Kubiya’s serverless tools architecture ensures every automation operation runs in an isolated, ephemeral environment. This approach eliminates the common problems of state drift, dependency conflicts, and security vulnerabilities that plague traditional automation scripts.
Traditional automation approaches suffer from persistent state problems:
Stateful Scripts
Serverless Tools
Problems with persistent environments:
Configuration drift over time
Dependency conflicts between different scripts
Leftover state from previous executions
Security vulnerabilities from long-running processes
Difficult to reproduce issues across environments
Container-Native Execution
Every operation in Kubiya runs as a containerized tool:
# Example: Kubernetes health check tool
name : kubectl-health-check
image : kubiya/kubectl:latest
command :
- kubectl
- get
- pods
- --all-namespaces
- --field-selector=status.phase!=Running
environment :
- KUBECONFIG=/secrets/kubeconfig
volumes :
- name : kubeconfig
secret : prod-cluster-config
Zero Setup Required
Tools run anywhere without installation or configuration:
No dependencies to install on target machines
No version conflicts between different tools
No environment-specific setup requirements
No state pollution from previous executions
Built-in Security
Container isolation provides multiple security benefits:
Process Isolation Each tool runs in its own process namespace with no access to host processes
Network Segmentation Network policies control which services tools can communicate with
Filesystem Protection Read-only filesystems prevent unauthorized file modifications
Resource Limits CPU, memory, and disk limits prevent resource exhaustion attacks
Kubernetes
Cloud Providers
Monitoring
# Native kubectl operations
kubectl get pods --selector=app=nginx
kubectl scale deployment nginx --replicas=5
kubectl rollout status deployment/nginx
# Helm operations
helm upgrade myapp ./chart --values prod-values.yaml
helm rollback myapp 1
Build tools specific to your applications:
# Custom deployment health checker
#!/usr/bin/env python3
import requests
import time
import os
def check_service_health ( service_url , timeout = 300 ):
"""Check if newly deployed service is healthy"""
start_time = time.time()
while time.time() - start_time < timeout:
try :
response = requests.get( f " { service_url } /health" )
if response.status_code == 200 :
health_data = response.json()
if health_data.get( 'status' ) == 'healthy' :
return True
except requests.RequestException:
pass
time.sleep( 10 )
return False
if __name__ == "__main__" :
service_url = os.environ[ 'SERVICE_URL' ]
if check_service_health(service_url):
print ( "✅ Service is healthy" )
else :
print ( "❌ Service failed health check" )
exit ( 1 )
Tools that bridge between systems:
# Slack notification tool
name : slack-notify
image : alpine/curl:latest
script : |
curl -X POST \
-H "Authorization: Bearer ${SLACK_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"channel\": \"${CHANNEL}\", \"text\": \"${MESSAGE}\"}" \
https://slack.com/api/chat.postMessage
environment :
- SLACK_TOKEN=/secrets/slack_token
- CHANNEL=#alerts
- MESSAGE="Deployment completed successfully"
Execution Environment
Runtime Configuration
Each tool execution includes:
Resource limits : CPU, memory, disk space, network bandwidth
Security context : User permissions, security policies, network access
Environment variables : Configuration, credentials, context data
Volume mounts : Access to configuration files, secrets, temporary storage
Real-Time Monitoring
Track tool execution with detailed observability:
Live logs : Stream stdout/stderr in real-time
Performance metrics : CPU, memory, network usage
Exit status : Success/failure with detailed error information
Execution timeline : Start time, duration, completion status
Secrets Management
Securely inject credentials without exposing them:
# Secrets are mounted as files or environment variables
volumes :
- name : aws-credentials
secret : aws-prod-creds
mount_path : /root/.aws/credentials
- name : kubeconfig
secret : k8s-prod-config
mount_path : /root/.kube/config
environment :
- DATABASE_PASSWORD=/secrets/db_password
- API_KEY=/secrets/api_key
Develop and test tools interactively:
Write your script in the embedded editor
Configure environment variables and secrets
Set resource limits for testing
Execute and debug with live feedback
Testing Framework
Built-in testing capabilities:
# test_deployment_tool.py
import unittest
from kubiya import ToolTest
class TestDeploymentTool ( ToolTest ):
def setUp ( self ):
self .tool = self .load_tool( 'deployment-checker' )
self .mock_environment({
'SERVICE_URL' : 'http://localhost:8080' ,
'TIMEOUT' : '60'
})
def test_healthy_service ( self ):
self .mock_http_response( 'GET' , '/health' , 200 , { 'status' : 'healthy' })
result = self .tool.execute()
self .assertEqual(result.exit_code, 0 )
def test_unhealthy_service ( self ):
self .mock_http_response( 'GET' , '/health' , 500 )
result = self .tool.execute()
self .assertEqual(result.exit_code, 1 )
CI/CD Integration
Tools can be versioned and deployed like any application:
# .github/workflows/build-tools.yml
name : Build Kubiya Tools
on :
push :
paths : [ 'tools/**' ]
jobs :
build :
runs-on : ubuntu-latest
steps :
- uses : actions/checkout@v3
- name : Build tool images
run : |
for tool in tools/*/; do
docker build -t "myorg/$(basename $tool):${{ github.sha }}" $tool
docker push "myorg/$(basename $tool):${{ github.sha }}"
done
Advanced Features
Chain operations within a single container:
# Multi-stage deployment tool
FROM alpine/git as source
WORKDIR /app
RUN git clone https://github.com/myorg/app.git .
FROM node:18-alpine as builder
COPY --from=source /app /app
WORKDIR /app
RUN npm install && npm run build
FROM nginx:alpine as runtime
COPY --from=builder /app/dist /usr/share/nginx/html
EXPOSE 80
Parallel Execution
Run multiple tools concurrently for performance:
# Parallel health checks across environments
parallel_tools :
- name : check-prod
tool : health-checker
environment :
ENV : production
- name : check-staging
tool : health-checker
environment :
ENV : staging
- name : check-dev
tool : health-checker
environment :
ENV : development
Pass outputs between tools safely:
# Tool chain: build -> test -> deploy
workflow :
- name : build-app
tool : docker-builder
outputs :
- IMAGE_TAG
- name : run-tests
tool : test-runner
inputs :
IMAGE_TAG : ${build-app.IMAGE_TAG}
outputs :
- TEST_RESULTS
- name : deploy-app
tool : kubernetes-deployer
inputs :
IMAGE_TAG : ${build-app.IMAGE_TAG}
condition : ${run-tests.TEST_RESULTS} == "PASSED"
Performance Tip : Tools start quickly because they use optimized base images and cached layers. Most tools start executing within 2-3 seconds, making them suitable for interactive workflows.
What’s Next?
Serverless tools run on Kubiya Runners —the execution engine that manages containers on your infrastructure. Runners handle resource allocation, security policies, and cross-environment orchestration.