How to operate kars in production. Each page is one operational concern, with the full runbook for that concern.
| Topic | Read |
|---|---|
| GitOps — managing kars with Flux / Argo CD instead of the CLI. | gitops.md |
| Secret rotation — rotating Foundry keys, ACR credentials, federated identities. | secret-rotation.md |
| Image versioning — :latest tag policy, pinning by digest, supply-chain considerations. | image-versioning.md |
| Helm packaging — packaging the chart for offline / sovereign deployments. | helm-packaging.md |
| Branch protection — repository hygiene for forks and downstream consumers. | branch-protection.md |
| Supply chain — Cosign signing, SBOM, SLSA provenance. | supply-chain.md |
| Chaos tier — fault-injection harness used in CI and on demand against staging. | chaos-tier.md |
| A2A gateway — operating the public-ingress A2A endpoint. | a2a-gateway.md |
| BYO strict — running the strict-validation BYO contract. | byo-strict.md |
For day-to-day work the most useful surfaces are:
- `kars operator` — the live fleet TUI. See docs/operator-tui.md.
- `kars status <name>` — quick health snapshot of one sandbox.
- `kars logs <name> -f` — tail router + agent logs.
- `kars policy show <name>` — what is allowed / denied / approval-gated for a sandbox.
- `kubectl describe karssandbox <name>` — full condition chain (every status condition is documented in ../api/conditions.md).
- `kars eval` — reproducible evaluation against a pinned sandbox spec.
- Cluster provisioning — see Getting started. `kars up` provisions AKS, ACR, Foundry, federated identity, and Helm install in one go.
- Architecture and CRDs — see Architecture and CRD reference.
- Security guarantees — see Security model.