Copyright © KC Green

ZeroClaw in the Lab: a GitOps Agent on Matrix

infrastructure

An ops-oriented agent on Kubernetes — Matrix chat in, Flux and kubectl out, MCP for the web.

ZeroClaw (nickname Claw) is a small AI agent for cluster work: check Flux status, explain failing pods, dry-run Renovate, draft Git patches. It shares the same GitOps monorepo as the cluster — it is not a second control plane.

You talk to it on Matrix at matrix.this-is-fine.social. Web fetches go through MCP to a Scrapling sidecar instead of built-in browser tools, so there is one audited path for HTTP.

The agent is deliberately ops-focused. It is not a general chatbot for the public internet; it reads cluster state, follows skills checked into Git, and proposes changes that still pass human review. That keeps expectations aligned with what automation can safely do inside a production-shaped lab.

Concepts worth knowing

Topic         Pointer
GitOps agent  Policy and skills in Git; credentials mounted read-only at runtime
Agent Skills  Short SKILL.md playbooks instead of huge prompts
MCP           Sidecar on loopback; the agent calls tools over HTTP
Matrix E2EE   Crypto state on a PVC — not inside the workspace seed image

Skills are the main teaching device. Each skill is a short markdown playbook (flux debugging, storage checks, Renovate dry-runs) so the model reaches for a documented procedure instead of improvising shell one-liners.

Flow

operator -> Matrix chat
  -> ZeroClaw pod (kubectl, flux, skills)
  -> MCP -> Scrapling (web)
  -> git patch on forge -> merge -> Flux reconciles

Pod layout

init: copy OCI workspace seed onto PVC
containers:
  zeroclaw (daemon)
  scrapling :8000 (MCP)
mounts: kubeconfig, registry auth, matrix, sops-age
HTTPRoute: claw.this-is-fine.internal

An ImageVolume refreshes workspace files from oci.this-is-fine.io/zeroclaw/workspace on each start. Conversation memory and the Matrix state/ directory stay on the PVC. API access to other clusters uses normal pod DNS and *.tif.internal (see the tailnet post).

Forge CI builds and signs images (Cosign signs at build time, Kyverno checks the signature in the cluster). The workspace image can refresh on every pod start while chat history and Matrix crypto keys persist on disk, which is the usual split between replaceable config and state you must not wipe casually.
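The pod layout above as a Deployment manifest, written here as an added illustration rather than the project's own manifest. It assumes PVC and Secret names, an agent image tag and a Scrapling image (all placeholders), and an MCP_URL environment variable for the sidecar address; the seed ImageVolume, the persistent workspace and Matrix state, the read-only credential mounts and the loopback-only sidecar follow the text.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata: {name: zeroclaw, namespace: zeroclaw}   # namespace is an assumption
spec:
  replicas: 1
  selector: {matchLabels: {app: zeroclaw}}
  template:
    metadata: {labels: {app: zeroclaw}}
    spec:
      automountServiceAccountToken: false   # cluster access comes from the mounted kubeconfig, not the pod SA
      volumes:
        - name: workspace-seed               # ImageVolume: re-pulled on every pod start
          image: {reference: oci.this-is-fine.io/zeroclaw/workspace, pullPolicy: Always}
        - name: workspace                    # conversation memory, survives restarts
          persistentVolumeClaim: {claimName: zeroclaw-workspace}   # placeholder claim name
        - name: matrix-state                 # E2EE crypto store; never part of the seed image
          persistentVolumeClaim: {claimName: zeroclaw-matrix}      # placeholder claim name
        - name: kubeconfig
          secret: {secretName: zeroclaw-kubeconfig}                # placeholder secret name
        - name: sops-age
          secret: {secretName: zeroclaw-sops-age}                  # placeholder secret name
      initContainers:
        - name: seed-workspace               # copy the OCI seed onto the PVC; state dirs are untouched
          image: busybox:1.36
          command: ["sh", "-c", "cp -a /seed/. /workspace/"]
          volumeMounts:
            - {name: workspace-seed, mountPath: /seed, readOnly: true}
            - {name: workspace, mountPath: /workspace}
      containers:
        - name: zeroclaw
          image: oci.this-is-fine.io/zeroclaw/agent:PLACEHOLDER_TAG   # image name/tag are placeholders
          env:
            - {name: MCP_URL, value: "http://127.0.0.1:8000"}   # assumed variable; sidecar over pod loopback
            - {name: KUBECONFIG, value: /secrets/kube/config}
          securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}
          volumeMounts:
            - {name: workspace, mountPath: /workspace}
            - {name: matrix-state, mountPath: /var/lib/zeroclaw/matrix}
            - {name: kubeconfig, mountPath: /secrets/kube, readOnly: true}   # credentials read-only
            - {name: sops-age, mountPath: /secrets/age, readOnly: true}
        - name: scrapling
          image: PLACEHOLDER_REGISTRY/scrapling-mcp:PLACEHOLDER_TAG
          ports: [{containerPort: 8000}]     # no Service in front of it; only the agent reaches it
          securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}
```

Because both containers share the pod network namespace, the agent reaches the sidecar on 127.0.0.1:8000 without any Service or NetworkPolicy exposing it; the effective cluster permissions are exactly those of the mounted kubeconfig's RBAC.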

Deliberate limits

  • Changes go through a cloned repo and review, not edits on the live PVC tree.
  • Built-in web_fetch and browser tools are disabled; Scrapling handles the web.
  • Effective permissions follow kubeconfig RBAC; AGENTS.md gates destructive actions.

Claw is a readable layer on top of Flux: ask in chat, confirm with flux get, land the fix in Git. If Flux says the cluster is healthy but an app misbehaves, the agent still has to read events and logs like anyone else — it just lowers the friction for doing that often.