February Product Update

🔍 What's New in Plural

This month we're shipping Agent Runtime - a new first-class primitive that gives platform teams fine-grained control over the AI coding agents that power Plural's agentic workflows. Built on top of Agent Runtime, we're also shipping two major extensions: the Cluster Upgrade Agent, which automates the most painful part of Kubernetes fleet management end to end, and CVE remediation, which brings automated vulnerability response to your fleet. Here is what we shipped in February.

🤖 Agent Runtime

Every team running AI-powered infrastructure automation eventually hits the same wall: you want different agents for different contexts, with different scopes, different models, and different permissions. A security-sensitive production environment shouldn't share an agent with a development sandbox, and an agent trusted to modify your Terraform shouldn't have the same reach as one answering a question about pod counts.

Agent Runtime is Plural's answer to this. It's a new first-class primitive that lets platform teams define reusable agent configurations, each scoped to specific AI model backends, allowed repositories, and tool access. You can create as many runtimes as your organization needs and assign them to specific teams, flows, or workloads.

With Agent Runtime you get:

  • Configurable AI model backends: Point each runtime at any supported AI provider, giving teams the flexibility to use different models for different workloads — whether optimizing for cost, latency, or capability.
  • Repository allowlist policies: Define exactly which GitOps repositories an agent is permitted to read from and write to, so agents can't touch infrastructure outside their intended scope.
  • Runtime selector in chat: Users can pick which runtime to invoke directly from the Plural AI chat interface, making it easy to route requests to the right agent without leaving their workflow.
  • Full UI management: Create, update, and delete Agent Runtimes from the console, including all repository and model configuration.

🛡️ CVE Remediation

Responding to CVEs across a large Kubernetes fleet is a slow, manual process by default. Engineers have to trace which services are affected, determine the right fix for each, and push changes across potentially dozens of repositories before anything is resolved.

Agent Runtime makes automated CVE remediation possible. Trivy scans your entire fleet for vulnerabilities continuously. When a patched version is available, the Observer CRD verifies compatibility with your specific Kubernetes versions before doing anything, then triggers PR generation via PrAutomation with the exact changes needed. Your team reviews and merges - the agent handles everything before that point.

What's New:

  • Automated vulnerability scanning → Trivy scans all managed clusters continuously, identifying affected components across your fleet as CVEs surface.
  • Compatibility-verified patch proposals → Before opening a PR, the agent checks that the patched version is compatible with your Kubernetes versions, so you're not reviewing changes that can't safely be applied.
  • PR-based remediation → Every fix is a pull request in your Git repository. Nothing merges without engineer sign-off, giving you a fully auditable record of every security change.

🚀 Cluster Upgrade Agent

Kubernetes upgrades have always been one of the highest-risk, most manual tasks a platform team faces. Even with Plural's existing Upgrade Assistant pointing you to the right Helm chart versions, the actual work of modifying dozens of services and configurations still fell on engineers. The Cluster Upgrade Agent changes that.

The agent uses Plural's coding agent runtime as a workhorse, combining semantic search and your GitOps source of truth to craft precise, reviewable pull requests for each step of an upgrade path. It runs the analysis in parallel using an in-memory engine — avoiding unnecessary database round-trips — so it can work across multiple services simultaneously. Every change surfaces as a PR for human review before anything touches your clusters.

We've also added a K8s changelog flyover directly into the upgrade plan view, so you can see exactly what's changing between versions before you commit, and tuned the underlying agent prompts based on early testing with production workloads.

  • End-to-end upgrade orchestration: The agent analyzes your fleet, identifies the required changes across services, and opens PRs automatically, with no manual YAML editing required.
  • Upgrade step error surfacing: Errors in upgrade plan steps are surfaced directly in the console UI so you can identify and fix blockers without leaving Plural.
  • New upgrade agent UI: A dedicated interface to manage and monitor the upgrade agent's progress across your fleet.
  • REST endpoints for cluster upgrades: Programmatic access to trigger and manage cluster upgrades via the REST API, for teams building custom automation on top of Plural.

⚡ ServiceNow PR Governance

For teams running Plural in regulated environments, we've added native ServiceNow integration for PR governance. Platform teams can now require that a ServiceNow change request be raised and approved before a Plural PR automation is allowed to execute — connecting GitOps workflows directly to your existing ITSM processes without any custom glue code.

This matters because most enterprise compliance frameworks require a documented change record before infrastructure is modified in production. Until now, teams had to maintain that linkage manually or build integrations themselves. With this release, you define a PrGovernance CRD that references your ServiceNow instance, and Plural handles the rest.

🔧 Other Feature Updates

  • OCI Helm chart publishing: Plural's console chart is now published to an OCI-compatible registry, making it easier to integrate Plural into environments that rely on OCI artifact workflows or require fully air-gapped installs.

  • Kustomize PostRenderer support: Teams using Kustomize as a post-renderer in their GitOps pipelines can now configure this directly through the Go client.

  • Git and Helm repository search: Added search fields to repository queries in the console, making it easier to find specific repos in large environments.

  • Service account access token shortcut: You can now create an access token directly from a service account table row without navigating into the detail view.

  • ServiceContext secretRef and configMapRef: Services can now reference Kubernetes Secrets and ConfigMaps directly in their ServiceContext configuration, reducing the need to embed sensitive values in GitOps manifests.

  • Flow routing by name or ID: Flows can now be routed using either their name or internal ID, giving integrations more flexibility when constructing API calls.

  • gRPC ToolQuery service for observability: A new gRPC service exposes observability tool queries, laying the groundwork for deeper Datadog and Grafana integrations coming later this quarter.

  • Sentinel case types and expected result field: Sentinels now support additional case types and an expectedResult field in raw YAML mode, giving teams more expressive power in their integration test assertions.

  • CR deprecation group and kind filters: The custom resource deprecation view now supports filtering by group and kind, making it faster to identify which CRDs in your fleet are at risk ahead of a Kubernetes upgrade.

  • Mermaid diagram styling improvements: The Infra Research diagram view has been polished with improved rendering and visual styling.

  • Expanded compatibility matrix: Added scrapers for Harbor, external-secrets, Dynatrace Operator, CoreDNS, and Kubescape — so Plural can now automatically track EOL and upgrade compatibility for more of the add-ons running in your clusters.

🏢 Company Updates

We’ll be attending KubeCon next month in Amsterdam. Let us know if you plan on attending! We'll be at booth 684.

NYC Kubernetes Meetup: Thanks to everyone who joined our platform engineering session last week, led by Avinash Sabat. See you at the next one!