Potoo

In the dark, catching bugs before they bite.

Every policy blocking your Kubernetes workloads — discovered, correlated, and explained to the developers who need it.


The Problem

Your cluster is full of hidden constraints

NetworkPolicies, Gatekeeper constraints, Kyverno policies, Istio rules, resource quotas, webhooks. When something blocks a deploy, developers get cryptic errors and no answers.

Scattered across engines

Policies live in Cilium, Gatekeeper, Kyverno, Istio, native K8s, and custom CRDs. No single tool shows them all.

Cryptic error messages

Developers see "connection timed out" or "webhook denied the request" with zero context about which policy caused it.

Cross-team friction

Platform teams write policies. App teams hit them. The debugging loop burns hours and goodwill on both sides.

The Solution

Ask Potoo what went wrong

Potoo watches every policy-related resource in your cluster. When something breaks, it tells developers exactly what happened and how to fix it.

Terminal
$ potoo explain -n payments "connection timed out"

Explanation: Network egress is restricted in this namespace.
Confidence: high

Matching Constraints:
   restrict-egress (NetworkPolicy) — Severity: Critical
    Restricts egress to ports 443, 8443 only

Remediation:
  1. Request exception from [email protected]
  2. Or add port 9090 to the allow list in restrict-egress

Features

Not a policy engine. A policy explainer.

Potoo doesn't enforce anything. It discovers what's already there and makes it understandable.

Universal Discovery

Finds constraints from NetworkPolicy, Cilium, Gatekeeper, Kyverno, Istio, webhooks, and any custom CRD you register.

Developer Notifications

K8s Events on affected workloads, ConstraintReport CRDs, Slack integration, and workload annotations.

Privacy-Aware

Multi-tenant safe. Developers see what they need to unblock themselves. Cross-namespace details stay hidden.

AI Agent Integration

Built-in MCP server lets Claude, Copilot, and other AI assistants query constraints and explain errors directly.

Pre-Flight Checks

Validate manifests before deploying. Know which policies would block your workload before kubectl apply.

ConstraintReport CRDs

Machine-readable reports per namespace. Query with kubectl, pipe to dashboards, or feed to automation.

How It Works

Watches everything, explains what matters

Potoo runs as a controller in your cluster. No sidecars, no agents on nodes, no policy changes.

1. Discover

Watches all policy CRDs in the cluster via dynamic informers. Adapters normalize each type into a common model.

2. Index

Constraints are indexed by namespace, labels, and type. Lookups are instant regardless of cluster size.

3. Correlate

When errors appear, Potoo matches Kubernetes events to the constraints that caused them.

4. Explain

Developers get privacy-scoped notifications with what went wrong, why, and how to fix it.
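
The discover, index and correlate steps above, sketched for the page's restrict-egress case as an added example (not Potoo's code; the record fields and function names are hypothetical). It looks only at port rules and matchLabels selectors, ignores protocol and destination selectors, and reports a policy only when no selecting policy could allow the port.

```python
from collections import defaultdict

# Constructed manifest mirroring the page's sample output (not taken from a real cluster).
RESTRICT_EGRESS = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "restrict-egress", "namespace": "payments"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"ports": [{"protocol": "TCP", "port": 443},
                                   {"protocol": "TCP", "port": 8443}]}]},
}

def normalize(manifest):
    """Adapter step: reduce a NetworkPolicy to a constraint record, or None if it leaves egress alone."""
    spec = manifest.get("spec", {})
    rules = spec.get("egress") or []
    # Kubernetes default: Egress applies only if egress rules are present.
    types = spec.get("policyTypes") or (["Ingress", "Egress"] if rules else ["Ingress"])
    if "Egress" not in types:
        return None
    ranges, any_port = [], False
    for rule in rules:
        entries = rule.get("ports") or []
        # No ports list, a protocol-only entry, or a named port: cannot rule out any port number.
        if not entries or any(not isinstance(e.get("port"), int) for e in entries):
            any_port = True
        ranges += [(e["port"], e.get("endPort", e["port"]))
                   for e in entries if isinstance(e.get("port"), int)]
    return {"name": manifest["metadata"]["name"], "kind": manifest["kind"],
            "namespace": manifest["metadata"]["namespace"],
            "selector": spec.get("podSelector", {}).get("matchLabels", {}),
            "ranges": ranges, "any_port": any_port}

def build_index(manifests):
    """Index step: group normalized constraints by namespace."""
    index = defaultdict(list)
    for c in filter(None, map(normalize, manifests)):
        index[c["namespace"]].append(c)
    return index

def explain_egress(index, namespace, pod_labels, port):
    """Correlate step: return the policies that block `port`, or [] if none provably does."""
    selecting = [c for c in index.get(namespace, [])
                 if c["selector"].items() <= pod_labels.items()]
    # NetworkPolicies are additive: one selecting policy that allows the port is enough.
    if any(c["any_port"] or any(lo <= port <= hi for lo, hi in c["ranges"]) for c in selecting):
        return []
    return [f'{c["name"]} ({c["kind"]})' for c in selecting]
```
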

Get Started

Up and running in two commands

Install via Helm, then use the CLI or let your AI assistant connect over MCP.

helm repo add potoo https://potoo.io/charts
helm install potoo potoo/potoo -n potoo-system --create-namespace
