Agent Harness#
AgentHarness creates a long-running remote execution environment on Agent Substrate. Unlike an Agent or SandboxAgent, it does not package a kagent runtime into the workload. The backend provisions a sandbox that runs a coding agent (OpenClaw or Hermes), which you can chat with from the kagent UI and wire into messaging channels.
Use AgentHarness when you want kagent to manage the lifecycle of an OpenClaw or Hermes sandbox and surface it in the kagent API/UI alongside regular agents.
Before you begin#
- Install kagent v0.9.9 or later by following the quick start guide.
- Install Agent Substrate and enable the substrate integration in kagent. For Helm-based setup instructions, see Enable AgentHarness support and the Agent Substrate example.
When the substrate integration is not enabled, the controller cannot provision AgentHarness resources.
Choose a backend#
spec.backend selects the sandbox backend.
openclawprovisions an OpenClaw-compatible sandbox. WhenmodelConfigRefis set, kagent translates the referencedModelConfigand writes OpenClaw configuration into the sandbox.hermesprovisions a Hermes sandbox. kagent writes Hermes configuration and environment files into the sandbox and wires supported messaging channels into Hermes environment variables.
Both backends share the same top-level AgentHarness shape: backend, required substrate, optional description, optional image, optional env, optional modelConfigRef, and optional channels.
Create an OpenClaw harness#
The following resource creates an OpenClaw harness on Agent Substrate.
apiVersion: kagent.dev/v1alpha2kind: AgentHarnessmetadata:name: openclaw-shellnamespace: kagentspec:backend: openclawdescription: "OpenClaw shell for platform experiments"modelConfigRef: default-model-configsubstrate:workerPoolRef:name: kagent-default
spec.substrate is required. Set workerPoolRef to an existing WorkerPool, or omit it to use the controller's configured default WorkerPool. You can also set substrate.snapshotsConfig.location (a gs:// prefix) and substrate.workloadImage to override the default backend image.
Apply the resource and wait for it to become ready.
kubectl apply -f openclaw-shell.yamlkubectl -n kagent get agentharness openclaw-shell
Example output:
NAME BACKEND READY ID AGEopenclaw-shell openclaw True kagent-openclaw-shell 30s
Create a Hermes harness#
Hermes uses the same AgentHarness API with spec.backend: hermes.
apiVersion: kagent.dev/v1alpha2kind: AgentHarnessmetadata:name: hermes-shellnamespace: kagentspec:backend: hermesdescription: "Hermes shell for scheduled and chat-driven workflows"modelConfigRef: default-model-configsubstrate:workerPoolRef:name: kagent-default
If spec.image is omitted, kagent uses the backend's default sandbox base image. Set spec.image only when you need a custom image that is compatible with the selected backend.
Configure Slack#
Slack channels require a bot token and an app-level token. Store them in a Kubernetes Secret and reference them from the harness.
apiVersion: v1kind: Secretmetadata:name: slack-tokensnamespace: kagenttype: OpaquestringData:bot-token: xoxb-your-bot-tokenapp-token: xapp-your-app-token
Backend-specific Slack settings are nested under the backend name. The API validates this with CEL:
backend: hermesrequiresslack.hermesand rejectsslack.openclaw.backend: openclawrequiresslack.openclawand rejectsslack.hermes.
OpenClaw Slack#
OpenClaw Slack settings control channel access and interactive replies.
apiVersion: kagent.dev/v1alpha2kind: AgentHarnessmetadata:name: openclaw-slacknamespace: kagentspec:backend: openclawmodelConfigRef: default-model-configsubstrate:workerPoolRef:name: kagent-defaultchannels:- name: platformtype: slackslack:botToken:valueFrom:type: Secretname: slack-tokenskey: bot-tokenappToken:valueFrom:type: Secretname: slack-tokenskey: app-tokenopenclaw:channelAccess: allowlistallowlistChannels:- C0123456789interactiveReplies: true
Set channelAccess to open, allowlist, or disabled. When channelAccess is allowlist, allowlistChannels must include at least one Slack channel ID.
Hermes Slack#
Hermes Slack settings control allowed users and the home channel used for scheduled messages.
apiVersion: kagent.dev/v1alpha2kind: AgentHarnessmetadata:name: hermes-slacknamespace: kagentspec:backend: hermesmodelConfigRef: default-model-configsubstrate:workerPoolRef:name: kagent-defaultchannels:- name: platformtype: slackslack:botToken:valueFrom:type: Secretname: slack-tokenskey: bot-tokenappToken:valueFrom:type: Secretname: slack-tokenskey: app-tokenhermes:allowedUserIDs:- U01234567- U89ABCDEFhomeChannel: C0123456789homeChannelName: platform-alerts
Use allowedUserIDsFrom instead of allowedUserIDs when you want to load the Slack member allowlist from a Secret or ConfigMap key. The two fields are mutually exclusive.
Check status#
Use kubectl to confirm the harness was accepted and is ready.
kubectl -n kagent get agentharnesseskubectl -n kagent describe agentharness hermes-slack
The Accepted condition reports whether kagent accepted the spec. The Ready condition reports whether the harness ActorTemplate golden snapshot is ready. Once ready, .status.backendRef identifies the harness instance and .status.connection.endpoint shows the connection hint returned by kagent.
Chat with the harness#
Once the harness is Ready, it appears in the kagent UI alongside your other agents. kagent talks to the backend over the Agent Client Protocol (ACP): an in-sandbox acp-shim bridges the agent's stdio ACP server to a WebSocket endpoint, and the controller exposes it through the standard agent chat surface.
-
Port-forward the kagent UI.
kubectl port-forward -n kagent svc/kagent-ui 8001:8080 -
Open http://localhost:8001, select your harness (for example
kagent/openclaw-shell) from the Agents list, and send a message.
The first chat connection creates a shared Substrate actor from the harness template; every chat is multiplexed as an ACP session inside that actor. You see streamed tool activity, and any tool-approval prompts the backend raises are surfaced through kagent's human-in-the-loop flow.
Troubleshooting#
If the harness is not accepted or ready, check these common causes.
- The kagent controller was not installed with the Agent Substrate integration enabled, so AgentHarness resources cannot be provisioned.
- The referenced
WorkerPooldoes not exist, or no default WorkerPool is configured. - The
ActorTemplategolden snapshot has not finished building yet — wait for theReadycondition. modelConfigRefpoints to a missing or unsupportedModelConfig.- A Slack channel has the wrong backend settings, such as
slack.hermeson an OpenClaw harness orslack.openclawon a Hermes harness. - A Slack credential uses neither
valuenorvalueFrom, or sets both.
For the complete generated schema, see the API reference.