Agent Harness#
AgentHarness creates a long-running remote execution environment through an OpenShell gateway. Unlike an Agent or SandboxAgent, it does not package a kagent runtime into the workload. The backend provisions a sandbox that operators, tools, or chat integrations can attach to.
Use AgentHarness when you want kagent to manage the lifecycle of an OpenClaw, NemoClaw, or Hermes sandbox and surface it in the kagent API/UI alongside regular agents.
Before you begin#
- Install kagent v0.9.1 or later by following the quick start guide.
- Install and expose an OpenShell gateway that the kagent controller can reach over gRPC. For Helm-based setup instructions, see Enable AgentHarness support.
- Configure the kagent controller with the gateway address. For example, set the controller environment variable
OPENSHELL_GATEWAY_URLto a gRPC target such asdns:///openshell.openshell.svc:443.
When OPENSHELL_GATEWAY_URL is empty, the AgentHarness backends are not registered by the controller.
Choose a backend#
spec.backend selects the sandbox backend.
openclawprovisions an OpenClaw-compatible sandbox. WhenmodelConfigRefis set, kagent translates the referencedModelConfigand writes OpenClaw configuration into the sandbox.nemoclawuses the same kagent backend path asopenclaw, but lets you label the resource for NemoClaw-oriented usage.hermesprovisions a Hermes sandbox. kagent writes Hermes configuration and environment files into the sandbox and wires supported messaging channels into Hermes environment variables.
All three backends share the same top-level AgentHarness shape: backend, optional description, optional image, optional env, optional network, optional modelConfigRef, and optional channels.
Create an OpenClaw harness#
The following resource creates an OpenClaw harness and lets it reach the OpenAI and Slack APIs.
apiVersion: kagent.dev/v1alpha2kind: AgentHarnessmetadata:name: openclaw-shellnamespace: kagentspec:backend: openclawdescription: "OpenClaw shell for platform experiments"modelConfigRef: default-model-confignetwork:allowedDomains:- api.openai.com- slack.com- api.slack.com- hooks.slack.com- wss-primary.slack.com- wss-backup.slack.com
Apply the resource and wait for it to become ready.
kubectl apply -f openclaw-shell.yamlkubectl -n kagent get agentharness openclaw-shell
Example output:
NAME BACKEND READY ID AGEopenclaw-shell openclaw True kagent-openclaw-shell 30s
Create a Hermes harness#
Hermes uses the same AgentHarness API with spec.backend: hermes.
apiVersion: kagent.dev/v1alpha2kind: AgentHarnessmetadata:name: hermes-shellnamespace: kagentspec:backend: hermesdescription: "Hermes shell for scheduled and chat-driven workflows"modelConfigRef: default-model-confignetwork:allowedDomains:- api.openai.com- slack.com- api.slack.com- wss-primary.slack.com- wss-backup.slack.com
If spec.image is omitted, kagent uses the backend's default sandbox base image. Set spec.image only when you need a custom image that is compatible with the selected backend.
Configure Slack#
Slack channels require a bot token and an app-level token. Store them in a Kubernetes Secret and reference them from the harness.
apiVersion: v1kind: Secretmetadata:name: slack-tokensnamespace: kagenttype: OpaquestringData:bot-token: xoxb-your-bot-tokenapp-token: xapp-your-app-token
Backend-specific Slack settings are nested under the backend name. The API validates this with CEL:
backend: hermesrequiresslack.hermesand rejectsslack.openclaw.backend: openclawandbackend: nemoclawrequireslack.openclawand rejectslack.hermes.
OpenClaw Slack#
OpenClaw and NemoClaw Slack settings control channel access and interactive replies.
apiVersion: kagent.dev/v1alpha2kind: AgentHarnessmetadata:name: openclaw-slacknamespace: kagentspec:backend: openclawmodelConfigRef: default-model-configchannels:- name: platformtype: slackslack:botToken:valueFrom:type: Secretname: slack-tokenskey: bot-tokenappToken:valueFrom:type: Secretname: slack-tokenskey: app-tokenopenclaw:channelAccess: allowlistallowlistChannels:- C0123456789interactiveReplies: true
Set channelAccess to open, allowlist, or disabled. When channelAccess is allowlist, allowlistChannels must include at least one Slack channel ID.
Hermes Slack#
Hermes Slack settings control allowed users and the home channel used for scheduled messages.
apiVersion: kagent.dev/v1alpha2kind: AgentHarnessmetadata:name: hermes-slacknamespace: kagentspec:backend: hermesmodelConfigRef: default-model-configchannels:- name: platformtype: slackslack:botToken:valueFrom:type: Secretname: slack-tokenskey: bot-tokenappToken:valueFrom:type: Secretname: slack-tokenskey: app-tokenhermes:allowedUserIDs:- U01234567- U89ABCDEFhomeChannel: C0123456789homeChannelName: platform-alerts
Use allowedUserIDsFrom instead of allowedUserIDs when you want to load the Slack member allowlist from a Secret or ConfigMap key. The two fields are mutually exclusive.
Check status#
Use kubectl to confirm the harness was accepted and is ready.
kubectl -n kagent get agentharnesseskubectl -n kagent describe agentharness hermes-slack
The Accepted condition reports whether kagent accepted the spec. The Ready condition reports whether the backend sandbox is ready. Once ready, .status.backendRef identifies the sandbox in the OpenShell control plane and .status.connection.endpoint shows the connection hint returned by kagent.
Troubleshooting#
If the harness is not accepted or ready, check these common causes.
- The kagent controller was not configured with
OPENSHELL_GATEWAY_URL, so AgentHarness backends were not registered. - The OpenShell gateway address is not reachable from the controller pod.
modelConfigRefpoints to a missing or unsupportedModelConfig.- A Slack channel has the wrong backend settings, such as
slack.hermeson an OpenClaw harness orslack.openclawon a Hermes harness. - A Slack credential uses neither
valuenorvalueFrom, or sets both.
For the complete generated schema, see the API reference.