CHAPTER 05 · 2 MIN READ

What KAOS sees, and what it doesn't

Training on incidents, the privacy boundary, and the RBAC line we draw across both.

Author Jōkamachi Systems

Stub — this is brainstorm material for licence terms, not finished educational content. Most of what’s below belongs in the contract between Jōkamachi Systems and the customer (and possibly in the privacy policy), not in an introductory booklet. It’s parked here while we figure out where it actually lives. When the licence terms exist, this chapter should be replaced by a one-line cross-reference.

Training on incidents

KAOS gets better the more incidents it has seen. We train on incidents we resolve across all customers to improve the substrate for every customer; the alternative is that each customer’s KAOS starts from scratch, which would be a worse product. We don’t pretend otherwise.

The same trade applies to the model providers underneath KAOS: anything passed to a frontier model can be expected to inform that model’s next iteration, on the same argument.

What KAOS does not see

The privacy boundary sits at the cluster-management plane, not below it.

  • No database access. KAOS does not open databases. It reads the manifests that describe a database (StatefulSet, PVC, credentials reference); it does not read the rows inside it.
  • No customer traffic inspection. KAOS reads metrics and event logs, not packet contents. It knows that an ingress is dropping TLS; it does not know what was being sent over it.
  • RBAC scoped to cluster management. The same RBAC rules that stop human operators from inspecting customer data also fire when an agent attempts to escalate. KAOS is not a database administrator, and the cluster’s policy actively says so.

If KAOS attempts a privileged operation outside the cluster-management surface, it’s blocked at the API server — the same way a human operator would be — and the attempt is logged for audit, not quietly dropped.

Anonymity in the training corpus

Incidents fed into the training loop are anonymised at ingest: cluster identifiers, customer identifiers, hostnames, secret references, and any free-form text that could re-identify a customer are stripped before the incident enters the shared corpus. What remains is the shape of the incident — symptoms, investigation, resolution, outcome.