activity

v0.7.1 Latest

This package is not in the latest version of its module.

Published: Jun 25, 2026 License: AGPL-3.0

README

Activity

Ever wonder who changed that production secret? Or need to understand what happened before an incident? Activity turns Kubernetes audit logs and control plane events into plain-language summaries you can search, stream, and explore — using familiar Kubernetes tools.

What is this?

Activity is a Kubernetes extension that translates raw audit logs and control plane events into a queryable activity feed. You define how events are described using ActivityPolicy resources and CEL expressions — "Alice created HTTPProxy for myservice.com" instead of decoding JSON structures. The feed is searchable by actor, resource, time range, and more, and updates in real time via the Kubernetes Watch API.

It's built as an aggregated API server, so it works natively with kubectl and any Kubernetes client.

Components

Activity consists of several components that work together:

  • activity-apiserver: Kubernetes aggregated API server that handles queries, Watch streams, and the ActivityPolicy API
  • activity-processor: Processes audit logs and control plane events through ActivityPolicy rules to generate Activity records
  • activity-controller-manager: Manages ActivityPolicy lifecycle, status, and ReindexJob execution
  • activity-ui: React component library (@datum-cloud/activity-ui on npm) for embedding activity exploration in your platform UI
  • kubectl-activity: kubectl plugin for command-line querying
  • MCP server: Exposes activity data to AI assistants via the Model Context Protocol

What can it do right now?

  • Human-readable activity feed — Define ActivityPolicy resources with CEL expressions to translate audit logs and control plane events into plain-language summaries. Test policies safely with the PolicyPreview API before deploying.
  • Control plane events — Search and stream control plane events (pod restarts, scheduler decisions, BackOff messages) alongside audit logs using EventQuery and EventFacetQuery.
  • Powerful queries using CEL expressions: "Find all secret deletions by users whose name starts with 'system:'"
  • Filter by what matters: time ranges, namespaces, actions (create/update/delete), resource types, actors, and more
  • Real-time streaming — Watch API support for Activity and Event resources so dashboards update instantly without polling
  • Reindex history — Use ReindexJob to backfill Activity records when you add or update a policy, so your feed reflects the full history
  • AI integration — Query activity data from AI assistants via the MCP server. The milo-activity Claude Code plugin adds guided investigation, auditing, and policy authoring workflows.
  • Embeddable UI — Drop-in React components for activity feeds, policy editors, PolicyPreview panels, and event explorers
  • Fast queries backed by a high-performance ClickHouse storage layer with smart indexing
  • Works like Kubernetes because it's built as an aggregated API server — use kubectl or any Kubernetes client
  • Multi-tenant by design so teams can only see their own activity
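
An added example, not code from the Activity project: the "secret deletions by system: users" query from the list above, applied directly to Kubernetes audit events (audit.k8s.io/v1, one JSON object per line) in plain Go, producing the kind of plain-language summary described under "What is this?". The sample log and the name SystemSecretDeletions are constructed for illustration; Activity itself expresses this with CEL and ActivityPolicy resources.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// auditEvent is the subset of a Kubernetes audit.k8s.io/v1 Event used here.
type auditEvent struct {
	Stage, Verb    string
	User           struct{ Username string }
	ObjectRef      *struct{ Resource, Namespace, Name string }
	ResponseStatus *struct{ Code int }
}

// sampleLog is constructed for this example (one JSON audit event per line).
const sampleLog = `{"stage":"RequestReceived","verb":"delete","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-password"}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-password"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"alice@example.com"},"objectRef":{"resource":"secrets","namespace":"prod","name":"api-key"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-scheduler"},"requestURI":"/healthz","responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:dev:builder"},"objectRef":{"resource":"secrets","namespace":"prod","name":"tls-cert"},"responseStatus":{"code":403}}`

// SystemSecretDeletions summarises secret deletions attempted by "system:" users.
func SystemSecretDeletions(log string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad audit line: %w", err)
		}
		// One event is logged per stage, so keep only the final one; non-resource requests have no objectRef.
		if ev.Stage != "ResponseComplete" || ev.ObjectRef == nil || ev.Verb != "delete" ||
			ev.ObjectRef.Resource != "secrets" || !strings.HasPrefix(ev.User.Username, "system:") {
			continue
		}
		outcome := "deleted"
		if ev.ResponseStatus != nil && ev.ResponseStatus.Code >= 400 {
			outcome = fmt.Sprintf("failed (HTTP %d) to delete", ev.ResponseStatus.Code)
		}
		out = append(out, fmt.Sprintf("%s %s secret %s/%s", ev.User.Username, outcome, ev.ObjectRef.Namespace, ev.ObjectRef.Name))
	}
	return out, nil
}

func main() {
	lines, _ := SystemSecretDeletions(sampleLog) // the embedded sample is well-formed
	fmt.Println(strings.Join(lines, "\n"))
}
```

Filtering on the ResponseComplete stage keeps a single record per request, and reporting the response code separates completed deletions from rejected attempts.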

Documentation

Guides

Reference

Releases

Claude Code plugin

The milo-activity plugin adds guided workflows for incident investigation, user auditing, and ActivityPolicy authoring on top of the MCP server. Install it from the marketplace:

/plugin marketplace add datum-cloud/claude-code-plugins
/plugin install milo-activity@datum-claude-code-plugins

Prerequisite: the activity binary must be on your PATH and configured as an MCP server. See the MCP server guide for setup.

Who is this for?

  • Platform teams who need to understand cluster activity across multiple tenants
  • Security teams investigating incidents or building compliance reports
  • Developers debugging "who changed what" questions
  • Anyone who's ever wished Kubernetes audit logs were easier to query

Prerequisites

For users:

  • Kubernetes 1.34+ cluster
  • kubectl configured to access your cluster

For developers:

  • Go 1.25+
  • Task for development workflows
  • Docker for building container images

License

See LICENSE for details.


Questions or feedback? Open an issue—we're here to help!

Directories

Path Synopsis
cmd
activity command
internal
cel
Package cel provides CEL (Common Expression Language) utilities for filtering audit logs and activities in ClickHouse queries.
eventexporter
Package eventexporter implements a Kubernetes Event exporter that watches for Events and publishes them to NATS JetStream for ingestion into ClickHouse.
types
Package types provides shared type definitions and constants used across the activity service.
version
Package version provides version information for the Activity API server.
pkg
apis/activity
Package activity contains the internal types for the activity API group.
apis/activity/v1alpha1
Package v1alpha1 contains API Schema definitions for the activity v1alpha1 API group
client/clientset/versioned/fake
This package has the automatically generated fake clientset.
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
client/clientset/versioned/typed/activity/v1alpha1
This package has the automatically generated typed clients.
client/clientset/versioned/typed/activity/v1alpha1/fake
Package fake has the automatically generated clients.
cmd
mcp/tools
Package tools provides MCP (Model Context Protocol) tools for interacting with the Activity service.
