What is Ankra CLI?
The Ankra CLI is a powerful command-line interface for interacting with the Ankra platform. It enables you to manage clusters, chat with AI about your infrastructure, browse Helm charts, manage credentials, deploy stacks, and automate platform operations directly from your terminal.
Features
- SSO Login Browser-based authentication with PKCE
- AI Chat Interactive and one-shot AI-powered troubleshooting
- Organisation Management List, switch, create organisations, manage members
- Cluster Management List, select, reconcile, provision, deprovision, delete, and clone clusters
- Cluster Access Grant, list, and revoke scoped kubectl access to a cluster through the Ankra gateway
- Kubernetes Resources Browse pods, deployments, services, nodes, and other resources directly
- Pod Logs Stream and tail pod logs with namespace and container filtering
- Stack Management Create, list, rename, delete, clone between clusters, and view stack history
- Addon Management List, configure, update, and uninstall cluster addons
- Operations & Jobs Track operations, cancel running jobs, filter by kind and timestamp
- Agent Management View agent status, manage tokens, trigger upgrades
- Manifest Management List and inspect cluster manifests
- In-Cluster Helm List and uninstall Helm releases running in the cluster
- Helm Charts Browse, search, and get details on available charts
- Helm Registries Manage organisation Helm registries and registry credentials
- SOPS Encryption Encrypt and decrypt manifest and addon configuration files
- Hetzner Cloud Provision and manage Hetzner Kubernetes clusters
- OVH Cloud Provision and manage OVH Kubernetes clusters
- UpCloud Provision and manage UpCloud Kubernetes clusters
- Credentials Manage cloud provider and Git credentials
- API Tokens Create, list, revoke, and delete API tokens
- Shell Completion Generate completion scripts for bash, zsh, fish, and powershell
- Agent Skills Install the curated Ankra Agent Skills into Cursor/Claude (works offline)
- Secure Credentials stored locally in
~/.ankra.yaml
Installation
Single Command Installation (Recommended)
bash <(curl -sL https://github.com/ankraio/ankra-cli/releases/latest/download/install.sh)
Direct Download
Download the binary directly from GitHub Releases.
chmod +x ankra
mv ankra ~/bin/ankra # or /usr/local/bin/ankra
Upgrading the CLI
The CLI can update itself in place with ankra upgrade (aliased as ankra self-update). The downloaded binary is verified against its published SHA-256 checksum before it replaces the running executable.
# Upgrade to the latest stable release
ankra upgrade
# Check whether a newer release exists without installing
ankra upgrade --check
# Pin an exact version (also works as a downgrade / rollback)
ankra upgrade --version v0.3.0
| Flag | Description |
|---|
--version <tag> | Install an exact release (e.g. v0.3.0 or 0.3.0); installs whether newer or older, so it doubles as a rollback |
--check | Report whether a newer release is available without installing |
--beta | Include pre-release versions for this run (overrides the saved channel) |
--force | Reinstall even if already on the target version |
-y, --yes | Skip the confirmation prompt |
--allow-unverified | Install even when no checksum is published (insecure) |
If the binary lives in a root-owned location, run sudo ankra upgrade or re-run the install script.
Beta (pre-release) channel
Opt in to release candidates (such as v0.3.0-rc.1) so ankra upgrade resolves the newest release including pre-releases:
ankra config beta enable # opt in
ankra config beta status # show current channel
ankra config beta disable # back to stable only
~/.ankra/settings.json (separate from your credentials).
Authentication
SSO Login (Recommended)
The easiest way to authenticate is using browser-based SSO:
This will:
- Open your browser to the Ankra login page
- After you authenticate, save your credentials locally
- You can then use all ankra CLI commands
Your credentials are saved to ~/.ankra.yaml.
To logout and clear credentials:
Environment Variables (Alternative)
You can also use environment variables:
export ANKRA_API_TOKEN=your-token-here
export ANKRA_BASE_URL=https://platform.ankra.app # optional
~/.zshrc or ~/.bashrc) for persistence.
Quick Start
# 1. Login with SSO
ankra login
# 2. List your clusters
ankra cluster list
# 3. Select a cluster to work with
ankra cluster select
# 4. Start chatting with AI about your infrastructure
ankra chat "What's the status of my deployments?"
Command Reference
Authentication
login
Authenticate with the Ankra platform using browser-based SSO.
logout
Remove saved credentials from ~/.ankra.yaml.
Organisation Management
Aliases: ankra org, ankra organisation, ankra organization
org list
List all organisations you belong to.
org switch
Switch to a different organisation. This persistently changes your selected
organisation for all future commands.
ankra org switch <org_id>
Run a single command against another organisation
Use the global --org flag (organisation name or ID) to scope a single command
to a different organisation without changing your selected organisation. You
can also set the ANKRA_ORG environment variable to scope a whole shell session.
ankra --org "Acme Corp" cluster list # by name, just this command
ankra --org <org_id> get pods my-cluster # by ID
export ANKRA_ORG="Acme Corp" # for the whole session
ankra cluster list
ankra org switch. You must
be an active member of the target organisation, otherwise the API returns a
permission error.
org current
Show the currently selected organisation.
org create
Create a new organisation.
ankra org create <name>
ankra org create <name> --country <code>
org members
List members of an organisation.
ankra org members # current organisation
ankra org members <org_id> # specific organisation
org invite
Invite a user to the current organisation.
ankra org invite <email>
ankra org invite <email> --role admin # role: member, admin, read-only
org remove
Remove a user from the current organisation.
ankra org remove <user_id>
ankra org remove <user_id> -f # skip confirmation
org variables
Manage organisation-scoped template variables. These are available to every
cluster in the organisation as substitutions in stack manifests and addon
values at deploy time, and are shadowed by cluster- or stack-scoped variables
of the same name.
ankra org variables list # list all
ankra org variables get DB_HOST # show one
ankra org variables set DB_HOST db.example.com # upsert
ankra org variables set API_TOKEN - # value from stdin
ankra org variables delete DB_HOST # delete (prompts)
| Subcommand | Notable flags |
|---|
list | -o json|yaml |
get | -o json|yaml |
set | --description <text> (creates or updates; pass - for the value to read from stdin) |
delete | --yes skips the confirmation prompt |
AI Chat
chat
AI-powered chat for troubleshooting and assistance.
Interactive mode:
ankra chat
ankra chat --cluster my-cluster # with cluster context
ankra chat "Why are my pods in CrashLoopBackOff?"
ankra chat --cluster staging "How do I scale my deployment?"
exit, quit, q Exit chatclear Clear conversation history
chat health
Get AI-analyzed cluster health for the selected cluster.
ankra chat health
ankra chat health --ai # include detailed AI analysis (default: true)
chat history
List previous chat conversations.
ankra chat history
ankra chat history --cluster my-cluster # filter by cluster
ankra chat history --limit 10 # max conversations (default: 20)
chat show
Show a specific conversation.
ankra chat show <conversation_id>
chat delete
Delete a conversation.
ankra chat delete <conversation_id>
Cluster Operations
cluster list
List all clusters.
cluster info
Show details of a specific cluster. Defaults to the currently selected cluster if no name is provided.
Aliases: ankra cluster get-cluster
ankra cluster info # uses selected cluster
ankra cluster info <cluster-name> # specific cluster
cluster select
Select a cluster for subsequent commands. Supports both interactive selection and direct selection by name.
ankra cluster select # interactive picker
ankra cluster select <cluster-name> # select directly by name
cluster clear
Clear the active cluster selection.
cluster reconcile
Trigger cluster reconciliation to sync desired state with actual state.
ankra cluster reconcile # uses selected cluster
ankra cluster reconcile <cluster-name> # specific cluster
cluster apply
Apply an ImportCluster YAML to the Ankra API.
ankra cluster apply -f <file>
# Validate the YAML locally (offline) without calling the API
ankra cluster apply -f <file> --dry-run
# Submit, then block until the platform finishes (with a timeout)
ankra cluster apply -f <file> --wait --timeout 15m
| Flag | Description |
|---|
--dry-run | Run the local structural, dependency, and YAML checks only, without calling the API. For server-side checks (chart existence, secret detection), use cluster validate |
--wait | Submit the change, then wait for the operation to finish and report success/failure (default: submit and return immediately) |
--timeout | Maximum time to wait when --wait is set (default 10m) |
Writes are submitted asynchronously by default - the command returns as soon as the platform accepts the change, and the work continues in the background. Add --wait to block until completion. Avoid resubmitting the same change while it may still be running.
cluster draft
Stage every stack in an ImportCluster YAML as reviewable drafts instead of deploying. Local checks run first (the same as --dry-run), then each stack is saved as a draft you can review, edit, and deploy from the stack builder. If the cluster doesn’t exist yet it is imported first (drafts attach to an existing cluster). Stacks already matching desired state report “no changes”.
ankra cluster draft -f <file>
cluster validate
Validate an ImportCluster YAML without applying it. Local checks run first, then the file is sent to the Ankra API for server-side validation the offline checks can’t do: chart existence in your connected Helm registries, plaintext Secret / unencrypted addon-value detection, and parent references resolved against a cluster’s resources.
ankra cluster validate -f <file>
# Treat plaintext secrets as errors instead of warnings
ankra cluster validate -f <file> --strict-secrets
# Validate against an existing cluster's deployed resources
ankra cluster validate -f <file> --cluster <cluster-id>
cluster clone
Clone stacks from an existing cluster to a new cluster configuration.
# Clone all stacks
ankra cluster clone source-cluster.yaml new-cluster.yaml
# Clone from a remote URL
ankra cluster clone https://github.com/org/repo/raw/main/cluster.yaml new-cluster.yaml
# Clone only specific stacks
ankra cluster clone cluster.yaml new-cluster.yaml --stack "monitoring" --stack "networking"
# Replace all stacks in target
ankra cluster clone cluster.yaml new-cluster.yaml --clean
# Force merge even with conflicts
ankra cluster clone cluster.yaml new-cluster.yaml --force
# Copy missing files from skipped stacks
ankra cluster clone cluster.yaml new-cluster.yaml --copy-missing
| Flag | Description |
|---|
--clean | Replace all stacks in the target (clean copy) |
--force | Force merge even when names conflict |
--copy-missing | Copy missing files even for skipped stacks |
--stack | Clone only specific stacks by name (repeatable) |
cluster provision
Provision (start) a managed cluster.
ankra cluster provision # uses selected cluster
ankra cluster provision <cluster-name> # specific cluster
cluster deprovision
Deprovision (stop) a managed cluster.
ankra cluster deprovision # uses selected cluster
ankra cluster deprovision <cluster-name> # specific cluster
ankra cluster deprovision <cluster-name> --auto-delete # auto-delete after deprovision
ankra cluster deprovision <cluster-name> --force # force even if unexpected state
| Flag | Description |
|---|
--auto-delete | Automatically delete the cluster after deprovisioning |
--force | Force deprovision even if cluster is in an unexpected state |
cluster roll-to
Roll a cluster resource to a specific version.
ankra cluster roll-to --version <resource_version_id>
ankra cluster roll-to --version <resource_version_id> --cluster <cluster_id>
| Flag | Description |
|---|
--version | Resource version ID to roll to (required) |
--cluster | Cluster ID (defaults to selected cluster) |
delete cluster
Delete a cluster by name.
ankra delete cluster <name>
ankra delete cluster <name> -f # skip confirmation
cluster access
Manage who can reach a cluster’s Kubernetes API through Ankra’s API proxy (organisation admins only). A grant maps an organisation member to a Kubernetes role, cluster-wide or limited to one namespace. See Cluster Access for roles, scopes, and how grants are reconciled into RBAC.
# List grants and their RBAC reconcile status
ankra cluster access list --cluster my-cluster
# Grant a member access (cluster-wide view by default)
ankra cluster access grant [email protected] --role view
# Limit a grant to one namespace
ankra cluster access grant [email protected] --role edit --namespace staging
# Revoke a single grant by ID, or every grant a member has on the cluster
ankra cluster access revoke 6f1f9aca-2c3d-4e5f-8a9b-0c1d2e3f4a5b
ankra cluster access revoke [email protected]
| Flag | Description |
|---|
--cluster | Cluster name or ID (defaults to the selected cluster) |
--role | Kubernetes role for the grant: view (default), edit, admin, or cluster-admin |
--namespace | Limit the grant to one namespace (default: cluster-wide) |
-o, --output | json or yaml for list and grant |
cluster kubeconfig
Manage the Ankra entries in your local kubeconfig so you can run kubectl against a cluster through Ankra’s API proxy. See Accessing Clusters with kubectl for the full flow.
# Add the selected cluster and make it active
ankra cluster kubeconfig add --cluster my-cluster --use
# Add every cluster you can access
ankra cluster kubeconfig add --all
# List and remove Ankra-managed contexts
ankra cluster kubeconfig list
ankra cluster kubeconfig remove --cluster my-cluster
add writes an exec-based context that fetches a short-lived token on demand (auto-refreshing, SSO-backed). Use --embed-token for a self-contained file, --print to write a standalone kubeconfig to stdout, and --namespace to set a default namespace. Other entries in your kubeconfig are left untouched.
cluster kube-token
Print a short-lived Kubernetes ExecCredential JSON. This is invoked by kubectl as a credential plugin (the default cluster kubeconfig add wires it up for you); you rarely run it directly.
ankra cluster kube-token --cluster <cluster-name-or-id>
cluster metrics
Query the Prometheus metrics source configured for a cluster (Cluster Settings → Metrics), proxied through the agent. See Prometheus integration.
# Instant PromQL query
ankra cluster metrics query 'up'
ankra cluster metrics query 'sum(rate(container_cpu_usage_seconds_total[5m])) by (pod)'
# Range query
ankra cluster metrics query-range 'rate(node_cpu_seconds_total[5m])' --range 6h --step 5m
| Flag | Description |
|---|
--cluster | Cluster name (defaults to the selected cluster) |
--range | Duration relative to now for query-range (e.g. 15m, 1h, 6h, 24h, 7d) |
--start / --end | Range bounds as Unix seconds (alternative to --range) |
--step | Resolution step for query-range (e.g. 30s, 1m, 5m) |
--timeout | Query timeout in seconds |
-o, --output | table (default), json, or yaml |
SOPS Encryption
Encrypt and decrypt manifest and addon configuration values using SOPS.
All encrypt and decrypt subcommands support two modes:
- Cluster mode (default) — fetch the resource from a live cluster, encrypt
or decrypt via the SOPS API, and (for encrypt) push the result back via the
partial-stack PATCH endpoint along with
encrypted_paths. No local files
needed. The owning stack is resolved automatically.
- File mode (
-f cluster.yaml) — rewrite the local from_file referenced
by a cluster.yaml, updating encrypted_paths in the YAML. Used by GitOps
workflows where the source of truth lives on disk.
The two modes are mutually exclusive. Without -f, the CLI uses the selected
cluster (or the cluster passed via --cluster <name|id>).
cluster sops-config
Display the SOPS encryption configuration including the public key for the organisation.
ankra cluster sops-config
cluster encrypt manifest
Encrypt a specific key in a manifest.
# Cluster mode (selected cluster)
ankra cluster encrypt manifest <manifest_name> --key <key_name>
# Cluster mode (specific cluster)
ankra cluster encrypt manifest <manifest_name> --key <key_name> --cluster <name|id>
# File mode
ankra cluster encrypt manifest <manifest_name> --key <key_name> -f <cluster.yaml>
| Flag | Description |
|---|
--key | YAML key name to encrypt (e.g. password, not data.password) — required. A dotted value is normalised to its last segment with a notice |
--cluster | Target cluster (name or ID); defaults to the active selection (cluster mode) |
-f, --file | Path to a local cluster.yaml (enables file mode) |
cluster encrypt addon
Encrypt a specific key in an addon’s Helm values.
# Cluster mode
ankra cluster encrypt addon --name <addon_name> --key <key_name> [--cluster <name|id>] [--stack <stack>]
# File mode
ankra cluster encrypt addon --name <addon_name> --key <key_name> -f <cluster.yaml>
| Flag | Description |
|---|
--name | Addon name — required |
--key | YAML key name to encrypt (e.g. adminPassword) — required. A dotted value is normalised to its last segment with a notice |
--cluster | Target cluster (cluster mode) |
--stack | Required (cluster mode) when the addon exists in multiple stacks |
-f, --file | Path to a local cluster.yaml (enables file mode) |
cluster decrypt manifest
Decrypt and print a manifest. Cluster mode fetches from the live cluster; file
mode reads the referenced from_file from a local cluster.yaml.
ankra cluster decrypt manifest <manifest_name> [--cluster <name|id>]
ankra cluster decrypt manifest <manifest_name> -f <cluster.yaml>
cluster decrypt addon
Decrypt and print an addon’s Helm values. Cluster mode fetches from the live
cluster; file mode reads the referenced from_file from a local cluster.yaml.
ankra cluster decrypt addon --name <addon_name> [--cluster <name|id>] [--stack <stack>]
ankra cluster decrypt addon --name <addon_name> -f <cluster.yaml>
You can add new encrypted keys to files that are already SOPS-encrypted, as long as they were encrypted with your organisation’s key.
If a file was encrypted by a different organisation, you’ll need to decrypt it first using the original key, then encrypt it with your organisation’s key.
Stack Management
All stack commands operate on the currently selected cluster.
cluster stacks list
List all stacks for the active cluster.
ankra cluster stacks list
ankra cluster stacks list <stack-name> # show details for a specific stack
cluster stacks create
Create a new stack.
ankra cluster stacks create my-stack
ankra cluster stacks create my-stack --description "Application stack"
cluster stacks delete
Delete a stack.
ankra cluster stacks delete <stack-name>
cluster stacks rename
Rename a stack.
ankra cluster stacks rename <old-name> <new-name>
cluster stacks history
Show change history for a stack.
ankra cluster stacks history <stack-name>
cluster stacks clone
Clone a stack to another cluster as a draft.
ankra cluster stacks clone <stack-name> --to <target-cluster>
ankra cluster stacks clone my-stack --to production --name my-stack-prod
ankra cluster stacks clone my-stack --to production --include-config=false
| Flag | Short | Description |
|---|
--to | -t | Target cluster name or ID (required) |
--name | -n | Custom name for the cloned stack |
--include-config | | Include addon configurations (default: true) |
Encrypted values are not transferred during cloning. You’ll need to reconfigure secrets in the target cluster.
cluster stacks variables
Manage stack-scoped variables — the most specific scope, shadowing cluster and
organisation variables of the same name when this stack’s manifests/addons are
rendered. Edits travel through the same partial-stack PATCH used by
manifests upgrade / addons upgrade.
ankra cluster stacks variables list <stack> # list
ankra cluster stacks variables get <stack> DB_HOST # print value
ankra cluster stacks variables set <stack> DB_HOST db.example.com # upsert
ankra cluster stacks variables set <stack> NEW_KEY new-val --dry-run # preview
ankra cluster stacks variables delete <stack> DB_HOST [--yes] # delete
| Subcommand | Notable flags |
|---|
list | --cluster <name|id>, -o json|yaml |
get | --cluster <name|id> |
set | --cluster <name|id>, --dry-run (pass - for the value to read from stdin) |
delete | --cluster <name|id>, --yes |
cluster variables
Manage cluster-scoped variables that are available to every stack on the
cluster. Cluster variables shadow organisation variables of the same name on
this cluster, and are shadowed by stack variables.
ankra cluster variables list # list (uses selected cluster)
ankra cluster variables get DB_HOST --cluster prod
ankra cluster variables set DB_HOST db.prod.example.com [--description <text>]
ankra cluster variables delete DB_HOST [--yes]
| Subcommand | Notable flags |
|---|
list | --cluster <name|id>, -o json|yaml |
get | --cluster <name|id>, -o json|yaml |
set | --cluster <name|id>, --description <text> (pass - for the value to read from stdin) |
delete | --cluster <name|id>, --yes |
Addon Management
All addon commands operate on the currently selected cluster.
cluster addons list
List all addons for the active cluster, or show details for a specific addon.
ankra cluster addons list
ankra cluster addons list <addon-name>
cluster addons available
List addons available for installation.
ankra cluster addons available
cluster addons settings
Get settings for a specific addon.
ankra cluster addons settings <addon-name>
cluster addons values
Print the addon’s current Helm values document. The decoded YAML is written to
stdout, ready to pipe to a file or edit and re-apply.
ankra cluster addons values <addon-name>
ankra cluster addons values <addon-name> -o raw # base64-encoded form
cluster addons update
Update settings for an addon from a JSON file.
ankra cluster addons update <addon-name> -f <settings.json>
cluster addons upgrade
Upgrade an addon in-place by patching only the fields you supply: bump the chart
version, mutate Helm values with helm-style --set, replace the whole values
document, swap registry credentials, or change the namespace.
# Bump the chart version
ankra cluster addons upgrade ankra-website --chart-version 1.0.146
# Mutate a single Helm values field (the CLI fetches and patches existing values)
ankra cluster addons upgrade website --set image.tag=1.0.146
# Address a list item by a stable field instead of a numeric index
ankra cluster addons upgrade website --set 'env[name=LOG_LEVEL].value=debug'
# Edit dependency parents (controls deployment ordering inside the stack)
ankra cluster addons upgrade infisical --add-parent name=infisical-ns,kind=manifest
| Flag | Description |
|---|
--chart-version | New chart version to install |
--set | Mutate one Helm value (repeatable, helm-style; supports foo[0] and foo[name=bar] selectors) |
--set-string | Like --set but always treats the value as a string |
--set-file | Like --set but reads the value from a file (key=path or key=@path) |
--add-parent | Add a dependency parent name=<n>,kind=<manifest|addon> (kind defaults to manifest; repeatable) |
--remove-parent | Remove a dependency parent (repeatable) |
--set-parent | Replace ALL dependency parents with the given set (repeatable) |
--values-from-file | Replace the entire values document from a file |
--values - | Replace the entire values document from stdin |
--registry-name / --registry-url / --registry-credential-name | Retag the addon’s registry |
--namespace | Change the namespace (destructive: Helm reinstall) |
--stack | Required when the addon exists in multiple stacks |
--dry-run | Print the before/after spec without applying |
-o json|yaml | Machine-readable output |
--set* (mutate) and --values-from-file / --values - (replace) are mutually exclusive. --set-parent replaces the parent list wholesale and cannot be combined with --add-parent/--remove-parent; removing the last parent clears the link.
cluster addons uninstall
Uninstall an addon from the cluster.
ankra cluster addons uninstall <addon-name>
ankra cluster addons uninstall <addon-name> --delete # also delete permanently
| Flag | Description |
|---|
--delete | Also delete the addon permanently |
Operations Management
All operations commands operate on the currently selected cluster.
cluster operations list
List operations for the active cluster, or show details for a specific operation.
ankra cluster operations list
ankra cluster operations list <operation_id>
cluster operations cancel
Cancel a running operation.
ankra cluster operations cancel <operation_id>
cluster operations cancel-job
Cancel a specific job within an operation.
ankra cluster operations cancel-job <operation_id> <job_id>
cluster operations jobs
List jobs for a specific operation.
ankra cluster operations jobs <operation_id>
ankra cluster operations jobs <operation_id> --kind reconcile
ankra cluster operations jobs <operation_id> --since "2025-01-01T00:00:00Z"
| Flag | Description |
|---|
--kind | Filter by job kind |
--since | Show jobs updated since this UTC timestamp |
Agent Management
All agent commands operate on the currently selected cluster.
cluster agent status
Get the agent status for the selected cluster.
ankra cluster agent status
cluster agent token
Get or generate the agent token.
ankra cluster agent token
ankra cluster agent token --generate # generate a new token
cluster agent upgrade
Upgrade the agent on the selected cluster.
ankra cluster agent upgrade
Manifest Management
cluster manifests list
List manifests for the active cluster, or show details for a specific manifest.
ankra cluster manifests list
ankra cluster manifests list <manifest-name>
cluster manifests get
Print a manifest’s current Kubernetes YAML. The decoded content is written to
stdout, ready to pipe to a file or edit and re-apply with --from-file.
ankra cluster manifests get <manifest-name>
ankra cluster manifests get <manifest-name> -o raw # base64-encoded form
cluster manifests upgrade
Upgrade a manifest in-place. Replace the whole manifest from a file or stdin, or
patch a single path inside the Kubernetes YAML with helm-style --set (for
example, to bump a Deployment image tag).
# Bump a Deployment's image tag in place
ankra cluster manifests upgrade web \
--set 'spec.template.spec.containers[name=app].image=nginx:1.27'
# Pick a document when the manifest holds several
ankra cluster manifests upgrade web \
--target-kind Deployment --target-name web \
--set 'spec.replicas=3'
# Replace the whole manifest from a file
ankra cluster manifests upgrade demo-namespace --from-file manifests/demo.yaml
# Edit dependency parents (controls deployment ordering inside the stack)
ankra cluster manifests upgrade web --add-parent name=infisical-ns,kind=manifest
| Flag | Description |
|---|
--set | Mutate one path in the manifest YAML (repeatable; supports containers[0] and containers[name=app] selectors) |
--set-string | Like --set but always treats the value as a string |
--set-file | Like --set but reads the value from a file (key=path or key=@path) |
--target-kind | With --set: pick the document by Kubernetes kind (multi-doc manifests) |
--target-name | With --set: pick the document by metadata.name (multi-doc manifests) |
--add-parent | Add a dependency parent name=<n>,kind=<manifest|addon> (kind defaults to manifest; repeatable) |
--remove-parent | Remove a dependency parent (repeatable) |
--set-parent | Replace ALL dependency parents with the given set (repeatable) |
--from-file | Replace the entire manifest from a file |
--manifest - | Replace the entire manifest from stdin |
--namespace | Change the manifest’s namespace |
--dry-run | Print the before/after spec without applying |
-o json|yaml | Machine-readable output |
--set* MUTATE the existing manifest and are mutually exclusive with --from-file / --manifest -, which REPLACE it. A list selector that matches nothing fails with a clear error rather than guessing. Parent flags (--add-parent / --remove-parent / --set-parent) edit dependency parents; --set-parent replaces the list wholesale and cannot be combined with the others.
cluster manifests delete
Disconnect a manifest from its stack, removing its resources from the cluster.
The owning stack is resolved automatically (manifest names are unique per
cluster). A confirmation prompt protects the operation.
ankra cluster manifests delete <manifest-name>
ankra cluster manifests delete <manifest-name> --yes # skip confirmation
ankra cluster manifests delete <manifest-name> --dry-run # preview only
| Flag | Description |
|---|
--yes | Skip the confirmation prompt |
--dry-run | Print the manifest that would be disconnected without making changes |
--cluster | Target cluster (name or ID); defaults to the active selection |
Kubernetes Resources
Browse and inspect Kubernetes resources in the active cluster. All commands operate on the currently selected cluster.
cluster get pods
List pods or get a specific pod’s manifest.
ankra cluster get pods
ankra cluster get pods -n kube-system
ankra cluster get pods --all-namespaces
ankra cluster get pods my-pod -n default # get a specific pod's manifest
ankra cluster get pods --node worker-1 # filter by node
ankra cluster get pods --name nginx # filter by name (contains)
ankra cluster get pods -o json # output as JSON
| Flag | Short | Description |
|---|
--namespace | -n | Kubernetes namespace |
--all-namespaces | -A | List across all namespaces |
--node | | Filter by node name |
--name | | Filter by pod name (contains) |
--output | -o | Output format: table, json, yaml (default: table) |
cluster get <kind>
List resources of a specific kind. Dedicated commands are available for common resource types:
deployments, services, nodes, namespaces, ingresses, events, configmaps, secrets, statefulsets, daemonsets, k8s-jobs, cronjobs
ankra cluster get deployments
ankra cluster get deployments -n kube-system
ankra cluster get services --all-namespaces
ankra cluster get nodes
ankra cluster get events -n default
ankra cluster get secrets -n my-app -o json
ankra cluster get deployments my-deploy -n default # get a specific resource's manifest
| Flag | Short | Description |
|---|
--namespace | -n | Kubernetes namespace |
--all-namespaces | -A | List across all namespaces |
--name | | Filter by resource name |
--selector | -l | Label selector |
--output | -o | Output format: table, json, yaml (default: table) |
nodes and namespaces are cluster-scoped and do not accept namespace flags.
cluster get resources
Fetch any Kubernetes resource type by kind. Use this for resource kinds not covered by the dedicated commands above.
ankra cluster get resources PersistentVolumeClaim -n default
ankra cluster get resources NetworkPolicy --all-namespaces
ankra cluster get resources CertificateRequest --group cert-manager.io -o json
| Flag | Short | Description |
|---|
--namespace | -n | Kubernetes namespace |
--all-namespaces | -A | List across all namespaces |
--name | | Filter by resource name |
--selector | -l | Label selector |
--output | -o | Output format: table, json, yaml (default: table) |
--api-version | | API version (default: v1) |
--group | | API group (e.g., apps, networking.k8s.io) |
cluster logs
Stream log output from a pod in the active cluster.
ankra cluster logs my-pod -n default
ankra cluster logs my-pod -n default -c my-container
ankra cluster logs my-pod -n default --tail 100
ankra cluster logs my-pod -n default --since 3600
| Flag | Short | Description |
|---|
--namespace | -n | Kubernetes namespace (required) |
--container | -c | Container name (defaults to pod name) |
--tail | | Number of lines from the end of the logs |
--since | | Seconds of logs to retrieve |
Helm Charts
charts list
List available Helm charts.
ankra charts list
ankra charts list --page 2 --page-size 50
ankra charts list --subscribed # show only subscribed charts
charts search
Search for Helm charts by name.
ankra charts search nginx
ankra charts search prometheus
charts info
Get detailed information about a chart.
ankra charts info nginx
ankra charts info grafana --repository https://grafana.github.io/helm-charts
In-Cluster Helm Releases
Manage Helm releases running in the active cluster. These commands operate on the currently selected cluster.
cluster helm releases
List Helm releases in the cluster.
ankra cluster helm releases
ankra cluster helm releases -n kube-system
ankra cluster helm releases --all-namespaces
ankra cluster helm releases -o json
| Flag | Short | Description |
|---|
--namespace | -n | Kubernetes namespace |
--all-namespaces | -A | List across all namespaces (default) |
--output | -o | Output format: table, json (default: table) |
cluster helm uninstall
Uninstall a Helm release from the cluster.
ankra cluster helm uninstall my-release -n default
| Flag | Short | Description |
|---|
--namespace | -n | Kubernetes namespace (required) |
Helm Registries
Manage organisation-level Helm chart registries and registry credentials.
helm registries list
List all Helm chart registries.
ankra helm registries list
helm registries get
Get details of a Helm chart registry.
ankra helm registries get <name>
helm registries create
Create a Helm chart registry from a JSON spec file.
ankra helm registries create -f registry-spec.json
| Flag | Short | Description |
|---|
--file | -f | Path to registry spec JSON file (required) |
helm registries delete
Delete a Helm chart registry.
ankra helm registries delete <name>
ankra helm registries delete <name> -f # skip confirmation
| Flag | Short | Description |
|---|
--force | -f | Skip confirmation prompt |
Helm Registry Credentials
helm credentials list
List all Helm registry credentials.
ankra helm credentials list
helm credentials create
Create a Helm registry credential with username and password. The password is prompted interactively.
ankra helm credentials create --name my-cred --username user
# Password: ****
# Helm registry credential 'my-cred' created successfully!
| Flag | Description |
|---|
--name | Credential name (required) |
--username | Registry username (required) |
helm credentials delete
Delete a Helm registry credential.
ankra helm credentials delete <name>
ankra helm credentials delete <name> -f # skip confirmation
| Flag | Short | Description |
|---|
--force | -f | Skip confirmation prompt |
Hetzner Clusters
Provision, manage, and scale Kubernetes clusters on Hetzner Cloud.
cluster hetzner create
Create a new Hetzner cluster.
ankra cluster hetzner create \
--name my-cluster \
--credential-id <hetzner-credential-id> \
--ssh-key-credential-ids <key-id-1>,<key-id-2> \
--location fsn1
| Flag | Default | Description |
|---|
--name | required | Cluster name |
--credential-id | required | Hetzner API credential ID |
--ssh-key-credential-ids | | SSH key credential IDs (comma-separated for multiple keys) |
--ssh-key-credential-id | | SSH key credential ID (single key, for backward compatibility) |
--location | required | Hetzner datacenter (e.g., fsn1, nbg1, hel1) |
--control-plane-count | 1 | Number of control plane nodes |
--control-plane-server-type | cx33 | Server type for control planes |
--worker-count | 1 | Number of worker nodes |
--worker-server-type | cx33 | Server type for workers |
--bastion-server-type | cx23 | Server type for the bastion host |
--network-ip-range | 10.0.0.0/16 | Private network IP range |
--subnet-range | 10.0.1.0/24 | Subnet range |
--distribution | k3s | Kubernetes distribution |
--kubernetes-version | latest | Kubernetes version |
cluster hetzner deprovision
Deprovision a Hetzner cluster and delete all associated resources.
ankra cluster hetzner deprovision <cluster_id>
cluster hetzner workers
Get the current worker count and scaling limits.
ankra cluster hetzner workers <cluster_id>
cluster hetzner node-group
Manage node groups for a Hetzner cluster.
ankra cluster hetzner node-group list <cluster_id>
ankra cluster hetzner node-group add <cluster_id> --name <name> --instance-type <type> --count <n>
ankra cluster hetzner node-group scale <cluster_id> <group_name> <count>
ankra cluster hetzner node-group upgrade <cluster_id> <group_name> <instance_type>
ankra cluster hetzner node-group delete <cluster_id> <group_name>
cluster hetzner scale
Scale all worker nodes up or down (legacy, prefer node-group scale).
ankra cluster hetzner scale <cluster_id> <worker_count>
# Scale up to 5 workers
ankra cluster hetzner scale abc-123 5
# Scale down to 2 workers
ankra cluster hetzner scale abc-123 2
cluster hetzner k8s-version
Get the current Kubernetes version and distribution.
ankra cluster hetzner k8s-version <cluster_id>
cluster hetzner upgrade
Upgrade the Kubernetes (k3s) version on all nodes. Only supports upgrading one minor version at a time; downgrades are not supported.
ankra cluster hetzner upgrade <cluster_id> <target_version>
# Upgrade to v1.35.1+k3s1
ankra cluster hetzner upgrade abc-123 v1.35.1+k3s1
OVH Clusters
Provision, manage, and scale Kubernetes clusters on OVH Cloud.
cluster ovh create
Create a new OVH cluster.
ankra cluster ovh create \
--name my-cluster \
--credential-id <ovh-credential-id> \
--ssh-key-credential-id <ssh-key-credential-id> \
--region GRA7
| Flag | Default | Description |
|---|
--name | required | Cluster name |
--credential-id | required | OVH API credential ID |
--ssh-key-credential-id | required | SSH key credential ID |
--region | required | OVH Cloud region (e.g., GRA7, SBG5, BHS5) |
--control-plane-count | 1 | Number of control plane nodes |
--control-plane-flavor-id | b2-15 | Instance flavor for control planes |
--worker-count | 1 | Number of worker nodes |
--worker-flavor-id | b2-15 | Instance flavor for workers |
--gateway-flavor-id | b2-7 | Instance flavor for the gateway |
--network-vlan-id | 0 | VLAN ID for the private network |
--subnet-cidr | 10.0.1.0/24 | Subnet CIDR range |
--dhcp-start | 10.0.1.100 | DHCP allocation range start |
--dhcp-end | 10.0.1.200 | DHCP allocation range end |
--distribution | k3s | Kubernetes distribution |
--kubernetes-version | latest | Kubernetes version |
cluster ovh deprovision
Deprovision an OVH cluster and delete all associated resources.
ankra cluster ovh deprovision <cluster_id>
cluster ovh workers
Get the current worker count and scaling limits.
ankra cluster ovh workers <cluster_id>
cluster ovh node-group
Manage node groups for an OVH cluster. OVH node groups also support Kubernetes labels and taints, both when adding a group and as dedicated subcommands to update them later.
ankra cluster ovh node-group list <cluster_id>
ankra cluster ovh node-group add <cluster_id> --name <name> --instance-type <type> --count <n> \
--labels "team=platform,tier=backend" \
--taints "dedicated=gpu:NoSchedule"
ankra cluster ovh node-group scale <cluster_id> <group_name> <count>
ankra cluster ovh node-group upgrade <cluster_id> <group_name> <instance_type>
ankra cluster ovh node-group delete <cluster_id> <group_name>
# Update labels / taints on an existing group (empty value clears them)
ankra cluster ovh node-group labels <cluster_id> <group_name> --labels "team=platform"
ankra cluster ovh node-group taints <cluster_id> <group_name> --taints "dedicated=gpu:NoSchedule"
| Flag | Description |
|---|
--labels | Comma-separated key=value labels for the node group |
--taints | Comma-separated key=value:Effect taints (e.g. dedicated=gpu:NoSchedule) |
Node-group mutations are submitted asynchronously. Add --wait (with an optional --timeout) to block until the operation completes instead of returning immediately.
cluster ovh scale
Scale all worker nodes up or down (legacy, prefer node groups via Settings > Nodes).
ankra cluster ovh scale <cluster_id> <worker_count>
# Scale up to 5 workers
ankra cluster ovh scale abc-123 5
# Scale down to 2 workers
ankra cluster ovh scale abc-123 2
cluster ovh k8s-version
Get the current Kubernetes version and distribution.
ankra cluster ovh k8s-version <cluster_id>
cluster ovh upgrade
Upgrade the Kubernetes (k3s) version on all nodes. Only supports upgrading one minor version at a time; downgrades are not supported.
ankra cluster ovh upgrade <cluster_id> <target_version>
# Upgrade to v1.35.1+k3s1
ankra cluster ovh upgrade abc-123 v1.35.1+k3s1
UpCloud Clusters
Provision, manage, and scale Kubernetes clusters on UpCloud.
cluster upcloud create
Create a new UpCloud cluster.
ankra cluster upcloud create \
--name my-cluster \
--credential-id <upcloud-credential-id> \
--ssh-key-credential-id <ssh-key-credential-id> \
--zone fi-hel1
| Flag | Default | Description |
|---|
--name | required | Cluster name |
--credential-id | required | UpCloud API credential ID |
--ssh-key-credential-id | required | SSH key credential ID |
--zone | required | UpCloud zone (e.g., fi-hel1, de-fra1, nl-ams1) |
--control-plane-count | 1 | Number of control plane nodes |
--control-plane-plan | 2xCPU-4GB | Plan for control plane nodes |
--worker-count | 1 | Number of worker nodes |
--worker-plan | 2xCPU-4GB | Plan for worker nodes |
--bastion-plan | 1xCPU-2GB | Plan for the bastion host |
--network-ip-range | 10.0.0.0/16 | Private network IP range |
--distribution | k3s | Kubernetes distribution |
--kubernetes-version | latest | Kubernetes version |
cluster upcloud deprovision
Deprovision an UpCloud cluster and delete all associated resources.
ankra cluster upcloud deprovision <cluster_id>
cluster upcloud workers
Get the current worker count and scaling limits.
ankra cluster upcloud workers <cluster_id>
cluster upcloud node-group
Manage node groups for an UpCloud cluster.
ankra cluster upcloud node-group list <cluster_id>
ankra cluster upcloud node-group add <cluster_id> --name <name> --instance-type <plan> --count <n>
ankra cluster upcloud node-group scale <cluster_id> <group_name> <count>
ankra cluster upcloud node-group upgrade <cluster_id> <group_name> <plan>
ankra cluster upcloud node-group delete <cluster_id> <group_name>
cluster upcloud scale
Scale all worker nodes up or down (legacy, prefer node-group scale).
ankra cluster upcloud scale <cluster_id> <worker_count>
# Scale up to 5 workers
ankra cluster upcloud scale abc-123 5
# Scale down to 2 workers
ankra cluster upcloud scale abc-123 2
cluster upcloud k8s-version
Get the current Kubernetes version and distribution.
ankra cluster upcloud k8s-version <cluster_id>
cluster upcloud upgrade
Upgrade the Kubernetes (k3s) version on all nodes. Only supports upgrading one minor version at a time; downgrades are not supported.
ankra cluster upcloud upgrade <cluster_id> <target_version>
OVH Credentials
Manage OVH API credentials and SSH key credentials.
credentials ovh list
List all OVH API credentials.
ankra credentials ovh list
credentials ovh create
Create an OVH API credential. You will be prompted securely for the application key, application secret, and consumer key.
ankra credentials ovh create --name my-ovh-cred --project-id <project-id>
# OVH Application Key: mykey
# OVH Application Secret: ****
# OVH Consumer Key: ****
# OVH credential 'my-ovh-cred' created successfully!
| Flag | Description |
|---|
--name | Credential name (required) |
--project-id | OVH Cloud project ID (required) |
credentials ovh ssh-key list
List all SSH key credentials.
ankra credentials ovh ssh-key list
ankra credentials ovh ssh-keys list, ankra credentials ovh ssh list
credentials ovh ssh-key create
Create an SSH key credential for OVH clusters.
# Generate a new keypair
ankra credentials ovh ssh-key create --name my-key --generate
# Provide your own public key
ankra credentials ovh ssh-key create --name my-key --public-key "ssh-ed25519 AAAA..."
| Flag | Description |
|---|
--name | Credential name (required) |
--public-key | SSH public key string |
--generate | Generate a new keypair (private key returned once) |
When using --generate, the private key is displayed only once. Save it immediately.
Hetzner Credentials
Manage Hetzner API credentials and SSH key credentials.
Aliases: ankra credentials hetzner, ankra creds hz
credentials hetzner list
List all Hetzner API credentials.
ankra credentials hetzner list
credentials hetzner create
Create a Hetzner API credential. The API token is prompted for securely (masked input, not stored in shell history).
ankra credentials hetzner create --name my-hetzner-token
# Hetzner API Token: ****
# Hetzner credential 'my-hetzner-token' created successfully!
| Flag | Description |
|---|
--name | Credential name (required) |
credentials hetzner ssh-key list
List all SSH key credentials.
ankra credentials hetzner ssh-key list
ankra credentials hetzner ssh-keys list, ankra credentials hetzner ssh list
credentials hetzner ssh-key create
Create an SSH key credential.
# Generate a new keypair
ankra credentials hetzner ssh-key create --name my-key --generate
# Provide your own public key
ankra credentials hetzner ssh-key create --name my-key --public-key "ssh-ed25519 AAAA..."
| Flag | Description |
|---|
--name | Credential name (required) |
--public-key | SSH public key string |
--generate | Generate a new keypair (private key returned once) |
When using --generate, the private key is displayed only once. Save it immediately.
UpCloud Credentials
Manage UpCloud API credentials and SSH key credentials.
Aliases: ankra credentials upcloud, ankra creds uc
credentials upcloud list
List all UpCloud API credentials.
ankra credentials upcloud list
credentials upcloud create
Create an UpCloud API credential. You will be prompted securely for the API token.
ankra credentials upcloud create --name my-upcloud-cred
# UpCloud API Token: ****
# UpCloud credential 'my-upcloud-cred' created successfully!
| Flag | Description |
|---|
--name | Credential name (required) |
credentials upcloud ssh-key list
List all SSH key credentials.
ankra credentials upcloud ssh-key list
ankra credentials upcloud ssh-keys list, ankra credentials upcloud ssh list
credentials upcloud ssh-key create
Create an SSH key credential for UpCloud clusters.
# Generate a new keypair
ankra credentials upcloud ssh-key create --name my-key --generate
# Provide your own public key
ankra credentials upcloud ssh-key create --name my-key --public-key "ssh-ed25519 AAAA..."
| Flag | Description |
|---|
--name | Credential name (required) |
--public-key | SSH public key string |
--generate | Generate a new keypair (private key returned once) |
When using --generate, the private key is displayed only once. Save it immediately.
Credentials
Aliases: ankra credentials, ankra credential, ankra cred, ankra creds
credentials list
List all credentials.
ankra credentials list
ankra credentials list --provider github # filter by provider
credentials get
Get details of a specific credential.
ankra credentials get <credential_id>
credentials validate
Check if a credential name is available.
ankra credentials validate my-new-credential
credentials delete
Delete a credential.
ankra credentials delete <credential_id>
API Tokens
Aliases: ankra tokens, ankra token
tokens list
List all API tokens.
tokens create
Create a new API token.
ankra tokens create my-ci-token
ankra tokens create my-temp-token --expires "2026-12-31T00:00:00Z"
tokens revoke
Revoke an API token (must be revoked before deletion).
ankra tokens revoke <token_id>
tokens delete
Delete a revoked API token.
ankra tokens delete <token_id>
Stack Profiles
List, export, and import reusable stack profiles in the active organisation.
# List stack profiles
ankra stack-profiles list
# Export a profile version as ClusterInfrastructureAsCode YAML
ankra stack-profiles export-iac <profile-id> --version 2 --output profile.yaml
# Import a profile from exported IaC (file is a positional argument)
ankra stack-profiles import profile.yaml --name my-profile --category general
Support
Create and track support requests for your organisation. Every request is reviewed by Ankra AI before it reaches the team; use --force on create to submit a flagged request anyway.
ankra support create --subject "Nodes NotReady" --description "..." --cluster prod
ankra support list
ankra support get <ticket-id>
ankra support comment <ticket-id> --message "Any update?"
ankra support attach <ticket-id> screenshot.png
ankra support close <ticket-id>
| Command | Description |
|---|
create | Create a request (--subject, --description required; --category, --severity, --cluster, --force) |
list | List requests (--status repeatable, -q/--query, --page, --page-size) |
get <id> | Show a request and its replies |
comment <id> | Add a reply (-m/--message) |
attach <id> <file>... | Attach screenshots or images |
close <id> | Close a request (--yes to skip the prompt) |
-o json|yaml for scripting.
Shell Completion
Generate or install shell completion scripts.
ankra completion bash # print bash completion script
ankra completion zsh # print zsh completion script
ankra completion fish # print fish completion script
ankra completion powershell # print powershell completion script
ankra completion install # install completions for current shell
ankra completion install --shell zsh # install for a specific shell
Agent Skills
Install the curated Ankra Agent Skills into a
Cursor/Claude skills directory so your AI agent follows Ankra’s recommended practices for the
CLI, ImportCluster YAML, stacks/addons, GitOps, CI/CD, SOPS secrets, Helm registries,
observability, alerts, Terraform, and cloud clusters. The skills are embedded in the CLI, so
installation works offline.
ankra skills list # list available skills (marks installed ones)
ankra skills install # install all into ~/.cursor/skills (personal)
ankra skills install --project . # install into ./.cursor/skills (project)
ankra skills install ankra-cli ankra-gitops # install only named skills
ankra skills install --force # overwrite existing skills
ankra skills uninstall # remove all Ankra skills
ankra skills uninstall ankra-cli # remove a named skill
ankra skills installs the static, curated skill set. To generate a SKILL.md describing one
of your own clusters, use ankra openclaw skill instead.
Global Flags
| Flag | Description |
|---|
--version | Show CLI version |
--help | Show help for any command |
--base-url | Base URL for the Ankra API |
--config | Config file (default: ~/.ankra.yaml) |
--token | API token for authentication |
Configuration
The CLI stores configuration in ~/.ankra.yaml:
token: your-api-token
base-url: https://platform.ankra.app
token_id: token-uuid
token_name: ankra-cli-hostname-username
--token flag (explicit CLI argument)- Config file token (saved by
ankra login)
ANKRA_API_TOKEN environment variable
The base URL can be overridden with --base-url or the ANKRA_BASE_URL environment variable.
Troubleshooting
Common Issues
PATH issues:
which ankra # verify installation location
echo $PATH # check PATH includes ankra location
ankra logout # clear credentials
ankra login # re-authenticate
ankra --help
ankra cluster --help
ankra chat --help
Error Messages
- “No active cluster selected” Run
ankra cluster select first
- “Resource not found” Verify the resource name and selected cluster
- “Unauthorized” Re-authenticate with
ankra login
Support & Resources
For more advanced usage, see the full documentation or contact support.
