When teams connect AI agents to Kubernetes, they often start the security review with one question:
Can this agent read Kubernetes Secrets?
That is a good question, but it is not sufficient.
An agent may be blocked from the Kubernetes Secrets API and still be able to expose sensitive data indirectly through exec.
That makes Kubernetes exec a secret-adjacent capability.
The misleading comfort of blocked Secret API access
Imagine a Kubernetes tool service account with this posture:
get/list/watch secrets: no
create pods/exec: yes
At the API layer, this looks reassuring. The agent cannot run:
kubectl get secrets
kubectl describe secret
But if the same agent can exec into a running pod, it may be able to inspect what the container can see at runtime.
That can include:
- mounted Secret volumes
- service account tokens
- environment variables
- application config files
- credentials cached on disk
- cloud identity tokens
- files written by init containers or sidecars
So the real posture is:
Kubernetes Secret API access: blocked
Runtime secret exposure through pod exec: possible
That distinction matters a lot when the user interface is natural language.
Why exec is powerful
Exec is not one permission. It is a door into a process environment.
Even harmless-looking prompts can become risky:
Can you check the environment of this pod?
Can you cat the config directory?
Can you print the token file?
The Kubernetes API may not expose Secrets to the agent, but the application container might.
This is why pods/exec should not be treated like a normal read-only permission. It is interactive runtime access.
Practical risk classification
For agentic Kubernetes workflows, I like to classify exec requests separately from ordinary reads.
Green: Pure Kubernetes API reads
Yellow: Exec with safe diagnostic intent
Red: Exec that may expose secrets, credentials, tokens, or broad filesystem state
Examples:
| Request | Suggested Risk | Reason |
|---|---|---|
| List pods | Green | Kubernetes API read |
| Describe deployment | Green | Kubernetes API read |
| Get pod logs | Green/Yellow | Logs may contain sensitive data |
Exec uname -a
|
Yellow | Runtime access, but narrow output |
Exec ps aux
|
Yellow | Process details may be sensitive |
Exec printenv
|
Red | Environment variables often contain secrets |
Exec cat /var/run/secrets/...
|
Red | Explicit token/secret access |
Exec find / -type f
|
Red | Broad filesystem inspection |
This model is intentionally simple. It is designed to make risk visible before execution.
Use approval gates, not just polite prompts
An LLM asking "Do you approve?" is not an enforcement mechanism.
For sensitive tools, the platform should pause the actual tool call and require a real approval decision before execution.
A better flow:
User:
Run uname in this pod.
Agent:
Risk: Yellow
Reason: pod exec enters a live container, but the requested command is narrow.
Approval gate:
Approve / Reject
Tool:
Runs only after approval.
For Red requests, the platform can either block them outright or require a stronger approval path.
Add command-level guardrails
Start with obvious patterns:
secret
token
password
credential
kubeconfig
printenv
/var/run/secrets
This will not catch everything, but it catches the requests that should never slip through casually.
Then add context:
- Is the namespace sensitive?
- Is the pod part of the platform control plane?
- Is the user asking for broad filesystem access?
- Is the command trying to dump environment variables?
- Is the command wrapped in a shell?
An exec request is not just a command. It is a command plus a target plus a user plus an operational context.
RBAC still matters
Guardrails do not replace Kubernetes RBAC.
RBAC should still be scoped tightly:
- avoid broad cluster-wide exec permissions
- prefer namespace scoping where possible
- separate read-only tools from write/exec tools
- use different service accounts for different risk tiers
- keep destructive tools out of default agents
The agent should not have more power than the platform team is willing to expose through a normal operational workflow.
Final thought
Agentic Kubernetes platforms should treat exec with respect.
It is not the same as get pods.
It is closer to temporary access into the runtime boundary of an application. Sometimes that access is exactly what an incident needs, but it should be visible, approved, logged, and risk-classified.
The safest rule is simple:
If an agent can exec into a pod, assume it may be able to see what that pod can see.
Top comments (0)