DEV Community

Devam Parikh
Devam Parikh

Posted on

Why Kubernetes Exec Is Secret-Adjacent in Agentic Operations

When teams connect AI agents to Kubernetes, they often start the security review with one question:

Can this agent read Kubernetes Secrets?

That is a good question, but it is not sufficient.

An agent may be blocked from the Kubernetes Secrets API and still be able to expose sensitive data indirectly through exec.

That makes Kubernetes exec a secret-adjacent capability.

The misleading comfort of blocked Secret API access

Imagine a Kubernetes tool service account with this posture:

get/list/watch secrets: no
create pods/exec: yes
Enter fullscreen mode Exit fullscreen mode

At the API layer, this looks reassuring. The agent cannot run:

kubectl get secrets
kubectl describe secret
Enter fullscreen mode Exit fullscreen mode

But if the same agent can exec into a running pod, it may be able to inspect what the container can see at runtime.

That can include:

  • mounted Secret volumes
  • service account tokens
  • environment variables
  • application config files
  • credentials cached on disk
  • cloud identity tokens
  • files written by init containers or sidecars

So the real posture is:

Kubernetes Secret API access: blocked
Runtime secret exposure through pod exec: possible
Enter fullscreen mode Exit fullscreen mode

That distinction matters a lot when the user interface is natural language.

Why exec is powerful

Exec is not one permission. It is a door into a process environment.

Even harmless-looking prompts can become risky:

Can you check the environment of this pod?
Enter fullscreen mode Exit fullscreen mode
Can you cat the config directory?
Enter fullscreen mode Exit fullscreen mode
Can you print the token file?
Enter fullscreen mode Exit fullscreen mode

The Kubernetes API may not expose Secrets to the agent, but the application container might.

This is why pods/exec should not be treated like a normal read-only permission. It is interactive runtime access.

Practical risk classification

For agentic Kubernetes workflows, I like to classify exec requests separately from ordinary reads.

Green:  Pure Kubernetes API reads
Yellow: Exec with safe diagnostic intent
Red:    Exec that may expose secrets, credentials, tokens, or broad filesystem state
Enter fullscreen mode Exit fullscreen mode

Examples:

Request Suggested Risk Reason
List pods Green Kubernetes API read
Describe deployment Green Kubernetes API read
Get pod logs Green/Yellow Logs may contain sensitive data
Exec uname -a Yellow Runtime access, but narrow output
Exec ps aux Yellow Process details may be sensitive
Exec printenv Red Environment variables often contain secrets
Exec cat /var/run/secrets/... Red Explicit token/secret access
Exec find / -type f Red Broad filesystem inspection

This model is intentionally simple. It is designed to make risk visible before execution.

Use approval gates, not just polite prompts

An LLM asking "Do you approve?" is not an enforcement mechanism.

For sensitive tools, the platform should pause the actual tool call and require a real approval decision before execution.

A better flow:

User:
  Run uname in this pod.

Agent:
  Risk: Yellow
  Reason: pod exec enters a live container, but the requested command is narrow.

Approval gate:
  Approve / Reject

Tool:
  Runs only after approval.
Enter fullscreen mode Exit fullscreen mode

For Red requests, the platform can either block them outright or require a stronger approval path.

Add command-level guardrails

Start with obvious patterns:

secret
token
password
credential
kubeconfig
printenv
/var/run/secrets
Enter fullscreen mode Exit fullscreen mode

This will not catch everything, but it catches the requests that should never slip through casually.

Then add context:

  • Is the namespace sensitive?
  • Is the pod part of the platform control plane?
  • Is the user asking for broad filesystem access?
  • Is the command trying to dump environment variables?
  • Is the command wrapped in a shell?

An exec request is not just a command. It is a command plus a target plus a user plus an operational context.

RBAC still matters

Guardrails do not replace Kubernetes RBAC.

RBAC should still be scoped tightly:

  • avoid broad cluster-wide exec permissions
  • prefer namespace scoping where possible
  • separate read-only tools from write/exec tools
  • use different service accounts for different risk tiers
  • keep destructive tools out of default agents

The agent should not have more power than the platform team is willing to expose through a normal operational workflow.

Final thought

Agentic Kubernetes platforms should treat exec with respect.

It is not the same as get pods.

It is closer to temporary access into the runtime boundary of an application. Sometimes that access is exactly what an incident needs, but it should be visible, approved, logged, and risk-classified.

The safest rule is simple:

If an agent can exec into a pod, assume it may be able to see what that pod can see.

Top comments (0)