
AI agents need restricted kubectl access
Mike Anderson's dev.to post argues that AI-driven security reviewers must not have unrestricted kubectl privileges, proposing a hardened architecture with read-only RBAC and command allowlists [DevTo].
Mike Anderson's June 2, 2026 dev.to article warns that AI agents should not be granted direct kubectl access to production clusters [DevTo]. Anderson proposes a concrete harness design that limits the agent to read-only operations and human-approved remediation. This design includes a dedicated service account with read-only RBAC and a strict command whitelist.
Anderson shows that an AI agent with a generic cluster-admin role could silently exfiltrate credentials even if the model never explicitly requests them [DevTo]. Additionally, prompt injection can turn data into commands, allowing an attacker to embed malicious instructions in a Deployment annotation [DevTo]. Without command filtering, the model can issue kubectl delete pod … or kubectl exec calls that bypass logging and human review [DevTo].
To mitigate these risks, Anderson recommends exporting the cluster state (kubectl get … -o yaml) and sanitizing fields such as data and managedFields to create an immutable evidence package [DevTo]. The AI then operates on static files rather than a live API, enabling full audit trails and repeatable scans. Final remediation must pass through Kyverno, OPA Gatekeeper, or Kubernetes Pod Security Admission, preserving the separation of duties between analysis and enforcement [DevTo].
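As an added illustration of the harness Anderson describes, here is a small Python version of its two gates, the command allowlist and the evidence-package sanitizer; this is my own example code, not from the post. It assumes the export is taken with kubectl get … -o json rather than -o yaml so it needs no extra library, and it also strips the kubectl.kubernetes.io/last-applied-configuration annotation, which on a Secret duplicates the data field.

```python
import copy
import re
import shlex

ALLOWED_VERBS = {"get", "describe", "explain", "api-resources", "version"}  # read-only verbs only
DENIED_FLAG_PREFIXES = ("--as", "--kubeconfig", "--token", "--server", "--context")  # identity/target
SHELL_META = re.compile(r"[;&|<>`$]")  # no chaining, piping or command substitution
SECRET_FIELDS = ("data", "stringData")
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

def is_allowed_command(cmd: str) -> bool:
    """True only for a plain 'kubectl <read-only verb> ...' invocation; delete, exec, apply are refused."""
    if SHELL_META.search(cmd):
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return False
    if not argv or argv[0] != "kubectl":
        return False
    if any(tok.startswith(DENIED_FLAG_PREFIXES) for tok in argv[1:]):
        return False
    verb = next((tok for tok in argv[1:] if not tok.startswith("-")), None)
    return verb in ALLOWED_VERBS

def sanitize_export(export: dict) -> dict:
    """Return a redacted copy of a 'kubectl get ... -o json' export (a List or a single object)."""
    export = copy.deepcopy(export)
    items = export["items"] if export.get("kind") == "List" else [export]
    for obj in items:
        meta = obj.setdefault("metadata", {})
        meta.pop("managedFields", None)  # field-ownership history: noise for a reviewer
        # the last-applied annotation carries a full copy of the object, secret values included
        meta.get("annotations", {}).pop(LAST_APPLIED, None)
        if obj.get("kind") == "Secret":
            for field in SECRET_FIELDS:
                if field in obj:  # keep the key names so the reviewer sees what exists, drop the values
                    obj[field] = {k: "<redacted>" for k in obj[field]}
    return export

# Constructed sample export (not real cluster data): one Secret and one Deployment in namespace prod.
SAMPLE_EXPORT = {"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "v1", "kind": "Secret", "data": {"password": "aHVudGVyMg=="},
     "metadata": {"name": "db-creds", "namespace": "prod",
                  "managedFields": [{"manager": "kubectl"}],
                  "annotations": {LAST_APPLIED: '{"data":{"password":"aHVudGVyMg=="}}'}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"replicas": 1},
     "metadata": {"name": "api", "namespace": "prod", "annotations": {"team": "payments"},
                  "managedFields": [{"manager": "kubectl"}]}},
]}
```

Non-secret annotations such as the Deployment's are kept, since the reviewer still needs them as data; the harness simply never turns them into commands.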


