Kubernetes RBAC for AI Agents: Least-Privilege Patterns


The Systemic Risk

An AI agent connected to Kubernetes is not harmless if its ServiceAccount is over-permissioned.

If a tool like K8sGPT, LangChain, Claude MCP, or a custom AI agent gets cluster-admin, a prompt-injection attack can turn into real API actions against the cluster.

The problem is not the LLM alone — the problem is giving the LLM-backed tool too much Kubernetes authority.


Why RBAC for AI Agents Needs a Different Security Model

Traditional automation is predictable.

AI agents are not.

They read logs, events, prompts, tool outputs, documentation, and user-provided instructions. Any of those inputs can become part of the model context.

That means an AI agent must be treated as an untrusted automation client.

The safest design is simple:

  • Dedicated ServiceAccount
  • Namespace-scoped Role
  • Minimal verbs
  • Explicit resource list
  • No Secrets access
  • No mutation rights
  • No cluster-wide binding

The Least-Privilege Pattern for AI Agents

The default pattern should be:

ServiceAccount → Role → RoleBinding → Namespace

Avoid this pattern unless there is a strict platform-level use case:

ServiceAccount → ClusterRole → ClusterRoleBinding → Entire Cluster

For AI agents, namespace isolation is the first security boundary.


ClusterRole vs Namespace Role

RBAC ObjectScopeSecurity Risk for AI AgentsRecommendation
RoleOne namespaceLower blast radiusDefault choice
RoleBindingOne namespaceControlled assignmentDefault binding
ClusterRoleCluster-wide or reusableEasy to over-scopeUse only with review
ClusterRoleBindingEntire clusterHighest blast radiusAvoid for AI agents

Why AI Agents Should Have Restricted Verbs

AI agents should rarely mutate Kubernetes resources.

For most diagnostic agents, these verbs are enough:

  • get
  • list
  • watch

Avoid giving these verbs by default:

  • create
  • update
  • patch
  • delete
  • deletecollection
  • impersonate
  • bind
  • escalate

The reason is direct:

If the agent can only read, prompt injection can influence recommendations.

If the agent can mutate, prompt injection can influence the cluster.


Recommended Verb Policy

VerbDefault DecisionReason
getAllow selectivelyRequired for object inspection
listAllow selectivelyRequired for namespace discovery
watchAllow selectivelyUseful for live state changes
createDeny by defaultCan create rogue workloads
patchDeny by defaultCan mutate running objects
updateDeny by defaultCan overwrite object state
deleteDeny by defaultDestructive action
impersonateDeny alwaysIdentity abuse risk
bindDeny alwaysPrivilege assignment risk
escalateDeny alwaysRBAC escalation risk

Production-Grade RBAC YAML for AI Agents

This example creates a safe diagnostic identity for an AI agent.

It allows the agent to:

  • Read Pods
  • List Pods
  • Watch Pods
  • Read Pod logs

It does not allow the agent to:

  • Read Secrets
  • Modify workloads
  • Delete resources
  • Escape the namespace
  • Change RBAC
  • Exec into containers

Least-Privilege YAML

apiVersion: v1
kind: Namespace
metadata:
  name: ai-diagnostics
  labels:
    security.infradecode.com/purpose: ai-agent-diagnostics
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-ai-diagnostics-agent
  namespace: ai-diagnostics
  labels:
    app.kubernetes.io/name: k8s-ai-diagnostics-agent
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: k8s-ai-diagnostics-readonly
  namespace: ai-diagnostics
  labels:
    security.infradecode.com/pattern: least-privilege-ai-agent
rules:
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
    # Read pod metadata and status only.
    # No create, update, patch, or delete permissions are granted.
    # This prevents prompt-injection from mutating workloads.

  - apiGroups: [""]
    resources:
      - pods/log
    verbs:
      - get
    # Pod logs are allowed for diagnostics.
    # Only get is required for log inspection.
    # No write operation is needed for an AI diagnostic agent.

  # Secrets are intentionally not included.
  # AI agents should not read credentials, tokens, passwords, or API keys.

  # pods/exec is intentionally not included.
  # AI agents should not open interactive execution paths into containers.

  # deployments, services, configmaps, and nodes are intentionally omitted.
  # Add them only after a reviewed use case exists.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k8s-ai-diagnostics-readonly-binding
  namespace: ai-diagnostics
  labels:
    security.infradecode.com/pattern: least-privilege-ai-agent
subjects:
  - kind: ServiceAccount
    name: k8s-ai-diagnostics-agent
    namespace: ai-diagnostics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: k8s-ai-diagnostics-readonly

Why This YAML Is intentionally Restrictive

This RBAC policy is built for diagnosis, not remediation.

The AI agent can inspect the state of Pods and logs inside one namespace.

It cannot take action on the cluster.

That distinction is important.

A diagnostic agent should explain issues.

A remediation controller should enforce controlled actions.

Do not combine both in the same identity.


Quick Summary: What is the optimal RBAC pattern for K8s AI Agents?

  • Use namespace-scoped Roles, not cluster-wide bindings.
  • Grant only get, list, watch on required resources.
  • Deny Secrets, mutation verbs, and impersonation by default.

Optional: Add Events Access Only If Required

Events can help AI agents explain scheduling failures, image pull errors, and Pod lifecycle issues.

But Events may expose operational context.

Add this only if required.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: k8s-ai-diagnostics-events-reader
  namespace: ai-diagnostics
rules:
  - apiGroups: [""]
    resources:
      - events
    verbs:
      - get
      - list
      - watch
    # Events help diagnose scheduling and lifecycle issues.
    # Enable only if event visibility is required for the agent.

Bind this Role only after review.

Do not add event access by default to every AI agent.


Verification and Auditing

RBAC is not complete until it is tested.

Use kubectl auth can-i to verify what the AI agent can and cannot do.


Set Variables

NS="ai-diagnostics"
SA="k8s-ai-diagnostics-agent"
IDENTITY="system:serviceaccount:${NS}:${SA}"

Verify Allowed Pod Read Access

kubectl auth can-i get pods \
--as="${IDENTITY}" \
-n "${NS}"

kubectl auth can-i list pods \
--as="${IDENTITY}" \
-n "${NS}"

kubectl auth can-i watch pods \
--as="${IDENTITY}" \
-n "${NS}"

Expected output:

yes
yes
yes

Verify Pod Log Access

kubectl auth can-i get pods \
--subresource=log \
--as="${IDENTITY}" \
-n "${NS}"

Expected output:

yes

Verify Delete Is Denied

kubectl auth can-i delete pods \
--as="${IDENTITY}" \
-n "${NS}"

Expected output:

no

Verify Patch Is Denied

kubectl auth can-i patch pods \
--as="${IDENTITY}" \
-n "${NS}"

Expected output:

no

Verify Update Is Denied

kubectl auth can-i update pods \
--as="${IDENTITY}" \
-n "${NS}"

Expected output:

no

Verify Create Is Denied

kubectl auth can-i create pods \
--as="${IDENTITY}" \
-n "${NS}"

Expected output:

no

Verify Secrets Access Is Denied

kubectl auth can-i get secrets \
--as="${IDENTITY}" \
-n "${NS}"

kubectl auth can-i list secrets \
--as="${IDENTITY}" \
-n "${NS}"

Expected output:

no
no

Verify Namespace Escape Is Blocked

kubectl auth can-i get pods \
--as="${IDENTITY}" \
-n kube-system

kubectl auth can-i list pods \
--as="${IDENTITY}" \
--all-namespaces

Expected output:

no
no

Verify RBAC Escalation Is Blocked

kubectl auth can-i create rolebindings \
--as="${IDENTITY}" \
-n "${NS}"

kubectl auth can-i create clusterrolebindings \
--as="${IDENTITY}"

kubectl auth can-i impersonate users \
--as="${IDENTITY}"

kubectl auth can-i bind clusterroles \
--as="${IDENTITY}"

kubectl auth can-i escalate clusterroles \
--as="${IDENTITY}"

Expected output:

no
no
no
no
no

Review Final Effective Permissions

kubectl auth can-i --list \
--as="${IDENTITY}" \
-n "${NS}"

Expected review result:

Only pods and pods/log should appear.

No secrets.

No delete.

No patch.

No update.

No impersonate.

No cluster-wide access.

Production Pitfalls to Avoid


1. Giving AI Agents Cluster-Wide View Access

Many teams assume view is safe.

It is not always safe for AI agents.

Cluster-wide read access can expose:

  • namespace names
  • workload topology
  • pod metadata
  • labels
  • annotations
  • runtime relationships
  • logs across environments

For AI systems, this data becomes context.

Context becomes attack surface.

Use namespace-scoped access unless cluster-wide visibility is strictly required.


2. Allowing AI Agents to Read Secrets

Do not grant AI agents access to Secrets.

This is one of the most dangerous mistakes.

Secrets may contain:

  • database credentials
  • API keys
  • webhook tokens
  • cloud credentials
  • signing keys
  • service tokens

Even read-only Secret access is dangerous.

If an AI agent needs to troubleshoot auth failures, provide sanitized error logs instead of raw Secret access.


3. Granting Mutation Verbs for Convenience

Do not give diagnostic agents these verbs:

create
update
patch
delete
deletecollection

These verbs turn an AI assistant into an active cluster operator.

That is a different risk category.

If remediation is needed, use a separate controlled workflow.


Safer Production Design

Use two separate identities.


Diagnostic Agent Identity

Allowed:

- get pods
- list pods
- watch pods
- get pod logs

Denied:

- secrets
- exec
- patch
- update
- delete
- impersonation
- cluster-wide access

Remediation Controller Identity

Allowed only when required:

- narrow CRD operations
- controlled remediation requests
- policy-approved actions

Required:

- approval gate
- audit logging
- rollback path
- scope limitation

The Correct Operating Model

AI agents should recommend.

Policy should enforce.

Humans should approve high-risk actions.

Controllers should execute only the approved changes.

This separation prevents prompt injection from becoming direct cluster compromise.


Final Security Position

Kubernetes AI agents must not inherit human administrator permissions.

They must use dedicated identities.

They must be scoped to namespaces.

They must be denied mutation verbs by default.

They must not read Secrets.

The access model must assume the agent can receive malicious instructions through logs, prompts, or tool outputs.

That is the security baseline.


🚀 InfraDecode Takeaway

AI agents can make Kubernetes diagnostics faster, but only if RBAC is designed correctly.

Use a dedicated ServiceAccount.

Bind it to a namespace-scoped Role.

Allow only the minimum read permissions required for diagnosis.

Deny Secrets, mutation verbs, impersonation, and cluster-wide access by default.

Least privilege is the boundary that prevents prompt injection from becoming cluster compromise.


Discover more from

Subscribe to get the latest posts sent to your email.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top