Two sources describe how to build agentic workflows that can operate on Kubernetes without turning a chat interface into an unsafe “cluster-admin” path. Both emphasize that connecting an LLM to Kubernetes tools is not sufficient; the platform needs clear boundaries for what the agent can read, change, and execute. A layered architecture is proposed: a chat surface invokes an agent runtime, the agent calls a Kubernetes tool server via controlled interfaces (e.g., MCP), and the tool server uses a scoped Kubernetes service account.
The sources converge on starting with read-only capabilities (listing pods, describing deployments, viewing events, fetching logs). They then add write/remediation actions behind an explicit human approval gate, with the agent classifying risk before execution and the platform enforcing the approval decision. A simple risk model is highlighted, commonly using Green (safe read-only), Yellow (sensitive reads or limited operational changes), and Red (destructive or secret-adjacent actions).
A key shared point is that blocking access to the Kubernetes Secrets API does not eliminate secret risk, because exec into running containers can expose mounted secret files, tokens, environment variables, and credentials. Both also stress that RBAC remains essential, errors from denied actions should be surfaced accurately, and chat invocation and approval interactions should be restricted to approved teams/channels and isolated by thread context.