By Samson Tanimawo, PhD. Published Mar 21, 2026.

Calling kubectl Safely from an Agent

kubectl is a sharp tool. This post describes a wrapper that allowlists verbs, classifies blast radius, and refuses anything outside scope, together with the test suite that proves it.

Verb allowlist

Allow: get, describe, logs. These are read-only; safe in any context.

Conditional allow: scale, rollout (with a controlled namespace and replica delta).

Deny: delete, exec, port-forward, edit. These are too dangerous for unattended agent use.

Scope by namespace and resource

The agent's kubectl wrapper restricts the namespace. The "production" namespace requires extra approval.

It restricts resource type. The agent can list pods but not modify CRDs.

It restricts label selectors. "Anything in the dev namespace is fair game; production requires app=approved-set."

Blast-radius classification

Get/describe: blast 0. No state change.

Logs: blast 0 in normal operation; can be high if log lines are huge (cost). Cap output size.

Scale 1→3 on a Deployment: blast contained to the deployment.

Rollout undo: blast contained to the deployment but irreversible without effort.

Test suite for the wrapper

Each allowed verb on each resource type: pass.

Each denied verb: fail with a clear error.

Each conditional: pass with the right scope, fail without.

Edge cases: empty namespace, malformed selectors, very long outputs.
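A policy core that a suite like this would exercise, as an added example rather than the author's wrapper: it takes structured fields instead of a raw command string and returns the argv to execute, or raises with a clear reason. The function and parameter names, the namespace set, the replica limit, the log byte cap and the permitted rollout actions are all assumptions.

```python
import re

READ_ONLY = {"get", "describe", "logs"}
CONDITIONAL = {"scale", "rollout"}        # allowed only inside a tight scope
# Assumed policy values for this example (not from the article).
NAMESPACES = {"dev", "production"}
NEEDS_APPROVAL = {"production"}
MUTABLE_KINDS = {"deployment"}            # CRDs and the rest stay read-only
MAX_DELTA = 2                             # largest replica change per call
LOG_BYTE_CAP = 65536
_PAIR = r"[A-Za-z0-9][\w./-]*=[A-Za-z0-9][\w.-]*"
SELECTOR_RE = re.compile(rf"{_PAIR}(,{_PAIR})*", re.ASCII)
NAME_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")  # never starts with "-"

class Denied(Exception):
    """Refusal with a reason the agent and the audit log can read."""

def build_argv(verb, kind, namespace, name=None, selector=None,
               action=None, current=None, target=None, approved=False):
    """Validate a structured request; return the kubectl argv or raise Denied."""
    if verb not in READ_ONLY | CONDITIONAL:   # delete, exec, edit, port-forward
        raise Denied(f"verb {verb!r} is not permitted for agents")
    if namespace not in NAMESPACES:           # also catches "" and None
        raise Denied(f"namespace {namespace!r} is out of scope")
    if namespace in NEEDS_APPROVAL and not approved:
        raise Denied(f"namespace {namespace!r} requires extra approval")
    if not NAME_RE.fullmatch(kind) or (name and not NAME_RE.fullmatch(name)):
        raise Denied("malformed resource kind or name")
    if selector is not None and (name or verb not in ("get", "describe")
                                 or not SELECTOR_RE.fullmatch(selector)):
        raise Denied(f"selector {selector!r} is malformed or not allowed here")
    argv = ["kubectl", verb]
    if verb in CONDITIONAL:
        if kind not in MUTABLE_KINDS or not name:
            raise Denied(f"{verb} is limited to a named deployment")
        if verb == "rollout":
            if action not in ("status", "undo"):   # assumed permitted actions
                raise Denied(f"rollout action {action!r} is not permitted")
            argv.append(action)
        elif None in (current, target) or target < 0 or abs(target - current) > MAX_DELTA:
            raise Denied(f"replica change must stay within {MAX_DELTA}")
        else:
            argv += [f"--replicas={target}", f"--current-replicas={current}"]
    elif verb == "logs":
        if not name:
            raise Denied("logs requires a named resource")
        argv.append(f"--limit-bytes={LOG_BYTE_CAP}")
    argv += [f"{kind}/{name}" if name else kind, "-n", namespace]
    return argv + (["-l", selector] if selector else [])
```

Execute the returned list directly (for example with subprocess.run and no shell). Passing --current-replicas makes the API server refuse the scale if the live replica count no longer matches the count the policy approved.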

Observability of kubectl calls

Every kubectl call is logged with: agent run id, verb, resource, namespace, exit code, output size.

Aggregate dashboards: calls per agent role, calls per verb, error rates per verb.

Outlier alerts: a sudden spike in a normally-quiet verb is a flag worth investigating.