kubernetes-operations — agentic threat model
The kubernetes-operations agent presents a high-risk profile due to its ability to generate and configure critical infrastructure components like RBAC, network policies, and GitOps workflows. A compromise or prompt injection attack could lead to unauthorized cluster access, privilege escalation, or deployment of malicious workloads.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
| --- | --- | --- |
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.40 | |
| Contextual Awareness | 0.90 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.90 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — Claude Code uses underlying Claude models. The primary threat is prompt injection leading to the generation of backdoored Kubernetes manifests or overly permissive RBAC configurations.
Layer 2, Data Operations: Not certain from the listing — The agent likely reads local workspace files and cluster configurations to generate manifests, posing a risk of sensitive data exfiltration (e.g., secrets, configmaps) if the context is leaked.
Layer 3, Agent Frameworks: The agent framework orchestrates multiple subagents. Vulnerabilities in Claude Code's tool execution or insecure handling of subagent outputs could allow an attacker to execute arbitrary commands on the host or cluster.
Layer 4, Deployment and Infrastructure: As a local CLI plugin, the agent operates within the user's local environment and potentially holds active kubeconfig credentials. Compromise of this layer allows direct cluster access and lateral movement.
Layer 5, Evaluation and Observability: Not certain from the listing — While the agent configures observability for the cluster, there is no mention of internal guardrails or logging to detect malicious manifest generation or unauthorized tool execution by the agent itself.
Layer 6, Security and Compliance: The agent directly generates security policies and RBAC configurations. Malicious or accidental misconfigurations at this layer can bypass cluster security controls, leading to privilege escalation.
Layer 7, Agent Ecosystem: The agent bundles multiple subagents (manifests, networking, GitOps). A compromise of one subagent (e.g., manifest generation) can cascade to others (e.g., GitOps auto-applying the malicious manifest to production).
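Added example, not code from the plugin or from this threat model: a pre-apply guard for the Layer 6 and Layer 7 risks above, which audits agent-generated RBAC objects for cluster-admin-equivalent rules, escalation verbs, sensitive resources and over-broad bindings before a GitOps controller could apply them. It assumes the manifests are already parsed into dicts, and every object name in the sample is constructed.

```python
# Pre-apply guard for agent-generated RBAC objects (constructed, stdlib only; input dicts as from yaml.safe_load_all()).
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Resources whose read or write access lets a subject widen its rights or read credentials.
SENSITIVE_RESOURCES = {"*", "secrets", "roles", "rolebindings", "clusterroles", "clusterrolebindings", "pods/exec"}
BUILTIN_ADMIN_ROLES = {"cluster-admin", "admin", "edit"}
# Subjects that are effectively "everyone": broad groups and the ServiceAccount pods get by default.
BROAD_SUBJECTS = {("Group", "system:authenticated"), ("Group", "system:unauthenticated"), ("ServiceAccount", "default")}

def rule_findings(rule: dict) -> list[str]:
    """Return the problems in one PolicyRule, or [] if it is acceptable."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    if "*" in verbs and "*" in resources:
        return ["wildcard verbs on wildcard resources (cluster-admin equivalent)"]
    out = []
    if verbs & ESCALATION_VERBS:
        out.append(f"escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
    if verbs and resources & SENSITIVE_RESOURCES:
        out.append(f"access to sensitive resources {sorted(resources & SENSITIVE_RESOURCES)}")
    return out

def binding_findings(doc: dict) -> list[str]:
    """Flag bindings to built-in admin roles and bindings granted to over-broad subjects."""
    out = []
    if doc.get("roleRef", {}).get("name") in BUILTIN_ADMIN_ROLES:
        out.append(f"binds built-in role {doc['roleRef']['name']}")
    for subj in doc.get("subjects", []):
        if (subj.get("kind"), subj.get("name")) in BROAD_SUBJECTS:
            out.append(f"grants to over-broad subject {subj['kind']}/{subj['name']}")
    return out

def audit(docs: list[dict]) -> list[str]:
    """Audit every RBAC object in a manifest stream (other kinds are ignored); non-empty means block the apply."""
    findings = []
    for doc in docs:
        kind, name = doc.get("kind", ""), doc.get("metadata", {}).get("name", "<unnamed>")
        if kind in ("Role", "ClusterRole"):
            for i, rule in enumerate(doc.get("rules", [])):
                findings += [f"{kind}/{name} rules[{i}]: {f}" for f in rule_findings(rule)]
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            findings += [f"{kind}/{name}: {f}" for f in binding_findings(doc)]
    return findings

GENERATED = [  # constructed sample: the over-permissive output a compromised generator might emit
    {"kind": "ClusterRole", "metadata": {"name": "ops-agent"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-agent-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
]
```

Wiring `audit()` into the GitOps pre-merge check (or an admission webhook) turns the Layer 7 cascade into a blocked pull request rather than an applied manifest.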
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).