alexei-led/k8s-mcp-server — agentic threat model
The agent presents an extremely high-risk profile due to its ability to execute arbitrary Kubernetes, Helm, and ArgoCD commands, effectively granting cluster-admin level capabilities if misconfigured. While the Dockerized sandbox provides basic infrastructure isolation, the lack of application-level guardrails means a compromised or manipulated agent could easily destroy or compromise entire cluster environments.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.80 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
- Layer 1, Foundation Models: Not certain from the listing — The listing does not specify the underlying LLM used, but adversarial prompt injection could lead to unauthorized Kubernetes command generation.
- Layer 2, Data Operations: Not certain from the listing — No explicit data operations or vector stores are mentioned, though the agent reads cluster state and configuration data via the CLIs.
- Layer 3, Agent Frameworks: The MCP server exposes highly sensitive tools (kubectl, helm, istioctl, argocd) and Unix pipes. Tool misuse, or injection of malicious arguments into the CLI commands it builds, represents a critical vulnerability.
- Layer 4, Deployment and Infrastructure: The server runs in a Dockerized sandbox to isolate execution. However, if the container is misconfigured or has access to a highly privileged kubeconfig, container escape or lateral movement within the cluster is possible.
- Layer 5, Evaluation and Observability: Not certain from the listing — There is no mention of built-in logging, auditing, or guardrails to inspect or block destructive commands before execution.
- Layer 6, Security and Compliance: Security relies heavily on the scope of the provided kubeconfig. Without strict RBAC, the agent has over-privileged access, violating the principle of least privilege.
- Layer 7, Agent Ecosystem: Not certain from the listing — No multi-agent or marketplace interactions are detailed, but exposing cluster control to an ecosystem increases cascading-failure risk.
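As an added illustration of the application-level guardrail that the Layer 3 and Layer 5 threats call for (example code written here, not code from the k8s-mcp-server project), the following Python check tokenises a requested kubectl command without invoking a shell, refuses pipes and metacharacters, blocks credential and impersonation flags, permits only read-only verbs, and requires an explicitly allowed namespace. The verb sets, denied flags and allowed namespaces are constructed policy values for the example, and the check fails closed on anything it cannot classify.

```python
import shlex
from dataclasses import dataclass, field

# Constructed policy for this example; a real deployment would load it from config.
READ_ONLY_VERBS = {"get", "describe", "logs", "top"}
DESTRUCTIVE_VERBS = {"delete", "drain", "cordon", "taint", "apply", "create", "replace",
                     "patch", "edit", "scale", "rollout", "exec", "cp", "label", "annotate"}
# Flags that would swap credentials, impersonate another principal, or retarget the cluster.
DENIED_FLAG_PREFIXES = ("--kubeconfig", "--context", "--as", "--token", "--server", "--user", "--cluster")
SHELL_META = set("|;&$`<>()\n")          # pipes and substitutions must never reach a shell
ALLOWED_NAMESPACES = {"dev", "staging"}  # prod is deliberately absent

@dataclass
class Verdict:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)  # safe to pass to subprocess.run without shell=True

def _namespace_of(argv):
    """Namespace named on the command line, 'ALL' for -A, or None if absent (forms like -ndev
    are not parsed and therefore fail closed as 'absent')."""
    for i, tok in enumerate(argv):
        if tok in ("-A", "--all-namespaces"):
            return "ALL"
        if tok in ("-n", "--namespace") and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith("--namespace="):
            return tok.split("=", 1)[1]
    return None

def check_kubectl(command: str) -> Verdict:
    """Return allowed=True only for a read-only kubectl verb scoped to an allowed namespace."""
    if any(c in SHELL_META for c in command):
        return Verdict(False, "shell metacharacter in command")
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return Verdict(False, f"unparseable command: {exc}")
    if len(argv) < 2 or argv[0] != "kubectl":
        return Verdict(False, "only 'kubectl <verb> ...' is permitted", argv)
    if any(tok.startswith(DENIED_FLAG_PREFIXES) for tok in argv):
        return Verdict(False, "credential, context or impersonation flag not permitted", argv)
    verb = argv[1]
    if verb in DESTRUCTIVE_VERBS:
        return Verdict(False, f"'{verb}' is destructive and needs human approval", argv)
    if verb not in READ_ONLY_VERBS:
        return Verdict(False, f"'{verb}' is not in the read-only allowlist", argv)
    ns = _namespace_of(argv)
    if ns is None or ns == "ALL" or ns not in ALLOWED_NAMESPACES:
        return Verdict(False, f"namespace {ns!r} not permitted; an allowed namespace is required", argv)
    return Verdict(True, "ok", argv)
```

Pair this with a kubeconfig bound to a ServiceAccount whose RBAC Role already denies the same verbs, so the guardrail is a second layer rather than the only one.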
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).