Kubernetes MCP (mcp-k8s-go) — agentic threat model
The Kubernetes MCP server presents a high-risk profile because it bridges LLMs directly to the Kubernetes cluster orchestration API. Its security posture depends entirely on the external Kubernetes RBAC configuration, so prompt injection becomes a direct path to cluster-wide compromise whenever the credentials the server runs with are over-privileged.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin that layer down.
Layer 1 (Foundation Models): Not certain from the listing — The MCP server does not bundle a specific LLM and is model-agnostic. Adversarial prompt injection against the client-side LLM could nonetheless steer the model into issuing destructive Kubernetes commands through the server's tools.
Layer 2 (Data Operations): Not certain from the listing — No dedicated vector database or RAG pipeline is mentioned, but the server reads live cluster state through the API server (ultimately backed by etcd), which acts as the operational data layer and can expose sensitive configuration data and Secrets to the LLM context.
Layer 3 (Agent Frameworks): High risk of tool misuse. The server exposes Kubernetes API operations as MCP tools. If the orchestrating agent framework lacks strict tool-call validation, an attacker who controls the prompt can drive these tools to modify workloads, delete namespaces, or extract secrets.
Layer 4 (Deployment & Infrastructure): The server runs with access to a kubeconfig or a ServiceAccount token. If the hosting container or the MCP server process is compromised, these high-value credentials can be exfiltrated, leading directly to cluster compromise.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of built-in audit logging, tool-call guardrails, or anomaly detection to monitor and block suspicious Kubernetes API requests generated by the LLM.
Layer 6 (Security & Compliance): Security relies entirely on external Kubernetes RBAC. If the ServiceAccount or kubeconfig the server uses is over-privileged (e.g., bound to cluster-admin), the agent inherits that power, violating the principle of least privilege.
Layer 7 (Agent Ecosystem): Not certain from the listing — While built for the Model Context Protocol (MCP) ecosystem, the repository listing describes no explicit multi-agent coordination or marketplace trust model.
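The tool-misuse and RBAC points above can be checked mechanically before the server's ServiceAccount is bound. The Go snippet below is an added example, not code from mcp-k8s-go: it models an RBAC PolicyRule as a small local struct (hypothetical, not the client-go type) and flags any grant that would let a prompt-injected tool call read Secrets, delete namespaces, or mutate workloads, with a bare wildcard rule reported as cluster-admin equivalent.

```go
package main

import "fmt"

// PolicyRule is a local stand-in for the resources/verbs of an RBAC PolicyRule
// (hypothetical struct, not the client-go type; apiGroups omitted for brevity).
type PolicyRule struct {
	Resources []string
	Verbs     []string
}

// mutatingVerbs are the verbs that let a tool call change cluster state.
var mutatingVerbs = map[string]bool{"create": true, "update": true, "patch": true, "delete": true, "deletecollection": true, "*": true}

// grants reports whether list names want, treating "*" as matching everything.
func grants(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// AuditRules returns one finding per grant a prompt-injected tool call could abuse.
// An empty result is the read-only, no-secrets posture the server's ServiceAccount
// should have; compare the live account with `kubectl auth can-i --list`.
func AuditRules(rules []PolicyRule) []string {
	var findings []string
	for i, r := range rules {
		tag := fmt.Sprintf("rule %d", i)
		if grants(r.Resources, "*") && grants(r.Verbs, "*") {
			findings = append(findings, tag+": wildcard resources and verbs (cluster-admin equivalent)")
			continue // nothing finer-grained to report
		}
		if grants(r.Resources, "secrets") {
			findings = append(findings, tag+": can read secrets, which would land in LLM context")
		}
		if grants(r.Resources, "namespaces") && grants(r.Verbs, "delete") {
			findings = append(findings, tag+": can delete namespaces")
		}
		for _, v := range r.Verbs {
			if mutatingVerbs[v] { // workloads can be modified or removed
				findings = append(findings, fmt.Sprintf("%s: mutating verb %s on %v", tag, v, r.Resources))
				break
			}
		}
	}
	return findings
}
```

Feeding it a single `{Resources: ["*"], Verbs: ["*"]}` rule yields one cluster-admin finding, while a namespaced rule limited to get/list/watch on pods and deployments yields none.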
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).