
Sequential DevOps: Kubernetes MCP Server — agentic threat model

AIVSS 9.9 · Critical

This Kubernetes MCP server carries high agentic risk: it can mutate live cluster state, apply and delete manifests, and read sensitive logs, and it inherits whatever permissions the active kubeconfig grants, with no built-in guardrails of its own.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 9.8
AARS uplift: 0.12
Factor sum: 5.4 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0–1.0):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.40
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server is model-agnostic and relies on an external LLM. The primary L1 threat is prompt injection: because the agent feeds live log and event text into the model's context, anything an attacker can get written into a pod's logs or a cluster event becomes an indirect injection channel that can steer the model into issuing destructive kubectl commands.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No dedicated vector database or RAG pipeline is described, but the agent reads live cluster logs and events, which could contain sensitive secrets, PII, or configuration data exposed to the LLM context.
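One concrete control for this layer, as an added example and not code from the listing or the server: a redaction pass over log and event text before it is placed in the model context. The rule set, the replacement markers, the constructed sample lines (the AWS key is the documentation placeholder, not a real credential) and the keep-the-newest-lines truncation are all assumptions for illustration.

```python
"""Redact secrets and PII from kubectl log output before it enters the LLM context (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical redaction rules as (name, pattern, replacement). Each targets a
# well-known credential shape rather than arbitrary text, to keep false positives low.
# Order matters: the bearer rule runs first so a bearer JWT is counted once, as a bearer token.
REDACTION_RULES: list[tuple[str, re.Pattern[str], str]] = [
    ("bearer_token", re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED:bearer_token]"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), "[REDACTED:jwt]"),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "[REDACTED:aws_access_key_id]"),
    ("kv_secret", re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S+"),
     r"\1=[REDACTED:kv_secret]"),
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), "[REDACTED:email]"),
]

# Constructed sample output, as `kubectl logs` might return it; nothing here is real.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z INFO  api listening on :8080
2024-05-01T10:00:01Z DEBUG outbound request Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdmMifQ.c2lnbmF0dXJl
2024-05-01T10:00:02Z WARN  retrying with AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
2024-05-01T10:00:03Z INFO  user login ok user=alice@example.com
2024-05-01T10:00:04Z ERROR db connect failed password=hunter2 host=db.internal
2024-05-01T10:00:05Z DEBUG cached session eyJhbGciOiJub25lIn0.eyJzdWIiOiJib2IifQ.c2ln
"""


@dataclass
class SanitizedLogs:
    text: str                                   # what may be handed to the model
    redactions: Counter = field(default_factory=Counter)  # hits per rule, for the audit trail
    dropped_lines: int = 0                      # oldest lines cut by the size cap


def redact_line(line: str, counts: Counter) -> str:
    """Apply every rule to one line, counting substitutions per rule name."""
    for name, pattern, replacement in REDACTION_RULES:
        line, hits = pattern.subn(replacement, line)
        counts[name] += hits
    return line


def sanitize_logs(raw: str, max_lines: int = 200) -> SanitizedLogs:
    """Keep only the newest max_lines lines (a flood of log lines is also a context attack), then redact."""
    lines = raw.splitlines()
    dropped = max(0, len(lines) - max_lines)
    counts: Counter = Counter()
    kept = [redact_line(line, counts) for line in lines[dropped:]]
    return SanitizedLogs(text="\n".join(kept), redactions=counts, dropped_lines=dropped)


if __name__ == "__main__":
    result = sanitize_logs(SAMPLE_LOG)
    print(result.text)
    print(dict(result.redactions), "dropped:", result.dropped_lines)
```

The per-rule counts are worth logging alongside the call: a tool that suddenly starts redacting dozens of tokens per request is itself a signal that the agent is reading something it should not.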

L3 · Agent Frameworks (✓ mapped)

The agent framework layer is highly vulnerable to tool misuse and insecure tool integration. Because it exposes powerful tools to apply and delete manifests, any failure in the orchestration layer's input validation can lead to unauthorized cluster modifications.

L4 · Deployment & Infrastructure (✓ mapped)

The deployment layer inherits the host's active kubeconfig context. If the MCP server runs unsandboxed or under a cluster-admin context, compromising it hands the attacker that same reach at once: lateral movement across namespaces, node access by scheduling privileged pods (the container-escape path that cluster-admin makes trivial), or full cluster takeover.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The description does not mention built-in guardrails, real-time anomaly detection, or structured audit logging of the agent's actions, creating significant observability blind spots during execution.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The listing explicitly notes that RBAC scoping and action confirmation are critical but does not implement them natively. It relies entirely on the external kubeconfig's permissions, presenting a major authorization and policy enforcement gap.
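Added example of the server-side half of that gap (not the project's own code): a pre-execution gate that scopes every tool call by namespace, verb and resource, refuses mutating verbs unless an out-of-band confirmation has been recorded, and emits one structured audit entry per decision, which also covers the observability blind spot noted under L5. The verb lists, policy fields, constructed policies and record field names are hypothetical.

```python
"""Pre-execution gate for Kubernetes tool calls (added example, not the server's own code).

Assumed shape: the MCP server parses each tool call into a ToolRequest before it
builds any kubectl command; evaluate() decides, and audit_record() yields one
structured entry per decision. Verb lists, policy fields and names are hypothetical.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

READ_VERBS = frozenset({"get", "list", "describe", "logs", "events"})
MUTATING_VERBS = frozenset({"apply", "delete", "patch", "scale", "rollout"})


@dataclass(frozen=True)
class ToolPolicy:
    """Server-side scoping, layered on top of (never instead of) the kubeconfig's RBAC."""
    allowed_namespaces: frozenset[str]
    allow_mutations: bool = False
    # Resources the agent may never touch, even with read verbs.
    denied_resources: frozenset[str] = frozenset(
        {"secrets", "clusterroles", "clusterrolebindings", "nodes"})


@dataclass(frozen=True)
class ToolRequest:
    verb: str
    resource: str
    namespace: str | None          # None means the caller asked for cluster-wide scope
    name: str | None = None
    confirmed: bool = False        # set only after an out-of-band (human) confirmation


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: ToolRequest, policy: ToolPolicy) -> Decision:
    """Return the first failing check; every check must pass for the call to proceed."""
    verb = req.verb.lower()
    resource = req.resource.lower()
    if verb not in READ_VERBS and verb not in MUTATING_VERBS:
        return Decision(False, f"verb {verb!r} is not on the allow-list")
    if req.namespace is None:
        return Decision(False, "cluster-wide scope is not permitted; name a namespace")
    if req.namespace not in policy.allowed_namespaces:
        return Decision(False, f"namespace {req.namespace!r} is outside the allowed set")
    if resource in policy.denied_resources:
        return Decision(False, f"resource {resource!r} is blocked for every verb")
    if verb in MUTATING_VERBS:
        if not policy.allow_mutations:
            return Decision(False, "mutating verbs are disabled by policy")
        if not req.confirmed:
            return Decision(False, "mutating verb requires explicit confirmation before execution")
    return Decision(True, "allowed")


def audit_record(actor: str, req: ToolRequest, decision: Decision,
                 now: float | None = None) -> dict[str, object]:
    """One structured, append-only entry per decision, allowed or not."""
    return {
        "ts": now if now is not None else time.time(),
        "actor": actor,
        "verb": req.verb.lower(),
        "resource": req.resource.lower(),
        "namespace": req.namespace,
        "name": req.name,
        "confirmed": req.confirmed,
        "allowed": decision.allowed,
        "reason": decision.reason,
    }


# Constructed policies for illustration.
READ_ONLY_POLICY = ToolPolicy(allowed_namespaces=frozenset({"payments", "staging"}))
OPERATOR_POLICY = ToolPolicy(allowed_namespaces=frozenset({"staging"}), allow_mutations=True)


if __name__ == "__main__":
    for req in (
        ToolRequest("get", "pods", "payments"),
        ToolRequest("delete", "deployments", "payments", "api"),
        ToolRequest("get", "secrets", "payments"),
        ToolRequest("list", "pods", None),
    ):
        print(audit_record("agent:planner", req, evaluate(req, READ_ONLY_POLICY), now=0.0))
```

The gate only narrows what the model can ask for; it does not change what the kubeconfig can do. Mirror the same namespace and verb scope as a dedicated ServiceAccount with a namespaced Role and RoleBinding, so that a compromised server process cannot exceed the gate either.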

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, this agent is designed to be called by other host agents. This creates a severe cascading failure risk where a compromised upstream agent can abuse this tool to destroy or exfiltrate Kubernetes workloads.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).