2026-02-02 · Authensor

How to Gate kubectl apply in AI Agent Deployments

SafeClaw by Authensor blocks kubectl apply and other mutating kubectl commands by default, preventing AI agents from creating, modifying, or deleting Kubernetes resources without explicit authorization. Install SafeClaw with npx @authensor/safeclaw and, with the policy below in place, every kubectl mutation the policy matches is intercepted, denied, and audit-logged before it reaches the API server.

Why kubectl apply Is Dangerous When AI Agents Do It

kubectl apply creates or updates any Kubernetes resource — Deployments, Services, ConfigMaps, Secrets, RBAC roles, and more. An AI agent with kubectl access can deploy containers with arbitrary images, expose services publicly, modify ingress rules, escalate cluster privileges via RoleBindings, or delete namespaces. Kubernetes changes take effect immediately and propagate across the cluster. An agent that applies a malformed Deployment can trigger cascading pod failures. An agent that modifies a NetworkPolicy can open the cluster to lateral movement. Unlike staged deployments through GitOps pipelines, direct kubectl apply bypasses code review, approval gates, and canary analysis.

The Exact SafeClaw Policy to Gate kubectl apply

Add these rules to .safeclaw/policy.yaml:

rules:
  - id: deny-kubectl-delete
    action: shell.exec
    match:
      command: "kubectl delete*"
    effect: deny
    audit: true
    message: "kubectl delete is permanently denied for AI agents."

  - id: deny-kubectl-apply
    action: shell.exec
    match:
      command: "kubectl apply*"
    effect: deny
    audit: true
    message: "kubectl apply requires human execution or approval."

  - id: deny-kubectl-create
    action: shell.exec
    match:
      command: "kubectl create*"
    effect: deny
    audit: true
    message: "kubectl create is blocked for AI agents."

  - id: deny-kubectl-patch
    action: shell.exec
    match:
      command: "kubectl patch*"
    effect: deny
    audit: true
    message: "kubectl patch is blocked for AI agents."

  - id: allow-kubectl-get
    action: shell.exec
    match:
      command: "kubectl get*"
    effect: allow
    audit: true

  - id: allow-kubectl-describe
    action: shell.exec
    match:
      command: "kubectl describe*"
    effect: allow
    audit: true

  - id: allow-kubectl-logs
    action: shell.exec
    match:
      command: "kubectl logs*"
    effect: allow
    audit: true

This policy denies the four mutating verbs it names (apply, create, patch, delete) and allows the three read-only verbs (get, describe, logs). The read-only allowances are still audit-logged, so you keep visibility into what cluster information the agent reads. Two gaps matter before you rely on it. First, the patterns are prefix globs, and kubectl accepts global flags before the verb, so kubectl -n prod delete ns payments does not match "kubectl delete*" and is not covered by any rule above. Second, other mutating verbs such as replace, edit, scale, set, label, annotate and rollout are not listed, nor is exec, which runs commands inside pods. Following the layout of the approval policy later on this page, list the specific rules first and finish with a catch-all "kubectl*" deny so that any kubectl invocation not explicitly allowed fails closed.

What Happens When the Agent Tries

When an agent attempts kubectl apply -f deployment.yaml:

  1. SafeClaw intercepts the shell.exec action.
  2. The deny-kubectl-apply rule matches.
  3. The command is blocked. No API call to the Kubernetes cluster.
  4. Hash-chained audit entry:
{
  "timestamp": "2026-02-13T10:42:18Z",
  "action": "shell.exec",
  "command": "kubectl apply -f deployment.yaml",
  "effect": "deny",
  "rule": "deny-kubectl-apply",
  "agent": "infra-agent-05",
  "hash": "f1b3d6...chain"
}

The agent can still run kubectl get pods or kubectl logs to diagnose issues; it just cannot make changes. Read-only is not the same as harmless, though: kubectl get secrets -o yaml returns Secret data, which is base64-encoded rather than encrypted. If the agent must not see credentials, narrow the get rule to the resource types it actually needs instead of allowing kubectl get* wholesale.

How to Allow kubectl apply with Approval

For infrastructure agents that need to deploy to non-production namespaces:

rules:
  - id: deny-kubectl-delete
    action: shell.exec
    match:
      command: "kubectl delete*"
    effect: deny
    audit: true
    message: "kubectl delete is permanently denied."

  - id: approve-kubectl-apply-staging
    action: shell.exec
    match:
      command: "kubectl apply*--namespace staging*"
    effect: approval
    audit: true
    approvers:
      - role: platform-engineer
    timeout: 300
    message: "Staging kubectl apply requires platform engineer approval."

  - id: deny-kubectl-apply-all
    action: shell.exec
    match:
      command: "kubectl apply*"
    effect: deny
    audit: true
    message: "kubectl apply is only allowed in the staging namespace with approval."

This routes staging deployments through approval while hard-denying every other kubectl apply, with the approval rule listed ahead of the catch-all deny. The platform engineer sees the full command, including the manifest file reference and the namespace, and should read all of it: because the pattern ends in a wildcard, a chained command such as kubectl apply -f app.yaml --namespace staging; kubectl delete ns production also matches the approval rule rather than the delete deny. Two further caveats. The pattern is a literal match, so kubectl apply -n staging -f app.yaml and kubectl apply --namespace=staging -f app.yaml do not match it and fall through to the deny; add a rule for each spelling you intend to permit. And the trailing wildcard also accepts --namespace staging-old, so if neighbouring namespaces share the prefix, anchor the value with one pattern ending in "--namespace staging" and one containing "--namespace staging " followed by a wildcard.

Verification

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'kubectl apply -f deployment.yaml'

Expected: deny, rule: deny-kubectl-apply

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'kubectl get pods'

Expected: allow, rule: allow-kubectl-get

With the staging approval policy loaded instead, also simulate the short form of the namespace flag:

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'kubectl apply -n staging -f deployment.yaml'

Expected: deny, rule: deny-kubectl-apply-all, because -n staging does not match the literal --namespace staging pattern. If that is not the outcome you want, add a rule for each spelling before shipping the policy.


Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw