Approval workflows for AI coding agents on EKS

An AI coding agent that automatically generates Kubernetes manifests and pushes them to a production EKS cluster can speed up delivery, but it also creates a blind spot. The agent typically runs with a long‑lived service account that has broad RBAC permissions. When a new change is produced, the agent applies it directly, bypassing any human review. If the generated manifest contains a misconfiguration, a secret leak, or an unintended workload, the damage is immediate and hard to trace.

Teams recognize that an approval workflow is essential: before any manifest reaches the cluster, a responsible engineer should examine the change and explicitly grant permission. However, simply adding a review step in a CI pipeline does not solve the core problem. The request still travels straight to the EKS API server, the agent retains its credentials, and the cluster sees no record of who approved what. Without a control point on the data path, the system cannot enforce the approval, cannot mask sensitive fields in responses, and cannot produce a reliable audit trail.

Implementing approval workflows for AI agents on EKS

To close the gap, the enforcement point must sit between the AI agent and the Kubernetes control plane. This is where a Layer 7 gateway becomes the decisive boundary. The gateway receives the agent’s request, checks the policy, and only forwards the request after the required approval is recorded. Because the gateway owns the connection, it can also mask secret values returned by the API and record every kubectl command for replay.

Setup: defining who can request access

The first layer is identity. The AI agent authenticates to the gateway using an OIDC token issued by the organization’s identity provider. The token conveys the agent’s service account identity and any group memberships that determine whether the request is eligible for a Just‑In‑Time (JIT) approval. This step decides who is making the request, but it does not enforce any policy on its own.

The data path: the gateway as the only enforcement point

Once the token is validated, the request enters the gateway’s data path. Here, hoop.dev inspects the Kubernetes API call at the protocol level. Before the call reaches the EKS endpoint, the gateway checks whether an approval record exists for the specific manifest hash. If no approval is found, the gateway blocks the operation and returns a clear “approval required” response to the agent.

hoop.dev also applies inline masking to any fields that contain credentials or tokens, ensuring that downstream services never receive raw secrets. Because the gateway holds the cluster credentials, the AI agent never sees them, satisfying the “agent never sees the credential” principle.

Continue reading? Get the full guide.

AI Agent Security + Access Request Workflows: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Enforcement outcomes that only the gateway can provide

hoop.dev records each session, capturing the full command stream, timestamps, and the identity that initiated the request.
hoop.dev requires explicit approval before any mutating operation is allowed, turning an uncontrolled push into a governed workflow.
hoop.dev masks sensitive response fields in real time, preventing accidental leakage of secrets.
hoop.dev enables replay of any session, so auditors can see exactly what was applied and by whom.

All of these outcomes exist because the gateway sits in the data path; removing the gateway would eliminate the approval check, the masking, and the audit record.

Integrating the gateway with EKS

The gateway’s agent runs inside the same network as the EKS cluster. It assumes a dedicated IAM role that maps to a Kubernetes ClusterRoleBinding, granting it the minimal permissions needed to proxy API calls. The AI agent never contacts the cluster directly; every kubectl or API request is funneled through the gateway.

When an AI‑generated manifest is ready, the CI pipeline sends the manifest to the gateway via the standard kubectl client. The gateway checks the approval policy, masks any secret fields, and forwards the request to the EKS API server only after a human reviewer has signed off in the approval UI.

Getting started

To try this pattern, follow the getting‑started guide for deploying the gateway and configuring an EKS connection. The learn section provides deeper details on approval workflow configuration, session replay, and masking policies.

The full source code and contribution guidelines are available on GitHub. Reviewing the repository will give you insight into how the gateway intercepts Kubernetes traffic and enforces the policies described above.

FAQ

Do I need to change my existing Kubernetes RBAC?

No. The gateway maps the AI agent’s identity to a dedicated Kubernetes role via a ClusterRoleBinding. Existing roles for human operators remain untouched.

Can I use the same approval workflow for other cloud services?

Yes. The gateway’s policy engine is protocol‑agnostic, so you can define similar approval steps for databases, SSH, or HTTP APIs by configuring the appropriate connection type.

What happens if the gateway is unavailable?

Because all traffic must pass through the gateway, an outage blocks access, which is a safety feature. You can run the gateway in a highly available mode to minimise downtime.