All posts
June 18, 20264 min read

MCP gateways: what they mean for your blast radius (on Kubernetes)

When a newly hired data scientist leaves the company, the team forgets to rotate the service account that powers the internal LLM‑driven code‑assistant. The assistant continues to run in CI pipelines, issuing kubectl delete calls that wipe out an entire namespace before anyone notices. The incident illustrates how an AI‑enabled MCP gateway can dramatically expand the blast radius of a single credential. Most organizations treat MCP gateways as a convenience layer: an LLM talks to a local MCP se

Free White Paper

Blast Radius Reduction + Kubernetes RBAC: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When a newly hired data scientist leaves the company, the team forgets to rotate the service account that powers the internal LLM‑driven code‑assistant. The assistant continues to run in CI pipelines, issuing kubectl delete calls that wipe out an entire namespace before anyone notices. The incident illustrates how an AI‑enabled MCP gateway can dramatically expand the blast radius of a single credential.

Most organizations treat MCP gateways as a convenience layer: an LLM talks to a local MCP server, which then opens a direct tunnel to the Kubernetes API server using a static kubeconfig. That kubeconfig often contains cluster‑admin privileges because it is easier to manage than per‑user tokens. The result is a single point of failure that can execute any command the cluster permits, from scaling deployments to deleting persistent volumes.

Teams are beginning to adopt stronger identity practices. They move from static kubeconfigs to short‑lived OIDC tokens, restrict service accounts to specific namespaces, and enforce least‑privilege RBAC rules. Those steps are essential – they decide who can start a request and limit the set of actions a token can perform. However, the request still travels straight from the MCP server to the Kubernetes API server. No component in that path records each kubectl command, masks sensitive fields in responses, or requires a human to approve high‑impact operations. The blast radius remains large because the gateway offers no visibility or control over what actually reaches the cluster.

Why the data path matters for blast radius

The missing piece is an enforcement layer that sits in the data path. hoop.dev is built exactly for that purpose. By proxying every MCP request, hoop.dev becomes the only place where policy can be applied, where commands can be inspected, and where audit records can be generated. Because hoop.dev sits between the AI agent and the Kubernetes API, it can enforce just‑in‑time access, require approvals for dangerous actions, block unsafe commands, and record the entire session for replay.

How hoop.dev reduces blast radius

  • Command‑level blocking: hoop.dev can detect a kubectl delete --all or a kubectl apply that modifies a critical ConfigMap and reject it before it reaches the API server.
  • Just‑in‑time approvals: When an LLM tries to create a new namespace, hoop.dev can pause the request and present it to a designated approver. The operation only proceeds after explicit consent.
  • Session recording: Every interaction is captured, enabling post‑mortem analysis. If a rogue command slips through, the team can replay the exact sequence of API calls that caused the damage.
  • Inline masking: Sensitive fields such as secrets returned by kubectl get secret are redacted in logs, preventing accidental leakage.

These enforcement outcomes exist only because hoop.dev occupies the data path. Without it, the identity layer and RBAC rules can limit who can call the API, but they cannot stop a legitimate token from performing a destructive action once it is issued.

Deploying hoop.dev for MCP gateways

To bring these protections to an MCP‑driven workflow, deploy the hoop.dev gateway close to the Kubernetes cluster – typically as a Docker Compose service on a bastion host or as a pod in the same network. Configure the gateway to trust the same OIDC provider that issues the MCP server’s tokens. Then register the Kubernetes API as a connection, supplying the service‑account credential that the gateway will use. The MCP server talks to hoop.dev instead of the API server directly; hoop.dev inspects each request, applies the policies you define, and forwards only the allowed traffic.

Continue reading? Get the full guide.

Blast Radius Reduction + Kubernetes RBAC: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

This architecture satisfies the earlier precondition: identities are verified, and least‑privilege tokens are issued. The additional step – routing traffic through hoop.dev – provides the missing enforcement layer that contains blast radius.

Policy definition basics

Policies are expressed in simple YAML files that map identity attributes (group membership, email domain) to allowed Kubernetes verbs and resources. For example, you can allow a data‑science group to run kubectl get on any namespace but require approval for kubectl delete on production resources. Because hoop.dev enforces these rules at the protocol level, the MCP gateway never needs to embed any custom logic.

For a step‑by‑step walkthrough of deployment and policy authoring, see the getting‑started guide. Detailed policy examples are available in the learn section of the documentation.

What to watch for

  • Credential rotation: Even with hoop.dev, the underlying service‑account credential must be rotated regularly to prevent long‑lived secrets from becoming a single point of compromise.
  • Policy drift: As teams add new namespaces or resources, update the hoop.dev policy files promptly; otherwise, the gateway may unintentionally block legitimate work.
  • Approval latency: Human approvals add a step to the workflow. Design approval paths that balance security with operational speed, such as delegating low‑risk approvals to on‑call engineers.

FAQ

Does hoop.dev replace Kubernetes RBAC?

No. RBAC continues to enforce what a verified identity can do. hoop.dev adds an extra layer that can block, approve, or record actions before they ever reach the API server, thereby shrinking the blast radius beyond what RBAC alone provides.

Can I use hoop.dev with existing MCP servers?

Yes. The MCP server simply points its target endpoint to the hoop.dev gateway instead of the raw API server. All existing client tooling (kubectl, helm, etc.) continues to work unchanged because hoop.dev speaks the same wire protocol.

How does session replay help after an incident?

Because hoop.dev records every request and response, you can reconstruct the exact series of commands that led to a failure. This evidence is invaluable for root‑cause analysis and for demonstrating compliance with internal audit requirements.

Ready to tighten the blast radius of your AI‑driven Kubernetes workflows? Explore the source code and contribute on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot