All posts
June 18, 20264 min read

Nested agents: what they mean for your access reviews (on Kubernetes)

Why nested agents break access reviews Nested agents on Kubernetes make it almost impossible to know who actually touched a resource. Teams often deploy a sidecar that runs a proxy, then launch additional automation agents inside the same pod. Each agent inherits the pod’s service‑account token, which is usually granted cluster‑wide or namespace‑wide permissions. Because the token is shared, the audit logs record only the service‑account identity, not the individual automation process that issu

Free White Paper

Access Reviews & Recertification + Kubernetes API Server Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Why nested agents break access reviews

Nested agents on Kubernetes make it almost impossible to know who actually touched a resource. Teams often deploy a sidecar that runs a proxy, then launch additional automation agents inside the same pod. Each agent inherits the pod’s service‑account token, which is usually granted cluster‑wide or namespace‑wide permissions. Because the token is shared, the audit logs record only the service‑account identity, not the individual automation process that issued the request. When a security auditor asks for an access review, the answer is a list of vague service‑account names that mask the true actor.

This situation is the default for many organizations: a developer pushes code, a CI pipeline spins up a temporary pod, a monitoring agent runs inside that pod, and a security‑scan tool launches yet another nested process. All of them speak directly to the Kubernetes API server using the same credential. The result is a flood of indistinguishable API calls that provide no context for reviewers.

What a data‑path gateway can do

To make access reviews meaningful, the enforcement point must sit where the request flows, not merely at the identity source. A gateway that intercepts every Kubernetes API call can record the exact command, the originating process, and any approval workflow that preceded it. Because the gateway is the only place where traffic is examined, it can also apply just‑in‑time (JIT) policies, block dangerous operations, and mask sensitive fields in responses.

When the gateway sits in front of nested agents, each inner process still authenticates with its original OIDC token, but the token is validated by the gateway before any request reaches the API server. The gateway then attaches a short‑lived, request‑scoped credential that cannot be reused outside the approved flow. This design gives reviewers a complete, tamper‑resistant trail of who did what, when, and why.

How hoop.dev enables reliable reviews

hoop.dev is a Layer 7 gateway built exactly for this pattern. It proxies connections to Kubernetes, including exec and port‑forward sessions, and it sits in the data path between any nested agent and the cluster’s control plane. Because hoop.dev is the gateway, it records every session for replay, stores per‑command audit entries, and surfaces approval steps to the reviewer.

When a nested agent initiates a kubectl command, hoop.dev validates the OIDC token, checks group membership, and then decides whether the request can proceed immediately, needs a human approval, or must be blocked. If approval is required, the request is paused in the gateway until an authorized reviewer grants consent. Once approved, hoop.dev forwards the request using a short‑lived credential that it generates on the fly, ensuring the original token never touches the API server directly.

Continue reading? Get the full guide.

Access Reviews & Recertification + Kubernetes API Server Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

All of these enforcement outcomes, session recording, inline masking, JIT approval, and command blocking, are possible only because hoop.dev occupies the data‑path. Without the gateway, the nested agents would continue to speak straight to the API server, leaving auditors with only generic service‑account entries.

Deploying hoop.dev is straightforward. The quick‑start guide walks users through a Docker Compose deployment that runs the gateway alongside a network‑resident agent. Once the gateway is up, teams register their Kubernetes clusters as connections, and the gateway takes over all traffic from any pod‑local agents. Detailed steps are available in the getting‑started documentation and the broader learn section.

Pitfalls of ignoring nested agents

Skipping a data‑path control layer creates three hidden risks. First, credential sprawl: a single service‑account token is reused across many processes, expanding the blast radius of any compromise. Second, audit dilution: logs show only the service‑account name, so investigators cannot pinpoint the offending automation script. Third, policy evasion: without a gateway, a malicious nested process can issue privileged commands that bypass any JIT or approval workflow.

These pitfalls surface during routine compliance checks. Reviewers repeatedly encounter “unknown” entries, and they must request additional evidence from developers, slowing audit cycles and eroding confidence in the security program.

Design checklist for effective access reviews

  • Ensure every Kubernetes API call passes through a gateway that can capture the full request payload.
  • Require each request to be tied to a short‑lived, request‑scoped credential generated after identity verification.
  • Configure approval policies for high‑risk verbs such as delete, scale, and apply on critical namespaces.
  • Enable session recording so replay is possible for forensic analysis.
  • Mask sensitive fields in API responses, for example token values or secret data, to prevent accidental exposure in logs.

Following this checklist guarantees that an access review will surface concrete, actionable data rather than a list of ambiguous service accounts.

Integrating hoop.dev with CI/CD pipelines

Most teams already run build and deployment jobs inside Kubernetes pods. By pointing the CI runner’s kubeconfig at the hoop.dev gateway instead of the cluster endpoint, every automated deployment inherits the same guardrails as a human operator. The pipeline’s service‑account token is still the source of truth for identity, but hoop.dev validates it and injects a scoped credential for each step.

This approach provides three benefits. First, developers gain immediate feedback when a pipeline step is blocked by a policy, reducing the time spent debugging later. Second, each pipeline execution is recorded, giving auditors a complete view of who triggered a change and why. Third, the same approval workflow used for interactive users can be extended to automated jobs, ensuring that only vetted changes reach production.

FAQ

  • How does hoop.dev handle existing service‑account tokens? The gateway validates the token but never forwards it to the API server. Instead, it issues a short‑lived credential that is scoped to the specific request, preserving the original token’s confidentiality.
  • Will adding a gateway increase latency for Kubernetes commands? hoop.dev adds a minimal, predictable overhead because it processes traffic at the protocol layer. In practice the added latency is outweighed by the security and audit benefits it provides.
  • Can hoop.dev be used with multiple clusters? Yes. Each cluster is registered as a separate connection, and the same gateway can proxy traffic to all of them while preserving distinct audit streams.

Ready to bring visibility back to your access reviews? Explore the source code and contribute on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot