All posts
June 18, 20264 min read

Non-human identity: what it means for your blast radius (on Kubernetes)

A freshly provisioned CI pipeline runs under a service account that can create, delete, and patch any pod in the cluster. The same credential is also used by an automated backup job, a nightly security scan, and a third‑party monitoring agent. When the backup job is misconfigured it tries to write to a namespace it should never touch, and the scan tool accidentally deletes a deployment because the token it carries has cluster‑admin scope. This scenario shows why non‑human identities can explode

Free White Paper

Non-Human Identity Management + Blast Radius Reduction: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A freshly provisioned CI pipeline runs under a service account that can create, delete, and patch any pod in the cluster. The same credential is also used by an automated backup job, a nightly security scan, and a third‑party monitoring agent. When the backup job is misconfigured it tries to write to a namespace it should never touch, and the scan tool accidentally deletes a deployment because the token it carries has cluster‑admin scope.

This scenario shows why non‑human identities can explode your blast radius. A single token, once compromised or misused, can reach far beyond the intended workload. The problem is not the lack of an identity – the service account does give you a name to attach to the request – but the fact that the request flows straight to the Kubernetes API server without any guardrails that can see what is being done.

What non‑human identity alone does not solve

Switching from a shared password to a dedicated service account is a necessary step. It lets you audit which automation performed an action, and it enables you to grant the minimum set of RBAC permissions for that workload. However, the token still travels directly to the API server. The gateway that sits between the automation and the cluster is missing, so there is no place to enforce real‑time policies.

Because the request bypasses any proxy, you lose three critical controls:

  • Visibility into the exact command or API call before it is executed.
  • Ability to mask sensitive fields in responses, such as secrets returned by kubectl get secret.
  • Just‑in‑time approval for risky operations, like deleting a namespace or scaling a stateful set beyond a safe threshold.

In short, the setup gives you a named identity and a tighter RBAC policy, but it leaves the blast radius unchecked. If the service account is stolen, the attacker can still issue any API call the role permits, and you have no audit trail that captures the intent before the action happens.

Why the data path must host enforcement

To shrink the blast radius you need a control point that sits on the traffic between the automation and the Kubernetes API. That control point must be able to inspect the wire‑protocol, apply policies, and record what happened. It cannot be placed inside the pod or the CI runner, because a compromised process could simply bypass the checks.

When the gateway sits in the data path, it becomes the only place where every request can be examined. This is where enforcement outcomes are realized:

  • hoop.dev records every Kubernetes command so you have a replayable audit trail for forensic analysis.
  • hoop.dev masks secret data in API responses before it reaches the automation, preventing accidental leakage.
  • hoop.dev blocks dangerous commands such as kubectl delete namespace unless an explicit approval is provided.
  • hoop.dev routes high‑risk operations to a human approver in real time, turning a potentially catastrophic change into a controlled workflow.

All of these capabilities depend on the gateway being the sole point of entry for the connection. The identity system (OIDC, SAML, service account tokens) decides who is making the request, but without the gateway in the data path you cannot guarantee that the request is safe.

Continue reading? Get the full guide.

Non-Human Identity Management + Blast Radius Reduction: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How to watch for a widening blast radius

When you adopt non‑human identities for Kubernetes, keep an eye on these signals:

  1. Token scope creep: Regularly review RBAC bindings for service accounts. A token that suddenly has cluster‑admin privileges is a red flag.
  2. Unmonitored automation: Ensure every CI job, backup script, or monitoring agent goes through a proxy that can log the exact API calls.
  3. Missing approval steps: High‑impact actions such as deleting resources or changing replicas should trigger a workflow that requires a human decision.
  4. Secret exposure: Verify that responses containing secret objects are filtered or masked before they reach downstream processes.

Addressing these items without a data‑path gateway leaves you vulnerable to the same blast radius you were trying to reduce.

hoop.dev as the architectural answer

hoop.dev implements the required data‑path gateway for Kubernetes. It runs a lightweight agent inside your network, registers the cluster as a connection, and then proxies all traffic from users or automation through that agent. Because the gateway inspects the traffic at the protocol level, it can enforce the policies listed above without any code changes to the callers.

Getting started is straightforward. Follow the Getting started guide to deploy the gateway with Docker Compose or Kubernetes, configure OIDC authentication, and register your Kubernetes cluster. The Learn section provides deeper insight into masking, approval workflows, and session replay.

By placing hoop.dev in the data path, you gain:

  • Full visibility into who performed which Kubernetes API call and why.
  • Real‑time protection against accidental or malicious commands.
  • Evidence that satisfies audit requirements for reducing blast radius.

All of these outcomes are possible only because hoop.dev is the gateway that sits between the non‑human identity and the Kubernetes API.

FAQ

Does hoop.dev replace existing RBAC?

No. RBAC continues to define what a service account is allowed to do. hoop.dev adds a layer that can approve, block, or record each request before the API server enforces RBAC.

Can I use hoop.dev with existing CI pipelines?

Yes. You point your CI jobs at the hoop.dev endpoint instead of the raw API server. The gateway forwards the request after applying its policies, so no changes to your build scripts are required.

What happens to secret data returned by kubectl get secret?

hoop.dev can mask or redact secret fields in the response, ensuring that downstream tools never see the raw secret value unless explicitly allowed.

Take the next step

Explore the open‑source repository on GitHub to see how the gateway is built and to contribute improvements: https://github.com/hoophq/hoop.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot