Putting access controls around Devin: production access for AI coding agents (on Kubernetes)

Giving an AI coding agent unfettered production access is a recipe for data leaks and service disruption.

Most teams hand Devin a long‑lived Kubernetes service‑account token, mount it into the pod that runs the model, and let the agent issue kubectl or API calls directly against the cluster. The token is stored in a secret that developers can read, and the same credential is reused for weeks or months. Because the connection goes straight from the agent to the API server, there is no record of which commands were run, no way to redact sensitive fields in responses, and no gate that can pause a dangerous operation for human review. If the model misbehaves, the damage is already done and the audit trail is empty.

What organizations really need is a way to grant Devin production access only when a specific job requires it, and to do so with a clear approval step, real‑time masking of secrets, and immutable session logs. The request still reaches the Kubernetes API server, but without an intervening control point the organization cannot enforce just‑in‑time approval, cannot hide passwords returned by kubectl get secret, and cannot prove to auditors that the agent acted within policy.

Why production access matters for AI coding agents

AI agents can generate code, modify deployments, and read configuration data at a speed that far exceeds human operators. When they are given blanket production access, a single mis‑prompt can delete a namespace, expose database credentials, or trigger a cascade of failing services. The risk profile is amplified by the fact that AI agents do not have the same contextual awareness as a human engineer. Therefore, production access must be bounded, observable, and reversible.

Architectural requirement: a gateway on the data path

The only place to enforce the needed controls is between the identity that initiates the request and the Kubernetes API server itself. A gateway that sits on Layer 7 can inspect the HTTP/REST traffic, apply policy checks, and record the full request‑response exchange. Because the gateway terminates the connection, it can also mask fields in the response before they reach the agent, and it can block commands that match a deny list.

Introducing hoop.dev as the enforcement layer

hoop.dev fulfills the architectural requirement by acting as an identity‑aware proxy for Kubernetes. It receives the OIDC token that represents the user or service account, validates the token, and then forwards the request to the cluster only after applying the configured policies. hoop.dev records each session, masks sensitive fields in API responses, enforces just‑in‑time approval workflows, and blocks disallowed commands before they reach the API server.

Because hoop.dev sits in the data path, every enforcement outcome originates from it. It does not rely on the agent’s configuration, and it cannot be bypassed by changing a secret inside the pod.

Continue reading? Get the full guide.

AI Model Access Control + Kubernetes API Server Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Setup: defining who can act as Devin

The first step is to configure an OIDC identity that represents the AI coding agent. This identity is granted the minimal IAM role needed to request a short‑lived token. The role does not give permanent cluster permissions; instead, hoop.dev uses the token to decide whether a request should be allowed at the moment it arrives.

The data path: hoop.dev as the gateway

All Kubernetes API traffic from Devin is routed through hoop.dev. The gateway inspects each HTTP request, checks it against policy rules, and either forwards it, asks for human approval, or rejects it. Because the gateway terminates TLS, it can also rewrite response bodies to mask secrets such as database passwords before they are returned to the agent.

Enforcement outcomes

hoop.dev records each command and its result, creating an immutable audit log that can be replayed for forensic analysis.
hoop.dev masks fields that match a configured pattern, preventing the agent from seeing raw credential values.
hoop.dev requires a just‑in‑time approval step for any operation that modifies production workloads, ensuring a human reviews the intent.
hoop.dev blocks commands that match a deny list, such as deleting a namespace or scaling a stateful set beyond a safe threshold.

Implementing the solution

Start by deploying the hoop.dev gateway in the same network as your Kubernetes cluster. The official hoop.dev getting started guide walks you through a Docker Compose deployment, OIDC configuration, and how to register a Kubernetes connection. Once the gateway is running, define a policy that grants Devin production access only after a human approves the request. The policy also specifies which response fields to mask and which commands to block.

After the policy is in place, any request that originates from the AI agent is forced through hoop.dev. The agent never sees the cluster credentials directly, and every action is logged, masked, or blocked according to the policy you defined.

FAQ

Does hoop.dev store my Kubernetes credentials?

No. hoop.dev holds the credential only long enough to forward an approved request. The AI agent never receives the raw credential.

Can I audit past sessions?

Yes. hoop.dev records each session and stores the logs in a location you configure. Those logs can be replayed to see exactly what commands were issued and what responses were returned.

Is the solution open source?

Absolutely. The entire gateway is MIT licensed and the source code is available on GitHub. You can review, extend, or self‑host the project to meet your compliance needs.

For a deeper dive into policy configuration and advanced masking options, consult the hoop.dev feature documentation. This approach gives you production access for AI coding agents that is auditable, controllable, and safe.