|
| ▲ | __MatrixMan__ 8 days ago | parent | next [-] |
| If it can run kubectl it can run any other command too. Unless you're running it as a different user and have put a bit of thought into limiting what that user can do, that's likely too much leeway. That's only really relevant I'd you're leaving it unattended though. |
| |
| ▲ | gardnr 7 days ago | parent [-] | | You can control it with hooks. Most people I know run in yolo mode in a docker container. | | |
| ▲ | __MatrixMan__ 7 days ago | parent | next [-] | | What about being in a docker container lets you `kubectl get pod` but prevents you from `kubectl delete deployment`? | | |
| ▲ | dhorthy 7 days ago | parent [-] | | this is more about the service account than the runtime environment i think. you put your admin service account in docker the agent can still wreak havoc. Docker lets you hide the admin service account on your host FS from the agent. | | |
| ▲ | __MatrixMan__ 7 days ago | parent [-] | | Keeping the powerful credentials where the agent can't reach them does buy you a bit of safety. But I still think its a bit loose when compared with exposing an API to the model which can only do what you intend for that model to do. | | |
| ▲ | dhorthy 3 days ago | parent [-] | | sure fair enough. I guess i'm mostly being pragmatic here. Plus i'm not convinced that generating "kubectl"...json..."get"...json..."pod"... is easier for most models than "bash"...json..."kubectl get pod"... |
|
|
| |
| ▲ | popcorncowboy 7 days ago | parent | prev [-] | | Yes... a docker container... |
|
|
|
| ▲ | gexla 8 days ago | parent | prev | next [-] |
| Not sure about the MCP, but I find that using something (RAG or otherwise provide docs) to point the LLM specifically to what you're trying to use works better than just relying on its training data or browsing the internet. An issue I had was that it would use outdated docs, etc. |
|
| ▲ | CuriouslyC 8 days ago | parent | prev | next [-] |
| Claude is, some models aren't. In some cases the MCPs do get the models to use tools better as well due to the schema, but I doubt kubectl is one of them (using the git mcp in claude code... facepalm) |
| |
| ▲ | dhorthy 8 days ago | parent [-] | | Yeah fair enough lol…usually I end up building model-optimized scripts instead of mcp which just flood context window with json and uuids (looking at you, linear) - much better to have Claude write 100 lines of ts to drop a markdown file with the issue and all comments and no noise |
|
|
| ▲ | nsonha 8 days ago | parent | prev [-] |
| > on its own does it? Did you forget the prompts? MCP is just a protocol for tool/function calling which in turn is part of the prompt, quite an important part actually. Did you think AI works by prompts like "make magic happen" and it... just happens? Anyone who makes dumb arguments like this should not deserve a job in tech. |
| |
| ▲ | antihero 7 days ago | parent [-] | | I’ve literally asked Claude Code to look at and fix an issue on a cluster and it knows to use the cli utils. | | |
| ▲ | nsonha 7 days ago | parent [-] | | Because Claude has that as a built-in tool. Try Claude on web and see how useless AI is without tools. And don't even get me start with giving AI your entire system in one tool, it's good for toying around only. | | |
| ▲ | antihero 4 days ago | parent [-] | | Why would I use Claude on web to do that? Why would I use the wrong tool for the job? | | |
| ▲ | nsonha 3 days ago | parent [-] | | I am not saying you should. I am pointing out AI without tools (which I believe is what you think of when you refer to MCP) is useless. |
|
|
|
|
