| ▲ | __MatrixMan__ 7 days ago |
| What about being in a docker container lets you `kubectl get pod` but prevents you from `kubectl delete deployment`? |
|
| ▲ | dhorthy 7 days ago | parent [-] |
| this is more about the service account than the runtime environment i think. you put your admin service account in docker the agent can still wreak havoc. Docker lets you hide the admin service account on your host FS from the agent. |
|
| ▲ | __MatrixMan__ 7 days ago | parent [-] |
| Keeping the powerful credentials where the agent can't reach them does buy you a bit of safety. But I still think it's a bit loose when compared with exposing an API to the model which can only do what you intend for that model to do. |
|
| ▲ | dhorthy 3 days ago | parent [-] |
| sure fair enough. I guess i'm mostly being pragmatic here. Plus i'm not convinced that generating "kubectl"...json..."get"...json..."pod"... is easier for most models than "bash"...json..."kubectl get pod"... |
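
The narrow-API approach discussed in this thread, as an added example that is not part of any comment above: a structured tool call is checked against an allowlist and turned into an argv list with no shell involved. The `ALLOWED` policy, the `build_argv` and `Denied` names and the call fields are assumptions of this sketch, and it complements a least-privilege service account rather than replacing one.

```python
import re

# Assumed policy for this example: read-only verbs on a few resource kinds.
ALLOWED = {
    "get": {"pod", "deployment", "service"},
    "describe": {"pod", "deployment"},
}
FIELDS = {"verb", "resource", "name", "namespace"}
# Kubernetes names are lowercase DNS-style strings, so a valid one can never
# start with "-" and be read by kubectl as a flag. One pattern is used for
# both names and namespaces here for brevity.
NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?$")


class Denied(Exception):
    """Raised when a tool call falls outside the allowlist."""


def _checked_name(value, field):
    # fullmatch, so a trailing newline cannot slip past the "$" anchor.
    if not isinstance(value, str) or not NAME_RE.fullmatch(value):
        raise Denied(f"invalid {field}: {value!r}")
    return value


def build_argv(call):
    """Map a structured tool call to a kubectl argv list, or raise Denied."""
    unknown = set(call) - FIELDS
    if unknown:
        raise Denied(f"unexpected fields: {sorted(unknown)}")
    verb, resource = call.get("verb"), call.get("resource")
    if not isinstance(verb, str) or verb not in ALLOWED:
        raise Denied(f"verb not allowed: {verb!r}")
    if not isinstance(resource, str) or resource not in ALLOWED[verb]:
        raise Denied(f"resource not allowed for {verb}: {resource!r}")
    argv = ["kubectl", verb, resource]
    if "name" in call:
        argv.append(_checked_name(call["name"], "name"))
    if "namespace" in call:
        argv += ["--namespace", _checked_name(call["namespace"], "namespace")]
    return argv  # pass to subprocess.run(argv) as a list, never via a shell


if __name__ == "__main__":
    # Constructed sample calls: one inside the policy, one outside it.
    print(build_argv({"verb": "get", "resource": "pod", "namespace": "prod"}))
    try:
        build_argv({"verb": "delete", "resource": "deployment"})
    except Denied as err:
        print("denied:", err)
```
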
|
|