| ▲ | dhorthy 7 days ago | |||||||
this is more about the service account than the runtime environment i think. you put your admin service account in docker the agent can still wreak havoc. Docker lets you hide the admin service account on your host FS from the agent. | ||||||||
| ▲ | __MatrixMan__ 7 days ago | parent [-] | |||||||
Keeping the powerful credentials where the agent can't reach them does buy you a bit of safety. But I still think its a bit loose when compared with exposing an API to the model which can only do what you intend for that model to do. | ||||||||
| ||||||||