undefined | Better HN

0 pointsdcherman1d ago0 comments

How so? Let's use a common CLI tool as an example - kubectl. Config is generally stored in ~/.kube in a variety of config files. Running `kubectl config view` already redacts the auth information from the config. LLMs could invoke `kubectl` commands without having knowledge of how it's authenticated.

0 comments

simonw1d ago

If the agent has permission to run kubectl config view what's to stop it from reading those config files directly?

dchermanOP1d ago

The same permissions model that works for other tools. In Claude Code terms, allow Bash(kubectl:*). Deny Read(**/.kube/**). That allows kubectl access without allowing the tool to read ~/.kube directly.

Your argument is the same for an MCP server - auth is stored somewhere on disk, what's to stop it from reading that file? The answer is the same as above.

simonw1d ago

Would that stop Claude from executing this code:

  python -c '
  print(open("~/.kube/config.txt").read())
  '

The point I'm making here is that with an MCP you can disable shell access entirely, at which point the agent cannot read credential files that it's not meant to be able to access.

1 more reply

j / k navigate · click thread line to collapse

0 pointsdcherman1d ago0 comments

0 comments

simonw1d ago

If the agent has permission to run kubectl config view what's to stop it from reading those config files directly?

dchermanOP1d ago

Your argument is the same for an MCP server - auth is stored somewhere on disk, what's to stop it from reading that file? The answer is the same as above.

simonw1d ago

Would that stop Claude from executing this code:

  python -c '
  print(open("~/.kube/config.txt").read())
  '

The point I'm making here is that with an MCP you can disable shell access entirely, at which point the agent cannot read credential files that it's not meant to be able to access.

1 more reply

j / k navigate · click thread line to collapse