Ch8 β Security π₯
βMy agent has cluster-admin,β said the student proudly. Budo bowed to the agent: βThen it is YOUR sensei now.β
Status: outline. Lab scaffolding in labs/ch08-security/.
This chapter has two halves because the red belt cuts both ways.
Half 1 β the security agent
budo sec β three skills against the dojo:
- Image triage: trivy scan output (deterministic) β agent prioritizes by reachability and context (is the vulnerable pkg in a internet-facing service? is there an exploit path?) β the judgment layer CVE scanners lack
- RBAC review: dump bindings β flag escalation paths (wildcard verbs,
pods/execon broad subjects, secrets read in default SAs) - K8s audit-log anomalies: enable kindβs audit log; agent baselines normal API patterns, then you exfiltrate a secret via an unusual path and see if itβs caught
Half 2 β securing your agents (the reckoning)
Every βbreak itβ since Ch1 was a deposit; this is the withdrawal. Formalized:
- Prompt injection: the Ch1 log attack and Ch3 PR attack, systematized. Untrusted-data delimiting, instruction/data separation, and the honest truth about why mitigations β fixes
- Privilege separation: the pattern that actually works β quarantined reader (sees untrusted data, has NO tools) + privileged executor (has tools, sees only the readerβs structured findings)
- Tool sandboxing: kubectl behind a scoped ServiceAccount per agent skill (read-only role for
budo logs, etc.); subprocess tools in a container jail; egress allow-lists - Approval gates as security boundary: audit of your own gate β can the model talk you into a
y? (Yes. We measure how.) - A threat model worksheet for every agent youβve built: capabilities Γ data sources Γ blast radius
Break it (meta)
Red-team day: 5 injection payloads (provided) against your full budo CLI. Score it honestly.
Belt test
Both seeded escalation paths + the audit-log exfil caught; the privilege-separation refactor applied to budo logs; red-team score documented with mitigations for every hit.