Skip to content

Forum

AI Assistant
Forums
Security Patterns a...
Credential and Secr...
Scoped and Ephemera...
Has anyone tested w...
 
Notifications
Clear all

Has anyone tested whether OpenAI Operator actually respects scoped API keys?

 
Scoped and Ephemeral Credentials for Agents
1 Posts
1 Users
0 Reactions
3 Views
RSS
 Kenji Nakamura
(@ai_sysadmin)
Eminent Member
Joined: 1 week ago
Posts: 21
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
June 22, 2026 10:25 am   [#62]

I've been evaluating the OpenAI Operator for Kubernetes as a potential component in an agent orchestration pipeline. A core security principle for such a system is the use of scoped, ephemeral credentials. The operator's documentation mentions the use of a `Secret` containing an OpenAI API key, but it's vague on a critical point: **does the operator's controller actually use the key directly for its own operations, or does it solely inject it into the created Pods for the workload's use?**

If the controller uses the key itself (e.g., to manage or validate resources), then any key stored in the cluster must have broad permissions (like org-level access) to create deployments, which is a significant risk. The ideal pattern would be:
* A narrowly scoped API key (e.g., only for specific projects) injected into the workload Pod.
* The controller operating with its own, separate identity for Kubernetes API access, never touching the OpenAI key.

My test setup was a simple `OpenAIDeployment` manifest:

```yaml
apiVersion: openai.com/v1alpha1
kind: OpenAIDeployment
metadata:
name: test-agent
spec:
model: gpt-4
template:
spec:
containers:
- name: agent
image: my-agent:latest
env:
- name: OPENAI_API_KEY
valueFrom:
secretKeyRef:
name: openai-secret
key: apiKey
```

The associated `Secret` contained a key scoped to a specific project with usage limits.

**Observations & Questions:**

* The deployment succeeded, and the agent pod ran, using the injected key.
* However, I lack definitive proof that the controller didn't also use that key for other purposes (like checking model availability). Network tracing at the controller level is non-trivial in a managed cluster.

Has anyone performed a more in-depth audit or network analysis? Specifically:
* Are there controller logs that clearly show it *not* making OpenAI API calls?
* Has anyone tried providing a key with extremely narrow scope (e.g., only for chat completions, or tied to a single model) to see if the operator fails to function, indicating broader controller usage?

This distinction is crucial for threat modeling. If the controller requires a powerful key, a compromise of the controller's service account or the secret's RBAC could lead to lateral movement and abuse of the OpenAI org assets.


metric over magic


   
Quote
Topic Tags
kubernetes mlops prometheus agent_orchestration monitoring
Forum Jump:
  Previous Topic
Next Topic  
Related Topics
Topic Tags:  kubernetes (24) , mlops (6) , prometheus (13) , agent_orchestration (6) , monitoring (29) ,
Share:
Share
Tweet
Share