Skip to content

ADR 005: Namespace Isolation for K8s and ECS

Status

Accepted

Context

Agent containers must be isolated from the Dispatcher and Controller infrastructure. On Kubernetes, this means a separate namespace. On ECS, this means a separate security group and task role.

Decision

Kubernetes

  • Agents run in a dedicated agents namespace (configurable via K8S_NAMESPACE)
  • Dispatcher's ServiceAccount has RBAC permissions only in the agents namespace (Jobs, Pods, Services, ConfigMaps)
  • Agents have no ServiceAccount token mounted (automountServiceAccountToken: false)
  • NetworkPolicy restricts agent-to-agent communication (optional, configurable)

ECS

  • Agents run with a dedicated task role that has no AWS API permissions by default
  • Security group allows outbound only (egress to Dispatcher endpoint + internet)
  • Task execution role has ECR pull + CloudWatch logs only
  • Dispatcher's IAM role can only RunTask/StopTask on the designated cluster

Consequences

  • Agents cannot access K8s API, AWS APIs, or other infrastructure by default
  • Operators must explicitly grant permissions for skills that need them (e.g., git clone needs SSH keys, not IAM roles)
  • The Dispatcher is the sole identity that can spawn and terminate agents
  • Terraform modules in terraform/ecs/ and terraform/gke/ enforce this at the infrastructure level