What about being in a docker container lets you `kubectl get pod` but prevents you from `kubectl delete deployment`?

this is more about the service account than the runtime environment i think. you put your admin service account in docker the agent can still wreak havoc. Docker lets you hide the admin service account on your host FS from the agent.

Keeping the powerful credentials where the agent can't reach them does buy you a bit of safety. But I still think its a bit loose when compared with exposing an API to the model which can only do what you intend for that model to do.

sure fair enough. I guess i'm mostly being pragmatic here.

Plus i'm not convinced that generating "kubectl"...json..."get"...json..."pod"... is easier for most models than "bash"...json..."kubectl get pod"...

Yes... a docker container...