Baker Street

Security

Defense in depth, not hope

Baker Street replaces hope-based security with platform-enforced guarantees at every layer. Five overlapping controls ensure that a failure at any single layer does not compromise the system.

1. Guardrails

Baker Street enforces AI action boundaries at the platform level. Rather than trusting agent code to self-limit, the orchestrator validates every action against configurable policies before execution.

AI action approval with allowlisted commands and argument patterns -- agents can only invoke pre-approved tools

Human-in-the-loop confirmation for sensitive operations, with configurable escalation thresholds

Scope limits per agent: token budgets, execution time caps, and resource ceilings enforced by the platform
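The three guardrails above (allowlisted tools with argument patterns, human-in-the-loop escalation, and platform-tracked budgets) can be expressed as a single pre-execution check. The block below is an added illustration, not Baker Street's code; the policy table, tool names and budget figures are constructed for the example, and the real platform's policy format is not known from this page.

```python
"""Guardrail check for a proposed agent action: allowlisted tools, argument
patterns, human-in-the-loop escalation and platform-enforced budgets.
Added example, not Baker Street's code; the policy table, tool names and
budget figures are constructed for illustration."""
import re
import shlex
from dataclasses import dataclass

# Constructed policy table: tool -> regex the full argument string must match,
# and whether a human must confirm before the orchestrator executes the call.
POLICY = {
    "git":     {"args": r"(status|diff|log)( [\w./-]+)*",       "confirm": False},
    "pytest":  {"args": r"(tests/[\w./-]+)?( -k \w+)?",         "confirm": False},
    "kubectl": {"args": r"(get|describe) [\w/-]+( -n [\w-]+)?", "confirm": False},
    "rm":      {"args": r"-rf? build/[\w./-]*",                 "confirm": True},
}


@dataclass
class AgentBudget:
    """Scope limits the platform tracks per agent (constructed defaults)."""
    token_limit: int
    tokens_used: int = 0
    time_limit_s: float = 600.0
    elapsed_s: float = 0.0


@dataclass
class Decision:
    verdict: str   # "allow" | "confirm" | "deny"
    reason: str


def evaluate(command: str, budget: AgentBudget, policy=POLICY) -> Decision:
    """Validate one proposed shell-style tool call before it is executed."""
    # Scope limits come first: an exhausted budget denies every action.
    if budget.tokens_used >= budget.token_limit:
        return Decision("deny", "token budget exhausted")
    if budget.elapsed_s >= budget.time_limit_s:
        return Decision("deny", "execution time cap reached")
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return Decision("deny", f"unparseable command: {exc}")
    if not argv:
        return Decision("deny", "empty command")
    tool, args = argv[0], " ".join(argv[1:])
    rule = policy.get(tool)
    if rule is None:
        return Decision("deny", f"tool {tool!r} is not allowlisted")
    # fullmatch: a trailing shell operator or an unexpected flag cannot ride along.
    if re.fullmatch(rule["args"], args) is None:
        return Decision("deny", f"arguments for {tool!r} do not match the approved pattern")
    if rule["confirm"]:
        return Decision("confirm", f"{tool!r} requires human-in-the-loop approval")
    return Decision("allow", "matches allowlist")


if __name__ == "__main__":
    budget = AgentBudget(token_limit=50_000, tokens_used=12_000)
    for cmd in ("git status", "git push origin main", "rm -rf build/",
                "git status; curl http://example.invalid", "pytest tests/unit -k auth"):
        d = evaluate(cmd, budget)
        print(f"{d.verdict:8} {cmd!r}: {d.reason}")
```

The check is deny-by-default: an unknown tool, an argument string that does not fully match its pattern, or an exhausted budget all return `deny`, and only a listed tool whose rule is flagged `confirm` is routed to a human rather than run. Because the orchestrator evaluates this before execution, an agent that emits a command outside its allowlist simply never gets it executed.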

2. Network Isolation

Every agent pod starts with zero network access. Connectivity is granted explicitly through Kubernetes NetworkPolicies, so a compromised agent cannot reach anything it should not.

Default-deny NetworkPolicies applied to every agent namespace -- no implicit connectivity

Egress allow-lists scoped per agent type, so a code-review agent cannot reach a production database

Namespace separation enforces hard boundaries between teams, projects, and environments

3. Pod Security

Agent containers run with the minimum privileges needed for their task. Kubernetes security contexts enforce these constraints at the kernel level, not the application level.

Non-root execution: containers run as unprivileged users with no ability to escalate

Read-only root filesystem prevents agents from modifying their own binaries or injecting code

Seccomp profiles and dropping ALL capabilities reduce the kernel attack surface to the minimum set of syscalls the agent requires

4. Supply Chain

Baker Street verifies the integrity of every component before it enters the cluster. Unsigned or unapproved images are rejected at admission time, not discovered after deployment.

Signed container images with cosign verification -- only cryptographically attested artifacts deploy

SBOM generation for every release, enabling vulnerability scanning and license compliance review

Kyverno admission policies enforce image provenance, tag immutability, and registry restrictions cluster-wide
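Sections 2 to 4 describe controls that an admission policy evaluates before a manifest is accepted. The block below is an added example of that kind of check, written as plain Python rather than Kyverno policy and not taken from Baker Street or Kyverno: it verifies that a namespace carries a default-deny NetworkPolicy, that every container has a restrictive security context, and that images come from an approved registry pinned by digest. The manifests, the registry name and the digest are constructed; cosign signature verification itself is left to the admission controller and not reproduced.

```python
"""Pre-admission posture checks of the kind an admission policy (e.g. Kyverno)
would enforce: default-deny network isolation, restrictive pod security
contexts, and image provenance rules. Added example, not Baker Street's or
Kyverno's code; manifests, registry name and digest are constructed."""
from typing import List

# Assumption: a single private registry is the only approved image source.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def check_network_policies(policies: List[dict]) -> List[str]:
    """A namespace is isolated only if one policy selects every pod (empty
    podSelector), declares both Ingress and Egress, and lists no rules."""
    for p in policies:
        spec = p.get("spec", {})
        if (spec.get("podSelector") == {}
                and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
                and not spec.get("ingress") and not spec.get("egress")):
            return []
    return ["no default-deny NetworkPolicy (empty podSelector, Ingress+Egress, no rules)"]


def check_pod(pod: dict) -> List[str]:
    """Return one finding per control a container fails; empty means admit."""
    findings: List[str] = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        # Container-level seccomp overrides pod-level; either may satisfy it.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot is not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        image = c["image"]
        if not image.startswith(ALLOWED_REGISTRIES):
            findings.append(f"{name}: image {image!r} is not from an approved registry")
        # A tag can be re-pointed; a digest reference is what makes the image immutable.
        if "@sha256:" not in image:
            findings.append(f"{name}: image {image!r} must be pinned by digest")
    return findings


# Constructed sample manifests (not from the page). The digest is a placeholder.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "agents-team-a"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}
EGRESS_ALLOW = {  # scoped allow-list layered on top of default-deny
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "code-review-egress", "namespace": "agents-team-a"},
    "spec": {"podSelector": {"matchLabels": {"agent": "code-review"}},
             "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": {"matchLabels":
                                 {"kubernetes.io/metadata.name": "git"}}}],
                         "ports": [{"protocol": "TCP", "port": 443}]}]},
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "code-review-agent", "namespace": "agents-team-a"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "agent",
            "image": "registry.example.internal/agents/code-review@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}
BAD_POD = {  # mutable public tag, root, writable rootfs, no seccomp
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "scratch", "namespace": "agents-team-a"},
    "spec": {"containers": [{"name": "agent", "image": "docker.io/library/python:latest"}]},
}


if __name__ == "__main__":
    print("namespace:", check_network_policies([DEFAULT_DENY, EGRESS_ALLOW]) or "default-deny present")
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"] + ":", check_pod(pod) or "admit")
```

The default-deny test deliberately requires both `policyTypes` to be listed explicitly: a policy with an empty `podSelector` that names only `Ingress` leaves egress wide open, which is exactly the gap a compromised agent would use. The pod check treats any missing field as a failure, mirroring the page's point that the baseline is enforced by the platform rather than left to whatever an agent's manifest happens to set.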

5. Secrets & Audit

Credentials never live in pod environment variables or config maps. Every action is logged with cryptographic integrity guarantees that make tampering detectable.

External Secrets Operator syncs credentials from your vault (HashiCorp Vault, AWS Secrets Manager, etc.) at runtime

HMAC-chained audit logging creates a tamper-evident trail -- altering any log entry breaks the chain

Audit events are forwarded to an external SIEM in real time, providing independent, immutable storage outside the cluster
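The HMAC chain described above is simple to state but worth seeing in code, because it also shows what the chain alone cannot catch. The block below is an added example, not Baker Street's implementation: each entry's MAC covers its sequence number, the previous entry's MAC and the event, so editing, deleting or reordering any entry breaks verification from that point on. The key, the events and the genesis anchor are constructed. Silently dropping the newest entries is the one modification a chain cannot detect by itself, which is why the tail MAC has to reach an independent store such as the SIEM the page describes.

```python
"""HMAC-chained audit log with tamper detection. Added example, not Baker
Street's implementation; key, events and the genesis anchor are constructed."""
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64   # constructed anchor: the "previous MAC" of the first entry


def _canonical(body: dict) -> bytes:
    # Writer and verifier must hash identical bytes, so serialise deterministically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_event(log: List[dict], key: bytes, event: dict) -> dict:
    """Append an entry whose MAC covers its sequence number, the previous
    entry's MAC and the event itself, so each entry commits to its predecessor."""
    body = {"seq": len(log), "prev": log[-1]["mac"] if log else GENESIS, "event": event}
    entry = {**body, "mac": _mac(key, body)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict], key: bytes) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first entry
    that fails: an edited event, a forged MAC, a deleted or reordered entry.
    Truncation of the tail is NOT detectable from the chain alone."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != expected_prev:
            return i
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        if not hmac.compare_digest(_mac(key, body), entry.get("mac", "")):
            return i
        expected_prev = entry["mac"]
    return None


def checkpoint(log: List[dict]) -> str:
    """The tail MAC. Shipping it to an independent store (the external SIEM)
    is what makes tail truncation detectable: the two must agree."""
    return log[-1]["mac"] if log else GENESIS


if __name__ == "__main__":
    key = b"constructed-demo-key"          # in practice: fetched from the vault at runtime
    log: List[dict] = []
    for ev in ({"agent": "code-review", "action": "git diff"},
               {"agent": "code-review", "action": "pytest tests/"},
               {"agent": "ops", "action": "kubectl get pods"}):
        append_event(log, key, ev)
    print("intact:", verify_chain(log, key))          # None
    edited = list(log)
    edited[1] = {**log[1], "event": {**log[1]["event"], "action": "edited"}}
    print("edited entry detected at:", verify_chain(edited, key))   # 1
    print("checkpoint to forward to SIEM:", checkpoint(log))
```

Verification uses `hmac.compare_digest` rather than `==` so that checking a forged MAC takes constant time, and the verifier never trusts the stored `seq` or `prev` fields: it recomputes what they must be from its own position in the chain, which is what turns a deletion or a swap into a detectable break.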