MCP Dev Summit Bengaluru 2026

We had 47 runbooks in Confluence. During incidents nobody used them. So I converted them into MCP server tools where an agent picks the right steps based on what it sees in the cluster.
This was working fine until two things went wrong.
One, the MCP server had the same service account as our CI pipeline. Too many permissions. Agent went and listed every secret in the namespace. It wasn't doing anything wrong, just had access it should not have. That's when I understood MCP has no security story for infra tools.
Two, at 3 AM the agent connected two unrelated alerts, restarted the wrong deployment, and a small incident became bigger.
I fixed both. Built OPA policy gates that check every tool call before execution. RBAC is now per tool, not per server. Tokens last five minutes and expire after one action. After the 3 AM incident I added blast-radius checks and human approval for destructive operations.
In the demo I walk through an agent diagnosing a pod failure, clearing policy, running with a scoped token, and logging an audit trail. Then it tries something it should not and gets blocked.
This talk is about what it actually takes to give an agent kubectl access safely.