This is what we see! We want to make it very easy to be able to granularly manage your agents (in terms of files they have access to, env var values, network policy, etc.) on a per-task basis.
With regards to permissions, mileage varies based on SDK. Some have very granular hooks and permission protocols (Claude Agent SDK stands out in particular) while for others, you need a layer above it since it doesn't come out of the box.
There are companies that solve the pain of authn/z for agents and we've been playing with them to see how we could complement them. In general, we do think it's valuable to provide this at the infra level as well rather than just the application level, since the infra layer is the source of truth of what calls were made / what was blocked, etc.
K8s gives you orchestration of Docker containers. I don’t think it handles the container boundary any more than Docker does.
I don’t think it should be assumed to give network isolation, unless you’re also using extensions and something like Cilium for that purpose. I don’t think it’s the right primitive for agent sandboxes, or other kinds of agent infra.
(Obviously, you could still run a custom runtime inside k8s pods, or something like GCP’s k8s gVisor magic.)
> per-task authorization scope
This is more agent framework territory, e.g. ADK. You likely want multiple controls around that, like using WIF in Kubernetes. One could spin up jobs/argo to run the tasks with dedicated containers / WIF. ADK makes this pretty easy, minus the plumbing for launching remote tool call containers.
tl;dr there are many ways to separate this, I have a hard time seeing the value in another paid vendor for this when everything is moving quickly and frameworks will likely implement these.
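The two comments above make the same point from different angles: Kubernetes only gives network isolation if a NetworkPolicy-enforcing CNI (Cilium, Calico, etc.) is installed, and per-task scoping is something you assemble yourself out of jobs, dedicated identities and policy. The manifests below are an added illustration of that assembly, not code from any commenter or from ADK, Cilium or a vendor. They assume a namespace `agent-sandboxes`, a task id `task-1234`, an in-cluster tool service `tool-api` in namespace `tools` on port 8443, that cluster DNS carries the usual `k8s-app: kube-dns` label in `kube-system`, and a CNI that enforces NetworkPolicy; without such a CNI the API server accepts the policies but nothing enforces them, which is exactly the trap the comment warns about.

```yaml
# Added example, not from the thread. Assumed names: namespace agent-sandboxes,
# task id task-1234, tool service tool-api.tools:8443, CoreDNS labelled
# k8s-app=kube-dns in kube-system. Requires a NetworkPolicy-enforcing CNI.
---
apiVersion: v1
kind: Namespace
metadata:
  name: agent-sandboxes
---
# Default deny for every pod in the namespace (empty podSelector matches all).
# Nothing talks in or out unless a later policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: agent-sandboxes
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Per-task egress allowlist: only pods carrying this task's label may reach
# cluster DNS and the single tool endpoint the task needs. No other egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: task-1234-egress
  namespace: agent-sandboxes
spec:
  podSelector:
    matchLabels:
      agent-task: task-1234
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns        # assumed CoreDNS label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tools
          podSelector:
            matchLabels:
              app: tool-api            # assumed tool service label
      ports:
        - protocol: TCP
          port: 8443
---
# One ServiceAccount per task, so whatever identity the job presents (to the
# API server, or to a cloud provider via workload identity federation) is
# scoped to this task and can be revoked with it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: task-1234
  namespace: agent-sandboxes
automountServiceAccountToken: false
---
# The task itself: a one-shot Job with the task label (so the egress policy
# applies), the task identity, no API token mounted, and a locked-down container.
apiVersion: batch/v1
kind: Job
metadata:
  name: task-1234
  namespace: agent-sandboxes
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 3600
  template:
    metadata:
      labels:
        agent-task: task-1234
    spec:
      serviceAccountName: task-1234
      automountServiceAccountToken: false
      restartPolicy: Never
      containers:
        - name: agent
          image: example.invalid/agent-runner:latest   # placeholder image
          env:
            - name: TASK_ID
              value: task-1234
            - name: TOOL_API_URL
              value: https://tool-api.tools.svc:8443
          securityContext:
            runAsNonRoot: true
            runAsUser: 10001
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: workspace
              mountPath: /workspace
      volumes:
        - name: workspace
          emptyDir: {}
```

Apply with `kubectl apply -f` and confirm the policies are visible with `kubectl get networkpolicy -n agent-sandboxes`; to check they are actually enforced, exec into the job's pod and attempt a connection to an address outside the allowlist, which should fail rather than succeed. Note what this does and does not cover: the NetworkPolicy and per-task ServiceAccount handle the network and identity scope the comments talk about, but the container boundary is still the node's runtime, so a stronger sandbox (gVisor via a `runtimeClassName`, as the earlier comment mentions) is a separate decision layered on top.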