Exploring isolated code execution for Kagenti agents

[rrbanda]

Context

Some AI agents need to execute code that they generate at runtime (e.g., coding agents, data analysis agents).

Today, Kagenti provides:

• Authentication (Keycloak)
• Workload identity (SPIFFE/SPIRE)
• Network security (Istio mTLS)

However, agents run as standard Deployments, and any code they execute runs with the agent's full privileges. I'm wondering if there's a need for runtime isolation when agents execute untrusted or LLM-generated code.

A Potential Approach

I came across Agent Sandbox, a Kubernetes SIG Apps project that seems designed for this use case. From their README:

"AI Agent Runtimes: Isolated environments for executing untrusted, LLM-generated code"

It provides:

• A Sandbox CRD for managing isolated pods
• SandboxWarmPool for pre-warmed sandboxes
• A Python SDK for agents to use sandboxes programmatically
• Support for gVisor and Kata Containers as isolation runtimes

On OpenShift, this could potentially use OpenShift Sandboxed Containers as the underlying Kata runtime.

Worth noting: Agent Sandbox is an upstream Kubernetes project—the CRDs and controller are not Red Hat supported. Only OpenShift Sandboxed Containers (Kata) itself is supported.

How It Might Work

If I understand correctly, the pattern would be:

1. Kagenti deploys an Agent as a Deployment (as it does today)
2. Agent receives a task that requires code execution
3. Agent uses the Agent Sandbox Python SDK to obtain a Sandbox
4. Agent sends code to the Sandbox for execution
5. Sandbox executes code in a Kata VM and returns result
6. Agent returns response to caller

The Sandbox runs as a separate pod with its own identity, providing isolation from the agent.

Questions

1. Is this a real problem we should solve? Are there Kagenti users who need agents that execute untrusted code?
2. Has anyone looked at Agent Sandbox before? Any experience with it?
3. If there's interest, what scope makes sense?
   • Just documentation on how to manually integrate?
   • Deeper platform integration?
4. Agent Sandbox docs show minikube/GKE examples—would we need to validate on OpenShift first?
5. Any concerns with this approach?

References

• Agent Sandbox GitHub
• Agent Sandbox Docs
• Agent Sandbox Python SDK
• Kata Containers Guide
• OpenShift Sandboxed Containers

[Ladas]

Yeah, I was looking at this for few months. Getting to actually prototype several approaches, kata was one of them, custom controller managing pvc access per agent session another. And trying 2 more.

I think kagenti should have built-in generic agents like this loaded from example repo. With this, we can do agent similar to claude-code, with file based RAG capabilities and writing creating docs and scripts in sandboxed space. And we should e2e test these agents in kagenti/kagenti CI. Only weather agent has e2e tests now.