This is what we see! We want to make it very easy to be able to granularly manage your agents (in terms of files they have access to, env var values, network policy, etc.) on a per-task basis.

With regards to permissions, mileage varies based on SDK. Some have very granular hooks and permission protocols (Claude Agent SDK stands out in particular) while for others, you need a layer above it since it doesn't come out of the box.

There are companies that solve the pain of authn/z for agents and we've been playing with them to see how we could complement them. In general, we do think it's valuable to be provide this at the infra level as well rather than just the application level since the infra layer is the source of truth of what calls were made / what were blocked, etc.

K8s gives you orchestration of Docker containers. I don’t think it handles the container boundary any more than Docker does.

I don’t think it should be assumed to give network isolation, unless you’re also using extensions and something like Cilium for that purpose. I don’t think it’s the right primitive for agent sandboxes, or other kinds of agent infra.

(Obviously, you could still run a custom runtime inside k8s pods, or something like GCP’s k8s gVisor magic.)

> per-task authorization scope

This is more agent framework territory, eg. ADK. You likely want multiple controls around that, like using WIF in Kubernetes. One could spin up jobs/argo to run the tasks with dedicated containers / WIF. ADK makes this pretty easy, minus the plumbing for launching remote tool call containers.

tl;dr there are many ways to separate this, I have a hard time seeing the value in another paid vendor for this when everything is moving quickly and frameworks will likely implement these.

Are you an AI?

We don't support docker-in-docker yet, but that's something on our short term roadmap. We have the need for this ourselves! For now, you could call a different service to spin up your sandbox with the image of your codebase. Not ideal, but this is what we do now.

Yes, you can use your own subscriptions as long as you follow their guidelines

Hey I'm working on this problem (also a YC company but it's FOSS). It's a Dind approach https://coasts.dev/, I wonder if this works for your setup.

We overlap at the sandbox layer, but we're focused more on the layer above that: packaging agent code + deploying/versioning it, managing tasks over time, handling message persistence, and attaching durable workspaces to those tasks.

Yep, this whole area still feels pretty unsettled. The thing we've become convinced of is that workspace state needs to be a first-class product primitive instead of something tied to one sandbox. That's why we model filesystems separately from tasks and focus on durable mount/sync semantics.

We're currently rolling our own but we've been meaning to experiment with other tools.

howdy! two things on the archil front:

1. we're not NFS, we wrote our own protocol to get much better performance

2. we're planning on coming out with native branching this month, which should make these kinds of workloads much easier to build!

I'm using Dagger to checkpoint and all the fun stuff that can come after

We're trying to be a bit more opinionated one layer up: deployable agent runtimes with first-class tasks, persistent /workspace, and rollout/ops primitives like versions, rollback, logs, and secrets.

For example we make it easy to have automatic deployments from your github ci (using our cli), and you can monitor and manage all your deployments in our platform, along with logs, conversation transcripts etc.

I'd think of us more of the deployment, monitoring and storage layer rather than just the compute runtime.

Depends on your agent. We haven't used langgraph, but I'd think it's probably the best solution to deploy langchain agents. We're SDK agnostic. We're like langgraph, but for agents that works in a sandbox and needs access to a filesystem to do work.

I think people pick new tooling not because k8s lacks horsepower, but because running per-user filesystem-backed agents on k8s forces you to build and maintain a surprising amount of glue code. Newer platforms put versioned mounts, local-first dev cycles, secure ephemeral runtimes, and opinionated deployment so teams can focus on agent logic instead of writing Helm charts and CSI gymnastics.

If you repurpose k8s with ephemeral volumes or emptyDir, a sidecar, you'll likely get predictable ops and avoid vendor lock-in. Expect more operator work, fragile debugging across PVCs and sidecars, and the need to invest in local emulation or a Firecracker or gVisor sandbox if you want anything like laptop parity.

Honest answer: the problems start when you're running 50+ agents across 3 different model providers and the failure modes aren't "pod crashed" anymore. They're "model returned confidently wrong output and the next 4 steps ran on garbage."

K8s is great at keeping things alive. It's not built to reason about whether the thing that's alive is actually working correctly. Agent infra needs to handle rollback at the logic level, not just the container level.

I think there are some primitives for agents that need to be built out for better security and being able to reason about them.

Agents run on infra, they have network connectivity, they have ACLs and permissions that let them read+write+execute on resources, they can interact with other agents.

To manage them from both an infra and security perspective, we can use the existing underlying primitives, but it's also useful to build abstractions around them for management, kind of like how microservices encapsulate compute+storage+network together.

I think of agents as basically microservices that can act in non-deterministic ways, and the potential "blast radius" of their actions is very wide. So you need to be able to map what an agent can do, and it's much easier to do that if there are abstractions or automatic groupings instead of doing this all ourselves.

Unrelated but your comments on https://news.ycombinator.com/item?id=44736176 related to the Terminal agents coding craze have helped me feel less crazy. People using GitHub Copilot CLI and Claude Code, they either never review the code or end up opening up an IDE to review the code, and I'm sitting here like, why don't you use the terminal in your favorite IDE? You're using a Terminal as a chat interface, so why not just use a chat interface? Or use the terminal in VS Code which actually now integrates very well with Claude Code and GitHub Copilot CLI so you can see what's going on across the many files this thing is editing?

The hype is so large with the CLI coding tools I got FOMO, but as you were saying in that thread, I see no tangible improvement to the value I get out of AI coding tools by using the CLI alone. I use the CLI in VS Code, and I use the chat panel, and the only thing that seems to actually make a difference is the "context engineering" stuff of custom instructions, agent skills, prompt files, hooks, custom agents, all that stuff, which works no matter which interface you use to kick off your AI coding instructions.

Would be curious to hear your thoughts on the topic all these months later.

I think Kubernetes is a good candidate to run these sandboxes. It is just that you have to do a lot of annotations, node group management, pod security policies, etc., to name a few. Apply the principle of least privilege for access to mitigate risk.

I think Kata containers with Kubernetes is an even better sandboxing option for these agents to run remotely.

Shameless plugin here but we at Adaptive [1] do something similar.

[1] https://adaptive.live

We have also built something custom ourselves (with modal.com serverless containers), running thousands of on-demand coding agents each day and already the assumptions that Terminal Use is making (about using the file system and coding agent support) would not work for our use case.

At least on K8s you can control the network policy. That's the harder problem to solve. I suspect we'll see a lot of exfiltration via prompt injection in the next few years.