k8e.sh β Open Source Agentic AI Sandbox Matrix. A CNCF-conformant Kubernetes distribution in a single binary under 100MB, purpose-built for secure, isolated AI agent execution at scale. Up and running in 60 seconds. Inspired by K3s.
curl -sfL https://k8e.sh/install.sh | sh -That's it. Your agentic sandbox matrix is ready. π€
K8E is the Open Source Agentic AI Sandbox Matrix β a Kubernetes-native platform for running secure, isolated AI agent workloads at scale, packaged as a single binary under 100MB.
As autonomous AI agents increasingly generate and execute untrusted code, robust sandboxing infrastructure is no longer optional. K8E ships everything needed to spin up a production-grade cluster in under 60 seconds, with first-class primitives for agent isolation, resource governance, and ephemeral execution environments β purpose-built for the AI era.
π One cluster. Many agents. Zero trust between them.
| Capability | Description |
|---|---|
| π Hardware Isolation | Pluggable runtimes: gVisor (default), Kata Containers, Firecracker microVM |
| π Network Policies | Cilium eBPF toFQDNs egress control β per-session, no proxy process needed |
| βοΈ Resource Quotas | CPU/memory caps per agent session to prevent runaway costs |
| ποΈ Ephemeral Workspaces | Auto-cleanup after agent session ends |
| π§ Warm Pool | Pre-booted sandbox pods for sub-500ms session claim latency |
| π€ agent-sandbox compatible | Works with kubernetes-sigs/agent-sandbox |
| π SKILL + CLI | AI agents (claude code, codex, pi) connect via k8e-sandbox-cli CLI commands |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β K8E CLUSTER β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β CONTROL PLANE (Server Node) β β
β β ββββββββββββββββ βββββββββββββββ ββββββββββββ β β
β β β API Server β β Scheduler β β etcd β β β
β β ββββββββββββββββ βββββββββββββββ ββββββββββββ β β
β β ββββββββββββββββββββ ββββββββββββββββββββββββββββββββ β β
β β β Controller Mgr β β SandboxMatrix Controller β β β
β β ββββββββββββββββββββ ββββββββββββββββββββββββββββββββ β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β ββββββββββββββ΄βββββββββββββ β
β βββββββββββββββΌββββββββββββ ββββββββββββΌβββββββββββββββ β
β β WORKER NODE β β WORKER NODE β β
β β βββββββββββββββββββ β β βββββββββββββββββββ β β
β β β sandbox-matrix β β β β sandbox-matrix β β β
β β β grpc-gateway β β β β grpc-gateway β β β
β β β :50051 (TLS) β β β β :50051 (TLS) β β β
β β ββββββββββ¬βββββββββ β β ββββββββββ¬βββββββββ β β
β β β β β β β β
β β ββββββββββΌβββββββββ β β ββββββββββΌβββββββββ β β
β β β Isolated Pods β β β β Isolated Pods β β β
β β β gVisor/Kata/FC β β β β gVisor/Kata/FC β β β
β β βββββββββββββββββββ β β βββββββββββββββββββ β β
β β Cilium CNI (eBPF) β β Cilium CNI (eBPF) β β
β βββββββββββββββββββββββββββ βββββββββββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β²
β gRPC (TLS)
ββββββββββ΄βββββββββ
β k8e-sandbox-cli β β CLI commands
ββββββββββ¬βββββββββ
β gRPC (TLS)
βΌ
β AI Agent β (claude code / codex / pi)
βββββββββββββββββββ
| Component | Version | Purpose |
|---|---|---|
| βΈοΈ Kubernetes | v1.35.x | Core orchestration engine |
| π· Cilium | Latest | eBPF networking & per-session egress policy |
| π¦ Containerd | v1.7.x | Container runtime |
| π etcd | v3.5.x | Distributed key-value store |
| π CoreDNS | v1.11.x | Cluster DNS |
| β Helm Controller | v0.16.x | GitOps & chart management |
| π Metrics Server | v0.7.x | Resource metrics |
| πΎ Local Path Provisioner | v0.0.30 | Persistent storage |
| π‘οΈ gVisor / Kata / Firecracker | β | Pluggable sandbox isolation runtimes |
| π€ Sandbox CLI | standalone | k8e-sandbox-cli β agent tool commands |
Install the runtime shim before K8E so it is auto-detected on first startup. gVisor is recommended β no KVM required.
curl -fsSL https://gvisor.dev/archive.key | gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] \
https://storage.googleapis.com/gvisor/releases release main" \
> /etc/apt/sources.list.d/gvisor.list
apt-get update && apt-get install -y runscK8E detects
runscat startup and automatically injects the gVisor stanza into its containerd config (/var/lib/k8e/agent/etc/containerd/config.toml). Do not runrunsc installβ K8E manages its own containerd configuration.
Need stronger isolation? See Sandbox Runtime Setup for Kata Containers and Firecracker.
curl -sfL https://k8e.sh/install.sh | sh -export KUBECONFIG=/etc/k8e/k8e.yaml
kubectl get nodes
kubectl get runtimeclass # should show: gvisor
kubectl -n sandbox-matrix get pods # Sandbox Matrix starts automaticallyDownload the standalone sandbox CLI, authenticate, and install the skill into your agent:
# Download sandbox CLI (~44MB)
curl -sLO https://github.com/xiaods/k8e/releases/latest/download/k8e-sandbox-cli-linux-amd64
chmod +x k8e-sandbox-cli-linux-amd64
# Create an API key on the server
k8e sandbox-apikey create my-agent
# β {"name":"my-agent","key":"k8e-abc123..."}
# Authenticate and obtain an mTLS client certificate
./k8e-sandbox-cli-linux-amd64 --endpoint <server-ip>:50051 --apikey k8e-abc123... login
# Install the skill
./k8e-sandbox-cli-linux-amd64 install-skill allLocal usage: If you're on the same machine as the K8E server, the CLI auto-discovers TLS certs and no login is needed β skip straight to
install-skill.
Platform binaries: k8e-sandbox-cli-{darwin,linux,windows}-{amd64,arm64}
Then ask your agent naturally:
"Run this Python snippet in a sandbox"
The agent executes k8e-sandbox-cli run automatically β no session management needed.
Supported agents: claude code, codex, pi.
K8E auto-detects installed runtimes and registers the corresponding RuntimeClass. Choose based on your isolation requirements:
| Runtime | Isolation | Requirement | Boot time |
|---|---|---|---|
| gVisor | Syscall interception (userspace kernel) | None | ~10ms |
| Kata Containers | VM-backed (QEMU) | Nested virt or bare metal | ~500ms |
| Firecracker | Hardware microVM (KVM) | /dev/kvm |
~125ms |
curl -fsSL https://gvisor.dev/archive.key | gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] \
https://storage.googleapis.com/gvisor/releases release main" \
> /etc/apt/sources.list.d/gvisor.list
apt-get update && apt-get install -y runscDo not run
runsc installβ K8E manages its own containerd config at/var/lib/k8e/agent/etc/containerd/config.tomland auto-injects the gVisor stanza on startup.
### Kata Containers
```bash
bash -c "$(curl -fsSL https://raw.githubusercontent.com/kata-containers/kata-containers/main/utils/kata-manager.sh) install-packages"
kata-runtime check
ls /dev/kvm # verify KVM is available
# Install firecracker-containerd shim + devmapper snapshotter
# See: https://github.com/firecracker-microvm/firecracker-containerd
mkdir -p /var/lib/firecracker-containerd/runtime
# Place hello-vmlinux.bin and default-rootfs.img hereInstall runtimes before starting K8E for zero-restart setup. If K8E is already running, restart it after installing a new runtime shim:
systemctl restart k8e
kubectl get runtimeclass
# NAME HANDLER AGE
# gvisor runsc 10s
# kata kata-qemu 10s
# firecracker firecracker 10s β only if /dev/kvm presentk8e-sandbox-cli is a standalone binary (~44MB) that gives AI agents direct access to K8E sandbox infrastructure β no server install needed.
AI Agent (claude code / codex / pi)
β shell command
βΌ
k8e-sandbox-cli run "print('hello')" --lang python
β gRPC (TLS)
βΌ
sandbox-grpc-gateway:50051
β
βΌ
Isolated Pod (gVisor / Kata / Firecracker)
On the server, create an API key for secure remote access:
k8e sandbox-apikey create my-agent
# β {"name":"my-agent","key":"k8e-abc123..."}On the client, download the standalone CLI, log in, and install the skill:
# 1. Download the platform-specific binary (~44MB)
curl -sLO https://github.com/xiaods/k8e/releases/latest/download/k8e-sandbox-cli-linux-amd64
chmod +x k8e-sandbox-cli-linux-amd64
# 2. Authenticate and obtain an mTLS client certificate
# Note: --endpoint and --apikey are global flags, placed before the subcommand
./k8e-sandbox-cli-linux-amd64 --endpoint <server-ip>:50051 --apikey k8e-abc123... login
# 3. Install the skill
./k8e-sandbox-cli-linux-amd64 install-skill allPlatform binaries: k8e-sandbox-cli-{darwin,linux,windows}-{amd64,arm64}
Then ask your agent naturally:
"Run this Python snippet in a sandbox"
The agent executes k8e-sandbox-cli run automatically β no session management needed.
| Command | Description |
|---|---|
k8e-sandbox-cli login |
Authenticate to gateway and obtain mTLS client certificate |
k8e-sandbox-cli run <code> |
Run code or shell command (auto-creates/manages session) |
k8e-sandbox-cli status |
Check sandbox service availability and current session |
k8e-sandbox-cli create |
Create a new session (custom runtime, egress, manifest, git-repo) |
k8e-sandbox-cli destroy <sid> |
Destroy a session and free resources |
k8e-sandbox-cli write <sid> <path> |
Write file to /workspace (content via stdin) |
k8e-sandbox-cli read <sid> <path> |
Read file from /workspace |
k8e-sandbox-cli list <sid> |
List files in /workspace (filter by --since timestamp) |
k8e-sandbox-cli subagent <parent-sid> |
Spawn child sandbox under parent session (max depth 1) |
k8e-sandbox-cli confirm <sid> <action> |
Gate irreversible action on human approval |
k8e-sandbox-cli approve <approval-id> |
Approve a pending confirm request |
k8e-sandbox-cli install-skill <target> |
Install skill file for AI agent (claude/codex/pi/all) |
k8e sandbox-apikey create <name> |
Create API key for remote sandbox access (server-side) |
k8e sandbox-apikey list |
List API key names (server-side) |
k8e sandbox-apikey delete <name> |
Delete an API key (server-side) |
See skills/k8e-sandbox/SKILL.md for full usage examples.
# Run Python code (auto-creates session)
k8e-sandbox-cli run "print('hello')" --lang python
# Shell command (default lang=bash)
k8e-sandbox-cli run "ls -la /workspace"
# TypeScript β type annotations run via tsx
k8e-sandbox-cli run "const nums: number[] = [1, 2, 3]; console.log(nums.reduce((a, b) => a + b, 0))" --lang ts
# Multi-line TypeScript via stdin (interfaces, async/await)
k8e-sandbox-cli run --lang ts <<'EOF'
interface User { name: string; age: number }
async function oldest(users: User[]): Promise<User> {
return users.reduce((a, b) => (a.age > b.age ? a : b));
}
const users: User[] = [{ name: "Ada", age: 36 }, { name: "Linus", age: 54 }];
oldest(users).then((u) => console.log(`Oldest: ${u.name} (${u.age})`));
EOF
# Multi-line via stdin
k8e-sandbox-cli run --lang python <<'EOF'
for i in range(10):
print(i)
EOF
# Default egress: pypi.org, files.pythonhosted.org, registry.npmjs.org,
# objects.githubusercontent.com, github.com, raw.githubusercontent.com
SID=$(k8e-sandbox-cli create | jq -r .session_id)
k8e-sandbox-cli write $SID /workspace/script.py <<'PYEOF'
import pandas as pd
print(pd.__version__)
PYEOF
k8e-sandbox-cli run "pip install pandas" --session-id $SID
k8e-sandbox-cli run "python3 /workspace/script.py" --session-id $SID
# Create session with custom runtime and egress
SID=$(k8e-sandbox-cli create --runtime firecracker --allowed-hosts pypi.org,github.com | jq -r .session_id)
# Clone git repo at session creation
SID=$(k8e-sandbox-cli create --git-repo https://github.com/user/repo.git --git-ref main | jq -r .session_id)
# Stream long-running output
k8e-sandbox-cli run "python3 train.py" --session-id $SID --raw
# Tenant-based cross-process session reuse
k8e-sandbox-cli run "echo hello" --tenant my-projectThe CLI auto-discovers the local cluster via TLS. For remote clusters, use k8e-sandbox-cli login once to set up mTLS credentials. Override when needed:
# Remote cluster: log in once (creates ~/.k8e/sandbox/{client.crt,client.key,ca.crt})
k8e-sandbox-cli --endpoint 10.0.0.1:50051 --apikey k8e-abc123... login
# After login, subsequent commands work without --apikey:
k8e-sandbox-cli run "echo hello"
# Or via environment variables:
K8E_SANDBOX_ENDPOINT=10.0.0.1:50051 K8E_SANDBOX_APIKEY=k8e-abc123... k8e-sandbox-cli login
# Override endpoint per-command:
K8E_SANDBOX_ENDPOINT=10.0.0.2:50051 k8e-sandbox-cli run "echo hello"# Get token from server node
cat /var/lib/k8e/server/node-token
# On worker machine
curl -sfL https://k8e.sh/install.sh | \
K8E_TOKEN=<token> \
K8E_URL=https://<server-ip>:6443 \
INSTALL_K8E_EXEC="agent" \
sh -curl -sfL https://k8e.sh/install.sh | INSTALL_K8E_EXEC="server --disable-sandbox-matrix" sh -K8E_TOKEN=<secret> # cluster join token
K8E_URL=https://<server>:6443 # server URL (agent nodes)
K8E_KUBECONFIG_OUTPUT=<path> # kubeconfig output path| Feature | K8E π | K3s | K8s (vanilla) | MicroK8s |
|---|---|---|---|---|
| Install time | ~60s | ~90s | ~20min | ~5min |
| Binary size | <100MB | ~70MB | ~1GB+ | ~200MB |
| Agentic Sandbox | β Native | β No | β No | |
| eBPF networking | β Cilium | β No | ||
| Sandbox CLI standalone | β Yes | β No | β No | β No |
| HA embedded etcd | β Yes | β Yes | β Yes | |
| CNCF conformant | β Yes | β Yes | β Yes | β Yes |
| Multi-arch | β Yes | β Yes | β Yes | β Yes |
git clone https://github.com/<your-username>/k8e.git && cd k8e
git checkout -b feat/my-feature
make && make test
git push origin feat/my-feature- π Bug Reports
- π‘ Feature Requests
- π Open PRs
Report vulnerabilities via GitHub Security Advisories. Do not open public issues for security bugs.
Apache License 2.0 β see LICENSE.
| Project | Contribution |
|---|---|
| π K3s | Lightweight Kubernetes foundation that inspired K8E |
| βΈοΈ Kubernetes | The orchestration engine everything is built on |
| π· Cilium | eBPF-powered networking and per-session egress control |
| π€ agent-sandbox | Kubernetes-native agent sandboxing primitives |
| π CNCF | Fostering the open-source cloud native ecosystem |
k8e.sh β Open Source Agentic AI Sandbox Matrix
If K8E powers your agents, give us a β β it means the world to us!