
rodchalski today at 7:04 PM (2 replies)

The K8s-vs-agent-infra debate here is interesting. K8s gives you process and network isolation. What it doesn't give you: per-task authorization scope.

An agent container has a credential surface defined at deploy time. That surface doesn't change between task 1 ("read this repo") and task 2 ("process this user upload"). If the agent is prompt-injected during task 1, it carries the same permissions into task 2.

The missing primitives aren't infra — they're policy: what is this agent authorized to do with the data it can reach, on a per-task basis? Can it write, or only read? Can it exfil to an external URL, or only to /output? And crucially: is there an append-only record of what it actually did, so you can audit post-incident?

K8s handles the container boundary. The authorization layer above that — task-scoped grants, observable action ledger, revocation mid-task — isn't solved by existing infra abstractions. That gap is real regardless of whether you use K8s, Modal, or something like this.
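To make the "missing primitives" concrete: an added example (not from this thread or any product it mentions) of a per-task grant, mid-task revocation and a hash-chained append-only action ledger in Python. All class names, paths and hosts are hypothetical.

```python
import hashlib, json, os
from dataclasses import dataclass
from urllib.parse import urlparse

def _under(path, root):
    # normalised prefix check, so "/repo-private" is not under "/repo"
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)

@dataclass
class TaskGrant:                 # authorization scope for ONE task
    task_id: str
    read_paths: set
    write_paths: set
    egress_hosts: set            # hosts the task may send data to; empty = none
    revoked: bool = False        # set True to revoke mid-task

class Ledger:                    # append-only, hash-chained action record
    def __init__(self):
        self.entries = []
    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": h})
    def verify(self):            # any edited or dropped entry breaks the chain
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True

class Broker:                    # every agent action is checked here and ledgered
    def __init__(self):
        self.ledger = Ledger()
    def request(self, grant, action, target):
        roots = {"read": grant.read_paths, "write": grant.write_paths}
        if grant.revoked or action not in ("read", "write", "egress"):
            ok = False           # revoked grant or unknown action: deny
        elif action == "egress":
            ok = urlparse(target).hostname in grant.egress_hosts
        else:
            ok = any(_under(target, p) for p in roots[action])
        self.ledger.append({"task": grant.task_id, "action": action,
                            "target": target, "allowed": ok})
        return ok
```

A second task gets a fresh `TaskGrant`, so a grant compromised during task 1 does not carry into task 2, and the ledger records denied requests as well as allowed ones.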


Replies

vivekraja today at 8:21 PM

This is what we see! We want to make it very easy to be able to granularly manage your agents (in terms of files they have access to, env var values, network policy, etc.) on a per-task basis.

With regards to permissions, mileage varies based on SDK. Some have very granular hooks and permission protocols (Claude Agent SDK stands out in particular) while for others, you need a layer above it since it doesn't come out of the box.

There are companies that solve the pain of authn/z for agents and we've been playing with them to see how we could complement them. In general, we do think it's valuable to provide this at the infra level as well rather than just the application level, since the infra layer is the source of truth of what calls were made / what were blocked, etc.

m11a today at 8:11 PM

K8s gives you orchestration of Docker containers. I don’t think it handles the container boundary any more than Docker does.

I don’t think it should be assumed to give network isolation, unless you’re also using extensions and something like Cilium for that purpose. I don’t think it’s the right primitive for agent sandboxes, or other kinds of agent infra.

(Obviously, you could still run a custom runtime inside k8s pods, or something like GCP’s k8s gVisor magic.)