Kars: A Kubernetes-Native Zero-Trust Runtime for AI Agents
Kars runs each AI agent in an isolated Kubernetes sandbox, routing every external call through a Rust-based zero-trust broker with no agent-held credentials.
Kars is an open-source reference runtime from Azure's Cloud Native team (the group behind AKS and Azure Linux) that treats every AI agent as untrusted code, running each one in an isolated Kubernetes sandbox. The motivation is straightforward: giving an agent real tools and real credentials creates a blast radius where a single prompt-injected agent could reach a cloud subscription, a GitHub org, or customer data.
Each sandbox pod pairs the agent container with a separate Rust-based inference router running under a different UID; the router alone holds the credentials the agent never sees and mediates every outbound call. It handles identity and token brokering via Entra Agent ID, inline content-safety checks through Foundry, token budgets and rate limiting, L7 egress allow/blocklists, an MCP gateway, policy-driven governance, and a tamper-evident, hash-chained audit log. Cross-framework agents communicate over AgentMesh using the Signal Protocol, so the relay only ever sees ciphertext.
The local dev loop mirrors production closely: kars dev --target local-k8s spins up a kind cluster using the same Helm chart, NetworkPolicies, and sidecars as AKS, and all policies, approval gates, and trust settings are expressed as GitOps-friendly Kubernetes resources reviewable as YAML rather than code. The project is not an official Microsoft product yet, and while it aims to align with community efforts like kubernetes-sigs/agent-sandbox and agentgateway, no formal integrations exist so far.