How we isolate autonomous agents
Pod-per-task isolation, locked-down egress, and short-lived credentials — the security model that lets you say yes to autonomy.
By Platform team
Giving an autonomous agent access to your codebase is a serious decision. Our answer is to give each one as little as possible, for as short a time as possible, in a box it cannot escape.
Every task runs in its own pod on a dedicated, tainted node pool that nothing else schedules onto. There is no shared state between tasks and the pod has no path to the Kubernetes API. When a task finishes, its pod is destroyed; the next task gets a freshly created one, never a reused one.
Egress is firewalled to an allow-list of named destinations. The cloud metadata endpoint (169.254.169.254) and private network ranges are blocked outright, regardless of what hostname the request asked for. That closes the most common path a prompt-injection attack takes to cloud credentials: an injected instruction that tells the agent to fetch the instance-metadata URL, or a name that resolves to it.
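The decision an egress proxy makes for a worker's outbound connection, as an added example that is not this platform's code: the allow-list is by exact hostname and port, raw-IP destinations are refused, and every address the name resolves to is checked against the blocked link-local and private ranges after unwrapping IPv4-mapped IPv6 forms. The hosts, ports and addresses are constructed for the example, not the real policy.

```python
"""Egress allow-list decision for an agent worker, as an egress proxy would make it.
Added example with constructed data; not this platform's real policy."""
from __future__ import annotations

import ipaddress

# Destination ranges a worker may never reach, whatever name it asked for.
# The cluster's own service CIDR, and so the Kubernetes API service IP, normally
# falls inside these ranges too.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                  # link-local; cloud metadata is 169.254.169.254
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "100.64.0.0/10",                                   # CGNAT, often used as a pod/service CIDR
    "127.0.0.0/8", "0.0.0.0/8",                        # loopback and "this network"
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 loopback, link-local, ULA
)]

# Hostname -> permitted ports (constructed sample). Exact names only: no suffix
# matching, so "api.github.com.attacker.example" or "evilgithub.com" cannot match.
ALLOWED_HOSTS = {
    "api.github.com": {443},
    "github.com": {443},
    "pypi.org": {443},
    "files.pythonhosted.org": {443},
}


def _is_blocked(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def decide(host: str, port: int, resolved_ips: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for one CONNECT request.

    `resolved_ips` is what the proxy's own resolver returned for `host`. The proxy
    must then connect to exactly those addresses rather than resolving again,
    or a rebinding answer between check and connect bypasses the check.
    """
    name = host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return False, "raw IP destinations are not allowed; only allow-listed names"
    except ValueError:
        pass
    if name not in ALLOWED_HOSTS:
        return False, f"{name} is not on the egress allow-list"
    if port not in ALLOWED_HOSTS[name]:
        return False, f"port {port} not permitted for {name}"
    if not resolved_ips:
        return False, f"{name} did not resolve"
    for raw in resolved_ips:
        ip = ipaddress.ip_address(raw)
        if _is_blocked(ip):
            # An allow-listed name answering with a private or link-local address
            # is the DNS-rebinding route to the metadata endpoint: refuse it.
            return False, f"{name} resolved to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for args in [("api.github.com", 443, ["140.82.112.6"]),
                 ("169.254.169.254", 80, []),
                 ("api.github.com", 443, ["140.82.112.6", "10.0.0.5"]),
                 ("api.github.com", 443, ["::ffff:169.254.169.254"])]:
        print(args[0], args[1], decide(*args))
```

The point of checking every resolved address, not just the name, is that a hostname on the allow-list is only trustworthy while it points at the public internet; an attacker who controls DNS for an allowed name, or who gets a split answer, would otherwise turn the allow-list into a route to the metadata service.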
Workers never hold a long-lived secret. Each starts with a single bootstrap token whose only power is to request scoped, short-lived credentials from the orchestrator. Those credentials are bound to the task, carry a short expiry, and are revoked the moment the task completes, so nothing copied out of a pod outlives the task that produced it.
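The exchange described above, as an added example rather than the platform's own orchestrator code: the orchestrator stores only a hash of each task's bootstrap token, issues HMAC-signed credentials whose scope cannot exceed the task's policy, and refuses any credential once the task is marked complete, even if its expiry has not yet passed. The signing key, task names, scopes and the 300-second TTL are assumptions for the example.

```python
"""Bootstrap token -> scoped, short-lived, task-bound credential exchange.
Added example with assumed key, scopes and TTL; not the platform's real orchestrator."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class CredentialError(Exception):
    pass


@dataclass
class Task:
    allowed_scopes: frozenset       # the most any credential for this task may carry
    bootstrap_hash: bytes           # sha256 of the bootstrap token; the token itself is not stored
    completed: bool = False


class Orchestrator:
    def __init__(self, signing_key: bytes, ttl_seconds: int = 300, now=time.time):
        self._key = signing_key
        self._ttl = ttl_seconds
        self._now = now                 # injectable clock so expiry can be tested
        self._tasks: dict[str, Task] = {}

    def create_task(self, task_id: str, allowed_scopes: set[str]) -> str:
        """Register a task and return its bootstrap token to hand to the worker."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._tasks[task_id] = Task(frozenset(allowed_scopes), digest)
        return token

    def exchange(self, task_id: str, bootstrap_token: str, scopes: set[str]) -> str:
        """Worker presents its bootstrap token and asks for a subset of the task's scopes."""
        task = self._tasks.get(task_id)
        if task is None or task.completed:
            raise CredentialError("unknown or finished task")
        presented = hashlib.sha256(bootstrap_token.encode()).digest()
        if not hmac.compare_digest(presented, task.bootstrap_hash):
            raise CredentialError("bad bootstrap token")
        if not scopes <= task.allowed_scopes:
            raise CredentialError("requested scope exceeds task policy")
        now = int(self._now())
        payload = {"task": task_id, "scope": sorted(scopes), "iat": now, "exp": now + self._ttl}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify(self, credential: str, needed_scope: str) -> dict:
        """Resource side: signature, expiry, task still running, scope present."""
        try:
            body, sig = credential.split(".")
        except ValueError:
            raise CredentialError("malformed credential") from None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            raise CredentialError("bad signature")
        payload = json.loads(_unb64(body))
        if self._now() >= payload["exp"]:
            raise CredentialError("expired")
        task = self._tasks.get(payload["task"])
        if task is None or task.completed:
            # Task finished: every credential it ever held is dead, whatever its exp says.
            raise CredentialError("task finished; credential revoked")
        if needed_scope not in payload["scope"]:
            raise CredentialError("insufficient scope")
        return payload

    def complete_task(self, task_id: str) -> None:
        self._tasks[task_id].completed = True


def _fails(fn) -> bool:
    try:
        fn()
        return False
    except CredentialError:
        return True


def demo() -> dict:
    """Walk one task through its lifetime and report which checks held."""
    clock = [1_700_000_000.0]
    orc = Orchestrator(b"assumed-32-byte-signing-key-0000", ttl_seconds=300, now=lambda: clock[0])
    bootstrap = orc.create_task("task-42", {"repo:read", "repo:write"})
    cred = orc.exchange("task-42", bootstrap, {"repo:read"})
    out = {
        "valid_read": orc.verify(cred, "repo:read")["task"] == "task-42",
        "write_refused": _fails(lambda: orc.verify(cred, "repo:write")),
        "escalation_refused": _fails(lambda: orc.exchange("task-42", bootstrap, {"admin"})),
        "wrong_bootstrap_refused": _fails(lambda: orc.exchange("task-42", "guess", {"repo:read"})),
        "tampered_refused": _fails(lambda: orc.verify(cred[:-2] + "AA", "repo:read")),
    }
    clock[0] += 301                                   # past the TTL
    out["expired_refused"] = _fails(lambda: orc.verify(cred, "repo:read"))
    clock[0] -= 301
    orc.complete_task("task-42")                      # task ends: revoke everything
    out["revoked_after_completion"] = _fails(lambda: orc.verify(cred, "repo:read"))
    out["no_exchange_after_completion"] = _fails(lambda: orc.exchange("task-42", bootstrap, {"repo:read"}))
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points carry the security argument. The bootstrap token is useless anywhere but at the orchestrator's exchange endpoint, and the orchestrator keeps only its hash, so neither a leaked worker nor a leaked orchestrator database yields a replayable secret. And revocation is a lookup against task state rather than a wait for expiry, which is what "expire the moment the task is done" has to mean in practice; the short TTL is the backstop for the case where the orchestrator's state is lost.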
