Google announces AI Conformance and Agent Sandbox for Kubernetes

Channel KubeFM

Date December 1, 2025

Duration 4:56

Google Kubernetes Agent Sandbox Security

TL;DR

Google announces two open source projects for Kubernetes: AI Conformance (ensuring AI workloads have portable, standardized cluster requirements) and Agent Sandbox (providing secure isolation for running autonomous AI agents that can execute code and commands). Both projects aim to make Kubernetes the best platform for AI training, inference, and agentic workloads.

Key Takeaways

AI Conformance standardizes AI cluster requirements: Similar to Kubernetes conformance, AI Conformance ensures customers can pick any platform and know their AI workloads will be portable across vendors
Agent Sandbox addresses security for autonomous agents: As AI agents run commands and generate code, Agent Sandbox provides secure isolation to prevent them from "wreaking havoc" on environments
Both projects are open source under Kubernetes: Available to the entire community, with Google providing implementations on GKE
No additional cost for conformance: Customers pay only for compute used; these are better ways to run workloads, not premium features
Integrates existing isolation technologies: Agent Sandbox brings together technologies like gVisor with new CRDs to make secure agent hosting easier
Complements existing tools: Works alongside other agent-building tools like K-agent; Agent Sandbox focuses on hosting and running agents securely

Summary

Introduction

Gary Singh, Product Manager at Google, discusses two major announcements for the Kubernetes and CNCF community made at KubeCon.

AI Conformance

The first announcement is AI Conformance for Kubernetes. Just as Kubernetes conformance ensures workload portability across platforms, AI Conformance extends this to AI-specific workloads. This allows customers to confidently choose between different vendors knowing their AI training and inference workloads will work consistently.

The goal is to establish standards that make AI a more official part of the CNCF and Kubernetes ecosystem, giving users confidence in workload portability.

Agent Sandbox

The second announcement is Agent Sandbox, addressing the critical need for secure isolation when running agentic AI. As autonomous agents can run commands and generate code, organizations need ways to sandbox this activity within Kubernetes.

Agent Sandbox brings together various isolation technologies (like gVisor) into an integrated solution with new Custom Resource Definitions (CRDs). This makes it easier to host and run agents securely while still benefiting from agentic operations and code generation.

Business Model

Both projects are open source under Kubernetes. AI Conformance has no additional charge—it benefits the community by ensuring conformant clusters. For Agent Sandbox, pricing is simply based on compute usage on Kubernetes; Google is providing better tooling for running agents, not a premium service.

Future Roadmap

AI Conformance: Templates for creating AI conformant clusters are already available, with blog documentation
Agent Sandbox: Currently focused on open source implementation, with a Google-specific version coming that integrates with the broader Google Cloud ecosystem and models

Notable Quotes

"How do we sandbox and isolate this code to ensure that it doesn't—technical term—wreak havoc on your environment?"

"This starts to make Kubernetes the best place to not just run AI training and inference but now to actually run agentic workloads as well."

"We're just giving you a better way to run agents."

References

Google Cloud Blog - Latest announcements on AI Conformance and Agent Sandbox
Kubernetes - Both projects are open source under the Kubernetes organization
gVisor - Isolation technology integrated into Agent Sandbox
GKE (Google Kubernetes Engine) - Google's implementation of both projects
CNCF - Cloud Native Computing Foundation