The secure, Kubernetes-native runtime for AI agents: one hardened sandbox per agent, zero credentials in the agent, every call governed.
This is the documentation index. The top-level README is a faster on-ramp; come here when you need depth.
One hardened sandbox per agent. The agent has no network of its own — every external call (model, tool, MCP, peer) goes through an in-pod Rust inference router that enforces identity, content safety, budgets, governance, and a tamper-evident audit chain. The agent never holds a credential.
```mermaid
flowchart LR
    subgraph Pod["KarsSandbox pod"]
        Agent["agent runtime<br/>(UID 1000, no network)"]
        Router["inference router<br/>(UID 1001, Rust)"]
        Agent -->|localhost only| Router
    end
    Router --> Model["inference backend<br/>(Foundry / Copilot / …)"]
    Router --> Mesh["AgentMesh relay<br/>(opaque ciphertext)"]
    Router --> A2A["A2A peers"]
    classDef pod fill:#e6f0ff,stroke:#0078d4,color:#0b1220
    class Pod pod
```
| Running agents directly | Running agents on kars |
|---|---|
| API keys in the agent's environment | Zero credentials in the agent process; the router brokers every call |
| Governance bolted on per-app, in code | Declarative CRDs — approval gates, rate limits, tool allowlists, content-safety floors, token budgets as Kubernetes resources |
| Network egress wide open | Default-deny egress + L7 allowlist + blocklist; the agent has no socket of its own |
| Inter-agent traffic readable by the broker | End-to-end encrypted mesh (Signal Protocol); the relay sees only ciphertext |
| One framework, lock-in | Eight runtimes (OpenClaw, Hermes, MAF, LangGraph, …) on one wire format; switch with a one-field change |
| Trust boundary = the cluster | Trust boundary = the pod — optional Kata + AMD SEV-SNP per workload via one CRD field |
- Quickstart — a running agent on your laptop in three commands.
- Getting started — the full local walkthrough, then AKS.
- Architecture — the design and why.
- Architecture diagrams — every component, dev and prod side by side.
- Use cases — the six scenarios kars was built for.
| You are a… | Start here |
|---|---|
| Executive / decision-maker | Architecture → Blueprints → Use cases |
| Platform engineer | Getting started → Operations → CLI reference |
| Security engineer | Security model → STRIDE → Red-team playbook → MCP top-10 |
| Agent builder | Runtimes → CRD reference → CLI reference |
| Site reliability | Operations / GitOps → Conditions → Egress proxy |
This section mirrors the chapter groups in SUMMARY.md, which is the canonical, complete table of contents. Every published page has a home below; the descriptions are the curated entry points.
- Architecture — the canonical design doc.
- Architecture diagrams — dev, prod, mesh, A2A, MCP.
- Runtime catalog — the first-class runtime adapters and the BYO contract.
- A2A gateway — public-ingress topology and trust model.
- AGT boundary — what AGT enforces vs what kars enforces.
- Multi-tenant model — per-namespace tenant isolation, no shared state.
- Egress proxy — outbound network controls.
- CRD reference — all twelve CRDs with schema and examples.
- KarsEval operator guide — replaying the signed attack corpus against a sandbox.
- Lifecycle & reconciliation — what happens, end to end, when you apply each CRD.
- Conditions reference — every status condition the controller emits.
- Policy canonical format — signing canonicalization rules.
- kars OpenClaw plugin — the in-sandbox plugin (24 governance-aware tools, 10 skills) every kars-managed agent loads.
- @kars/meshplugin — the companion local plugin (built from source, not yet published on npm) for pairing a local OpenClaw with a remote kars cluster.
- Channels & external plugins — Telegram / Slack / Discord / WhatsApp channels + 3rd-party search/scrape API integrations via CLI flags.
- Operator TUI — `kars operator`, the live cluster dashboard.
- Permissions model — the Azure RBAC `kars up` needs, enumerated.
- Per-sandbox identity — each sandbox runs under its own Entra Agent ID.
- Examples catalogue — every `examples/` blueprint, each a `kubectl apply` after `kars up`.
- Index
- 01 — Developer inner loop
- 02 — Local Kubernetes dev loop
- 03 — Enterprise self-hosted
- 04 — Managed public offload
- 05 — Cross-org federation
- 06 — Sovereign / air-gapped
- Security model — the layered control plane.
- Feature maturity & status — the single ✅ / 🟡 / 🔵 / ⚪ source of truth for what is enforced today.
- Control mapping — enforced controls mapped to NIST SP 800-53 and CIS Kubernetes families.
- STRIDE — threat model.
- Red-team playbook — adversarial scenarios.
- CRD trust model — threat model and live proof for signed CRDs.
- Security validation — what CI verifies.
- MCP top-10 — how kars addresses each item.
- Upstream alignment — the OpenClaw extension contract.
- Operations index — fleet operations, GitOps, upgrades.
- A2A gateway (operations) — running the public ingress.
- GitOps — declarative fleet management.
- Helm packaging — chart layout and release.
- Image versioning — the `:latest` convention and rollout.
- Upgrades & rollback — `kars upgrade`, atomic Helm, one-command rollback.
- Secret rotation — credential lifecycle.
- Supply chain — signing, SBOM, provenance.
- BYO strict mode — bring-your-own-model hardening.
- Branch protection — repo guardrails.
- Chaos tier — resilience testing.
- CLI reference — every command, every flag.
docs/internal/ holds historical phase audits, migration logs, and one-off proofs that exist for traceability but are not part of the public surface. They are excluded from the rendered site.
```shell
make docs-site-serve   # serves at http://localhost:3000
make docs-site         # builds to target/book/index.html
```

The site is built with mdBook. The chapter index is SUMMARY.md.