kubefence¶
Proof of Concept
This is experimental software — not for production use. It is provided as-is with no guarantees of stability, security, or support.
kubefence is a Kubernetes NRI (Node Resource Interface) plugin that transparently sandboxes container processes using nono, a kernel-enforced sandbox CLI built on Linux Landlock LSM.
It is designed for running untrusted workloads — such as AI agent generated code — inside a Kubernetes cluster, with strong isolation between the workload and the worker node.
What kubefence does¶
- Intercepts container creation via the NRI API and wraps every container process with the nono sandbox before it starts
- Applies Landlock filesystem restrictions at the kernel level — a compromised process inside the container cannot remove its own restrictions
- Delivers VM-level pod isolation through Kata Containers:
each pod runs inside a QEMU/KVM micro-VM, and
kubectl execis blocked at the hypervisor by the kata-agent OPA policy - Requires explicit opt-in via Kubernetes RuntimeClass — non-opted pods are skipped with zero overhead
How it works¶
- A pod is created with
runtimeClassName: kata-nono-sandbox - The NRI plugin receives the
CreateContainerevent from containerd or CRI-O - The plugin prepends
/nono/nono wrap --profile <profile> --to the container'sprocess.args - The container starts — nono applies the Landlock sandbox and
exec()s into the original command - The container process runs sandboxed under kernel enforcement; nono has replaced itself as PID 1
flowchart TD
A["Pod spec<br/>command: myapp --flag"]
B["OCI spec<br/>args: /nono/nono wrap --profile default -- myapp --flag"]
C["Container starts inside Kata VM<br/>nono applies Landlock restrictions"]
D["PID 1: myapp --flag<br/>Running under Landlock confinement<br/>kubectl exec blocked by kata-agent OPA"]
A -->|"NRI plugin rewrites args"| B
B -->|"runtime starts container"| C
C -->|"nono exec()s into original command"| DContainer images¶
Published images built by CI on every release:
| Image | Contents |
|---|---|
ghcr.io/kubefence/nono-nri-plugin:latest |
NRI plugin (10-nono-nri) + nono sandbox binary |
ghcr.io/kubefence/kata-kernel-landlock:latest |
Kata guest kernel with CONFIG_SECURITY_LANDLOCK=y |
ghcr.io/kubefence/kata-rootfs-nono:latest |
Kata rootfs with nono binary pre-installed |
ghcr.io/kubefence/charts/kubefence:latest |
Helm chart for deployment |
Documentation¶
| Section | What you will find |
|---|---|
| Architecture | How kubefence and nono work together, threat model, Kata vs runc |
| Installation | Helm install steps for Kata and runc paths, prerequisites |
| Configuration | All Helm values and TOML config fields explained |
| Usage | Opting pods in, nono profiles, verifying sandbox injection |
| Caveats | Known limitations and PoC constraints |
| Troubleshooting | Diagnostic steps for common failure modes |