Agentic AI security curriculum · Security overview
Sandboxing Options and Trade-offs: Kata, gVisor, Seatbelt, Docker, and Cloudflare Workers
Module 8 of 20 · Agentic AI Security Curriculum · May 2026
How to use this module
Use it as self-paced study or as instructor-led training. YAML, commands, and policy excerpts are illustrative; map them to your cloud, mesh, identity provider, and agent runtime—substitute your own names, namespaces, and tools while preserving the control intent.
Estimated time: ~35 minutes reading; add time for linked standards and team discussion.
Learning objectives
By the end of this module, you should be able to:
- Compare isolation technologies (VM-backed runtimes, user-space kernels, OS sandboxes).
- Choose sandbox tiers appropriate to risk (MCP/tool execution vs batch jobs).
- Discuss performance vs isolation trade-offs with stakeholders.
Prerequisites
Suggested discussion / lab: Pick one diagram in your environment (build, deploy, runtime) and mark where this module’s controls apply; note gaps versus the checklist in the body.
With network-level Zero Trust established (Module 7), the next critical layer is runtime isolation for the highest-risk workloads — especially MCP tool execution and agent code running. This module compares sandboxing technologies and explains why many security-focused platforms default to Kata Containers for MCP workloads.
Why Strong Sandboxing Is Non-Negotiable
Agentic systems routinely execute untrusted or dynamically generated code. Container namespaces alone are insufficient when an agent has access to tools like sandbox_exec, document processing, or external API calls. A breakout must be extremely difficult and contained.
Isolation Technologies Compared
| Technology | Isolation Type | Performance Overhead | Attack Surface Reduction | Typical high-trust agent usage |
|---|---|---|---|---|
| Docker (default) | Namespace + cgroups | Low | Low | Never in production |
| gVisor | Userspace kernel | Medium | High | Acceptable for non-MCP |
| Seatbelt | macOS sandbox profiles | Low | Medium | Local dev only |
| Kata Containers | Lightweight VM (hardware) | Medium-High | Very High | Default for all MCP workloads |
| Cloudflare Workers | V8 isolates / edge | Very Low | High (for edge functions) | Optional for lightweight tools |
Kata Containers as default for high-risk MCP workloads
Kata provides a full hardware VM boundary per pod using lightweight VMs (QEMU/KVM or Firecracker).
Key Advantages:
Kernel-level isolation: even if the container is fully compromised, the attacker cannot escape the VM. Strongest protection for MCP tool execution and sandboxed code. Enforced via Kyverno RuntimeClass policy and Helm defaults.
Kyverno Enforcement Example:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-kata-for-mcp
spec:
validationFailureAction: Enforce
rules:
- name: require-kata
match:
resources:
kinds: ['Pod']
namespaces: ['openclaw', 'clawql']
validate:
message: 'MCP and sandbox workloads must use Kata runtime'
pattern:
spec:
runtimeClassName: 'kata'
When to Use Lighter Options
gVisor: Acceptable for general non-execution workloads where Kata overhead is undesirable. Provides syscall interception without a full VM. Seatbelt / macOS Sandbox: Used only for local developer workstations. Cloudflare Workers: Suitable for lightweight, stateless edge functions that do not need full cluster access. Plain Docker: Strictly forbidden for any production MCP or agent execution path.
The Operator and Helm chart automatically apply the correct RuntimeClass based on workload type when security.kata.enabled: true.
Key Takeaways
Kata Containers deliver the strongest isolation for agentic MCP workloads by using hardware VM boundaries. Weaker options like gVisor or standard Docker are insufficient when agents can execute arbitrary code. RuntimeClass enforcement via Kyverno ensures the correct sandbox is always used. Choose isolation strength based on workload risk — never default to convenience over security.
Strong sandboxing completes the foundational runtime protection. The next modules focus on protecting the MCP interface itself.
Next module: MCP Runtime Protection – Panguard, ATR Rules, and Agentic Threat Mitigation.
Further reading (vendor-neutral)
These resources are independent of any single product; use them to deepen the topic for audits, architecture reviews, or procurement discussions.
Commercial training use
You may reuse this curriculum internally or in paid consulting / training engagements. Keep examples aligned to the customer’s actual stack; substitute your own runbooks, tool names, and compliance frameworks (SOC 2, ISO 27001, sector regulators) where cited examples use a reference architecture only.