How to run untrusted code on Kubernetes safely

Running untrusted code on Kubernetes poses security risks due to the shared host kernel model of standard containers, which can be susceptible to kernel vulnerabilities. To enhance security, Kubernetes offers stronger isolation mechanisms such as gVisor and Kata Containers, which provide syscall interception and hardware-level isolation, respectively, thus mitigating the risk of kernel-sharing vulnerabilities. Northflank offers a production-grade solution for running untrusted code on Kubernetes, using technologies like Kata Containers with Firecracker and Cloud Hypervisor to ensure each workload runs in its own microVM with a dedicated kernel, thereby reducing operational overhead and eliminating the need for extensive infrastructure setup. This approach allows organizations to maintain their existing Kubernetes investments while adopting advanced isolation techniques that protect against potential security breaches when executing untrusted or AI-generated code.