AI ACTION CONTROL · INNER RADAR LAYER

The Action Capsule.

A Kubernetes-native container plus in-container sandbox, around one model, agent or MCP server. Paired Gateway as the only egress.

A chatbot answers. An agent acts. When the runtime starts calling tools, writing to systems of record or running long tasks, you need a Capsule around it.

A standard Kubernetes pod with default-deny network policy contains a Kosmoy Action Capsule — the Docker container plus the in-container sandbox built on Linux primitives. The Capsule’s only egress is the paired Kosmoy AI Gateway, which fronts approved models, MCP servers, A2A peers and HTTPS APIs.

[Diagram: Kubernetes pod (standard pod, Helm / ArgoCD; L3 / L4 default-deny egress, pinned netns) containing the Kosmoy Action Capsule (Docker container + in-container sandbox: Linux namespaces, cgroups v2, Seccomp and capabilities, Landlock, AppArmor / SELinux profile; L7 in-pod forward proxy: HTTP allow-list, TLS pinning, method and path, DNS pinned, audit; Runtime: model, agent task or MCP server with CPU, memory, GPU, timeout and concurrency limits, run-scoped lease, JIT credentials; no provider keys reach this layer). Only egress: the paired Kosmoy AI Gateway (policy point, auth, routing, logging), fronting approved LLMs (OpenAI, Anthropic, private, SLM), approved MCP servers (public, private, scoped tools), approved A2A peers (agent-to-agent, run-scoped) and approved HTTPS APIs (host + path allow-list).]
The Capsule is the boundary. Default-deny egress at the network layer, an L7 proxy at the application layer, the paired AI Gateway as the only way out.

Five pillars.

Kubernetes-native

Helm-installable. ArgoCD-friendly. EKS, AKS, GKE, OpenShift, on-prem. No host or node changes.

Container + sandbox in one

A Capsule combines a Docker container with an in-container sandbox built on Linux primitives — namespaces, cgroups v2, Seccomp, Linux capabilities, Landlock, AppArmor / SELinux.

L3 / L4 + L7 controls

Default-deny egress at the network layer. An in-pod L7 proxy enforces the HTTP allow-list, TLS pinning and DNS pinning at the application layer.

Pre-flight authorisation

Every run is admitted before it executes. Run-scoped lease. JIT credentials issued for the run, revoked at the end.

Live kill switch

Stop a misbehaving Capsule mid-run. Cancel future schedules. Every action captured as evidence.
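The two pillars above, pre-flight authorisation with a run-scoped lease and JIT credentials, and a live kill switch that leaves evidence behind, can be shown in one small model. The code below is an added illustration written for this page; it is not Kosmoy's code, and the names (`ActionPlane`, `RunLease`, the approved-runtime set and the injectable clock) are assumptions made so the example runs offline.

```python
"""Added illustration (not Kosmoy's code): a run-scoped lease with a JIT
credential, pre-flight admission, timeout and concurrency enforcement, and a
kill switch that revokes the lease mid-run. All names here are hypothetical."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class RunLease:
    run_id: str
    credential: str          # short-lived token minted for this run only
    expires_at: float        # absolute deadline on the plane's clock (seconds)
    max_concurrency: int
    active: bool = True
    evidence: list = field(default_factory=list)   # audit trail of every action

    def is_valid(self, now=None):
        now = time.monotonic() if now is None else now
        return self.active and now < self.expires_at


class ActionPlane:
    """Admits runs before they execute, enforces timeout and concurrency,
    and can stop a run in flight. Policy is a constructed allow-list of runtimes."""

    def __init__(self, approved_runtimes, clock=time.monotonic):
        self.approved = set(approved_runtimes)
        self.clock = clock          # injectable so tests are deterministic
        self.leases = {}

    def admit(self, runtime, timeout_s, max_concurrency):
        """Pre-flight authorisation: refuse anything not explicitly approved."""
        if runtime not in self.approved:
            return None
        run_id = secrets.token_hex(8)
        lease = RunLease(run_id=run_id,
                         credential=secrets.token_urlsafe(24),   # JIT credential
                         expires_at=self.clock() + timeout_s,
                         max_concurrency=max_concurrency)
        self.leases[run_id] = lease
        lease.evidence.append(("admitted", runtime, self.clock()))
        return lease

    def act(self, run_id, action, in_flight):
        """Every action is checked against the lease and recorded as evidence."""
        lease = self.leases.get(run_id)
        if lease is None or not lease.is_valid(self.clock()):
            return False            # expired, killed or unknown: deny silently
        if in_flight > lease.max_concurrency:
            lease.evidence.append(("rejected_concurrency", action, self.clock()))
            return False
        lease.evidence.append(("action", action, self.clock()))
        return True

    def kill(self, run_id, reason):
        """Live kill switch: deactivates the lease; the JIT credential dies with it."""
        lease = self.leases.get(run_id)
        if lease is None:
            return False
        lease.active = False
        lease.credential = ""       # revoked: nothing downstream should accept it
        lease.evidence.append(("killed", reason, self.clock()))
        return True
```

The point to notice is that the credential never outlives the run: it is minted at admission, bounded by the timeout, and zeroed the moment the kill switch fires, so a runtime that keeps trying after a stop has nothing left to present.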


Capsule + Gateway pairing.

Each Capsule is paired with one Gateway. The Gateway defines what the Capsule can reach. A Gateway can also serve apps without a Capsule, so Gateways scale wider than Capsules.

Two patterns. First, map existing applications and route them through a Kosmoy AI Gateway. Second, run the runtime inside an Action Capsule and make the paired Gateway its only egress.

[Diagram: Phase 1, Gateway alone: Map (discover existing AI calls) → Custom app (RAG, chatbot, agent workflow) → Kosmoy AI Gateway (policy, budget, logs) → Approved external AI (LLMs, MCP, A2A, APIs). Phase 2, Capsule + Gateway: Mission Control (supervise, approve, stop) → Action Capsule (agent, model, MCP runtime) → Paired Gateway (the only egress) → Approved egress (models, MCP, A2A, HTTPS).]
Map first. Govern through the Gateway. Add Capsules when the runtime itself must be contained.

Module questions, answered straight.

What is an Action Capsule?

A Kosmoy Action Capsule is a Docker container plus an in-container sandbox, deployed inside a standard Kubernetes pod. The Capsule runs one model, one agent task or one MCP server. The only egress is the paired Kosmoy AI Gateway.

How is the Capsule isolated?

Application-level isolation built on standard Linux primitives — namespaces, cgroups v2, Seccomp-BPF, Linux capabilities, Landlock and AppArmor / SELinux profiles. No node patches, no custom container runtime.

How is network egress controlled?

Two layers. At L3 / L4 a Kubernetes NetworkPolicy applies default-deny egress and the netns is pinned. At L7 an in-pod forward proxy enforces an HTTP host + path allow-list, TLS pinning, method rules and pinned DNS. The only egress is the paired Kosmoy AI Gateway.
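The L7 layer described above comes down to one decision per outbound request: scheme, host, port, method and path are checked against an allow-list, and the connection goes to a pinned address rather than whatever the resolver answers. The code below is an added example written for this page, not Kosmoy's proxy; the gateway hostname, the path rules and the pinned address are constructed sample data, and `decide` and `audit_line` are hypothetical names.

```python
"""Added illustration (not Kosmoy's code): the decision an in-pod L7 forward
proxy makes before letting a request leave the Capsule. Hostnames, paths and
the pinned address are constructed sample data; default is deny."""
import posixpath
from urllib.parse import urlsplit

# Constructed allow-list: only the paired gateway, only these method/path pairs.
# A prefix ending in "/" allows everything under it; anything else is an exact path.
ALLOW_LIST = {
    "gateway.kosmoy.internal": {
        "POST": ["/v1/chat/completions", "/mcp/"],
        "GET": ["/healthz"],
    },
}
# Constructed DNS pin: the proxy connects here regardless of what the resolver
# (or a tampered /etc/hosts inside the sandbox) would say for the name.
PINNED_DNS = {"gateway.kosmoy.internal": "10.42.0.7"}


def decide(method, url):
    """Return (allowed, reason, connect_addr). Every failure path is a deny."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme-not-https", None
    if parts.username or parts.password:
        return False, "userinfo-in-url", None
    if parts.port not in (None, 443):
        return False, "port-not-443", None
    host = (parts.hostname or "").lower()
    rules = ALLOW_LIST.get(host)
    if rules is None:
        return False, "host-not-allowed", None
    # Normalise the path so "/healthz/../admin" cannot pass as "/healthz".
    path = posixpath.normpath(parts.path or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    for prefix in rules.get(method.upper(), []):
        if prefix.endswith("/"):
            if path == prefix.rstrip("/") or path.startswith(prefix):
                return True, "ok", PINNED_DNS[host]
        elif path == prefix:
            return True, "ok", PINNED_DNS[host]
    return False, "method-or-path-not-allowed", None


def audit_line(method, url, decision):
    """One audit record per request, whichever way the decision went."""
    allowed, reason, addr = decision
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} {method} {url} reason={reason} connect={addr}"


if __name__ == "__main__":
    for m, u in [("POST", "https://gateway.kosmoy.internal/v1/chat/completions"),
                 ("POST", "https://api.example.com/v1/chat/completions"),
                 ("GET", "https://gateway.kosmoy.internal/healthz/../admin")]:
        print(audit_line(m, u, decide(m, u)))
```

Two design choices matter here: the allow-list is keyed by exact host, so there is no wildcard that a look-alike name could satisfy, and the path is normalised before matching, so traversal segments cannot turn an allowed prefix into an unapproved endpoint. TLS pinning sits on the connection the proxy opens to `connect_addr` and is outside this snippet.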

Why pair every Capsule with a Gateway?

Containment without controlled egress is just a wall with no door. The Gateway is the door — it logs, authorises and policy-checks every step out.

How are compute resources enforced?

CPU, memory, GPU, timeout and concurrency limits are defined at Capsule creation. cgroups v2 enforce CPU / memory; the Action Plane enforces timeout and concurrency.

See an Action Capsule running.

Walk through Capsule, paired Gateway and the live kill switch.