Introducing Agyn: open-source Kubernetes runtime for AI agents

Shipping the new Agyn: a Kubernetes-native runtime for AI agents, with isolation, observability, and access controls built in. The control plane enterprises need to safely run thousands of different agents inside their own infrastructure.

May 20, 2026 · 7 min read

Today we're releasing the new Agyn: an open-source Kubernetes-native runtime that lets companies deploy AI agents such as Claude and Codex on their own infrastructure with isolation, secrets management, per-team observability, and zero-trust networking built in. Everything ships under AGPL-3.0.

Agyn today is a complete rebuild from where we started. Our first work was a configured AI engineering team for software engineering tasks, published as research at arxiv.org/abs/2602.01465 — and benchmarked in our SWE-bench Verified results. What we're shipping now is the runtime that lets you safely deploy and control any team of agents (or any single agent), for any function in your company.

Here's what's in this release.

Agents defined in Terraform

resource "agyn_agent" "support" {
  organization_id = agyn_organization.acme.id

  name       = "Support"
  nickname   = "support"
  model      = agyn_llm_model.gpt_4o.name
  image      = "ghcr.io/agynio/agent-runtime:v1.0.0"
  init_image = "ghcr.io/agynio/agent-init-codex:v1.0.0"

  idle_timeout = "5m"
  availability = "internal"
}

resource "agyn_agent_mcp" "zendesk" {
  agent_id = agyn_agent.support.id
  name     = "zendesk"
  image    = "ghcr.io/acme/zendesk-mcp:latest"

  envs = [
    {
      name      = "ZENDESK_TOKEN"
      secret_id = agyn_secret.zendesk_token.id
    },
  ]
}

The agent definition lives in version control like any other infrastructure artifact. Code review, rollback, GitOps, all standard infrastructure workflows. The agent harness is decomposed into separate Terraform modules, so configuration can be shared and reused across different agents.

Three pre-built agents, plus your own

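| Agent       | Init image        | Source                       |
|-------------|-------------------|------------------------------|
| Claude Code | agent-init-claude | Anthropic's coding agent CLI |
| Codex       | agent-init-codex  | OpenAI's coding agent CLI    |
| agn         | agent-init-agn    | Our own agent loop           |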

Bring your own via a custom init container. Swap agents by changing one Terraform line: the rest of your setup keeps working unchanged.

Agent and MCP container isolation

Each agent runs in its own container, separate from other agents. Each MCP tool runs in its own container, separate from the agent that calls it. Credentials are injected into the MCP container at runtime, not into the agent. The model never sees them in its context, and a prompt-injected agent cannot read them from its own environment. Tools and agents are separate processes with separate trust boundaries. One team's agent cannot reach another team's secrets or data through shared infrastructure.

We've written previously about why isolated sandboxes are a hard requirement for AI agents — Agyn is the production answer to that argument.
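Because credentials land in the MCP container, the image that container runs is what ends up holding the secret. The following is an added example, not code from Agyn or from the post: a pre-merge check that scans agent definitions for floating image references and marks the ones on containers that receive a `secret_id`. It is a regex scan rather than a full HCL parser, and the sample input is constructed by condensing the post's own two resources.

```python
import re

# Constructed input: the post's two resources, condensed to the attributes checked.
SAMPLE_TF = '''
resource "agyn_agent" "support" {
  image      = "ghcr.io/agynio/agent-runtime:v1.0.0"
  init_image = "ghcr.io/agynio/agent-init-codex:v1.0.0"
}
resource "agyn_agent_mcp" "zendesk" {
  image = "ghcr.io/acme/zendesk-mcp:latest"
  envs = [
    { name = "ZENDESK_TOKEN", secret_id = agyn_secret.zendesk_token.id },
  ]
}
'''

RESOURCE = re.compile(r'resource\s+"(agyn_agent(?:_mcp)?)"\s+"([^"]+)"\s*\{')
IMAGE = re.compile(r'^\s*(image|init_image)\s*=\s*"([^"]+)"', re.M)

def blocks(text):
    """Yield (address, body) per agent/MCP resource, matching nested braces."""
    for m in RESOURCE.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield f"{m.group(1)}.{m.group(2)}", text[m.end():i - 1]

def pin_level(ref):
    """'digest' (immutable), 'tag' (version tag), or 'floating' (latest/none)."""
    if "@sha256:" in ref:
        return "digest"
    name = ref.rsplit("/", 1)[-1]          # ignore ':' in a registry host:port
    tag = name.split(":", 1)[1] if ":" in name else ""
    return "tag" if tag and tag != "latest" else "floating"

def findings(text):
    """Report floating image refs; mark those on containers that get secrets."""
    out = []
    for addr, body in blocks(text):
        gets_secret = re.search(r'\bsecret_id\s*=', body) is not None
        for attr, ref in IMAGE.findall(body):
            if pin_level(ref) == "floating":
                out.append((addr, attr, ref, gets_secret))
    return out

if __name__ == "__main__":
    for addr, attr, ref, gets_secret in findings(SAMPLE_TF):
        print(f"{addr}.{attr} = {ref} floats; receives secrets: {gets_secret}")
```

A version tag can still be re-pushed by whoever controls the registry; only a digest reference fixes the image content, which is why the check keeps the two levels apart.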

Serverless agent runtime

Each invocation spins up a fresh container, runs to completion, and tears down. No idle compute, no warm pool to manage. Horizontal scaling is the default: a thousand concurrent invocations is a thousand containers, gone when done.

Zero-trust networking via OpenZiti

Agents reach internal databases and APIs through an OpenZiti overlay. No VPN tunnels, no public exposure. Each agent gets virtual private connections only to the services you explicitly allow.

Per-agent, per-org observability

Token usage and tool activity are tracked at two levels: per agent and per organization. Attribute spend to specific agents or organizations without manually reconciling provider invoices.

What's landing this quarter

Three things in active development:

  • Fine-grained access control: per-agent permissions for specific employees.
  • Audit logs: durable, compliance-ready audit trails of every agent invocation and tool call.

The deploy, isolation, secrets, and observability foundation is live today.

How to try it

The fastest path is the local bootstrap:

git clone --branch latest https://github.com/agynio/bootstrap.git
cd bootstrap && ./apply.sh

That spins up a local cluster and walks you through deploying a sample agent. For a multi-agent setup that mirrors an enterprise deployment, agynio/demo-agent provisions a support, marketing, and data-engineer agent in one terraform apply.

Why we built this, and why open-source

Three things drive Agyn.

First, we believe every company will soon run far more AI agents than employees. Each function (marketing, support, finance, data, ops) will spawn multiple agents, often more than one per person. The companies that figure out how to deploy at this scale safely will compound. The ones that leave agents running on individual laptops will fall behind. This is the shift from agentic demos to durable engineering we've been tracking for the past year.

Second, we believe the agent layer will be plural, not singular. Claude Code, Codex, custom team-specific agents, and models we haven't seen yet: companies will run all of them, often within the same organization. The runtime that sits underneath all of them needs to be independent. It cannot be owned by any single agent vendor.

Third, the management layer for AI agents has to be open-source for the same reasons Kubernetes had to be open-source. Companies running this in production need to inspect it, modify it, fork it if necessary, and trust it without a vendor relationship dictating their roadmap. The runtime is where security policy, data residency, and audit trails live. Closed proprietary infrastructure at that layer is a non-starter for any serious enterprise.

That's why Agyn is AGPL-3.0, and why the entire runtime (including the architecture docs and design rationale) is public. We want platform teams to verify what runs in their cluster. We want security teams to read the code. We want the projects we're building on, like OpenZiti, OpenFGA, and Kubernetes itself, to stay the foundation.

We're going to build a managed cloud version of Agyn for teams that don't want to operate the runtime themselves. But the runtime stays open.

What we're building toward: the standard layer that every company deploying AI agents internally runs on top of. Some version of that layer is going to exist. We think the version that does should be open.


If you have a fleet of internal agents you've prototyped but can't safely scale to other teams, this is for you.