███████╗██████╗ ██████╗ ███████╗ ██████╗ ██████╗ ██████╗ ███████╗
██╔════╝██╔══██╗██╔════╝ ██╔════╝██╔════╝██╔═══██╗██╔══██╗██╔════╝
█████╗ ██║ ██║██║ ███╗█████╗ ██║ ██║ ██║██████╔╝█████╗
██╔══╝ ██║ ██║██║ ██║██╔══╝ ██║ ██║ ██║██╔══██╗██╔══╝
███████╗██████╔╝╚██████╔╝███████╗╚██████╗╚██████╔╝██║ ██║███████╗
╚══════╝╚═════╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝
The Open-Source, Self-Hosted AI Agent Platform for Kubernetes
The Kubernetes of AI Agents — framework-agnostic, MicroVM-isolated, data-sovereign
In 2026, AI agents run production workflows. They answer questions, write code, orchestrate business processes. And yet — every serious production deployment is locked inside a vendor's cloud.
AWS Bedrock AgentCore. Google Gemini Enterprise Agent Platform. Azure AI Foundry. Excellent products. But you do not control them. Your data lives on their infrastructure, under their policies, at their prices.
This is the same problem open source solved before:
Proprietary era Open-source disruption New status quo
───────────────── ────────────────────── ────────────────
Oracle → PostgreSQL → Postgres everywhere
Windows Server → Linux → Linux everywhere
VMware → KVM + containers → Kubernetes everywhere
AWS Bedrock → EdgeCore → Agents everywhere
EdgeCore is the Kubernetes of AI agents — open, self-hosted, Kubernetes-native, Apache 2.0. No rug-pull possible.
Read the full rationale: MANIFESTO.md · Why & Vision · Problem Space
EdgeCore is a production-grade AI Agent Platform that matches the capabilities of AWS AgentCore and Google's Agent Engine while adding what managed clouds cannot offer:
| Capability | EdgeCore | AWS AgentCore | Google Agent Engine |
|---|---|---|---|
| Vendor independence | ✅ | ❌ | ❌ |
| Air-gapped / on-prem | ✅ | ❌ | ❌ |
| MicroVM hardware isolation | ✅ | ❌ | ❌ |
| Framework agnostic | ✅ | Partial | ADK-preferred |
| Full data sovereignty | ✅ | ❌ | ❌ |
| Apache 2.0 license | ✅ | ❌ | ❌ |
| Kubernetes-native CRDs | ✅ | ❌ | ❌ |
| Custom isolation model | ✅ | ❌ | ❌ |
See the full gap analysis: SOTA Assessment (May 2026)
External World (Users, Other AI Systems, Event Sources)
|
v
+─────────────────────────────────+
│ Layer 1: Ingress │ Istio Gateway + JWT validation + mTLS
+─────────────────────────────────+
|
v
+─────────────────────────────────+
│ Layer 2: Control Plane │ EdgeCore Operator (Kubebuilder v4.4)
│ │ AgentDeployment / AgentSession /
│ │ AgentPolicy / AgentEvalJob CRDs
│ │ Kagent MCP+A2A Gateway · Keycloak IdP
+─────────────────────────────────+
|
v
+─────────────────────────────────+
│ Layer 3: Compute Plane │ Kata Containers + Firecracker MicroVMs
│ │ One kernel per agent (hardware isolation)
│ │ KEDA scale-to-zero autoscaling
+─────────────────────────────────+
|
v
+─────────────────────────────────+
│ Layer 4: Agent Container │ Any framework: ADK 2.0 / LangGraph /
│ │ CrewAI / Strands / PydanticAI / Custom
│ │ Contract: GET /health + OTEL export
│ │ Dapr sidecar for state + pub/sub
+─────────────────────────────────+
|
v
+─────────────────────────────────+
│ Layer 5: Service Mesh │ Istio mTLS · OPA policy on tool calls
+─────────────────────────────────+
|
v
+─────────────────────────────────+
│ Layer 6: LLM Gateway │ LiteLLM Proxy (100+ providers)
│ │ ModelCatalogEntry CRD · cost tracking
+─────────────────────────────────+
|
v
+─────────────────────────────────+
│ Layer 7: Platform Services │ Dapr + Redis / PostgreSQL
│ │ JuiceFS + MinIO · pgvector
│ │ External Secrets Operator + Vault
│ │ OTel + LGTM stack · AgentEvalJob
+─────────────────────────────────+
Deep dive: Architecture Overview · Compute Plane · Security & Identity
Every agent runs in a Kata+Firecracker MicroVM with its own Linux kernel. Container escapes cannot cross agent boundaries. Cold start in 150–300 ms.
The platform contract is minimal: a container image, GET /health, and OTEL export. Build agents with any framework:
| Framework | Version | Stars | Notes |
|---|---|---|---|
| Google ADK | v2.0 Beta (Py) / v1.0 (TS/Go/Java) | 19.4k | Graph workflows, Ambient Agents, A2A native |
| LangGraph | v1.1 stable | 30.9k | Durable execution, checkpointers, HITL |
| CrewAI | v1.14 | 50.4k | Multi-agent flows, built-in guardrails |
| OpenAI Agents SDK | v0.14.8 | 12k+ | Sandbox agents, voice pipeline, handoffs |
| PydanticAI | v1.89+ | — | Structured outputs, type-safe tools |
| Strands | v0.x | 6.3k | Model-driven, MCP native |
| Dapr Agents | v1.14 | 24k | Actor model, Dapr bindings |
- MCP v1 (Model Context Protocol) — universal tool calling, adopted by Anthropic, OpenAI, GitHub, VS Code
- A2A v1.0 (Agent-to-Agent) — Linux Foundation standard, Google/AWS/MS implementing
KEDA-managed deployments with minReplicas=0. Agents sleep between tasks. Warm pool delivers sub-50ms wakeup.
Layer 4: Semantic Guardrails (prompt injection detection, Llama Guard)
Layer 3: Identity (Keycloak OIDC, SPIFFE JWT-SVIDs, Kyverno admission)
Layer 2: Policy (OPA/Rego — policy-as-code, default deny on all tool calls)
Layer 1: Isolation (Kata+Firecracker MicroVM — one kernel per agent)
AgentEvalJob CRD runs quality gates on every deployment. LLM-as-judge. Golden datasets. Regression prevention. Integrates with Braintrust, Phoenix/Arize, and PromptFoo.
- macOS: OrbStack with K3S enabled — OR — Linux with K3S installed
- Docker
kubectlgo1.24+
kubectl apply -f operator/config/crd/bases
kubectl apply -f operator/config/namespaces
kubectl apply -f operator/config/rbaccd operator
make build
make runkubectl apply -f examples/hello-agent/deploy.yaml
kubectl get agentdeployments -A# Invoice classifier (PydanticAI + Ollama)
cd examples/invoice-classifier
pip install -r requirements.txt
python server.py
# Order router (Google ADK multi-agent + Ollama)
cd examples/order-router
pip install -r requirements.txt
python server.py
# Open WebUI AP assistant (connects to Open WebUI chat UI)
cd examples/openwebui-agent
pip install -r requirements.txt
python server.pyFull walkthrough: Tutorial 1 — Bootstrap · Tutorial 2 — First Agent · Local Dev Guide
| Example | Framework | Description |
|---|---|---|
| hello-agent | Go (stdlib) | Minimal agent: health endpoint, LLM gateway, context compression, OTEL |
| invoice-classifier | PydanticAI 1.89 + Ollama | Auto-classifies invoices, extracts line items, flags anomalies — structured output |
| order-router | Google ADK + Ollama (gemma4) | Multi-agent: orchestrator + inventory + shipping sub-agents; routes orders to optimal warehouse |
| openwebui-agent | PydanticAI + SSE | AP assistant connecting directly to Open WebUI via OpenAI Chat Completions API |
Each example ships with a Dockerfile, deploy.yaml (AgentDeployment CRD), and a test_*.py test suite.
EdgeCore's control plane is entirely CRD-driven. No proprietary SDKs.
# AgentDeployment — the core primitive
apiVersion: edgecore.io/v1
kind: AgentDeployment
metadata:
name: invoice-classifier
namespace: agents
spec:
image: edgecore/invoice-classifier:1.0.0
framework: pydantic-ai
compute:
runtime: kata-fc # kata-fc | gvisor | runc
cpu: "500m"
memory: "512Mi"
scaling:
minReplicas: 0 # scale-to-zero
maxReplicas: 10
hitl:
enabled: true # human-in-the-loop approval
approvalTimeoutSeconds: 300
artifacts:
enabled: true
retentionDays: 30
llmGateway: true # route all LLM calls through LiteLLM proxy
policyRef:
name: invoice-policyAll CRDs:
| CRD | Purpose |
|---|---|
AgentDeployment |
Lifecycle + compute + scaling for one agent |
AgentSession |
Per-user session with TTL and pod binding |
AgentPolicy |
OPA-backed tool and action policies |
AgentCatalogEntry |
Discovery registry with skill-based semantic search |
AgentEvalJob |
CI quality gate: golden datasets + LLM-as-judge |
AgentExpositionBinding |
Surface agent to UI/API/A2A with access control |
AgentAccessPolicy |
Who can invoke which agent |
ModelCatalogEntry |
LLM models registered in the gateway |
ToolRegistry / CLIToolRegistry |
MCP tool sets available to agents |
AmbientAgentTrigger |
Event-driven triggers (Kafka/NATS/webhook) |
CodingAgentDeployment |
Wrap CLI agents (Claude Code, Codex, Hermes) |
AgentWorkspace |
POSIX workspace (JuiceFS/tmpfs) for coding agents |
DelegatedCredential |
Short-lived RFC 8693 token exchange per task |
EdgeCore is a first-class host for external agents you already use:
| Category | Agents | Platform primitive |
|---|---|---|
| CLI / Server agents | Claude Code, OpenAI Codex CLI, GitHub Copilot CLI, Pi, Hermes Agent, OpenClaw | CodingAgentDeployment + AgentWorkspace CRDs |
| Local LLM inference | Llama 3.x, Mistral, Qwen, Phi (via vLLM / Ollama) | ModelCatalogEntry registered in LLM Gateway |
| External API agents | Any HTTP agent with OAuth or API key auth | AgentProxyBinding CRD |
Every BYOA agent gets: MicroVM isolation, secret injection, OTel observability, OPA policy enforcement, A2A interoperability, and catalog registration.
Phase 1: Core Operator + MicroVM Isolation ✅ IMPLEMENTED
Kubebuilder operator · AgentDeployment/Session CRDs
Kata+Firecracker runtime · Basic RBAC
Phase 2: State + SOTA Parity 🔨 DESIGNED
Dapr state + pub/sub · KEDA scale-to-zero
LiteLLM LLM Gateway · Ambient Agent Triggers
HITL first-class · Context Compression
Phase 3: Tool Governance + Quality 📋 DESIGNED
Kagent MCP Gateway · OPA/Rego enforcement
AgentEvalJob (evals-as-CI) · Multi-modal (voice/vision)
Phase 4: Identity + WASM 📋 DESIGNED
Keycloak + SPIFFE full integration
RFC 8693 Token Exchange · WASM stateless tools
Phase 5: Scale + BYOA 📋 DESIGNED
JuiceFS file-based state · MicroVM snapshots
CodingAgentDeployment · AgentWorkspace · Quotas
Phase 6: Full Observability + A2A Orchestration 📋 DESIGNED
LGTM stack (Loki/Grafana/Tempo/Mimir)
Quality alerting · Multi-agent orchestration patterns
Every phase is independently deployable and produces a working system. Each phase reduces a specific risk class.
Full details: Roadmap · Technical Implementation Plans · SOTA Assessment
| # | Tutorial | What You Build |
|---|---|---|
| 1 | Bootstrap the Platform | Full local stack: CRDs, operator, platform services |
| 2 | Deploy Your First Agent | AgentDeployment → operator → pod → eval → catalog |
| 3 | Add Governance & Identity | HITL approval, tool restrictions, API keys, token exchange |
| 4 | Observe, Debug, Iterate | Live reconciliation, persistence, troubleshooting |
| 5 | Multi-Agent Orchestration | Orchestrator + specialist pattern, A2A delegation (ADK order-router) |
| 6 | Bring Your Own Agent | Wrap Claude Code or Codex CLI into the governed platform |
| 7 | Evaluation as CI | Golden datasets, LLM-as-judge, pytest CI integration |
| 8 | Scale, State, Persistence | Scale-to-zero proof, workspace persistence, context compression |
| 9 | Advanced Security | Four-layer security: Kata + Istio mTLS + OPA + Content Guardrails |
| 10 | CLI Tools & Automation | CLIToolRegistry, AmbientAgentTrigger, event-driven CI |
MANIFESTO.md ← Why EdgeCore exists (start here)
docs/
00-sota-assessment ← Honest gap analysis vs AWS/Google/Azure (May 2026)
01-why-and-vision ← First-principles rationale
02-problem-space ← The 7 hard problems of agent infrastructure
03-architecture ← 7-layer system design, all CRDs, data flows
04-agent-frameworks ← ADK 2.0, LangGraph, CrewAI, OpenAI SDK, PydanticAI
05-compute-plane ← Kata+Firecracker MicroVMs, KEDA, WASM
06-gateway-and-protocols ← MCP v1, A2A v1.0, Kagent, CLI-as-MCP
07-memory-and-state ← Dapr, Redis, JuiceFS, pgvector, Artifacts API
08-security-and-identity ← 4-layer security pyramid, Keycloak, OPA
09-observability ← LGTM stack, agent tracing, quality gating
10-roadmap ← Six phases, SOTA gap closure plan
11-cli-tools ← CLI tools as first-class CRD citizens
12-agent-exposition ← OpenWebUI, developer API, multi-tenant routing
13-agent-catalog ← AgentCatalogEntry, skill-based discovery
14-delegated-auth ← RFC 8693 token exchange, Transaction Tokens
15-local-dev ← OrbStack+K3S macOS, Tilt hot-reload, dev tiers
16-evaluation ← AgentEvalJob, LLM-as-judge, evals-as-CI
17-multimodal ← Voice STT/LLM/TTS, Gemini Live, OpenAI Realtime
18-byoa ← Claude Code, Codex CLI, Hermes Agent, OpenClaw
technical/
00-why-first-principles ← The constraints that govern ALL phases
01-phase-1-core-operator ← Kubebuilder + MicroVM (8 weeks)
02-phase-2-state-parity ← Dapr + KEDA + SOTA G1–G4 (8 weeks)
03-phase-3-gateway-quality ← MCP + OPA + Evals + Multimodal (8 weeks)
04-phase-4-identity ← Keycloak + SPIFFE + TTS + WASM (4 weeks)
05-phase-5-scale-state ← JuiceFS + BYOA + Snapshots (6 weeks)
06-phase-6-observability ← LGTM + Quality Alerts + A2A (8 weeks)
tutorial/ ← Step-by-step tutorials (10 sessions)
examples/ ← Working agent code (4 agents)
operator/ ← Go Kubebuilder operator (Phase 1 implementation)
EdgeCore supports three dev tiers — no cloud account required:
| Tier | Stack | RAM | Use case |
|---|---|---|---|
| Tier 1 | Docker only | 2 GB | Fastest inner loop, no Kubernetes |
| Tier 2 | OrbStack + K3S (macOS) | 4 GB | Full CRD/operator experience, runc runtime |
| Tier 3 | K3S + Istio ambient | 8 GB | Production-parity concepts, mTLS |
edgecore dev up starts the full local stack. Tilt hot-reload propagates code changes in under 5 seconds.
EdgeCore takes security seriously at four independent layers:
- MicroVM — Kata+Firecracker gives each agent its own kernel; container escapes cannot cross boundaries
- mTLS + OPA — Istio encrypts all inter-service traffic; OPA enforces policy-as-code on every tool call
- Identity — Keycloak OIDC + SPIFFE JWT-SVIDs; RFC 8693 token exchange prevents confused deputy attacks
- Semantic Guardrails — Llama Guard detects prompt injection and unsafe content at every I/O boundary
Secrets are never baked into images. External Secrets Operator injects them as tmpfs-mounted env vars.
Security & Identity · Delegated Auth · Tutorial 9: Advanced Security
| Layer | Technology | Version | Purpose |
|---|---|---|---|
| Control plane | Kubebuilder | v4.4 | CRD-based operator framework |
| Isolation | Kata Containers + Firecracker | prod | MicroVM per agent |
| Autoscaling | KEDA | v2.15 | Scale-to-zero on any trigger |
| State | Dapr | v1.14 | Backend-agnostic state + pub/sub |
| Identity | Keycloak + SPIFFE | — | OIDC + workload identity |
| Policy | OPA / Rego | — | Policy-as-code, default deny |
| LLM Gateway | LiteLLM Proxy | — | 100+ providers, cost tracking |
| Observability | OpenTelemetry + LGTM | — | Traces, metrics, logs, dashboards |
| Service mesh | Istio | — | mTLS, traffic policy |
| Files | JuiceFS + MinIO | — | Distributed POSIX filesystem |
| Vector store | pgvector | — | Semantic memory |
| Secrets | External Secrets Operator | — | Vault / AWS SM / GCP SM |
| Protocols | MCP v1 + A2A v1.0 | stable | Tool calling + agent federation |
edgecore/
├── MANIFESTO.md # Why EdgeCore exists
├── Makefile # Top-level build + test targets
├── operator/ # Go Kubebuilder operator (Phase 1)
│ ├── api/v1/ # CRD type definitions
│ ├── cmd/ # Operator + HITL server entry points
│ ├── config/ # Kustomize manifests (CRDs, RBAC, etc.)
│ ├── internal/ # Controller, reconciler, HITL logic
│ └── go.mod
├── examples/
│ ├── hello-agent/ # Minimal Go agent (reference implementation)
│ ├── invoice-classifier/ # PydanticAI structured extraction
│ ├── order-router/ # Google ADK multi-agent system
│ └── openwebui-agent/ # Open WebUI chat UI integration
├── docs/ # 18 design + architecture documents
├── technical/ # 6-phase implementation plans (HOW to build)
├── tutorial/ # 10 step-by-step tutorials (HOW to use)
└── scripts/
└── validate-docs.py # Documentation validation CI
# Run all tests
make test
# Test the operator (Go)
make test-operator
# Test HITL logic
make test-hitl
# Validate CRD manifests (dry run against cluster)
make test-manifests
# Build the operator binary
make build-operatorEdgeCore is Apache 2.0. Community-owned. No rug-pull possible.
Contributions welcome:
- Operator features — implement Phase 2–6 capabilities from the roadmap and technical plans
- Agent examples — add new framework examples under
examples/ - Documentation — improve tutorials or design docs
- Integrations — new MCP tools, A2A adapters, framework integrations
See the SOTA Assessment for the seven open gaps (G1–G7) that are the highest-priority contributions.
Apache License 2.0 — free forever, community-owned.
| Topic | Document |
|---|---|
| Vision and first principles | Why & Vision |
| Honest competitive analysis | SOTA Assessment |
| Full architecture | Architecture Overview |
| Six delivery phases | Roadmap |
| MicroVM isolation | Compute Plane |
| MCP + A2A protocols | Gateway & Protocols |
| Memory, state, context | Memory & State |
| Security pyramid | Security & Identity |
| Traces and metrics | Observability |
| Voice + vision agents | Multi-modal |
| Claude Code, Codex, Hermes | Bring Your Own Agent |
| Local developer experience | Local Development |
| Quality gates in CI | Evaluation Framework |
| RFC 8693 token delegation | Delegated Authentication |
| Manifesto | MANIFESTO.md |
Open · Self-Hosted · Kubernetes-Native · AI Agent Platform
Apache 2.0 — free forever — community owned