Palana(第二部分):为AI智能体构建隔离、身份和可审计性
Introduction
简介
In Part 1, we introduced Palana, Grab’s Kubernetes-native secure execution platform for autonomous AI agents. We discussed the underlying need for isolated environments and covered its core design principles: treating isolation as the unit of trust, keeping credentials out of agent hands, and mediating all network access. In this second part, we’ll dive under the hood into Palana’s architecture, look at the agent lifecycle, and share the key lessons we learned from putting this system into production.
在第一部分中,我们介绍了Palana,这是 Grab 为自主 AI 代理打造的 Kubernetes 原生安全执行平台。我们讨论了隔离环境的潜在需求,并介绍了其核心设计原则:将隔离作为信任单元,防止代理获取凭证,以及中介所有网络访问。在第二部分中,我们将深入探讨 Palana 的底层架构,了解代理的生命周期,并分享我们将该系统投入生产环境后学到的关键经验。
Architecture overview
架构概述
The core request path looks like this:
核心请求路径如下所示:
Figure 1. Palana architecture overview.
图 1. Palana 架构概述。
The agent pod runs in a namespace owned by one user and one agent. It gets default-deny style network policy, domain name system (DNS), access to required platform services, and a persistent /data volume. Browser traffic enters through Traefik. LLM traffic goes to the LiteLLM wrapper in the gateway namespace. General Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) egress goes through the proxy namespace. Secrets are read from Vault only by the component authorized to use them.
Agent pod 运行在由一个用户和一个 agent 拥有的命名空间中。它获得默认拒绝(default-deny)风格的网络策略、域名系统(DNS)、访问所需平台服务的权限,以及一个持久的 /data 卷。浏览器流量通过 Traefik 进入。LLM 流量进入网关命名空间中的 LiteLLM 包装器。常规的超文本传输协议(HTTP)和安全超文本传输协议(HTTPS)出站流量通过代理命名空间。Secrets 仅由被授权使用的组件从 Vault 中读取。
The operator is responsible for turning a user request into the concrete Kubernetes shape:
运维人员负责将用户请求转化为具体的 Kubernetes 形态:
- The user creates an agent through
pcli(Palana command-line interface) or the portal. - 用户通过
pcli(Palana 命令行界面)或门户创建 agent。 - Palana writes a UserAgent or Agent custom resource with the raw user identity.
- Palana 使用原始用户身份写入 UserAgent 或 Agent 自定义资源。
- The operator creates the user and agent namespaces, service accounts, role bindings, storage, networ...