explaingit

aegrail/aegrail-engine

Analysis updated 2026-05-18

1GoAudience · ops devopsComplexity · 5/5Setup · hard

TLDR

A Go sidecar that enforces which network destinations an AI agent running in Kubernetes is allowed to reach, regardless of what language the agent is written in.

Mindmap

mindmap
  root((aegrail-engine))
    What it does
      Enforces egress allowlist
      Runs as Go sidecar
      Audits denied requests
    Tech stack
      Go
      Kubernetes
      Helm
    Use cases
      Block unauthorized requests
      Tamper evident audit log
      OWASP compliance
    Audience
      DevOps and platform teams
      AI security teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Block an AI agent from making unauthorized outbound network requests.

USE CASE 2

Get a tamper-evident audit log of every allowed and denied request.

USE CASE 3

Prove compliance with OWASP ASI02/ASI03 controls for AI systems in Kubernetes.

What is it built with?

GoKubernetesHelm

How does it compare?

aegrail/aegrail-engineanas727189/message-broker-systemanfernee/k8s-ipam-webhook
Stars111
LanguageGoGoGo
Last pushed2019-04-11
MaintenanceDormant
Setup difficultyhardmoderatehard
Complexity5/53/54/5
Audienceops devopsdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires a Kubernetes cluster and Helm, the project is pre-release.

In plain English

aegrail-engine is a security enforcement layer for AI agents running in Kubernetes, the container orchestration platform used to manage software at scale in the cloud. It is a Go sidecar, meaning a small companion process that runs in the same pod (the smallest deployable unit in Kubernetes) as your AI agent, intercepting all outbound network traffic before it leaves. The problem it solves: an AI agent might try to make web requests to unauthorized services, and you want to stop that at the network level regardless of what programming language the agent is written in. The aegrail Python library can enforce rules inside a Python agent's own code, but that doesn't protect against agents written in other languages, or Python code that bypasses the library entirely by opening raw network connections. The engine closes that gap by sitting between the agent container and the outside world, enforcing an allowlist of approved destinations at the HTTP proxy level. Every request the agent makes gets checked against the per-agent allowlist. Approved requests pass through, denied requests are blocked and recorded as egress_denied events in an audit log. The log uses SHA-256 hashing to make records tamper-evident, meaning you can detect after the fact if anyone altered the logs. The engine is deployed using a Helm chart (a standard Kubernetes packaging format) and maps to OWASP ASI02/ASI03 control categories for AI system security. You would use this if you run AI agents in Kubernetes and need verifiable, language-agnostic proof that those agents only communicated with approved services. The project is pre-release as of the README date.

Copy-paste prompts

Prompt 1
Deploy aegrail-engine's Helm chart alongside my AI agent pod in Kubernetes.
Prompt 2
Set up a per-agent allowlist of approved destinations for aegrail-engine.
Prompt 3
Show me how aegrail-engine's SHA-256 audit log detects tampered records.

Frequently asked questions

What is aegrail-engine?

A Go sidecar that enforces which network destinations an AI agent running in Kubernetes is allowed to reach, regardless of what language the agent is written in.

What language is aegrail-engine written in?

Mainly Go. The stack also includes Go, Kubernetes, Helm.

How hard is aegrail-engine to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is aegrail-engine for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.