OpenConveyor is a Kubernetes-native orchestrator that runs AI coding agents as isolated, one-shot Jobs. Least-privilege by default. Trigger-agnostic. Agent-agnostic.
apiVersion: openconveyor.ai/v1alpha1 · kind: Task
The problem
Handing an AI agent a task — fix this bug, close that ticket, upgrade this dependency — is only useful if you can trust it to stay in its lane. On a laptop it can touch every file. As a normal service it inherits every secret you forgot to revoke. Neither is a safe place to let something experiment on your behalf.
I built OpenConveyor so I could hand work off to agents without staying in the loop. Each task runs as a locked-down Kubernetes Job with only the secrets and network access it needs, for only as long as it needs them — and then it disappears.
You get the result. Security is already handled.
How it works
The whole system is a single custom resource — Task — and a controller that turns it into hardened, short-lived Kubernetes primitives.
A trigger fires
A GitHub issue, a Linear ticket, a cron schedule, or a slash command.
The operator creates a Task
One CRD describes the agent, prompt, and exactly what it's allowed to reach.
The Task runs, then vanishes
A one-shot Pod under restricted PSS runs the agent and cleans itself up.
What's in the box
Trigger-agnostic. Kick off work from wherever it already lives.
GitHub issues, Linear tickets, cron schedules, slash commands — point a webhook at the adapter or reconcile Tasks directly. No new dashboard to learn.
Agent-agnostic. Any container that reads a prompt and exits.
Claude Code, aider, your own wrapper — if it fits in an image, it runs. Switch providers by changing a single line in the Task spec.
Least-privilege by default. The agent gets nothing you didn't hand it.
Default-deny egress. Zero RBAC unless declared. Secrets project as read-only files, listed explicitly in the Task. No implicit permissions, ever.
Kubernetes-native. Runs on the cluster you already have.
No cloud dependency, no control plane to host, no vendor lock-in. One operator, one CRD, restricted Pod Security Standards, garbage-collected Jobs.
The Task spec
A Task names the agent, gives it a prompt, and explicitly lists the secrets it can read and the hosts it can reach. Anything not on those lists is denied.
agent.ref — swap Claude Code for any other container image.
permissions.secrets — mounted read-only, one file per secret.
permissions.egress — an allowlist enforced by NetworkPolicy.
timeout — mandatory. Runaway agents cannot exist.

apiVersion: openconveyor.ai/v1alpha1
kind: Task
metadata:
  name: fix-null-check
spec:
  agent:
    ref: claude-code-implementer
  prompt:
    inline: "Fix the null-pointer on line 42 of internal/auth/token.go."
  permissions:
    secrets:
      - anthropic-api-key
      - github-token
    egress:
      - api.anthropic.com
      - api.github.com
  timeout: 20m

# Install the operator
kubectl apply -k github.com/openconveyor/openconveyor/config/default

# Apply a Task
kubectl apply -f task.yaml

In practice
Trigger: GitHub
An issue gets labeled agent-fix. A Task is created with exactly the secrets needed to clone, push, and open a PR — nothing else.
Trigger: Linear
A Linear webhook fires on a tagged ticket. The agent works while you're asleep; you wake up to a diff to review, not a running process to babysit.
Trigger: Cron
A CronTask runs at 03:00, pinned to your registry's egress, reads a single token, opens a PR, and gets garbage-collected before breakfast.
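The GitHub flow above, written out as an added example of what a trigger adapter has to do before it creates a Task. This is not OpenConveyor's own adapter code: the Task layout follows the spec shown on this page, the payload fields and the X-Hub-Signature-256 header are GitHub's documented webhook format, and the label name, secret names, egress hosts, timeout and demo secret are assumed policy choices. The point it makes is that the adapter authenticates the sender before it parses anything, fires only on the one event it was pointed at, and hands the agent a fixed permission list rather than deriving permissions from the (untrusted) issue text.

```python
"""Trigger adapter sketch: GitHub 'issues' webhook -> OpenConveyor Task.

Added example, not the project's adapter. Task fields follow the spec on the
page; payload shape and signature scheme are GitHub's; everything else is an
assumed policy choice.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

WEBHOOK_SECRET = b"constructed-demo-secret"  # constructed; in a cluster this lives in a Secret
TRIGGER_LABEL = "agent-fix"                  # the label named in the "In practice" section


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """GitHub sends 'sha256=<hex HMAC-SHA256 of the raw body>'. Anything
    unsigned or malformed is rejected; the comparison is constant-time."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):])


def task_from_issue_event(event: dict) -> Optional[dict]:
    """Build a Task only for the 'labeled' action with the agreed label, so
    edits, comments and re-opens cannot start a Job. The issue text becomes
    the prompt and is untrusted input: the permission lists, not the prompt,
    bound what the agent can do."""
    if event.get("action") != "labeled":
        return None
    if event.get("label", {}).get("name") != TRIGGER_LABEL:
        return None
    issue = event["issue"]
    repo = event["repository"]["full_name"]
    number = issue["number"]
    # Kubernetes object names must be lowercase DNS labels.
    name = f"issue-{number}-{repo}".replace("/", "-").lower()
    return {
        "apiVersion": "openconveyor.ai/v1alpha1",
        "kind": "Task",
        "metadata": {"name": name},
        "spec": {
            "agent": {"ref": "claude-code-implementer"},
            "prompt": {"inline": f"Resolve {repo}#{number}: {issue['title']}\n\n{issue.get('body') or ''}"},
            "permissions": {
                # Exactly what clone, push and open-a-PR need; nothing else.
                "secrets": ["anthropic-api-key", "github-token"],
                "egress": ["api.anthropic.com", "api.github.com", "github.com"],
            },
            "timeout": "20m",
        },
    }


def handle_webhook(body: bytes, headers: dict) -> Tuple[int, Optional[dict]]:
    """HTTP-handler shaped entry point returning (status, task). The signature
    is checked before the body is parsed, so an unauthenticated sender never
    reaches the JSON parser, let alone the Task creation path."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return 401, None
    if headers.get("X-GitHub-Event") != "issues":
        return 204, None
    task = task_from_issue_event(json.loads(body))
    return (202, task) if task else (204, None)


def sign(secret: bytes, body: bytes) -> str:
    """Produce the header GitHub would send; used here only to exercise the handler."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


# Constructed sample event, shaped like GitHub's 'issues' webhook payload.
SAMPLE_EVENT = {
    "action": "labeled",
    "label": {"name": "agent-fix"},
    "issue": {"number": 42, "title": "Null-pointer in token refresh",
              "body": "See internal/auth/token.go line 42."},
    "repository": {"full_name": "octo-org/widgets"},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode()

if __name__ == "__main__":
    headers = {"X-GitHub-Event": "issues",
               "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(SAMPLE_BODY, headers))
```

In a real deployment the returned Task dict would be submitted to the API server (for example through the Kubernetes Python client) and the adapter's own ServiceAccount would need create rights on Tasks and nothing more; the Linear and slash-command adapters differ only in the signature scheme and the event filter.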
Security model
Every Task runs behind a NetworkPolicy that blocks all egress. You declare exactly which hosts the agent can reach. Nothing else gets through.
The agent's ServiceAccount starts with no cluster permissions. If the Task needs to apply manifests, you declare a Role and the operator binds it — minimally.
Listed secrets project as read-only files on a tmpfs volume. Not environment variables. Not something the agent can enumerate or leak through process listings.
Full treatment, including Pod Security Standards, timeouts, and garbage collection, is in the README security section.
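To make the Task spec and the security model above concrete, here is an added example (not OpenConveyor's controller code) that renders the page's fix-null-check Task into the Kubernetes objects the text describes, a Job under a restricted pod posture, a default-deny NetworkPolicy carrying the egress allowlist, and a ServiceAccount with no bindings, and then checks the rendered pod against the properties the page promises. The Task fields are the ones shown in the spec; the Job, NetworkPolicy and ServiceAccount fields are standard Kubernetes API fields. Assumptions, labelled in the code: the agent ref to image lookup, the 300-second garbage-collection window, port 443 for egress, the kube-dns labels, and the placeholder CIDRs. One caveat a practitioner should know: a standard NetworkPolicy matches IP blocks, namespaces and pods, not hostnames, so the page's host allowlist has to be resolved to addresses by something (the operator, or a CNI with FQDN policies); this page does not say how OpenConveyor does that, and the example simply takes the mapping as input.

```python
"""Task -> hardened Job, NetworkPolicy, ServiceAccount; plus a posture check.

Added example, not the project's controller. Kubernetes fields are standard;
image lookup, GC window, egress port, DNS labels and CIDRs are assumptions.
"""
import re

DURATION = re.compile(r"^(\d+)([smh])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_timeout(value) -> int:
    """timeout is mandatory: a Task without one is refused, not defaulted."""
    match = DURATION.match(value or "")
    if not match:
        raise ValueError(f"timeout must be set and look like '20m', got {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def render(task: dict, agent_images: dict, egress_cidrs: dict) -> dict:
    spec, meta = task["spec"], task["metadata"]
    name, ns = meta["name"], meta.get("namespace", "default")
    perms = spec.get("permissions", {})
    labels = {"openconveyor.ai/task": name}

    # Each listed Secret becomes a read-only file tree (Secret volumes are
    # tmpfs-backed); nothing is put into the environment.
    volumes, mounts = [], []
    for secret in perms.get("secrets", []):
        volumes.append({"name": secret, "secret": {"secretName": secret, "defaultMode": 0o400}})
        mounts.append({"name": secret, "mountPath": f"/run/secrets/{secret}", "readOnly": True})

    pod = {
        "restartPolicy": "Never",
        "serviceAccountName": name,
        "automountServiceAccountToken": False,  # no API token unless RBAC is declared
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "agent",
            "image": agent_images[spec["agent"]["ref"]],  # assumed: ref -> image lookup
            "args": [spec["prompt"]["inline"]],
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": mounts,
        }],
        "volumes": volumes,
    }
    job = {"apiVersion": "batch/v1", "kind": "Job",
           "metadata": {"name": name, "namespace": ns},
           "spec": {"backoffLimit": 0,
                    "activeDeadlineSeconds": parse_timeout(spec.get("timeout")),
                    "ttlSecondsAfterFinished": 300,  # assumed GC window after completion
                    "template": {"metadata": {"labels": labels}, "spec": pod}}}

    # Default-deny egress needs an explicit hole to cluster DNS (assumed labels)
    # or the agent cannot resolve the hosts it is allowed to reach.
    egress = [{"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                       "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
               "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]
    for host in perms.get("egress", []):  # NetworkPolicy takes CIDRs, not hostnames
        if host not in egress_cidrs:
            raise ValueError(f"no address known for egress host {host!r}")
        egress.append({"to": [{"ipBlock": {"cidr": egress_cidrs[host]}}],
                       "ports": [{"protocol": "TCP", "port": 443}]})
    # Both policyTypes with no ingress rules: all ingress denied, egress = allowlist.
    netpol = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
              "metadata": {"name": name, "namespace": ns},
              "spec": {"podSelector": {"matchLabels": labels},
                       "policyTypes": ["Ingress", "Egress"], "egress": egress}}
    sa = {"apiVersion": "v1", "kind": "ServiceAccount",
          "metadata": {"name": name, "namespace": ns},
          "automountServiceAccountToken": False}
    return {"Job": job, "NetworkPolicy": netpol, "ServiceAccount": sa}


def hardening_violations(pod: dict) -> list:
    """Check a pod spec for the properties the page promises: restricted PSS
    posture (pod-level seccomp, non-root, no escalation, all caps dropped),
    no auto-mounted token, secrets as read-only files rather than env vars."""
    problems = []
    ctx = pod.get("securityContext", {})
    if not ctx.get("runAsNonRoot"):
        problems.append("pod may run as root")
    if ctx.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("no seccomp profile")
    if pod.get("automountServiceAccountToken") is not False:
        problems.append("service account token auto-mounted")
    for c in pod.get("containers", []):
        cctx = c.get("securityContext", {})
        if cctx.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{c['name']}: privilege escalation allowed")
        if "ALL" not in cctx.get("capabilities", {}).get("drop", []):
            problems.append(f"{c['name']}: capabilities not dropped")
        if any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", [])):
            problems.append(f"{c['name']}: secret exposed as environment variable")
        if any(not m.get("readOnly") for m in c.get("volumeMounts", [])):
            problems.append(f"{c['name']}: writable mount")
    return problems


# The Task from the spec above, plus constructed lookups (placeholder values).
TASK = {"apiVersion": "openconveyor.ai/v1alpha1", "kind": "Task",
        "metadata": {"name": "fix-null-check"},
        "spec": {"agent": {"ref": "claude-code-implementer"},
                 "prompt": {"inline": "Fix the null-pointer on line 42 of internal/auth/token.go."},
                 "permissions": {"secrets": ["anthropic-api-key", "github-token"],
                                 "egress": ["api.anthropic.com", "api.github.com"]},
                 "timeout": "20m"}}
AGENT_IMAGES = {"claude-code-implementer": "registry.example/claude-code:placeholder"}
EGRESS_CIDRS = {"api.anthropic.com": "203.0.113.10/32", "api.github.com": "203.0.113.20/32"}

if __name__ == "__main__":
    out = render(TASK, AGENT_IMAGES, EGRESS_CIDRS)
    print(out["Job"]["spec"]["activeDeadlineSeconds"], hardening_violations(out["Job"]["spec"]["template"]["spec"]))
```

hardening_violations is the kind of check worth running as an admission or CI gate over whatever the controller emits: the empty list for the rendered pod is the expected result, and a pod that carries a secret in an env var or omits the seccomp profile fails it immediately.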
About the creator
Freelance Platform Engineer · Kubernetes, OpenShift, Azure
I'm a Freelance Platform Engineer with a software engineering background — which means I think about clusters the same way I think about code: small, composable primitives with clear boundaries.
I built OpenConveyor to kick off AI agents asynchronously on top of the Kubernetes primitives I already trust, with security built into the shape of the tool rather than bolted on later. I describe the change, the agent does the work, and I get the result back.