Show HN: Katakate – Self-hosted safe VMs for AI compute (github.com)

🤖 AI Summary
Katakate is an open-source (Apache-2.0) project for running untrusted AI workloads in lightweight, self-hosted VM sandboxes at scale. It layers Kubernetes (K3s) orchestration over Kata Containers and the Firecracker VMM, so each sandbox keeps a container-style workflow while getting KVM-backed, hardware-virtualized isolation, fast boots and a small attack surface. Target uses include AI agents that execute arbitrary code, custom serverless platforms, hardened CI/CD runners and blockchain execution layers for AI dApps.

The project ships a k7 CLI, an API server and a Python SDK with sync and async clients, and is explicitly designed to support multi-node clusters, Docker builds inside sandboxes, and optional QEMU for GPU workloads. Technically, Katakate uses the devmapper snapshotter with a thin pool so many VM root filesystems fit efficiently on one node, applies seccomp and drops Linux capabilities by default, chroots the VMM via Firecracker's Jailer, enforces strict network policies (ingress blocked by default, egress limited to a CIDR whitelist, DNS always allowed), stores API keys only as hashes, and plans Cilium FQDN-based egress whitelisting.

Requirements include KVM-enabled x86 hosts and a raw disk for thin-pool provisioning (best on bare metal or .metal instances); Hetzner Robot setups are tested. It is currently in beta and under security review (some Jailer/Kata interactions are still under investigation), so it is promising for ML/AI teams that need safer remote code execution but should be used cautiously for highly sensitive workloads.
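Two of the controls listed above, hashed API keys and the default-deny network policy with an egress CIDR whitelist, are easy to get subtly wrong. The block below is an added illustration written for this page, not Katakate's own code: it sketches how an API server could store and verify keys without keeping plaintext, and how it could emit a Kubernetes NetworkPolicy for one sandbox. The `k7_` key prefix, the `katakate.io/sandbox` pod label, the kube-dns selector, and the rejection of wildcard or cloud-metadata-covering CIDRs are all assumptions made for the example; the inputs in `main()` are constructed.

```python
"""Illustrative sandbox-admission logic in the spirit of Katakate's API server.

Added example, not Katakate's code. Function names, labels, the key prefix and
the CIDR rejection rules are assumptions chosen for this illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional, Tuple

# --- API keys: store a hash, never the plaintext, and compare in constant time ---

def issue_api_key() -> Tuple[str, str]:
    """Return (plaintext key shown once to the client, hex digest kept server-side).

    A 32-byte random token has enough entropy that an unsalted SHA-256 is
    adequate for lookup; a stolen table of digests cannot be reversed.
    """
    key = "k7_" + secrets.token_urlsafe(32)  # "k7_" prefix is an assumption
    return key, hashlib.sha256(key.encode()).hexdigest()

def verify_api_key(presented: str, stored_digest: str) -> bool:
    """Hash what the client sent and compare without leaking timing."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)

# --- Network policy: deny all ingress, allow DNS, allow only whitelisted egress ---

METADATA_ENDPOINT = ipaddress.ip_network("169.254.169.254/32")  # cloud metadata service
DNS_PORTS = [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]

def reject_reason(cidr: str) -> Optional[str]:
    """Return why a whitelist entry is unacceptable, or None if it is fine."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return "not a valid CIDR"
    if net.prefixlen == 0:
        return "wildcard egress defeats the whitelist"
    if net.version == 4 and net.overlaps(METADATA_ENDPOINT):
        return "covers the cloud metadata endpoint"
    return None

def validate_egress_whitelist(cidrs: List[str]) -> List[str]:
    """Normalise the whitelist and raise on any entry that would widen it unsafely."""
    out = []
    for c in cidrs:
        why = reject_reason(c)
        if why is not None:
            raise ValueError(f"{c}: {why}")
        out.append(str(ipaddress.ip_network(c)))
    return out

def build_network_policy(name: str, namespace: str, egress_cidrs: List[str]) -> Dict:
    """Build a NetworkPolicy manifest for one sandbox pod.

    Listing Ingress in policyTypes with no ingress rules denies all inbound
    traffic. DNS is pinned to the cluster resolver rather than "port 53 to
    anywhere", which would otherwise be an easy tunnelling channel.
    """
    egress = [{
        "to": [{
            "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
        }],
        "ports": DNS_PORTS,
    }]
    cidrs = validate_egress_whitelist(egress_cidrs)
    if cidrs:
        egress.append({"to": [{"ipBlock": {"cidr": c}} for c in cidrs]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"katakate.io/sandbox": name}},  # label is an assumption
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [],  # no rules: every inbound connection is dropped
            "egress": egress,
        },
    }

def main() -> None:
    # Constructed inputs for a stand-alone run.
    key, digest = issue_api_key()
    print("key verifies:", verify_api_key(key, digest))
    policy = build_network_policy("sbx-demo", "sandboxes", ["10.0.0.0/8", "203.0.113.0/24"])
    print("egress rules:", len(policy["spec"]["egress"]))
    print("0.0.0.0/0 rejected:", reject_reason("0.0.0.0/0"))

if __name__ == "__main__":
    main()
```

The manifest only helps if the cluster's CNI actually enforces NetworkPolicy objects, so a practitioner should confirm enforcement from inside a sandbox (for example by attempting a connection to a non-whitelisted address) rather than trusting that the object was accepted by the API server.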