Open source agentic infrastructure

Build your own OpenAI Frontier or Claude Platform equivalent on the same technology they use, with full control over deployment, governance, and security. Deploy across clouds or on-premises.

Why Nightshift?

Agent Agnostic

Run any agent SDK (Claude, OpenAI, LangGraph, or your own) on the same runtime without lock-in.

Kubernetes-Aware

Uses Tetragon and Cilium to identify workloads by Kubernetes pod, namespace, and label, so policies map directly onto the objects already in your cluster.

Kernel-level Enforcement

Nightshift blocks malicious activity at the kernel level using Tetragon and sandboxed runtimes like Kata.

Real-time Policy Engine

Define network and runtime policies with CiliumNetworkPolicy and TracingPolicy, enforced synchronously in the kernel.

Namespace Coverage

Agents and the work products they produce are automatically covered by security policies scoped to their namespace.

Centralized Secrets

Native support for HashiCorp Vault and OpenBao. Inject secrets into agents without ever writing them to disk.

How it works

Nightshift architecture diagram showing the Data Stores, Observer, nightshift-api, Kernel, Nightshift Workers, Secrets Vault, Connectors, and Telemetry zones and how they connect.

Defense in depth

Nightshift layers three independent controls. Agent pods run inside Kata micro-VMs with their own guest kernel, so a container escape lands in a disposable VM rather than on the node. Cilium filters every packet leaving the pod with eBPF. Tetragon hooks syscalls and kernel functions for runtime policy enforcement.

Tetragon

If something gets past the network layer, Tetragon hooks the relevant syscalls and kernel functions via kprobes and enforces in the kernel: the offending call is denied or the process is killed before the operation completes, so enforcement does not depend on a userspace agent reacting after the fact.
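The three layers described above (Kata micro-VM, Cilium egress policy, Tetragon runtime policy), shown as one added example of what the manifests look like for a single agent pod. These are illustrative manifests written for this page, not Nightshift's own manifests or anything the Helm chart installs. They assume a namespace named agents, a RuntimeClass named kata installed on the nodes, Cilium with DNS-aware policy enabled, and a Tetragon release that supports TracingPolicyNamespaced and podSelector; the image name, the allowed hostname, and the app label are placeholders. One caveat a practitioner should keep in mind: a kprobe policy fires in the kernel that the process makes its syscalls against, and for a Kata pod that is the micro-VM's guest kernel, so the TracingPolicy only takes effect where Tetragon is hooked into that kernel.

```yaml
# Added example, not Nightshift's own manifests. Assumptions: namespace
# "agents", a RuntimeClass "kata" on the nodes, Cilium DNS-aware policy,
# and Tetragon with TracingPolicyNamespaced + podSelector. Override needs
# kernel support for kprobe error injection; Sigkill works everywhere.
---
# 1) The agent pod: labelled so both policies below can select it, and
#    scheduled onto the Kata RuntimeClass so it gets its own guest kernel.
apiVersion: v1
kind: Pod
metadata:
  name: coding-agent
  namespace: agents
  labels:
    app: coding-agent
spec:
  runtimeClassName: kata                     # assumption: RuntimeClass "kata" exists
  automountServiceAccountToken: false        # the agent has no need for the API server
  containers:
  - name: agent
    image: example.com/coding-agent:latest   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
---
# 2) Network layer: because only egress rules are listed, Cilium denies every
#    other outbound flow from the pod. Allowed: cluster DNS, and one model API
#    endpoint by FQDN on 443. The DNS rule lets Cilium's DNS proxy observe
#    lookups, which is what makes the toFQDNs rule resolvable.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: coding-agent-egress
  namespace: agents
spec:
  endpointSelector:
    matchLabels:
      app: coding-agent
  egress:
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  - toFQDNs:
    - matchName: "api.example.com"           # placeholder: the model API the agent may call
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
---
# 3) Runtime layer: Tetragon hooks the LSM function every file write passes
#    through and, for this pod only, fails any write under /etc with EPERM
#    from inside the kernel. The write never happens; the agent just sees
#    a failed syscall.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: coding-agent-no-etc-writes
  namespace: agents
spec:
  podSelector:
    matchLabels:
      app: coding-agent
  kprobes:
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"              # struct file *, resolved to a path by Tetragon
    - index: 1
      type: "int"               # access mask: 2 == MAY_WRITE
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc"
      - index: 1
        operator: "Equal"
        values:
        - "2"
      matchActions:
      - action: Override
        argError: -1            # -EPERM, returned to the caller in the kernel
```

Apply all three with a single kubectl apply -f, then try a write such as touch /etc/x from inside the pod: it fails with "Operation not permitted", and the matching event appears in Tetragon's event stream with the pod's namespace and labels attached. Swapping Override for Sigkill kills the process instead of failing the call, which is the stricter choice for an autonomous agent that might retry.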

[Telemetry diagram: Running Agents (each pod exposes metrics and logs observed at the kernel) -> Tetragon / Cilium (kernel-level event and metric pipeline) -> Prometheus (metrics time series), Loki (log aggregation), Grafana (operator dashboards, alerts, OpenTelemetry); Tetragon enforcement via kprobes and TracingPolicy in real time; nightshift-api exposes a REST interface.]

Full visibility into every agent

Query logs, metrics, and processes from any running agent via the REST API. Nightshift uses Tetragon and Cilium to capture kernel-level events and ships metrics to Prometheus, logs to Loki, and dashboards and alerts to Grafana for your operator team.

Deploy anywhere

One Helm chart. Any Kubernetes cluster. Cloud, on-premise, or air-gapped. Full control over your deployment, governance, and security.

# Add the Nightshift Helm repo
helm repo add nightshift \
  https://charts.nightshift.sh

# Install into your cluster
helm install nightshift nightshift/nightshift \
  --namespace nightshift \
  --create-namespace

# Verify the deployment
kubectl get pods -n nightshift
NAME                          READY   STATUS
nightshift-d-0                1/1     Running
nightshift-d-1                1/1     Running