TL;DR: Kubernetes schedules LLM workloads well, but it does not give them the isolation boundary they need once they start calling tools, executing code, or handling tenant data.
Open Source Summit North America made one thing obvious: the cloud native crowd has moved from "can Kubernetes run LLM workloads?" to "what breaks when we trust Kubernetes too much?"
That is the right question.
The default Kubernetes security model assumes a pod is mostly an application packaging unit. It gives you namespaces, cgroups, seccomp, AppArmor, service accounts, admission control, and network policy. All of that matters. None of it changes the central fact that normal containers share the host kernel.
For a stateless API, that tradeoff is usually fine. For an LLM tool runner that can read files, call APIs, invoke Python, shell out to package managers, and chain actions across systems, that boundary starts looking thin.
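As an added example (not from the original post), the following manifests show what the controls listed above look like when they are actually applied to an LLM tool runner, with each hardened setting commented against the default it replaces, plus a `runtimeClassName` so the pod runs under a sandboxed kernel rather than the shared host kernel. It assumes a RuntimeClass named `gvisor` is installed on the cluster, a namespace `llm-tools`, a placeholder image, and an internal CIDR of `10.0.0.0/8`; none of these come from the page.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: llm-tool-runner
  namespace: llm-tools              # assumed namespace
  labels:
    app: llm-tool-runner
spec:
  runtimeClassName: gvisor          # assumed RuntimeClass; without it the pod shares the host kernel
  automountServiceAccountToken: false   # default true: the runner would get cluster API credentials
  securityContext:
    runAsNonRoot: true              # default: whatever UID the image sets, often root
    runAsUser: 65532
    seccompProfile:
      type: RuntimeDefault          # default on many clusters: Unconfined (no syscall filter)
  containers:
  - name: runner
    image: registry.example.com/llm-tool-runner:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false   # blocks setuid binaries from gaining privileges
      readOnlyRootFilesystem: true      # tool output goes only to the scratch volume below
      capabilities:
        drop: ["ALL"]               # default set includes NET_RAW, CHOWN, SETUID, ...
    volumeMounts:
    - name: scratch
      mountPath: /tmp
  volumes:
  - name: scratch
    emptyDir:
      sizeLimit: 1Gi                # bounded writable space for code execution
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: llm-tool-runner-egress
  namespace: llm-tools
spec:
  podSelector:
    matchLabels:
      app: llm-tool-runner
  policyTypes: ["Egress"]           # default: no policy, so all egress is allowed
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/8            # assumed internal range for the tool APIs the runner may call
    ports:
    - protocol: TCP
      port: 443
```

Check that the RuntimeClass exists with `kubectl get runtimeclass` before applying; if it is missing the pod will fail to start rather than silently fall back to the default runtime.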