Kagent
Kagent is a Kubernetes-native AI agent framework that brings autonomous agents to cloud-native environments. It leverages Kubernetes primitives for agent lifecycle management, scaling, and orchestration.
What is Kagent?
Kagent provides a Kubernetes-native approach to running AI agents:
- CRD-based Configuration - Define agents as Kubernetes resources
- Native Scaling - Horizontal pod autoscaling for agent workloads
- MCP Support - Built-in Model Context Protocol for tool access
- A2A Communication - Agent-to-agent messaging via Kubernetes services
- GitOps Ready - Declarative agent definitions for Flux/ArgoCD
Why Use Agent Gateway with Kagent?
Kagent agents running in Kubernetes need enterprise governance:
| Kubernetes Challenge | Agent Gateway Solution |
|---|---|
| Multi-tenant clusters | Namespace-aware policies |
| Service-to-service auth | mTLS and JWT validation |
| Distributed tracing | OpenTelemetry integration |
| Cost allocation | Per-namespace token tracking |
| Compliance requirements | Centralized audit logging |
Architecture
┌─────────────────────────────────────────────────────────────┐
│ Kubernetes Cluster │
│ │
│ ┌──────────────┐ ┌─────────────────┐ ┌────────────┐ │
│ │ Kagent │───▶│ Agent Gateway │───▶│ LLM │ │
│ │ Agents │ │ (Deployment) │ │ Provider │ │
│ │ │ │ │ └────────────┘ │
│ │ ┌────────┐ │ │ - Auth/AuthZ │ │
│ │ │Agent A │ │ │ - Audit │ ┌────────────┐ │
│ │ └────────┘ │ │ - Metrics │───▶│ MCP │ │
│ │ ┌────────┐ │ │ - Rate Limit │ │ Servers │ │
│ │ │Agent B │ │ └─────────────────┘ └────────────┘ │
│ │ └────────┘ │ │ │
│ └──────────────┘ │ ┌────────────┐ │
│ └─────────────▶│ Other │ │
│ A2A │ Agents │ │
│ └────────────┘ │
└─────────────────────────────────────────────────────────────┘Deployment
1. Deploy Agent Gateway
Deploy Agent Gateway in your cluster:
apiVersion: apps/v1
kind: Deployment
metadata:
name: agentgateway
namespace: ai-platform
spec:
replicas: 3
selector:
matchLabels:
app: agentgateway
template:
metadata:
labels:
app: agentgateway
spec:
containers:
- name: agentgateway
image: ghcr.io/agentgateway/agentgateway:latest
ports:
- containerPort: 8080 # LLM
- containerPort: 8081 # MCP
- containerPort: 8082 # A2A
volumeMounts:
- name: config
mountPath: /etc/agentgateway
volumes:
- name: config
configMap:
name: agentgateway-config
---
apiVersion: v1
kind: Service
metadata:
name: agentgateway
namespace: ai-platform
spec:
selector:
app: agentgateway
ports:
- name: llm
port: 8080
- name: mcp
port: 8081
- name: a2a
port: 80822. Configure Agent Gateway
apiVersion: v1
kind: ConfigMap
metadata:
name: agentgateway-config
namespace: ai-platform
data:
config.yaml: |
listeners:
- name: llm
address: 0.0.0.0
port: 8080
protocol: HTTP
- name: mcp
address: 0.0.0.0
port: 8081
protocol: MCP
- name: a2a
address: 0.0.0.0
port: 8082
protocol: A2A
llm:
providers:
- name: openai
type: openai
api_key_secret: openai-credentials
security:
authentication:
type: kubernetes
service_account_validation: true3. Create ModelConfig for Agent Gateway
First, create a ModelConfig that points to Agent Gateway:
apiVersion: kagent.dev/v1alpha2
kind: ModelConfig
metadata:
name: gateway-model-config
namespace: ai-platform
spec:
provider: openai
model: gpt-4
apiKeySecretRef:
name: gateway-api-key
key: api-key
baseUrl: http://agentgateway.ai-platform.svc:8080/v14. Configure Kagent Agents
Point Kagent agents to use the gateway ModelConfig:
apiVersion: kagent.dev/v1alpha2
kind: Agent
metadata:
name: code-assistant
namespace: dev-team
spec:
description: A code review and documentation assistant
type: Declarative
declarative:
modelConfig: gateway-model-config
systemMessage: |-
You are an expert code reviewer and documentation writer.
Help users with code review, documentation, and best practices.
tools:
- type: McpServer
mcpServer:
name: filesystem-server
kind: RemoteMCPServer
toolNames:
- read_file
- write_file
- type: McpServer
mcpServer:
name: github-server
kind: RemoteMCPServer
toolNames:
- get_pull_request
- create_reviewGovernance Capabilities
Namespace-Aware Policies
Enforce policies per Kubernetes namespace:
authorization:
policies:
# Production namespace - restricted models
- name: prod-policy
match:
kubernetes:
namespace: production
resources:
- "model:gpt-4"
action: allow
# Dev namespace - broader access
- name: dev-policy
match:
kubernetes:
namespace: development
resources:
- "model:*"
action: allowService Account Authentication
Validate Kubernetes service accounts:
security:
authentication:
type: kubernetes
service_account_validation: true
allowed_namespaces:
- ai-agents
- dev-team
- prod-teamA2A Authorization
Control agent-to-agent communication:
a2a:
authorization:
- name: dev-team-agents
source:
namespace: dev-team
target:
namespace: dev-team
action: allow
- name: cross-namespace-restricted
source:
namespace: dev-team
target:
namespace: production
action: denyPer-Namespace Rate Limits
Allocate token budgets by team:
rate_limiting:
- name: dev-team-budget
match:
kubernetes:
namespace: dev-team
limit: 1000000 # tokens per day
window: 24h
limit_by: tokens
- name: prod-budget
match:
kubernetes:
namespace: production
limit: 5000000
window: 24h
limit_by: tokensObservability
Kubernetes-Native Metrics
Agent Gateway exposes Prometheus metrics compatible with kube-prometheus-stack:
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: agentgateway
namespace: ai-platform
spec:
selector:
matchLabels:
app: agentgateway
endpoints:
- port: metrics
interval: 30sDistributed Tracing
Enable OpenTelemetry for cross-service tracing:
observability:
tracing:
enabled: true
exporter: otlp
endpoint: jaeger-collector.observability.svc:4317
propagation:
- w3c
- b3Audit Logging
Send audit logs to your SIEM:
observability:
logging:
enabled: true
format: json
output:
- type: stdout
- type: elasticsearch
endpoint: https://elasticsearch.logging.svc:9200
index: agentgateway-auditBest Practices
- Namespace Isolation - Separate teams with namespace-aware policies
- Resource Quotas - Set token budgets per namespace
- Audit Everything - Log all LLM, MCP, and A2A traffic
- GitOps Policies - Manage authorization policies declaratively