For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.
Kagent
Use agentgateway with kagent.
Kagent is a Kubernetes-native AI agent framework that brings autonomous agents to cloud-native environments. It leverages Kubernetes primitives for agent lifecycle management, scaling, and orchestration.
What is kagent?
Kagent provides a Kubernetes-native approach to running AI agents:
- CRD-based Configuration - Define agents as Kubernetes resources
- Native Scaling - Horizontal pod autoscaling for agent workloads
- MCP Support - Built-in Model Context Protocol for tool access
- A2A Communication - Agent-to-agent messaging via Kubernetes services
- GitOps Ready - Declarative agent definitions for Flux/ArgoCD
Why use agentgateway with kagent?
Kagent agents running in Kubernetes need enterprise governance:
| Kubernetes Challenge | agentgateway Solution |
|---|---|
| Multi-tenant clusters | Namespace-aware policies |
| Service-to-service auth | mTLS and JWT validation |
| Distributed tracing | OpenTelemetry integration |
| Cost allocation | Per-namespace token tracking |
| Compliance requirements | Centralized audit logging |
Before you begin
Follow the Get started guide to install agentgateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n agentgateway-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}") echo $INGRESS_GW_ADDRESS
- Follow the Ollama guide to install and setup Ollama.
Architecture
This guide sets up kagent and agentgateway in a kind cluster, as shown in the following diagram.
flowchart LR
subgraph KindCluster["kind cluster"]
kagentPods["kagent agent pods"]
agentGateway["agentgateway<br>(agentgateway-system ns)<br>• auth / authz<br>• rate limiting<br>• audit logging<br>• observability"]
end
kagentPods --> agentGateway
agentGateway --> ollama["Ollama<br>(host)"]
kagentPods:::internal
agentGateway:::internal
ollama:::external
classDef cluster stroke:#818cf8,fill:#eef2ff
classDef internal stroke:#a78bfa,fill:#f5f3ff
classDef external stroke:#fb923c,fill:#fff7ed
style kagentPods stroke:#a78bfa,fill:#ffffff
style agentGateway fill:#ffffff,stroke:#AA00FF
style ollama fill:#ffffff,stroke:#00C853
style KindCluster stroke:#2962FF,fill:#ffffff
Install kagent
Install kagent in your cluster. For more information, see the kagent docs.
Install kagent CRDs.
helm install kagent-crds oci://ghcr.io/kagent-dev/kagent/helm/kagent-crds \ --namespace kagent \ --create-namespaceInstall kagent.
helm install kagent oci://ghcr.io/kagent-dev/kagent/helm/kagent \ --namespace kagent \ --create-namespace \ --set providers.default=ollama \ --set providers.ollama.baseUrl=http://agentgateway-proxy.agentgateway-system.svc.cluster.local/v1 \ --set providers.ollama.apiKey=dummyVerify everything is up and running.
kubectl get pods -n kagentExample output:
argo-rollouts-conversion-agent-7f8cdbd6f7-6tvl2 1/1 Running 0 5h2m cilium-debug-agent-6588998448-gr8tc 1/1 Running 0 5h2m cilium-manager-agent-d9468b549-tbqmk 1/1 Running 0 5h2m cilium-policy-agent-68d6c9bbf8-tgrzc 1/1 Running 0 5h2m helm-agent-66845fccdb-65wj5 1/1 Running 0 5h2m istio-agent-6968fddf87-qtcrg 1/1 Running 0 5h2m k8s-agent-64858b5476-6nw76 1/1 Running 0 168m kagent-controller-9bfbc5b5b-lfxfx 1/1 Running 0 5h5m kagent-grafana-mcp-64c84f5b59-jpp98 1/1 Running 0 5h5m kagent-kmcp-controller-manager-877f8dd7c-brw5h 1/1 Running 0 5h5m kagent-postgresql-7956f487fd-fznnz 1/1 Running 0 5h5m kagent-querydoc-865fb84c44-kbl2m 1/1 Running 0 5h5m kagent-tools-55cc7db799-qrk5c 1/1 Running 0 5h5m kagent-ui-6d78884f6f-c64b5 1/1 Running 0 5h5m kgateway-agent-876d7c9dc-jpcbv 1/1 Running 0 5h2m observability-agent-7f8b568666-zvmbh 1/1 Running 0 5h2m promql-agent-5499d6db5-lvf77 1/1 Running 0 5h2m
Setup kagent
Create a
ModelConfigthat points to Ollama.kubectl apply -f- <<EOF apiVersion: kagent.dev/v1alpha2 kind: ModelConfig metadata: name: llama3-model-config namespace: kagent spec: model: llama3 provider: Ollama ollama: host: agentgateway-proxy.agentgateway-system.svc.cluster.local EOFVerify that kagent is accessible and correctly functioning.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n kagent kagent-ui -o jsonpath="{.spec.clusterIP}") echo $INGRESS_GW_ADDRESSOpen the kagent UI and try the default
k8s-agentto confirm everything works end-to-end.
Governance Capabilities
Agentgateway provides policies that you can use to govern your kagent environment.
Block requests with PII
Create an
AgentgatewayPolicyresource to deny requests to the LLM provider that include PII, such as aemailstring in the request body on. For more examples, see the Guardrails docs.kubectl apply -f - <<EOF apiVersion: agentgateway.dev/v1alpha1 kind: AgentgatewayPolicy metadata: name: prompt-guard namespace: agentgateway-system spec: targetRefs: - group: gateway.networking.k8s.io kind: HTTPRoute name: ollama backend: ai: promptGuard: request: - response: message: "Rejected due to inappropriate content" regex: action: Reject matches: - "email" EOFVerify the policy by sending a prompt to your agent through the kagent UI that includes the word
email. You get a403response.
Cleanup
You can remove the resources that you created in this guide.kubectl delete agentgatewaypolicy prompt-guard -n agentgateway-system
kubectl delete modelconfig llama3-model-config -n kagent
helm uninstall kagent --namespace kagent
helm uninstall kagent-crds --namespace kagent
kubectl delete namespace kagent