kagent-dev · Lasse4 · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -35,13 +35,15 @@
     "framer-motion": "^12.23.22",
     "gray-matter": "^4.0.3",
     "lucide-react": "^0.543.0",
+    "mermaid": "^11.15.0",
     "next": "^15.5.9",
     "next-mdx-remote": "^5.0.0",
     "next-themes": "^0.4.6",
     "prism-react-renderer": "^2.4.1",
     "react": "^19.1.1",
     "react-dom": "^19.1.1",
     "react-markdown": "^10.1.0",
+    "rehype-mermaid": "^3.0.0",
     "rehype-unwrap-images": "^1.0.0",
     "remark-frontmatter": "^5.0.0",
     "remark-gfm": "^4.0.1",

diff --git a/public/images/kagent-default-k8s-agent.png b/public/images/kagent-default-k8s-agent.png
diff --git a/public/images/kagent-rejected-content.png b/public/images/kagent-rejected-content.png
diff --git a/src/app/docs/kagent/examples/agentgateway/page.mdx b/src/app/docs/kagent/examples/agentgateway/page.mdx
@@ -0,0 +1,154 @@
+---
+title: "agentgateway"
+pageOrder: 1
+description: "Add governance to your kagent deployment with agentgateway"
+---
+
+import { Tabs, Tab } from '@/components/mdx/tabs';
+import { Mermaid } from '@/components/mdx/mermaid';
+
+export const metadata = {
+  title: "Using agentgateway with kagent",
+  description: "Learn how to add governance to your kagent deployment using agentgateway",
+  author: "kagent.dev"
+};
+
+# Using agentgateway with kagent
+
+As your kagent deployment grows, you might need governance over how your agents communicate with LLM providers. [Agentgateway](https://agentgateway.dev) is a proxy purpose-built for AI workloads that sits between your kagent agents and your LLM provider. This way, you can apply AgentgatewayPolicy for things like access control, rate limiting, audit logging, and observability. 
+
+## Prerequisites
+
+1. A running kagent installation. If you haven't installed kagent yet, follow the [quick start](/docs/kagent/getting-started/quickstart) guide first.
+2. Follow the [agentgateway installation guide](https://agentgateway.dev/docs/kubernetes/latest/quickstart/install/) to install agentgateway in your cluster.
+3. Set up an LLM provider with agentgateway. This guide uses [the Ollama setup](https://agentgateway.dev/docs/kubernetes/latest/llm/providers/ollama/) as an example.
+
+## Architecture
+
+Once set up, kagent agent pods route all LLM requests through agentgateway (running in the `agentgateway-system` namespace). Agentgateway enforces your policies, auth/authz, rate limiting, audit logging, and observability. Before forwarding requests to Ollama on the host.
+
+<Mermaid chart={`
+flowchart LR
+ subgraph KindCluster["kind cluster"]
+        kagentPods["kagent agent pods"]
+        agentGateway["agentgateway<br>(agentgateway-system ns)<br>• auth / authz<br>• rate limiting<br>• audit logging<br>• observability"]
+  end
+    kagentPods --> agentGateway
+    agentGateway --> ollama["Ollama<br>(host)"]
+     kagentPods:::internal
+     agentGateway:::internal
+     ollama:::external
+    classDef cluster stroke:#818cf8,fill:#eef2ff
+    classDef internal stroke:#a78bfa,fill:#f5f3ff
+    classDef external stroke:#fb923c,fill:#fff7ed
+    style kagentPods stroke:#a78bfa,fill:#ffffff
+    style agentGateway fill:#ffffff,stroke:#AA00FF
+    style ollama fill:#ffffff,stroke:#00C853
+    style KindCluster stroke:#2962FF,fill:#ffffff
+`} />
+
+## Configure kagent to use agentgateway
+
+With agentgateway installed, point kagent at the agentgateway proxy instead of directly at Ollama.
+
+1. If you installed kagent without agentgateway, upgrade your installation to route through the proxy.
+
+   ```shell
+   helm upgrade kagent oci://ghcr.io/kagent-dev/kagent/helm/kagent \
+     --reuse-values
-     --reuse-values
+     --reuse-values \
-     --reuse-values
+     --reuse-values \
+     --namespace kagent \
+     --set providers.default=ollama \
+     --set providers.ollama.baseUrl=http://agentgateway-proxy.agentgateway-system.svc.cluster.local/v1 \
+     --set providers.ollama.apiKey=dummy
+   ```
+
+2. Create a `ModelConfig` that points to Ollama via the agentgateway proxy.
+
+   ```yaml
+   kubectl apply -f- <<EOF
+   apiVersion: kagent.dev/v1alpha2
+   kind: ModelConfig
+   metadata:
+     name: llama3-model-config
+     namespace: kagent
+   spec:
+     model: llama3
+     provider: Ollama
+     ollama:
+       host: agentgateway-proxy.agentgateway-system.svc.cluster.local
+   EOF
+   ```
+
+3. Verify that kagent is still accessible and correctly functioning.
+
+   <Tabs tabs={[
+     { id: 'loadbalancer', label: 'Cloud Provider LoadBalancer' },
+     { id: 'port-forward', label: 'Port-forward for local testing' }
+   ]} />
+
+   <div id="loadbalancer-tab">
+   ```shell
+   export INGRESS_GW_ADDRESS=$(kubectl get svc -n kagent kagent-ui -o jsonpath="{.spec.clusterIP}")
+   echo $INGRESS_GW_ADDRESS
+   ```
+   </div>
+
+   <div id="port-forward-tab">
+   ```shell
+   kubectl port-forward -n kagent service/kagent-ui 8082:8080
+   ```
+   </div>
+
+4. [Open the kagent UI](/docs/kagent/observability/launch-ui).
+5. Start a chat with an agent such as `k8s-agent` to confirm that requests flow through agentgateway.
+
+   ![kagent default k8s-agent UI](/images/kagent-default-k8s-agent.png "kagent default k8s-agent UI")
+
+## Apply governance policies
+
+With agentgateway in place, you can now apply policies to govern how your kagent agents interact with your LLM provider.
+
+### Block requests with PII
+
+1. Create an `AgentgatewayPolicy` resource to reject any request that contains PII, such as an email address. For more policy examples, see the [agentgateway guardrails docs](https://agentgateway.dev/docs/kubernetes/latest/llm/guardrails/regex/#block-requests-with-pii).
+
+   ```yaml
+   kubectl apply -f - <<EOF
+   apiVersion: agentgateway.dev/v1alpha1
+   kind: AgentgatewayPolicy
+   metadata:
+     name: prompt-guard
+     namespace: agentgateway-system
+   spec:
+     targetRefs:
+     - group: gateway.networking.k8s.io
+       kind: HTTPRoute
+       name: ollama
+     backend:
+       ai:
+         promptGuard:
+           request:
+           - response:
+               message: "Rejected due to inappropriate content"
+             regex:
+               action: Reject
+               matches:
+               - "email"
+   EOF
+   ```
+
+2. Verify the policy by sending a prompt to your agent through the kagent UI that includes the word `email`. You get a `403` response.
+
+   ![kagent rejected content](/images/kagent-rejected-content.png "kagent rejected content")
+
+## Cleanup
+
+1. Remove agentgateway-related resources from your kagent setup.
+   ```shell
+   kubectl delete agentgatewaypolicy prompt-guard -n agentgateway-system
+   kubectl delete modelconfig llama3-model-config -n kagent
+   ```
+
+2. If you no longer need agentgateway, [uninstall agentgateway](https://agentgateway.dev/docs/kubernetes/latest/operations/uninstall/).
+
+3. Upgrade your kagent installation to unset agentgateway as the proxy in front of your LLM provider.
diff --git a/src/app/docs/kagent/examples/page.mdx b/src/app/docs/kagent/examples/page.mdx
@@ -31,6 +31,7 @@ import QuickLink from '@/components/quick-link';
     <QuickLink title="Human-in-the-Loop" description="Configure tool approval gates and interactive user prompts for agent oversight." href="/docs/kagent/examples/human-in-the-loop" />
     <QuickLink title="Telegram Bot" description="Build a Telegram bot to manage your Kubernetes cluster through kagent and A2A." href="/docs/kagent/examples/telegram-bot" />
     <QuickLink title="Agent Sandbox" description="Run agents in isolated sandboxes with deny-by-default networking and filesystem restrictions." href="/docs/kagent/examples/agent-sandbox" />
+    <QuickLink title="agentgateway" description="Add governance to your kagent deployment with agentgateway" href="/docs/kagent/examples/agentgateway" />
     <QuickLink title="Agent Harness" description="Provision OpenClaw, NemoClaw, and Hermes sandboxes with the AgentHarness API." href="/docs/kagent/examples/agent-harness" />
     </div>
 </div>
diff --git a/src/components/mdx/mermaid.tsx b/src/components/mdx/mermaid.tsx
@@ -0,0 +1,20 @@
+'use client';
+
+import { useEffect, useRef, useId } from 'react';
+import mermaid from 'mermaid';
+
+export function Mermaid({ chart }: { chart: string }) {
+  const id = useId().replace(/:/g, '');
+  const ref = useRef<HTMLDivElement>(null);
+
+  useEffect(() => {
+    mermaid.initialize({ startOnLoad: false, theme: 'neutral' });
+    if (ref.current) {
+      mermaid.render(id, chart).then(({ svg }) => {
+        if (ref.current) ref.current.innerHTML = svg;
+      });
+    }
+  }, [chart, id]);
+
+  return <div ref={ref} />;
+}
diff --git a/src/config/navigation.json b/src/config/navigation.json
@@ -178,6 +178,11 @@
             "href": "/docs/kagent/examples/agent-sandbox",
             "description": "Run agents in isolated sandboxes with deny-by-default networking and filesystem restrictions."
           },
+          {
+            "title": "agentgateway",
+            "href": "/docs/kagent/examples/agentgateway",
+            "description": "Add governance to your kagent deployment with agentgateway"
+          },
           {
             "title": "Using kagent agents via MCP",
             "href": "/docs/kagent/examples/agents-mcp",