kagent-dev · Lasse4 · Jun 2, 2026
diff --git a/public/images/kagent-default-k8s-agent.png b/public/images/kagent-default-k8s-agent.png
diff --git a/public/images/kagent-rejected-content.png b/public/images/kagent-rejected-content.png
diff --git a/src/app/docs/kagent/examples/agentgateway/page.mdx b/src/app/docs/kagent/examples/agentgateway/page.mdx
@@ -0,0 +1,130 @@
+---
+title: "agentgateway"
+pageOrder: 1
+description: "Add governance to your kagent deployment with agentgateway"
+---
+
+import { Tabs, Tab } from '@/components/mdx/tabs';
+
+export const metadata = {
+  title: "Using agentgateway with kagent",
+  description: "Learn how to add governance to your kagent deployment using agentgateway",
+  author: "kagent.dev"
+};
+
+# Using agentgateway with kagent
+
+As your kagent deployment grows, you may need governance over how your agents communicate with LLM providers, things like access control, rate limiting, audit logging, and observability. [Agentgateway](https://agentgateway.dev) is a proxy purpose-built for AI workloads that sits between your kagent agents and your LLM provider to provide exactly this.
+
+## Prerequisites
+
+1. A running kagent installation. If you haven't installed kagent yet, follow the [quick start](/docs/kagent/getting-started/quickstart) guide first.
+2. Follow the [agentgateway installation guide](https://agentgateway.dev/docs/kubernetes/latest/quickstart/install/) to install agentgateway in your cluster.
+3. Follow the [Ollama guide](https://agentgateway.dev/docs/kubernetes/latest/llm/providers/ollama/) to install and configure Ollama as your LLM provider.
+
+## Architecture
+
+Once set up, kagent agent pods route all LLM requests through agentgateway (running in the `agentgateway-system` namespace). Agentgateway enforces your policies, auth/authz, rate limiting, audit logging, and observability. Before forwarding requests to Ollama on the host.
+
+## Configure kagent to use agentgateway
+
+With agentgateway installed, point kagent at the agentgateway proxy instead of directly at Ollama.
+
+1. If you installed kagent without agentgateway, upgrade your installation to route through the proxy.
+
+   ```shell
+   helm upgrade kagent oci://ghcr.io/kagent-dev/kagent/helm/kagent \
+     --namespace kagent \
+     --set providers.default=ollama \
+     --set providers.ollama.baseUrl=http://agentgateway-proxy.agentgateway-system.svc.cluster.local/v1 \
+     --set providers.ollama.apiKey=dummy
+   ```
+
+2. Create a `ModelConfig` that points to Ollama via the agentgateway proxy.
+
+   ```yaml
+   kubectl apply -f- <<EOF
+   apiVersion: kagent.dev/v1alpha2
+   kind: ModelConfig
+   metadata:
+     name: llama3-model-config
+     namespace: kagent
+   spec:
+     model: llama3
+     provider: Ollama
+     ollama:
+       host: agentgateway-proxy.agentgateway-system.svc.cluster.local
+   EOF
+   ```
+
+3. Verify that kagent is still accessible and correctly functioning.
+
+   <Tabs tabs={[
+     { id: 'loadbalancer', label: 'Cloud Provider LoadBalancer' },
+     { id: 'port-forward', label: 'Port-forward for local testing' }
+   ]} />
+
+   <div id="loadbalancer-tab">
+   ```shell
+   export INGRESS_GW_ADDRESS=$(kubectl get svc -n kagent kagent-ui -o jsonpath="{.spec.clusterIP}")
+   echo $INGRESS_GW_ADDRESS
+   ```
+   </div>
+
+   <div id="port-forward-tab">
+   ```shell
+   kubectl port-forward -n kagent service/kagent-ui 8082:8080
+   ```
+   </div>
+
+4. Open the kagent UI and try the default `k8s-agent` to confirm requests are flowing through agentgateway end-to-end.
+
+   ![kagent default k8s-agent UI](/images/kagent-default-k8s-agent.png "kagent default k8s-agent UI")
+
+## Apply governance policies
+
+With agentgateway in place, you can now apply policies to govern how your kagent agents interact with your LLM provider.
+
+### Block requests with PII
+
+1. Create an `AgentgatewayPolicy` resource to reject any request that contains PII, such as an email address. For more policy examples, see the [agentgateway guardrails docs](https://agentgateway.dev/docs/kubernetes/latest/llm/guardrails/regex/#block-requests-with-pii).
+
+   ```yaml
+   kubectl apply -f - <<EOF
+   apiVersion: agentgateway.dev/v1alpha1
+   kind: AgentgatewayPolicy
+   metadata:
+     name: prompt-guard
+     namespace: agentgateway-system
+   spec:
+     targetRefs:
+     - group: gateway.networking.k8s.io
+       kind: HTTPRoute
+       name: ollama
+     backend:
+       ai:
+         promptGuard:
+           request:
+           - response:
+               message: "Rejected due to inappropriate content"
+             regex:
+               action: Reject
+               matches:
+               - "email"
+   EOF
+   ```
+
+2. Verify the policy by sending a prompt to your agent through the kagent UI that includes the word `email`. You get a `403` response.
+
+   ![kagent rejected content](/images/kagent-rejected-content.png "kagent rejected content")
+
+## Cleanup
+
+To remove agentgateway-related resources from your kagent setup:
+
+```shell
+kubectl delete agentgatewaypolicy prompt-guard -n agentgateway-system
+kubectl delete modelconfig llama3-model-config -n kagent
+```
+
+To also remove agentgateway itself, follow the [agentgateway uninstall guide](https://agentgateway.dev/docs/kubernetes/latest/operations/uninstall/).
diff --git a/src/app/docs/kagent/examples/page.mdx b/src/app/docs/kagent/examples/page.mdx
@@ -31,5 +31,6 @@ import QuickLink from '@/components/quick-link';
     <QuickLink title="Human-in-the-Loop" description="Configure tool approval gates and interactive user prompts for agent oversight." href="/docs/kagent/examples/human-in-the-loop" />
     <QuickLink title="Telegram Bot" description="Build a Telegram bot to manage your Kubernetes cluster through kagent and A2A." href="/docs/kagent/examples/telegram-bot" />
     <QuickLink title="Agent Sandbox" description="Run agents in isolated sandboxes with deny-by-default networking and filesystem restrictions." href="/docs/kagent/examples/agent-sandbox" />
+    <QuickLink title="agentgateway" description="Add governance to your kagent deployment with agentgateway" href="/docs/kagent/examples/agentgateway" />
     </div>
 </div>
diff --git a/src/config/navigation.json b/src/config/navigation.json
@@ -157,6 +157,11 @@
             "title": "xAI (Grok)",
             "href": "/docs/kagent/supported-providers/xai",
             "description": "Learn how to configure xAI Grok models for kagent."
+          },
+          {
+            "title": "SAP AI Core",
+            "href": "/docs/kagent/supported-providers/sap-ai-core",
+            "description": "Learn how to configure SAP AI Core models for kagent."
           }
         ]
       },
@@ -224,6 +229,11 @@
             "title": "Human-in-the-Loop",
             "href": "/docs/kagent/examples/human-in-the-loop",
             "description": "Build a Kubernetes-native AI agent that pauses and asks for your approval before taking destructive actions."
+          },
+          {
+            "title": "agentgateway",
+            "href": "/docs/kagent/examples/agentgateway",
+            "description": "Add governance to your kagent deployment with agentgateway"
           }
         ]
       },