https://github.com/kagenti/kagenti-operator
Kubernetes operator for deploying and lifecycle management of Agents and Tools
- Host: GitHub
- URL: https://github.com/kagenti/kagenti-operator
- Owner: kagenti
- License: apache-2.0
- Created: 2025-03-26T15:27:14.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2026-04-03T02:47:03.000Z (2 months ago)
- Last Synced: 2026-04-03T11:53:33.012Z (2 months ago)
- Topics: kubernetes, lifecycle-management, operator
- Language: Go
- Homepage:
- Size: 107 MB
- Stars: 8
- Watchers: 3
- Forks: 33
- Open Issues: 32
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
README
# Kagenti Operator
[License: Apache-2.0](LICENSE)

**Kagenti Operator** is a Kubernetes operator that automates the deployment, discovery, and security of AI agents in Kubernetes clusters.
## Overview
The Kagenti Operator manages the following Custom Resource Definition (CRD):
| Resource | Purpose |
|----------|---------|
| **[AgentCard](./kagenti-operator/docs/api-reference.md#agentcard)** | Discovers, indexes, and verifies agent metadata for Kubernetes-native agent discovery |
Agents are deployed as standard Kubernetes **Deployments** or **StatefulSets** with the `kagenti.io/type: agent` label. The operator automatically discovers labeled workloads and creates AgentCard resources for them.
### Key Features
- **Agent Deployment** — Deploy agents using standard Kubernetes Deployments or StatefulSets with the `kagenti.io/type: agent` label
- **Dynamic Agent Discovery** — Automatic indexing of agent metadata via the A2A protocol
- **Signature Verification** — JWS-based cryptographic verification of agent cards (RSA, ECDSA)
- **Identity Binding** — SPIFFE-based workload identity binding with allowlist enforcement
- **Network Policy Enforcement** — Automatic NetworkPolicy creation based on signature verification status
- **Flexible Configuration** — Complete control over pod specifications, service ports, and environment variables
- **Multi-Framework Support** — Works with LangGraph, CrewAI, AG2, and any A2A-compatible framework
## Architecture
```mermaid
graph TD;
subgraph Kubernetes
direction TB
style Kubernetes fill:#f0f4ff,stroke:#8faad7,stroke-width:2px
User[User/App]
style User fill:#ffecb3,stroke:#ffa000
Workload["Deployment / StatefulSet\n(with kagenti labels)"]
style Workload fill:#e1f5fe,stroke:#039be5
User -->|Creates| Workload
AgentCardSync[AgentCard Sync Controller]
style AgentCardSync fill:#ffe0b2,stroke:#fb8c00
AgentCardController[AgentCard Controller]
style AgentCardController fill:#ffe0b2,stroke:#fb8c00
NetworkPolicyController[NetworkPolicy Controller]
style NetworkPolicyController fill:#ffe0b2,stroke:#fb8c00
AgentPod[Agent Pod]
style AgentPod fill:#c8e6c9,stroke:#66bb6a
AgentCardCRD["AgentCard CR"]
style AgentCardCRD fill:#e1f5fe,stroke:#039be5
NetworkPolicy["NetworkPolicy"]
style NetworkPolicy fill:#ffcdd2,stroke:#e57373
Workload -->|Deploys| AgentPod
Workload -->|Watches| AgentCardSync
AgentCardSync -->|Auto-creates| AgentCardCRD
AgentCardCRD -->|Reconciles| AgentCardController
AgentCardController -->|Fetches /.well-known/agent-card.json| AgentPod
AgentCardController -->|Verifies signatures & identity| AgentCardCRD
AgentCardCRD -->|Reconciles| NetworkPolicyController
NetworkPolicyController -->|Creates| NetworkPolicy
end
```
The operator runs three controllers:
| Controller | Purpose |
|------------|---------|
| **AgentCard Sync Controller** | Watches Deployments/StatefulSets with agent labels and auto-creates AgentCard resources |
| **AgentCard Controller** | Fetches agent card data from running agents, verifies signatures, evaluates identity binding |
| **NetworkPolicy Controller** | Creates permissive or restrictive NetworkPolicies based on signature verification status |
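How the three checks above (signature, identity binding, allowlist) combine into a single fail-closed policy decision, as an added example rather than the operator's own code. It assumes a JWS compact serialization with ES256 over the card JSON and a `spiffeId` claim inside the signed card; the real card signing format used by the project, the function names `verifyCardES256`/`evaluate`, and the sample SPIFFE ID are all constructed for illustration. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Policy mirrors the two NetworkPolicy modes the README describes.
type Policy string
const PolicyPermissive, PolicyRestrictive Policy = "permissive", "restrictive"

// AgentCard is a cut-down card; the spiffeId claim is this example's assumption.
type AgentCard struct {
	SPIFFEID string `json:"spiffeId"`
}

// Verdict is what a controller would record in the AgentCard status.
type Verdict struct{ Verified bool; Policy Policy; Reason string }
var b64 = base64.RawURLEncoding

func genKey() *ecdsa.PrivateKey { // throwaway P-256 key for fixtures
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the RNG does
	return k
}

// signCardES256 builds a JWS compact serialization (ES256) over the card JSON.
// Fixture-only: a real card is signed by its publisher, not by the operator.
func signCardES256(card []byte, priv *ecdsa.PrivateKey) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString(card)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 carries fixed-width R||S, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyCardES256 checks the JWS against a pinned algorithm and key and returns the
// signed payload. The alg header never selects the verifier ("none" cannot bypass it).
func verifyCardES256(jws string, pub *ecdsa.PublicKey) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS: expected three segments")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected or unreadable alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad ES256 signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed")
	}
	return b64.DecodeString(parts[1])
}

// evaluate chains the checks the README assigns to the controllers: signature, identity
// binding (observedID is the SPIFFE ID the workload presented), allowlist. Fail-closed.
func evaluate(jws string, pub *ecdsa.PublicKey, observedID string, allow map[string]bool) Verdict {
	payload, err := verifyCardES256(jws, pub)
	if err != nil {
		return Verdict{false, PolicyRestrictive, "signature: " + err.Error()}
	}
	var card AgentCard
	if err := json.Unmarshal(payload, &card); err != nil {
		return Verdict{false, PolicyRestrictive, "card: " + err.Error()}
	}
	if card.SPIFFEID == "" || card.SPIFFEID != observedID {
		return Verdict{false, PolicyRestrictive, "identity binding mismatch"}
	}
	if !allow[card.SPIFFEID] {
		return Verdict{false, PolicyRestrictive, "spiffe id not allowlisted"}
	}
	return Verdict{true, PolicyPermissive, "verified"}
}

func main() {
	priv := genKey()
	id := "spiffe://example.org/ns/agents/sa/weather-agent" // constructed sample identity
	card, _ := json.Marshal(AgentCard{SPIFFEID: id})
	jws, _ := signCardES256(card, priv)
	fmt.Println(evaluate(jws, &priv.PublicKey, id, map[string]bool{id: true}))
	p := strings.Split(jws, ".") // tamper with the payload: the signature no longer matches
	p[1] = b64.EncodeToString([]byte(strings.Replace(string(card), "weather", "evil", 1)))
	fmt.Println(evaluate(strings.Join(p, "."), &priv.PublicKey, id, map[string]bool{id: true}))
}
```

Two design points carry over to any real verifier: the algorithm is pinned by the verifier rather than read from the token (a verifier that honours `alg` from the header is open to `none` and RSA/HMAC key-confusion attacks), and every failure, including a card that verifies but names a SPIFFE ID the workload did not present, lands on the restrictive policy.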
## Quick Start
### Prerequisites
- Kubernetes cluster (v1.28+) or OpenShift (v4.19+)
- kubectl configured to access your cluster
### Install the Operator
**Option A — OpenShift (recommended for OCP)**
Use [`scripts/ocp/setup-kagenti.sh`](https://github.com/kagenti/kagenti/blob/main/scripts/ocp/setup-kagenti.sh) from the [kagenti](https://github.com/kagenti/kagenti) repo. It handles RBAC, SCCs, and Helm installation in one step.
By default the script installs the released operator version pinned as a chart dependency in the `kagenti` repo's `charts/kagenti/Chart.yaml`. For development with a local build of this operator, two flags let you override that:
```bash
# Use a local chart and/or a custom operator image instead of the released version
./scripts/ocp/setup-kagenti.sh \
--operator-repo /path/to/kagenti-operator \
--operator-image quay.io//kagenti-operator:dev
```
`--operator-repo` accepts a local clone of this repository and substitutes its `charts/kagenti-operator` chart in place of the pinned dependency. `--operator-image` overrides the container image the chart pulls.
**Option B — Plain Kubernetes (Helm)**
```bash
# Install the operator using OCI chart
helm install kagenti-operator \
oci://ghcr.io/kagenti/kagenti-operator/kagenti-operator-chart \
--version 0.2.0-alpha.19 \
--namespace kagenti-system \
--create-namespace
```
### Deploy Your First Agent
Deploy an agent as a standard Kubernetes Deployment with the required `kagenti.io/type: agent` label:
```bash
kubectl apply -f - <<EOF
```
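The manifest body is cut off in this copy of the README. The following is an added example, not taken from the project, of a Deployment in the shape the text describes. The namespace, names, image and port are placeholders; the `kagenti.io/type: agent` label is the one the README requires, and the container must serve `/.well-known/agent-card.json` on the listed port because that is what the AgentCard controller fetches. The `securityContext` is this editor's hardening and is not something the operator requires.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: weather-agent            # placeholder name
  namespace: agents              # placeholder namespace
  labels:
    kagenti.io/type: agent       # required: the sync controller discovers this label
spec:
  replicas: 1
  selector:
    matchLabels:
      app: weather-agent
  template:
    metadata:
      labels:
        app: weather-agent
        kagenti.io/type: agent   # also on the pod so the label survives selectors
    spec:
      containers:
        - name: agent
          image: ghcr.io/example/weather-agent:1.0.0   # placeholder image
          ports:
            - name: http
              containerPort: 8000   # must serve /.well-known/agent-card.json
          securityContext:          # editor's hardening, not an operator requirement
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
```

After applying, `kubectl get agentcards -n agents` should show an AgentCard created by the sync controller; its status, and the NetworkPolicy that follows from it, depend on whether the fetched card's signature and identity binding verify.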