This tutorial walks through setting up an AI, MCP, and Agent-to-Agent (A2A) Gateway with KubeLB using agentgateway.
agentgateway is an Envoy-based data plane that implements the Kubernetes Gateway API and adds first-class support for LLM traffic, Model Context Protocol (MCP) servers, and Agent-to-Agent (A2A) connectivity. Enabled as an addon in the kubelb-addons chart, it lets the management cluster terminate AI/agent traffic.
Refer to the upstream agentgateway documentation for the complete feature set (provider list, prompt guards, inference routing, rate limiting, observability, etc.). This page only covers enabling the addon and a minimal end-to-end example.
Gateway API support must be enabled for the manager (`kubelb.enableGatewayAPI: true` in the manager values). Enable the addon in `values.yaml` for the KubeLB manager chart:
```yaml
kubelb:
  enableGatewayAPI: true

kubelb-addons:
  enabled: true
  agentgateway:
    enabled: true
```
Apply the chart. The addon installs the agentgateway control plane, the `AgentgatewayBackend` CRD (API group `agentgateway.dev/v1alpha1`), and registers the `agentgateway` GatewayClass that the examples below reference.
Provision a Gateway that uses the agentgateway GatewayClass. The proxy Deployment and Service are created automatically from this resource.
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: agentgateway-proxy
  namespace: kubelb
spec:
  gatewayClassName: agentgateway
  listeners:
    - name: http
      protocol: HTTP
      port: 8080
      allowedRoutes:
        namespaces:
          from: All
```
This example routes requests to OpenAI through agentgateway using the AgentgatewayBackend CRD.
```bash
export OPENAI_API_KEY="sk-..."

kubectl create secret generic openai-secret \
  --namespace kubelb \
  --from-literal=Authorization="${OPENAI_API_KEY}"
```
The literal key must be `Authorization` with the raw API key as its value; agentgateway prepends the `Bearer` prefix when forwarding requests to OpenAI.
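The transformation described above can be illustrated with a short sketch (this is not agentgateway source code, just a model of the documented behavior: Kubernetes stores Secret values base64-encoded, and the gateway adds the `Bearer` scheme on the upstream request):

```python
import base64


def forwarded_auth_header(secret_data: dict) -> str:
    """Model the documented behavior: decode the Secret's raw API key
    stored under the "Authorization" key and prepend the Bearer scheme,
    as agentgateway does when forwarding to OpenAI."""
    raw_key = base64.b64decode(secret_data["Authorization"]).decode()
    return f"Bearer {raw_key}"


# A Secret as Kubernetes stores it (data values are base64-encoded):
secret = {"Authorization": base64.b64encode(b"sk-example-key").decode()}
print(forwarded_auth_header(secret))  # prints "Bearer sk-example-key"
```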
```yaml
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayBackend
metadata:
  name: openai
  namespace: kubelb
spec:
  ai:
    provider:
      openai:
        model: gpt-3.5-turbo
    policies:
      auth:
        secretRef:
          name: openai-secret
```
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: openai
  namespace: kubelb
spec:
  parentRefs:
    - name: agentgateway-proxy
      namespace: kubelb
  rules:
    - backendRefs:
        - name: openai
          namespace: kubelb
          group: agentgateway.dev
          kind: AgentgatewayBackend
```
agentgateway automatically rewrites incoming requests to OpenAI’s `/v1/chat/completions` endpoint.
Get the Gateway address, then send a chat-completion request:
```bash
export GATEWAY_IP=$(kubectl get gateway agentgateway-proxy -n kubelb \
  -o jsonpath='{.status.addresses[0].value}')

curl "http://${GATEWAY_IP}:8080/v1/chat/completions" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      {"role": "system", "content": "You are helpful."},
      {"role": "user", "content": "Hello"}
    ]
  }'
```
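Because the gateway exposes an OpenAI-compatible endpoint, any HTTP client can send the same request programmatically. A minimal Python sketch (the gateway address is a placeholder; note the body carries no `model` field, since the model is fixed by the `AgentgatewayBackend`):

```python
import json
import urllib.request


def build_chat_request(gateway_url: str, messages: list) -> urllib.request.Request:
    """Build a chat-completion request for the gateway. The model is set
    by the AgentgatewayBackend, so the body only carries the messages."""
    body = json.dumps({"messages": messages}).encode()
    return urllib.request.Request(
        f"{gateway_url}/v1/chat/completions",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


req = build_chat_request(
    "http://203.0.113.10:8080",  # placeholder; use your Gateway address
    [
        {"role": "system", "content": "You are helpful."},
        {"role": "user", "content": "Hello"},
    ],
)
# Against a live gateway: urllib.request.urlopen(req) returns the
# OpenAI-format chat-completion response.
```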
For additional providers (Anthropic, Gemini, Mistral, Ollama, etc.), failover, prompt guards, and token-based rate limiting, see the LLM consumption guide.
agentgateway can federate one or more Model Context Protocol (MCP) servers behind a single endpoint. The same `AgentgatewayBackend` CRD is used, with an `mcp` spec instead of `ai`:
```yaml
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayBackend
metadata:
  name: mcp-backend
  namespace: kubelb
spec:
  mcp:
    targets:
      - name: mcp-target
        backendRef:
          name: mcp-website-fetcher
          port: 80
        protocol: SSE
```
`backendRef.name` must resolve to a Kubernetes Service in the same namespace as the `AgentgatewayBackend`. Attach the backend to the Gateway with an HTTPRoute scoped to the `/mcp` path prefix so MCP traffic is not routed to an LLM or other backend:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: mcp
  namespace: kubelb
spec:
  parentRefs:
    - name: agentgateway-proxy
      namespace: kubelb
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /mcp
      backendRefs:
        - name: mcp-backend
          namespace: kubelb
          group: agentgateway.dev
          kind: AgentgatewayBackend
```
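Once the route is attached, MCP clients speak JSON-RPC 2.0 against the `/mcp` endpoint. As a rough illustration of what arrives at the federated servers (the client name, version, and protocol revision here are placeholders, not values required by agentgateway), the first message a client sends is an `initialize` request:

```python
import json


def mcp_initialize_request(request_id: int = 1) -> str:
    """Serialize the JSON-RPC 2.0 initialize message an MCP client
    sends first; field values below are illustrative placeholders."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "initialize",
        "params": {
            "protocolVersion": "2024-11-05",  # example MCP revision
            "capabilities": {},
            "clientInfo": {"name": "example-client", "version": "0.1.0"},
        },
    })


msg = mcp_initialize_request()
# POSTing msg to http://<gateway>/mcp would start the MCP handshake.
```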
For static vs. dynamic targets, virtual MCP aggregation, tool-level access control, JWT auth, and rate limiting, see the MCP connectivity guide.
agentgateway also proxies Agent-to-Agent (A2A) traffic for connecting AI agents through the gateway. See the Agent connectivity guide for configuration.