+ For agent images that are in private container registries, you can use an image pull secret with the credentials to the registry.
+
+ First, create the Secret.
+ ```sh
+ kubectl create secret docker-registry my-registry-secret --docker-server=
--docker-username= --docker-password= -n kagent
+ ```
+
+ Then, add `imagePullSecrets` to refer to the Secret that you just created.
+ ```yaml
+ kubectl apply -f - <
## Testing the A2A endpoint
@@ -296,3 +339,22 @@ To use lifespan hooks in your ADK agent, create a lifespan function and pass it
lifespan=lifespan.lifespan # Pass the lifespan function
)
```
+
+### A2A max payload size
+
+BYO agents accept A2A requests with a default maximum payload size of 10 MB. For agents that need to handle larger payloads (for example, when processing large file attachments), set the `A2A_MAX_CONTENT_LENGTH` environment variable in the agent deployment.
+
+Example: Allow 50 MB payloads:
+
+```yaml
+spec:
+ type: BYO
+ byo:
+ deployment:
+ image: ghcr.io/my-org:latest
+ env:
+ - name: A2A_MAX_CONTENT_LENGTH
+ value: "52428800" # 50 MB in bytes
+```
+
+Set to `0`, `none`, or `unlimited` for no limit (use with caution).
diff --git a/src/app/docs/kagent/examples/skills/page.mdx b/src/app/docs/kagent/examples/skills/page.mdx
index 7f4a17c6..cb328a90 100644
--- a/src/app/docs/kagent/examples/skills/page.mdx
+++ b/src/app/docs/kagent/examples/skills/page.mdx
@@ -49,7 +49,6 @@ To create a container-based skill, package your skill files into a container ima
name: k8s-deploy-skill
description: Deploy simple applications to Kubernetes with customizable replicas and port
---
-
# Kubernetes simple deploy skill
Use this skill when users want to deploy a basic app on the Kubernetes cluster.
@@ -286,9 +285,9 @@ spec:
name: kagent-tool-server
kind: RemoteMCPServer
toolNames:
- - k8s_apply_manifest
- k8s_get_resources
- k8s_describe_resource
+ - k8s_apply_manifest
systemMessage: |
You are a Kubernetes assistant that helps users deploy and manage applications.
You have access to skills that can help automate common tasks.
diff --git a/src/app/docs/kagent/operations/operational-considerations/page.mdx b/src/app/docs/kagent/operations/operational-considerations/page.mdx
index 4998b923..2a48d89a 100644
--- a/src/app/docs/kagent/operations/operational-considerations/page.mdx
+++ b/src/app/docs/kagent/operations/operational-considerations/page.mdx
@@ -4,6 +4,8 @@ pageOrder: 1
description: "Important operational considerations when running kagent in production."
---
+import { Tabs, Tab } from '@/components/mdx/tabs';
+
export const metadata = {
title: "Operational Considerations",
description: "Important operational considerations when running kagent in production.",
@@ -14,6 +16,57 @@ export const metadata = {
Review the following operational considerations when running kagent in production environments, including database configuration, high availability, and secret management.
+## Secure execution environment
+
+Kagent supports Kubernetes security contexts to run agents and tool servers with reduced privileges. Configure `securityContext` and `podSecurityContext` on your Agent or ToolServer resources to enforce secure execution.
+
+Common settings include:
+
+- **`runAsNonRoot: true`**: Ensures the container does not run as root.
+- **`runAsUser`**: Specifies the user ID for the container process.
+- **`readOnlyRootFilesystem`**: Mounts the root filesystem as read-only when possible.
+
+
+
+
+Set these in `spec.declarative.deployment.podSecurityContext` and `spec.declarative.deployment.securityContext`.
+
+```yaml
+spec:
+ type: Declarative
+ declarative:
+ deployment:
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+```
+
+
+
+Set these in `spec.byo.deployment.podSecurityContext` and `spec.byo.deployment.securityContext`.
+
+```yaml
+spec:
+ type: BYO
+ byo:
+ deployment:
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+```
+
+
+At the Helm chart level, you can set global defaults with `podSecurityContext` and `securityContext` in your values. For more information, see the [Kubernetes SecurityContext documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
+
## Automatic agent restart on secret updates
Kagent automatically restarts agents when you update the secrets that the agents reference. This restart ensures that agents pick up new API keys, TLS certificates, and other secret values without manual intervention.
@@ -60,6 +113,24 @@ controller:
- **Leader election**: Leader election uses Kubernetes leases and is handled automatically.
- **Failover**: If the leader fails, another replica automatically becomes the leader.
+## Proxy configuration for agent traffic
+
+When agents and MCP servers run behind an API gateway or proxy, you can configure kagent to route agent-to-agent and agent-to-MCP traffic through that proxy. Set `proxy.url` in your Helm values to the proxy endpoint.
+
+The proxy applies to:
+
+- Agent-to-agent traffic (when one agent invokes another as a tool)
+- Agent-to-MCP-server traffic (when agents call ToolServers, Services, or RemoteMCPServers with internal Kubernetes URLs)
+
+Example Helm configuration:
+
+```yaml
+proxy:
+ url: "http://proxy.kagent.svc.cluster.local:8080"
+```
+
+The controller rewrites internal URLs to use the proxy and sets the `x-kagent-host` header so the proxy can route requests to the correct backend. External URLs (for example, RemoteMCPServers pointing to `https://external.example.com`) are not rewritten.
+
### Use PostgreSQL for scaling
To scale the controller to multiple replicas, configure PostgreSQL as the database backend. You can enable PostgreSQL by using the Helm `--set` flag or values file.
diff --git a/src/app/docs/kagent/resources/helm/page.mdx b/src/app/docs/kagent/resources/helm/page.mdx
index 20aa3fb4..5e18e9bb 100644
--- a/src/app/docs/kagent/resources/helm/page.mdx
+++ b/src/app/docs/kagent/resources/helm/page.mdx
@@ -108,9 +108,9 @@ A Helm chart for kagent, built with Google ADK
| controller.service.ports.port | int | `8083` | |
| controller.service.ports.targetPort | int | `8083` | |
| controller.service.type | string | `"ClusterIP"` | |
-| controller.streaming.initialBufSize | string | `"4Ki"` | |
-| controller.streaming.maxBufSize | string | `"1Mi"` | |
-| controller.streaming.timeout | string | `"600s"` | |
+| controller.streaming.initialBufSize | string | `"4Ki"` | Initial size of the A2A streaming buffer. |
+| controller.streaming.maxBufSize | string | `"1Mi"` | Maximum size of the A2A streaming buffer. |
+| controller.streaming.timeout | string | `"600s"` | Timeout for A2A streaming connections. |
| controller.tolerations | list | `[]` | Node taints which will be tolerated for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). |
| controller.volumeMounts | list | `[]` | |
| controller.volumes | list | `[]` | |
@@ -126,7 +126,7 @@ A Helm chart for kagent, built with Google ADK
| grafana-mcp.resources.requests.cpu | string | `"100m"` | |
| grafana-mcp.resources.requests.memory | string | `"128Mi"` | |
| imagePullPolicy | string | `"IfNotPresent"` | |
-| imagePullSecrets | list | `[]` | |
+| imagePullSecrets | list | `[]` | Image pull secrets for pulling agent and tool images from private registries. You can also set `imagePullSecrets` per agent in the Agent `deployment` spec. |
| kagent-tools.enabled | bool | `true` | |
| kagent-tools.fullnameOverride | string | `"kagent-tools"` | |
| kagent-tools.replicaCount | int | `1` | |
@@ -178,7 +178,7 @@ A Helm chart for kagent, built with Google ADK
| providers.openAI.apiKeySecretRef | string | `"kagent-openai"` | |
| providers.openAI.model | string | `"gpt-4.1-mini"` | |
| providers.openAI.provider | string | `"OpenAI"` | |
-| proxy.url | string | `""` | |
+| proxy.url | string | `""` | Proxy URL for routing agent-to-agent and agent-to-MCP traffic through a gateway (for example, `http://proxy.kagent.svc.cluster.local:8080`). When set, the controller routes internal Kubernetes URLs (agents, MCP servers, services) through this proxy. The proxy uses the `x-kagent-host` header for routing. Omit for direct connections. |
| querydoc.image.pullPolicy | string | `"IfNotPresent"` | |
| querydoc.image.registry | string | `"ghcr.io"` | |
| querydoc.image.repository | string | `"kagent-dev/doc2vec/mcp"` | |
diff --git a/src/app/docs/kagent/supported-providers/amazon-bedrock/page.mdx b/src/app/docs/kagent/supported-providers/amazon-bedrock/page.mdx
index 8a53e50a..833e46b9 100644
--- a/src/app/docs/kagent/supported-providers/amazon-bedrock/page.mdx
+++ b/src/app/docs/kagent/supported-providers/amazon-bedrock/page.mdx
@@ -1,68 +1,115 @@
---
title: "Amazon Bedrock"
pageOrder: 1
-description: "Use Amazon Bedrock models with kagent via the OpenAI Chat Completions API."
+description: "Use Amazon Bedrock models with kagent via the native Bedrock provider or the OpenAI Chat Completions API."
---
export const metadata = {
title: "Amazon Bedrock",
- description: "Use Amazon Bedrock models with kagent via the OpenAI Chat Completions API.",
+ description: "Use Amazon Bedrock models with kagent via the native Bedrock provider or the OpenAI Chat Completions API.",
author: "kagent.dev"
};
# Amazon Bedrock
-You can use Amazon Bedrock models with kagent by leveraging AWS Bedrock's [OpenAI Chat Completions API](https://docs.aws.amazon.com/bedrock/latest/userguide/inference-chat-completions.html).
+You can use Amazon Bedrock models with kagent in two ways: the native Bedrock provider (recommended) or the OpenAI-compatible API interface.
-## Step 1: Prepare your AWS details
+## Option 1: Native Bedrock provider
+
+The native Bedrock provider uses AWS IAM credentials and the Bedrock API directly. Use this option when you want the simplest configuration and full Bedrock feature support.
+
+### Step 1: Prepare your AWS credentials
+
+1. Create an IAM user or role with permissions for Bedrock. You need at least `bedrock:InvokeModel` for the models you use. For more information, see the [AWS Bedrock model access docs](https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html).
+
+2. Choose the AWS region and Bedrock model. Refer to the [AWS Bedrock supported models documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html).
+ - Example regions: `us-east-1` or `us-west-2`
+ - Example model IDs: `us.anthropic.claude-sonnet-4-20250514-v1:0` or `amazon.titan-text-express-v1`
+
+3. Create a Kubernetes secret with your AWS credentials in the same namespace as your agent, typically `kagent`:
+
+ ```bash
+ kubectl create secret generic bedrock-credentials -n kagent \
+ --from-literal=AWS_ACCESS_KEY_ID= \
+ --from-literal=AWS_SECRET_ACCESS_KEY=
+ ```
+
+### Step 2: Create the ModelConfig
+
+```yaml
+kubectl apply -f - <
```
-4. Create a Kubernetes secret that stores your AWS API key in the same namespace as your agent, typically `kagent`.
+4. Create a Kubernetes secret that stores your AWS API key in the same namespace as your agent, typically `kagent`:
```bash
kubectl create secret generic kagent-bedrock -n kagent --from-literal AWS_API_KEY=$AWS_API_KEY
```
-## Step 2: Create the ModelConfig
-
-1. Create a ModelConfig resource that uses the OpenAI-compatible API interface.
-
- ```yaml
- kubectl apply -f - <.amazonaws.com/openai/v1`. |
-
-## Next Steps
-
- Now that you configured your Bedrock model, you can [create or update an agent](https://kagent.dev/docs/kagent/getting-started/first-agent) to use this model configuration.
+### Step 2: Create the ModelConfig
+
+```yaml
+kubectl apply -f - <.amazonaws.com/openai/v1`. |
+
+## Next steps
+
+Now that you have configured your Bedrock model, you can [create or update an agent](https://kagent.dev/docs/kagent/getting-started/first-agent) to use this model configuration.
diff --git a/src/config/navigation.json b/src/config/navigation.json
index 58a0822f..65f6ce82 100644
--- a/src/config/navigation.json
+++ b/src/config/navigation.json
@@ -99,7 +99,7 @@
{
"title": "Amazon Bedrock",
"href": "/docs/kagent/supported-providers/amazon-bedrock",
- "description": "Use Amazon Bedrock models with kagent via the OpenAI Chat Completions API."
+ "description": "Use Amazon Bedrock models with kagent via the native Bedrock provider or the OpenAI Chat Completions API."
},
{
"title": "Anthropic",