| 1 | +# Least Privilege for AI |
| 2 | + |
| 3 | +## A New Challenge |
| 4 | + |
| 5 | +Everyone deploys agents into production and constantly exposes critical data. MCP and A2A standardize |
| 6 | +the communcation between agents. How do we apply the usual IAM standards to MCP? |
| 7 | + |
| 8 | +MCP is based upun JSON RPC 2.0 with some key differences. It's a sstateful protocol and has capaibilty |
| 9 | +negotiation between the agent and the server. If you want authorization, it's baked into the MCP protocol, |
| 10 | +the catch is that you have to implement it yourself. This is also lovely if you have to use third party |
| 11 | +MCP servers. |
| 12 | + |
| 13 | +This is where [Kyverno-authz](https://kyverno.io/) comes in. It allows for declarative policies. The new |
| 14 | +idea is to make the existing ValidatingPolicy work with agents. |
| 15 | + |
| 16 | +[Agentgateway](https://agentgateway.dev/) is a high performance data-plane written in Rust _lol_. It routes |
| 17 | +all traffic like a traditional gateway, it's also an inference gateway. You can use a single API for all LLM |
| 18 | +consumption, so it can translate your API calls to Anthropic calls. For this talk, it supports external authorization |
| 19 | +like Kyverno. |
| 20 | + |
| 21 | +_Why AI gateway?_ AI communication is close to traditional, but not the same. You're rate limiting on tokens, |
| 22 | +not amount of calls for example. _Why can we not use an existing proxy for MCP?_ Traditional proxies are stateless, |
| 23 | +and are optimized for short-lived request/response communication. |
| 24 | + |
| 25 | +_I'm skipping a bunch of slop on how to apply manifests using an agent, just use kubectl apply._ |
| 26 | + |
| 27 | +Instead of directly letting your Agent (e.g. OpenCode) talk to your MCP server, it must go through |
| 28 | +agent gateway. The gateway will authenticate you using and existing IdP. Before executing an action in |
| 29 | +the MCP server, agent gateway will validate with Kyverno if the user is actually allowed to do the action. |
| 30 | + |
| 31 | +## Secure MCP Servers |
| 32 | + |
| 33 | +Agentgateway only solves the authorization from client to server, but the agent can still do what it wants. |
| 34 | +Kyverno's ValidatingPolicy can be used to validate the calls from the user to the MCP server. Kyverno has |
| 35 | +an MCP CEL library to for example validate `ToolCall.name`. |
| 36 | + |
| 37 | +## Links |
| 38 | + |
| 39 | +- <https://kagent.dev/> |
| 40 | +- <https://modelcontextprotocol.io/docs/tools/inspector> |
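Review bot: the "Secure MCP Servers" section (file lines 33-35) contradicts itself: it says Agentgateway "only solves the authorization from client to server" and then says ValidatingPolicy is used "to validate the calls from the user to the MCP server", which is the same direction. Suggest stating the actual split, e.g. that the gateway decides whether the authenticated principal may reach the server at all, while the Kyverno policy (using the MCP CEL library) constrains which individual tool calls, such as `ToolCall.name`, the agent may issue on that principal's behalf. The sentence on file lines 9-10 is a comma splice and leaves "baked in" ambiguous; split it into two sentences, e.g. "Authorization is defined by the MCP protocol. The catch is that every server has to implement it itself." Spelling and grammar fixes before merge: line 6 `communcation` → `communication`; line 8 `upun` → `upon`, `sstateful` → `stateful`, `capaibilty` → `capability`; line 28 `using and existing IdP` → `using an existing IdP`; line 35 `an MCP CEL library to for example validate` → `an MCP CEL library that can, for example, validate`.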