Multi-layered guardrails
You can configure multiple prompt guards that run in sequence, creating defense-in-depth protection. Guards are evaluated in the order they appear in the configuration.
Example configuration that uses all three layers:
kubectl apply -f - <<EOF
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayPolicy
metadata:
name: content-safety-layered
namespace: agentgateway-system
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: HTTPRoute
name: openai
backend:
ai:
promptGuard:
request:
# Layer 1: Fast regex check for known patterns
- regex:
builtins:
- Ssn
- CreditCard
- Email
action: Reject
response:
message: "Request contains PII and cannot be processed"
# Layer 2: OpenAI moderation for harmful content
- openAIModeration:
policies:
auth:
secretRef:
name: openai-secret
model: omni-moderation-latest
response:
message: "Content blocked by moderation policy"
# Layer 3: Custom webhook for domain-specific checks
- webhook:
backendRef:
kind: Service
name: content-safety-webhook
port: 8000
response:
# Response guards run in same order
- regex:
builtins:
- Ssn
- CreditCard
action: Mask
- webhook:
backendRef:
kind: Service
name: content-safety-webhook
port: 8000
EOF