Setting Up KubernetesDeployer with GovernanceConfig for Agent Deployment

Setting up the KubernetesDeployer with GovernanceConfig requires mounting a Kubernetes ConfigMap containing YAML policy files into the Policy Server via Helm, enabling live policy enforcement across the Agent Mesh without cluster redeployment.

The Microsoft Agent Governance Toolkit (AGT) ships a production-ready Kubernetes deployment flow that couples the Agent Mesh runtime with a declarative GovernanceConfig. By configuring the KubernetesDeployer to reference policy ConfigMaps, operators can enforce governance rules on agent workloads while allowing the Policy Server to hot-reload policies at runtime.

Architecture Overview

The KubernetesDeployer provisions three stateless core components through Helm charts located in agent-governance-python/agent-mesh/charts/agentmesh/. Because these components lack local state, horizontal scaling is achieved by adjusting replica counts in the Helm values file.

  • Policy Server (deployment-policy-server.yaml): Stores and evaluates governance policies (YAML) for agents at runtime. It mounts the Governance ConfigMap read-only and reloads policies on change.
  • Trust Engine (deployment-trust-engine.yaml): Enforces policy decisions by injecting them into the agent’s execution context.
  • Agent Mesh API Gateway (deployment-api-gateway.yaml): Exposes the agent-service API and forwards calls through the Trust Engine.

Prerequisites

Before configuring the KubernetesDeployer, ensure you have:

  • A running Kubernetes cluster (1.24+).
  • Helm 3.12+ installed locally.
  • kubectl configured with cluster-admin privileges for the target namespace.

Step-by-Step Deployment

1. Create the Governance ConfigMap

The GovernanceConfig lives as a standard Kubernetes ConfigMap containing one or more policy YAML files. Create a manifest that references the AGT policy schema, as seen in examples/smolagents-governed/policies/research_governance_policy.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: agent-governance-policies
  namespace: agt
data:
  research_governance_policy.yaml: |
    policy:
      name: "ResearchSafety"
      description: "Enforce safe-search for research agents"
      rules:
        - id: "no-malicious-url"
          type: "url-allowlist"
          allow:
            - "https://arxiv.org/**"
            - "https://pubmed.ncbi.nlm.nih.gov/**"
        - id: "max-tokens"
          type: "quota"
          maxTokens: 2048
  loan_governance.yaml: |
    # Additional policy files can be added here

Apply the ConfigMap:

kubectl apply -f governance-configmap.yaml

2. Configure Helm Values

In agent-governance-python/agent-mesh/charts/agentmesh/values.yaml, reference the ConfigMap name and set the reload interval. The Trust Engine and API Gateway replicas can be adjusted for workload size:

policyServer:
  configMapName: agent-governance-policies
  reloadIntervalSeconds: 30

trustEngine:
  replicaCount: 2

apiGateway:
  replicaCount: 2
  env:
    - name: AGENT_GOVERNANCE_URL
      value: "http://policy-server.agt.svc.cluster.local:8080"

3. Deploy the Agent Mesh

Run helm upgrade to render the three deployments and inject the ConfigMap into the Policy Server pod:

helm upgrade --install agt-mesh \
  ./agent-governance-python/agent-mesh/charts/agentmesh \
  -f values.yaml \
  --namespace agt --create-namespace

Helm templates located at agent-governance-python/agent-mesh/charts/agentmesh/templates/deployment-policy-server.yaml handle mounting the ConfigMap as a read-only volume, while deployment-trust-engine.yaml and deployment-api-gateway.yaml establish the enforcement and ingress layers.

4. Launch Governed Agents

Agents connect to the Policy Server via the AGENT_GOVERNANCE_URL environment variable. Deploy an agent workload that points to the internal service endpoint:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: claude-desktop-agent
  namespace: agt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: claude-desktop
  template:
    metadata:
      labels:
        app: claude-desktop
    spec:
      containers:
        - name: agent
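          # :latest is a mutable tag; pin to an image digest in production so the
          # governed workload cannot change without a manifest change.
          image: ghcr.io/microsoft/agent-clause-desktop:latest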
          env:
            - name: AGENT_GOVERNANCE_URL
              value: "http://policy-server.agt.svc.cluster.local:8080"
          ports:
            - containerPort: 8080

Agents automatically query the Trust Engine for policy decisions on each request. As implemented in agent-governance-python/agent-os/examples/integrations/governance_quickstart.py, this integration requires no code changes beyond the environment variable configuration.

Validating Policies

Before loading policies into the cluster, validate YAML syntax and schema compliance using the governance gate script:

python scripts/governance_gate.py --policy-file examples/smolagents-governed/policies/research_governance_policy.yaml

This utility checks for malformed rules or missing required fields that would cause the Policy Server to fail startup, preventing deployment-time errors in production environments.
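A pre-deployment lint for the policy format shown in step 1, as an added example (not the project's governance_gate.py). The required fields and rule types are inferred from the sample policy on this page and the real AGT schema may differ; it works on a policy already parsed by a YAML loader, and all function names are hypothetical.

```python
# Added example: field names and rule types are inferred from the sample
# policy on this page, not taken from the AGT schema.
from urllib.parse import urlsplit

def check_allow_pattern(pattern):
    """Return a problem string for a risky allowlist entry, else None."""
    if not isinstance(pattern, str) or not pattern:
        return "allow entry must be a non-empty string"
    parts = urlsplit(pattern)
    if parts.scheme != "https":
        return f"{pattern}: scheme must be https"
    if not parts.netloc or "*" in parts.netloc or "@" in parts.netloc:
        return f"{pattern}: host must be a literal name"
    if not parts.path.startswith("/"):
        return f"{pattern}: host must end with '/' before any glob"
    return None

def lint_policy(doc):
    """Return (rule_id, problem) pairs for one parsed policy file."""
    policy = doc.get("policy") if isinstance(doc, dict) else None
    if not isinstance(policy, dict):
        return [("<file>", "missing top-level 'policy' mapping")]
    findings = [] if policy.get("name") else [("<policy>", "missing 'name'")]
    rules = policy.get("rules")
    if not isinstance(rules, list) or not rules:
        return findings + [("<policy>", "'rules' must be a non-empty list")]
    for index, rule in enumerate(rules):
        rule = rule if isinstance(rule, dict) else {}
        rid = rule.get("id") or f"<rule {index}>"
        kind = rule.get("type")
        if kind == "url-allowlist":
            allow = rule.get("allow")
            if not isinstance(allow, list) or not allow:
                findings.append((rid, "'allow' must be a non-empty list"))
                continue
            findings += [(rid, p) for p in map(check_allow_pattern, allow) if p]
        elif kind == "quota":
            limit = rule.get("maxTokens")
            if type(limit) is not int or limit <= 0:  # bool is rejected too
                findings.append((rid, "maxTokens must be a positive integer"))
        else:
            findings.append((rid, f"unknown rule type {kind!r}"))
    return findings

# The page's research_governance_policy.yaml as a YAML loader returns it.
PAGE_POLICY = {"policy": {"name": "ResearchSafety", "rules": [
    {"id": "no-malicious-url", "type": "url-allowlist",
     "allow": ["https://arxiv.org/**", "https://pubmed.ncbi.nlm.nih.gov/**"]},
    {"id": "max-tokens", "type": "quota", "maxTokens": 2048}]}}
```

An empty result from lint_policy(PAGE_POLICY) means the file passed; an allowlist entry such as "https://arxiv.org**" is reported because the host is not terminated before the glob.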

Summary

  • KubernetesDeployer relies on Helm charts in agent-governance-python/agent-mesh/charts/agentmesh/ to provision the Policy Server, Trust Engine, and API Gateway.
  • GovernanceConfig is implemented as a Kubernetes ConfigMap mounted into the Policy Server, supporting live policy reloads without pod restarts.
  • The Policy Server merges multiple policy files from a single ConfigMap at startup, enabling complex multi-domain governance.
  • Agents consume governance decisions via the AGENT_GOVERNANCE_URL environment variable pointing to the Policy Server service.
  • All mesh components are stateless, allowing horizontal scaling by adjusting replicaCount in values.yaml.

Frequently Asked Questions

How does the Policy Server detect policy updates without restarting?

The Policy Server watches the mounted ConfigMap volume for filesystem changes. When reloadIntervalSeconds (configured in values.yaml) elapses or an inotify event fires, the server re-parses the YAML policies and updates its in-memory rule engine. Because the ConfigMap is mounted as a read-only volume, the kubelet refreshes the mounted files after kubectl apply modifies the ConfigMap object, so updates reach the pod without a restart. The refresh is not instantaneous, and a key mounted through subPath does not receive updates.
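One way a polling reloader can treat a bad update, as an added example (not the Policy Server's implementation): it fingerprints the mounted files, swaps in a new policy set only when every file loads, and otherwise keeps enforcing the last good set. The load callable and all class and function names are hypothetical.

```python
# Added example: a hypothetical poll-based reloader, not AGT code.
import hashlib
import os

def read_policy_files(mount_dir):
    """Return {key: bytes} for a mounted ConfigMap directory."""
    files = {}
    for name in sorted(os.listdir(mount_dir)):
        path = os.path.join(mount_dir, name)
        # kubelet keeps '..data' and a timestamped '..' directory beside the keys
        if name.startswith("..") or not os.path.isfile(path):
            continue
        with open(path, "rb") as handle:
            files[name] = handle.read()
    return files

def digest(files):
    """SHA-256 over length-prefixed names and contents of the policy set."""
    h = hashlib.sha256()
    for name, data in sorted(files.items()):
        for part in (name.encode(), data):
            h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()

class PolicyReloader:
    """Swap in a new policy set only if every file in it loads."""

    def __init__(self, mount_dir, load):
        self.mount_dir = mount_dir
        self.load = load              # hypothetical: bytes -> policy, raises ValueError
        self.active = None            # policies currently enforced
        self.active_digest = None     # log this with each decision for audit
        self.rejected_digest = None   # last set that failed to load

    def poll(self):
        files = read_policy_files(self.mount_dir)
        new_digest = digest(files)
        if new_digest in (self.active_digest, self.rejected_digest):
            return "unchanged"
        try:
            candidate = {name: self.load(data) for name, data in files.items()}
        except ValueError:
            self.rejected_digest = new_digest  # keep enforcing the last good set
            return "rejected"
        self.active, self.active_digest = candidate, new_digest
        return "reloaded"
```

Recording active_digest alongside each policy decision lets an investigation tie a decision to the exact policy set that was live at the time.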

Can I run multiple governance policies simultaneously?

Yes. The Governance ConfigMap can contain multiple policy YAML files under different keys in the data section. The Policy Server, as defined in deployment-policy-server.yaml, loads all files from the mount path and merges them into a unified policy set. Each policy file follows the AGT schema demonstrated in examples/smolagents-governed/policies/research_governance_policy.yaml, allowing heterogeneous rule sets (e.g., URL allowlists and token quotas) to coexist.

What network address should agents use to reach the Policy Server?

Agents should target the internal Kubernetes DNS name http://policy-server.agt.svc.cluster.local:8080, where agt is the namespace deployed via the Helm chart. This endpoint is injected into the Agent Mesh API Gateway and agent pods via the AGENT_GOVERNANCE_URL environment variable. Traffic remains inside the cluster, minimizing latency and avoiding external exposure of the governance control plane.

How do I scale the Trust Engine and Policy Server horizontally?

Because the components are stateless, scaling requires only updating the replicaCount field in agent-governance-python/agent-mesh/charts/agentmesh/values.yaml and running helm upgrade. The Trust Engine pods share no session state, so load balancing across replicas is handled automatically by the Kubernetes Service. Note that while the Policy Server supports multiple replicas for availability, all instances serve the same synchronized ConfigMap data.
