KrakenD as the Agent Gateway Implementation

The Agent Gateway KrakenD Operator is a Kubernetes operator that implements the AgentGateway contract using KrakenD, an open-source API gateway with declarative JSON pipeline configuration. It watches AgentGateway resources that claim the krakend class, discovers all exposed agents in the cluster, generates a KrakenD configuration, and deploys a KrakenD instance that routes traffic to those agents.

The operator also ships two custom KrakenD plugins — agentcard-rw for A2A agent-card path rewriting and openai-a2a for OpenAI-compatible model-list and chat-completion endpoints — making agent traffic accessible to both A2A-native clients and OpenAI-compatible clients from a single gateway deployment.

The AgentGateway and AgentGatewayClass CRDs in the Agent Runtime Operator define a declaration-only contract: what the platform wants (replicas, timeout, guardrail references) without dictating how the gateway is implemented. A separate implementation operator is needed to turn that declaration into a running workload.

KrakenD was chosen as the first reference implementation for several reasons. Its entire routing configuration is expressed as a single JSON document, which maps cleanly to a Kubernetes ConfigMap — the operator regenerates the JSON whenever agents are added or removed and Kubernetes rolls the pod automatically when the config hash changes. KrakenD’s plugin system allows custom request-handling behaviour to be compiled in and loaded at startup, which is how A2A path translation and the OpenAI-compatible API surface are provided without forking the KrakenD binary. Finally, KrakenD is stateless and horizontally scalable, matching the replica-based model that AgentGateway.spec.replicas expresses.

The operator plugs into the Agent Runtime Operator ecosystem via the AgentGatewayClass resource. On startup the operator ensures that an AgentGatewayClass named krakend exists with spec.controller: runtime.agentic-layer.ai/agent-gateway-krakend-controller. Any AgentGateway resource whose spec.agentGatewayClassName is krakend is then claimed and reconciled by this operator.

When the operator reconciles an AgentGateway, it lists all Agent resources across all namespaces with spec.exposed: true, builds a KrakenD JSON configuration from the discovered agents, stores it in a ConfigMap, and creates or updates a KrakenD Deployment and Service in the same namespace as the gateway. Agent changes trigger re-reconciliation via a watch on Agent resources, so the generated configuration stays current without manual intervention.

A2A clients can reach each agent at /{namespace}/{agent-name} (or the shorthand /{agent-name} when the name is unique). OpenAI-compatible clients can enumerate agents at GET /models and route requests at POST /chat/completions using the namespaced agent name as the model value. For the broader architectural context — how AgentGateway and AgentGatewayClass compose in the Agentic Layer — see AgentGateway and the Gateway/Class Pluggability Pattern.