Only deny messages about a specific topic (v3.8+)
Only deny messages about a specific topic. For example, only deny messages about exploiting vulnerabilities.
For a detailed walkthrough, see Use AI Semantic Prompt Guard plugin to govern your LLM traffic.
If you use text-embedding-ada-002 as an embedding model, you must set a fixed dimension of 1536, as required by the official model specification. Alternatively, use the text-embedding-3-small model, which supports dynamic dimensions and works without specifying a fixed value.
Prerequisites
- AI Proxy plugin or AI Proxy Advanced plugin configured with an LLM service.
- A Redis instance.
- Port 6379, or your custom Redis port, is open and reachable from Kong Gateway.
Environment variables
- OPENAI_API_KEY: Your OpenAI API key
- REDIS_HOST: The host where your Redis instance runs
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-semantic-prompt-guard
    config:
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          name: text-embedding-3-small
          provider: openai
      search:
        threshold: 0.7
      vectordb:
        strategy: redis
        distance_metric: cosine
        threshold: 0.5
        dimensions: 1024
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
      rules:
        match_all_conversation_history: true
        deny_prompts:
        - Hacking techniques or penetration testing without authorization
        - Bypassing software licensing or digital rights management
        - Instructions on exploiting vulnerabilities or writing malware
        - Circumventing security controls or access restrictions
        - Gathering personal or confidential employee information
        - Using AI to impersonate or phish others
        - Social engineering tactics or manipulation techniques
        - Guidance on violating company IT policies
        - Content unrelated to work, such as entertainment or dating
        - Political, religious, or sensitive non-work-related discussions
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
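A pre-flight lint for the rendered plugin body, as an added example (not Kong's code): it enforces the dimension rule stated above for text-embedding-ada-002 and catches an Authorization header whose secret reference was never rendered (a decK template, a shell variable, or a Terraform `var.` reference left inside a plain string). The function names and the two sample bodies are constructed for illustration, and the lint assumes a deny-only rule set like the one on this page.

```python
import json
import re

# The page states text-embedding-ada-002 needs a fixed dimension of 1536.
FIXED_DIMENSIONS = {"text-embedding-ada-002": 1536}

# Template syntax that should never survive into the body Kong receives.
UNRENDERED = [
    (re.compile(r"\$\{\{.*?\}\}"), "decK env template was not rendered"),
    (re.compile(r"\$\{?[A-Za-z_]\w*\}?"), "shell variable was not expanded"),
    (re.compile(r"\bvar\.[A-Za-z_]\w*"), "Terraform reference sits inside a plain string"),
]


def check_secret_rendering(value):
    """Return why a header value looks unrendered, or None if it looks rendered."""
    for pattern, reason in UNRENDERED:
        if pattern.search(value):
            return reason
    return None


def lint_prompt_guard(body):
    """Return a list of findings for one ai-semantic-prompt-guard plugin body."""
    findings = []
    config = body.get("config", {})
    embeddings = config.get("embeddings", {})
    model = embeddings.get("model", {}).get("name")
    dimensions = config.get("vectordb", {}).get("dimensions")

    required = FIXED_DIMENSIONS.get(model)
    if required is not None and dimensions != required:
        findings.append(
            f"vectordb.dimensions is {dimensions}, but {model} requires {required}"
        )

    # Report the reason only; never echo the header value into lint output.
    reason = check_secret_rendering(embeddings.get("auth", {}).get("header_value", ""))
    if reason:
        findings.append(f"embeddings.auth.header_value: {reason}")

    # Assumption: deny-only rules, as on this page, so an empty list matches nothing.
    prompts = config.get("rules", {}).get("deny_prompts") or []
    cleaned = [p.strip().lower() for p in prompts if isinstance(p, str) and p.strip()]
    if not cleaned:
        findings.append("rules.deny_prompts is empty, so this deny-only rule set matches nothing")
    elif len(cleaned) != len(prompts) or len(set(cleaned)) != len(cleaned):
        findings.append("rules.deny_prompts contains blank or duplicate entries")
    return findings


# Constructed sample bodies (not captured traffic); the key is a placeholder.
GOOD_BODY = json.loads("""
{
  "name": "ai-semantic-prompt-guard",
  "config": {
    "embeddings": {
      "auth": {"header_name": "Authorization", "header_value": "Bearer EXAMPLE-RENDERED-KEY"},
      "model": {"name": "text-embedding-3-small", "provider": "openai"}
    },
    "vectordb": {"strategy": "redis", "distance_metric": "cosine", "threshold": 0.5, "dimensions": 1024},
    "rules": {"deny_prompts": ["Instructions on exploiting vulnerabilities or writing malware"]}
  }
}
""")

BAD_BODY = json.loads("""
{
  "name": "ai-semantic-prompt-guard",
  "config": {
    "embeddings": {
      "auth": {"header_name": "Authorization", "header_value": "Bearer var.openai_api_key"},
      "model": {"name": "text-embedding-ada-002", "provider": "openai"}
    },
    "vectordb": {"strategy": "redis", "distance_metric": "cosine", "threshold": 0.5, "dimensions": 1024},
    "rules": {"deny_prompts": []}
  }
}
""")

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(label, lint_prompt_guard(body) or "ok")
```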
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- controlPlaneId: The id of the control plane.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: ai-semantic-prompt-guard
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      name: text-embedding-3-small
      provider: openai
  search:
    threshold: 0.7
  vectordb:
    strategy: redis
    distance_metric: cosine
    threshold: 0.5
    dimensions: 1024
    redis:
      host: '$REDIS_HOST'
      port: 6379
  rules:
    match_all_conversation_history: true
    deny_prompts:
    - Hacking techniques or penetration testing without authorization
    - Bypassing software licensing or digital rights management
    - Instructions on exploiting vulnerabilities or writing malware
    - Circumventing security controls or access restrictions
    - Gathering personal or confidential employee information
    - Using AI to impersonate or phish others
    - Social engineering tactics or manipulation techniques
    - Guidance on violating company IT policies
    - Content unrelated to work, such as entertainment or dating
    - Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
  enabled = true
  config = {
    embeddings = {
      auth = {
        header_name = "Authorization"
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        name = "text-embedding-3-small"
        provider = "openai"
      }
    }
    search = {
      threshold = 0.7
    }
    vectordb = {
      strategy = "redis"
      distance_metric = "cosine"
      threshold = 0.5
      dimensions = 1024
      redis = {
        host = var.redis_host
        port = 6379
      }
    }
    rules = {
      match_all_conversation_history = true
      deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "openai_api_key" {
  type = string
}
variable "redis_host" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-semantic-prompt-guard
    service: serviceName|Id
    config:
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          name: text-embedding-3-small
          provider: openai
      search:
        threshold: 0.7
      vectordb:
        strategy: redis
        distance_metric: cosine
        threshold: 0.5
        dimensions: 1024
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
      rules:
        match_all_conversation_history: true
        deny_prompts:
        - Hacking techniques or penetration testing without authorization
        - Bypassing software licensing or digital rights management
        - Instructions on exploiting vulnerabilities or writing malware
        - Circumventing security controls or access restrictions
        - Gathering personal or confidential employee information
        - Using AI to impersonate or phish others
        - Social engineering tactics or manipulation techniques
        - Guidance on violating company IT policies
        - Content unrelated to work, such as entertainment or dating
        - Political, religious, or sensitive non-work-related discussions
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- controlPlaneId: The id of the control plane.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- serviceId: The id of the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-semantic-prompt-guard
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      name: text-embedding-3-small
      provider: openai
  search:
    threshold: 0.7
  vectordb:
    strategy: redis
    distance_metric: cosine
    threshold: 0.5
    dimensions: 1024
    redis:
      host: '$REDIS_HOST'
      port: 6379
  rules:
    match_all_conversation_history: true
    deny_prompts:
    - Hacking techniques or penetration testing without authorization
    - Bypassing software licensing or digital rights management
    - Instructions on exploiting vulnerabilities or writing malware
    - Circumventing security controls or access restrictions
    - Gathering personal or confidential employee information
    - Using AI to impersonate or phish others
    - Social engineering tactics or manipulation techniques
    - Guidance on violating company IT policies
    - Content unrelated to work, such as entertainment or dating
    - Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-semantic-prompt-guard
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
  enabled = true
  config = {
    embeddings = {
      auth = {
        header_name = "Authorization"
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        name = "text-embedding-3-small"
        provider = "openai"
      }
    }
    search = {
      threshold = 0.7
    }
    vectordb = {
      strategy = "redis"
      distance_metric = "cosine"
      threshold = 0.5
      dimensions = 1024
      redis = {
        host = var.redis_host
        port = 6379
      }
    }
    rules = {
      match_all_conversation_history = true
      deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "openai_api_key" {
  type = string
}
variable "redis_host" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-semantic-prompt-guard
    route: routeName|Id
    config:
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          name: text-embedding-3-small
          provider: openai
      search:
        threshold: 0.7
      vectordb:
        strategy: redis
        distance_metric: cosine
        threshold: 0.5
        dimensions: 1024
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
      rules:
        match_all_conversation_history: true
        deny_prompts:
        - Hacking techniques or penetration testing without authorization
        - Bypassing software licensing or digital rights management
        - Instructions on exploiting vulnerabilities or writing malware
        - Circumventing security controls or access restrictions
        - Gathering personal or confidential employee information
        - Using AI to impersonate or phish others
        - Social engineering tactics or manipulation techniques
        - Guidance on violating company IT policies
        - Content unrelated to work, such as entertainment or dating
        - Political, religious, or sensitive non-work-related discussions
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- controlPlaneId: The id of the control plane.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- routeId: The id of the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-semantic-prompt-guard
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      name: text-embedding-3-small
      provider: openai
  search:
    threshold: 0.7
  vectordb:
    strategy: redis
    distance_metric: cosine
    threshold: 0.5
    dimensions: 1024
    redis:
      host: '$REDIS_HOST'
      port: 6379
  rules:
    match_all_conversation_history: true
    deny_prompts:
    - Hacking techniques or penetration testing without authorization
    - Bypassing software licensing or digital rights management
    - Instructions on exploiting vulnerabilities or writing malware
    - Circumventing security controls or access restrictions
    - Gathering personal or confidential employee information
    - Using AI to impersonate or phish others
    - Social engineering tactics or manipulation techniques
    - Guidance on violating company IT policies
    - Content unrelated to work, such as entertainment or dating
    - Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute HTTPROUTE_NAME konghq.com/plugins=ai-semantic-prompt-guard
kubectl annotate -n kong ingress INGRESS_NAME konghq.com/plugins=ai-semantic-prompt-guard
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
  enabled = true
  config = {
    embeddings = {
      auth = {
        header_name = "Authorization"
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        name = "text-embedding-3-small"
        provider = "openai"
      }
    }
    search = {
      threshold = 0.7
    }
    vectordb = {
      strategy = "redis"
      distance_metric = "cosine"
      threshold = 0.5
      dimensions = 1024
      redis = {
        host = var.redis_host
        port = 6379
      }
    }
    rules = {
      match_all_conversation_history = true
      deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "openai_api_key" {
  type = string
}
variable "redis_host" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-semantic-prompt-guard
    consumer: consumerName|Id
    config:
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          name: text-embedding-3-small
          provider: openai
      search:
        threshold: 0.7
      vectordb:
        strategy: redis
        distance_metric: cosine
        threshold: 0.5
        dimensions: 1024
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
      rules:
        match_all_conversation_history: true
        deny_prompts:
        - Hacking techniques or penetration testing without authorization
        - Bypassing software licensing or digital rights management
        - Instructions on exploiting vulnerabilities or writing malware
        - Circumventing security controls or access restrictions
        - Gathering personal or confidential employee information
        - Using AI to impersonate or phish others
        - Social engineering tactics or manipulation techniques
        - Guidance on violating company IT policies
        - Content unrelated to work, such as entertainment or dating
        - Political, religious, or sensitive non-work-related discussions
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- controlPlaneId: The id of the control plane.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- consumerId: The id of the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-semantic-prompt-guard
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      name: text-embedding-3-small
      provider: openai
  search:
    threshold: 0.7
  vectordb:
    strategy: redis
    distance_metric: cosine
    threshold: 0.5
    dimensions: 1024
    redis:
      host: '$REDIS_HOST'
      port: 6379
  rules:
    match_all_conversation_history: true
    deny_prompts:
    - Hacking techniques or penetration testing without authorization
    - Bypassing software licensing or digital rights management
    - Instructions on exploiting vulnerabilities or writing malware
    - Circumventing security controls or access restrictions
    - Gathering personal or confidential employee information
    - Using AI to impersonate or phish others
    - Social engineering tactics or manipulation techniques
    - Guidance on violating company IT policies
    - Content unrelated to work, such as entertainment or dating
    - Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong kongconsumer CONSUMER_NAME konghq.com/plugins=ai-semantic-prompt-guard
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
  enabled = true
  config = {
    embeddings = {
      auth = {
        header_name = "Authorization"
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        name = "text-embedding-3-small"
        provider = "openai"
      }
    }
    search = {
      threshold = 0.7
    }
    vectordb = {
      strategy = "redis"
      distance_metric = "cosine"
      threshold = 0.5
      dimensions = 1024
      redis = {
        host = var.redis_host
        port = 6379
      }
    }
    rules = {
      match_all_conversation_history = true
      deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer = {
    id = konnect_gateway_consumer.my_consumer.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redis_host" {
  type = string
}
variable "openai_api_key" {
  type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: ai-semantic-prompt-guard
    consumer_group: consumerGroupName|Id
    config:
      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          name: text-embedding-3-small
          provider: openai
      search:
        threshold: 0.7
      vectordb:
        strategy: redis
        distance_metric: cosine
        threshold: 0.5
        dimensions: 1024
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
      rules:
        match_all_conversation_history: true
        deny_prompts:
        - Hacking techniques or penetration testing without authorization
        - Bypassing software licensing or digital rights management
        - Instructions on exploiting vulnerabilities or writing malware
        - Circumventing security controls or access restrictions
        - Gathering personal or confidential employee information
        - Using AI to impersonate or phish others
        - Social engineering tactics or manipulation techniques
        - Guidance on violating company IT policies
        - Content unrelated to work, such as entertainment or dating
        - Political, religious, or sensitive non-work-related discussions
Make sure to replace the following placeholders with your own values:
- consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.
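A pre-flight check for the JSON request body above, added here as an example and not part of Kong's documentation or code: it flags values that were never substituted, an empty bearer credential, and the text-embedding-ada-002 dimension rule this page states. The names lint_plugin_body, walk and SAMPLE_BAD are assumptions, and the sample body is constructed.

```python
import json
import re

# Rule stated on this page: text-embedding-ada-002 needs dimensions = 1536.
FIXED_DIMENSIONS = {"text-embedding-ada-002": 1536}
# Leftovers: $VAR / ${VAR}, {pathPlaceholder}, Terraform var.x, name|Id.
UNRESOLVED = re.compile(r"\$\{?\w|\{\w+\}|\bvar\.\w+|\w\|Id\b")

def walk(node, path=""):
    """Yield (dotted_path, value) for every string leaf of the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def lint_plugin_body(body):
    """Return a list of findings for one plugin JSON request body."""
    config = json.loads(body)["config"]
    findings = [f"{path}: unresolved placeholder {value!r}"
                for path, value in walk(config) if UNRESOLVED.search(value)]
    if config["embeddings"]["auth"]["header_value"].strip() in ("", "Bearer"):
        findings.append("embeddings.auth.header_value: empty credential")
    model = config["embeddings"]["model"]["name"]
    dims = config["vectordb"]["dimensions"]
    if FIXED_DIMENSIONS.get(model, dims) != dims:
        findings.append(f"vectordb.dimensions: {model} requires "
                        f"{FIXED_DIMENSIONS[model]}, got {dims}")
    prompts = [p.strip().lower() for p in config["rules"].get("deny_prompts", [])]
    if not prompts or "" in prompts or len(set(prompts)) != len(prompts):
        findings.append("rules.deny_prompts: empty, blank or duplicate entry")
    return findings

# Constructed sample: OPENAI_API_KEY was unset in the shell, REDIS_HOST was
# never substituted, and the model was switched to ada-002.
SAMPLE_BAD = json.dumps({"name": "ai-semantic-prompt-guard", "config": {
    "embeddings": {
        "auth": {"header_name": "Authorization", "header_value": "Bearer "},
        "model": {"name": "text-embedding-ada-002", "provider": "openai"}},
    "vectordb": {"strategy": "redis", "dimensions": 1024,
                 "redis": {"host": "$REDIS_HOST", "port": 6379}},
    "rules": {"deny_prompts": ["Using AI to impersonate or phish others"]}}})

if __name__ == "__main__":
    for finding in lint_plugin_body(SAMPLE_BAD):
        print(finding)
```

Run it on the exact string passed to --data; an empty result means none of these three failure modes is present, not that the gateway will accept the configuration.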
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-semantic-prompt-guard",
      "config": {
        "embeddings": {
          "auth": {
            "header_name": "Authorization",
            "header_value": "Bearer '$OPENAI_API_KEY'"
          },
          "model": {
            "name": "text-embedding-3-small",
            "provider": "openai"
          }
        },
        "search": {
          "threshold": 0.7
        },
        "vectordb": {
          "strategy": "redis",
          "distance_metric": "cosine",
          "threshold": 0.5,
          "dimensions": 1024,
          "redis": {
            "host": "'$REDIS_HOST'",
            "port": 6379
          }
        },
        "rules": {
          "match_all_conversation_history": true,
          "deny_prompts": [
            "Hacking techniques or penetration testing without authorization",
            "Bypassing software licensing or digital rights management",
            "Instructions on exploiting vulnerabilities or writing malware",
            "Circumventing security controls or access restrictions",
            "Gathering personal or confidential employee information",
            "Using AI to impersonate or phish others",
            "Social engineering tactics or manipulation techniques",
            "Guidance on violating company IT policies",
            "Content unrelated to work, such as entertainment or dating",
            "Political, religious, or sensitive non-work-related discussions"
          ]
        }
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- controlPlaneId: The id of the control plane.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- consumerGroupId: The id of the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-semantic-prompt-guard
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  embeddings:
    auth:
      header_name: Authorization
      header_value: Bearer $OPENAI_API_KEY
    model:
      name: text-embedding-3-small
      provider: openai
  search:
    threshold: 0.7
  vectordb:
    strategy: redis
    distance_metric: cosine
    threshold: 0.5
    dimensions: 1024
    redis:
      host: '$REDIS_HOST'
      port: 6379
  rules:
    match_all_conversation_history: true
    deny_prompts:
    - Hacking techniques or penetration testing without authorization
    - Bypassing software licensing or digital rights management
    - Instructions on exploiting vulnerabilities or writing malware
    - Circumventing security controls or access restrictions
    - Gathering personal or confidential employee information
    - Using AI to impersonate or phish others
    - Social engineering tactics or manipulation techniques
    - Guidance on violating company IT policies
    - Content unrelated to work, such as entertainment or dating
    - Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong kongconsumergroup CONSUMERGROUP_NAME konghq.com/plugins=ai-semantic-prompt-guard
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
  enabled = true
  config = {
    embeddings = {
      auth = {
        header_name = "Authorization"
        header_value = "Bearer ${var.openai_api_key}"
      }
      model = {
        name = "text-embedding-3-small"
        provider = "openai"
      }
    }
    search = {
      threshold = 0.7
    }
    vectordb = {
      strategy = "redis"
      distance_metric = "cosine"
      threshold = 0.5
      dimensions = 1024
      redis = {
        host = var.redis_host
        port = 6379
      }
    }
    rules = {
      match_all_conversation_history = true
      deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
    }
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer_group = {
    id = konnect_gateway_consumer_group.my_consumer_group.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redis_host" {
  type = string
}
variable "openai_api_key" {
  type = string
}
