Allow and deny using pgvector as a vector databasev3.12+
The AI Semantic Response Guard plugin analyzes the full response from an LLM service and filters it based on semantic similarity to configured allow or deny patterns.
Deny rules take precedence over allow rules. Responses matching a deny pattern are blocked, even if they also match an allow pattern. Responses not matching any allow pattern are blocked when allow rules are set.
Prerequisites
-
AI Proxy plugin or AI Proxy Advanced plugin configured with an LLM service.
-
A PostgreSQL database with pgvector extension installed and reachable from Kong Gateway.
-
Port
5432, or your custom PostgreSQL port, is open and reachable from Kong Gateway.
Environment variables
-
OPENAI_API_KEY: Your OpenAI API key -
PGVECTOR_HOST: The host where your pgvector-enabled PostgreSQL instance runs -
PGVECTOR_USER: Database user for pgvector -
PGVECTOR_PASSWORD: Database password for pgvector
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-semantic-response-guard
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: ${{ env "DECK_PGVECTOR_HOST" }}
port: 5432
database: kong-pgvector
user: ${{ env "DECK_PGVECTOR_USER" }}
password: ${{ env "DECK_PGVECTOR_PASSWORD" }}
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: ai-semantic-response-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
labels:
global: 'true'
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: '$PGVECTOR_HOST'
port: 5432
database: kong-pgvector
user: '$PGVECTOR_USER'
password: '$PGVECTOR_PASSWORD'
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
plugin: ai-semantic-response-guard
" | kubectl apply -f -
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_response_guard" "my_ai_semantic_response_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "pgvector"
distance_metric = "cosine"
threshold = 0.7
dimensions = 1024
pgvector = {
host = var.pgvector_host
port = 5432
database = "kong-pgvector"
user = var.pgvector_user
password = var.pgvector_password
ssl = false
ssl_required = false
ssl_verify = false
ssl_version = "tlsv1_2"
timeout = 5000
}
}
rules = {
allow_responses = ["Troubleshooting networks and connectivity issues", "Managing cloud platforms (AWS, Azure, GCP)", "Security hardening and incident response strategies", "DevOps pipelines, automation, and observability", "Software engineering concepts and language syntax", "IT governance, compliance, and regulatory guidance", "Continuous integration and deployment practices", "Writing documentation and explaining technical concepts", "Operating system administration and configuration", "Best practices for collaboration and productivity tools"]
deny_responses = ["Unauthorized penetration testing or hacking tutorials", "Methods for bypassing software licensing or DRM", "Step-by-step instructions for exploiting vulnerabilities", "Techniques to evade or disable security controls", "Collecting or exposing personal or employee data", "Using AI for impersonation, phishing, or fraud", "Manipulative social engineering techniques", "Advice on breaking internal IT or security policies", "Entertainment, dating, or other non-work topics", "Political, religious, or otherwise sensitive discussions unrelated to work"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "pgvector_password" {
type = string
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-semantic-response-guard
service: serviceName|Id
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: ${{ env "DECK_PGVECTOR_HOST" }}
port: 5432
database: kong-pgvector
user: ${{ env "DECK_PGVECTOR_USER" }}
password: ${{ env "DECK_PGVECTOR_PASSWORD" }}
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-semantic-response-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: '$PGVECTOR_HOST'
port: 5432
database: kong-pgvector
user: '$PGVECTOR_USER'
password: '$PGVECTOR_PASSWORD'
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
plugin: ai-semantic-response-guard
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-semantic-response-guard
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_response_guard" "my_ai_semantic_response_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "pgvector"
distance_metric = "cosine"
threshold = 0.7
dimensions = 1024
pgvector = {
host = var.pgvector_host
port = 5432
database = "kong-pgvector"
user = var.pgvector_user
password = var.pgvector_password
ssl = false
ssl_required = false
ssl_verify = false
ssl_version = "tlsv1_2"
timeout = 5000
}
}
rules = {
allow_responses = ["Troubleshooting networks and connectivity issues", "Managing cloud platforms (AWS, Azure, GCP)", "Security hardening and incident response strategies", "DevOps pipelines, automation, and observability", "Software engineering concepts and language syntax", "IT governance, compliance, and regulatory guidance", "Continuous integration and deployment practices", "Writing documentation and explaining technical concepts", "Operating system administration and configuration", "Best practices for collaboration and productivity tools"]
deny_responses = ["Unauthorized penetration testing or hacking tutorials", "Methods for bypassing software licensing or DRM", "Step-by-step instructions for exploiting vulnerabilities", "Techniques to evade or disable security controls", "Collecting or exposing personal or employee data", "Using AI for impersonation, phishing, or fraud", "Manipulative social engineering techniques", "Advice on breaking internal IT or security policies", "Entertainment, dating, or other non-work topics", "Political, religious, or otherwise sensitive discussions unrelated to work"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "pgvector_password" {
type = string
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-semantic-response-guard
route: routeName|Id
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: ${{ env "DECK_PGVECTOR_HOST" }}
port: 5432
database: kong-pgvector
user: ${{ env "DECK_PGVECTOR_USER" }}
password: ${{ env "DECK_PGVECTOR_PASSWORD" }}
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-semantic-response-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: '$PGVECTOR_HOST'
port: 5432
database: kong-pgvector
user: '$PGVECTOR_USER'
password: '$PGVECTOR_PASSWORD'
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
plugin: ai-semantic-response-guard
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=ai-semantic-response-guard
Copied!
kubectl annotate -n kong ingress konghq.com/plugins=ai-semantic-response-guard
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_response_guard" "my_ai_semantic_response_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "pgvector"
distance_metric = "cosine"
threshold = 0.7
dimensions = 1024
pgvector = {
host = var.pgvector_host
port = 5432
database = "kong-pgvector"
user = var.pgvector_user
password = var.pgvector_password
ssl = false
ssl_required = false
ssl_verify = false
ssl_version = "tlsv1_2"
timeout = 5000
}
}
rules = {
allow_responses = ["Troubleshooting networks and connectivity issues", "Managing cloud platforms (AWS, Azure, GCP)", "Security hardening and incident response strategies", "DevOps pipelines, automation, and observability", "Software engineering concepts and language syntax", "IT governance, compliance, and regulatory guidance", "Continuous integration and deployment practices", "Writing documentation and explaining technical concepts", "Operating system administration and configuration", "Best practices for collaboration and productivity tools"]
deny_responses = ["Unauthorized penetration testing or hacking tutorials", "Methods for bypassing software licensing or DRM", "Step-by-step instructions for exploiting vulnerabilities", "Techniques to evade or disable security controls", "Collecting or exposing personal or employee data", "Using AI for impersonation, phishing, or fraud", "Manipulative social engineering techniques", "Advice on breaking internal IT or security policies", "Entertainment, dating, or other non-work topics", "Political, religious, or otherwise sensitive discussions unrelated to work"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "pgvector_password" {
type = string
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-semantic-response-guard
consumer: consumerName|Id
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: ${{ env "DECK_PGVECTOR_HOST" }}
port: 5432
database: kong-pgvector
user: ${{ env "DECK_PGVECTOR_USER" }}
password: ${{ env "DECK_PGVECTOR_PASSWORD" }}
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerId: Theidof the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-semantic-response-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: '$PGVECTOR_HOST'
port: 5432
database: kong-pgvector
user: '$PGVECTOR_USER'
password: '$PGVECTOR_PASSWORD'
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
plugin: ai-semantic-response-guard
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong CONSUMER_NAME konghq.com/plugins=ai-semantic-response-guard
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_response_guard" "my_ai_semantic_response_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "pgvector"
distance_metric = "cosine"
threshold = 0.7
dimensions = 1024
pgvector = {
host = var.pgvector_host
port = 5432
database = "kong-pgvector"
user = var.pgvector_user
password = var.pgvector_password
ssl = false
ssl_required = false
ssl_verify = false
ssl_version = "tlsv1_2"
timeout = 5000
}
}
rules = {
allow_responses = ["Troubleshooting networks and connectivity issues", "Managing cloud platforms (AWS, Azure, GCP)", "Security hardening and incident response strategies", "DevOps pipelines, automation, and observability", "Software engineering concepts and language syntax", "IT governance, compliance, and regulatory guidance", "Continuous integration and deployment practices", "Writing documentation and explaining technical concepts", "Operating system administration and configuration", "Best practices for collaboration and productivity tools"]
deny_responses = ["Unauthorized penetration testing or hacking tutorials", "Methods for bypassing software licensing or DRM", "Step-by-step instructions for exploiting vulnerabilities", "Techniques to evade or disable security controls", "Collecting or exposing personal or employee data", "Using AI for impersonation, phishing, or fraud", "Manipulative social engineering techniques", "Advice on breaking internal IT or security policies", "Entertainment, dating, or other non-work topics", "Political, religious, or otherwise sensitive discussions unrelated to work"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer = {
id = konnect_gateway_consumer.my_consumer.id
}
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "pgvector_password" {
type = string
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-semantic-response-guard
consumer_group: consumerGroupName|Id
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: ${{ env "DECK_PGVECTOR_HOST" }}
port: 5432
database: kong-pgvector
user: ${{ env "DECK_PGVECTOR_USER" }}
password: ${{ env "DECK_PGVECTOR_PASSWORD" }}
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-response-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "pgvector",
"distance_metric": "cosine",
"threshold": 0.7,
"dimensions": 1024,
"pgvector": {
"host": "'$PGVECTOR_HOST'",
"port": 5432,
"database": "kong-pgvector",
"user": "'$PGVECTOR_USER'",
"password": "'$PGVECTOR_PASSWORD'",
"ssl": false,
"ssl_required": false,
"ssl_verify": false,
"ssl_version": "tlsv1_2",
"timeout": 5000
}
},
"rules": {
"allow_responses": [
"Troubleshooting networks and connectivity issues",
"Managing cloud platforms (AWS, Azure, GCP)",
"Security hardening and incident response strategies",
"DevOps pipelines, automation, and observability",
"Software engineering concepts and language syntax",
"IT governance, compliance, and regulatory guidance",
"Continuous integration and deployment practices",
"Writing documentation and explaining technical concepts",
"Operating system administration and configuration",
"Best practices for collaboration and productivity tools"
],
"deny_responses": [
"Unauthorized penetration testing or hacking tutorials",
"Methods for bypassing software licensing or DRM",
"Step-by-step instructions for exploiting vulnerabilities",
"Techniques to evade or disable security controls",
"Collecting or exposing personal or employee data",
"Using AI for impersonation, phishing, or fraud",
"Manipulative social engineering techniques",
"Advice on breaking internal IT or security policies",
"Entertainment, dating, or other non-work topics",
"Political, religious, or otherwise sensitive discussions unrelated to work"
]
}
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerGroupId: Theidof the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-semantic-response-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: pgvector
distance_metric: cosine
threshold: 0.7
dimensions: 1024
pgvector:
host: '$PGVECTOR_HOST'
port: 5432
database: kong-pgvector
user: '$PGVECTOR_USER'
password: '$PGVECTOR_PASSWORD'
ssl: false
ssl_required: false
ssl_verify: false
ssl_version: tlsv1_2
timeout: 5000
rules:
allow_responses:
- Troubleshooting networks and connectivity issues
- Managing cloud platforms (AWS, Azure, GCP)
- Security hardening and incident response strategies
- DevOps pipelines, automation, and observability
- Software engineering concepts and language syntax
- IT governance, compliance, and regulatory guidance
- Continuous integration and deployment practices
- Writing documentation and explaining technical concepts
- Operating system administration and configuration
- Best practices for collaboration and productivity tools
deny_responses:
- Unauthorized penetration testing or hacking tutorials
- Methods for bypassing software licensing or DRM
- Step-by-step instructions for exploiting vulnerabilities
- Techniques to evade or disable security controls
- Collecting or exposing personal or employee data
- Using AI for impersonation, phishing, or fraud
- Manipulative social engineering techniques
- Advice on breaking internal IT or security policies
- Entertainment, dating, or other non-work topics
- Political, religious, or otherwise sensitive discussions unrelated to work
plugin: ai-semantic-response-guard
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong CONSUMERGROUP_NAME konghq.com/plugins=ai-semantic-response-guard
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_response_guard" "my_ai_semantic_response_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "pgvector"
distance_metric = "cosine"
threshold = 0.7
dimensions = 1024
pgvector = {
host = var.pgvector_host
port = 5432
database = "kong-pgvector"
user = var.pgvector_user
password = var.pgvector_password
ssl = false
ssl_required = false
ssl_verify = false
ssl_version = "tlsv1_2"
timeout = 5000
}
}
rules = {
allow_responses = ["Troubleshooting networks and connectivity issues", "Managing cloud platforms (AWS, Azure, GCP)", "Security hardening and incident response strategies", "DevOps pipelines, automation, and observability", "Software engineering concepts and language syntax", "IT governance, compliance, and regulatory guidance", "Continuous integration and deployment practices", "Writing documentation and explaining technical concepts", "Operating system administration and configuration", "Best practices for collaboration and productivity tools"]
deny_responses = ["Unauthorized penetration testing or hacking tutorials", "Methods for bypassing software licensing or DRM", "Step-by-step instructions for exploiting vulnerabilities", "Techniques to evade or disable security controls", "Collecting or exposing personal or employee data", "Using AI for impersonation, phishing, or fraud", "Manipulative social engineering techniques", "Advice on breaking internal IT or security policies", "Entertainment, dating, or other non-work topics", "Political, religious, or otherwise sensitive discussions unrelated to work"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer_group = {
id = konnect_gateway_consumer_group.my_consumer_group.id
}
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "pgvector_password" {
type = string
}
Copied!