From 1922b85f364e8131a55ef21f9cba01fc7ea33204 Mon Sep 17 00:00:00 2001 From: Kristin Brown Date: Tue, 7 Apr 2026 09:31:48 -0400 Subject: [PATCH 1/8] Update page.mdx Signed-off-by: Kristin Brown --- src/app/docs/kagent/operations/upgrade/page.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/app/docs/kagent/operations/upgrade/page.mdx b/src/app/docs/kagent/operations/upgrade/page.mdx index 7151b657..8e1ada80 100644 --- a/src/app/docs/kagent/operations/upgrade/page.mdx +++ b/src/app/docs/kagent/operations/upgrade/page.mdx @@ -24,6 +24,10 @@ Follow these steps to upgrade kagent to the latest version and keep your cluster 3. Back up your current configuration, including agent definitions and custom settings. +4. **v0.9.0 and later**: Back up your PostgreSQL database before upgrading. + +5. **v0.9.0 and later**: You must be running at least v0.8.0 before upgrading to v0.9.0. + ## Upgrade kagent 1. Get the Helm values file for your current kagent release. From fd1d061497daaeeb30e70a27f805cc9e8c0a3941 Mon Sep 17 00:00:00 2001 From: Kristin Brown Date: Tue, 7 Apr 2026 09:32:21 -0400 Subject: [PATCH 2/8] Update page.mdx Signed-off-by: Kristin Brown --- src/app/docs/kagent/resources/release-notes/page.mdx | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/app/docs/kagent/resources/release-notes/page.mdx b/src/app/docs/kagent/resources/release-notes/page.mdx index 01f6dfa8..1742b8a5 100644 --- a/src/app/docs/kagent/resources/release-notes/page.mdx +++ b/src/app/docs/kagent/resources/release-notes/page.mdx @@ -18,6 +18,18 @@ The kagent documentation shows information only for the latest release. If you r For more details on the changes between versions, review the [kagent GitHub releases](https://github.com/kagent-dev/kagent/releases). +# v0.9 + +Review this summary of significant changes from kagent version 0.8 to v0.9. + +## Database migration changes + +**Before you upgrade:** + +* You must be running at least v0.8.0 before upgrading to v0.9.0. +* Back up your PostgreSQL database before upgrading. For details on your database configuration, see the [Database configuration guide](/docs/kagent/operations/operational-considerations/#database-configuration). + + # v0.8 Review this summary of significant changes from kagent version 0.7 to v0.8. From 1ebd91d16f9340a54498cff8f41c35b40f1d57cd Mon Sep 17 00:00:00 2001 From: Kristin Brown Date: Tue, 7 Apr 2026 09:45:21 -0400 Subject: [PATCH 3/8] Update page.mdx Signed-off-by: Kristin Brown --- src/app/docs/kagent/operations/upgrade/page.mdx | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/app/docs/kagent/operations/upgrade/page.mdx b/src/app/docs/kagent/operations/upgrade/page.mdx index 8e1ada80..fe3caa59 100644 --- a/src/app/docs/kagent/operations/upgrade/page.mdx +++ b/src/app/docs/kagent/operations/upgrade/page.mdx @@ -22,11 +22,12 @@ Follow these steps to upgrade kagent to the latest version and keep your cluster 2. Read the [release notes](/docs/kagent/resources/release-notes) for the version you are upgrading to. Pay attention to any breaking changes or deprecations that might affect your configuration. -3. Back up your current configuration, including agent definitions and custom settings. +3. Back up your current configuration, including the following: + - Agent definitions + - Any custom settings + - PostgreSQL database -4. **v0.9.0 and later**: Back up your PostgreSQL database before upgrading. - -5. **v0.9.0 and later**: You must be running at least v0.8.0 before upgrading to v0.9.0. +4. **v0.9.0 and later**: You must be running at least v0.8.0 before upgrading to v0.9.0. ## Upgrade kagent From f90851ea44ac79ac3efe8cf3bf1f872ccc3784a1 Mon Sep 17 00:00:00 2001 From: Kristin Brown Date: Tue, 7 Apr 2026 09:45:42 -0400 Subject: [PATCH 4/8] Update page.mdx Signed-off-by: Kristin Brown --- src/app/docs/kagent/resources/release-notes/page.mdx | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/app/docs/kagent/resources/release-notes/page.mdx b/src/app/docs/kagent/resources/release-notes/page.mdx index 1742b8a5..83ddba74 100644 --- a/src/app/docs/kagent/resources/release-notes/page.mdx +++ b/src/app/docs/kagent/resources/release-notes/page.mdx @@ -22,8 +22,6 @@ For more details on the changes between versions, review the [kagent GitHub rele Review this summary of significant changes from kagent version 0.8 to v0.9. -## Database migration changes - **Before you upgrade:** * You must be running at least v0.8.0 before upgrading to v0.9.0. From d1b174f3f3a4bf2ea5520d391b3a5b02eb3c14e0 Mon Sep 17 00:00:00 2001 From: Kristin Brown Date: Thu, 23 Apr 2026 08:52:47 -0400 Subject: [PATCH 5/8] Update page.mdx Signed-off-by: Kristin Brown --- .../kagent/resources/release-notes/page.mdx | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/src/app/docs/kagent/resources/release-notes/page.mdx b/src/app/docs/kagent/resources/release-notes/page.mdx index 83ddba74..2009f71a 100644 --- a/src/app/docs/kagent/resources/release-notes/page.mdx +++ b/src/app/docs/kagent/resources/release-notes/page.mdx @@ -26,7 +26,82 @@ Review this summary of significant changes from kagent version 0.8 to v0.9. * You must be running at least v0.8.0 before upgrading to v0.9.0. * Back up your PostgreSQL database before upgrading. For details on your database configuration, see the [Database configuration guide](/docs/kagent/operations/operational-considerations/#database-configuration). +* The `rbac.clusterScoped` Helm value is removed. RBAC scope is now derived from `rbac.namespaces`. If you set `rbac.clusterScoped` in your Helm values, update your configuration to use `rbac.namespaces` instead. +**What's included:** + +* Agent Sandbox — run agents in isolated sandboxes with network controls using the Kubernetes agent-sandbox project. +* OIDC proxy authentication — optional enterprise authentication via oauth2-proxy with support for Cognito, Okta, Dex, and other OIDC providers. +* SAP AI Core provider — new model provider for SAP AI Core via the Orchestration Service. +* Database migration tooling — the database backend is refactored from GORM + AutoMigrate to golang-migrate + sqlc. +* Bedrock embedding support — native Bedrock embedding models for agent memory. + +## Agent Sandbox + +You can now run agents in isolated sandboxes using the [Kubernetes agent-sandbox](https://github.com/kubernetes-sigs/agent-sandbox) project. A new `SandboxAgent` CRD creates sandboxed agent instances with restricted filesystem and network access, providing stronger isolation for untrusted or experimental workloads. + +Sandbox agents support configurable network allowlists for both Go and Python runtimes, so you can control which external endpoints the agent is permitted to reach. + +To use agent sandboxes, install the agent-sandbox controller in your cluster: + +```bash +export VERSION="v0.3.10" +kubectl apply -f https://github.com/kubernetes-sigs/agent-sandbox/releases/download/${VERSION}/manifest.yaml +kubectl apply -f https://github.com/kubernetes-sigs/agent-sandbox/releases/download/${VERSION}/extensions.yaml +``` + +Then create a `SandboxAgent` resource with the same spec as a regular `Agent` resource. + +## OIDC Proxy Authentication + +kagent now supports optional OIDC proxy-based authentication through an [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy/) subchart. This feature enables integration with enterprise identity providers such as Cognito, Okta, and Dex. + +When `controller.auth.mode` is set to `"proxy"`, the controller trusts JWT tokens from the `Authorization` header injected by oauth2-proxy and extracts user identity from configurable JWT claims. The default mode remains `"unsecure"`, which preserves the existing behavior with no authentication required. + +This release adds authentication only. Access control is not yet implemented. + +**What's included:** + +* A `ProxyAuthenticator` backend that extracts user identity (email, name, groups) from JWT claims. +* A `/api/me` endpoint that returns the current user's identity. +* A login page with SSO redirect and a user menu in the UI. +* NetworkPolicies that restrict UI and controller access to oauth2-proxy when auth is enabled. + +To enable OIDC authentication: + +```yaml +controller: + auth: + mode: proxy + +oauth2-proxy: + enabled: true + extraEnv: + - name: OIDC_ISSUER_URL + value: "https://your-idp.example.com" + - name: OIDC_REDIRECT_URL + value: "https://kagent.example.com/oauth2/callback" +``` + +## SAP AI Core Provider + +You can now use [SAP AI Core](https://help.sap.com/docs/sap-ai-core) as a model provider via the Orchestration Service. Configure a ModelConfig resource with the SAP AI Core provider to use SAP-hosted models with your agents. + +## Additional Changes + +* **Bedrock embedding support** — native Bedrock embedding models are now available for agent memory, extending the existing AWS Bedrock provider. +* **Token exchange for model auth** — a new authentication mechanism that supports token exchange for model configurations. +* **Prompt templates in UI** — prompt templates are now manageable directly in the UI. +* **Require approval toggle in UI** — you can now enable or disable the `requireApproval` setting for tools directly in the UI. +* **Enhanced Go ADK model config** — broader model and provider support in the Go runtime. +* **RBAC scope changes** — the `rbac.clusterScoped` Helm value is removed. RBAC scope is now derived from `rbac.namespaces`. +* **IPv6/dual-stack support** — agent bind host and UI probes now support IPv6 and dual-stack configurations. +* **AWS LoadBalancer annotations** — the UI Service now supports AWS LoadBalancer service annotations for easier AWS deployment. +* **Database migration tooling** — the database backend is refactored from GORM + AutoMigrate to golang-migrate + sqlc for more reliable schema migrations. +* **SSH auth for git-based skills** — fixed SSH authentication when loading skills from private Git repositories. +* **MCP connection error handling** — MCP connection errors are now returned to the LLM as context instead of raising exceptions. +* **Default model update** — the retired `claude-3-5-haiku-20241022` model is replaced with `claude-haiku-4-5`. +* **PostgreSQL 18.3-alpine** — the bundled PostgreSQL image is updated to reduce CVE surface area. # v0.8 From 998dfe39763e67df668c7669a1f9cdee8aff99de Mon Sep 17 00:00:00 2001 From: Kristin Brown Date: Thu, 23 Apr 2026 09:01:41 -0400 Subject: [PATCH 6/8] Update page.mdx Signed-off-by: Kristin Brown --- src/app/docs/kagent/resources/release-notes/page.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/app/docs/kagent/resources/release-notes/page.mdx b/src/app/docs/kagent/resources/release-notes/page.mdx index 2009f71a..64375b77 100644 --- a/src/app/docs/kagent/resources/release-notes/page.mdx +++ b/src/app/docs/kagent/resources/release-notes/page.mdx @@ -101,7 +101,7 @@ You can now use [SAP AI Core](https://help.sap.com/docs/sap-ai-core) as a model * **SSH auth for git-based skills** — fixed SSH authentication when loading skills from private Git repositories. * **MCP connection error handling** — MCP connection errors are now returned to the LLM as context instead of raising exceptions. * **Default model update** — the retired `claude-3-5-haiku-20241022` model is replaced with `claude-haiku-4-5`. -* **PostgreSQL 18.3-alpine** — the bundled PostgreSQL image is updated to reduce CVE surface area. + # v0.8 From aaa51ea083e1d7987acdac7c7229135725bf9314 Mon Sep 17 00:00:00 2001 From: Kristin Brown Date: Thu, 23 Apr 2026 09:10:52 -0400 Subject: [PATCH 7/8] Update src/app/docs/kagent/resources/release-notes/page.mdx Co-authored-by: Art Signed-off-by: Kristin Brown --- src/app/docs/kagent/resources/release-notes/page.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/app/docs/kagent/resources/release-notes/page.mdx b/src/app/docs/kagent/resources/release-notes/page.mdx index 64375b77..26fab38e 100644 --- a/src/app/docs/kagent/resources/release-notes/page.mdx +++ b/src/app/docs/kagent/resources/release-notes/page.mdx @@ -63,7 +63,7 @@ This release adds authentication only. Access control is not yet implemented. **What's included:** * A `ProxyAuthenticator` backend that extracts user identity (email, name, groups) from JWT claims. -* A `/api/me` endpoint that returns the current user's identity. +* An `/api/me` endpoint that returns the current user's identity. * A login page with SSO redirect and a user menu in the UI. * NetworkPolicies that restrict UI and controller access to oauth2-proxy when auth is enabled. From 778aea0431a58da4180447432d976d695a1c040d Mon Sep 17 00:00:00 2001 From: Kristin Brown Date: Thu, 23 Apr 2026 09:11:25 -0400 Subject: [PATCH 8/8] Changed order Signed-off-by: Kristin Brown --- src/app/docs/kagent/resources/release-notes/page.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/app/docs/kagent/resources/release-notes/page.mdx b/src/app/docs/kagent/resources/release-notes/page.mdx index 26fab38e..eb255754 100644 --- a/src/app/docs/kagent/resources/release-notes/page.mdx +++ b/src/app/docs/kagent/resources/release-notes/page.mdx @@ -89,6 +89,7 @@ You can now use [SAP AI Core](https://help.sap.com/docs/sap-ai-core) as a model ## Additional Changes +* **Default model update** — the retired `claude-3-5-haiku-20241022` model is replaced with `claude-haiku-4-5`. * **Bedrock embedding support** — native Bedrock embedding models are now available for agent memory, extending the existing AWS Bedrock provider. * **Token exchange for model auth** — a new authentication mechanism that supports token exchange for model configurations. * **Prompt templates in UI** — prompt templates are now manageable directly in the UI. @@ -100,7 +101,7 @@ You can now use [SAP AI Core](https://help.sap.com/docs/sap-ai-core) as a model * **Database migration tooling** — the database backend is refactored from GORM + AutoMigrate to golang-migrate + sqlc for more reliable schema migrations. * **SSH auth for git-based skills** — fixed SSH authentication when loading skills from private Git repositories. * **MCP connection error handling** — MCP connection errors are now returned to the LLM as context instead of raising exceptions. -* **Default model update** — the retired `claude-3-5-haiku-20241022` model is replaced with `claude-haiku-4-5`. + # v0.8