|
| 1 | +—---With KYA —---- |
| 2 | +Agent Client with KYA Registration and Policy-Based Authorization |
| 3 | + |
| 4 | +``` |
| 5 | +\+-------------------------------------------+ |
| 6 | +| START: Agent (Github action, claude, cursor| |
| 7 | +\+-------------------------------------------+ |
| 8 | + | |
| 9 | + v |
| 10 | +\+--------------------------+ |
| 11 | +| AI Gateway (Envoy) | |
| 12 | +| (mcp.prod.env.corp.net) |
| 13 | +\+--------------------------+ |
| 14 | + | |
| 15 | + v |
| 16 | +\+--------------------------+ |
| 17 | +| KYA Registration/Attestation| |
| 18 | +| 1. Agent registers with attributes/proves identity (KYA credential/VC) |
| 19 | +\+--------------------------+ |
| 20 | + | Token Request (KYA Proof, Location, Time Context) |
| 21 | + v |
| 22 | +\+--------------------------+ |
| 23 | +| Authorization Service | |
| 24 | +| (Policy Evaluation) | |
| 25 | +| 1. Validate KYA Attestation |
| 26 | +| 2. Evaluate Policy (based on Location, Time, etc.) |
| 27 | +| 3. Issue Initial Token (e.g., JWT with claims) |
| 28 | +\+--------------------------+ |
| 29 | + | Initial Token Issued |
| 30 | + | |
| 31 | +\+--------------------------+ |
| 32 | +| Agent Client (Send Request)| |
| 33 | +\+--------------------------+ |
| 34 | + | Request sent with Initial Token (e.g., JWT) |
| 35 | + v |
| 36 | +\+--------------------------+ |
| 37 | +| AI Gateway (Envoy) | |
| 38 | +| (mcp.staging/prod.env.corp.net) |
| 39 | +\+--------------------------+ |
| 40 | + | MCPRoute intercepts request |
| 41 | + v |
| 42 | +\+--------------------------+ |
| 43 | +| Initial Token Validation | |
| 44 | +| 1. Extract Initial Token |
| 45 | +| 2. Validate Token (domain, org, signature, claims, expiration) |
| 46 | +\+--------------------------+ |
| 47 | + | |
| 48 | + +--\[Validation Fails\]---\> Request Rejected (END) |
| 49 | + | |
| 50 | + +--\[Validation Success\]--\> Token Exchange Request |
| 51 | + v |
| 52 | +\+--------------------------+ |
| 53 | +| Token Exchange Service | |
| 54 | +| 1. Exchanges Initial Token for | |
| 55 | +| API/Domain specific Token | |
| 56 | +| after Caller/Callee badge/cert verification | |
| 57 | +\+--------------------------+ |
| 58 | + | New Token attached to request |
| 59 | + v |
| 60 | +\+--------------------------+ |
| 61 | +| Routing | |
| 62 | +\+--------------------------+ |
| 63 | + / \ |
| 64 | + / \ |
| 65 | + v v |
| 66 | +\+-----------------+ +----------------------+ |
| 67 | +| Flux MCP Server | | Victoria Metrics MCP | |
| 68 | +| (:9090/mcp) | | (:8080/mcp) | |
| 69 | +\+-----------------+ \+----------------------+ |
| 70 | + | Remote or local origin access | |
| 71 | + v v |
| 72 | +\+-------------------------------------------+ |
| 73 | +| connects to API/tool( eg read-only mode) using| |
| 74 | +| API/domain specific Token | |
| 75 | +\+--------------------------------------------+ |
| 76 | + | |
| 77 | + v |
| 78 | + +-------+ |
| 79 | + | END | |
| 80 | + +-------+ |
| 81 | + +------------------------------+ |
| 82 | + | Connects to \`vmselect\` service | |
| 83 | + | in telemetry-system namespace | |
| 84 | + | using API/domain specific Token | |
| 85 | + +------------------------------+ |
| 86 | + | |
| 87 | + v |
| 88 | + +-------+ |
| 89 | + | END | |
| 90 | + +-------+ |
| 91 | +``` |
0 commit comments