Allow and deny messagesv3.8+
Allow messages about a topic as long as they don’t contain information about another topic.
For example, only allow questions about DevOps that aren’t related to exploiting vulnerabilities. Topics on the deny list take precedence over the allowed topics.
For a detailed walkthrough, see Use AI Semantic Prompt Guard plugin to govern your LLM traffic.
Prerequisites
-
AI Proxy plugin or AI Proxy Advanced plugin configured with an LLM service.
-
A Redis instance.
-
Port
6379, or your custom Redis port is open and reachable from Kong Gateway.
Environment variables
-
OPENAI_API_KEY: Your OpenAI API key -
REDIS_HOST: The host where your Redis instance runs
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: ai-semantic-prompt-guard
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: ${{ env "DECK_REDIS_HOST" }}
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
Copied to clipboard!
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: ai-semantic-prompt-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
labels:
global: 'true'
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: '$REDIS_HOST'
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Copied to clipboard!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied to clipboard!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "redis"
distance_metric = "cosine"
threshold = 0.5
dimensions = 1024
redis = {
host = var.redis_host
port = 6379
}
}
rules = {
match_all_conversation_history = true
allow_prompts = ["Network troubleshooting and diagnostics", "Cloud infrastructure management (AWS, Azure, GCP)", "Cybersecurity best practices and incident response", "DevOps workflows and automation", "Programming concepts and language usage", "IT policy and compliance guidance", "Software development lifecycle and CI/CD", "Documentation writing and technical explanation", "System administration and configuration", "Productivity and collaboration tools usage"]
deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Copied to clipboard!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redis_host" {
type = string
}
Copied to clipboard!
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: ai-semantic-prompt-guard
service: serviceName|Id
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: ${{ env "DECK_REDIS_HOST" }}
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-semantic-prompt-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: '$REDIS_HOST'
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Copied to clipboard!
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-semantic-prompt-guard
Copied to clipboard!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied to clipboard!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "redis"
distance_metric = "cosine"
threshold = 0.5
dimensions = 1024
redis = {
host = var.redis_host
port = 6379
}
}
rules = {
match_all_conversation_history = true
allow_prompts = ["Network troubleshooting and diagnostics", "Cloud infrastructure management (AWS, Azure, GCP)", "Cybersecurity best practices and incident response", "DevOps workflows and automation", "Programming concepts and language usage", "IT policy and compliance guidance", "Software development lifecycle and CI/CD", "Documentation writing and technical explanation", "System administration and configuration", "Productivity and collaboration tools usage"]
deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
Copied to clipboard!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redis_host" {
type = string
}
Copied to clipboard!
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: ai-semantic-prompt-guard
route: routeName|Id
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: ${{ env "DECK_REDIS_HOST" }}
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-semantic-prompt-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: '$REDIS_HOST'
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Copied to clipboard!
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=ai-semantic-prompt-guard
Copied to clipboard!
kubectl annotate -n kong ingress konghq.com/plugins=ai-semantic-prompt-guard
Copied to clipboard!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied to clipboard!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "redis"
distance_metric = "cosine"
threshold = 0.5
dimensions = 1024
redis = {
host = var.redis_host
port = 6379
}
}
rules = {
match_all_conversation_history = true
allow_prompts = ["Network troubleshooting and diagnostics", "Cloud infrastructure management (AWS, Azure, GCP)", "Cybersecurity best practices and incident response", "DevOps workflows and automation", "Programming concepts and language usage", "IT policy and compliance guidance", "Software development lifecycle and CI/CD", "Documentation writing and technical explanation", "System administration and configuration", "Productivity and collaboration tools usage"]
deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
Copied to clipboard!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redis_host" {
type = string
}
Copied to clipboard!
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: ai-semantic-prompt-guard
consumer: consumerName|Id
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: ${{ env "DECK_REDIS_HOST" }}
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerId: Theidof the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-semantic-prompt-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: '$REDIS_HOST'
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Copied to clipboard!
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong CONSUMER_NAME konghq.com/plugins=ai-semantic-prompt-guard
Copied to clipboard!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied to clipboard!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "redis"
distance_metric = "cosine"
threshold = 0.5
dimensions = 1024
redis = {
host = var.redis_host
port = 6379
}
}
rules = {
match_all_conversation_history = true
allow_prompts = ["Network troubleshooting and diagnostics", "Cloud infrastructure management (AWS, Azure, GCP)", "Cybersecurity best practices and incident response", "DevOps workflows and automation", "Programming concepts and language usage", "IT policy and compliance guidance", "Software development lifecycle and CI/CD", "Documentation writing and technical explanation", "System administration and configuration", "Productivity and collaboration tools usage"]
deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer = {
id = konnect_gateway_consumer.my_consumer.id
}
}
Copied to clipboard!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redis_host" {
type = string
}
Copied to clipboard!
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: ai-semantic-prompt-guard
consumer_group: consumerGroupName|Id
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: ${{ env "DECK_REDIS_HOST" }}
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-semantic-prompt-guard",
"config": {
"embeddings": {
"auth": {
"header_name": "Authorization",
"header_value": "Bearer '$OPENAI_API_KEY'"
},
"model": {
"name": "text-embedding-3-small",
"provider": "openai"
}
},
"search": {
"threshold": 0.7
},
"vectordb": {
"strategy": "redis",
"distance_metric": "cosine",
"threshold": 0.5,
"dimensions": 1024,
"redis": {
"host": "'$REDIS_HOST'",
"port": 6379
}
},
"rules": {
"match_all_conversation_history": true,
"allow_prompts": [
"Network troubleshooting and diagnostics",
"Cloud infrastructure management (AWS, Azure, GCP)",
"Cybersecurity best practices and incident response",
"DevOps workflows and automation",
"Programming concepts and language usage",
"IT policy and compliance guidance",
"Software development lifecycle and CI/CD",
"Documentation writing and technical explanation",
"System administration and configuration",
"Productivity and collaboration tools usage"
],
"deny_prompts": [
"Hacking techniques or penetration testing without authorization",
"Bypassing software licensing or digital rights management",
"Instructions on exploiting vulnerabilities or writing malware",
"Circumventing security controls or access restrictions",
"Gathering personal or confidential employee information",
"Using AI to impersonate or phish others",
"Social engineering tactics or manipulation techniques",
"Guidance on violating company IT policies",
"Content unrelated to work, such as entertainment or dating",
"Political, religious, or sensitive non-work-related discussions"
]
}
}
}
'
Copied to clipboard!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerGroupId: Theidof the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-semantic-prompt-guard
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
embeddings:
auth:
header_name: Authorization
header_value: Bearer $OPENAI_API_KEY
model:
name: text-embedding-3-small
provider: openai
search:
threshold: 0.7
vectordb:
strategy: redis
distance_metric: cosine
threshold: 0.5
dimensions: 1024
redis:
host: '$REDIS_HOST'
port: 6379
rules:
match_all_conversation_history: true
allow_prompts:
- Network troubleshooting and diagnostics
- Cloud infrastructure management (AWS, Azure, GCP)
- Cybersecurity best practices and incident response
- DevOps workflows and automation
- Programming concepts and language usage
- IT policy and compliance guidance
- Software development lifecycle and CI/CD
- Documentation writing and technical explanation
- System administration and configuration
- Productivity and collaboration tools usage
deny_prompts:
- Hacking techniques or penetration testing without authorization
- Bypassing software licensing or digital rights management
- Instructions on exploiting vulnerabilities or writing malware
- Circumventing security controls or access restrictions
- Gathering personal or confidential employee information
- Using AI to impersonate or phish others
- Social engineering tactics or manipulation techniques
- Guidance on violating company IT policies
- Content unrelated to work, such as entertainment or dating
- Political, religious, or sensitive non-work-related discussions
plugin: ai-semantic-prompt-guard
" | kubectl apply -f -
Copied to clipboard!
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong CONSUMERGROUP_NAME konghq.com/plugins=ai-semantic-prompt-guard
Copied to clipboard!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied to clipboard!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_semantic_prompt_guard" "my_ai_semantic_prompt_guard" {
enabled = true
config = {
embeddings = {
auth = {
header_name = "Authorization"
header_value = "Bearer var.openai_api_key"
}
model = {
name = "text-embedding-3-small"
provider = "openai"
}
}
search = {
threshold = 0.7
}
vectordb = {
strategy = "redis"
distance_metric = "cosine"
threshold = 0.5
dimensions = 1024
redis = {
host = var.redis_host
port = 6379
}
}
rules = {
match_all_conversation_history = true
allow_prompts = ["Network troubleshooting and diagnostics", "Cloud infrastructure management (AWS, Azure, GCP)", "Cybersecurity best practices and incident response", "DevOps workflows and automation", "Programming concepts and language usage", "IT policy and compliance guidance", "Software development lifecycle and CI/CD", "Documentation writing and technical explanation", "System administration and configuration", "Productivity and collaboration tools usage"]
deny_prompts = ["Hacking techniques or penetration testing without authorization", "Bypassing software licensing or digital rights management", "Instructions on exploiting vulnerabilities or writing malware", "Circumventing security controls or access restrictions", "Gathering personal or confidential employee information", "Using AI to impersonate or phish others", "Social engineering tactics or manipulation techniques", "Guidance on violating company IT policies", "Content unrelated to work, such as entertainment or dating", "Political, religious, or sensitive non-work-related discussions"]
}
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer_group = {
id = konnect_gateway_consumer_group.my_consumer_group.id
}
}
Copied to clipboard!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "redis_host" {
type = string
}
Copied to clipboard!