Example — protect an agent end-to-end
This is a full worked example: take a customer-support chatbot from “no controls” to a namespace
where every tool call is enforced. Every manifest here also ships in the repo under
crds/examples/.
1. Describe the agent class
Section titled “1. Describe the agent class”An NrvqClass documents what kind of agent this is — its intended tool surface and trust
defaults. It seeds the policy/intent generators; it does not enforce on its own.
apiVersion: norviq.io/v1alpha1kind: NrvqClassmetadata: name: customer-supportspec: description: Customer-facing chatbot agents for orders, refunds, and product help allowedTools: [search_kb, get_customer, get_order, update_order_status, send_email] blockedTools: [execute_sql, delete_record, spawn_pod, exec_shell] maxCallsPerMinute: 60 initialTrustScore: 0.8 trustThreshold: 0.4kubectl apply -f class-customer-support.yaml2. Enforce with a policy
Section titled “2. Enforce with a policy”An NrvqPolicy supplies the actual decision. Start with a strict preset in block mode,
targeting the class:
apiVersion: norviq.io/v1alpha1kind: NrvqPolicymetadata: name: chatbot-strict namespace: chatbot-prodspec: target: agentClass: customer-support enforcementMode: block preset: strict # strict | moderate | permissive — or supply custom `rego` priority: 200Add a namespace baseline as a floor for everything in the namespace, regardless of class.
Running it in audit first lets you watch before you block:
apiVersion: norviq.io/v1alpha1kind: NrvqPolicymetadata: name: prod-baseline namespace: chatbot-prodspec: target: namespace: chatbot-prod # applies to every agent in the namespace enforcementMode: audit preset: permissive priority: 50kubectl apply -f policy-strict-chatbot.yamlkubectl apply -f policy-namespace-baseline.yaml
# confirm the controller synced them to the enginekubectl get nrvqpolicy -n chatbot-prodResolution is by numeric priority — the highest-priority policy wins, with the most-restrictive
decision breaking ties. Here the class policy (200) outranks the namespace baseline (50) because
those priorities encode that intent; a namespace policy with a higher number would win instead. See
Concepts → Policy tiers.
3. Deploy the agent and turn on enforcement
Section titled “3. Deploy the agent and turn on enforcement”Label the namespace so the mutating webhook injects the enforcement sidecar into every pod, then tell each agent pod which class it is:
kubectl label namespace chatbot-prod norviq-injection=enabledapiVersion: apps/v1kind: Deploymentmetadata: name: support-agent namespace: chatbot-prodspec: template: metadata: labels: norviq.io/agent-class: customer-support # binds this pod to the class above spec: containers: - name: agent image: your-org/support-agent:latestkubectl apply -f agent-deployment.yaml# the sidecar is injected automatically; no image change to your agent4. Confirm it enforces
Section titled “4. Confirm it enforces”An allowed tool call passes; a destructive one is blocked before it runs:
# a normal call — allowednorviq audit list -n chatbot-prod -d allow --range 1h
# prove a block: run the built-in red team against the classnorviq redteam run --namespace chatbot-prod --agent customer-supportYou should see the suite’s execute_sql / exec_shell attempts land as block in the audit log,
while its benign search_kb probe is allowed. Watch it live in the console’s audit stream, or graph the
agent’s real reach under Asset Graph / Attack Graph — see
Asset & attack graphs for the full discovery-and-defense loop.
- Writing policies — author custom Rego instead of a preset
- CLI reference —
norviq policy,norviq audit,norviq redteam - Deployment — HA, cloud (AKS), and multi-cluster fleet