Skip to content

Kubernetes Deployment

Deploy GLACIS sidecars on Kubernetes for on-premises or cloud-native environments with strict network controls.

Why Kubernetes?

Zero-egress enforcement: NetworkPolicy restricts all outbound traffic
On-premises: Deploy in your own data center
Multi-cloud: Works on any Kubernetes cluster
Fine-grained control: Full control over networking and security

Prerequisites

Kubernetes cluster (1.24+)
kubectl configured
GLACIS organization and API key

Quick Start

Create namespace and secrets

kubectl create namespace glacis

kubectl create secret generic glacis-secrets -n glacis \
  --from-literal=api-key=glc_your_api_key \
  --from-literal=openai-key=sk-your-openai-key

Apply deployment

kubectl apply -f https://raw.githubusercontent.com/glacis-io/sidecar/main/deploy/kubernetes/deployment.yaml

Apply NetworkPolicy

kubectl apply -f https://raw.githubusercontent.com/glacis-io/sidecar/main/deploy/kubernetes/network-policy.yaml

Deployment Manifest

apiVersion: apps/v1
kind: Deployment
metadata:
  name: glacis-sidecar
  namespace: glacis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: glacis-sidecar
  template:
    metadata:
      labels:
        app: glacis-sidecar
    spec:
      containers:
      - name: sidecar
        image: ghcr.io/glacis-io/sidecar:latest
        ports:
        - containerPort: 8080
        env:
        - name: GLACIS_ORG_ID
          value: "org_your_org_id"
        - name: GLACIS_API_KEY
          valueFrom:
            secretKeyRef:
              name: glacis-secrets
              key: api-key
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "500m"

NetworkPolicy (Zero-Egress)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: glacis-zero-egress
  namespace: glacis
spec:
  podSelector:
    matchLabels:
      app: glacis-sidecar
  policyTypes:
  - Egress
  egress:
  # Allow only GLACIS services
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443
  # Allow DNS
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53

Service

apiVersion: v1
kind: Service
metadata:
  name: glacis-sidecar
  namespace: glacis
spec:
  selector:
    app: glacis-sidecar
  ports:
  - port: 80
    targetPort: 8080
  type: ClusterIP

Performance

Metric	Value
Cold start	0ms (always on)
Request overhead	~10ms
Memory	128-256Mi

Next Steps