Deploy Koreshield on Kubernetes for production-grade scalability and reliability.

Quick Start with Helm

1

Add Helm Repository

# Register the chart repository under the local alias "Koreshield" and refresh
# the index. Charts are fetched from this URL, so confirm it is the vendor's
# official repository before installing anything from it.
helm repo add Koreshield https://charts.Koreshield.com
helm repo update
2

Install Koreshield

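# Install the chart with ingress enabled. The API key is read from the
# environment instead of being typed as a literal, so it does not land in shell
# history; export KORESHIELD_API_KEY first (variable name constructed for this
# example). The ${VAR:?} form aborts the command if the variable is unset.
# Helm keeps supplied values in the release record inside the cluster, so read
# access to Secrets in the release namespace is access to the key.
# Add --version <CHART_VERSION> to pin the chart so upgrades are deliberate.
# NOTE(review): Helm release names must be lowercase; use the lowercase form if
# Helm rejects the capitalised release name.
helm install Koreshield Koreshield/Koreshield \
  --set-string apiKey="${KORESHIELD_API_KEY:?export KORESHIELD_API_KEY first}" \
  --set ingress.enabled=true \
  --set ingress.host=Koreshield.yourdomain.com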

Manual Deployment

Namespace

namespace.yaml
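# Dedicated namespace for every Koreshield resource on this page.
apiVersion: v1
kind: Namespace
metadata:
  # NOTE(review): Kubernetes object names must be lowercase (RFC 1123); the API
  # server rejects capitalised names. Use the lowercase form of this name here
  # and in every manifest that references it.
  name: Koreshield
  labels:
    # Pod Security Standards in non-blocking modes: pods that violate the
    # "restricted" profile produce warnings and audit annotations but are still
    # admitted. Add pod-security.kubernetes.io/enforce once the workload
    # complies.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted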

ConfigMap

configmap.yaml
# Non-secret application settings. The Deployment on this page mounts this
# ConfigMap read-only at /app/config. Keep credentials out of it: ConfigMap
# contents are readable by anyone who can read the namespace's ConfigMaps.
apiVersion: v1
kind: ConfigMap
metadata:
  name: Koreshield-config
  namespace: Koreshield
data:
  # The whole value below is stored as one file named config.yaml.
  config.yaml: |
    sensitivity: medium
    log_level: info
    prometheus_enabled: true

Secret

Never commit secrets to version control. Use environment-specific secret management solutions.
secret.yaml
# Credentials consumed by the Deployment through secretKeyRef. Every value
# below is a placeholder: replace it before applying, and keep the populated
# file out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: Koreshield-secrets
  namespace: Koreshield
type: Opaque
# stringData takes plain text; the API server stores it base64-encoded, which
# is not encryption. Enable encryption at rest and restrict RBAC on Secrets.
stringData:
  api-key: ks_prod_xxxxxxxxxxxx
  # NOTE(review): user:pass is a placeholder, and the URL carries no TLS
  # option; confirm how the application enforces TLS to PostgreSQL.
  database-url: postgresql://user:pass@postgres:5432/Koreshield
  # NOTE(review): no password and a plaintext scheme; confirm whether Redis
  # requires authentication and TLS in your environment.
  redis-url: redis://redis:6379

Deployment

deployment.yaml
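# Runs three replicas of the Koreshield container. Credentials come from the
# Koreshield-secrets Secret as environment variables; configuration is mounted
# read-only from the Koreshield-config ConfigMap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: Koreshield
  namespace: Koreshield
spec:
  replicas: 3
  selector:
    matchLabels:
      app: Koreshield
  template:
    metadata:
      labels:
        app: Koreshield
        version: v2.0.0
    spec:
      # Pod-level hardening, mirroring the non-root rule of the pod security
      # policy shown on this page. The pod will not start if the image is
      # built to run as UID 0.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: Koreshield
          # NOTE(review): image repository names must be lowercase; use the
          # lowercase reference. A tag can be re-pushed, so consider pinning
          # by digest (image@sha256:<DIGEST>).
          image: Koreshield/Koreshield:2.0.0
          # Container-level hardening: no setuid-style privilege gain and no
          # Linux capabilities, as the page's pod security policy requires.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 9090
              name: metrics
          env:
            # Secrets passed as environment variables are visible to anything
            # that can read the process environment or exec into the pod.
            - name: Koreshield_API_KEY
              valueFrom:
                secretKeyRef:
                  name: Koreshield-secrets
                  key: api-key
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: Koreshield-secrets
                  key: database-url
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: Koreshield-secrets
                  key: redis-url
          resources:
            requests:
              memory: "2Gi"
              cpu: "1"
            limits:
              memory: "4Gi"
              cpu: "2"
          # Restart the container when /health stops answering.
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          # Keep the pod out of Service endpoints until /ready answers.
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
          volumeMounts:
            - name: config
              mountPath: /app/config
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: Koreshield-config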

Service

service.yaml
# Cluster-internal Service in front of the pods labelled app: Koreshield.
# ClusterIP keeps both ports off the node and load-balancer surface; external
# traffic is expected to arrive through the Ingress only.
apiVersion: v1
kind: Service
metadata:
  name: Koreshield
  namespace: Koreshield
  labels:
    app: Koreshield
spec:
  type: ClusterIP
  ports:
    # Application traffic: Service port 80 forwards to container port 8080.
    - port: 80
      targetPort: 8080
      protocol: TCP
      name: http
    # Metrics endpoint; the ServiceMonitor refers to this port by name.
    - port: 9090
      targetPort: 9090
      protocol: TCP
      name: metrics
  selector:
    app: Koreshield

Ingress

ingress.yaml
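# Publishes the Koreshield Service over HTTPS through the nginx ingress class,
# with a certificate requested from the letsencrypt-prod cluster issuer.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: Koreshield
  namespace: Koreshield
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # ingress-nginx has no "rate-limit" annotation, so that key is ignored and
    # no limit is applied. limit-rps caps requests per second per client IP;
    # use nginx.ingress.kubernetes.io/limit-rpm instead if the intended limit
    # was 100 per minute (the page does not state the unit).
    nginx.ingress.kubernetes.io/limit-rps: "100"
spec:
  ingressClassName: nginx
  tls:
    # NOTE(review): Ingress hosts must be lowercase; replace this placeholder
    # with your own lowercase hostname in both places below.
    - hosts:
        - Koreshield.yourdomain.com
      secretName: Koreshield-tls
  rules:
    - host: Koreshield.yourdomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: Koreshield
                port:
                  number: 80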

Helm Values

values.yaml
# Helm values mirroring the manual manifests on this page.
replicaCount: 3

image:
  repository: Koreshield/Koreshield
  tag: "2.0.0"
  pullPolicy: IfNotPresent

# Left empty so the key never lives in a committed values file. Helm stores
# whatever value is supplied in the release record inside the cluster.
apiKey: "" # Set via --set or secrets

service:
  type: ClusterIP
  port: 80

ingress:
  enabled: true
  className: nginx
  # Placeholder hostname; replace with your own (lowercase) host.
  host: Koreshield.yourdomain.com
  tls:
    enabled: true
    secretName: Koreshield-tls

resources:
  requests:
    memory: 2Gi
    cpu: 1
  limits:
    memory: 4Gi
    cpu: 2

autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80

# NOTE(review): no database password is set here; confirm how the chart
# generates or sources it before relying on the bundled PostgreSQL.
postgresql:
  enabled: true
  auth:
    database: Koreshield
    username: Koreshield

# NOTE(review): no Redis authentication setting is shown; confirm the
# chart's default before exposing Redis to other workloads.
redis:
  enabled: true
  architecture: standalone

prometheus:
  enabled: true
  serviceMonitor:
    enabled: true

Auto-Scaling

Horizontal Pod Autoscaler

hpa.yaml
# Scales the Koreshield Deployment between 3 and 10 replicas, targeting 70%
# average CPU and 80% average memory utilisation. Utilisation is measured
# against the container resource requests, so the Deployment must set them.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: Koreshield
  namespace: Koreshield
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: Koreshield
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80

Vertical Pod Autoscaler

vpa.yaml
# Lets the Vertical Pod Autoscaler adjust the Deployment's resource requests.
# The VPA custom resources and controller must be installed in the cluster.
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: Koreshield
  namespace: Koreshield
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: Koreshield
  updatePolicy:
    # "Auto" evicts pods to apply new requests. Do not combine it with an HPA
    # that scales the same Deployment on CPU or memory, as the HPA on this
    # page does: the two controllers act on the same signal.
    updateMode: "Auto"

Monitoring

ServiceMonitor for Prometheus

servicemonitor.yaml
# Tells the Prometheus Operator to scrape the Service labelled app: Koreshield
# on its "metrics" port every 30 seconds. Requires the Prometheus Operator
# custom resources to be installed.
# NOTE(review): the NetworkPolicy on this page admits only TCP 8080 from the
# ingress controller's namespace, so scrapes of port 9090 are dropped unless
# that policy also admits the Prometheus pods.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: Koreshield
  namespace: Koreshield
spec:
  selector:
    matchLabels:
      app: Koreshield
  endpoints:
    - port: metrics
      interval: 30s

Storage

Persistent Volume Claim

pvc.yaml
# Requests 50Gi of single-node read-write storage from the "fast-ssd" storage
# class, which must exist in the cluster.
# NOTE(review): the Deployment on this page does not mount this claim; add a
# volume and volumeMount there if the application needs persistent data.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: Koreshield-data
  namespace: Koreshield
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
  storageClassName: fast-ssd

Security

Network Policy

networkpolicy.yaml
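# Default-deny for the Koreshield pods in both directions, with explicit
# allowances: inbound HTTP from the ingress controller, outbound DNS, and
# outbound connections to PostgreSQL and Redis. Enforcement requires a CNI
# plugin that implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: Koreshield
  namespace: Koreshield
spec:
  podSelector:
    matchLabels:
      app: Koreshield
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set by the API server on every
              # namespace and cannot be edited, unlike a hand-applied "name"
              # label that any namespace could be given.
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
    # The metrics port (9090) is not admitted here, so Prometheus scrapes are
    # dropped. To allow them, add a rule like the one below with the namespace
    # that runs Prometheus:
    # - from:
    #     - namespaceSelector:
    #         matchLabels:
    #           kubernetes.io/metadata.name: <MONITORING_NAMESPACE>
    #   ports:
    #     - protocol: TCP
    #       port: 9090
  egress:
    # DNS: without this rule the pods cannot resolve the "postgres" and
    # "redis" service names used in the connection URLs.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # A bare podSelector matches pods in this namespace only.
    # NOTE(review): assumes the database pods carry app: postgres and
    # app: redis; verify against the labels your charts actually set.
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379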

Pod Security Policy

Pod Security Policies are deprecated in Kubernetes 1.25+. Consider using Pod Security Standards instead.
psp.yaml
# Cluster-scoped policy that forbids privileged containers, privilege
# escalation, root users and all Linux capabilities, and limits volume types.
# The policy/v1beta1 PodSecurityPolicy API was removed in Kubernetes 1.25, so
# this manifest applies only to older clusters; on current clusters use Pod
# Security Standards namespace labels or an admission policy engine instead.
# A policy takes effect only for service accounts granted "use" on it by RBAC.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: Koreshield
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Only these volume types may be mounted; hostPath is absent, so it is
  # denied.
  volumes:
    - configMap
    - secret
    - emptyDir
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # NOTE(review): no supplementalGroups rule is given; confirm whether your
  # API server requires one before applying.

Multi-Region Deployment

multi-region.yaml
# Illustrative fragments, one per cluster: each pins its pods to nodes in one
# region through required node affinity on topology.kubernetes.io/region.
# They omit selector, pod labels, containers and namespace, so merge the
# affinity stanza into the full Deployment rather than applying these as-is.
# Cluster 1 (us-east)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: Koreshield-us-east
spec:
  replicas: 3
  template:
    spec:
      affinity:
        nodeAffinity:
          # "required" is a hard constraint: pods stay Pending when no node in
          # the region can take them.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: topology.kubernetes.io/region
                    operator: In
                    values:
                      - us-east-1

---
# Cluster 2 (eu-west)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: Koreshield-eu-west
spec:
  replicas: 3
  template:
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: topology.kubernetes.io/region
                    operator: In
                    values:
                      - eu-west-1

Upgrade Strategy

upgrade-strategy.yaml
# Fragment showing only the rollout strategy; merge the strategy stanza into
# the full Deployment spec rather than applying this file on its own.
apiVersion: apps/v1
kind: Deployment
spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Start one extra pod at a time and never remove a ready pod before its
      # replacement is ready, so capacity does not drop during an upgrade.
      maxSurge: 1
      maxUnavailable: 0

Commands

# Deploy all resources
# The namespace goes first, then the Secret and ConfigMap the Deployment reads.
# secret.yaml must hold real values at this point; keep that file out of
# version control and remove it from disk afterwards.
# networkpolicy.yaml is not in this list: apply it as well if the traffic
# restrictions from the Security section are wanted.
kubectl apply -f namespace.yaml
kubectl apply -f secret.yaml
kubectl apply -f configmap.yaml
kubectl apply -f deployment.yaml
kubectl apply -f service.yaml
kubectl apply -f ingress.yaml
