# Kubernetes Deployment

## Helm Install

```bash
helm install bascule charts/bascule/
```

### Common Options

```bash
# NodePort access
helm install bascule charts/bascule/ --set service.type=NodePort

# Authorized keys from a Secret
kubectl create secret generic bascule-keys --from-file=authorized_keys=$HOME/.ssh/authorized_keys
helm install bascule charts/bascule/ --set auth.authorizedKeysSecret=bascule-keys

# Custom shell image
helm install bascule charts/bascule/ --set shell.image.tag=net-ops
```

## Architecture

The chart deploys a Pod with two containers:

- **bascule** — the SSH proxy (port 2222)
- **shell** — the operator environment (configured image, sleeps until exec'd)

Operators SSH to Bascule. Bascule exec's into the shell container for each session. Multiple operators share the Pod with separate exec sessions.

## Security Defaults

- **NetworkPolicy**: egress restricted to DNS + K8s API
- **RBAC**: minimal Role (pods/exec in own namespace only)
- **SecurityContext**: no privilege escalation, cap-drop ALL on shell container
- **Host key**: persisted via volume (stable across restarts)

## Values Reference

See [values.yaml](../charts/bascule/values.yaml) for all options.

| Key | Default | Description |
|-----|---------|-------------|
| `shell.image.tag` | `k8s-ops` | Shell image variant |
| `auth.mode` | `authorized-keys` | Auth mode |
| `service.type` | `LoadBalancer` | Service type |
| `maxSessions` | `100` | Max concurrent SSH sessions |
| `networkPolicy.enabled` | `true` | Enable network restrictions |
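The Security Defaults above are worth verifying against what the chart actually renders, since a `--set` override or a chart edit can silently loosen them. The checker below is an added example, not part of the Bascule project: it assumes standard Kubernetes API object shapes (Role, NetworkPolicy, Pod or a workload with a pod template), assumes the API server is reached on port 443 or 6443, and runs on a constructed sample rather than the chart's real output.

```python
"""Added check: verify rendered Bascule manifests against the documented security defaults.
Feed it the objects from `helm template bascule charts/bascule/` converted to JSON, or the
.items list of `kubectl get role,networkpolicy,deploy -o json`."""
import json

# Assumption: DNS on 53 and the API server on 443 or 6443; the chart's actual values are not on this page.
ALLOWED_EGRESS_PORTS = {53, 443, 6443}

def check_manifests(objs):
    """Return a list of findings; an empty list means every documented default holds."""
    findings = []
    for o in objs:
        kind, name = o.get("kind"), o.get("metadata", {}).get("name", "?")
        if kind == "ClusterRole":
            findings.append(f"ClusterRole {name}: cluster-wide rights, expected a namespaced Role")
        elif kind == "Role":
            for rule in o.get("rules", []):
                extra = set(rule.get("resources", [])) - {"pods/exec"}
                if extra:
                    findings.append(f"Role {name}: grants more than pods/exec: {sorted(extra)}")
        elif kind == "NetworkPolicy":
            spec = o.get("spec", {})
            if "Egress" not in spec.get("policyTypes", []):
                findings.append(f"NetworkPolicy {name}: egress is not restricted")
            for rule in spec.get("egress", []):
                ports = {p.get("port") for p in rule.get("ports", [])}
                if not ports or not ports <= ALLOWED_EGRESS_PORTS:  # a rule without ports allows all ports
                    findings.append(f"NetworkPolicy {name}: egress beyond DNS + API: {sorted(ports, key=str) or 'all'}")
        else:  # Pod, or a workload carrying a pod template (Deployment, StatefulSet, ...)
            pod = o.get("spec", {}) if kind == "Pod" else o.get("spec", {}).get("template", {}).get("spec", {})
            for c in pod.get("containers", []):
                sc = c.get("securityContext", {})
                if sc.get("allowPrivilegeEscalation") is not False:
                    findings.append(f"{kind} {name}/{c['name']}: allowPrivilegeEscalation must be false")
                if c["name"] == "shell" and "ALL" not in sc.get("capabilities", {}).get("drop", []):
                    findings.append(f"{kind} {name}/shell: capabilities.drop must include ALL")
    return findings

# Constructed sample (not the chart's real output): a trimmed rendering in the shape the checks expect.
SAMPLE = json.loads("""[
 {"kind": "Role", "metadata": {"name": "bascule"},
  "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
 {"kind": "NetworkPolicy", "metadata": {"name": "bascule"},
  "spec": {"policyTypes": ["Egress"], "egress": [{"ports": [{"port": 53, "protocol": "UDP"}]},
                                                  {"ports": [{"port": 443, "protocol": "TCP"}]}]}},
 {"kind": "Deployment", "metadata": {"name": "bascule"}, "spec": {"template": {"spec": {"containers": [
   {"name": "bascule", "securityContext": {"allowPrivilegeEscalation": false}},
   {"name": "shell", "securityContext": {"allowPrivilegeEscalation": false,
                                         "capabilities": {"drop": ["ALL"]}}}]}}}}
]""")
if __name__ == "__main__":
    print(check_manifests(SAMPLE) or "all documented security defaults present")
```

Run it after `helm template` in CI so a values override that widens egress or restores capabilities on the shell container fails the pipeline before `helm install`.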