bascule-oss/docs/kubernetes.md
Tyler King 2fa92f8635 docs: comprehensive documentation + developer experience polish
New files:
  CONTRIBUTING.md — dev setup, code style, PR process
  CLAUDE.md — workspace context for Claude Code
  Makefile — build, test, lint, fmt, docker, helm-lint, dev, ci
  .editorconfig — consistent formatting
  rustfmt.toml — Rust formatting config
  docs/kubernetes.md — Helm install, values, architecture
  docs/bascule-shell.md — client shell install, config, TPM
  charts/bascule/README.md — Helm quick start

Updated:
  README.md — accurate feature matrix, clear shipped vs planned
  config/bascule.example.toml — full reference (72 lines, all fields)

All 15 README links verified valid.
Helm lint clean. Build passes. 0 substrate deps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 10:53:08 -04:00


# Kubernetes Deployment

## Helm Install

```bash
helm install bascule charts/bascule/
```

## Common Options

```bash
# NodePort access
helm install bascule charts/bascule/ --set service.type=NodePort

# Authorized keys from a Secret
kubectl create secret generic bascule-keys --from-file=authorized_keys=$HOME/.ssh/authorized_keys
helm install bascule charts/bascule/ --set auth.authorizedKeysSecret=bascule-keys

# Custom shell image
helm install bascule charts/bascule/ --set shell.image.tag=net-ops
```

Two things to check before running these. Every public key in the Secret's `authorized_keys` becomes an operator who can open a shell in the Pod, so build that file from the keys you actually intend to authorize rather than copying a personal `~/.ssh/authorized_keys` wholesale. `NodePort` exposes the SSH proxy on a high port on every node's address, so restrict reachability with a firewall or security group; `LoadBalancer` (the default) is usually the easier thing to scope.

## Architecture

The chart deploys a Pod with two containers:

- `bascule`: the SSH proxy, listening on port 2222
- `shell`: the operator environment, built from the configured image; it only sleeps until a session exec's into it

Operators SSH to Bascule. For each session, Bascule exec's into the shell container through the Kubernetes API (the `pods/exec` subresource). Multiple operators share the Pod: each gets a separate exec session, but all of them run in the same shell container and therefore share its filesystem, process namespace and network identity. Treat that container as a shared workstation, not as per-operator isolation.

## Security Defaults

- NetworkPolicy: egress from the Pod is restricted to DNS and the Kubernetes API; everything else is dropped
- RBAC: a namespaced Role granting `pods/exec` only, nothing cluster-wide. `pods/exec` in a namespace covers every Pod in that namespace, so install Bascule into a dedicated namespace
- SecurityContext: `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` on the shell container; the exec'd operator process inherits both
- Host key: stored on a volume so it stays stable across Pod restarts and operators do not see host-key-changed warnings
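
The manifests below are an added example, not the chart's own templates: they show one plausible rendering of the three security defaults above, so that you can compare them against `helm template charts/bascule/` output or reuse them when the chart is not an option. Every name in them is an assumption: namespace `bascule`, ServiceAccount `bascule`, Pod label `app.kubernetes.io/name=bascule`, the kube-dns label `k8s-app=kube-dns`, the API address `10.96.0.1` and the image name.

```yaml
# Added example (not from the bascule chart). Names, labels and addresses are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bascule-egress
  namespace: bascule
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: bascule
  policyTypes:
    - Egress                 # any egress not matched below is denied
  egress:
    # 1. DNS: only the cluster resolver in kube-system
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # 2. Kubernetes API: needed for the pods/exec call that opens each session
    - to:
        - ipBlock:
            cidr: 10.96.0.1/32    # assumed ClusterIP of the "kubernetes" Service; see note below
      ports:
        - protocol: TCP
          port: 443
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: bascule-exec
  namespace: bascule
rules:
  # "get" on pods lets the proxy look up the Pod and choose the shell container;
  # "create" on pods/exec is what actually opens a session. No list, no delete,
  # no cluster scope.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bascule-exec
  namespace: bascule
subjects:
  - kind: ServiceAccount
    name: bascule
    namespace: bascule
roleRef:
  kind: Role
  name: bascule-exec
  apiGroup: rbac.authorization.k8s.io
---
# Fragment of the Pod template: the shell container and its securityContext.
# An exec'd operator process inherits these settings, so a setuid binary in the
# image gains nothing and no dropped capability can be re-acquired.
containers:
  - name: shell
    image: ghcr.io/example/bascule-shell:k8s-ops   # assumed image name
    command: ["sleep", "infinity"]                 # idle until exec'd into
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Two checks after install. First, confirm the Role is scoped the way you expect: `kubectl auth can-i create pods/exec --as=system:serviceaccount:bascule:bascule -n bascule` should answer `yes`, and the same command with `-n kube-system` should answer `no`. Second, the API-server rule is the usual NetworkPolicy trap: some CNIs evaluate egress after the Service DNAT, in which case the traffic is seen heading to the real API server addresses rather than the ClusterIP. `kubectl get endpoints kubernetes -n default` lists those addresses; allow them too if a session hangs on connect while DNS still works. Consider also setting `runAsNonRoot: true` on the shell container if the image supports it; the chart's stated defaults do not include it.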

## Values Reference

See `values.yaml` for all options.

| Key | Default | Description |
|---|---|---|
| `shell.image.tag` | `k8s-ops` | Shell image variant |
| `auth.mode` | `authorized-keys` | Auth mode |
| `service.type` | `LoadBalancer` | Service type |
| `maxSessions` | `100` | Max concurrent SSH sessions |
| `networkPolicy.enabled` | `true` | Enable network restrictions (egress limited to DNS and the K8s API) |