bascule-oss/docs/kubernetes.md
Tyler King 2fa92f8635 docs: comprehensive documentation + developer experience polish
New files:
  CONTRIBUTING.md — dev setup, code style, PR process
  CLAUDE.md — workspace context for Claude Code
  Makefile — build, test, lint, fmt, docker, helm-lint, dev, ci
  .editorconfig — consistent formatting
  rustfmt.toml — Rust formatting config
  docs/kubernetes.md — Helm install, values, architecture
  docs/bascule-shell.md — client shell install, config, TPM
  charts/bascule/README.md — Helm quick start

Updated:
  README.md — accurate feature matrix, clear shipped vs planned
  config/bascule.example.toml — full reference (72 lines, all fields)

All 15 README links verified valid.
Helm lint clean. Build passes. 0 substrate deps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 10:53:08 -04:00


# Kubernetes Deployment
## Helm Install
```bash
helm install bascule charts/bascule/
```
### Common Options
```bash
# NodePort access
helm install bascule charts/bascule/ --set service.type=NodePort
# Authorized keys from a Secret
kubectl create secret generic bascule-keys --from-file=authorized_keys=$HOME/.ssh/authorized_keys
helm install bascule charts/bascule/ --set auth.authorizedKeysSecret=bascule-keys
# Custom shell image
helm install bascule charts/bascule/ --set shell.image.tag=net-ops
```
## Architecture
The chart deploys a Pod with two containers:
- **bascule** — the SSH proxy (port 2222)
- **shell** — the operator environment (configured image, sleeps until exec'd)

Operators SSH to Bascule. Bascule exec's into the shell container for each session. Multiple operators share the Pod with separate exec sessions.
## Security Defaults
- **NetworkPolicy**: egress restricted to DNS + K8s API
- **RBAC**: minimal Role (pods/exec in own namespace only)
- **SecurityContext**: no privilege escalation, cap-drop ALL on shell container
- **Host key**: persisted via volume (stable across restarts)
## Values Reference
See [values.yaml](../charts/bascule/values.yaml) for all options.

| Key | Default | Description |
|-----|---------|-------------|
| `shell.image.tag` | `k8s-ops` | Shell image variant |
| `auth.mode` | `authorized-keys` | Auth mode |
| `service.type` | `LoadBalancer` | Service type |
| `maxSessions` | `100` | Max concurrent SSH sessions |
| `networkPolicy.enabled` | `true` | Enable network restrictions |
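The `--set` flags above get unwieldy once several are combined, and a values file is easier to review in a PR. The following override file is an added example written for this page, not a file shipped with the chart; it uses only the keys documented in this document (`service.type`, `auth.mode`, `auth.authorizedKeysSecret`, `shell.image.tag`, `maxSessions`, `networkPolicy.enabled`), and the Secret name `bascule-keys` and the value `20` for `maxSessions` are constructed choices.

```yaml
# values-prod.yaml: constructed override for the bascule chart (example, not part of the chart).
# Install with:
#   helm install bascule charts/bascule/ -f values-prod.yaml

# Expose on a NodePort instead of the default LoadBalancer, e.g. when the cluster
# has no external load balancer integration.
service:
  type: NodePort

# Operator public keys come from a Secret rather than from the image, so key
# rotation is a Secret update, not a rebuild. Create the Secret first:
#   kubectl create secret generic bascule-keys \
#     --from-file=authorized_keys=$HOME/.ssh/authorized_keys
auth:
  mode: authorized-keys
  authorizedKeysSecret: bascule-keys

# Choose the shell variant operators actually need; k8s-ops is the documented default
# and net-ops is the other tag named in this document.
shell:
  image:
    tag: k8s-ops

# Bound concurrent SSH sessions below the default of 100 so a leaked or
# scripted credential cannot exhaust the Pod (20 is a constructed value).
maxSessions: 20

# Keep the egress NetworkPolicy (DNS + K8s API only) enabled; this is the
# documented default, restated here so a reviewer sees it explicitly.
networkPolicy:
  enabled: true
```

After installing, `helm get values bascule` shows exactly the keys set here, which makes it easy to diff a deployed release against the file committed in version control.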