Kubernetes Deployment
For scaled or managed production, RedCloud’s backend runs on Kubernetes.
Summary
The manifest k8s/deployment.yaml defines three objects for the backend. PostgreSQL and the license server are provided externally in this model, and the referenced Secrets and ServiceAccount are created by you.
What the manifest creates
| Object | Details |
|---|---|
| Deployment redcloud | 2 replicas, image redcloud/cspm:latest, container port 9900. Uses a Workload Identity service account (redcloud-vertex-ksa) bound to a GCP service account for Vertex AI. Environment comes from the redcloud-secrets Secret. Requests 512Mi / 250m, limits 2Gi / 1000m. Liveness and readiness probes hit /health. |
| Service redcloud | ClusterIP, port 80 → targetPort 9900. |
| PersistentVolumeClaim redcloud-scans-pvc | ReadWriteOnce, 10Gi, mounted at /app/out for scan output. |
What you provide
These are referenced by the manifest but created separately:
| Object | Purpose |
|---|---|
| Secret redcloud-secrets | All environment configuration (see Configuration) — HMAC_KEY, API_KEY, ENCRYPTION_KEY, DATABASE_URL, license, etc. |
| Secret gcp-sa-key | GCP service-account key, mounted read-only at /app/credentials. |
| ServiceAccount redcloud-vertex-ksa | Kubernetes SA wired to a GCP SA via Workload Identity (e.g. roles/aiplatform.user). |
| PostgreSQL 16 | Reachable via the DATABASE_URL in redcloud-secrets (managed service or in-cluster). |
| License server | Reachable via LICENSE_SERVER_URL (HTTPS in production). |
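To show how the two tables above fit together, here is an illustrative Deployment reconstructed from the details listed on this page; it is an added example, not the shipped k8s/deployment.yaml, and the label names, probe ports and the inline resource notation are assumptions. The security-relevant wiring is the points to check in the real manifest: the pod runs as the Workload Identity service account rather than a default SA, all configuration comes from the redcloud-secrets Secret instead of inline values, the gcp-sa-key Secret is mounted read-only, and every container carries resource limits.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redcloud
  labels:
    app: redcloud
spec:
  replicas: 2
  selector:
    matchLabels:
      app: redcloud
  template:
    metadata:
      labels:
        app: redcloud
    spec:
      # Kubernetes SA bound to a GCP SA via Workload Identity (see "What you provide")
      serviceAccountName: redcloud-vertex-ksa
      containers:
        - name: redcloud
          image: redcloud/cspm:latest
          ports:
            - containerPort: 9900
          # All environment configuration comes from the Secret, never inline values
          envFrom:
            - secretRef:
                name: redcloud-secrets   # HMAC_KEY, API_KEY, ENCRYPTION_KEY, DATABASE_URL, ...
          resources:
            requests: { cpu: 250m, memory: 512Mi }
            limits: { cpu: 1000m, memory: 2Gi }
          livenessProbe:
            httpGet: { path: /health, port: 9900 }   # probe port assumed to be the container port
          readinessProbe:
            httpGet: { path: /health, port: 9900 }
          volumeMounts:
            - name: scans
              mountPath: /app/out          # scan output on the RWO PVC
            - name: gcp-sa-key
              mountPath: /app/credentials  # GCP SA key, mounted read-only
              readOnly: true
      volumes:
        - name: scans
          persistentVolumeClaim:
            claimName: redcloud-scans-pvc
        - name: gcp-sa-key
          secret:
            secretName: gcp-sa-key
```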
Deploy
```bash
# Create the secrets first (example — use your own secret management)
kubectl create secret generic redcloud-secrets --from-env-file=.env
kubectl create secret generic gcp-sa-key --from-file=sa-key.json=./credentials/sa-key.json

# Apply the backend manifest
kubectl apply -f k8s/deployment.yaml

# Expose it (Ingress / Gateway in front of the ClusterIP Service)
kubectl get pods -l app=redcloud
```

Front the redcloud Service with your Ingress / load balancer, terminating TLS there. If you use Google Cloud IAP, set the IAP environment variables and configure the backend audience (see Configuration).
Notes & limitations
- The shipped manifest covers the backend only; bring your own PostgreSQL, license server, and Ingress.
- Scan output uses a single ReadWriteOnce PVC; size it for your scan volume and retention.