Client Deployment Guide

This guide walks through deploying the Kysira platform into a client's own Kubernetes cluster.


Step 0 — Get your credentials

Log in to app.kysira.com and navigate to Settings → Access. Copy your GHCR username and GHCR token — you'll need them in Step 1 to pull Kysira container images.


Prerequisites

| Requirement | Notes |
| --- | --- |
| Kubernetes cluster | k3s, EKS, GKE, AKS, or any CNCF-conformant cluster |
| kubectl access | kubectl get nodes should return Ready |
| helm ≥ 3.12 | helm version |
| cert-manager | Installed with a working ClusterIssuer |
| Ingress controller | Traefik (k3s default) or nginx |
| DNS control | Ability to add A records for two subdomains |
| GHCR credentials | Provided by Kysira (see below) |

cert-manager

If cert-manager is not already installed:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml
kubectl rollout status deployment/cert-manager-webhook -n cert-manager --timeout=120s

Create a letsencrypt-prod ClusterIssuer:

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: traefik   # or nginx
EOF
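
The prerequisites above can be checked in one pass before continuing. The script below is an added example, not part of the Kysira tooling; its function names are its own, and it assumes the ClusterIssuer is named letsencrypt-prod as created above.

```sh
#!/bin/sh
# Added example: pre-flight check for the prerequisites listed above.
set -eu

# version_ge HAVE WANT: true when HAVE (e.g. "v3.12.0+gc9f554d") is at least
# WANT ("MAJOR.MINOR"). Compared numerically, so 3.9 is correctly below 3.12.
version_ge() {
  v=${1#v}; v=${v%%[+-]*}
  have_major=${v%%.*}; rest=${v#*.}; have_minor=${rest%%.*}
  want_major=${2%%.*}; want_minor=${2#*.}
  [ "$have_major" -gt "$want_major" ] ||
    { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# nodes_not_ready: reads `kubectl get nodes --no-headers` output on stdin and
# prints the names of nodes whose STATUS column does not start with "Ready".
nodes_not_ready() { awk '$2 !~ /^Ready/ { print $1 }'; }

preflight() {
  rc=0
  helm_v=$(helm version --short) || { echo "FAIL: helm not runnable"; return 1; }
  version_ge "$helm_v" 3.12 || { echo "FAIL: helm $helm_v is older than 3.12"; rc=1; }

  nodes=$(kubectl get nodes --no-headers) || { echo "FAIL: no cluster access"; return 1; }
  bad=$(printf '%s\n' "$nodes" | nodes_not_ready)
  [ -z "$bad" ] || { echo "FAIL: nodes not Ready: $bad"; rc=1; }

  # Issuer name is the one created above; change it if yours differs.
  ready=$(kubectl get clusterissuer letsencrypt-prod \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null) || ready=
  [ "$ready" = "True" ] || { echo "FAIL: ClusterIssuer letsencrypt-prod not Ready"; rc=1; }

  [ "$rc" -eq 0 ] && echo "OK: prerequisites satisfied"
  return "$rc"
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with --run as its only argument; a non-zero exit status means at least one prerequisite is missing.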

Step 1 — Image pull secret

Kysira images are hosted on GitHub Container Registry (ghcr.io). You need a pull secret in the namespace where Kysira will run.

kubectl create namespace kysira

kubectl create secret docker-registry ghcr-pull \
  --docker-server=ghcr.io \
  --docker-username=<provided-username> \
  --docker-password=<provided-token> \
  --namespace kysira

Kysira will provide the username and token. If images are made public in future, this step will be optional.
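
Passing the token with --docker-password leaves it in shell history and in the process list while kubectl runs. The script below is an added example, not part of the Kysira guide: it prompts for the credentials and creates the same ghcr-pull secret from a generated .dockerconfigjson file. The function names and the restriction on credential characters are assumptions of this example.

```sh
#!/bin/sh
# Added example: create the ghcr-pull secret without putting the token on the
# command line (where it lands in shell history and `ps` output).
set -eu

# Print a .dockerconfigjson document for ghcr.io.
# Assumption: username and token use only [A-Za-z0-9_.-], so no JSON escaping
# is needed; anything else is rejected rather than written out malformed.
make_dockerconfig() {
  user=${1:-}; token=${2:-}
  if [ -z "$user" ] || [ -z "$token" ]; then
    echo "username and token required" >&2; return 1
  fi
  case "$user$token" in
    *[!A-Za-z0-9_.-]*) echo "unsupported character in credentials" >&2; return 1 ;;
  esac
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"ghcr.io":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
    "$user" "$token" "$auth"
}

# Prompt for the credentials (the token is not echoed) and create the secret
# from a temp file (mktemp creates it mode 0600) that is removed whether or
# not kubectl succeeds.
create_pull_secret() {
  printf 'GHCR username: ' >&2; read -r ghcr_user
  printf 'GHCR token: ' >&2
  stty -echo; read -r ghcr_token; stty echo; echo >&2
  cfg=$(mktemp)
  rc=0
  make_dockerconfig "$ghcr_user" "$ghcr_token" > "$cfg" &&
    kubectl create secret generic ghcr-pull \
      --type=kubernetes.io/dockerconfigjson \
      --from-file=.dockerconfigjson="$cfg" \
      --namespace kysira || rc=$?
  rm -f "$cfg"
  unset ghcr_token token
  return "$rc"
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then create_pull_secret; fi
```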


Step 2 — Configure values

Copy the example values file and fill in your settings:

cp deploy/values-example.yaml my-values.yaml

Minimum required changes:

kysira-proxy:
  config:
    targetURL: "http://your-app:3000"   # in-cluster URL of the app to protect

  ingress:
    hosts:
      - host: your-app.example.com      # domain end-users hit
    tls:
      - secretName: kysira-proxy-tls
        hosts: [your-app.example.com]

kysira-dashboard:
  ingress:
    hosts:
      - host: dashboard.example.com     # domain for the monitoring dashboard
    tls:
      - secretName: kysira-dashboard-tls
        hosts: [dashboard.example.com]

If you use a different ingress class or ClusterIssuer name, update ingress.className and the cert-manager.io/cluster-issuer annotation in each section.

Resource sizing: layer a resource preset on top of your values file by adding a second --values flag to the helm command:

# small  = CX11  (2 vCPU, 4 GB RAM)
# medium = CX22  (4 vCPU, 8 GB RAM)
# large  = CX33+ (4 vCPU, 8 GB RAM, autoscaling enabled)
--values deploy/values-resources-medium.yaml

Step 3 — Deploy

helm upgrade --install kysira oci://ghcr.io/kysira/charts/kysira-platform \
  --namespace kysira --create-namespace \
  --values my-values.yaml \
  --wait --timeout 20m

The first deploy takes longer (~5 min) as the inference container loads ML models.


Step 4 — DNS

Point two A records at your cluster's ingress IP:

your-app.example.com       → <ingress-ip>
dashboard.example.com      → <ingress-ip>

Find the ingress IP:

kubectl get svc -n kube-system | grep traefik   # k3s / Traefik
kubectl get svc -n ingress-nginx                 # nginx ingress

cert-manager will issue TLS certificates automatically once DNS propagates (usually within a few minutes).


Step 5 — Smoke test

# Proxy health
curl https://your-app.example.com/_kysira/health

# Dashboard API
curl https://dashboard.example.com/api/events

# Fire a test SQL injection (shadow mode — passes through, appears in dashboard)
curl "https://your-app.example.com/search?q=1'+OR+'1'='1"

Open https://dashboard.example.com — the test request should appear in the live feed with a high SQLi score.


Configuration reference

Proxy modes

| Mode | Behaviour |
| --- | --- |
| shadow | All traffic passes. Threats are logged and surfaced in the dashboard. Safe default for initial rollout. |
| active | Requests scoring above scoreThreshold are killed with a TCP RST before reaching your app. |

Switch modes from the dashboard UI or via Helm:

helm upgrade kysira oci://ghcr.io/kysira/charts/kysira-platform \
  --namespace kysira --reuse-values \
  --set "kysira-proxy.config.mode=active"

Key proxy settings

| Value | Default | Description |
| --- | --- | --- |
| kysira-proxy.config.targetURL | | Required. In-cluster URL of your application |
| kysira-proxy.config.mode | shadow | shadow or active |
| kysira-proxy.config.scoreThreshold | 0.95 | Kill threshold [0–1] |
| kysira-proxy.config.sinks | file,stdout | Event sinks: file, stdout, http |
| kysira-proxy.config.httpSinkURL | | SIEM/webhook endpoint for the http sink |
| kysira-proxy.image.registry | ghcr.io | Override to use a private mirror |

Upgrading

helm upgrade kysira oci://ghcr.io/kysira/charts/kysira-platform \
  --namespace kysira \
  --values my-values.yaml \
  --wait --timeout 20m

Uninstalling

helm uninstall kysira --namespace kysira
kubectl delete namespace kysira