Kubernetes & Helm Deployment | Panovista

For enterprise production environments, Panovista is designed to be deployed directly into your Kubernetes clusters. Because the proxy is entirely stateless and consumes less than 20MB of memory, it scales horizontally alongside your AI application pods with near-zero resource overhead.


The Sidecar Pattern

In Kubernetes, the most secure way to deploy Panovista is as a sidecar container in the same Pod as your primary AI application. Containers in a Pod share one network namespace, so unencrypted prompts and internal tool calls travel only over the Pod's loopback interface (localhost) before being intercepted and sanitized.

Example Pod Manifest

Below is a standard Kubernetes Deployment manifest demonstrating the sidecar pattern:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ai-agent-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: ai-agent
  template:
    metadata:
      labels:
        app: ai-agent
    spec:
      containers:
        # 1. Your Primary AI Application
        - name: ai-agent-app
          image: your-company/ai-agent:v2.1.0
          env:
            # Point the SDK to the local sidecar proxy on localhost
            - name: OPENAI_BASE_URL
              value: "http://127.0.0.1:8080/v1"
          
        # 2. The Panovista Security Proxy
        - name: panovista-sidecar
          image: panovista/proxy:v1.2.0
          ports:
            - containerPort: 8080
          env:
            - name: UPSTREAM_PROVIDER
              value: "anthropic"
            # Inject keys securely via Kubernetes Secrets
            - name: PROVIDER_API_KEY
              valueFrom:
                secretKeyRef:
                  name: llm-provider-secrets
                  key: api-key
          volumeMounts:
            - name: panovista-policies
              mountPath: /etc/panovista/policies
              readOnly: true
              
      volumes:
        # Mount your RBAC and DLP schemas via a ConfigMap
        - name: panovista-policies
          configMap:
            name: panovista-security-config
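
A pre-deploy check for the manifest above, as an added example that is not part of Panovista's documentation or tooling: it takes a Deployment parsed from `kubectl get deployment -o json` and verifies the properties the sidecar pattern depends on (a loopback base URL on a sidecar port, keys sourced from Secrets, a read-only policy mount). The `audit_sidecar` function, the `SENSITIVE` name heuristic and the sample dict are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

SENSITIVE = ("KEY", "SECRET", "TOKEN", "PASSWORD")  # assumed env-name heuristic

def _is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name or empty host is not loopback
        return False

def audit_sidecar(deployment, app="ai-agent-app", proxy="panovista-sidecar"):
    """Return findings for a parsed Deployment dict; an empty list means the pattern holds."""
    containers = {c["name"]: c for c in deployment["spec"]["template"]["spec"]["containers"]}
    if app not in containers or proxy not in containers:
        return [f"{app} and {proxy} are not in the same Pod"]
    findings = []
    ports = {p["containerPort"] for p in containers[proxy].get("ports", [])}
    urls = [e for e in containers[app].get("env", []) if e["name"].endswith("_BASE_URL")]
    if not urls:
        findings.append(f"{app}: no *_BASE_URL env var routes the SDK to the sidecar")
    for e in urls:
        url = urlsplit(e.get("value", ""))
        if not _is_loopback(url.hostname or ""):
            findings.append(f"{app}: {e['name']} is not a loopback URL")
        elif url.port not in ports:
            findings.append(f"{app}: {e['name']} port is not a {proxy} containerPort")
    for name, c in containers.items():
        for e in c.get("env", []):
            from_secret = "secretKeyRef" in e.get("valueFrom", {})
            if not from_secret and any(s in e["name"].upper() for s in SENSITIVE):
                findings.append(f"{name}: {e['name']} is not sourced from a Secret")
    for m in containers[proxy].get("volumeMounts", []):
        if not m.get("readOnly", False):
            findings.append(f"{proxy}: mount {m['mountPath']} is writable")
    return findings

# Constructed sample: the manifest above reduced to the fields the audit reads.
PAGE_MANIFEST = {"spec": {"template": {"spec": {"containers": [
    {"name": "ai-agent-app", "env": [
        {"name": "OPENAI_BASE_URL", "value": "http://127.0.0.1:8080/v1"}]},
    {"name": "panovista-sidecar", "ports": [{"containerPort": 8080}], "env": [
        {"name": "UPSTREAM_PROVIDER", "value": "anthropic"},
        {"name": "PROVIDER_API_KEY", "valueFrom": {"secretKeyRef": {
            "name": "llm-provider-secrets", "key": "api-key"}}}],
     "volumeMounts": [{"mountPath": "/etc/panovista/policies", "readOnly": True}]},
]}}}}
if __name__ == "__main__":
    print(audit_sidecar(PAGE_MANIFEST) or "ok: sidecar pattern holds")
```

Run in CI against the rendered manifest, a non-empty result flags drift such as a base URL repointed at an external host or a key pasted in as a literal value.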

Deploying via Helm

For teams managing multiple environments (staging, UAT, production), we maintain an official Helm chart that automates the sidecar injection and ConfigMap management.

1. Add the Panovista Helm Repository

helm repo add panovista https://charts.panovista.io
helm repo update

2. Install the Chart

Create a values.yaml file with your specific schema configurations, then deploy it to your target namespace:

helm install panovista-proxy panovista/panovista-sidecar \
  --namespace secure-ai-agents \
  --create-namespace \
  -f values.yaml

Horizontal Pod Autoscaling (HPA)

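Because Panovista uses a lock-free Go engine and holds zero state, it scales using standard Kubernetes HPA metrics. The HPA adjusts the Deployment's replica count based on CPU or memory thresholds, and every new Pod carries its own sidecar, so when your AI application experiences a surge in traffic, the proxy scales up alongside it without requiring external database provisioning. Utilization targets are computed against container resource requests, so set requests on both the application and the sidecar container.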