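# Example agent deployment with lifecycle sidecar
# This would be created by the gateway for each user
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent-user-abc123
  namespace: dexorder-agents
  labels:
    app.kubernetes.io/name: agent
    app.kubernetes.io/component: user-agent
    dexorder.io/component: agent
    dexorder.io/user-id: user-abc123
    dexorder.io/deployment: agent-user-abc123
spec:
  replicas: 1
  selector:
    matchLabels:
      dexorder.io/user-id: user-abc123
  template:
    metadata:
      labels:
        dexorder.io/component: agent
        dexorder.io/user-id: user-abc123
        dexorder.io/deployment: agent-user-abc123
    spec:
      serviceAccountName: agent-lifecycle
      # The agent-lifecycle token is only needed by the sidecar. Disable the
      # default automount (which would put it in BOTH containers, including the
      # user-facing agent) and project it into the sidecar only, see the
      # lifecycle-sa-token volume below.
      # NOTE(review): confirm the agent container itself never calls the
      # Kubernetes API; if it does, give it its own, narrower service account.
      automountServiceAccountToken: false

      # Share PID namespace so sidecar can monitor main container.
      # Consequence: every process in the pod is visible to every container, and
      # since both containers run as UID 1000 the sidecar can signal and inspect
      # (/proc/<pid>) the agent's processes. Keep the sidecar image minimal.
      shareProcessNamespace: true

      # Security context
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault

      containers:
        # Main agent container
        - name: agent
          # TODO(review): pin to an immutable tag or @sha256:<digest>; ":latest"
          # is mutable, so with imagePullPolicy Always each restart may run a
          # different image than the one that was reviewed.
          image: ghcr.io/dexorder/agent:latest
          imagePullPolicy: Always

          # Security context (required by admission policy)
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL

          # Resource limits (required by admission policy)
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "1Gi"
              cpu: "1000m"

          # Environment variables (all values quoted so they stay strings)
          env:
            - name: USER_ID
              value: "user-abc123"
            - name: IDLE_TIMEOUT_MINUTES
              value: "15"
            - name: IDLE_CHECK_INTERVAL_SECONDS
              value: "60"
            - name: ENABLE_IDLE_SHUTDOWN
              value: "true"
            - name: MCP_SERVER_PORT
              value: "3000"
            - name: ZMQ_CONTROL_PORT
              value: "5555"

          # Ports
          ports:
            - name: mcp
              containerPort: 3000
              protocol: TCP
            - name: zmq-control
              containerPort: 5555
              protocol: TCP

          # Volume mounts
          volumeMounts:
            - name: agent-data
              mountPath: /app/data
            - name: tmp
              mountPath: /tmp
            - name: shared-run
              mountPath: /var/run/agent

          # Liveness probe (agent's MCP server)
          livenessProbe:
            httpGet:
              path: /health
              port: mcp
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5

          # Readiness probe
          readinessProbe:
            httpGet:
              path: /ready
              port: mcp
            initialDelaySeconds: 5
            periodSeconds: 10

        # Lifecycle sidecar
        - name: lifecycle-sidecar
          # TODO(review): pin to an immutable tag or @sha256:<digest> (same
          # reason as the agent image above).
          image: ghcr.io/dexorder/lifecycle-sidecar:latest
          imagePullPolicy: Always

          # Security context
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL

          # Resource limits
          resources:
            requests:
              memory: "32Mi"
              cpu: "10m"
            limits:
              memory: "64Mi"
              cpu: "50m"

          # Environment variables (injected via downward API)
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: DEPLOYMENT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['dexorder.io/deployment']
            - name: USER_TYPE
              value: "free"  # Gateway sets this based on license
            # NOTE(review): with shareProcessNamespace enabled the pod's pause
            # (infra) container is PID 1, not the agent process. Confirm the
            # sidecar discovers the agent's PID itself (e.g. via /proc or a
            # pidfile under the shared /var/run/agent mount) rather than
            # trusting this value.
            - name: MAIN_CONTAINER_PID
              value: "1"

          # Volume mounts
          volumeMounts:
            - name: shared-run
              mountPath: /var/run/agent
              readOnly: true
            # Service account token for the lifecycle API calls; mounted at the
            # default path so standard client libraries find it unchanged.
            - name: lifecycle-sa-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true

      # Volumes
      volumes:
        # Persistent data (user files, state)
        - name: agent-data
          persistentVolumeClaim:
            claimName: agent-user-abc123-data

        # Temporary writable filesystem (read-only rootfs). Memory-backed
        # emptyDir usage counts toward the container's memory limit.
        - name: tmp
          emptyDir:
            medium: Memory
            sizeLimit: 128Mi

        # Shared between main container and sidecar
        - name: shared-run
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi

        # Projected, short-lived service account token for the sidecar only.
        # Mirrors the contents of the default automounted volume (token,
        # cluster CA, namespace) so only the mount scope changes.
        - name: lifecycle-sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600
              - configMap:
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace

      # Restart policy
      restartPolicy: Always

      # Termination grace period
      terminationGracePeriodSeconds: 30

---
# PVC for agent persistent data
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: agent-user-abc123-data
  namespace: dexorder-agents
  labels:
    dexorder.io/user-id: user-abc123
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: standard  # Or your preferred storage class

---
# Service to expose agent MCP endpoint
# NOTE(review): this also exposes the ZMQ control port cluster-wide; restrict
# which namespaces/pods may reach both ports with a NetworkPolicy (not shown
# here), especially if the agent executes user-driven actions.
apiVersion: v1
kind: Service
metadata:
  name: agent-user-abc123
  namespace: dexorder-agents
  labels:
    dexorder.io/user-id: user-abc123
spec:
  type: ClusterIP
  selector:
    dexorder.io/user-id: user-abc123
  ports:
    - name: mcp
      port: 3000
      targetPort: mcp
      protocol: TCP
    - name: zmq-control
      port: 5555
      targetPort: zmq-control
      protocol: TCP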