ai/deploy/k8s/base/agent-deployment-example.yaml

# Example agent deployment with lifecycle sidecar
# This would be created by the gateway for each user
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent-user-abc123
  namespace: dexorder-agents
  labels:
    app.kubernetes.io/name: agent
    app.kubernetes.io/component: user-agent
    dexorder.io/component: agent
    dexorder.io/user-id: user-abc123
    dexorder.io/deployment: agent-user-abc123
spec:
  replicas: 1
  selector:
    matchLabels:
      dexorder.io/user-id: user-abc123
  template:
    metadata:
      labels:
        dexorder.io/component: agent
        dexorder.io/user-id: user-abc123
        dexorder.io/deployment: agent-user-abc123
    spec:
      serviceAccountName: agent-lifecycle
      
      # Share PID namespace so sidecar can monitor main container
      shareProcessNamespace: true
      
      # Security context
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      
      containers:
        # Main agent container
        - name: agent
          image: ghcr.io/dexorder/agent:latest
          imagePullPolicy: Always
          
          # Security context (required by admission policy)
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          
          # Resource limits (required by admission policy)
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "1Gi"
              cpu: "1000m"
          
          # Environment variables
          env:
            - name: USER_ID
              value: "user-abc123"
            - name: IDLE_TIMEOUT_MINUTES
              value: "15"
            - name: IDLE_CHECK_INTERVAL_SECONDS
              value: "60"
            - name: ENABLE_IDLE_SHUTDOWN
              value: "true"
            - name: MCP_SERVER_PORT
              value: "3000"
            - name: ZMQ_CONTROL_PORT
              value: "5555"
          
          # Ports
          ports:
            - name: mcp
              containerPort: 3000
              protocol: TCP
            - name: zmq-control
              containerPort: 5555
              protocol: TCP
          
          # Volume mounts
          volumeMounts:
            - name: agent-data
              mountPath: /app/data
            - name: tmp
              mountPath: /tmp
            - name: shared-run
              mountPath: /var/run/agent
          
          # Liveness probe (agent's MCP server)
          livenessProbe:
            httpGet:
              path: /health
              port: mcp
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
          
          # Readiness probe
          readinessProbe:
            httpGet:
              path: /ready
              port: mcp
            initialDelaySeconds: 5
            periodSeconds: 10
        
        # Lifecycle sidecar
        - name: lifecycle-sidecar
          image: ghcr.io/dexorder/lifecycle-sidecar:latest
          imagePullPolicy: Always
          
          # Security context
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          
          # Resource limits
          resources:
            requests:
              memory: "32Mi"
              cpu: "10m"
            limits:
              memory: "64Mi"
              cpu: "50m"
          
          # Environment variables (injected via downward API)
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: DEPLOYMENT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['dexorder.io/deployment']
            - name: USER_TYPE
              value: "free"  # Gateway sets this based on license
            - name: MAIN_CONTAINER_PID
              value: "1"  # In shared PID namespace, main container is typically PID 1
          
          # Volume mounts
          volumeMounts:
            - name: shared-run
              mountPath: /var/run/agent
              readOnly: true
      
      # Volumes
      volumes:
        # Persistent data (user files, state)
        - name: agent-data
          persistentVolumeClaim:
            claimName: agent-user-abc123-data
        
        # Temporary writable filesystem (read-only rootfs)
        - name: tmp
          emptyDir:
            medium: Memory
            sizeLimit: 128Mi
        
        # Shared between main container and sidecar
        - name: shared-run
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
      
      # Restart policy
      restartPolicy: Always
      
      # Termination grace period
      terminationGracePeriodSeconds: 30
---
# PVC for agent persistent data
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: agent-user-abc123-data
  namespace: dexorder-agents
  labels:
    dexorder.io/user-id: user-abc123
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: standard  # Or your preferred storage class
---
# Service to expose agent MCP endpoint
apiVersion: v1
kind: Service
metadata:
  name: agent-user-abc123
  namespace: dexorder-agents
  labels:
    dexorder.io/user-id: user-abc123
spec:
  type: ClusterIP
  selector:
    dexorder.io/user-id: user-abc123
  ports:
    - name: mcp
      port: 3000
      targetPort: mcp
      protocol: TCP
    - name: zmq-control
      port: 5555
      targetPort: zmq-control
      protocol: TCP