Kubernetes Deployment

What you'll accomplish: Deploy Hoziron to Kubernetes using the official Helm chart with production settings including PDB, HPA, resource limits, and network policies.

Install with Helm

helm install hoziron ./charts/hoziron \
  -f ./charts/hoziron/values-prod.yaml \
  --set secrets.anthropicApiKey="$ANTHROPIC_API_KEY"

Production values

The values-prod.yaml file configures:

  • Multiple replicas for availability
  • Resource requests and limits
  • PodDisruptionBudget (PDB) — prevents all pods from being evicted simultaneously
  • HorizontalPodAutoscaler (HPA) — scales based on CPU/memory pressure

Pod Disruption Budget

Ensures at least one pod remains available during voluntary disruptions:

pdb:
  enabled: true
  minAvailable: 1

Horizontal Pod Autoscaler

hpa:
  enabled: true
  minReplicas: 2
  maxReplicas: 5
  targetCPUUtilizationPercentage: 70

Network policies

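Restrict egress to only LLM provider endpoints. The values below limit egress to TCP port 443, but the cidr 0.0.0.0/0 matches every destination; replace it with the CIDR ranges of your LLM provider to limit where the pod can connect: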

networkPolicy:
  enabled: true
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - port: 443
          protocol: TCP
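
An added example (not part of the Hoziron chart or its documentation): a check over a single NetworkPolicy object, in the form `kubectl get networkpolicy <name> -o json` returns, that reports egress rules matching any destination, such as the 0.0.0.0/0 block above. The sample policies are constructed, and 203.0.113.0/24 is a documentation range standing in for a real provider range.

```python
import ipaddress

def audit_egress(policy):
    """Return findings for egress rules in a NetworkPolicy that match any destination."""
    spec = policy.get("spec", {})
    rules = spec.get("egress") or []
    types = spec.get("policyTypes")
    # Kubernetes applies Egress when it is listed, or by default when egress rules exist.
    enforced = "Egress" in types if types is not None else bool(rules)
    if not enforced:
        return ["egress is not restricted by this policy"]
    findings = []
    for i, rule in enumerate(rules):
        ports = rule.get("ports") or []
        where = ",".join(f"{p.get('protocol', 'TCP')}/{p.get('port', 'any')}"
                         for p in ports) or "all ports"
        peers = rule.get("to") or []
        if not peers:
            findings.append(f"rule {i}: no 'to' peers, any destination on {where}")
        for peer in peers:
            cidr = (peer.get("ipBlock") or {}).get("cidr")
            # A prefix length of 0 (0.0.0.0/0 or ::/0) covers the whole address space.
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"rule {i}: {cidr} matches any destination on {where}")
    return findings

def make_policy(cidr):
    """Constructed sample: a NetworkPolicy with the page's egress rule and a given CIDR."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "spec": {
            "podSelector": {"matchLabels": {"app.kubernetes.io/name": "hoziron"}},
            "policyTypes": ["Egress"],
            "egress": [{"to": [{"ipBlock": {"cidr": cidr}}],
                        "ports": [{"port": 443, "protocol": "TCP"}]}],
        },
    }

PAGE_POLICY = make_policy("0.0.0.0/0")           # the cidr shown on this page
NARROWED_POLICY = make_policy("203.0.113.0/24")  # placeholder documentation range

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("narrowed", NARROWED_POLICY)):
        print(name, audit_egress(pol) or "no any-destination egress rules")
```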

Security context

securityContext:
  runAsNonRoot: true
  runAsUser: 65532
  fsGroup: 65532
  readOnlyRootFilesystem: true

TLS

Disable native TLS — the ingress controller handles it. Traffic from the ingress controller to the pod on port 4200 is then plain HTTP inside the cluster:

[server]
listen = "0.0.0.0:4200"

[server.tls]
enabled = false

Graceful shutdown

Set terminationGracePeriodSeconds to at least 30s:

terminationGracePeriodSeconds: 30

The daemon catches SIGTERM and flushes memory stores before exiting.

Verify

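# Check that the pods are running
kubectl get pods -l app.kubernetes.io/name=hoziron
# port-forward stays in the foreground; leave it running and use a second terminal for curl
kubectl port-forward svc/hoziron 4200:4200
# Query the health endpoint through the forwarded port
curl http://localhost:4200/health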
