
Kubernetes (roadmap)

Today: manual DaemonSet

You can run tyr-agent as a privileged DaemonSet right now; the server runs as a normal Deployment. Both manifests below assume a `tyr-system` namespace (`kubectl create namespace tyr-system`) and two Secrets created ahead of time: `tyr-db` (key `url`, the server's database URL) and `tyr-enrollment` (key `token`, the enrollment token the agents present).

Server

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tyr-server
  namespace: tyr-system   # must match the namespace in the agents' --server DNS name
spec:
  replicas: 1
  selector: { matchLabels: { app: tyr-server } }
  template:
    metadata: { labels: { app: tyr-server } }
    spec:
      containers:
        - name: tyr-server
          image: ghcr.io/terranchi/tyr/tyr-server:latest   # pin a digest (image@sha256:...) for production
          ports:
            - { name: grpc, containerPort: 7700 }
            - { name: rest, containerPort: 7701 }
          env:
            - name: DATABASE_URL
              valueFrom: { secretKeyRef: { name: tyr-db, key: url } }
            # REST is served as plain HTTP inside the cluster; TLS terminates at the Ingress
            - { name: TYR_REST_NO_TLS, value: "true" }
          readinessProbe:
            httpGet: { path: /health, port: rest }
---
apiVersion: v1
kind: Service
metadata: { name: tyr-server, namespace: tyr-system }
spec:
  selector: { app: tyr-server }
  ports:
    - { name: grpc, port: 7700, targetPort: 7700 }
    - { name: rest, port: 7701, targetPort: 7701 }
```

Put an Ingress with TLS in front of the REST port (7701) for the UI; with `TYR_REST_NO_TLS` set the server speaks plain HTTP there, so the Ingress is where TLS terminates. Expose the gRPC port (7700) through a LoadBalancer or an internal DNS name that every agent node can reach; in-cluster agents can use the Service name directly.

Agent DaemonSet

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata: { name: tyr-agent, namespace: tyr-system }
spec:
  selector: { matchLabels: { app: tyr-agent } }
  template:
    metadata: { labels: { app: tyr-agent } }
    spec:
      hostPID: true
      hostNetwork: true
      # hostNetwork pods use the node's resolv.conf unless told otherwise;
      # without this the tyr-server.tyr-system.svc name below does not resolve
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: tyrd
          image: ghcr.io/terranchi/tyr/tyr-agent:latest   # pin a digest: this container is privileged
          args:
            - --server
            - http://tyr-server.tyr-system.svc:7700
            - --name
            - $(NODE_NAME)
            - --enforce
            - --tls-capture
          env:
            - name: NODE_NAME
              valueFrom: { fieldRef: { fieldPath: spec.nodeName } }
            - name: TYR_ENROLLMENT_TOKEN
              valueFrom: { secretKeyRef: { name: tyr-enrollment, key: token } }
          securityContext:
            privileged: true
            # privileged already grants every capability; the list documents the ones the agent needs
            capabilities:
              add: [SYS_ADMIN, BPF, NET_ADMIN, PERFMON, SYS_PTRACE, SYS_RESOURCE]
          volumeMounts:
            - { name: sys-debug, mountPath: /sys/kernel/debug, readOnly: true }
            - { name: sys-bpf, mountPath: /sys/fs/bpf }
            - { name: sys-tracing, mountPath: /sys/kernel/tracing, readOnly: true }
            - { name: modules, mountPath: /lib/modules, readOnly: true }
            - { name: data, mountPath: /var/lib/tyr }   # per-node identity lives here
      volumes:
        - { name: sys-debug, hostPath: { path: /sys/kernel/debug } }
        - { name: sys-bpf, hostPath: { path: /sys/fs/bpf, type: DirectoryOrCreate } }
        - { name: sys-tracing, hostPath: { path: /sys/kernel/tracing } }
        - { name: modules, hostPath: { path: /lib/modules } }
        - { name: data, hostPath: { path: /var/lib/tyr, type: DirectoryOrCreate } }
```
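The mistakes that bite when these two manifests are hand-edited are easy to lint for before `kubectl apply`. The script below is an added example, not part of the tyr project: it reads the JSON a `kubectl get ds,svc -A -o json` pipe would produce and flags a `hostNetwork` pod without `dnsPolicy: ClusterFirstWithHostNet`, a privileged image pulled by a mutable tag instead of a digest, a `--server` URL that names a Service in a namespace where none exists, and a token-like environment variable set as a literal instead of a `secretKeyRef`. The `SAMPLE` is a constructed, trimmed copy of this page's manifests (Service left in `default`, `:latest` tag, no `dnsPolicy`) so it runs offline; the digest `fixed()` substitutes is a placeholder.

```python
"""Pre-apply lint for a tyr-agent DaemonSet and its tyr-server Service.

Usage against a live cluster:
    kubectl get ds,svc -A -o json | python3 lint_tyr.py
Run with no stdin pipe, it lints the constructed SAMPLE below instead.
"""
import copy
import json
import re
import sys
from urllib.parse import urlparse

SVC_HOST = re.compile(r"([^.]+)\.([^.]+)\.svc(?:\.cluster\.local)?")
SECRET_LIKE = re.compile(r"TOKEN|PASSWORD|SECRET", re.IGNORECASE)

# Constructed sample: the manifests on this page, reduced to the fields the lint reads.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Service", "metadata": {"name": "tyr-server"},          # namespace omitted -> default
     "spec": {"ports": [{"name": "grpc", "port": 7700}]}},
    {"kind": "DaemonSet", "metadata": {"name": "tyr-agent", "namespace": "tyr-system"},
     "spec": {"template": {"spec": {
         "hostPID": True, "hostNetwork": True,                         # no dnsPolicy set
         "containers": [{
             "name": "tyrd",
             "image": "ghcr.io/terranchi/tyr/tyr-agent:latest",
             "args": ["--server", "http://tyr-server.tyr-system.svc:7700", "--enforce"],
             "env": [{"name": "TYR_ENROLLMENT_TOKEN",
                      "valueFrom": {"secretKeyRef": {"name": "tyr-enrollment", "key": "token"}}}],
             "securityContext": {"privileged": True}}]}}}},
]}


def lint(items):
    """Return human-readable findings for a list of Kubernetes objects."""
    services = {(s["metadata"]["name"], s["metadata"].get("namespace", "default"))
                for s in items if s["kind"] == "Service"}
    findings = []
    for obj in items:
        if obj["kind"] == "DaemonSet":
            findings += _check_daemonset(obj, services)
    return findings


def _check_daemonset(ds, services):
    out = []
    name = ds["metadata"]["name"]
    pod = ds["spec"]["template"]["spec"]
    # hostNetwork pods inherit the node's resolv.conf unless dnsPolicy says otherwise,
    # so a *.svc name handed to --server will not resolve from the agent.
    if pod.get("hostNetwork") and pod.get("dnsPolicy") != "ClusterFirstWithHostNet":
        out.append(f"{name}: hostNetwork set but dnsPolicy is not ClusterFirstWithHostNet")
    for c in pod["containers"]:
        cname = f"{name}/{c['name']}"
        # A privileged agent pulled by a mutable tag runs whatever the registry serves next.
        if "@sha256:" not in c["image"]:
            out.append(f"{cname}: image {c['image']} is not pinned by digest")
        # The --server host must name a Service that exists in that namespace.
        args = c.get("args", [])
        if "--server" in args and args.index("--server") + 1 < len(args):
            host = urlparse(args[args.index("--server") + 1]).hostname or ""
            m = SVC_HOST.fullmatch(host)
            if m and (m.group(1), m.group(2)) not in services:
                out.append(f"{cname}: --server names {host} but no such Service exists")
        # Enrollment tokens belong in a Secret, never in a literal env value.
        for env in c.get("env", []):
            if SECRET_LIKE.search(env["name"]) and "value" in env:
                out.append(f"{cname}: env {env['name']} is a literal value, use secretKeyRef")
    return out


def fixed(items):
    """Apply the corrections the findings ask for; the digest is a placeholder value."""
    items = copy.deepcopy(items)
    for obj in items:
        if obj["kind"] == "Service":
            obj["metadata"]["namespace"] = "tyr-system"
        elif obj["kind"] == "DaemonSet":
            pod = obj["spec"]["template"]["spec"]
            pod["dnsPolicy"] = "ClusterFirstWithHostNet"
            for c in pod["containers"]:
                c["image"] = c["image"].rsplit(":", 1)[0] + "@sha256:" + "0" * 64
    return items


if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for line in lint(doc["items"]) or ["no findings"]:
        print(line)
```

Run against the page's manifests as written, the lint reports three findings (missing `dnsPolicy`, unpinned image, Service in the wrong namespace); after `fixed()` it reports none. The checks are deliberately narrow, so extending them with your own policy (for example, rejecting writable hostPath mounts other than `/sys/fs/bpf` and `/var/lib/tyr`) is a matter of adding a branch in `_check_daemonset`.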

Caveats

  • Every node has its own identity: each agent pod registers with the server as a separate daemon. The identity is stored under the hostPath /var/lib/tyr, so it survives pod restarts and node reboots.
  • Enrollment consumes one token use per node. Mint the enrollment token with a --max-uses of at least your node count, plus headroom for nodes you expect to add or replace.
  • Because the identity lives in /var/lib/tyr on the host, wiping that directory (or replacing the node) forces the agent to re-enroll, which spends another token use.

Roadmap

| Feature | Status |
| --- | --- |
| Helm chart | Planned |
| TyrPolicy CRD — author in YAML natively | Planned |
| Automatic enrollment via service account | Planned |
| Node-selector-based policy targeting | Planned |
| Sidecar injection for non-host-PID modes | Under review |

Follow progress in ADR-005 or open a discussion on GitHub.