Deployment

Use this section to select a deployment model and apply the matching system identity, file paths, and runtime hardening. The tested preview deployment models are systemd and static pod.

Pick A Model First

  1. Choosing A Model to compare systemd and static pod against your control-plane topology, kubeadm posture, and operational constraints.
  2. systemd Deployment for a hardened systemd unit on the control-plane host.
  3. Static Pod Deployment for a kubelet-managed static pod alongside the API server.
  4. Linux Identity Model for the user, group, file ownership, and permission model that both deployment styles depend on.
  5. Observability Deployment for Prometheus scrape wiring and the maintained Grafana dashboard sample.

Use Another Section If

  • the question is about getting a binary onto the host or wiring EncryptionConfiguration: go to Start Here.
  • the question is about ongoing operation, rotation, or recovery: go to Operations.
  • the question is about runtime hardening and trust boundaries beyond the host identity: go to Security.

In This Section