Kubernetes Deployment

Deploy Prisma AIRS MCP on Kubernetes

Overview

Kubernetes deployment provides production-grade features including high availability, automatic scaling, and zero-downtime deployments. This guide covers deploying Prisma AIRS MCP to Kubernetes with Traefik Ingress Controller.

Prerequisites

  • Kubernetes cluster (1.24+)
  • kubectl configured with cluster access
  • Traefik Ingress Controller (for HTTPS routing)
  • Prisma AIRS API key from Strata Cloud Manager

Quick Start

1. Clone the Repository

# Clone for Kubernetes manifests
git clone https://github.com/cdot65/prisma-airs-mcp.git
cd prisma-airs-mcp

2. Create Namespace

kubectl create namespace prisma-airs-mcp-server

3. Create Secret

# Create secret using the manage-secrets script
./k8s/scripts/manage-secrets.sh create prisma-airs-mcp-server 'your-api-key-here'

# Or create manually. Passing the key on the command line leaves it in shell
# history; --from-file=airs.api.key=./airs-api-key avoids that.
kubectl create secret generic prisma-airs-mcp-secrets \
  --from-literal=airs.api.key='your-api-key-here' \
  -n prisma-airs-mcp-server

4. Deploy Application

# Deploy using the deployment script
pnpm run k8s:deploy:latest

# Or deploy manually with Kustomize
kubectl apply -k k8s/overlays/production

# Check deployment status
pnpm run k8s:status

# View rollout status
pnpm run k8s:rollout:status

5. Verify Deployment

# Verify deployment is successful
pnpm run k8s:verify

# Check pod logs
pnpm run k8s:logs

# Port-forward to test locally
kubectl port-forward -n prisma-airs-mcp-server svc/prisma-airs-mcp 3000:3000

# Test health endpoint
curl http://localhost:3000/health

Architecture

Components

The Kubernetes deployment includes:

  1. Deployment - Manages pod replicas with rolling updates
  2. Service - Internal load balancing for pods
  3. ConfigMap - Non-sensitive configuration
  4. Secret - API keys and sensitive data
  5. IngressRoute - Traefik routing configuration
  6. NetworkPolicy - Network security rules

Resource Structure

k8s/
├── base/                    # Base Kubernetes resources
│   ├── kustomization.yaml
│   ├── deployment.yaml
│   ├── service.yaml
│   └── configmap.yaml
└── overlays/               # Environment-specific configs
    ├── development/
    ├── staging/
    └── production/
        ├── kustomization.yaml
        ├── deployment-patch.yaml
        └── ingressroute-patch.yaml

Traefik IngressRoute

Traefik Overview

The deployment uses Traefik IngressRoute for:

  • Path-based routing (/prisma-airs → service)
  • Automatic path stripping
  • Security headers
  • Rate limiting
  • TLS termination

Default Configuration

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
    name: prisma-airs-mcp-route
spec:
    routes:
        - match: Host(`your-domain.com`) && PathPrefix(`/prisma-airs`)
          kind: Rule
          services:
              - name: prisma-airs-mcp
                port: 3000
          middlewares:
              - name: strip-prisma-airs-prefix
              - name: security-headers

Path Routing

The IngressRoute configuration:

  1. Matches requests to /prisma-airs/*
  2. Strips the /prisma-airs prefix
  3. Forwards to the MCP service on port 3000

Example routing:

  • https://your-domain.com/prisma-airs → http://service:3000/
  • https://your-domain.com/prisma-airs/health → http://service:3000/health
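The IngressRoute above references the strip-prisma-airs-prefix and security-headers middlewares without defining them. As an added example (not the project's own manifests), these Middleware objects implement the path stripping, security headers and rate limiting listed in the Traefik Overview; the rate-limit object and its numbers are assumptions, and it must be appended to the route's middlewares list to take effect.

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: strip-prisma-airs-prefix
  namespace: prisma-airs-mcp-server
spec:
  stripPrefix:
    prefixes:
      - /prisma-airs          # /prisma-airs/health -> /health upstream
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: prisma-airs-mcp-server
spec:
  headers:
    stsSeconds: 31536000      # HSTS, one year
    stsIncludeSubdomains: true
    frameDeny: true           # X-Frame-Options: DENY
    contentTypeNosniff: true  # X-Content-Type-Options: nosniff
    referrerPolicy: no-referrer
    customResponseHeaders:
      Server: ""              # empty value removes the upstream Server banner
---
# Assumed name and limits; add "- name: rate-limit" to the route's middlewares.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
  namespace: prisma-airs-mcp-server
spec:
  rateLimit:
    average: 100              # sustained requests/second per client address
    burst: 200                # short spikes above the average are tolerated
```

Middlewares are matched by name in the same namespace as the IngressRoute, so keep all three in prisma-airs-mcp-server.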

TLS/SSL Configuration

Option 1: Let’s Encrypt (Automatic)

Using cert-manager for automatic certificates:

# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

# Create ClusterIssuer
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: traefik
EOF

# Request a certificate from the ClusterIssuer; cert-manager writes it to the named Secret
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: prisma-airs-tls
  namespace: prisma-airs-mcp-server
spec:
  secretName: prisma-airs-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - your-domain.com
EOF

# Update IngressRoute with TLS. cert-manager issues the certificate, so the route
# references the Secret rather than a Traefik certResolver. The quoted 'EOF' keeps
# the shell from treating the backticks in the match rule as command substitution.
cat <<'EOF' | kubectl apply -f -
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: prisma-airs-mcp-route
  namespace: prisma-airs-mcp-server
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`your-domain.com`) && PathPrefix(`/prisma-airs`)
      kind: Rule
      services:
        - name: prisma-airs-mcp
          port: 3000
      middlewares:
        - name: strip-prisma-airs-prefix
        - name: security-headers
  tls:
    secretName: prisma-airs-tls
EOF

Option 2: Manual Certificate

Using existing certificates:

# Create TLS secret
kubectl create secret tls prisma-airs-tls \
  --cert=path/to/tls.crt \
  --key=path/to/tls.key \
  -n prisma-airs-mcp-server

# Reference in IngressRoute
spec:
  tls:
    secretName: prisma-airs-tls

Option 3: Wildcard Certificate

Copy existing wildcard certificate:

# Run the provided script
./k8s/scripts/copy-tls-cert.sh

# Or manually copy. Drop the cluster-assigned metadata (uid, resourceVersion,
# creationTimestamp) or the apply into the new namespace is rejected.
kubectl get secret wildcard-cert -n source-namespace -o yaml | \
  sed -E -e 's/namespace: source-namespace/namespace: prisma-airs-mcp-server/' \
         -e '/^  (uid|resourceVersion|creationTimestamp):/d' | \
  kubectl apply -f -

Customization

Domain Configuration

Edit k8s/overlays/production/ingressroute-patch.yaml:

- op: replace
  path: /spec/routes/0/match
  value: Host(`your-domain.com`) && PathPrefix(`/prisma-airs`)

Apply changes:

kubectl apply -k k8s/overlays/production

Resource Limits

Customize in k8s/overlays/production/deployment-patch.yaml:

resources:
    limits:
        cpu: '2'
        memory: '1Gi'
    requests:
        cpu: '500m'
        memory: '256Mi'

Scaling

# Manual scaling
kubectl scale deployment prisma-airs-mcp -n prisma-airs-mcp-server --replicas=3

# Autoscaling
kubectl autoscale deployment prisma-airs-mcp \
  -n prisma-airs-mcp-server \
  --cpu-percent=70 \
  --min=2 \
  --max=10

Deployment Scripts

Quick Deployment

The project includes deployment scripts:

# Production deployment (latest tag)
pnpm run k8s:deploy:latest

# Versioned deployment
pnpm run k8s:deploy:version

# Or use the deploy script directly
./k8s/scripts/deploy.sh deploy production

# Check deployment status
./k8s/scripts/deploy.sh status prisma-airs-mcp-server

Rollback

# Rollback using script
pnpm run k8s:rollback

# Or manually:
# View deployment history
kubectl rollout history deployment/prisma-airs-mcp -n prisma-airs-mcp-server

# Rollback to previous version
kubectl rollout undo deployment/prisma-airs-mcp -n prisma-airs-mcp-server

# Rollback to specific revision
kubectl rollout undo deployment/prisma-airs-mcp -n prisma-airs-mcp-server --to-revision=2

Monitoring

Health Checks

The deployment includes:

  • Liveness Probe: Restarts unhealthy pods
  • Readiness Probe: Controls traffic routing
  • Startup Probe: Allows slow startup
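As an added example (not the project's deployment manifest), a container-spec fragment wiring the three probes to the /health endpoint on port 3000; the timing values are assumptions. The startup probe gates the other two: liveness and readiness do not run until it has succeeded once, which is what lets a slow start avoid a restart loop.

```yaml
# Fragment of spec.containers[] for the prisma-airs-mcp container
ports:
  - name: http
    containerPort: 3000
startupProbe:                 # holds liveness/readiness off while the process boots
  httpGet:
    path: /health
    port: http
  periodSeconds: 5
  failureThreshold: 12        # up to 60 s before the container is restarted
livenessProbe:                # restarts a pod whose /health stops answering
  httpGet:
    path: /health
    port: http
  periodSeconds: 10
  failureThreshold: 3         # ~30 s of consecutive failures triggers a restart
readinessProbe:               # removes the pod from Service endpoints when failing
  httpGet:
    path: /health
    port: http
  periodSeconds: 5
  failureThreshold: 2         # stop routing traffic after ~10 s of failures
```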

View Logs

# View logs using pnpm script
pnpm run k8s:logs

# All pods
kubectl logs -l app=prisma-airs-mcp -n prisma-airs-mcp-server -f

# Specific pod
kubectl logs prisma-airs-mcp-xxxxx -n prisma-airs-mcp-server

# Previous pod logs
kubectl logs prisma-airs-mcp-xxxxx -n prisma-airs-mcp-server --previous

Metrics

# Resource usage
kubectl top pods -n prisma-airs-mcp-server

# Detailed pod information
kubectl describe pod prisma-airs-mcp-xxxxx -n prisma-airs-mcp-server

Security

Network Policies

The deployment includes NetworkPolicy for:

  • Ingress only from Traefik
  • Egress to AIRS API endpoints
  • DNS resolution
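As an added example (not the project's own NetworkPolicy), a policy that implements the three rules above for pods labelled app=prisma-airs-mcp. It assumes Traefik runs in namespace traefik-system with pod label app.kubernetes.io/name=traefik and that cluster DNS is the kube-dns/CoreDNS deployment in kube-system; adjust both to your cluster.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prisma-airs-mcp
  namespace: prisma-airs-mcp-server
spec:
  podSelector:
    matchLabels:
      app: prisma-airs-mcp            # same label the kubectl logs examples use
  policyTypes: [Ingress, Egress]
  ingress:
    # Only Traefik may reach port 3000. Assumed: Traefik in traefik-system
    # with pod label app.kubernetes.io/name=traefik.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - { protocol: TCP, port: 3000 }
  egress:
    # DNS resolution through the cluster DNS pods in kube-system
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    # HTTPS to the AIRS API. NetworkPolicy cannot match DNS names, so allow
    # TCP/443 to non-cluster addresses only; replace the except list with your
    # pod/service CIDRs, or narrow the ipBlock to the API's published ranges.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
      ports:
        - { protocol: TCP, port: 443 }
```

Because policyTypes lists Egress, anything not matched (including plain HTTP) is denied, so verify with the nslookup and curl checks in the Troubleshooting section after applying it.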

Pod Security

# Pod-level (spec.securityContext)
securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
        type: RuntimeDefault
# Container-level (spec.containers[].securityContext); capabilities are only valid here
securityContext:
    allowPrivilegeEscalation: false
    capabilities:
        drop:
            - ALL

Secret Management

For production, consider:

  • Sealed Secrets
  • External Secrets Operator
  • HashiCorp Vault
  • Cloud provider secret managers

Troubleshooting

Common Issues

Pods Not Starting

# Check pod events
kubectl describe pod prisma-airs-mcp-xxxxx -n prisma-airs-mcp-server

# Check logs
kubectl logs prisma-airs-mcp-xxxxx -n prisma-airs-mcp-server

IngressRoute Not Working

# Check IngressRoute status
kubectl get ingressroute -n prisma-airs-mcp-server

# Check Traefik logs
kubectl logs -n traefik-system deployment/traefik | grep prisma-airs

# Verify middleware
kubectl get middleware -n prisma-airs-mcp-server

Secret Issues

# Verify secret exists
kubectl get secret prisma-airs-mcp-secrets -n prisma-airs-mcp-server

# Verify secret using script
./k8s/scripts/manage-secrets.sh verify prisma-airs-mcp-server

# Check secret content (base64 encoded)
kubectl get secret prisma-airs-mcp-secrets -n prisma-airs-mcp-server -o yaml

Debugging

Access Pod Shell

kubectl exec -it prisma-airs-mcp-xxxxx -n prisma-airs-mcp-server -- sh

Port Forwarding

# Forward to local port
kubectl port-forward -n prisma-airs-mcp-server svc/prisma-airs-mcp 3000:3000

# Test locally
curl http://localhost:3000/health

Check DNS Resolution

# From within pod
kubectl exec -it prisma-airs-mcp-xxxxx -n prisma-airs-mcp-server -- nslookup service.api.aisecurity.paloaltonetworks.com

Enterprise Features

Scalability & Performance

Performance Metrics

  • Throughput: 10,000+ requests/second per pod
  • Latency: <100ms p99 (with caching)
  • Availability: 99.9% uptime
  • Scaling: Auto-scales from 2 to 50 pods

Optimization Strategies

  1. Intelligent Caching
     • In-memory cache with 5-minute TTL
     • Cache hit rate >80% for repeated scans
     • Automatic cache invalidation
  2. Connection Pooling
     • Reuse HTTPS connections to AIRS API
     • Configurable pool size and timeout
     • Automatic retry with exponential backoff
  3. Resource Optimization
     • CPU: 0.5-2 cores per pod
     • Memory: 512MB-2GB per pod
     • Efficient memory management

Security & Compliance

Security Features

  • Encryption: TLS 1.3 for all communications
  • Authentication: API key management with rotation
  • Authorization: Role-based access control (RBAC)
  • Audit Logging: Complete audit trail for compliance
  • Network Security: Kubernetes network policies

Compliance Considerations

  • SOC 2 Type II compliant architecture
  • ISO 27001 security controls
  • GDPR-ready with data privacy features
  • HIPAA-compliant deployment options

Monitoring & Operations

Monitoring Stack

  • Metrics: Prometheus for metrics collection
  • Visualization: Grafana dashboards
  • Logging: Structured JSON logging
  • Alerting: Configure alerts for key metrics

Key Metrics to Monitor

# Example Prometheus queries (metric names assume the standard HTTP server metrics)
- Total Requests: sum(rate(http_requests_total[5m]))
- Error Rate: sum(rate(http_requests_total{status=~"5.."}[5m])) / sum(rate(http_requests_total[5m]))
- P99 Latency: histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket[5m])) by (le))
- Cache Hit Rate: sum(rate(cache_hits_total[5m])) / sum(rate(cache_requests_total[5m]))

Multi-Region Deployment

Deploy to multiple regions for global availability:

# Deploy to us-east
kubectl --context=us-east apply -k k8s/overlays/production

# Deploy to eu-west
kubectl --context=eu-west apply -k k8s/overlays/production

Backup and Disaster Recovery

# Backup configuration. The dump contains Secret data (base64-encoded, not
# encrypted): restrict access to backup.yaml and store it encrypted at rest.
# Listing the declarative resources instead of `all` keeps Pods, ReplicaSets
# and Endpoints out of the dump so the restore does not try to recreate them.
kubectl get deploy,svc,cm,secret,ingressroute,middleware,networkpolicy \
  -n prisma-airs-mcp-server -o yaml > backup.yaml

# Restore from backup
kubectl apply -f backup.yaml

Next Steps

  • Review the Configuration Reference
  • Set up monitoring with Prometheus/Grafana
  • Configure alerts for production
  • Implement CI/CD pipeline
  • Optimize performance and caching
  • Plan for disaster recovery