Kubernetes Sidecar Deployment
The most secure way to deploy Bauxite is as a Sidecar container within your application Pod. This ensures that PII is scrubbed before it ever leaves the pod’s network boundary.
Deployment Architecture
Your application container communicates with Bauxite via localhost:9090. Bauxite redacts the prompt and forwards the request to the LLM provider over the public internet or a private VPC link.
mTLS Enforcement
In production, we recommend enabling mTLS to ensure that only your application can talk to the sidecar, preventing unauthorized access from other compromised containers in the same namespace.
Kubernetes Manifest (Sidecar)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-ai-service
spec:
  # apps/v1 Deployments require a selector that matches the pod template's labels;
  # the manifest as published omitted it, and the label value here is illustrative.
  selector:
    matchLabels:
      app: my-ai-service
  template:
    metadata:
      labels:
        app: my-ai-service
    spec:
      containers:
        # 1. Your Application
        - name: app
          image: your-repo/ai-app:latest
          env:
            # Point the OpenAI client at the sidecar on the pod's loopback interface
            - name: OPENAI_BASE_URL
              value: "http://127.0.0.1:9090/v1"
        # 2. Bauxite Intercept (The Shield)
        - name: bauxite-intercept
          image: bauxite/intercept:latest
          args: ["--config", "/etc/bauxite/config.yaml"]
          volumeMounts:
            - name: config-volume
              mountPath: /etc/bauxite
            - name: certs
              mountPath: /etc/bauxite/certs
          resources:
            limits:
              memory: "128Mi" # Recommended for Shield tier
              cpu: "200m"
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
      volumes:
        - name: config-volume
          configMap:
            name: bauxite-config
        - name: certs
          secret:
            secretName: bauxite-mtls-certs
Sidecar Hardening
1. Read-Only Root
Always run with readOnlyRootFilesystem: true. Bauxite only needs write access to its persistent SQLite database (if enabled), which should be mounted to a separate emptyDir or persistent volume.
2. mTLS Configuration
To enforce mTLS in the sidecar, update your config.yaml (the paths below are where the certs volume is mounted in the manifest above):
server:
  tls:
    enabled: true
    cert_file: "/etc/bauxite/certs/tls.crt"
    key_file: "/etc/bauxite/certs/tls.key"
    client_ca_file: "/etc/bauxite/certs/ca.crt" # Enables mTLS verification: clients must present a certificate issued by this CA
Once this is enabled the sidecar only accepts TLS connections, so the application must address it over https:// and present a client certificate issued by the same CA; a container in the namespace without such a certificate is rejected at the handshake.
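The following Go program is an added example, not Bauxite's code, showing what the three config keys amount to in terms of TLS configuration and what "mTLS enforcement" does to a client that lacks a valid certificate. It issues a throwaway CA and certificates in memory (stand-ins for ca.crt, tls.crt/tls.key and the application's client certificate), starts a loopback TLS listener configured the way client_ca_file implies, and then tries three clients: one with no certificate, one with a certificate from an unrelated CA (the compromised-neighbour scenario from the mTLS section), and one issued by the sidecar's CA. The certificate names and port selection are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issueCert builds an in-memory P-256 certificate for cn. A CA is self-signed (the stand-in
// for ca.crt); a leaf is signed by parent. Generation errors can only be programming
// mistakes in this demo, so they panic.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the sidecar is reached on loopback
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func poolOf(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// SidecarTLSConfig is what the documented keys amount to: cert_file/key_file are the server
// certificate; client_ca_file is the client CA pool plus RequireAndVerifyClientCert, i.e. mTLS.
func SidecarTLSConfig(srv *x509.Certificate, srvKey *ecdsa.PrivateKey, clientCA *x509.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientCAs:    poolOf(clientCA),
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
}

// ClientConfig is the application side: trust the sidecar's CA and present cert if non-nil.
func ClientConfig(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	cfg := &tls.Config{RootCAs: poolOf(ca)}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	return cfg
}

// Connect runs one loopback handshake and reports whether the client was admitted. The server
// writes "ok" only after its handshake succeeded; under TLS 1.3 the client certificate is
// verified after the client's own handshake returns, so rejection shows up as a read error.
func Connect(serverCfg, clientCfg *tls.Config) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			c.Write([]byte("ok")) // fails if the client certificate did not verify; Close then ends the connection
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return false, nil // rejected during the handshake
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 2)
	_, err = io.ReadFull(conn, buf)
	return err == nil && string(buf) == "ok", nil
}

// Demo issues a CA, the sidecar certificate, a client certificate from that CA and one from an
// unrelated CA (another container in the namespace), and reports which clients are admitted.
func Demo() (noCert, wrongCA, valid bool, err error) {
	ca, caKey := issueCert("bauxite-ca", true, nil, nil)
	srv, srvKey := issueCert("bauxite-intercept", false, ca, caKey)
	app, appKey := issueCert("app", false, ca, caKey)
	otherCA, otherCAKey := issueCert("other-ca", true, nil, nil)
	other, otherKey := issueCert("other-container", false, otherCA, otherCAKey)
	serverCfg := SidecarTLSConfig(srv, srvKey, ca)
	if noCert, err = Connect(serverCfg, ClientConfig(ca, nil, nil)); err != nil {
		return
	}
	if wrongCA, err = Connect(serverCfg, ClientConfig(ca, other, otherKey)); err != nil {
		return
	}
	valid, err = Connect(serverCfg, ClientConfig(ca, app, appKey))
	return
}

func main() {
	noCert, wrongCA, valid, err := Demo()
	fmt.Println(noCert, wrongCA, valid, err) // false false true <nil>
}
```

Only the client whose certificate chains to the CA named in client_ca_file is admitted; the other two are refused regardless of whether they trust the sidecar's server certificate, which is the property that keeps a neighbouring container in the same namespace from using the sidecar as an open proxy.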
Verify the sidecar is intercepting traffic:
kubectl logs <pod-name> -c bauxite-intercept
Expected log:
level=INFO msg=bauxite_starting addr=:9090 tls_enabled=true mtls_enforcement_enabled=true
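Checking that line by eye works for one pod; for a deployment gate you want it parsed. The Go program below is an added example (not part of Bauxite) that splits the key=value startup line the way a logfmt consumer would, handles double-quoted values, and reports whether the sidecar started with both TLS and mTLS enforcement on. The log text it runs over is constructed to match the expected line above plus one preceding line; nothing in it was captured from a real sidecar.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseLogfmt splits a key=value log line into a map. Values may be double-quoted so they
// can contain spaces; an unquoted value runs to the next space (and may itself contain '=').
func ParseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	rest := strings.TrimSpace(line)
	for rest != "" {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			break // trailing token without a value
		}
		key := rest[:eq]
		rest = rest[eq+1:]
		var val string
		if strings.HasPrefix(rest, `"`) {
			end := strings.IndexByte(rest[1:], '"')
			if end < 0 {
				val, rest = rest[1:], "" // unterminated quote: take the remainder
			} else {
				val, rest = rest[1:1+end], rest[end+2:]
			}
		} else {
			sp := strings.IndexByte(rest, ' ')
			if sp < 0 {
				val, rest = rest, ""
			} else {
				val, rest = rest[:sp], rest[sp+1:]
			}
		}
		fields[key] = val
		rest = strings.TrimLeft(rest, " ")
	}
	return fields
}

// MTLSEnforced is true only for a startup line that reports both TLS and mTLS enforcement on.
func MTLSEnforced(line string) bool {
	f := ParseLogfmt(line)
	return f["msg"] == "bauxite_starting" && f["tls_enabled"] == "true" && f["mtls_enforcement_enabled"] == "true"
}

// CheckStartup scans log output (as returned by kubectl logs) for the startup line and returns
// the listen address and the mTLS verdict; found is false when no startup line is present.
func CheckStartup(logs string) (addr string, mtls bool, found bool) {
	for _, line := range strings.Split(logs, "\n") {
		f := ParseLogfmt(line)
		if f["msg"] == "bauxite_starting" {
			return f["addr"], MTLSEnforced(line), true
		}
	}
	return "", false, false
}

// sampleLogs is constructed for this example; the first line is invented, the second matches
// the documented expected startup line.
const sampleLogs = `level=INFO msg=config_loaded path="/etc/bauxite/config.yaml"
level=INFO msg=bauxite_starting addr=:9090 tls_enabled=true mtls_enforcement_enabled=true`

func main() {
	addr, mtls, found := CheckStartup(sampleLogs)
	fmt.Println(addr, mtls, found) // :9090 true true
}
```

Feed it the output of kubectl logs in a readiness job and fail the rollout when found is false or mtls is false; a sidecar that came up with tls_enabled=false is exactly the misconfiguration that would let a neighbouring container talk to it in plaintext.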