Skip to content

Deployment Guide

This guide details the workflow for deploying secure, audited workloads onto any Kubernetes cluster using Lucid.

🚀 The Zero-Touch Deployment Workflow

Lucid uses a "Zero-Touch" security model. You keep your standard Kubernetes manifests, and the Lucid CLI and Operator handle the security transformation at deploy-time.

Step 1: Build & Verify

Before deploying, ensure your Auditor container is compliant with the Lucid Standard.

# 1. Build your auditor image
docker build -t my-auditor:v1 .

# 2. Verify compliance using the CLI
lucid auditor verify my-auditor:v1

Step 2: Notarize (Trust Registry)

To prevent unauthorized code from running in your secure perimeter, every image must be notarized. This registers the container's cryptographic digest with the Lucid Verifier.

# Set your API Key
export LUCID_API_KEY="your-prod-key"

# Publish and sign the image
lucid auditor publish my-auditor:v1

Step 3: Define the Safety Policy

Define your safety guardrails in an auditors.yaml file. This separates security logic from infrastructure.

Example: auditors.yaml 

chain:
  - name: pii-scanner
    image: "my-registry/pii-auditor:v1"
    port: 8081

See the Policy as Code guide for full schema details.

Step 4: Deploy with Automatic TEE Injection

Deploy your workload using lucid deploy apply. When the CLI detects the lucid.io/secured: "true" label in your manifest, it automatically transforms it into a secure TEE workload.

# Apply the manifest. Sidecars and TEE runtimes are injected automatically.
lucid deploy apply --file my-deployment.yaml --auditors auditors.yaml

🔍 What happens under the hood?

The CLI and Operator work together to: 1. Inject sidecars: Adds all Auditors defined in your chain to the Pod. 2. Configure Networking: Routes traffic through the Auditor sequence. 3. Enforce TEE Runtime: Adds runtimeClassName: kata-remote (or equivalent) to ensure hardware encryption.

☁️ Cloud Provider Requirements

To use real Hardware Root of Trust, your cluster must be provisioned with TEE-capable nodes.

Provider Requirement
Azure DCsv3 or ECsv3 nodes (Intel SGX).
GCP N2DL nodes (AMD SEV-SNP) with "Confidential Computing" enabled.
AWS Nitro-based instances with Enclaves enabled.

For detailed infrastructure setup instructions, see Cluster Setup.