Kubernetes Deployment

Enterprise Deployment Guide

Deploy NIS2 Shield on Kubernetes for hospitals, municipalities, and large enterprises. Production-ready Helm chart with security hardening.

Prerequisites

Required

  • Kubernetes 1.25+ (OpenShift, EKS, GKE, RKE2, K3s)
  • Helm 3.10+
  • kubectl configured for your cluster
  • PersistentVolume provisioner (for database)

Recommended

  • Ingress controller (nginx, traefik)
  • cert-manager for TLS certificates
  • External Secrets Operator or Vault
  • Prometheus Operator (for monitoring)

Quick Start (Demo/Development)

1. Clone the repository

git clone https://github.com/nis2shield/infrastructure.git
cd infrastructure

2. Install with default values

helm install nis2shield ./charts/nis2shield \
  --namespace nis2 \
  --create-namespace

3. Access the application

kubectl port-forward svc/nis2shield-webapp 8080:8000 -n nis2
# Visit http://localhost:8080

Production Configuration

Create a values-prod.yaml file with your production settings:

# values-prod.yaml
webapp:
  image:
    repository: your-registry/nis2-app
    tag: v1.0.0
  replicaCount: 3
  ingress:
    enabled: true
    className: nginx
    hosts:
      - host: app.yourdomain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: app-tls
        hosts:
          - app.yourdomain.com

database:
  persistence:
    size: 50Gi

replicator:
  enabled: true
  dryRun: false
  cloud:
    apiUrl: https://backup.yourdomain.com/api
    tokenSecret: cloud-backup-credentials
  encryption:
    publicKeySecret: encryption-keys

networkPolicies:
  enabled: true

Then install the release with the production values file:

helm install nis2shield ./charts/nis2shield \
  --namespace nis2-prod \
  --create-namespace \
  -f values-prod.yaml

Security Hardening

The Helm chart implements Kubernetes security best practices for NIS2 compliance:

Pod Security

  • runAsNonRoot: true
  • readOnlyRootFilesystem: true
  • allowPrivilegeEscalation: false
  • capabilities: drop: ALL
  • seccompProfile: RuntimeDefault

Network Policies

  • ✅ Database accessible only from webapp pods
  • ✅ Default deny ingress policy
  • ✅ Ingress allowed only from controller
  • ✅ Egress restricted (optional)

Secrets Management

  • ✅ Auto-generated database password
  • ✅ External secret references
  • ✅ Vault annotations ready
  • ✅ Encryption keys in Secrets

Service Account

  • ✅ Dedicated ServiceAccount per release
  • automountServiceAccountToken: false
  • ✅ RBAC bindings (when needed)
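
As an added check that is not part of the chart or the project's code, the following Python script audits running pods against the pod-security and ServiceAccount settings listed above. It reads the JSON that kubectl prints (a single Pod or a PodList); the two sample pods embedded in it are constructed for illustration.

```python
import json
import sys

# Per-container securityContext values the chart is documented to set.
REQUIRED = {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False}

def audit_pod(pod: dict) -> list[str]:
    """Return findings for one Pod object as printed by `kubectl get pod -o json`."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    if spec.get("automountServiceAccountToken", True) is not False:  # unset means mounted
        findings.append(f"{name}: automountServiceAccountToken is not false")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        for key, want in REQUIRED.items():
            # runAsNonRoot (and seccompProfile below) may be inherited from the pod level.
            got = sc.get(key, pod_sc.get(key)) if key == "runAsNonRoot" else sc.get(key)
            if got != want:
                findings.append(f"{name}/{cname}: {key}={got!r}, expected {want!r}")
        drops = [d.upper() for d in (sc.get("capabilities") or {}).get("drop") or []]
        if "ALL" not in drops:
            findings.append(f"{name}/{cname}: capabilities.drop does not include ALL")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") != "RuntimeDefault":
            findings.append(f"{name}/{cname}: seccompProfile.type is not RuntimeDefault")
    return findings

def audit(obj: dict) -> list[str]:
    """Audit a single Pod or a whole PodList (kubectl get pods -o json)."""
    pods = obj.get("items", []) if obj.get("kind") == "PodList" else [obj]
    return [f for pod in pods for f in audit_pod(pod)]

# Constructed sample pods: one matching the hardening list, one missing most of it.
HARDENED = {"kind": "Pod", "metadata": {"name": "webapp-ok"}, "spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "webapp", "securityContext": {
        "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}}
WEAK = {"kind": "Pod", "metadata": {"name": "webapp-weak"}, "spec": {
    "containers": [{"name": "webapp", "securityContext": {"runAsNonRoot": True}}]}}

if __name__ == "__main__":  # kubectl get pods -n nis2-prod -o json | python3 audit_pods.py
    findings = audit(json.load(sys.stdin) if not sys.stdin.isatty() else WEAK)
    print("\n".join(findings) or "no findings")
    sys.exit(1 if findings else 0)
```

A non-zero exit status makes the script usable as a gate in a pipeline or a periodic compliance job.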

Encrypted Twin (Business Continuity)

Enable the Crypto-Replicator for zero-trust cloud backup. The cloud cannot decrypt your data.

1. Generate RSA Key Pair

# Generate keys (keep private key OFFLINE!)
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

# Create Kubernetes secret
kubectl create secret generic encryption-keys \
  --from-file=public.pem=public.pem \
  -n nis2-prod

2. Configure Cloud Backup Token

kubectl create secret generic cloud-backup-credentials \
  --from-literal=cloud-token=your-api-token \
  -n nis2-prod

3. Enable in values.yaml

replicator:
  enabled: true
  dryRun: false  # Important!
  cloud:
    apiUrl: https://your-backup-api.com
    tokenSecret: cloud-backup-credentials
    tokenKey: cloud-token
  encryption:
    publicKeySecret: encryption-keys
    publicKeySecretKey: public.pem
    keyId: prod-2024

Keep Private Key Safe!

Store private.pem in a secure offline location (HSM, air-gapped system). You'll need it for disaster recovery.

Using External Database (RDS, Cloud SQL)

For production, you may want to use a managed database like AWS RDS or Google Cloud SQL:

database:
  enabled: true
  external:
    enabled: true
    host: mydb.xxxxx.eu-west-1.rds.amazonaws.com
    port: 5432
    database: nis2_production
    username: nis2admin
    existingSecret: rds-credentials  # Must contain 'password' key

# Create the secret first
kubectl create secret generic rds-credentials \
  --from-literal=password=your-db-password \
  -n nis2-prod

Operations

Upgrading

helm upgrade nis2shield ./charts/nis2shield \
  -n nis2-prod \
  -f values-prod.yaml

Rollback

# List history
helm history nis2shield -n nis2-prod

# Roll back to a chosen revision from the history (revision 1 here)
helm rollback nis2shield 1 -n nis2-prod

Checking Status

# Get pods
kubectl get pods -n nis2-prod -l app.kubernetes.io/instance=nis2shield

# Check logs
kubectl logs -n nis2-prod -l app.kubernetes.io/component=webapp

# Describe deployment
kubectl describe deployment nis2shield-webapp -n nis2-prod

Uninstalling

helm uninstall nis2shield -n nis2-prod

# Note: PVCs are not deleted automatically; deleting them removes the database data
kubectl delete pvc -n nis2-prod -l app.kubernetes.io/instance=nis2shield