Deploy Crawdad as a sidecar container in your Kubernetes pods. The sidecar shares the pod's network namespace — your agent connects to localhost:7749.
kubectl create secret generic crawdad-secret \
  --from-literal=license-key=crd_live_YOUR_KEY
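spec:
  containers:
    - name: agent
      image: your-agent-image:latest
      env:
        # The agent reaches the sidecar over the pod's shared loopback interface.
        - name: CRAWDAD_HOST
          value: "localhost"
        - name: CRAWDAD_PORT
          value: "7749"
    - name: crawdad-sidecar
      # Floating tag; pin a specific tag or digest in production.
      image: crawdad/sidecar:latest
      env:
        # License key is read from the crawdad-secret Secret created above.
        - name: CRAWDAD_LICENSE_KEY
          valueFrom:
            secretKeyRef:
              name: crawdad-secret
              key: license-key
        # Listens on all pod interfaces: kubelet httpGet probes target the pod IP,
        # not localhost. The port is therefore also reachable from other pods
        # unless a NetworkPolicy restricts ingress.
        - name: CRAWDAD_BIND
          value: "0.0.0.0"
      ports:
        - containerPort: 7749
      resources:
        requests:
          memory: "32Mi"
          cpu: "50m"
        limits:
          memory: "64Mi"
          cpu: "200m"
      readinessProbe:
        httpGet:
          path: /v1/health
          port: 7749
        initialDelaySeconds: 2
        periodSeconds: 10
      livenessProbe:
        httpGet:
          path: /v1/health
          port: 7749
        initialDelaySeconds: 5
        periodSeconds: 30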
Containers in the same Kubernetes pod share a network namespace. Your agent connects to localhost:7749 — same as running on a single machine. All scanning happens inside the sidecar container. Content stays within the pod by default.
The Crawdad sidecar uses under 64MB RSS and minimal CPU. The recommended limits above are conservative — adjust based on your traffic.
The sidecar exposes GET /v1/health which returns {"status":"ok"}. Use this for both readiness and liveness probes. The readiness probe ensures your agent doesn't start until the sidecar is ready.
A complete deployment YAML is included in the Crawdad distribution under deploy/kubernetes-sidecar.yaml. Contact contact@getcrawdad.dev for assistance.