Deploy Crawdad as a sidecar container in your Kubernetes pods. The sidecar shares the pod's network namespace — your agent connects to localhost:7749.
kubectl create secret generic crawdad-secret \ --from-literal=license-key=crd_live_YOUR_KEY
spec:
containers:
- name: agent
image: your-agent-image:latest
env:
- name: CRAWDAD_HOST
value: "localhost"
- name: CRAWDAD_PORT
value: "7749"
- name: crawdad-sidecar
image: crawdad/sidecar:latest
env:
- name: CRAWDAD_LICENSE_KEY
valueFrom:
secretKeyRef:
name: crawdad-secret
key: license-key
- name: CRAWDAD_BIND
value: "0.0.0.0"
ports:
- containerPort: 7749
resources:
requests:
memory: "32Mi"
cpu: "50m"
limits:
memory: "64Mi"
cpu: "200m"
readinessProbe:
httpGet:
path: /v1/health
port: 7749
initialDelaySeconds: 2
periodSeconds: 10
livenessProbe:
httpGet:
path: /v1/health
port: 7749
initialDelaySeconds: 5
periodSeconds: 30
Containers in the same Kubernetes pod share a network namespace. Your agent connects to localhost:7749 — same as running on a single machine. All scanning happens inside the sidecar container. Content never leaves the pod.
The Crawdad sidecar uses under 64MB RSS and minimal CPU. The recommended limits above are conservative — adjust based on your traffic.
The sidecar exposes GET /v1/health which returns {"status":"ok"}. Use this for both readiness and liveness probes. The readiness probe ensures your agent doesn't start until the sidecar is ready.
A complete deployment YAML is included in the Crawdad distribution under deploy/kubernetes-sidecar.yaml. Contact contact@getcrawdad.dev for assistance.