Private Cloud Installation (AWS)

This guide walks you through the installation of Pangea Private Cloud services, enabling you to run Pangea AI security solutions within your cloud environment.

Overview of Pangea Private Cloud installation process

  1. Install the Pangea Private Cloud Operator using Helm.
  2. Deploy a PostgreSQL database for service data.
  3. Install the PangeaCluster resource to deploy Pangea services and UI.
  4. Verify that all services are running and healthy.
  5. Update the deployment to enable additional services as needed.
  6. Monitor, scale, and maintain the deployment.

Install Pangea Cluster Operator

Pangea services are deployed and managed using the Pangea Private Cloud Operator. The operator includes a Custom Resource Definition (CRD) for the PangeaCluster resource, automating the installation, configuration, scaling, and lifecycle management of Pangea services within your Kubernetes cluster.

Set up namespace

Create a dedicated namespace for the operator. Optionally, you can set this namespace as the default for your current context.

Create namespace
kubectl create namespace pangea-private-cloud-operator
Set namespace as default for current context
kubectl config set-context --current --namespace pangea-private-cloud-operator

Create Kubernetes secret for Pangea registry

Use your Pangea private OCI registry credentials to create a Kubernetes secret for pulling Docker images. For example:

Export registry credentials
export PANGEA_REGISTRY_USERNAME="psa_txznaa...yi34is"
export PANGEA_REGISTRY_PASSWORD="pck_ol74sv...74d44p"
Create a Kubernetes secret for the Pangea registry
kubectl create secret docker-registry pangea-registry \
--docker-server="registry.pangea.cloud" \
--docker-username="$PANGEA_REGISTRY_USERNAME" \
--docker-password="$PANGEA_REGISTRY_PASSWORD" \
--namespace pangea-private-cloud-operator \
--dry-run=client -o yaml | kubectl apply -f -

Install operator

  1. Install the Pangea Private Cloud Operator in its namespace using a Helm chart from the Pangea registry.

    Sign in to the Pangea registry
    helm registry login registry.pangea.cloud \
    --username "$PANGEA_REGISTRY_USERNAME" \
    --password-stdin <<< "$PANGEA_REGISTRY_PASSWORD"
  2. Create a custom Helm values file and specify the image pull secret for the Pangea registry.

    my-values.yaml
    image:
      imagePullSecrets:
        - name: pangea-registry
  3. Get the latest version of the Pangea Private Cloud Operator Helm chart from the Pangea registry.

    Concatenate the client ID and client secret with a colon (:) and base64 encode the result to authorize your request.

    tip

    On a Linux-based system, you can use the base64 utility to encode the client credentials:

    Use HTTP Basic authentication scheme for authenticating a client
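    # Quote the variables and strip the line breaks base64 inserts into long output
    export PANGEA_REGISTRY_CREDENTIAL=$(printf '%s:%s' "$PANGEA_REGISTRY_USERNAME" "$PANGEA_REGISTRY_PASSWORD" | base64 | tr -d '\n')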
    Get latest version of the Pangea Private Cloud Operator Helm chart
    curl --location 'https://registry.pangea.cloud/v2/private-cloud/charts/tags/list' \
    --header "Authorization: Basic $PANGEA_REGISTRY_CREDENTIAL"
    Example output
    {
    "name": "private-cloud/charts",
    "tags": [
    "0.8.10",
    "0.8.6",
    "0.8.7",
    "0.8.8",
    "0.8.9"
    ]
    }
    Set the desired operator version
    export PANGEA_PRIVATE_CLOUD_OPERATOR_VERSION="<pangea-private-cloud-operator-version>"
  4. Install the operator using Helm, referencing your custom values file and specifying the desired version of the operator.

    Install Pangea Private Cloud Operator
    helm install pangea-cluster-operator \
    oci://registry.pangea.cloud/private-cloud/charts \
    --values "my-values.yaml" \
    --namespace pangea-private-cloud-operator \
    --version "$PANGEA_PRIVATE_CLOUD_OPERATOR_VERSION"
    Verify operator installation
    kubectl get all --namespace pangea-private-cloud-operator
    Example output
    NAME                                                     READY   STATUS    RESTARTS   AGE
    pod/pangea-cluster-operator-controller-5676f8894-4f2z8   1/1     Running   0          79s

    NAME                                                                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    service/pangea-cluster-operator-controller-manager-metrics-service   ClusterIP   172.20.99.156   <none>        8443/TCP   79s

    NAME                                                 READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/pangea-cluster-operator-controller   1/1     1            1           79s

    NAME                                                           DESIRED   CURRENT   READY   AGE
    replicaset.apps/pangea-cluster-operator-controller-5676f8894   1         1         1       79s
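
The tags in the example output of step 3 come back in string order, so "0.8.10" is listed before "0.8.6" although it is the highest version. The following added example (not part of Pangea's documentation) picks the highest X.Y.Z tag from a tags/list response and ignores anything that is not a plain release version; the function name latest_chart_tag and the SAMPLE_TAGS_JSON variable are assumptions made for illustration.

```shell
# Added example: select the highest X.Y.Z tag from a registry tags/list response.
# Reads the JSON document on stdin, prints one tag, returns 1 if none qualify.
latest_chart_tag() {
  _tags=$(
    # Extract every quoted string, one per line
    grep -oE '"[^"]*"' |
      tr -d '"' |
      # Keep only strict X.Y.Z versions; "latest", "1.0.0-rc1", names etc. are dropped
      grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' |
      # Sort each dot-separated field numerically so 0.8.10 ranks above 0.8.9
      sort -t . -k 1,1n -k 2,2n -k 3,3n
  )
  [ -n "$_tags" ] || return 1
  printf '%s\n' "$_tags" | tail -n 1
}

# Sample response, taken from the example output in step 3.
SAMPLE_TAGS_JSON='{"name":"private-cloud/charts","tags":["0.8.10","0.8.6","0.8.7","0.8.8","0.8.9"]}'

# In a real run, pipe the curl command from step 3 into the function instead.
PANGEA_PRIVATE_CLOUD_OPERATOR_VERSION=$(printf '%s' "$SAMPLE_TAGS_JSON" | latest_chart_tag)
export PANGEA_PRIVATE_CLOUD_OPERATOR_VERSION
echo "$PANGEA_PRIVATE_CLOUD_OPERATOR_VERSION"
```

Pinning the exported value in the helm install command keeps the installed chart version explicit and repeatable.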

Deploy Pangea services

After installing the operator, deploy Pangea services and UI by creating a PangeaCluster resource.

Set up namespace

Create a dedicated namespace for your Pangea Private Cloud deployment. Optionally, you can set this namespace as the default for your current context.

Create namespace
kubectl create namespace pangea-private-cloud
Set namespace as default for current context
kubectl config set-context --current --namespace pangea-private-cloud

Create Kubernetes secret for Pangea registry

Use your Pangea private OCI registry credentials to create a Kubernetes secret for pulling Docker images. For example:

Export registry credentials
export PANGEA_REGISTRY_USERNAME="psa_txznaa...yi34is"
export PANGEA_REGISTRY_PASSWORD="pck_ol74sv...74d44p"
Create a Kubernetes secret for the Pangea registry
kubectl create secret docker-registry pangea-registry \
--docker-server="registry.pangea.cloud" \
--docker-username="$PANGEA_REGISTRY_USERNAME" \
--docker-password="$PANGEA_REGISTRY_PASSWORD" \
--namespace pangea-private-cloud \
--dry-run=client -o yaml | kubectl apply -f -

Deploy database

Pangea services require a PostgreSQL database to store user data, authentication records, authorization policies, and other service-related information.

The example below shows a sample PostgreSQL deployment configuration.

Set database credentials
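# init-databases.sql in postgres.yaml assigns database ownership to this user name
export DB_USERNAME="pangea_user"
# Generate a random password instead of reusing the user name as the password
export DB_PASSWORD="$(openssl rand -hex 24)"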
Create a Kubernetes secret for the database credentials
kubectl create secret generic db-secret \
--from-literal=username="$DB_USERNAME" \
--from-literal=password="$DB_PASSWORD" \
--namespace pangea-private-cloud

Before deploying PostgreSQL, ensure your cluster has a valid StorageClass that supports the ReadWriteOnce (RWO) access mode, and that it is referenced in the storageClassName field of your manifest.

postgres.yaml - PostgreSQL StatefulSet and Service
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-initdb
  namespace: pangea-private-cloud
data:
  init-databases.sql: |
    CREATE DATABASE authn OWNER pangea_user;
    CREATE DATABASE authz OWNER pangea_user;
    CREATE DATABASE embargo OWNER pangea_user;
    CREATE DATABASE msf OWNER pangea_user;
    CREATE DATABASE gateway OWNER pangea_user;
    CREATE DATABASE hotpg OWNER pangea_user;
    CREATE DATABASE puc OWNER pangea_user;
    CREATE DATABASE bmserviceglobal OWNER pangea_user;
    CREATE DATABASE vault OWNER pangea_user;
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: pangea-private-cloud
spec:
  serviceName: postgres
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      initContainers:
        - name: init-postgres-storage
          image: busybox:1.35
          command: ["sh", "-c"]
          args:
            - |
              echo "Checking PVC mount..."
              if [ ! -d /var/lib/postgresql ]; then
                echo "ERROR: PVC not mounted at /var/lib/postgresql"
                exit 1
              fi
              echo "Creating pgdata directory if needed..."
              mkdir -p /var/lib/postgresql/pgdata
              chown 999:999 /var/lib/postgresql/pgdata
              echo "PVC ready!"
          volumeMounts:
            - name: postgres-storage
              mountPath: /var/lib/postgresql
      containers:
        - name: postgres
          image: docker.io/pgvector/pgvector:pg16
          env:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: password
            - name: PGDATA
              value: /var/lib/postgresql/pgdata
            - name: POSTGRES_INITDB_ARGS
              value: "-c max_connections=1024 -c idle_in_transaction_session_timeout=300000 -c statement_timeout=600000"
          ports:
            - containerPort: 5432
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - pg_isready -U $POSTGRES_USER -d postgres
            initialDelaySeconds: 15
            periodSeconds: 5
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - pg_isready -U $POSTGRES_USER -d postgres
            initialDelaySeconds: 45
            periodSeconds: 10
          volumeMounts:
            - name: postgres-storage
              mountPath: /var/lib/postgresql
            - name: initdb
              mountPath: /docker-entrypoint-initdb.d
      volumes:
        - name: initdb
          configMap:
            name: postgres-initdb
  volumeClaimTemplates:
    - metadata:
        name: postgres-storage
      spec:
        storageClassName: <storage-class-name>
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: pangea-private-cloud
spec:
  type: ClusterIP
  ports:
    - port: 5432
      targetPort: 5432
  selector:
    app: postgres
Deploy PostgreSQL
kubectl apply --filename postgres.yaml --namespace pangea-private-cloud

Configure S3 access

Some Pangea services require file storage access for audit logs and large payloads. Create an S3 bucket and configure access for the pods that need it.

Required S3 permissions:

  • s3:ListBucket on the bucket ARN
  • s3:GetObject, s3:PutObject, s3:DeleteObject on bucket objects

After configuring pods to use a Kubernetes ServiceAccount associated with an IAM role that has S3 access (using Pod Identity or IRSA), reference the ServiceAccount in your PangeaCluster:

pangea-cluster.yaml - PangeaCluster custom resource
...
spec:
  ...
  common:
    ...
    csp:
      bucket_name: <bucket-name>
  services:
    ...
    gateway:
      enabled: true
      serviceAccountName: <service-account-name>
    audit:
      enabled: true
      database:
        name: hotpg
      serviceAccountName: <service-account-name>

A complete example of a PangeaCluster manifest is provided below.

Deploy PangeaCluster

Create a PangeaCluster custom resource to define and deploy Pangea services and the UI. Required services are enabled by default, and you can configure additional services based on your use case.

Required services

  • authn - AuthN enables user and service-to-service authentication.

  • gateway - Acts as the entry point for requests, routing them to the appropriate services.

  • access - Manages access control to platform resources.

  • authz - AuthZ provides authorization services to determine whether a user or system can perform specific actions.

  • bmservice - Manages metering for usage tracking.

  • puc-service - Powers service configuration through the Pangea User Console (PUC).

  • console - Hosts the Pangea User Console, providing a UI for managing and monitoring services.

  • vault - Vault securely stores and manages secrets, tokens, and encryption keys, and provides API-based access to them.

  • audit - Secure Audit Log records a tamperproof audit trail of application and service events.

    note

    Secure Audit Log integrates with other services to provide Activity Log functionality. The following services have Activity Log enabled by default:

Additional services

The following security services can be added to Private Cloud deployments:

  • ai-guard - AI Guard protects data and interactions with LLMs by blocking malicious prompts and safeguarding sensitive information.
  • prompt-guard - Prompt Guard detects prompt injection and jailbreak attempts in AI applications. This service integrates with AI Guard.
  • redact - Redact removes sensitive information such as PII and confidential data from text. This service integrates with AI Guard.
  • embargo - Embargo restricts access to resources based on country or region.
  • intelligence - Detects malicious entities and data using threat intelligence feeds from major providers:

Example PangeaCluster manifest

Define the Pangea services for your Private Cloud deployment in the services field of the PangeaCluster manifest. The example below shows a configuration for deploying services that secure AI-powered application flows.

Before you proceed, replace the following placeholders:

  • <pangea-private-cloud-operator-version> - Version of the Pangea Private Cloud Operator you installed
  • <bucket-name> - Name of your S3 bucket
  • <service-account-name> - ServiceAccount with S3 access permissions
pangea-cluster.yaml - PangeaCluster custom resource
apiVersion: cluster.pangea.cloud/v1beta1
kind: PangeaCluster
metadata:
  name: pangea-cluster
  namespace: pangea-private-cloud
  labels:
    reconcile: "true"
spec:
  version: <pangea-private-cloud-operator-version>
  common:
    image:
      registry: registry.pangea.cloud
      tag: <pangea-private-cloud-operator-version>
    database:
      host: postgres.pangea-private-cloud.svc.cluster.local
      port: 5432
      name: msf
      auth:
        usernameSecretRef:
          name: db-secret
          key: username
        passwordSecretRef:
          name: db-secret
          key: password
    csp:
      bucket_name: <bucket-name>
    imagePullSecrets:
      - name: pangea-registry
  services:
    authn:
      enabled: true
    gateway:
      enabled: true
      serviceAccountName: <service-account-name>
    access:
      enabled: true
    authz:
      enabled: true
    bmservice:
      enabled: true
    puc-service:
      enabled: true
      database:
        name: puc
    console:
      enabled: true
    vault:
      enabled: true
    audit:
      enabled: true
      database:
        name: hotpg
      serviceAccountName: <service-account-name>
    ai-guard:
      enabled: true
      resources:
        limits:
          cpu: 750m
          memory: 7Gi
        requests:
          cpu: 250m
          memory: 5Gi
      startupProbe:
        initialDelaySeconds: 1
        failureThreshold: 30
        periodSeconds: 20
        successThreshold: 1
        timeoutSeconds: 1
    prompt-guard:
      enabled: true
      resources:
        limits:
          cpu: 1000m
          memory: 7Gi
        requests:
          cpu: 1000m
          memory: 5Gi
      startupProbe:
        initialDelaySeconds: 1
        failureThreshold: 30
        periodSeconds: 20
        successThreshold: 1
        timeoutSeconds: 1
    redact:
      enabled: true
      resources:
        limits:
          cpu: 1000m
          memory: 6Gi
        requests:
          cpu: 1000m
          memory: 3Gi
      startupProbe:
        initialDelaySeconds: 1
        failureThreshold: 30
        periodSeconds: 20
        successThreshold: 1
        timeoutSeconds: 1
kubectl apply --filename pangea-cluster.yaml
note

AI Guard, Prompt Guard, and Redact are resource-intensive services that may require special configuration for reliable performance. These services support AI security use cases and typically require higher CPU and memory allocations than other Pangea services.

Updating PangeaCluster deployment

To add services to an existing deployment, update the services field in the PangeaCluster manifest and reapply the configuration.

pangea-cluster.yaml - Add Pangea services
  ...
  services:
    ...
    embargo:
      enabled: true
    intelligence:
      enabled: true
Update PangeaCluster with additional services
kubectl apply -f pangea-cluster.yaml

Verify deployment

Use Pangea support tool

Check the health of your deployment using the Pangea support tool:

  1. Download the script and make it executable.

    curl -sS https://registry.pangea.cloud/help.sh > help.sh
    chmod 755 help.sh
  2. Verify the script's integrity using the checksum provided by Pangea.

    Example checksum file
    b3ee79308adacca97fd03b43c59d7d926d1fddec96dc41a97025496972e52f0e  help.sh
    Verify the script's integrity using the checksum received from Pangea
    sha256sum --check help.sh.sha256
  3. If the output is help.sh: OK, run the tool.

    Execute the Pangea support tool
    ./help.sh
note

To run the support tool without verification, you can pipe the script directly into your shell. This skips the checksum step, so the downloaded script runs as-is:

Run Pangea support tool without verification
curl -sS https://registry.pangea.cloud/help.sh | sh

The script lists operators, clusters, databases, statuses, and service-health details.

Example output of the Pangea support tool
k8s context  : arn:aws:eks:us-west-2:180197846871:cluster/dev
tool version : 0.1.3
==
OPERATORS
=========
deploy/pangea-cluster-operator-controller in pangea-private-cloud-operator
wants 1 replica(s)
controller-manager registry.pangea.cloud/private-cloud/operator:0.8.10 Always
has
pod/pangea-cluster-operator-controller-576d95759d-qw9kp
registry.pangea.cloud/private-cloud/operator:0.8.10 / registry.pangea.cloud/private-cloud/operator@sha256:aa157e727536f9bb0c47a9de7412dc11ba5cccd4256d1b5736c95180aaca3683

CLUSTERS
========
crd/pangeaclusters.cluster.pangea.cloud:
pangea-cluster in pangea-private-cloud
database
user db-secret/username
pass db-secret/password
postgres.pangea-private-cloud.svc.cluster.local:5432/msf

status: : poi_iyqafy2n5zimxs53hu44zrkdxpsfbshq Ready
service images : registry.pangea.cloud 0.8.10
version : 0.8.10

services
access okay
ai-guard okay
audit okay
authn okay
authz okay
bmservice okay
gateway okay
prompt-guard okay
puc-service okay
redact okay
vault okay

If you see any issues with the deployment or service health, proceed to the Troubleshooting section.

Open admin console

To access the Pangea User Console and service APIs, forward a local port to the pangea-cluster-console service. Both the UI and API traffic are routed through this gateway endpoint.

Forward local port to the Pangea User Console
kubectl port-forward services/pangea-cluster-console 8000:8000 --namespace pangea-private-cloud

Open your browser and navigate to http://localhost:8000. When prompted, sign up and create your organization and first project.

On the Console home page, click a service in the left-hand navigation to activate it. Follow the prompts and accept the default settings for quick setup.

On the service Overview page, note the configuration details, including the default token. You can use this information to test the service APIs.

Try service APIs

The example below shows how to use the Secure Audit Log service to capture application events.

Set environment variables
export PANGEA_AUDIT_TOKEN="pts_zabthp...hteya3"
Test API request to the Secure Audit Log service
curl -sSLX POST 'localhost:8000/api/audit/v1/log' \
-H "Authorization: Bearer $PANGEA_AUDIT_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"event": {
"message": "I am a test log message"
}
}'
Example output
{
"request_id": "prq_5xjv6u6ayd3hux64vcuj5f4b6cyfhwmg",
"status": "Success",
"summary": "Logged 1 record(s)",
"result": {
"hash": "8ab152cf05f5f722b8ca6ca84b35e70abc0e010ca059ef428c2914c1eda27ec2"
},
...
}

You can view the logged event in the Pangea User Console under View Logs on the Secure Audit Log service page.

Troubleshooting

Check status of PangeaCluster resources

Check status of deployed resources
kubectl get all,pvc,secrets --namespace pangea-private-cloud
Example output
kubectl get all,pvc,secrets
NAME READY STATUS RESTARTS AGE
pod/pangea-cluster-access-585699db57-zcct6 1/1 Running 0 16h
pod/pangea-cluster-ai-guard-b94f4f976-rkbjz 1/1 Running 0 16h
pod/pangea-cluster-audit-7dbdddd56-l4pjc 1/1 Running 0 16h
pod/pangea-cluster-authn-65d798984f-4bnnw 1/1 Running 0 16h
pod/pangea-cluster-authz-6fdfd647b9-vwhtn 1/1 Running 0 16h
pod/pangea-cluster-bootstrap-ui-authn-h9mm7 0/1 Completed 0 16h
pod/pangea-cluster-console-66fdf79c7b-jljzw 1/1 Running 0 16h
pod/pangea-cluster-embargo-5654b6cfb8-twrgj 0/1 CrashLoopBackOff 128 (3m13s ago) 10h
pod/pangea-cluster-gateway-594df449bc-fl5c6 1/1 Running 0 16h
pod/pangea-cluster-migrate-authn-pqnmx 0/1 Completed 0 16h
pod/pangea-cluster-migrate-authz-pds97 0/1 Completed 0 16h
pod/pangea-cluster-migrate-embargo-njpvz 0/1 Completed 0 10h
pod/pangea-cluster-migrate-gateway-pp568 0/1 Completed 0 16h
pod/pangea-cluster-migrate-puc-service-l9jxl 0/1 Completed 0 16h
pod/pangea-cluster-publish-ai-guard-5r9sp 0/1 Completed 0 16h
pod/pangea-cluster-publish-audit-q28cn 0/1 Completed 0 16h
pod/pangea-cluster-publish-authz-4vpm6 0/1 Completed 0 16h
pod/pangea-cluster-puc-service-7dc48cc55b-ggqg7 1/1 Running 0 16h
pod/postgres-0 1/1 Running 0 54m

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/pangea-cluster-access ClusterIP 172.20.233.4 <none> 8000/TCP,8001/TCP 16h
service/pangea-cluster-ai-guard ClusterIP 172.20.233.210 <none> 8000/TCP 16h
service/pangea-cluster-audit ClusterIP 172.20.190.129 <none> 8000/TCP 16h
service/pangea-cluster-authn ClusterIP 172.20.204.46 <none> 8000/TCP,8001/TCP 16h
service/pangea-cluster-authz ClusterIP 172.20.171.100 <none> 8000/TCP 16h
service/pangea-cluster-console ClusterIP 172.20.218.247 <none> 8000/TCP 16h
service/pangea-cluster-gateway ClusterIP 172.20.135.178 <none> 8000/TCP,8001/TCP 16h
service/pangea-cluster-puc-service ClusterIP 172.20.249.250 <none> 8000/TCP 16h
service/postgres ClusterIP 172.20.93.66 <none> 5432/TCP 9d

NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/pangea-cluster-access 1/1 1 1 16h
deployment.apps/pangea-cluster-ai-guard 1/1 1 1 16h
deployment.apps/pangea-cluster-audit 1/1 1 1 16h
deployment.apps/pangea-cluster-authn 1/1 1 1 16h
deployment.apps/pangea-cluster-authz 1/1 1 1 16h
deployment.apps/pangea-cluster-console 1/1 1 1 16h
deployment.apps/pangea-cluster-embargo 0/1 1 0 10h
deployment.apps/pangea-cluster-gateway 1/1 1 1 16h
deployment.apps/pangea-cluster-puc-service 1/1 1 1 16h

NAME DESIRED CURRENT READY AGE
replicaset.apps/pangea-cluster-access-585699db57 1 1 1 16h
replicaset.apps/pangea-cluster-ai-guard-b94f4f976 1 1 1 16h
replicaset.apps/pangea-cluster-audit-7dbdddd56 1 1 1 16h
replicaset.apps/pangea-cluster-authn-65d798984f 1 1 1 16h
replicaset.apps/pangea-cluster-authz-6fdfd647b9 1 1 1 16h
replicaset.apps/pangea-cluster-console-66fdf79c7b 1 1 1 16h
replicaset.apps/pangea-cluster-embargo-5654b6cfb8 1 1 0 10h
replicaset.apps/pangea-cluster-gateway-594df449bc 1 1 1 16h
replicaset.apps/pangea-cluster-puc-service-7dc48cc55b 1 1 1 16h

NAME READY AGE
statefulset.apps/postgres 1/1 9d

NAME STATUS COMPLETIONS DURATION AGE
job.batch/pangea-cluster-bootstrap-ui-authn Complete 1/1 10s 16h
job.batch/pangea-cluster-migrate-authn Complete 1/1 10s 16h
job.batch/pangea-cluster-migrate-authz Complete 1/1 9s 16h
job.batch/pangea-cluster-migrate-embargo Complete 1/1 19s 10h
job.batch/pangea-cluster-migrate-gateway Complete 1/1 10s 16h
job.batch/pangea-cluster-migrate-puc-service Complete 1/1 24s 16h
job.batch/pangea-cluster-publish-access Complete 1/1 5s 16h
job.batch/pangea-cluster-publish-ai-guard Complete 1/1 16s 16h
job.batch/pangea-cluster-publish-audit Complete 1/1 14s 16h
job.batch/pangea-cluster-publish-authz Complete 1/1 6s 16h
job.batch/pangea-cluster-publish-cluster Complete 1/1 55s 16h

NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE
persistentvolumeclaim/postgres-storage-postgres-0 Bound pvc-3d015ac1-aaa1-4673-b401-90330027f639 1Gi RWO pangea-ephemeral <unset> 9d

NAME TYPE DATA AGE
secret/db-secret Opaque 2 10d
secret/pangea-cluster-access-access-s2stoken Opaque 1 16h
secret/pangea-cluster-access-authn-s2stoken Opaque 1 16h
secret/pangea-cluster-access-authz-s2stoken Opaque 1 16h
secret/pangea-cluster-access-vault-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-audit-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-domain-intel-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-ip-intel-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-prompt-guard-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-redact-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-url-intel-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-user-intel-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-vault-s2stoken Opaque 1 16h
secret/pangea-cluster-audit-bmservice-s2stoken Opaque 1 16h
secret/pangea-cluster-audit-redact-s2stoken Opaque 2 16h
secret/pangea-cluster-audit-vault-s2stoken Opaque 1 16h
secret/pangea-cluster-authn-secrets Opaque 5 16h
secret/pangea-cluster-authz-audit-s2stoken Opaque 2 16h
secret/pangea-cluster-gateway-bmservice-s2stoken Opaque 1 16h
secret/pangea-cluster-gateway-route-token Opaque 1 16h
secret/pangea-cluster-org-config-token Opaque 1 16h
secret/pangea-cluster-tls-2f9c4 Opaque 1 16h
secret/pangea-registry kubernetes.io/dockerconfigjson 1 10d

Common issues and resolutions

Issue - Resolution

  • Pending pod status - Verify that the PostgreSQL database is running and reachable.
  • CrashLoopBackOff pod status - Check the database configuration and credentials.
  • Image pull failures - Ensure your Pangea registry secret is correctly configured and present in the namespace.
  • Unauthorized (403) API response - Confirm that you are using a valid and correctly scoped API token.

Report issues

If you encounter deployment or service health issues that you cannot resolve, contact Pangea Support for assistance.

Next steps

Configure ingress

The steps above let you quickly deploy and test Pangea services in your environment. To make your environment accessible, configure an ingress controller. For production deployments, ensure ingress is terminated with TLS.

Configure services and access their APIs

Your Pangea User Console provides an intuitive interface for configuring services and managing access. It includes contextual links to related documentation, which you can access directly if needed:

  • Services - Explore how to configure Pangea services and use them to implement security guardrails in your applications.
  • APIs - Access interactive reference documentation for service and management APIs.
  • SDKs - Reference guides for integrating Pangea SDKs into your applications.

Implement guardrails in your applications

The Integration Options guide outlines patterns for implementing AI security guardrails using Pangea services. These include integrations through API gateways and AI frameworks, with SDKs and direct API calls available when needed.

Uninstall Private Cloud

Delete Pangea Cluster

Delete PangeaCluster resources
kubectl delete PangeaCluster pangea-cluster --namespace pangea-private-cloud
Delete Pangea registry secret from the cluster namespace
kubectl delete secret pangea-registry --namespace pangea-private-cloud

Uninstall Private Cloud operator

Uninstall the operator
helm uninstall pangea-cluster-operator --namespace pangea-private-cloud-operator
Delete the Pangea registry secret from the operator namespace
kubectl delete secret pangea-registry --namespace pangea-private-cloud-operator

Delete database resources

For example:

Remove the PostgreSQL deployment and associated resources
kubectl delete statefulsets.apps postgres --namespace pangea-private-cloud
kubectl delete services postgres --namespace pangea-private-cloud
kubectl delete persistentvolumeclaims postgres-storage-postgres-0 --namespace pangea-private-cloud
kubectl delete configmap postgres-initdb --namespace pangea-private-cloud
Delete the database credentials secret
kubectl delete secret db-secret --namespace pangea-private-cloud

Delete namespaces

Delete Pangea Private Cloud namespace
kubectl delete namespace pangea-private-cloud
Delete operator namespace
kubectl delete namespace pangea-private-cloud-operator
note

Deleting Pangea resources from the cluster does not remove external persistent data. This includes audit logs stored in S3, database snapshots, and any other infrastructure managed outside of Kubernetes. Make sure to manually delete or archive this data if required.
