Private Cloud Installation (AWS)
This guide walks you through the installation of Pangea Private Cloud services, enabling you to run Pangea AI security solutions within your cloud environment.
Overview of Pangea Private Cloud installation process
- Install the Pangea Private Cloud Operator using Helm.
- Deploy a PostgreSQL database for service data.
- Install the PangeaCluster resource to deploy Pangea services and UI.
- Verify that all services are running and healthy.
- Update the deployment to enable additional services as needed.
- Monitor, scale, and maintain the deployment.
Install Pangea Cluster Operator
Pangea services are deployed and managed using the Pangea Private Cloud Operator.
The operator includes a Custom Resource Definition (CRD) for the PangeaCluster resource, automating the installation, configuration, scaling, and lifecycle management of Pangea services within your Kubernetes cluster.
Set up namespace
Create a dedicated namespace for the operator. Optionally, you can set this namespace as the default for your current context.
kubectl create namespace pangea-private-cloud-operator
kubectl config set-context --current --namespace pangea-private-cloud-operator
Create Kubernetes secret for Pangea registry
Use your Pangea's private OCI registry credentials to create a Kubernetes secret for pulling Docker images. For example:
export PANGEA_REGISTRY_USERNAME="psa_txznaa...yi34is"
export PANGEA_REGISTRY_PASSWORD="pck_ol74sv...74d44p"
kubectl create secret docker-registry pangea-registry \
--docker-server="registry.pangea.cloud" \
--docker-username="$PANGEA_REGISTRY_USERNAME" \
--docker-password="$PANGEA_REGISTRY_PASSWORD" \
--namespace pangea-private-cloud-operator \
--dry-run=client -o yaml | kubectl apply -f -
Install operator
-
Install the Pangea Private Cloud Operator in its namespace using a Helm chart from the Pangea registry.
Sign in to the Pangea registryhelm registry login registry.pangea.cloud \
--username "$PANGEA_REGISTRY_USERNAME" \
--password-stdin <<< "$PANGEA_REGISTRY_PASSWORD" -
Create a custom Helm values file and specify the image pull secret for the Pangea registry.
my-values.yamlimage:
imagePullSecrets:
- name: pangea-registry -
Get the latest version of the Pangea Private Cloud Operator Helm chart from the Pangea registry.
Concatenate the client ID and client secret with a colon (
:) and base64 encode the result to authorize your request.tipOn a Linux-based system, you can use the
base64utility to encode the client credentials:Use HTTP Basic authentication scheme for authenticating a clientexport PANGEA_REGISTRY_CREDENTIAL=$(echo -n $PANGEA_REGISTRY_USERNAME:$PANGEA_REGISTRY_PASSWORD | base64)Get latest version of the Pangea Private Cloud Operator Helm chartcurl --location 'https://registry.pangea.cloud/v2/private-cloud/charts/tags/list' \
--header "Authorization: Basic $PANGEA_REGISTRY_CREDENTIAL"Example output{
"name": "private-cloud/charts",
"tags": [
"0.8.10",
"0.8.6",
"0.8.7",
"0.8.8",
"0.8.9"
]
}Set the desired operator versionexport PANGEA_PRIVATE_CLOUD_OPERATOR_VERSION="<pangea-private-cloud-operator-version>" -
Install the operator using Helm, referencing your custom values file and specifying the desired version of the operator.
Install Pangea Private Cloud Operatorhelm install pangea-cluster-operator \
oci://registry.pangea.cloud/private-cloud/charts \
--values "my-values.yaml" \
--namespace pangea-private-cloud-operator \
--version $PANGEA_PRIVATE_CLOUD_OPERATOR_VERSIONVerify operator installationkubectl get all --namespace pangea-private-cloud-operatorExample outputNAME READY STATUS RESTARTS AGE
pod/pangea-cluster-operator-controller-5676f8894-4f2z8 1/1 Running 0 79s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/pangea-cluster-operator-controller-manager-metrics-service ClusterIP 172.20.99.156 <none> 8443/TCP 79s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/pangea-cluster-operator-controller 1/1 1 1 79s
NAME DESIRED CURRENT READY AGE
replicaset.apps/pangea-cluster-operator-controller-5676f8894 1 1 1 79s
Deploy Pangea services
After installing the operator, deploy Pangea services and UI by creating a PangeaCluster resource.
Set up namespace
Create a dedicated namespace for your Pangea Private Cloud deployment. Optionally, you can set this namespace as the default for your current context.
kubectl create namespace pangea-private-cloud
kubectl config set-context --current --namespace pangea-private-cloud
Create Kubernetes secret for Pangea registry
Use your Pangea's private OCI registry credentials to create a Kubernetes secret for pulling Docker images. For example:
export PANGEA_REGISTRY_USERNAME="psa_txznaa...yi34is"
export PANGEA_REGISTRY_PASSWORD="pck_ol74sv...74d44p"
kubectl create secret docker-registry pangea-registry \
--docker-server="registry.pangea.cloud" \
--docker-username="$PANGEA_REGISTRY_USERNAME" \
--docker-password="$PANGEA_REGISTRY_PASSWORD" \
--namespace pangea-private-cloud \
--dry-run=client -o yaml | kubectl apply -f -
Deploy database
Pangea services require a PostgreSQL database to store user data, authentication records, authorization policies, and other service-related information.
The example below shows a sample PostgreSQL deployment configuration.
export DB_USERNAME="pangea_user"
export DB_PASSWORD="pangea_user"
kubectl create secret generic db-secret \
--from-literal=username="$DB_USERNAME" \
--from-literal=password="$DB_PASSWORD" \
--namespace pangea-private-cloud
Before deploying PostgreSQL, ensure your cluster has a valid StorageClass that supports the ReadWriteOnce (RWO) access mode, and that it is referenced in the storageClassName field of your manifest.
apiVersion: v1
kind: ConfigMap
metadata:
name: postgres-initdb
namespace: pangea-private-cloud
data:
init-databases.sql: |
CREATE DATABASE authn OWNER pangea_user;
CREATE DATABASE authz OWNER pangea_user;
CREATE DATABASE embargo OWNER pangea_user;
CREATE DATABASE msf OWNER pangea_user;
CREATE DATABASE gateway OWNER pangea_user;
CREATE DATABASE hotpg OWNER pangea_user;
CREATE DATABASE puc OWNER pangea_user;
CREATE DATABASE bmserviceglobal OWNER pangea_user;
CREATE DATABASE vault OWNER pangea_user;
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgres
namespace: pangea-private-cloud
spec:
serviceName: postgres
replicas: 1
selector:
matchLabels:
app: postgres
template:
metadata:
labels:
app: postgres
spec:
initContainers:
- name: init-postgres-storage
image: busybox:1.35
command: ["sh", "-c"]
args:
- |
echo "Checking PVC mount..."
if [ ! -d /var/lib/postgresql ]; then
echo "ERROR: PVC not mounted at /var/lib/postgresql"
exit 1
fi
echo "Creating pgdata directory if needed..."
mkdir -p /var/lib/postgresql/pgdata
chown 999:999 /var/lib/postgresql/pgdata
echo "PVC ready!"
volumeMounts:
- name: postgres-storage
mountPath: /var/lib/postgresql
containers:
- name: postgres
image: docker.io/pgvector/pgvector:pg16
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: db-secret
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: db-secret
key: password
- name: PGDATA
value: /var/lib/postgresql/pgdata
- name: POSTGRES_INITDB_ARGS
value: "-c max_connections=1024 -c idle_in_transaction_session_timeout=300000 -c statement_timeout=600000"
ports:
- containerPort: 5432
readinessProbe:
exec:
command:
- /bin/sh
- -c
- pg_isready -U $POSTGRES_USER -d postgres
initialDelaySeconds: 15
periodSeconds: 5
livenessProbe:
exec:
command:
- /bin/sh
- -c
- pg_isready -U $POSTGRES_USER -d postgres
initialDelaySeconds: 45
periodSeconds: 10
volumeMounts:
- name: postgres-storage
mountPath: /var/lib/postgresql
- name: initdb
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: initdb
configMap:
name: postgres-initdb
volumeClaimTemplates:
- metadata:
name: postgres-storage
spec:
storageClassName: <storage-class-name>
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: postgres
namespace: pangea-private-cloud
spec:
type: ClusterIP
ports:
- port: 5432
targetPort: 5432
selector:
app: postgres
kubectl apply --filename postgres.yaml --namespace pangea-private-cloud
Configure S3 access
Some Pangea services require file storage access for audit logs and large payloads. Create an S3 bucket and configure access for the pods that need it.
Required S3 permissions:
s3:ListBucketon the bucket ARNs3:GetObject,s3:PutObject,s3:DeleteObjecton bucket objects
After configuring pods to use a Kubernetes ServiceAccount associated with an IAM role that has S3 access (using Pod Identity or IRSA ), reference the ServiceAccount in your PangeaCluster:
...
spec:
...
common:
...
csp:
bucket_name: <bucket-name>
services:
...
gateway:
enabled: true
serviceAccountName: <service-account-name>
audit:
enabled: true
database:
name: hotpg
serviceAccountName: <service-account-name>
A complete example of a PangeaCluster manifest is provided below.
Deploy PangeaCluster
Create a PangeaCluster custom resource to define and deploy Pangea services and the UI.
Required services are enabled by default, and you can configure additional services based on your use case.
Required services
-
authn- AuthN enables user and service-to-service authentication. -
gateway- Acts as the entry point for requests, routing them to the appropriate services. -
access- Manages access control to platform resources. -
authz- AuthZ provides authorization services to determine whether a user or system can perform specific actions. -
bmservice- Manages metering for usage tracking. -
puc-service- Powers service configuration through the Pangea User Console (PUC). -
console- Hosts the Pangea User Console, providing a UI for managing and monitoring services. -
vault- Vault securely stores and manages secrets, tokens, and encryption keys, and provides API-based access to them. -
audit- Secure Audit Log records a tamperproof audit trail of application and service events.noteSecure Audit Log integrates with other services to provide Activity Log functionality. The following services have Activity Log enabled by default:
Additional services
The following security services can be added to Private Cloud deployments:
ai-guard- AI Guard protects data and interactions with LLMs by blocking malicious prompts and safeguarding sensitive information.prompt-guard- Prompt Guard detects prompt injection and jailbreak attempts in AI applications. This service integrates with AI Guard.redact- Redact removes sensitive information such as PII and confidential data from text. This service integrates with AI Guard.embargo- Embargo restricts access to resources based on country or region.intelligence- Detects malicious entities and data using threat intelligence feeds from major providers:
Example PangeaCluster manifest
Define the Pangea services for your Private Cloud deployment in the services field of the PangeaCluster manifest.
The example below shows a configuration for deploying services that secure AI-powered application flows.
Before you proceed, replace the following placeholders:
<pangea-private-cloud-operator-version>- Version of the Pangea Private Cloud Operator you installed<bucket-name>- Name of your S3 bucket<service-account-name>- ServiceAccount with S3 access permissions
apiVersion: cluster.pangea.cloud/v1beta1
kind: PangeaCluster
metadata:
name: pangea-cluster
namespace: pangea-private-cloud
labels:
reconcile: "true"
spec:
version: <pangea-private-cloud-operator-version>
common:
image:
registry: registry.pangea.cloud
tag: <pangea-private-cloud-operator-version>
database:
host: postgres.pangea-private-cloud.svc.cluster.local
port: 5432
name: msf
auth:
usernameSecretRef:
name: db-secret
key: username
passwordSecretRef:
name: db-secret
key: password
csp:
bucket_name: <bucket-name>
imagePullSecrets:
- name: pangea-registry
services:
authn:
enabled: true
gateway:
enabled: true
serviceAccountName: <service-account-name>
access:
enabled: true
authz:
enabled: true
bmservice:
enabled: true
puc-service:
enabled: true
database:
name: puc
console:
enabled: true
vault:
enabled: true
audit:
enabled: true
database:
name: hotpg
serviceAccountName: <service-account-name>
ai-guard:
enabled: true
resources:
limits:
cpu: 750m
memory: 7Gi
requests:
cpu: 250m
memory: 5Gi
startupProbe:
initialDelaySeconds: 1
failureThreshold: 30
periodSeconds: 20
successThreshold: 1
timeoutSeconds: 1
prompt-guard:
enabled: true
resources:
limits:
cpu: 1000m
memory: 7Gi
requests:
cpu: 1000m
memory: 5Gi
startupProbe:
initialDelaySeconds: 1
failureThreshold: 30
periodSeconds: 20
successThreshold: 1
timeoutSeconds: 1
redact:
enabled: true
resources:
limits:
cpu: 1000m
memory: 6Gi
requests:
cpu: 1000m
memory: 3Gi
startupProbe:
initialDelaySeconds: 1
failureThreshold: 30
periodSeconds: 20
successThreshold: 1
timeoutSeconds: 1
kubectl apply --filename pangea-cluster.yaml
AI Guard, Prompt Guard, and Redact are resource-intensive services that may require special configuration for reliable performance. These services support AI security use cases and typically require higher CPU and memory allocations than other Pangea services.
Updating PangeaCluster deployment
To add services to an existing deployment, update the services field in the PangeaCluster manifest and reapply the configuration.
...
services:
...
embargo:
enabled: true
intelligence:
enabled: true
kubectl apply -f pangea-cluster.yaml
Verify deployment
Use Pangea support tool
Check the health of your deployment using the Pangea support tool:
-
Download the script and make it executable.
curl -sS https://registry.pangea.cloud/help.sh > help.sh
chmod 755 help.sh -
Verify the script's integrity using the checksum provided by Pangea.
Example checksum fileb3ee79308adacca97fd03b43c59d7d926d1fddec96dc41a97025496972e52f0e help.shVerify the script's integrity using the checksum received from Pangeasha256sum --check help.sh.sha256 -
If the output is
help.sh: OK, run the tool.Execute the Pangea support tool./help.sh
To run the support tool without verification, you can pipe the script directly into your shell:
curl -sS https://registry.pangea.cloud/help.sh | sh
The script lists operators, clusters, databases, statuses, and service‑health details.
k8s context : arn:aws:eks:us-west-2:180197846871:cluster/dev
tool version : 0.1.3
==
OPERATORS
=========
deploy/pangea-cluster-operator-controller in pangea-private-cloud-operator
wants 1 replica(s)
controller-manager registry.pangea.cloud/private-cloud/operator:0.8.10 Always
has
pod/pangea-cluster-operator-controller-576d95759d-qw9kp
registry.pangea.cloud/private-cloud/operator:0.8.10 / registry.pangea.cloud/private-cloud/operator@sha256:aa157e727536f9bb0c47a9de7412dc11ba5cccd4256d1b5736c95180aaca3683
CLUSTERS
========
crd/pangeaclusters.cluster.pangea.cloud:
pangea-cluster in pangea-private-cloud
database
user db-secret/username
pass db-secret/password
postgres.pangea-private-cloud.svc.cluster.local:5432/msf
status: : poi_iyqafy...sfbshq Ready
service images : registry.pangea.cloud 0.8.10
version : 0.8.10
services
access okay
ai-guard okay
audit okay
authn okay
authz okay
bmservice okay
gateway okay
prompt-guard okay
puc-service okay
redact okay
vault okay
If you see any issues with the deployment or service health, proceed to the Troubleshooting section.
Open admin console
To access the Pangea User Console and service APIs, forward a local port to the pangea-cluster-console service.
Both the UI and API traffic are routed through this gateway endpoint.
kubectl port-forward services/pangea-cluster-console 8000:8000 --namespace pangea-private-cloud
Open your browser and navigate to http://localhost:8000 . When prompted, sign up and create your organization and first project.
On the Console home page, click a service in the left-hand navigation to activate it. Follow the prompts and accept the default settings for quick setup.
On the service Overview page, note the configuration details, including the default token. You can use this information to test the service APIs.
Try service APIs
The example below shows how to use the Secure Audit Log service to capture application events.
export PANGEA_AUDIT_TOKEN="pts_zabthp...hteya3"
curl -sSLX POST 'localhost:8000/api/audit/v1/log' \
-H "Authorization: Bearer $PANGEA_AUDIT_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"event": {
"message": "I am a test log message"
}
}'
{
"request_id": "prq_5xjv6u6ayd3hux64vcuj5f4b6cyfhwmg",
"status": "Success",
"summary": "Logged 1 record(s)",
"result": {
"hash": "8ab152cf05f5f722b8ca6ca84b35e70abc0e010ca059ef428c2914c1eda27ec2"
},
...
}
You can view the logged event in the Pangea User Console under View Logs on the Secure Audit Log service page.
Troubleshooting
Check status of PangeaCluster resources
kubectl get all,pvc,secrets --namespace pangea-private-cloud
kubectl get all,pvc,secrets
NAME READY STATUS RESTARTS AGE
pod/pangea-cluster-access-585699db57-zcct6 1/1 Running 0 16h
pod/pangea-cluster-ai-guard-b94f4f976-rkbjz 1/1 Running 0 16h
pod/pangea-cluster-audit-7dbdddd56-l4pjc 1/1 Running 0 16h
pod/pangea-cluster-authn-65d798984f-4bnnw 1/1 Running 0 16h
pod/pangea-cluster-authz-6fdfd647b9-vwhtn 1/1 Running 0 16h
pod/pangea-cluster-bootstrap-ui-authn-h9mm7 0/1 Completed 0 16h
pod/pangea-cluster-console-66fdf79c7b-jljzw 1/1 Running 0 16h
pod/pangea-cluster-embargo-5654b6cfb8-twrgj 0/1 CrashLoopBackOff 128 (3m13s ago) 10h
pod/pangea-cluster-gateway-594df449bc-fl5c6 1/1 Running 0 16h
pod/pangea-cluster-migrate-authn-pqnmx 0/1 Completed 0 16h
pod/pangea-cluster-migrate-authz-pds97 0/1 Completed 0 16h
pod/pangea-cluster-migrate-embargo-njpvz 0/1 Completed 0 10h
pod/pangea-cluster-migrate-gateway-pp568 0/1 Completed 0 16h
pod/pangea-cluster-migrate-puc-service-l9jxl 0/1 Completed 0 16h
pod/pangea-cluster-publish-ai-guard-5r9sp 0/1 Completed 0 16h
pod/pangea-cluster-publish-audit-q28cn 0/1 Completed 0 16h
pod/pangea-cluster-publish-authz-4vpm6 0/1 Completed 0 16h
pod/pangea-cluster-puc-service-7dc48cc55b-ggqg7 1/1 Running 0 16h
pod/postgres-0 1/1 Running 0 54m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/pangea-cluster-access ClusterIP 172.20.233.4 <none> 8000/TCP,8001/TCP 16h
service/pangea-cluster-ai-guard ClusterIP 172.20.233.210 <none> 8000/TCP 16h
service/pangea-cluster-audit ClusterIP 172.20.190.129 <none> 8000/TCP 16h
service/pangea-cluster-authn ClusterIP 172.20.204.46 <none> 8000/TCP,8001/TCP 16h
service/pangea-cluster-authz ClusterIP 172.20.171.100 <none> 8000/TCP 16h
service/pangea-cluster-console ClusterIP 172.20.218.247 <none> 8000/TCP 16h
service/pangea-cluster-gateway ClusterIP 172.20.135.178 <none> 8000/TCP,8001/TCP 16h
service/pangea-cluster-puc-service ClusterIP 172.20.249.250 <none> 8000/TCP 16h
service/postgres ClusterIP 172.20.93.66 <none> 5432/TCP 9d
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/pangea-cluster-access 1/1 1 1 16h
deployment.apps/pangea-cluster-ai-guard 1/1 1 1 16h
deployment.apps/pangea-cluster-audit 1/1 1 1 16h
deployment.apps/pangea-cluster-authn 1/1 1 1 16h
deployment.apps/pangea-cluster-authz 1/1 1 1 16h
deployment.apps/pangea-cluster-console 1/1 1 1 16h
deployment.apps/pangea-cluster-embargo 0/1 1 0 10h
deployment.apps/pangea-cluster-gateway 1/1 1 1 16h
deployment.apps/pangea-cluster-puc-service 1/1 1 1 16h
NAME DESIRED CURRENT READY AGE
replicaset.apps/pangea-cluster-access-585699db57 1 1 1 16h
replicaset.apps/pangea-cluster-ai-guard-b94f4f976 1 1 1 16h
replicaset.apps/pangea-cluster-audit-7dbdddd56 1 1 1 16h
replicaset.apps/pangea-cluster-authn-65d798984f 1 1 1 16h
replicaset.apps/pangea-cluster-authz-6fdfd647b9 1 1 1 16h
replicaset.apps/pangea-cluster-console-66fdf79c7b 1 1 1 16h
replicaset.apps/pangea-cluster-embargo-5654b6cfb8 1 1 0 10h
replicaset.apps/pangea-cluster-gateway-594df449bc 1 1 1 16h
replicaset.apps/pangea-cluster-puc-service-7dc48cc55b 1 1 1 16h
NAME READY AGE
statefulset.apps/postgres 1/1 9d
NAME STATUS COMPLETIONS DURATION AGE
job.batch/pangea-cluster-bootstrap-ui-authn Complete 1/1 10s 16h
job.batch/pangea-cluster-migrate-authn Complete 1/1 10s 16h
job.batch/pangea-cluster-migrate-authz Complete 1/1 9s 16h
job.batch/pangea-cluster-migrate-embargo Complete 1/1 19s 10h
job.batch/pangea-cluster-migrate-gateway Complete 1/1 10s 16h
job.batch/pangea-cluster-migrate-puc-service Complete 1/1 24s 16h
job.batch/pangea-cluster-publish-access Complete 1/1 5s 16h
job.batch/pangea-cluster-publish-ai-guard Complete 1/1 16s 16h
job.batch/pangea-cluster-publish-audit Complete 1/1 14s 16h
job.batch/pangea-cluster-publish-authz Complete 1/1 6s 16h
job.batch/pangea-cluster-publish-cluster Complete 1/1 55s 16h
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE
persistentvolumeclaim/postgres-storage-postgres-0 Bound pvc-3d015ac1-aaa1-4673-b401-90330027f639 1Gi RWO pangea-ephemeral <unset> 9d
NAME TYPE DATA AGE
secret/db-secret Opaque 2 10d
secret/pangea-cluster-access-access-s2stoken Opaque 1 16h
secret/pangea-cluster-access-authn-s2stoken Opaque 1 16h
secret/pangea-cluster-access-authz-s2stoken Opaque 1 16h
secret/pangea-cluster-access-vault-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-audit-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-domain-intel-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-ip-intel-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-prompt-guard-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-redact-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-url-intel-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-user-intel-s2stoken Opaque 1 16h
secret/pangea-cluster-ai-guard-vault-s2stoken Opaque 1 16h
secret/pangea-cluster-audit-bmservice-s2stoken Opaque 1 16h
secret/pangea-cluster-audit-redact-s2stoken Opaque 2 16h
secret/pangea-cluster-audit-vault-s2stoken Opaque 1 16h
secret/pangea-cluster-authn-secrets Opaque 5 16h
secret/pangea-cluster-authz-audit-s2stoken Opaque 2 16h
secret/pangea-cluster-gateway-bmservice-s2stoken Opaque 1 16h
secret/pangea-cluster-gateway-route-token Opaque 1 16h
secret/pangea-cluster-org-config-token Opaque 1 16h
secret/pangea-cluster-tls-2f9c4 Opaque 1 16h
secret/pangea-registry kubernetes.io/dockerconfigjson 1 10d
Common issues and resolutions
| Issue | Resolution |
|---|---|
Pending pod status | Verify that the PostgreSQL database is running and reachable. |
CrashLoopBackOff pod status | Check the database configuration and credentials. |
| Image pull failures | Ensure your Pangea registry secret is correctly configured and present in the namespace. |
Unauthorized (403) API response | Confirm that you are using a valid and correctly scoped API token. |
Report issues
If you encounter deployment or service health issues that you cannot resolve, contact Pangea Support for assistance.
Next steps
Configure ingress
The steps above let you quickly deploy and test Pangea services in your environment. To make your environment accessible, configure an ingress controller. For production deployments, ensure ingress is terminated with TLS.
Configure services and access their APIs
Your Pangea User Console provides an intuitive interface for configuring services and managing access. It includes contextual links to related documentation, which you can access directly if needed:
- Admin Guide - Learn how to configure a Pangea project and manage service access.
- Services - Explore how to configure Pangea services and use them to implement security guardrails in your applications.
- APIs - Access interactive reference documentation for service and management APIs.
- SDKs - Reference guides for integrating Pangea SDKs into your applications.
Implement guardrails in your applications
The Integration Options guide outlines patterns for implementing AI security guardrails using Pangea services. These include integrations through API gateways and AI frameworks, with SDKs and direct API calls available when needed.
Uninstall Private Cloud
Delete Pangea Cluster
kubectl delete PangeaCluster pangea-cluster --namespace pangea-private-cloud
kubectl delete secret pangea-registry --namespace pangea-private-cloud
Uninstall Private Cloud operator
helm uninstall pangea-cluster-operator --namespace pangea-private-cloud-operator
kubectl delete secret pangea-registry --namespace pangea-private-cloud-operator
Delete database resources
For example:
kubectl delete statefulsets.apps postgres --namespace pangea-private-cloud
kubectl delete services postgres --namespace pangea-private-cloud
kubectl delete persistentvolumeclaims postgres-storage-postgres-0 --namespace pangea-private-cloud
kubectl delete configmap postgres-initdb --namespace pangea-private-cloud
kubectl delete secret db-secret --namespace pangea-private-cloud
Delete namespaces
kubectl delete namespace pangea-private-cloud
kubectl delete namespace pangea-private-cloud-operator
Deleting Pangea resources from the cluster does not remove external persistent data. This includes audit logs stored in S3, database snapshots, and any other infrastructure managed outside of Kubernetes. Make sure to manually delete or archive this data if required.
Was this article helpful?