Deepfactor's Application Security Platform will no longer be offered for sale or renewal effective September 20, 2024.

Deploy Deepfactor Portal With Resource Limits

The Deepfactor portal runs multiple microservices as pods in the Kubernetes cluster. We provide the flexibility of updating the resource limits and HPA configuration for each of these pods. However, for most use cases, you will not need to change these values. If you are running larger workloads, please refer to the following section:

Resource limits and hpa config for larger workloads

Resource limits configuration

The following section provides the resource limits configuration for all the Deepfactor portal pods. As mentioned above, the default limits should work for most common workloads. In order to modify the resource limits, please follow the steps outlined below:

1. Create resource.yaml file

Please edit the resource limits as appropriate for your load and infrastructure.

apisvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 250Mi
        cpu: 200m
      limits:
        memory: 500Mi
        cpu: 500m

alertstreamsvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 500Mi
        cpu: 1
      limits:
        memory: 1Gi
        cpu: 2

authsvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 50Mi
        cpu: 25m
      limits:
        memory: 100Mi
        cpu: 50m

eventsvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 150Mi
        cpu: 250m
      limits:
        memory: 250Mi
        cpu: 500m

notificationsvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 50Mi
        cpu: 150m
      limits:
        memory: 250Mi
        cpu: 500m

persistentsvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 250Mi
        cpu: 250m
      limits:
        memory: 500Mi
        cpu: 500m

proxysvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 100Mi
        cpu: 50m
      limits:
        memory: 200Mi
        cpu: 100m

symbolsvc:
  containers:
    resources:
      requests:
        memory: 250Mi
        cpu: 250m
      limits:
        memory: 500Mi
        cpu: 2

statussvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m

dfstartup:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m

policyctl:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 500Mi
        cpu: 250m
      limits:
        memory: 500Mi
        cpu: 250m

ttlctl:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m

nginx:
  opa:
    resources:
      requests:
        memory: 250Mi
        cpu: 250m
      limits:
        memory: 400Mi
        cpu: 500m
  containers:
    resources:
      requests:
        memory: 250Mi
        cpu: 250m
      limits:
        memory: 1Gi
        cpu: 1


frontend:
  containers:
    resources:
      requests:
        memory: 250Mi
        cpu: 250m
      limits:
        memory: 1Gi
        cpu: 1

webappsvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 500Mi
        cpu: 250m
      limits:
        memory: 1Gi
        cpu: 500m

archivestore:
  containers:
    resources:
      requests:
        memory: 100Mi
        cpu: 50m
      limits:
        memory: 200Mi
        cpu: 100m

clickhouse:
  storage:
    className: gp2
    requests: 300Gi
  containers:
    resources:
      requests:
        memory: 1Gi
        cpu: 1
      limits:
        memory: 8Gi
        cpu: 4

postgres:
  storage:
    className: gp2
    requests: 100Gi
  containers:
    resources:
      requests:
        memory: 1Gi
        cpu: 1
      limits:
        memory: 8Gi
        cpu: 4

updatersvc:
  containers:
    resources:
      requests:
        memory: 50Mi
        cpu: 50m
      limits:
        memory: 100Mi
        cpu: 100m

cert-manager:
  resources:
    requests:
      cpu: 50m
      memory: 50Mi
    limits:
      cpu: 100m
      memory: 200Mi
  webhook:
    resources:
      requests:
        cpu: 50m
        memory: 50Mi
      limits:
        cpu: 100m
        memory: 200Mi
  startupapicheck:
    resources:
      requests:
        cpu: 25m
        memory: 25Mi
      limits:
        cpu: 50m
        memory: 100Mi
  cainjector:
    resources:
      requests:
        cpu: 50m
        memory: 50Mi
      limits:
        cpu: 100m
        memory: 200Mi


migrationsvc:
  initContainers:
    wait:
      resources:
        requests:
          memory: 25Mi
          cpu: 25m
        limits:
          memory: 50Mi
          cpu: 50m
  containers:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m

jobCleanup:
  containers:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m

nats:
  bootconfig:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m
  nats:
    resources:
      requests:
        memory: 2Gi
        cpu: 2
      limits:
        memory: 4Gi
        cpu: 4
  reloader:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m
  exporter:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m
  natsbox:
    resources:
      requests:
        memory: 25Mi
        cpu: 25m
      limits:
        memory: 50Mi
        cpu: 50m

 

2. Pass the above resource.yaml file to the helm install/upgrade command

helm install df-stable deepfactor/deepfactor -n deepfactor \
  -f override.yaml \
  -f resource.yaml \
  --set dfstartup.config.password=YOUR_PORTAL_PASSWORD \
  --set dfstartup.config.portalToken="YOUR_DEEPFACTOR_LICENSE_KEY_FROM_MY.DEEPFACTOR.IO" \
  --set clusterName=CLUSTER_NAME_OF_YOUR_CHOICE
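
A pre-flight check for an edited resource.yaml, as an added example that is not part of the Deepfactor documentation: it flags every resources block whose request exceeds its limit (Kubernetes rejects such a pod spec) or that has no CPU or memory limit. The function names, the small parser for the comment-free "key: value" subset of YAML that the file uses, and the sample input are assumptions made for this example.

```python
import re

SAMPLE = """\
apisvc:
  containers:
    resources:
      requests:
        memory: 1Gi
      limits:
        memory: 500Mi
"""  # constructed input in the shape of resource.yaml, chosen to trip both checks
UNITS = {"m": 1e-3, "": 1, "k": 1e3, "M": 1e6, "G": 1e9, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def quantity(text):
    """Convert a Kubernetes quantity such as 250m, 2 or 1Gi to a number."""
    m = re.fullmatch(r"([0-9.]+)([A-Za-z]*)", text)
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unsupported quantity: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def parse_mapping(text):
    """Parse the nested 'key: value' YAML subset that resource.yaml uses."""
    stack = [(-1, {})]  # (indent, mapping) per open block; stack[0] is the root
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip())
        key, _, value = (part.strip() for part in line.partition(":"))
        while stack[-1][0] >= indent:
            stack.pop()
        child = stack[-1][1][key] = value or {}
        if not value:
            stack.append((indent, child))
    return stack[0][1]

def check(node, path=""):
    """List resources blocks that lack a limit or request more than the limit."""
    findings = []
    for key, child in node.items():
        if key == "resources" and isinstance(child, dict):
            req, lim = child.get("requests", {}), child.get("limits", {})
            for res in ("cpu", "memory"):
                if res not in lim:
                    findings.append(f"{path}: no {res} limit")
                elif res in req and quantity(req[res]) > quantity(lim[res]):
                    findings.append(f"{path}: {res} request exceeds limit")
        elif isinstance(child, dict):
            findings += check(child, f"{path}.{key}".lstrip("."))
    return findings

if __name__ == "__main__":
    print("\n".join(check(parse_mapping(SAMPLE))) or "no findings")
```

To check a real file, pass its contents to parse_mapping in place of SAMPLE; an empty result means every block has both limits and no request above its limit.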

Resource limits and hpa config for larger workloads

If you are running larger workloads, we recommend updating the resource limits and HPA configuration as shown in the YAML below. We arrived at this configuration by measuring the average and peak CPU/memory utilization for larger workloads in our labs.

hpa:
  enabled: true
  
apisvc:
  replicas: 2

alertstreamsvc:
  replicas: 2

eventsvc:
  replicas: 2

persistentsvc:
  replicas: 2
  
clickhouse:
  containers:
    resources:
      requests:
        memory: 8Gi
        cpu: 2
      limits:
        memory: 16Gi
        cpu: 4
        
postgres:
  containers:
    resources:
      requests:
        memory: 4Gi
        cpu: 1
      limits:
        memory: 8Gi
        cpu: 4
        
nats:
  nats:
    resources:
      requests:
        memory: 4Gi
        cpu: 2
      limits:
        memory: 8Gi
        cpu: 4
    jetstream:
      memStorage:
        size: 2Gi
Updated on December 13, 2023