Search K
Appearance
Install F5 AI Security using Helm
Use this guide to install the F5 AI Security Operator on a Kubernetes cluster using Helm.
Before you begin
Before you begin, ensure you have:
- Kubernetes cluster: A running cluster with
kubectlconfigured and access to the target namespace. - Helm 3: Helm 3 installed and configured. Run
helm versionto verify. - Harbor registry credentials: A username and password to access
harbor.calypsoai.app. Contact your F5 team if you don't have these. For background on how Harbor manages registry authentication, see the Harbor documentation. - PostgreSQL database: An external PostgreSQL instance with a hostname and admin password. F5 recommends using an external database in production.
- F5 AI Security license: A valid license string obtained from your F5 team. Your license must cover the specific products you plan to deploy -- Guardrails, Red Team, or both. Contact your F5 team to confirm your license entitlements before enabling inference models.
Overview
Use this guide to install the F5 AI Security Operator on-premises using Helm. The operator manages AI Security platform components -- including the moderator, job manager, and inference services -- through a Kubernetes custom resource. By the end of this guide, you'll have a running operator and a configured SecurityOperator custom resource connected to your external database.
Gather required artifacts
Log in to the Harbor registry to access the operator Helm chart and required images. Harbor structures the registry at harbor.calypsoai.app. For more information, see Working with OCI artifacts.
Log in to the registry.
shellhelm registry login harbor.calypsoai.appCreate the
f5-ai-secnamespace and a pull secret for the Harbor registry.shellkubectl create namespace f5-ai-sec kubectl create secret docker-registry regcred \ --docker-server='harbor.calypsoai.app' \ --docker-username='<REGISTRY_USERNAME>' \ --docker-password='<REGISTRY_PASSWORD>' \ -n f5-ai-sec
This creates the namespace and stores your registry credentials as a Kubernetes secret named regcred.
Install the operator using Helm
Install the F5 AI Security Operator Helm chart into the f5-ai-sec namespace. This deploys the operator controller, CRD, service account, and RBAC required to manage AI Security platform resources through the SecurityOperator custom resource.
Install the chart.
shellhelm install f5-ai-security-operator \ oci://harbor.calypsoai.app/calypsoai/f5-ai-security-operator-helm \ --version 1.3.1 \ -n f5-ai-secVerify the installation.
shellhelm list -n f5-ai-sec kubectl get crd securityoperators.ai.security.f5.com kubectl get pods -n f5-ai-sec kubectl logs -n f5-ai-sec deploy/controller-manager
Confirm that the CRD is registered and the controller manager pod is running before continuing.
Create the SecurityOperator custom resource
Create a file named
securityoperator.yamlwith the following content.yamlapiVersion: ai.security.f5.com/v1alpha1 kind: SecurityOperator metadata: name: security-operator-demo namespace: f5-ai-sec spec: registryAuth: existingSecret: "regcred" # Uncomment to install PostgreSQL in the cluster. # F5 does not recommend this for production deployments. # postgresql: # enabled: true # values: # postgresql: # auth: # password: "<POSTGRES_PASSWORD>" jobManager: enabled: true moderator: enabled: true values: env: CAI_MODERATOR_BASE_URL: https://i-am-a-hostname.example.com # Uncomment to connect to an external PostgreSQL server. # CAI_MODERATOR_DB_HOST: <MY_EXTERNAL_DB_HOSTNAME> secrets: CAI_MODERATOR_DB_ADMIN_PASSWORD: "<YOUR_DB_PASSWORD>" CAI_MODERATOR_DEFAULT_LICENSE: "<YOUR_F5_AI_SECURITY_LICENSE>" inference: enabled: true values: inference: guardrails: enabled: true # Deploys the model required for the Guardrails product redteam: enabled: true # Deploys the model required for the Red Team productSet the required values listed in the following table before applying the manifest.
Parameter Description CAI_MODERATOR_DEFAULT_LICENSEYour F5 AI Security license string, obtained from your F5 team. CAI_MODERATOR_BASE_URLThe public hostname for the moderator service, for example: https://your-hostname.example.com.CAI_MODERATOR_DB_HOSTThe hostname of your external PostgreSQL database. Uncomment this line to use an external database. CAI_MODERATOR_DB_ADMIN_PASSWORDThe admin password for your external PostgreSQL database. Note: You must supply a valid license and a reachable moderator URL for the deployment to start correctly. Verify both values with your F5 team before applying the manifest.
Choose which AI Security products to deploy by setting the
enabledflag underinference.values.inference.The
inferencesection controls which product models are deployed. Enable only the products your license covers.Product Field Set to Guardrails only inference.values.inference.guardrails.enabledtrue,inference.values.inference.redteam.enabledtofalseRed Team only inference.values.inference.redteam.enabledtrue,inference.values.inference.guardrails.enabledtofalseAll products All fields trueDeploying both products requires more cluster resources. Confirm your cluster has sufficient CPU and memory before enabling both.
Apply the manifest.
shellkubectl apply -f securityoperator.yaml
System requirements
Inference layer
| Component | Guardrails | Red Team | Both products |
|---|---|---|---|
| CPU (x86) | 4 cores | 4 cores | 8 cores |
| Memory | 16 GB | 16 GB | 32 GB |
| GPU memory | 24 GB CUDA-compatible | 48 GB CUDA-compatible | 48 GB CUDA-compatible |
Backend
| Component | Guardrails | Red Team |
|---|---|---|
| CPU (x86) | 16 cores | 16 cores + 4 cores (Prefect scheduler) |
| Memory | 32 GB | 32 GB + 8 GB (Prefect scheduler) |
| Database | PostgreSQL | PostgreSQL |
Verify the installation
Check that the
SecurityOperatorresource is created and the pods are running.shellkubectl get securityoperator -n f5-ai-sec kubectl get pods -n f5-ai-secAll pods should reach
Runningstatus. If any pod stays inPendingorCrashLoopBackOff, check the logs for that pod.Review the controller logs to confirm there are no errors.
shellkubectl logs -n f5-ai-sec deploy/controller-manager
References
For more information, see: