Helm Deployment

Deploy A3S Box as a Kubernetes RuntimeClass using Helm

Deploy A3S Box as a Kubernetes CRI runtime using the official Helm chart. The chart installs a DaemonSet, RuntimeClass, RBAC, and ConfigMap.

Prerequisites

  • Kubernetes 1.26+
  • Helm 3.x
  • Nodes with KVM support (/dev/kvm accessible)
  • Node label: a3s-box.io/runtime: "true"

Install

helm install a3s-box deploy/helm/a3s-box/ \
  -n a3s-box-system --create-namespace

Custom Values

helm install a3s-box deploy/helm/a3s-box/ \
  -n a3s-box-system --create-namespace \
  --set image.tag=v0.5.3 \
  --set config.logLevel=debug \
  --set config.imageCacheSize=21474836480 \
  --set resources.limits.memory=1Gi

Uninstall

helm uninstall a3s-box -n a3s-box-system

What Gets Deployed

DaemonSet

Runs a3s-box-cri on every labeled node. The pod mounts:

  • /dev/kvm — hardware virtualization
  • /var/run/a3s-box/ — CRI socket directory
  • Host network for kubelet communication

The container runs privileged:

securityContext:
  privileged: true  # Required for /dev/kvm access

RuntimeClass

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: a3s-box
handler: a3s-box
overhead:
  podFixed:
    memory: "30Mi"
    cpu: "50m"

RBAC

  • ServiceAccount: a3s-box-cri
  • ClusterRole with permissions for node status, pods, and events

Running Pods

Once deployed, schedule pods on A3S Box by setting runtimeClassName:

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  runtimeClassName: a3s-box
  containers:
    - name: alpine
      image: alpine:latest
      command: ["sleep", "3600"]

TEE-Enabled Pod

apiVersion: v1
kind: Pod
metadata:
  name: secure-workload
  annotations:
    a3s.box/tee: "sev-snp"
    a3s.box/tee-generation: "genoa"
    a3s.box/workload-id: "secure-inference"
spec:
  runtimeClassName: a3s-box
  containers:
    - name: app
      image: my-app:latest
      resources:
        limits:
          cpu: "2"
          memory: "1Gi"

TDX-Enabled Pod

apiVersion: v1
kind: Pod
metadata:
  name: tdx-workload
  annotations:
    a3s.box/tee: "tdx"
    a3s.box/workload-id: "my-tdx-workload"
spec:
  runtimeClassName: a3s-box
  containers:
    - name: app
      image: my-app:latest

Intel TDX is accepted in configuration, but its runtime support is still pending. Use sev-snp for production TEE workloads.
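The three pod manifests above share two things a cluster operator wants to verify before a manifest reaches the kubelet: that the pod really targets the a3s-box RuntimeClass with a supported a3s.box/tee value, and what the pod costs the scheduler once the RuntimeClass overhead (podFixed 30Mi / 50m) is added to its requests. The following added example (not code from the A3S Box project or these docs) does both. It assumes manifests arrive as plain dicts (what yaml.safe_load returns), that a3s.box/tee values other than sev-snp and tdx should be rejected, and that a TEE pod without an a3s.box/workload-id annotation deserves a warning rather than a rejection; none of those three rules is stated on the page.

```python
"""Added example (not part of the A3S Box project or its docs): a pre-admission
check for pod manifests that target the a3s-box RuntimeClass, plus the
scheduling footprint each pod gets once the RuntimeClass overhead is added.

Assumptions not stated on the page: manifests arrive as plain dicts (what
yaml.safe_load returns); a3s.box/tee values other than sev-snp and tdx are
rejected; a TEE pod without a3s.box/workload-id is a warning, not an error.
"""
import re

RUNTIME_CLASS = "a3s-box"
# From the chart's RuntimeClass: overhead.podFixed
OVERHEAD_CPU = "50m"
OVERHEAD_MEMORY = "30Mi"
# Page: sev-snp is production-ready; tdx has config support, runtime pending.
TEE_STATUS = {"sev-snp": "production", "tdx": "pending"}

_MEM_SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9,
               "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}


def cpu_millis(quantity):
    """Kubernetes CPU quantity -> millicores: '2' -> 2000, '500m' -> 500."""
    q = str(quantity)
    if q.endswith("m"):
        return int(q[:-1])
    return int(float(q) * 1000)


def mem_bytes(quantity):
    """Kubernetes memory quantity -> bytes: '1Gi' -> 1073741824, '30Mi' -> 31457280."""
    m = re.fullmatch(r"(\d+)([kMG]i?)?", str(quantity))
    if not m:
        raise ValueError(f"unsupported memory quantity: {quantity!r}")
    return int(m.group(1)) * _MEM_SUFFIX[m.group(2) or ""]


def check_pod(pod):
    """Return [(severity, message), ...] for one pod manifest; [] means clean."""
    findings = []
    spec = pod.get("spec") or {}
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    if spec.get("runtimeClassName") != RUNTIME_CLASS:
        findings.append(("error", f"runtimeClassName must be {RUNTIME_CLASS!r}"))
    tee = annotations.get("a3s.box/tee")
    if tee is not None:
        status = TEE_STATUS.get(tee)
        if status is None:  # assumption: anything but sev-snp/tdx is rejected
            findings.append(("error", f"unknown a3s.box/tee value {tee!r}"))
        elif status == "pending":
            findings.append(("warning", f"a3s.box/tee={tee}: runtime support pending, "
                                        "use sev-snp for production"))
        if "a3s.box/workload-id" not in annotations:  # assumption: warn only
            findings.append(("warning", "TEE pod has no a3s.box/workload-id annotation"))
    return findings


def scheduling_footprint(pod):
    """(cpu_millis, mem_bytes) the scheduler reserves for this pod: the sum of
    container requests (each resource falls back to its limit when only the
    limit is set, as the API server defaults it) plus the podFixed overhead."""
    cpu = cpu_millis(OVERHEAD_CPU)
    mem = mem_bytes(OVERHEAD_MEMORY)
    for container in (pod.get("spec") or {}).get("containers") or []:
        resources = container.get("resources") or {}
        requests = resources.get("requests") or {}
        limits = resources.get("limits") or {}
        cpu += cpu_millis(requests.get("cpu", limits.get("cpu", 0)))
        mem += mem_bytes(requests.get("memory", limits.get("memory", 0)))
    return cpu, mem


# Constructed sample manifests: the page's two TEE pods plus a deliberately bad one.
SEV_SNP_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secure-workload", "annotations": {
        "a3s.box/tee": "sev-snp", "a3s.box/tee-generation": "genoa",
        "a3s.box/workload-id": "secure-inference"}},
    "spec": {"runtimeClassName": "a3s-box", "containers": [
        {"name": "app", "image": "my-app:latest",
         "resources": {"limits": {"cpu": "2", "memory": "1Gi"}}}]},
}
TDX_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "tdx-workload", "annotations": {
        "a3s.box/tee": "tdx", "a3s.box/workload-id": "my-tdx-workload"}},
    "spec": {"runtimeClassName": "a3s-box", "containers": [
        {"name": "app", "image": "my-app:latest"}]},
}
BAD_POD = {  # constructed: wrong runtime class, made-up TEE value, no workload-id
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "oops", "annotations": {"a3s.box/tee": "not-a-tee"}},
    "spec": {"runtimeClassName": "runc",
             "containers": [{"name": "app", "image": "my-app:latest"}]},
}

if __name__ == "__main__":
    for pod in (SEV_SNP_POD, TDX_POD, BAD_POD):
        cpu, mem = scheduling_footprint(pod)
        print(f"{pod['metadata']['name']}: footprint {cpu}m CPU, {mem / 2**20:.0f}Mi memory")
        for severity, message in check_pod(pod):
            print(f"  [{severity}] {message}")
```

For the secure-workload pod the footprint is 2050m CPU and 1054Mi memory: the 2-CPU / 1Gi limits become the requests because no requests were set, and the RuntimeClass overhead is added on top. That overhead is what the scheduler charges against node capacity for every a3s-box pod, so it belongs in any capacity estimate for labeled nodes. The tdx-workload pod passes with a single warning, matching the note above that its runtime support is still pending.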

Prometheus Metrics

The CRI pod exposes 19 Prometheus metrics on port 9090 at /metrics. Enable scraping via annotations:

# values.yaml
podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "9090"
  prometheus.io/path: "/metrics"

Health Checks

The Helm chart configures liveness and readiness probes:

livenessProbe:
  initialDelaySeconds: 5
  periodSeconds: 10

readinessProbe:
  initialDelaySeconds: 3
  periodSeconds: 5

Node Labeling

Label nodes that should run A3S Box:

kubectl label node <node-name> a3s-box.io/runtime=true

To remove:

kubectl label node <node-name> a3s-box.io/runtime-
