Every contribution helps!

French Version | English Version

- Complete Guide (FR)
- Complete Guide (EN)
- Architecture
- Quick Start
- Documentation
- Security Features
- Monitoring
- Contributing
- License
- Support
This complete guide walks you step by step through installing, securing and using Phoenix on a Mac Studio M3 Ultra. The architecture offers 3 deployment modes (local, k3d, Koyeb cloud) with a one-click installation via an interactive onboarding script, while keeping native access to the M3 GPU for local LLMs (Ollama, LM Studio).

⚠️ Security: this configuration includes the post-CVE-2026-25253 fixes (critical RCE, CVSS 8.8). Minimum required image: 2026.1.29.

- ✅ One-click installation: interactive onboarding script (setup.sh)
- ✅ 3 deployment profiles: local (Docker), k3d (Zero-Trust), cloud (Koyeb)
- ✅ Ultra-secure deployment post-CVE-2026-25253
- ✅ Optimal use of the Apple Silicon GPU (M1/M2/M3)
- ✅ Zero-Trust architecture with Squid proxy whitelist (k3d mode)
- ✅ Monitoring with Prometheus and Grafana (k3d mode)
- ✅ Automated backups with a 3-2-1 strategy
- ✅ OWASP, CVE, GDPR, WCAG compliance
- ✅ Mandatory gateway authentication token
- ✅ Non-root, read-only containers with PID limits
```
┌──────────────────────────────────────────────────────────────────────┐
│                         MAC STUDIO M3 ULTRA                          │
│                                                                      │
│  ┌────────────────────────────────────────────────────────────────┐  │
│  │                        KUBERNETES (k3s)                        │  │
│  │                                                                │  │
│  │   ┌─────────────────┐      ┌─────────────────┐                 │  │
│  │   │     Phoenix     │─────▶│   Squid Proxy   │─────▶ Internet  │  │
│  │   │     :18789      │      │      :3128      │     (whitelist) │  │
│  │   │   (Isolated)    │      │   (Whitelist)   │                 │  │
│  │   └────────┬────────┘      └─────────────────┘                 │  │
│  │            │                                                   │  │
│  │            │ host.docker.internal                              │  │
│  │            ▼                                                   │  │
│  └────────────┼───────────────────────────────────────────────────┘  │
│               │                                                      │
│  ┌────────────▼──────────┐                                           │
│  │        OLLAMA         │◀──▶ GPU Metal (192GB Unified Memory)      │
│  │        :11434         │                                           │
│  │    (Native macOS)     │    Models: Llama 3.1 70B, Qwen, Mistral...│
│  └───────────────────────┘                                           │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
```
| Component | Minimum Version | Recommended |
|---|---|---|
| macOS | 13.0 (Ventura) | 14.0+ (Sonoma) |
| RAM | 8 GB (Docker) | 64-192 GB (local LLMs) |
| Storage | 100 GB SSD | 500 GB+ NVMe |
| Docker Desktop | 4.25+ | Latest version |
| Ollama | 0.3+ (optional) | Latest version |
| Phoenix | ≥ 2026.1.29 | 2026.1.30 |
```bash
# 1. Clone the project
git clone https://github.com/EthanThePhoenix38/Phoenix.git && cd Phoenix

# 2. Run the interactive onboarding (generates .env + launches the stack)
./scripts/setup.sh
```

The setup.sh script guides you through:

- Prerequisites check (Docker, RAM, architecture)
- Profile selection: local · k3d · koyeb
- Security configuration (gateway token, auth, sandbox)
- API keys (Anthropic, OpenAI, Google, Mistral)
- Automatic stack launch
```bash
cd docker
cp .env.example .env
# Edit .env (REQUIRED: change PHOENIX_GATEWAY_TOKEN and GRAFANA_PASSWORD)
docker compose --profile <local|k3d|koyeb> up -d
```

| Profile | Use Case | Squid Proxy | Local LLMs | Monitoring | API Keys |
|---|---|---|---|---|---|
| local | Dev / Personal use | ❌ | ✅ Ollama, LM Studio | ❌ | Optional |
| k3d | Local production / Zero-Trust | ✅ Strict whitelist | ✅ Ollama, LM Studio | ✅ Prometheus + Grafana | Optional |
| koyeb | Koyeb cloud | ❌ | ❌ | ❌ | Required |
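The manual path above requires replacing PHOENIX_GATEWAY_TOKEN and GRAFANA_PASSWORD in .env before the stack comes up, and the secrets layer relies on that file being mode 600. The following shell script is an added example, not the repository's scripts/setup.sh: it renders a .env from a template with freshly generated secrets, creates the file readable by its owner only, and refuses to pass while a placeholder or a weak value remains. The template contents and the CHANGE_ME placeholder are constructed for the example; only the two variable names come from this README.

```shell
#!/bin/sh
# Added example (not the repository's scripts/setup.sh): fill in the two
# mandatory secrets in docker/.env, create the file with mode 0600, and
# refuse to proceed while a placeholder value remains.
# The variable names PHOENIX_GATEWAY_TOKEN and GRAFANA_PASSWORD are the ones
# the README lists; the template below and the "CHANGE_ME" placeholder are
# constructed assumptions, not the project's real .env.example.
set -eu

# Constructed stand-in for docker/.env.example, written to the given path.
write_sample_template() {
    cat > "$1" <<'EOF'
# constructed sample template
PHOENIX_GATEWAY_TOKEN=CHANGE_ME
GRAFANA_PASSWORD=CHANGE_ME
EOF
}

# 32 random bytes, hex-encoded (64 characters), without depending on openssl.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# render_env TEMPLATE DEST: copy the template to DEST with fresh secrets
# substituted for the two mandatory variables. umask 077 makes the file
# 0600 at creation, so the secrets are never briefly world-readable.
render_env() {
    tpl="$1"; dest="$2"
    token=$(gen_secret)
    grafana=$(gen_secret)
    (
        umask 077
        sed -e "s|^PHOENIX_GATEWAY_TOKEN=.*|PHOENIX_GATEWAY_TOKEN=$token|" \
            -e "s|^GRAFANA_PASSWORD=.*|GRAFANA_PASSWORD=$grafana|" "$tpl" > "$dest"
    )
}

# check_env FILE: returns 0 when FILE has no placeholder left, is mode 0600,
# and both secrets are at least 32 characters; otherwise reports the first
# failing check and returns 1. Run it before `docker compose ... up -d`.
check_env() {
    f="$1"
    if grep -q 'CHANGE_ME' "$f"; then
        echo "$f: placeholder value still present" >&2; return 1
    fi
    perms=$(ls -l "$f" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        echo "$f: expected mode 0600, found $perms" >&2; return 1
    fi
    for var in PHOENIX_GATEWAY_TOKEN GRAFANA_PASSWORD; do
        val=$(sed -n "s/^$var=//p" "$f")
        if [ "${#val}" -lt 32 ]; then
            echo "$f: $var missing or shorter than 32 characters" >&2; return 1
        fi
    done
    return 0
}

# Usage from the repository root (after sourcing this file):
#   render_env docker/.env.example docker/.env && check_env docker/.env
```

The permission check reads `ls -l` rather than `stat`, because the `stat` flags differ between macOS and Linux and this guide targets both Docker Desktop on a Mac and Linux-based k3d nodes.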
Open the interactive guide (GitBook-style viewer)

| Part | Chapters | Description |
|---|---|---|
| Part 1 | Chapters 1-5 | Foundations: Introduction, Prerequisites, Architecture |
| Part 2 | Chapters 6-10 | Kubernetes: k3s Installation, Namespaces, Pods |
| Part 3 | Chapters 11-15 | Security: NetworkPolicies, Secrets, Squid Proxy |
| Part 4 | Chapters 16-20 | Operations: Monitoring, Alerts, Backups |
| Part 5 | Chapters 21-24 | Advanced: HA, Scaling, Troubleshooting |
| Appendices | A-C | Glossary, Commands, Resources |
This comprehensive guide walks you through installing, securing, and using Phoenix on a Mac Studio M3 Ultra. The architecture provides 3 deployment profiles (local, k3d, cloud Koyeb) with a one-click interactive onboarding script, while maintaining native M3 GPU access for local LLMs (Ollama, LM Studio).
⚠️ Security: This configuration includes post-CVE-2026-25253 hardening (critical RCE, CVSS 8.8). Minimum image version: 2026.1.29.

- ✅ One-click installation: interactive onboarding script (setup.sh)
- ✅ 3 deployment profiles: local (Docker), k3d (Zero-Trust), cloud (Koyeb)
- ✅ Ultra-secure deployment post-CVE-2026-25253
- ✅ Optimal use of Apple Silicon GPU (M1/M2/M3)
- ✅ Zero-Trust architecture with Squid proxy whitelist (k3d mode)
- ✅ Monitoring with Prometheus and Grafana (k3d mode)
- ✅ Automated backups with 3-2-1 strategy
- ✅ OWASP, CVE, GDPR, WCAG compliance
- ✅ Mandatory gateway authentication tokens
- ✅ Non-root containers, read-only fs, PID limits
```bash
# 1. Clone the project
git clone https://github.com/EthanThePhoenix38/Phoenix.git && cd Phoenix

# 2. Run the interactive onboarding (generates .env + launches the stack)
./scripts/setup.sh
```

The setup.sh script guides you through:

- Prerequisites check (Docker, RAM, architecture)
- Profile selection: local · k3d · koyeb
- Security configuration (gateway token, auth, sandbox)
- API keys (Anthropic, OpenAI, Google, Mistral)
- Automatic stack launch
| Profile | Use Case | Squid Proxy | Local LLMs | Monitoring | API Keys |
|---|---|---|---|---|---|
| local | Dev / Personal use | ❌ | ✅ Ollama, LM Studio | ❌ | Optional |
| k3d | Local production / Zero-Trust | ✅ Strict whitelist | ✅ Ollama, LM Studio | ✅ Prometheus + Grafana | Optional |
| koyeb | Koyeb cloud | ❌ | ❌ | ❌ | Required |
Open the interactive guide (GitBook-style viewer)
| Part | Chapters | Description |
|---|---|---|
| Part 1 | Chapters 1-5 | Foundations: Introduction, Prerequisites, Architecture |
| Part 2 | Chapters 6-10 | Kubernetes: k3s Installation, Namespaces, Pods |
| Part 3 | Chapters 11-15 | Security: NetworkPolicies, Secrets, Squid Proxy |
| Part 4 | Chapters 16-20 | Operations: Monitoring, Alerts, Backups |
| Part 5 | Chapters 21-24 | Advanced: HA, Scaling, Troubleshooting |
```
┌─────────────────────────────────────────────────────────────────┐
│ LAYER 0: Authentication                                         │
│ Gateway Token (mandatory), mDNS off                             │
├─────────────────────────────────────────────────────────────────┤
│ LAYER 1: Network Isolation                                      │
│ Bind 127.0.0.1, NetworkPolicies (k3d)                           │
├─────────────────────────────────────────────────────────────────┤
│ LAYER 2: Proxy Control (k3d only)                               │
│ Squid Proxy (domain whitelist)                                  │
├─────────────────────────────────────────────────────────────────┤
│ LAYER 3: Container Security                                     │
│ Non-root, read-only fs, PID limits, no caps                     │
├─────────────────────────────────────────────────────────────────┤
│ LAYER 4: Secrets Management                                     │
│ .env (chmod 600), no hardcoded credentials                      │
├─────────────────────────────────────────────────────────────────┤
│ LAYER 5: Sandbox Isolation                                      │
│ Per-agent sandbox, non-main thread                              │
├─────────────────────────────────────────────────────────────────┤
│ LAYER 6: Monitoring & Audit (k3d)                               │
│ Prometheus, Grafana, security audit --deep                      │
└─────────────────────────────────────────────────────────────────┘
```
```
PhoenixBook/
├── book/                    # Documentation (24 chapters)
│   ├── fr/                  # French documentation
│   └── en/                  # English documentation
├── kubernetes/
│   ├── namespace.yaml       # Isolated namespace
│   ├── deployment.yaml      # Hardened deployment
│   ├── service.yaml         # ClusterIP services
│   ├── configmap.yaml       # Configuration
│   ├── secrets.yaml         # Secrets template
│   └── network-policy.yaml  # Zero-Trust policies
├── docker/
│   ├── Dockerfile           # Hardened multi-stage build
│   ├── docker-compose.yml   # Multi-profile stack (local/k3d/koyeb)
│   ├── squid.conf           # Whitelist proxy config (k3d)
│   ├── .env.example         # Hardened config template
│   └── .env.koyeb           # Koyeb cloud config reference
├── scripts/
│   ├── setup.sh             # One-click interactive onboarding
│   ├── install-k3s.sh       # k3s installation
│   ├── deploy-phoenix.sh    # K8s deployment
│   ├── setup-ollama.sh      # Ollama configuration
│   └── backup.sh            # 3-2-1 backups
├── PRODUCTION/              # Production files
├── assets/                  # Assets (images, etc.)
├── README.md                # This file
├── CHANGELOG.md             # Changelog
├── CITATION.cff             # Academic citation
├── LICENSE                  # MIT License
└── index.html               # Interactive GitBook viewer
```
Configuration compliant with the post-CVE-2026-25253 recommendations (CSRF → RCE, CVSS 8.8)

| Feature | Description | Profile |
|---|---|---|
| Gateway Auth Token | Mandatory token for all connections | All |
| mDNS Disabled | Network discovery disabled | All |
| Secure Control UI | Insecure auth disabled | All |
| Bind localhost | Port bound to 127.0.0.1 only | local, k3d |
| DM Pairing | Secure pairing required | All |
| Zero-Trust Network | All traffic blocked by default | k3d |
| Proxy Whitelist | Only approved domains accessible | k3d |
| Non-root Containers | Unprivileged user (UID 1000) | All |
| Read-only Filesystem | Read-only fs + targeted tmpfs | All |
| No Capabilities | cap_drop: ALL + no-new-privileges (all capabilities dropped) | All |
| PID Limits | Fork bomb protection (256 PIDs) | All |
| Sandbox Isolation | Per-agent scope, non-main thread | All |
| Secret Management | .env chmod 600, never hardcoded | All |
| Audit Logging | phoenix security audit --deep (deep security audit) | All |
| Resource Limits | CPU/Memory/PID limits to prevent resource exhaustion | All |
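To make the container-hardening rows of the table above checkable before a deployment, here is an added shell audit (not part of the project) that inspects a docker-compose service definition for the settings listed: UID 1000, a read-only root filesystem, cap_drop ALL, no-new-privileges, a pids_limit, and ports published only on 127.0.0.1. It greps the YAML text rather than parsing it, so it assumes a single-service compose file in the conventional layout; both compose snippets it writes are constructed samples, not the repository's docker-compose.yml, and the image name in them is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the repository): audit a docker-compose service
# definition against the hardening baseline listed in the README table
# (UID 1000, read_only, cap_drop ALL, no-new-privileges, pids_limit, ports
# bound to 127.0.0.1). Text-based checks; assumes one service per file.
set -eu

# write_samples DIR: constructed weak and hardened compose files for the demo.
# "phoenix:2026.1.29" is a placeholder image name, not the project's image.
write_samples() {
    cat > "$1/weak.yml" <<'EOF'
services:
  phoenix:
    image: phoenix:2026.1.29
    ports:
      - "18789:18789"
EOF
    cat > "$1/hardened.yml" <<'EOF'
services:
  phoenix:
    image: phoenix:2026.1.29
    user: "1000:1000"
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    pids_limit: 256
    ports:
      - "127.0.0.1:18789:18789"
EOF
}

# Each check prints what is missing and returns 1 on failure.
check_nonroot()  { grep -Eq '^[[:space:]]*user:[[:space:]]*"?1000' "$1" || { echo "  - service does not run as UID 1000"; return 1; }; }
check_readonly() { grep -Eq 'read_only:[[:space:]]*true' "$1" || { echo "  - root filesystem is not read_only"; return 1; }; }
# cap_drop may be a block list ("- ALL" on the next line) or a flow list.
check_caps()     { grep -A1 'cap_drop:' "$1" | grep -q 'ALL' || { echo "  - cap_drop: ALL missing"; return 1; }; }
check_nnp()      { grep -Eq 'no-new-privileges[:=]true' "$1" || { echo "  - security_opt no-new-privileges missing"; return 1; }; }
check_pids()     { grep -Eq 'pids_limit:[[:space:]]*[0-9]+' "$1" || { echo "  - pids_limit missing"; return 1; }; }
# A "host:container" mapping with no 127.0.0.1 prefix listens on every interface.
check_loopback() { ! grep -Eq '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+' "$1" || { echo "  - port published on all interfaces"; return 1; }; }

# audit_compose FILE: runs every check; the exit status is the number of
# failed checks, so 0 means the service matches the hardening baseline.
audit_compose() {
    f="$1"; failed=0
    echo "auditing $f"
    for check in check_nonroot check_readonly check_caps check_nnp check_pids check_loopback; do
        "$check" "$f" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage: audit_compose docker/docker-compose.yml
```

Because the exit status counts failures, the audit drops into a CI job or a pre-deploy hook unchanged: any non-zero status blocks `docker compose up`, and the printed lines say which baseline row was missed.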
```bash
# Access Prometheus
kubectl port-forward -n monitoring svc/prometheus 9090:9090

# Access Grafana
kubectl port-forward -n monitoring svc/grafana 3000:3000
```

If you use this guide, please cite it:

```bibtex
@misc{bernier2026phoenix,
  author = {Bernier, Ethan},
  title = {Phoenix Secure K8s Guide},
  year = {2026},
  publisher = {GitHub},
  url = {https://github.com/EthanThePhoenix38/Phoenix}
}
```

See CITATION.cff for more details.
Contributions are welcome!

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.
Ethan Bernier
- ORCID: 0009-0008-9839-5763
- GitHub: @EthanThePhoenix38
- Email: ethan.bernier.data@gmail.com
This guide is free and open source. If you find it useful:

| Platform | Link |
|---|---|
| Ko-fi | ko-fi.com/EthanThePhoenix |
| PayPal | paypal.me/VanessaBernier |
| GitHub | Star this repo! |

Made with ❤️ by Ethan Bernier

Phoenix Secure Kubernetes Deployment - Version 1.0.0 - 2026