Installation of Kubescape in cluster

Prerequisites

  • Make sure you have a Kubescape account; if not, sign up here
  • You need installation access to your cluster (you should be able to create Deployments, CronJobs, ConfigMaps and Secrets)
  • You must have kubectl and Helm installed

Cluster requirements

ARMO cluster components require a minimum of 300Mib RAM and 400m CPU

Install a pre-registered cluster

  1. Navigate to the Kubescape portal
  2. Click on "Add Cluster"
  3. Select the in-cluster installation and follow the steps

Install without pre-registering the cluster

  1. Add the ARMO Helm repo

helm repo add armo https://armosec.github.io/armo-helm/

Or, if the repo was already added, update it:

helm repo update

  2. Install the Helm chart

helm upgrade --install armo armo/armo-cluster-components -n armo-system --create-namespace --set clusterName=`kubectl config current-context` --set accountGuid=<account ID>

Post-install validation

After installation, check that all components are running correctly:

$ kubectl -n armo-system get deployments
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
armo-collector              1/1     1            1           47h
armo-kubescape              1/1     1            1           47h
armo-notification-service   1/1     1            1           47h
armo-vuln-scan              1/1     1            1           47h
armo-web-socket             1/1     1            1           47h
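
The same check can be scripted so that a pipeline fails when a component is missing or not ready. This is an added example, not part of the ARMO or Kubescape documentation; the function name check_armo_deployments, the EXPECTED variable and the sample data are assumptions for illustration, and the Deployment names are copied from the output above.

```shell
#!/bin/sh
# Deployment names copied from the sample output on this page. Override
# EXPECTED when a component is disabled through Helm values (assumption:
# a disabled component has no Deployment).
EXPECTED="${EXPECTED:-armo-collector armo-kubescape armo-notification-service armo-vuln-scan armo-web-socket}"

# Reads `kubectl get deployments` table output on stdin. Prints one line per
# problem and returns non-zero if any expected Deployment is missing or its
# READY column is not "n/n" with n > 0.
check_armo_deployments() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, want, " "); bad = 0 }
        NR == 1 && $1 == "NAME" { next }      # header row
        NF >= 2 {
            seen[$1] = 1
            split($2, r, "/")                 # READY is "ready/desired"
            if (r[1] + 0 != r[2] + 0 || r[2] + 0 == 0) {
                printf "NOT READY: %s (%s)\n", $1, $2
                bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) {
                    printf "MISSING: %s\n", want[i]
                    bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample (not real cluster output): one component not ready,
# armo-vuln-scan absent.
sample_degraded() {
    cat <<'EOF'
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
armo-collector              1/1     1            1           5m
armo-kubescape              0/1     1            0           5m
armo-notification-service   1/1     1            1           5m
armo-web-socket             1/1     1            1           5m
EOF
}

# Live use: kubectl -n armo-system get deployments | check_armo_deployments
```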

Prometheus Exporter

Read more about the integration with Prometheus

Supported Helm values

| Key | Type | Default | Description |
|---|---|---|---|
| armoCollector.enabled | bool | true | enable/disable the armoCollector |
| armoCollector.env[0] | object | {"name":"PRINT_REPORT","value":"false"} | print in verbose mode (print all reported data) |
| armoCollector.image.repository | string | "quay.io/armosec/cluster-collector" | source code (private repo) |
| armoKubescape.downloadArtifacts | bool | true | download policies on every scan; we recommend it remain true. Change it to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus) |
| armoKubescape.enableHostScan | bool | true | enable host scanner feature |
| armoKubescape.enabled | bool | true | enable/disable kubescape scanning |
| armoKubescape.image.repository | string | "quay.io/armosec/kubescape" | source code (public repo) |
| armoKubescape.serviceMonitor.enabled | bool | false | enable/disable service monitor for prometheus (operator) integration |
| armoKubescape.skipUpdateCheck | bool | false | skip check for a newer version |
| armoKubescape.submit | bool | true | submit results to ARMO SaaS: https://portal.armo.cloud/ |
| armoKubescapeScanScheduler.enabled | bool | true | enable/disable a kubescape scheduled scan using a CronJob |
| armoKubescapeScanScheduler.image.repository | string | "quay.io/armosec/http_request" | source code (public repo) |
| armoKubescapeScanScheduler.scanSchedule | string | "0 0 * * *" | scan schedule frequency |
| armoNotificationService.enabled | bool | true | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings |
| armoNotificationService.image.repository | string | "quay.io/armosec/notification-server" | source code (private repo) |
| armoScanScheduler.enabled | bool | true | enable/disable a scheduled image vulnerability scan using a CronJob |
| armoScanScheduler.image.repository | string | "curlimages/curl" | image: curlimages/curl |
| armoScanScheduler.scanSchedule | string | "0 0 * * *" | scan schedule frequency |
| armoVulnScanner.enabled | bool | true | enable/disable image vulnerability scanning |
| armoVulnScanner.image.repository | string | "quay.io/armosec/images-vulnerabilities-scan" | source code (private repo) |
| armoWebsocket.enabled | bool | true | enable/disable kubescape and image vulnerability scanning |
| armoWebsocket.image.repository | string | "quay.io/armosec/action-trigger" | source code (private repo) |
| aws_iam_role_arn | string | nil | AWS IAM arn role |
| clientID | string | "" | client ID, read more |
| cloudRegion | string | nil | cloud region |
| cloud_provider_engine | string | nil | cloud provider engine |
| gkeProject | string | nil | GKE project |
| gke_service_account | string | nil | GKE service account |
| secretKey | string | "" | secret key, read more |
| triggerNewImageScan | string | "disable" | enable/disable trigger image scan for new images |
