Installation of Kubescape in cluster


  • Make sure you have a Kubescape account - if not, sign up here
  • You need to have installation access to your cluster (you should be able to create Deployments, CronJobs, ConfigMaps and Secrets)
  • You must have kubectl and Helm installed

Cluster requirements

ARMO cluster components require a minimum of 300MiB RAM and 400m CPU.

Install a pre-registered cluster

  1. Navigate to Kubescape portal
  2. Click on "Add Cluster"
  3. Select the in-cluster installation and follow the steps

Install without pre-registering the cluster

  1. Add ARMO helm repo

     helm repo add armo

     Or, if it is already added, update it:

     helm repo update

  2. Install the Helm Chart

     helm upgrade --install armo armo/armo-cluster-components -n armo-system --create-namespace --set clusterName=`kubectl config current-context` --set accountGuid=<account ID>

Post-install validation

After installation, check that all components are running correctly:

$ kubectl -n armo-system get deployments
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
armo-collector              1/1     1            1           47h
armo-kubescape              1/1     1            1           47h
armo-notification-service   1/1     1            1           47h
armo-vuln-scan              1/1     1            1           47h
armo-web-socket             1/1     1            1           47h
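
A scripted form of this check, as an added example that is not part of the original page: it reads the `kubectl -n armo-system get deployments` output on stdin and flags any of the five components shown above that is missing or not fully ready. The function name and the degraded sample are constructed for illustration, and it assumes all components are enabled (the chart defaults).

```shell
#!/bin/sh
# Components from the sample output on this page (assumes chart defaults: all enabled).
EXPECTED="armo-collector armo-kubescape armo-notification-service armo-vuln-scan armo-web-socket"

# Hypothetical helper: reads `kubectl -n armo-system get deployments` output on
# stdin, prints one line per problem, and returns 1 if a component is missing
# or has fewer ready replicas than desired.
check_armo_deployments() {
    awk -v expected="$EXPECTED" '
        NR == 1 && $1 == "NAME" { next }        # skip the header row
        NF >= 2 {
            seen[$1] = 1
            split($2, r, "/")                    # READY column is "ready/desired"
            if (r[2] + 0 == 0 || r[1] + 0 < r[2] + 0) {
                printf "NOT READY: %s (%s)\n", $1, $2
                bad = 1
            }
        }
        END {
            n = split(expected, e, " ")
            for (i = 1; i <= n; i++)
                if (!(e[i] in seen)) { printf "MISSING: %s\n", e[i]; bad = 1 }
            exit bad + 0
        }'
}

# Sample input: the healthy output shown on this page.
HEALTHY='NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
armo-collector              1/1     1            1           47h
armo-kubescape              1/1     1            1           47h
armo-notification-service   1/1     1            1           47h
armo-vuln-scan              1/1     1            1           47h
armo-web-socket             1/1     1            1           47h'

# Constructed sample: one component not ready, one deployment absent.
DEGRADED='NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
armo-collector              1/1     1            1           47h
armo-kubescape              1/1     1            1           47h
armo-notification-service   1/1     1            1           47h
armo-vuln-scan              0/1     1            0           47h'

# Demo on the embedded samples; on a live cluster run:
#   kubectl -n armo-system get deployments | check_armo_deployments
printf '%s\n' "$HEALTHY"  | check_armo_deployments && echo "healthy sample: OK"
printf '%s\n' "$DEGRADED" | check_armo_deployments || echo "degraded sample: FAILED"
```

A component deliberately disabled through the Helm values is reported as MISSING; remove it from `EXPECTED` in that case.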

Prometheus Exporter

Read more about the integration with Prometheus

Supported Helm values

Key | Type | Default | Description
--- | --- | --- | ---
armoCollector.enabled | bool | true | enable/disable the armoCollector
armoCollector.env[0] | object | {"name":"PRINT_REPORT","value":"false"} | print in verbose mode (print all reported data)
armoCollector.image.repository | string | "" | source code (private repo)
armoKubescape.downloadArtifacts | bool | true | download policies on every scan; we recommend leaving it true, and changing it to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus)
armoKubescape.enableHostScan | bool | true | enable host scanner feature
armoKubescape.enabled | bool | true | enable/disable kubescape scanning
armoKubescape.image.repository | string | "" | source code (public repo)
armoKubescape.serviceMonitor.enabled | bool | false | enable/disable service monitor for prometheus (operator) integration
armoKubescape.skipUpdateCheck | bool | false | skip check for a newer version
armoKubescape.submit | bool | true | submit results to ARMO SaaS:
armoKubescapeScanScheduler.enabled | bool | true | enable/disable a kubescape scheduled scan using a CronJob
armoKubescapeScanScheduler.image.repository | string | "" | source code (public repo)
armoKubescapeScanScheduler.scanSchedule | string | "0 0 * * *" | scan schedule frequency
armoNotificationService.enabled | bool | true | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings
armoNotificationService.image.repository | string | "" | source code (private repo)
armoScanScheduler.enabled | bool | true | enable/disable a scheduled image vulnerability scan using a CronJob
armoScanScheduler.image.repository | string | "curlimages/curl" | image: curlimages/curl
armoScanScheduler.scanSchedule | string | "0 0 * * *" | scan schedule frequency
armoVulnScanner.enabled | bool | true | enable/disable image vulnerability scanning
armoVulnScanner.image.repository | string | "" | source code (private repo)
armoWebsocket.enabled | bool | true | enable/disable kubescape and image vulnerability scanning
armoWebsocket.image.repository | string | "" | source code (private repo)
aws_iam_role_arn | string | nil | AWS IAM arn role
clientID | string | "" | client ID, read more
cloudRegion | string | nil | cloud region
cloud_provider_engine | string | nil | cloud provider engine
gkeProject | string | nil | GKE project
gke_service_account | string | nil | GKE service account
secretKey | string | "" | secret key, read more
triggerNewImageScan | string | "disable" | enable/disable trigger image scan for new images
