Installation of Kubescape in cluster
Prerequisites
- Make sure you have an Kubescape account - if not, sign-up here
- You need to have installation access to your cluster (you should be able to create Deployments, CronJobs, ConfigMaps and Secrets)
- You must have Kubectl and Helm
Cluster requirements
ARMO cluster components require minimum 300Mib RAM and 400m CPU
Install a pre-registered cluster
- Navigate to Kubescape portal
- Click on "
Add Cluster"
- Select the in cluster installation and follow the steps
Install without pre-registering the cluster
- Add ARMO helm repo
helm repo add armo https://armosec.github.io/armo-helm/
Or, if already installed, run an upgrade:
helm repo update
- Install the Helm Chart
helm upgrade --install armo armo/armo-cluster-components -n armo-system --create-namespace --set clusterName=`kubectl config current-context` --set accountGuid=<account ID>
Post-install validation
Please check after installation that all components are running correctly
$ kubectl -n armo-system get deployments
NAME READY UP-TO-DATE AVAILABLE AGE
armo-collector 1/1 1 1 47h
armo-kubescape 1/1 1 1 47h
armo-notification-service 1/1 1 1 47h
armo-vuln-scan 1/1 1 1 47h
armo-web-socket 1/1 1 1 47h
Prometheus Exporter
Read more about the integration with Prometheus
Supported Helm values
| Key | Type | Default | Description |
|---|---|---|---|
| armoCollector.enabled | bool | true | enable/disable the armoCollector |
| armoCollector.env[0] | object | {"name":"PRINT_REPORT","value":"false"} | print in verbose mode (print all reported data) |
| armoCollector.image.repository | string | "quay.io/armosec/cluster-collector" | source code (private repo) |
| armoKubescape.downloadArtifacts | bool | true | download policies every scan, we recommend it should remain true, you should change to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus) |
| armoKubescape.enableHostScan | bool | true | enable host scanner feature |
| armoKubescape.enabled | bool | true | enable/disable kubescape scanning |
| armoKubescape.image.repository | string | "quay.io/armosec/kubescape" | source code (public repo) |
| armoKubescape.serviceMonitor.enabled | bool | false | enable/disable service monitor for prometheus (operator) integration |
| armoKubescape.skipUpdateCheck | bool | false | skip check for a newer version |
| armoKubescape.submit | bool | true | submit results to ARMO SaaS: https://portal.armo.cloud/ |
| armoKubescapeScanScheduler.enabled | bool | true | enable/disable a kubescape scheduled scan using a CronJob |
| armoKubescapeScanScheduler.image.repository | string | "quay.io/armosec/http_request" | source code (public repo) |
| armoKubescapeScanScheduler.scanSchedule | string | "0 0 * * *" | scan schedule frequency |
| armoNotificationService.enabled | bool | true | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings |
| armoNotificationService.image.repository | string | "quay.io/armosec/notification-server" | source code (private repo) |
| armoScanScheduler.enabled | bool | true | enable/disable image vulnerability a schedule scan using a CronJob |
| armoScanScheduler.image.repository | string | "curlimages/curl" | image: curlimages/curl |
| armoScanScheduler.scanSchedule | string | "0 0 * * *" | scan schedule frequency |
| armoVulnScanner.enabled | bool | true | enable/disable image vulnerability scanning |
| armoVulnScanner.image.repository | string | "quay.io/armosec/images-vulnerabilities-scan" | source code (private repo) |
| armoWebsocket.enabled | bool | true | enable/disable kubescape and image vulnerability scanning |
| armoWebsocket.image.repository | string | "quay.io/armosec/action-trigger" | source code (private repo) |
| aws_iam_role_arn | string | nil | AWS IAM arn role |
| clientID | string | "" | client ID, read more |
| cloudRegion | string | nil | cloud region |
| cloud_provider_engine | string | nil | cloud provider engine |
| gkeProject | string | nil | GKE project |
| gke_service_account | string | nil | GKE service account |
| secretKey | string | "" | secret key, read more |
| triggerNewImageScan | string | "disable" | enable/disable trigger image scan for new images |
Updated about 1 month ago
Did this page help you?