Installation of Kubescape in cluster
Prerequisites
- Make sure you have a Kubescape account; if not, sign up here
- You need to have installation access to your cluster (you should be able to create Deployments, CronJobs, ConfigMaps and Secrets)
- You must have kubectl and Helm installed
Cluster requirements
ARMO cluster components require a minimum of 300Mib RAM and 400m CPU
Install a pre-registered cluster
- Navigate to the Kubescape portal
- Click on "Add Cluster"
- Select the in-cluster installation and follow the steps
Install without pre-registering the cluster
- Add the ARMO Helm repo
helm repo add armo https://armosec.github.io/armo-helm/
Or, if the repo is already added, update it:
helm repo update
- Install the Helm chart
helm upgrade --install armo armo/armo-cluster-components -n armo-system --create-namespace --set clusterName=`kubectl config current-context` --set accountGuid=<account ID>
Post-install validation
After installation, check that all components are running correctly:
$ kubectl -n armo-system get deployments
NAME READY UP-TO-DATE AVAILABLE AGE
armo-collector 1/1 1 1 47h
armo-kubescape 1/1 1 1 47h
armo-notification-service 1/1 1 1 47h
armo-vuln-scan 1/1 1 1 47h
armo-web-socket 1/1 1 1 47h
Prometheus Exporter
Read more about the integration with Prometheus
Supported Helm values
Key | Type | Default | Description |
---|---|---|---|
armoCollector.enabled | bool | true | enable/disable the armoCollector |
armoCollector.env[0] | object | {"name":"PRINT_REPORT","value":"false"} | print in verbose mode (print all reported data) |
armoCollector.image.repository | string | "quay.io/armosec/cluster-collector" | source code (private repo) |
armoKubescape.downloadArtifacts | bool | true | download policies on every scan; we recommend leaving this true. Set it to 'false' when running in an air-gapped environment or when scanning at high frequency (when running with Prometheus) |
armoKubescape.enableHostScan | bool | true | enable host scanner feature |
armoKubescape.enabled | bool | true | enable/disable kubescape scanning |
armoKubescape.image.repository | string | "quay.io/armosec/kubescape" | source code (public repo) |
armoKubescape.serviceMonitor.enabled | bool | false | enable/disable service monitor for prometheus (operator) integration |
armoKubescape.skipUpdateCheck | bool | false | skip check for a newer version |
armoKubescape.submit | bool | true | submit results to ARMO SaaS: https://portal.armo.cloud/ |
armoKubescapeScanScheduler.enabled | bool | true | enable/disable a kubescape scheduled scan using a CronJob |
armoKubescapeScanScheduler.image.repository | string | "quay.io/armosec/http_request" | source code (public repo) |
armoKubescapeScanScheduler.scanSchedule | string | "0 0 * * *" | scan schedule frequency |
armoNotificationService.enabled | bool | true | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings |
armoNotificationService.image.repository | string | "quay.io/armosec/notification-server" | source code (private repo) |
armoScanScheduler.enabled | bool | true | enable/disable a scheduled image vulnerability scan using a CronJob |
armoScanScheduler.image.repository | string | "curlimages/curl" | image: curlimages/curl |
armoScanScheduler.scanSchedule | string | "0 0 * * *" | scan schedule frequency |
armoVulnScanner.enabled | bool | true | enable/disable image vulnerability scanning |
armoVulnScanner.image.repository | string | "quay.io/armosec/images-vulnerabilities-scan" | source code (private repo) |
armoWebsocket.enabled | bool | true | enable/disable kubescape and image vulnerability scanning |
armoWebsocket.image.repository | string | "quay.io/armosec/action-trigger" | source code (private repo) |
aws_iam_role_arn | string | nil | AWS IAM role ARN |
clientID | string | "" | client ID, read more |
cloudRegion | string | nil | cloud region |
cloud_provider_engine | string | nil | cloud provider engine |
gkeProject | string | nil | GKE project |
gke_service_account | string | nil | GKE service account |
secretKey | string | "" | secret key, read more |
triggerNewImageScan | string | "disable" | enable/disable trigger image scan for new images |