Installing ARMO Platform Agent Using Kustomize
This guide explains how to install the ARMO Platform agent (Kubescape operator) in your Kubernetes cluster using Kustomize with Helm chart support.
Overview
Kustomize 5.0+ includes native support for rendering Helm charts, allowing you to install the ARMO Platform agent without using Helm directly. This is useful in environments where only Kustomize is permitted or where you want to manage all Kubernetes resources through Kustomize.
Prerequisites
- Kubernetes cluster: A running Kubernetes cluster with kubectl configured
- Kustomize 5.0+: Required for Helm chart inflation support
- ARMO Platform account: Access to ARMO Platform to obtain credentials
Step 1: Install Latest Kustomize
Ensure you have Kustomize version 5.0.0 or later installed:
# Check current version
kustomize version
# Install latest kustomize if needed
curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
sudo mv kustomize /usr/local/bin/
# Verify installation
kustomize version
Step 2: Obtain ARMO Platform Credentials
- Log in to ARMO Platform
- Copy your AccountID from the top right "account drop-down" (you should see your account name in your drop-down)
- Then navigate to Settings → Agent Access Keys
- Copy your Agent Access Key
Step 3: Create Kustomization Configuration
Create a new directory and a kustomization.yaml file:
mkdir armo-agent
cd armo-agent
Create a file named kustomization.yaml with the following content:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubescape
helmCharts:
- name: armosec-kubescape-operator
  repo: https://armosec.github.io/helm-charts/
  releaseName: armosec
  namespace: kubescape
  valuesInline:
    kubescape-operator:
      clusterName: <CLUSTER_NAME>
      account: <ACCOUNT_ID>
      accessKey: <AGENT_ACCESS_KEY>
      server: api.armosec.io
      imagePullSecret:
        password: Q5UMRCFPRAHAIRWAYTOP7P4PK9ZNV2H26JFTB70CMNZ2KG1NHGPYXK6PNPNC677E
      nodeAgent:
        autoscaler:
          enabled: true
Step 4: Configure Your Installation
Replace the following placeholders in kustomization.yaml:
| Placeholder | Description | Example |
|---|---|---|
| <CLUSTER_NAME> | A friendly name for your cluster | production-eks-cluster |
| <ACCOUNT_ID> | Your ARMO Platform Account ID | ba301f17-d9dd-1391-873a-0a02cf5110c9 |
| <AGENT_ACCESS_KEY> | Your Agent Access Key from ARMO Platform | b1130f08-e20a-4555-a6e8-9c1856382526 |
Tip: You can automatically set the cluster name to your current kubectl context:
CLUSTER_NAME=$(kubectl config current-context)
# Use | as the sed delimiter: context names such as EKS ARNs contain "/"
sed -i "s|<CLUSTER_NAME>|$CLUSTER_NAME|g" kustomization.yaml
Step 5: Create Namespace
Create the kubescape namespace:
kubectl create namespace kubescape
Step 6: Deploy the Agent
Build and apply the configuration using Kustomize:
kustomize build . --enable-helm | kubectl apply -f -
Note: The --enable-helm flag is required to enable Helm chart processing in Kustomize.
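The following added example (not part of ARMO's documentation or chart) is for rendering to a file first, as in `kustomize build . --enable-helm > rendered-manifests.yaml`, and listing the settings worth reviewing before the apply: cluster-wide RBAC, privileged containers, host namespaces and hostPath mounts. The function name `audit_manifests` and the sample manifest are constructed for illustration.

```shell
# Usage: audit_manifests rendered-manifests.yaml   (or pipe YAML on stdin)
# Prints one line per finding: FLAG <kind>/<name>: <reason>
audit_manifests() {
  awk '
    function flag(msg) { why[++n] = msg }
    function emit(   i) {            # print findings for the finished document
      for (i = 1; i <= n; i++) print "FLAG " kind "/" name ": " why[i]
      n = 0; kind = ""; name = ""; meta = 0; hp = 0
    }
    /^---/        { emit(); next }   # YAML document separator
    /^kind:/      { kind = $2; if (kind ~ /^ClusterRole(Binding)?$/) flag("cluster-wide RBAC") }
    /^metadata:/  { meta = 1; next }
    /^[^ #]/      { meta = 0 }       # any other top-level key ends metadata
    meta && /^  name:/                { name = $2 }
    /^ *privileged: *true/            { flag("privileged container") }
    /^ *host(PID|Network|IPC): *true/ { flag("pod sets " $1 " true") }
    /^ *(- )?hostPath:/               { hp = 1; next }
    hp && /^ *path:/                  { flag("hostPath volume " $2); hp = 0 }
    END { emit() }
  ' "$@"
}

# Constructed sample input, not the chart's real output.
sample_manifests() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: demo-agent
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: demo-node-agent
spec:
  template:
    spec:
      hostPID: true
      containers:
      - name: agent
        securityContext:
          privileged: true
      volumes:
      - name: host
        hostPath:
          path: /
EOF
}
sample_manifests | audit_manifests
```

The rendered file is built from the values in kustomization.yaml, access key included, so store it with the same care as the credentials.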
Step 7: Verify Installation
Check that the agent is running:
# View all resources in the kubescape namespace
kubectl get all -n kubescape
# Check operator pod status
kubectl get pods -n kubescape
The cluster should now appear in your ARMO Platform dashboard within a few minutes.
Verification in ARMO Platform
- Log in to ARMO Platform
- Navigate to Clusters
- Verify that your cluster appears in the list with a "Connected" status
Updating the Agent
To update the agent to the latest version:
# Rebuild and reapply
kustomize build . --enable-helm | kubectl apply -f -
Kustomize will automatically fetch the latest version of the Helm chart from the repository.
Uninstalling the Agent
To remove the ARMO Platform agent from your cluster:
# Delete all resources
kustomize build . --enable-helm | kubectl delete -f -
# Delete the namespace (optional)
kubectl delete namespace kubescape
Troubleshooting
Kustomize version too old
Error: unknown field "helmCharts"
Solution: Upgrade to Kustomize 5.0.0 or later as described in Step 1.
Agent not connecting
- Verify credentials are correct in kustomization.yaml
- Check operator logs for connection errors:
kubectl logs -n kubescape deployment/kubescape-operator
- Ensure your cluster has internet connectivity to api.armosec.io
Pods not starting
Check pod status and events:
kubectl describe pods -n kubescape
kubectl get events -n kubescape --sort-by='.lastTimestamp'
Review rendered manifests
To inspect what will be applied without actually applying it:
kustomize build . --enable-helm > rendered-manifests.yaml
less rendered-manifests.yaml
Advanced Configuration
Custom Values
You can add additional Helm chart values under valuesInline. For example:
valuesInline:
  kubescape-operator:
    clusterName: <CLUSTER_NAME>
    account: <ACCOUNT_ID>
    accessKey: <AGENT_ACCESS_KEY>
    server: api.armosec.io
    # Additional custom values
    resources:
      limits:
        memory: "512Mi"
        cpu: "500m"
Using a Specific Chart Version
To pin to a specific chart version:
helmCharts:
- name: armosec-kubescape-operator
  repo: https://armosec.github.io/helm-charts/
  version: 1.16.3 # Specify version
  releaseName: armosec
  # ... rest of configuration
Alternative: Helm Template Approach
If you cannot use Kustomize 5.0+, you can render the Helm chart manually:
# Add the Helm repository
helm repo add armosec https://armosec.github.io/helm-charts/
helm repo update
# Render the chart to a file
helm template armosec armosec/armosec-kubescape-operator \
  --namespace kubescape \
  --set kubescape-operator.clusterName=<CLUSTER_NAME> \
  --set kubescape-operator.account=<ACCOUNT_ID> \
  --set kubescape-operator.accessKey=<AGENT_ACCESS_KEY> \
  --set kubescape-operator.server=api.armosec.io \
  --set kubescape-operator.imagePullSecret.password=Q5UMRCFPRAHAIRWAYTOP7P4PK9ZNV2H26JFTB70CMNZ2KG1NHGPYXK6PNPNC677E \
  > manifests.yaml
# Apply the rendered manifests
kubectl create namespace kubescape
kubectl apply -f manifests.yaml
Support
For additional help:
- Documentation: ARMO Platform Docs
