
Install the Kubescape Operator in your Kubernetes cluster

Kubescape can run as a set of microservices inside a Kubernetes cluster. This allows you to continually monitor the status of a cluster, including for compliance and vulnerability management, and to export this data to an external provider.

The Kubescape Operator is installed using Helm.

Installing the Kubescape Operator

First, configure kubectl to refer to the Kubernetes cluster you wish to install the Kubescape Operator into.

If you have not already, you should install Helm.

To install the Kubescape Operator:

helm repo add kubescape https://kubescape.github.io/helm-charts/
helm repo update
helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` 

Upgrading to a new release

To upgrade to the most recent version of the Kubescape Operator:

helm repo update
helm upgrade kubescape kubescape/kubescape-operator -n kubescape

You can find the current version of the Helm chart installed in your cluster by running helm list -n kubescape.

To manually check if a newer version is available, visit the GitHub page for the Helm chart, or run:

helm repo update
helm search repo kubescape/kubescape-operator

Configuring your installation

The Helm charts for the Kubescape Operator support coarse and fine grained control of configuration of many

Enabling capabilities

High-level capabilities of the Kubescape Operator can be configured using the values.yaml file:

capabilities:
  relevancy: enable
  configurationScan: enable
  continuousScan: disable
  vulnerabilityScan: enable
  nodeScan: enable

You can configure these by using --set when installing the chart, or by specifying your own values file with the -f flag. Read the Helm documentation to learn more.

Configuring parameters

See the GitHub repository for the Kubescape operator to learn the full set of configuration parameters.

Sizing resources

By default, Kubescape supports small- to medium-sized clusters. If you have a larger cluster and you experience slowdowns, or see Kubernetes evicting components, revise the resources allocated to the affected component.

The defaults of 500 MiB of memory and 500m CPU work well for clusters up to 1250 total resources when running Kubescape.

If you have more total resources or experience resource pressure, verify how many resources are in your cluster by running the following command:

kubectl get all -A --no-headers | wc -l

The command prints an approximate count of resources in your cluster.
Then, based on the number you see, allocate 100 MiB of memory for every 200 resources in your cluster over the count of 1250, but no less than 128 MiB total.

The formula for memory is as follows:

MemoryLimit := max(128, 0.4 * YOUR_AMOUNT_OF_RESOURCES)

For example, if your cluster has 500 resources, a sensible memory limit would be:

kubescape:
  resources:
    limits:
      memory: 200Mi  # max(128, 0.4 * 500) == 200

If your cluster has 50 resources, we recommend allocating at least 128 MiB of memory.
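
The sizing formula above can be scripted so the limit is recomputed whenever the cluster grows. This is an added example, not code from the Kubescape project: the function names, the script file name and the choice to round up are assumptions, and the output uses the same values layout as the 500-resource example.

```shell
#!/bin/sh
# Added example (not from the Kubescape project): size the memory limit from
# a resource count using the formula max(128, 0.4 * count).

# Print the memory limit in MiB for a given resource count.
memory_limit_mib() {
    # BSD/macOS `wc -l` pads its output with spaces; strip them.
    count=$(printf '%s' "$1" | tr -d '[:space:]')
    case $count in
        '' | *[!0-9]*)
            echo "resource count must be a non-negative integer" >&2
            return 1
            ;;
    esac
    # Drop leading zeros so the shell does not parse the count as octal.
    while [ "${#count}" -gt 1 ] && [ "${count#0}" != "$count" ]; do
        count=${count#0}
    done
    # 0.4 * count rounded up, in integer arithmetic: ceil(2 * count / 5).
    # Rounding up is an assumption; the formula does not say how to round.
    limit=$(( (count * 2 + 4) / 5 ))
    if [ "$limit" -lt 128 ]; then
        limit=128
    fi
    echo "$limit"
}

# Print a values fragment in the same shape as the 500-resource example.
values_fragment() {
    mib=$(memory_limit_mib "$1") || return 1
    printf 'kubescape:\n  resources:\n    limits:\n      memory: %sMi\n' "$mib"
}

# When run with a count argument, emit the fragment, for example:
#   sh kubescape-sizing.sh "$(kubectl get all -A --no-headers | wc -l)"
# (kubescape-sizing.sh is a hypothetical file name for this script.)
if [ "$#" -gt 0 ]; then
    values_fragment "$1"
fi
```

Redirect the output to a file and pass that file to Helm with the -f flag.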

For the CPU, the more you allocate, the faster your clusters are scanned. This is especially true for clusters that have a large number of resources.

However, we recommend that you give Kubescape no less than 500m CPU, no matter the size of your cluster, so that it can scan a relatively large number of resources quickly.