Chkk Kubernetes Connector
An overview of Chkk Kubernetes Connector — what it is, why you need it, and how to install and configure it.
Overview
Key Components
The Chkk Kubernetes Connector is composed of two main components:
- Chkk Operator
- Chkk Agent
Working together, these components periodically (or on-demand) extract cluster metadata and ingest it into the Chkk SaaS platform. Once ingestion is complete, Chkk scans and analyzes your environment for potential risks or helpful insights (e.g., add-on instances running in your cluster).
Chkk Operator
The Chkk Operator is a Kubernetes Operator that manages and configures the Chkk Kubernetes Connector. It deploys Chkk Agent through a single Custom Resource Definition (CRD) and simplifies configurations by:
- Providing a single source of truth (the CRD) for your Connector.
- Reporting deployment status, health, and errors in the CRD’s status.
- Limiting the risk of potential misconfigurations by enforcing higher-level settings.
Once deployed, the Operator:
- Validates your Chkk Connector configurations.
- Keeps the Connector aligned with your CRD-based configuration.
- Orchestrates creation and updates of the Connector resources.
- Reports the Connector’s status in the Operator’s CRD.
Chkk Agent
Chkk Agent is a Kubernetes Custom Resource managed by the Operator. It defines how and when to collect data from your cluster. Some key features include:
- Manages the Agent CronJob: Schedules periodic scans of your cluster to keep you informed of the latest known risks.
- Resource Filtering: Allows you to include or exclude specific namespaces or resource types.
Setup
Prerequisites
Before installing the Chkk Kubernetes Connector, ensure the following:
- Allowlisted Access
  - You must be allowlisted to access the Chkk SaaS. Contact us to get a dedicated Chkk Organization provisioned for you: chkk.io.
- Network Firewall Rules
  - If your cluster is in a restricted network, allow outbound connections to:
    - chkk.io and its subdomains
    - s3.amazonaws.com and its subdomains
- Proxy Settings
  - If you use a proxy server, you will be required to configure the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables at the time of installation.
- Image Hosting
  - The Chkk Kubernetes Connector container images are hosted publicly on the Amazon ECR Public Registry. Ensure your cluster can pull images from this registry.
  - Chkk supports custom registries. If you host all images in a private registry, detailed configuration instructions will be provided during installation.
Resource Requirements
Below are the baseline resource requests for each component of the Chkk Kubernetes Connector. Actual usage varies by cluster size and scan frequency.
Component | CPU | Memory |
---|---|---|
Chkk Operator | 100m | 256Mi |
Chkk Agent | 500m | 1024Mi |
Chkk Agent Manager | 50m | 128Mi |
Supported Kubernetes Distributions
The Chkk Kubernetes Connector is compatible with all Kubernetes providers that are compliant with the upstream API. For the list of supported Kubernetes providers and versions, refer to Support and Compatibility.
Installation Modes
There are three deployment methods available for installing the Chkk Kubernetes Connector:
- Helm
- K8s YAML
- Terraform
System Requirements
Before installing the Chkk Kubernetes Connector, please ensure that your system meets the minimum requirements for the selected deployment method:
Installation & Validation
- Log in to the Chkk Dashboard: chkk.io.
- In the left-hand sidebar, navigate to Risk Ledger → Clusters.
- Click Add Cluster in the top-right corner.
- Follow the step-by-step instructions and select your preferred deployment mode.
Configuration
Configuration Parameters
The table below lists the configurable parameters for installing the Chkk Operator.
Parameter | Description | Sample Default |
---|---|---|
image.repository | Image repository | public.ecr.aws/chkk/operator |
image.tag | Image tag | v0.0.14 |
image.pullPolicy | Image pull policy | Always |
replicaCount | Number of replicas | 1 |
revisionHistoryLimit | Revision history limit | 2 |
secret.create | Create a new secret | true |
secret.chkkAccessToken | Chkk access token | CHKK-ACCESS-TOKEN |
secret.ref.secretName | Name of an existing Secret with the Chkk access token (only used if secret.create=false) | chkk-operator |
secret.ref.keyName | Key in the existing Secret’s data that contains the token (only used if secret.create=false) | CHKK_ACCESS_TOKEN |
serviceAccount.create | Create a service account | true |
serviceAccount.name | Service account name | chkk-operator-sa |
podAnnotations | Annotations applied to the Chkk Operator Pod | { chkk.io/name: "chkk-operator" } |
disableAnalytics | Disable analytics data collection | false |
proxy.http_proxy | HTTP proxy | "" |
proxy.https_proxy | HTTPS proxy | "" |
proxy.no_proxy | No proxy | "" |
tolerations | Node tolerations | See values.yaml |
nodeSelector | Node labels for scheduling | {} |
affinity | Pod scheduling affinity | See values.yaml |
securityContext | Pod-Level Security Context | See values.yaml |
containerSecurityContext | Container-Level Security Context | See values.yaml |
Configuration Examples
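The following values file is an added example, not taken from Chkk's documentation. It uses only parameters from the table above to keep the access token out of the values file and to set the proxy variables from the prerequisites. It assumes the dotted parameter names map to nested YAML keys in the usual Helm way and that the referenced Secret already exists in the namespace where the Operator runs; the file name and proxy addresses are constructed placeholders.

```yaml
# values-chkk-operator.yaml (hypothetical file name)

# Default shape per the parameter table: the chart creates the Secret from a
# token written into the values. Helm stores user-supplied values with the
# release, so the token also ends up wherever this file and the release data live.
#
# secret:
#   create: true
#   chkkAccessToken: CHKK-ACCESS-TOKEN

# Variant: reference a Secret that was created out of band, so the token
# never appears in the values file or in version control.
secret:
  create: false
  ref:
    secretName: chkk-operator      # name of the existing Secret
    keyName: CHKK_ACCESS_TOKEN     # key inside that Secret's data

# Keep the chart-managed service account so its permissions are tracked
# together with the release.
serviceAccount:
  create: true
  name: chkk-operator-sa

# Proxy settings for clusters whose outbound traffic must go through a proxy.
# All three values below are constructed placeholders.
proxy:
  http_proxy: "http://proxy.example.internal:3128"
  https_proxy: "http://proxy.example.internal:3128"
  # If the proxy is the only egress path, chkk.io and s3.amazonaws.com must
  # stay out of this list so that traffic to them is sent through the proxy.
  no_proxy: "localhost,127.0.0.1,.svc,.cluster.local"
```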