Overview

Key Components

The Chkk Kubernetes Connector is composed of two main components:
  1. Chkk Operator
  2. Chkk Agent
Working together, these components periodically (or on-demand) extract cluster metadata and ingest it into the Chkk SaaS platform. Once ingestion is complete, Chkk scans and analyzes your environment for potential risks or helpful insights (e.g., add-on, application service, and Kubernetes operator instances running in your cluster).

Chkk Operator

The Chkk Operator is a Kubernetes Operator that manages and configures the Chkk Kubernetes Connector. It deploys Chkk Agent through a single Custom Resource Definition (CRD) and simplifies configurations by:
  • Providing a single source of truth (the CRD) for your Connector.
  • Reporting deployment status, health, and errors in the CRD’s status.
  • Limiting the risk of potential misconfigurations by enforcing higher-level settings.
Once deployed, the Operator:
  • Validates your Chkk Connector configurations.
  • Keeps the Connector aligned with your CRD-based configuration.
  • Orchestrates creation and updates of the Connector resources.
  • Reports the Connector’s status in the Operator’s CRD.

Chkk Agent

Chkk Agent is a Kubernetes Custom Resource managed by the Operator. It defines how and when to collect data from your cluster. Some key features include:
  • Manages the Agent CronJob: Schedules periodic scans of your cluster to keep you informed of the latest known risks.
  • Resource Filtering: Allows you to include or exclude specific namespaces or resource types.

Setup

Prerequisites

Before installing the Chkk Kubernetes Connector, ensure the following:
  1. Allowlisted Access
    • You must be allowlisted to access the Chkk SaaS. Contact us to get a dedicated Chkk Organization provisioned for you: chkk.io.
  2. Network Firewall Rules
    • If your cluster is in a restricted network, allow outbound connections to:
      • chkk.io and its subdomains
      • s3.amazonaws.com and its subdomains
  3. Proxy Settings
    • If you use a proxy server, you will be required to configure the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables at the time of installation.
  4. Image Hosting
    • The Chkk Kubernetes Connector container images are hosted publicly on the Amazon ECR Public Registry. Ensure your cluster can pull images from this registry.
    • Chkk supports custom registries. If you host all images in a private registry, detailed configuration instructions will be provided during installation.

Resource Requirements

Below are the baseline resource requests for each component of the Chkk Kubernetes Connector. Actual usage varies by cluster size and scan frequency.
ComponentCPUMemory
Chkk Operator100m256Mi
Chkk Agent500m1024Mi
Chkk Agent Manager50m128Mi

Supported Kubernetes Distributions

The Chkk Kubernetes Connector is compatible with all Kubernetes providers that are compliant with the upstream API. For the list of supported Kubernetes providers and versions, refer to Support and Compatibility

Installation Modes

There are three deployment methods available for installing the Chkk Kubernetes Connector:
  • Helm
  • K8s YAML
  • Terraform

System Requirements

Before installing the Chkk Kubernetes Connector, please ensure that your system meets the minimum requirements for the selected deployment method:

Installation & Validation

  1. Log in to the Chkk Dashboard: chkk.io.
  2. In the left-hand sidebar, navigate to Risk LedgerClusters.
  3. Click Add Cluster in the top-right corner.
  4. Follow the step-by-step instructions and select your preferred deployment mode.

Configuration

Configuration Parameters

The table below lists the configurable parameters for installing the Chkk Operator.
ParameterDescriptionSample Default
image.repositoryImage repositorypublic.ecr.aws/chkk/operator
image.tagImage tagv0.0.14
image.pullPolicyImage pull policyAlways
replicaCountNumber of replicas1
revisionHistoryLimitRevision history limit2
secret.createCreate a new secrettrue
secret.chkkAccessTokenChkk access tokenCHKK-ACCESS-TOKEN
secret.ref.secretNameName of an existing Secret with the Chkk access token (only used if secret.create=false)chkk-operator
secret.ref.keyNameKey in the existing Secret’s data that contains the token (only used if secret.create=false)CHKK_ACCESS_TOKEN
serviceAccount.createCreate a service accounttrue
serviceAccount.nameService account namechkk-operator-sa
podAnnotationsAnnotations applied to the Chkk Operator Pod{ chkk.io/name: "chkk-operator" }
disableAnalyticsDisable analytics data collectionfalse
proxy.http_proxyHTTP proxy""
proxy.https_proxyHTTPS proxy""
proxy.no_proxyNo proxy""
tolerationsNode tolerationsSee values.yaml
nodeSelectorNode labels for scheduling{}
affinityPod scheduling affinitySee values.yaml
securityContextPod-Level Security ContextSee values.yaml
containerSecurityContextContainer-Level Security ContextSee values.yaml

Configuration Examples

Upgrade

1

Get the current version of Helm chart installed in your K8s cluster

helm list -n chkk-system -o json
Sample output:
[{
  "name": "chkk-operator",
  "namespace": "chkk-system",
  "revision": "1",
  "chart": "chkk-operator-0.0.9",
  "app_version": "0.0.9"
}]
2

Update the Helm repository

Update the Helm repository to fetch latest chart
helm repo update chkk
3

Upgrade the Kubernetes Connector

Replace <CHKK_ACCESS_TOKEN> with your Chkk ingestion token, which you can copy from the Chkk Dashboard under Settings → Tokens.
4

Verify the upgrade

kubectl get deployment chkk-operator -n chkk-system -o json \
| jq '.spec.template.spec.containers[].image'
Sample output:
"public.ecr.aws/chkk/operator:v0.0.14"