Overview

Key Components

The Chkk Kubernetes Connector is composed of two main components:
  1. Chkk Operator
  2. Chkk Agent
Working together, these components periodically (or on-demand) extract cluster metadata and ingest it into the Chkk SaaS platform. Once ingestion is complete, Chkk scans and analyzes your environment for potential risks or helpful insights (e.g., Cloud Native Project, application service, and operator instances running in your cluster).

Chkk Operator

The Chkk Operator is a Kubernetes Operator that manages and configures the Chkk Kubernetes Connector. It deploys Chkk Agent through a single Custom Resource Definition (CRD) and simplifies configurations by:
  • Providing a single source of truth (the CRD) for your Connector.
  • Reporting deployment status, health, and errors in the CRD’s status.
  • Limiting the risk of potential misconfigurations by enforcing higher-level settings.
Once deployed, the Operator:
  • Validates your Chkk Connector configurations.
  • Keeps the Connector aligned with your CRD-based configuration.
  • Orchestrates creation and updates of the Connector resources.
  • Reports the Connector’s status in the Operator’s CRD.

Chkk Agent

Chkk Agent is a Kubernetes Custom Resource managed by the Operator. It defines how and when to collect data from your cluster. Some key features include:
  • Manages the Agent CronJob: Schedules periodic scans of your cluster to keep you informed of the latest known risks.
  • Resource Filtering: Allows you to include or exclude specific namespaces or resource types.

Setup

Prerequisites

Before installing the Chkk Kubernetes Connector, ensure the following:
  1. Allowlisted Access
    • You must be allowlisted to access the Chkk SaaS. Contact us to get a dedicated Chkk Organization provisioned for you: chkk.io.
  2. Network Firewall Rules
    • If your cluster is in a restricted network, allow outbound connections to:
      • chkk.io and its subdomains
      • s3.amazonaws.com and its subdomains
  3. Proxy Settings
    • If you use a proxy server, you will be required to configure the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables at the time of installation.
  4. Image Hosting
    • The Chkk Kubernetes Connector container images are hosted publicly on the Amazon ECR Public Registry. Ensure your cluster can pull images from this registry.
    • Chkk supports custom registries. If you host all images in a private registry, detailed configuration instructions will be provided during installation.

Resource Requirements

Below are the baseline resource requests for each component of the Chkk Kubernetes Connector. Actual usage varies by cluster size and scan frequency.
| Component | CPU | Memory |
| --- | --- | --- |
| Chkk Operator | 100m | 256Mi |
| Chkk Agent | 500m | 1024Mi |
| Chkk Agent Manager | 50m | 128Mi |

Supported Kubernetes Distributions

The Chkk Kubernetes Connector is compatible with all Kubernetes providers that are compliant with the upstream API. For the list of supported Kubernetes providers and versions, refer to Support and Compatibility.

Installation Modes

There are three deployment methods available for installing the Chkk Kubernetes Connector:
  • Helm
  • K8s YAML
  • Terraform

System Requirements

Before installing the Chkk Kubernetes Connector, please ensure that your system meets the minimum requirements for the selected deployment method:
  • Helm
    • Kubernetes >= v1.19 (tested on EKS, GKE, AKS)
    • OS/Architecture: linux/amd64, linux/arm64
    • kubectl: >= v1.19
    • Helm: >= version 2
  • K8s YAML
    • Kubernetes >= v1.19 (tested on EKS, GKE, AKS)
    • OS/Architecture: linux/amd64, linux/arm64
    • kubectl: >= v1.19
  • Terraform
    • Kubernetes >= v1.19 (tested on EKS, GKE, AKS)
    • OS/Architecture: linux/amd64, linux/arm64
    • hashicorp/helm: >= version 2
    • gavinbunney/kubectl: >= v1.19

Installation & Validation

  1. Log in to the Chkk Dashboard: chkk.io.
  2. In the left-hand sidebar, navigate to Risk Ledger → Clusters.
  3. Click Add Cluster in the top-right corner.
  4. Follow the step-by-step instructions and select your preferred deployment mode.

Configuration

  • Chkk Operator Helm Configuration
  • Chkk Agent Helm Configuration
  • Chkk Kubernetes Connector Terraform Configuration

Configuration Parameters

The table below lists the configurable parameters for installing the Chkk Operator.
| Parameter | Description | Sample Default |
| --- | --- | --- |
| image.repository | Image repository | public.ecr.aws/chkk/operator |
| image.tag | Image tag | v0.0.14 |
| image.pullPolicy | Image pull policy | Always |
| replicaCount | Number of replicas | 1 |
| revisionHistoryLimit | Revision history limit | 2 |
| secret.create | Create a new secret | true |
| secret.chkkAccessToken | Chkk access token | CHKK-ACCESS-TOKEN |
| secret.ref.secretName | Name of an existing Secret with the Chkk access token (only used if secret.create=false) | chkk-operator |
| secret.ref.keyName | Key in the existing Secret’s data that contains the token (only used if secret.create=false) | CHKK_ACCESS_TOKEN |
| serviceAccount.create | Create a service account | true |
| serviceAccount.name | Service account name | chkk-operator-sa |
| podAnnotations | Annotations applied to the Chkk Operator Pod | { chkk.io/name: "chkk-operator" } |
| disableAnalytics | Disable analytics data collection | false |
| proxy.http_proxy | HTTP proxy | "" |
| proxy.https_proxy | HTTPS proxy | "" |
| proxy.no_proxy | No proxy | "" |
| tolerations | Node tolerations | See values.yaml |
| nodeSelector | Node labels for scheduling | {} |
| affinity | Pod scheduling affinity | See values.yaml |
| securityContext | Pod-Level Security Context | See values.yaml |
| containerSecurityContext | Container-Level Security Context | See values.yaml |

Configuration Examples

If you prefer to manage the secret externally, set secret.create to false and reference your secret in the values.yaml file:
secret:
  create: false
  ref:
    secretName: my-secret
    keyName: CHKK_ACCESS_TOKEN
To customize the RBAC settings, modify the serviceAccount parameters in the values.yaml file. You can specify whether to create a new service account and provide a custom name.
serviceAccount:
  create: false
  name: chkkagent-custom-sa
To use a custom image, update the image.repository and image.tag fields in the values.yaml file. You can also set the image.pullPolicy to control when the image is pulled.
image:
  repository: custom-repo/chkk/operator
  tag: v0.0.14
  pullPolicy: IfNotPresent
To schedule the Chkk Operator on nodes with specific taints, configure the tolerations section in the values.yaml file. You can specify the key, operator, value, and effect for each toleration.
tolerations:
  - key: "example.com/special-taint"
    operator: "Equal"
    value: "true"
    effect: "NoSchedule"
When configuring the Chkk Connector to run behind a proxy, set the following fields in your values.yaml to ensure proper connectivity and to disable telemetry reporting.
You must set disableAnalytics: true when defining proxy settings.
proxy:
  http_proxy: "http://your-proxy.example.com:3128"
  https_proxy: "http://your-proxy.example.com:3128"
  no_proxy: "localhost,127.0.0.1,.svc,.cluster.local"

disableAnalytics: true
This ensures the Chkk Operator and Agent operate correctly within your network environment.
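
The rules stated in the parameter table and the examples above (secret.ref.* applies only when secret.create=false, proxy settings require disableAnalytics: true, a disabled serviceAccount.create needs a name) can be checked before an install or upgrade. The Python check below is an added example, not part of Chkk's documentation or tooling; lint_values, SAMPLE_BAD and SAMPLE_GOOD are hypothetical names, the input is assumed to be your user-supplied values as a dict, and the key-name pattern is the general Kubernetes rule for Secret data keys.

```python
import json
import re

# Kubernetes Secret data keys may contain only these characters.
SECRET_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")

def lint_values(values):
    """Return findings for user-supplied chkk-operator Helm values (a dict)."""
    findings = []
    secret = values.get("secret") or {}
    ref = secret.get("ref") or {}
    proxy = values.get("proxy") or {}
    sa = values.get("serviceAccount") or {}

    # The page requires disableAnalytics: true whenever proxy settings are defined.
    if any(proxy.get(k) for k in ("http_proxy", "https_proxy", "no_proxy")):
        if values.get("disableAnalytics") is not True:
            findings.append("proxy is set but disableAnalytics is not true")

    if secret.get("create", True):
        # secret.ref.* is only used if secret.create=false.
        if ref:
            findings.append("secret.ref.* has no effect while secret.create=true")
    else:
        if not ref.get("secretName"):
            findings.append("secret.create=false but secret.ref.secretName is empty")
        if not SECRET_KEY_RE.match(str(ref.get("keyName") or "")):
            findings.append("secret.ref.keyName is not a valid Secret data key")
        if secret.get("chkkAccessToken"):
            findings.append("inline chkkAccessToken set alongside an external Secret")

    if sa.get("create", True) is False and not sa.get("name"):
        findings.append("serviceAccount.create=false but serviceAccount.name is empty")
    return findings

# Constructed sample values (not taken from a real cluster).
SAMPLE_BAD = json.loads("""{
  "secret": {"create": false,
             "ref": {"secretName": "my-secret", "keyName": "<CHKK_ACCESS_TOKEN>"}},
  "proxy": {"https_proxy": "http://your-proxy.example.com:3128"},
  "serviceAccount": {"create": false}
}""")
SAMPLE_GOOD = json.loads("""{
  "secret": {"create": false,
             "ref": {"secretName": "my-secret", "keyName": "CHKK_ACCESS_TOKEN"}},
  "proxy": {"https_proxy": "http://your-proxy.example.com:3128"},
  "disableAnalytics": true,
  "serviceAccount": {"create": false, "name": "chkkagent-custom-sa"}
}""")
```

For an installed release, helm get values chkk-operator -n chkk-system -o json prints the user-supplied values as JSON, which json.loads turns into the dict this function expects.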

Upgrade

  • Helm
  • Terraform
1. Get the current version of the Helm chart installed in your K8s cluster

helm list -n chkk-system -o json
Sample output:
[{
  "name": "chkk-operator",
  "namespace": "chkk-system",
  "revision": "1",
  "chart": "chkk-operator-0.0.9",
  "app_version": "0.0.9"
}]
2. Update the Helm repository

Update the Helm repository to fetch the latest chart:
helm repo update chkk
3. Upgrade the Kubernetes Connector

Replace <CHKK_ACCESS_TOKEN> with your Chkk ingestion token, which you can copy from the Chkk Dashboard under Settings → Tokens.
Run the following command to upgrade the Chkk Kubernetes Connector to the latest version.

helm upgrade chkk-operator chkk/chkk-operator \
  --namespace chkk-system \
  --set secret.chkkAccessToken=<CHKK_ACCESS_TOKEN>
Using an existing Secret:

  1. Verify the Secret exists in your cluster

kubectl get secret chkk-operator-token -n chkk-system
Sample output:
NAME                   TYPE                                  DATA   AGE
chkk-operator-token    Opaque                                1      10m

  2. Run the following command to upgrade the Chkk Kubernetes Connector to the latest version using the existing Secret. secret.ref.keyName is the name of the key in the Secret’s data that contains the token, not the token itself.

helm upgrade chkk-operator chkk/chkk-operator \
  --namespace chkk-system \
  --set secret.ref.secretName=chkk-operator-token \
  --set secret.ref.keyName=CHKK_ACCESS_TOKEN \
  --set secret.create=false
Using an existing ServiceAccount and Secret:

  1. Verify the ServiceAccount and the Secret with the Chkk access token exist in your cluster

  • Get the Secret:
kubectl get secret chkk-operator-token -n chkk-system
Sample output:
NAME                   TYPE                                  DATA   AGE
chkk-operator-token    Opaque                                1      10m
  • Get the ServiceAccount:
kubectl get serviceaccount chkk-operator -n chkk-system
Sample output:
NAME               SECRETS   AGE
chkk-operator      1        10m

  2. Run the following command to upgrade the Chkk Kubernetes Connector to the latest version using the existing ServiceAccount and Secret. secret.ref.keyName is the name of the key in the Secret’s data that contains the token, not the token itself.

helm upgrade chkk-operator chkk/chkk-operator \
  --namespace chkk-system \
  --set secret.ref.secretName=chkk-operator-token \
  --set secret.ref.keyName=CHKK_ACCESS_TOKEN \
  --set secret.create=false \
  --set serviceAccount.create=false \
  --set serviceAccount.name=<SERVICE_ACCOUNT>
4. Verify the upgrade

kubectl get deployment chkk-operator -n chkk-system -o json \
| jq '.spec.template.spec.containers[].image'
Sample output:
"public.ecr.aws/chkk/operator:v0.0.14"