BLACKSHIELD

Public Guide

Deploy the Kubernetes Scanner

Scan cluster posture with kube-bench (CIS benchmarks), kubescape, and Kyverno policy telemetry. One Helm chart install, one kubectl secret — done. Audience: Platform engineers, Kubernetes administrators, security engineers. Typical setup time: 2 minutes.

Before You Begin

  • Install Helm ≥ 3.14: brew install helm
  • Confirm kubectl is configured for the target cluster.
  • Create an ingestion API key in Settings → API Keys with Ingestion scope.

Step-by-step

Step 1

Create secret and add Helm repo

Store the API key in a Kubernetes Secret and add the chart repository.

  • kubectl create namespace secplatform
  • kubectl create secret generic secplatform-k8s-scanner --namespace secplatform --from-literal=api-key=sp_xxxx
  • helm repo add secplatform https://charts.yourdomain.com && helm repo update

Step 2

Install the chart

Choose Deployment mode (internal loop) or CronJob mode (Kubernetes schedule).

  • Deployment mode (default): helm upgrade --install secplatform-k8s-scanner secplatform/k8s-scanner --namespace secplatform --set env.SECPLATFORM_API_URL=https://api.yourdomain.com --set existingSecret.name=secplatform-k8s-scanner --set existingSecret.key=api-key --set scanIntervalSeconds=21600 --wait
  • CronJob mode: add --set mode=cronjob --set cronSchedule='0 */6 * * *'
  • The chart automatically creates ClusterRole + ClusterRoleBinding with least-privilege read-only access.
  • NetworkPolicy restricts egress to port 443 only.
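Before trusting the two claims above, check the rendered objects yourself. The following is an added example, not part of the chart or this guide: it takes the JSON that `kubectl get clusterrole NAME -o json` and `kubectl get networkpolicy NAME -n secplatform -o json` return (the chart's resource names are not stated here, so NAME is an assumption) and reports any verb beyond get/list/watch or any egress port other than 443. Port 53 is tolerated as well, because a policy that allows only 443 leaves the pod unable to resolve the API hostname.

```python
READ_ONLY_VERBS = {"get", "list", "watch"}
ALLOWED_EGRESS_PORTS = {443, 53}  # 443 per the chart docs; 53 so in-cluster DNS still resolves

# Constructed sample objects (not the chart's real rendered output), in the shape
# `kubectl get clusterrole NAME -o json` / `kubectl get networkpolicy NAME -o json` return.
SAMPLE_CLUSTERROLE = {
    "kind": "ClusterRole",
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "nodes", "namespaces"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"], "verbs": ["get", "list"]},
    ],
}
SAMPLE_NETWORKPOLICY = {
    "kind": "NetworkPolicy",
    "spec": {
        "policyTypes": ["Egress"],
        "egress": [
            {"ports": [{"protocol": "TCP", "port": 443}]},
            {"ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
        ],
    },
}

def check_clusterrole(role: dict) -> list[str]:
    """Return violations of the read-only claim; an empty list means it holds."""
    problems = []
    for i, rule in enumerate(role.get("rules", [])):
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS  # a "*" verb lands here too
        if extra:
            problems.append(f"rule {i}: non-read-only verbs {sorted(extra)}")
        if "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
            problems.append(f"rule {i}: wildcard resources or apiGroups")
    return problems

def check_networkpolicy(policy: dict) -> list[str]:
    """Return violations of the egress-only-443 claim (numeric ports; DNS on 53 tolerated)."""
    spec = policy.get("spec", {})
    problems = []
    if "Egress" not in spec.get("policyTypes", []):
        problems.append("policyTypes lacks Egress: egress is not restricted at all")
    for i, rule in enumerate(spec.get("egress", [])):
        ports = rule.get("ports") or []
        if not ports:
            problems.append(f"egress rule {i}: no ports listed, so every port is allowed")
        for p in ports:
            if p.get("port") not in ALLOWED_EGRESS_PORTS:
                problems.append(f"egress rule {i}: unexpected port {p.get('port')}/{p.get('protocol', 'TCP')}")
    return problems
```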

Step 3

Scale with GitOps

Use Argo CD ApplicationSet or Flux HelmRelease to deploy to every cluster from one place.

  • Argo CD: kubectl apply -f deploy/argocd/k8s-scanner-appset.yaml — deploys to all registered clusters.
  • Flux: apply deploy/flux/k8s-scanner-helmrelease.yaml per cluster or cluster group.
  • Promote new chart versions by bumping targetRevision in the ApplicationSet.
  • Verify health: run kubectl port-forward svc/secplatform-k8s-scanner 8080:8080 -n secplatform in one terminal (it stays in the foreground, so chaining curl after it with && never executes), then curl localhost:8080/health from another.

Get the source bundle

Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.

Helm chart source

Creates `deploy/helm/secplatform-k8s-scanner/` locally so you can inspect, modify, and install the chart from source.

deploy/helm/secplatform-k8s-scanner/

```bash
bash <(curl -fsSL https://stg-blackshield.chaplau.com/source-bundles/k8s-scanner-helm.sh)
cd deploy/helm/secplatform-k8s-scanner
```

Argo CD ApplicationSet

Creates the Argo CD ApplicationSet manifest locally for multi-cluster rollout from GitOps.

deploy/argocd/k8s-scanner-appset.yaml

```bash
bash <(curl -fsSL https://stg-blackshield.chaplau.com/source-bundles/k8s-scanner-argocd.sh)
```

Run This

Install with Helm (Deployment mode)

```bash
# Create namespace and secret
kubectl create namespace secplatform
kubectl create secret generic secplatform-k8s-scanner \
  --namespace secplatform \
  --from-literal=api-key=sp_xxxx

# Install chart — scans every 6 hours
helm repo add secplatform https://charts.yourdomain.com
helm repo update
helm upgrade --install secplatform-k8s-scanner secplatform/k8s-scanner \
  --namespace secplatform \
  --set env.SECPLATFORM_API_URL=https://api.yourdomain.com \
  --set existingSecret.name=secplatform-k8s-scanner \
  --set existingSecret.key=api-key \
  --set scanIntervalSeconds=21600 \
  --wait
```

GitOps: Argo CD ApplicationSet (all clusters)

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: secplatform-k8s-scanner
  namespace: argocd
spec:
  generators:
    - clusters: {}   # all registered clusters
  template:
    metadata:
      name: "secplatform-k8s-scanner-{{name}}"
    spec:
      project: default
      source:
        repoURL: https://charts.yourdomain.com
        chart: k8s-scanner
        targetRevision: "1.0.0"
        helm:
          valuesObject:
            env:
              SECPLATFORM_API_URL: "https://api.yourdomain.com"
            existingSecret:
              name: secplatform-k8s-scanner
              key: api-key
            scanIntervalSeconds: 21600
      destination:
        server: "{{server}}"
        namespace: secplatform
      syncPolicy:
        automated: { prune: true, selfHeal: true }
        syncOptions: [CreateNamespace=true]
```

Success Checks

  • helm upgrade --install completes with STATUS: deployed.
  • kubectl get pods -n secplatform shows the scanner pod as Running.
  • curl http://localhost:8080/health (with the port-forward from Step 3 running in another terminal) returns status: healthy.
  • Cluster posture findings appear in the platform Findings view.