search
SupportSnyk LearnAPI referenceProduct updatesSign up for free
githubEdit

Install the Snyk Controller with Helm (Azure and Google Cloud Platform)

circle-info

Ensure you have reviewed the prerequisites for installing the Snyk Controller.

To receive vulnerability details about your Kubernetes workloads, a Snyk admin must first install the Snyk Controller onto your cluster. The Snyk Controller is published in Helm Hubarrow-up-right.

The installation steps cover:

  • Snyk integration for most Kubernetes platforms

  • Additional configuration steps for integration when using Amazon Elastic Container Registry (ECR) with your Amazon Elastic Kubernetes Service (EKS) clusters.

hashtag
Installing the Snyk Controller with Helm

To install the Snyk Controller with Helm, follow these mandatory steps:

  1. Access your Kubernetes environment. Run the following command to add the Snyk Charts repository to Helm:

helm repo add snyk-charts https://snyk.github.io/kubernetes-monitor --force-update

  1. After the repository is added, create a unique namespace for the Snyk Controller:

kubectl create namespace snyk-monitor
circle-info

As a good practice for Kubernetes applications, use a unique namespace to isolate the controller resources easily.

Ensure you remember the namespace snyk-monitor. You will use it when configuring other resources.

Snyk monitor requires:

  • Snyk Integration ID

  • Service Account Token

  • dockercfg.json file.

hashtag
Installing the Snyk Controller to scan images from a public container registry

To install the Snyk Controller to scan images from a public container registry, you must create a Kubernetes secret called snyk-monitor containing the Snyk Integration ID and the service account token.

To do this, run the following command:

circle-info

For a successful integration, the secret must be called snyk-monitor.

hashtag
Install the Snyk Helm chart

If you are running your own instance of Snyk, you must specify the API endpoint when installing the controller.

In the following command, provide the full hostname of your Snyk instance.

  • Replace "Production cluster" with a name based on the cluster you are monitoring. You can use this label to find workloads in Snyk later.

  • Using / (slash) in the cluster name is not allowed. Any /in the cluster names are removed.

  • To avoid renaming the cluster on every update, you can use the existing option from Helm --reuse-values. When upgrading, Helm reuses the values from the last release and merges them in any overrides from the command line using --set and -f

hashtag
Integrate AKS with ACR using Managed Identities

To do this:

  1. When you use AKS with user-managed identities to authorize access to ACR, and there are multiple identities that assign the AcrPull role to the VM scale set, you must also specify the Client ID of the desired user-managed identity to be used. This value must be set as an override, in .Values.azureEnvVars:

  1. With the YAML above saved in override.yaml, run the following command:

By default, this value is set to an empty string, and it is not used as such.

circle-info

When using the system-managed identity with the AcrPull role assigned, setting this variable is not necessary.

hashtag
Update an existing installation

If you are an existing customer and are updating your Snyk Controller:

  1. Create a service account token. For more information, see Prerequisites for installing the Snyk Controller. This token is stored in the snyk-monitor secret.

  2. Delete your existing snyk-monitor secret:

  1. Follow the mandatory installation steps. To get the latest Helm chart version, run the following command:

PreviousInstall the Snyk ControllerNextOptional installation steps for the Snyk Controller with Helm

Last updated

Was this helpful?