Insight Point (Helm Chart)
Deploy an Insight Point to a Kubernetes cluster.
The Kubernetes integration requires an Insight Point running within the cluster to discover RBAC entities. When adding the integration, you will specify the cluster details and the Insight Point to use. Veza provides a helm chart to simplify the process of deploying and managing the Insight Point.
Configuration Options
The Insight Point Helm chart accepts the following configuration parameters via --set flags. Typically only key is required.
key: Insight Point registration key for connecting to Veza. Default: "" (none). Example: --set key=abc123
addr: Address for the Veza API connection, overriding the one provided by the key. Default: "". Example: --set addr=customer.vezacloud.com
skipVerify: Disable TLS certificate validation. Default: false. Example: --set skipVerify=true
authority: Overrides the request authority used for certificate validation. Default: "". Example: --set authority=veza.example.com
replicaCount: Number of Insight Point replicas for high availability. Default: 3. Example: --set replicaCount=1
key is your unique Insight Point registration key, generated in the Veza UI. Create a key in Veza: Integrations > Insight Points > Create.
Store this value securely; it cannot be recovered if lost.
skipVerify (TLS_INSECURE_SKIP_VERIFY) should only be set to true to disable certificate validation for testing or troubleshooting.
Configuring Proxy CA Certificates
When using an HTTPS inspection proxy:
Set addr to your proxy's address if it differs from the Veza endpoint. This value overrides the default request authority. Ensure your proxy can connect to your Veza deployment.
authority specifies the domain name to use for TLS certificate validation and is only required when addr points to a proxy instead of directly to Veza. It must be a specific domain (wildcards are not supported).
To trust an HTTPS proxy, you will need to modify the Helm chart to add a volume for the proxy's CA certificate, mount it into the container, and configure the certificate path:
High Availability Configuration
The Insight Point Helm chart supports high availability (HA) deployment to ensure continuous operation and resilience against node failures or pod disruptions. By default, the chart deploys three replicas of the Insight Point. You can customize the HA settings based on your requirements.
Replica Count
For high availability, deploy multiple Insight Point replicas:
Single Instance: Use replicaCount: 1 for basic deployments.
High Availability: Use replicaCount: 2 or higher for production environments.
Recommended: replicaCount: 3 (default) provides a good balance of availability and resource usage.
Pod Anti-Affinity
When running multiple replicas, configure pod anti-affinity to distribute pods across nodes or availability zones:
podAntiAffinity.type: Anti-affinity enforcement. Options: soft (preferred) or hard (required). Default: soft
podAntiAffinity.topologyKey: Distribution topology. Options: kubernetes.io/hostname (nodes) or topology.kubernetes.io/zone (zones). Default: kubernetes.io/hostname
Soft Anti-Affinity: Kubernetes will try to place pods on different nodes/zones but will allow co-location if necessary.
Hard Anti-Affinity: Kubernetes will never place pods on the same node/zone, which may leave pods unschedulable if there are not enough eligible nodes/zones.
Pod Disruption Budget
Control the number of pods that can be disrupted simultaneously during maintenance:
podDisruptionBudget.enabled: Enable PodDisruptionBudget. Default: true
podDisruptionBudget.minAvailable: Minimum pods that must remain available. Default: 1
The PodDisruptionBudget ensures that at least one Insight Point remains available during cluster updates, node maintenance, or voluntary pod evictions. Note that with replicaCount: 1 and minAvailable: 1, the single pod can never be voluntarily evicted, so node drains will block until the budget is relaxed or the replica count is raised.
Webhook Relay Configuration
The webhook relay service allows the Insight Point to forward webhook requests to destinations in your private network. For an overview of webhook relay, when to use it, security considerations, and supported host formats, see Webhook Relay in the main Insight Point documentation.
Configuration options
webhookRelay.enabled: Enable the webhook relay service. Default: false. Example: --set webhookRelay.enabled=true
webhookRelay.allowedHosts: A list of allowed destinations (supports multiple formats as documented in Webhook Relay). Default: "" (no destinations allowed). Example: --set 'webhookRelay.allowedHosts[0]=172.17.0.0/24' --set 'webhookRelay.allowedHosts[1]=172.16.0.*' --set 'webhookRelay.allowedHosts[2]=*.example.com'
Configuration via Command Line
Configure webhook relay when installing or upgrading the Insight Point:
Or when upgrading an existing deployment:
Configuration via values.yaml
Create or edit a values.yaml file with webhook relay configuration:
Then install or upgrade with the values file:
Verifying Webhook Relay Configuration
To verify webhook relay is configured correctly:
Check the Helm values:
Check the pod environment variables:
If webhook relay is enabled but not working:
Verify the allowed hosts are in the correct format
Check that the destination is included in the allowed hosts list
Review the Insight Point logs for validation or connection errors:
Ensure the destination is actually reachable from the Insight Point's network
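The troubleshooting step "check that the destination is included in the allowed hosts list" can be done offline before touching the cluster. The following is an added example, not Veza's own code; it implements one plausible reading of the three allowedHosts formats shown above (CIDR block, IPv4 with wildcard octets, wildcard domain) plus exact hostnames, so confirm the matching rules against the Webhook Relay documentation before relying on it.

```python
"""Check a webhook destination host against a webhookRelay.allowedHosts list.

Added example, not Veza's own code. Matching rules are this script's assumptions:
  - 172.17.0.0/24  : CIDR block, matches literal IP destinations inside it
  - 172.16.0.*     : IPv4 with wildcard octets, each '*' matches any one octet
  - *.example.com  : wildcard domain, matches subdomains only (not the apex)
  - anything else  : exact hostname or exact IP
"""
import ipaddress
import re
from typing import Iterable, Optional


def _parse_ip(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return an ip_address for host, or None if host is not a literal IP."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def entry_matches(entry: str, host: str) -> bool:
    """Decide whether one allowedHosts entry permits the given destination host."""
    entry = entry.strip().lower()
    host = host.strip().lower().rstrip(".")
    ip = _parse_ip(host)

    if "/" in entry:  # CIDR block: only literal IP destinations can match
        try:
            return ip is not None and ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # a malformed CIDR entry never matches
    if re.fullmatch(r"[0-9*]+(\.[0-9*]+){3}", entry):  # IPv4 with optional wildcard octets
        if ip is None or ip.version != 4:
            return False
        return all(p == "*" or p == h for p, h in zip(entry.split("."), host.split(".")))
    if entry.startswith("*."):  # wildcard domain: suffix match on ".example.com"
        return ip is None and host.endswith(entry[1:])
    return entry == host  # exact hostname or exact IP


def is_allowed(allowed_hosts: Iterable[str], host: str) -> bool:
    """True when any entry permits host; an empty list allows nothing."""
    return any(entry_matches(e, host) for e in allowed_hosts)


# Constructed sample list mirroring the --set example on this page, plus one exact host.
ALLOWED_HOSTS = ["172.17.0.0/24", "172.16.0.*", "*.example.com", "hooks.internal"]

if __name__ == "__main__":
    for dest in ["172.17.0.42", "172.17.1.1", "172.16.0.250", "ci.example.com",
                 "example.com", "hooks.internal", "example.com.other.net"]:
        print(f"{dest:28} {'allowed' if is_allowed(ALLOWED_HOSTS, dest) else 'BLOCKED'}")
```

The suffix check deliberately requires the leading dot, so a destination such as example.com.other.net is not matched by *.example.com.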
Requirements
A Kubernetes Helm chart is a package format used to define, install, and upgrade applications in Kubernetes. Helm is often referred to as a package manager for Kubernetes. To install the chart, you will need:
System Resources: Ensure your Kubernetes cluster has sufficient resources to meet the Insight Point system requirements (minimum: 2 CPU cores, 4 GB RAM per Insight Point pod).
Insight Point Key: You will need to generate a registration key for the Insight Point and treat it as a secret. To create one, go to Veza Integrations > Insight Point > Create.
Insight Point Version: Note the most recent Insight Point version (e.g. 2024.8.12-9) from Veza's OCI repository.
Access to the Kubernetes Cluster: Ensure you have the necessary permissions and access credentials to interact with the target Kubernetes cluster.
Helm Installed: Ensure Helm version 3.8 or greater is installed on your local machine. You can install Helm by following the official documentation: Helm Installation.
Registry Access: Your organization's security policies must allow chart installation from the Veza ECR: public.ecr.aws/veza
Install Insight Point (Helm Chart)
Customize Values and Install the Insight Point:
Use the helm install command to install the Insight Point into the Kubernetes cluster. Replace <NAME>, <VERSION>, <KEY>, and key with your specific values:
--namespace <NAMESPACE>: required if installing the Insight Point into a different namespace than the default.
--create-namespace: required if the namespace does not exist yet.
--set enableSecrets=true: optional; required to enable Kubernetes Secrets extraction. Secrets are not extracted by default.
A Veza Insight Point Key must be provided. To do this, specify the value with the --set key=<registration-key> option when installing the chart. Example:
Verify Installation:
Verify the status of the installation by running:
This command will return a list of Helm releases, including the Insight Point you just installed. Ensure the STATUS is "DEPLOYED."
Get Insight Point Logs:
If the Insight Point fails to initialize or can't connect to Veza, you can get more details by reviewing the container logs. You can retrieve this using the terminal:
Upgrade and Maintain:
Over time, you may need to upgrade the Insight Point to newer versions or adjust its configuration. Use the helm upgrade command to make these changes. Standard upgrade:
Note that newer versions can introduce breaking changes (e.g. replacing Kubernetes resources with others), which can cause a brief unavailability of the Insight Point.
Uninstall the Insight Point:
If you need to uninstall the Insight Point, you can do so using the helm uninstall command: