Release Notes

Insight Point (Helm Chart)

Deploy an Insight Point to a Kubernetes cluster.

The Kubernetes integration requires an Insight Point running within the cluster to discover RBAC entities. When adding the integration, you will specify the cluster details and the Insight Point to use. Veza provides a helm chart to simplify the process of deploying and managing the Insight Point.

Configuration Options

The Insight Point Helm chart accepts the following configuration parameters via --set flags. Typically only key is required.

Parameter
Description
Default
Example

key

Insight Point Registration key for connecting to Veza

""

--set key=abc123

addr

Address for Veza API connection, overriding the one provided by the key

""

--set addr=customer.vezacloud.com

skipVerify

Disable TLS certificate validation

false

--set skipVerify=true

authority

Overrides the request authority for certificate validation

""

--set authority=veza.example.com

replicaCount

Number of Insight Point replicas for high availability

3

--set replicaCount=1

  • key is your unique Insight Point registration key, generated in the Veza UI.

    • Create a key in Veza: Integrations > Insight Points > Create

    • Store this value securely as it cannot be recovered if lost

  • skipVerify (TLS_INSECURE_SKIP_VERIFY) should only be set to true to disable certificate validation for testing/troubleshooting.

Configuring Proxy CA Certificates

When using an HTTPS inspection proxy:

  • Set to addrto your proxy's address if different from the Veza endpoint. This value overrides the default request authority.

  • Ensure your proxy can connect to your Veza deployment.

  • authority specifies the domain name to use for TLS certificate validation and is only required when addr points to a proxy instead of directly to Veza. Must be a specific domain (wildcards not supported).

To trust an HTTPS proxy, you will need to modify the Helm chart to add a volume for the proxy's CA certificate, mount it into the container, and configure the certificate path:

spec:
  template:
    spec:
      volumes:
        - name: proxy-ca-certs
          secret:
            secretName: proxy-ca-cert
      containers:
        - name: {{ .Chart.Name }}
          volumeMounts:
            - name: proxy-ca-certs
              mountPath: /etc/ssl/certs/proxy
              readOnly: true

High Availability Configuration

The Insight Point Helm chart supports high availability (HA) deployment to ensure continuous operation and resilience against node failures or pod disruptions. By default, the chart deploys three replicas of the Insight Point. You can customize the HA settings based on your requirements.

Replica Count

For high availability, deploy multiple Insight Point replicas:

  • Single Instance: Use replicaCount: 1 for basic deployments

  • High Availability: Use replicaCount: 2 or higher for production environments

  • Recommended: replicaCount: 3 (default) provides good balance of availability and resource usage

Pod Anti-Affinity

When running multiple replicas, configure pod anti-affinity to distribute pods across nodes or availability zones:

Parameter
Description
Values
Default

podAntiAffinity.type

Anti-affinity enforcement

soft (preferred) or hard (required)

soft

podAntiAffinity.topologyKey

Distribution topology

kubernetes.io/hostname (nodes) or topology.kubernetes.io/zone (zones)

kubernetes.io/hostname

  • Soft Anti-Affinity: Kubernetes will try to place pods on different nodes/zones but will allow co-location if necessary

  • Hard Anti-Affinity: Kubernetes will never place pods on the same node/zone, which may prevent scheduling if insufficient resources

Pod Disruption Budget

Control the number of pods that can be disrupted simultaneously during maintenance:

Parameter
Description
Default

podDisruptionBudget.enabled

Enable PodDisruptionBudget

true

podDisruptionBudget.minAvailable

Minimum pods that must remain available

1

The PodDisruptionBudget ensures that at least one Insight Point remains available during cluster updates, node maintenance, or voluntary pod evictions.

Requirements

A Kubernetes Helm chart is a package format used to define, install, and upgrade applications in Kubernetes. Helm is often referred to as a package manager for Kubernetes. To install the chart, you will need:

  • System Resources: Ensure your Kubernetes cluster has sufficient resources to meet the Insight Point system requirements (minimum: 2 CPU cores, 4 GB RAM per Insight Point pod).

  • Insight Point Key: You will need to generate a secret key for the Insight Point. To create one, go to Veza Integrations > Insight Point > Create.

  • Insight Point Version: Note the most recent Insight Point version (e.g. 2024.8.12-9) from Veza's OCI repository.

  • Access to the Kubernetes Cluster: Ensure you have the necessary permissions and access credentials to interact with the target Kubernetes cluster.

  • Helm Installed: Ensure Helm version 3.8 or greater is installed on your local machine. You can install Helm by following the official documentation: Helm Installation.

  • Your organization security policies must allow chart installation from the VEZA ECR public.ecr.aws/veza

Install Insight Point (Helm Chart)

  1. Customize Values and Install the Insight Point:

    Use the helm install command to install the Insight Point into the Kubernetes cluster. Replace <NAME>, <VERSION>, <KEY>, and key with your specific values:

    helm install <NAME> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE> --create-namespace  --set key=<KEY>

    • --namespace <NAMESPACE>: required if installing the Insight Point into a different namespace than the default.

    • --create-namespace: required if the namespace does not exist yet.

    • --set enableSecrets=true: optional field, required to enable Kubernetes Secrets extraction. Secrets will not be extracted by default.

    An Veza Insight Point Key must be provided. To do this, you can specify the value with the --set key=<registration-key> option when installing the chart.

    Example:

    helm install veza-insight-point oci://public.ecr.aws/veza/helm-chart/insight-point --version 2024.1.29-1 --namespace veza --create-namespace --set enableSecrets=true --set key=<YOUR_KEY>

  2. Verify Installation:

    Verify the status of the installation by running:

    helm list -n <NAMESPACE>

    This command will return a list of Helm releases, including the Insight Point you just installed. Ensure the STATUS is "DEPLOYED."

  3. Get Insight Point Logs:

    If the Insight Point fails to initialize or can't connect to Veza, you can get more details by reviewing the container logs. You can retrieve this using the terminal:

    kubectl logs -l app=<veza-insight-point> -n <NAMESPACE>

  4. Upgrade and Maintain:

    Over time, you may need to upgrade the Insight Point to newer versions or adjust its configuration. Use the helm upgrade command to make these changes.

    Standard upgrade:

    helm upgrade <veza-insight-point> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE>

    Note that newer versions can introduce breaking changes (eg, replacing Kubernetes resources with others), which can cause a brief unavailability of the Insight Point.

  5. Uninstall the Insight Point:

    If you need to uninstall the Insight Point, you can do so using the helm uninstall command:

    helm uninstall <veza-insight-point> --namespace <NAMESPACE>
PreviousDeploy with Azure Container InstancesNextSecrets Vaults

Last updated

Was this helpful?