
Insight Point (Helm Chart)

Deploy an Insight Point to a Kubernetes cluster.

The Kubernetes integration requires an Insight Point running within the cluster to discover RBAC entities. When adding the integration, you will specify the cluster details and the Insight Point to use. Veza provides a helm chart to simplify the process of deploying and managing the Insight Point.

Configuration Options

The Insight Point Helm chart accepts the following configuration parameters via --set flags. Typically only key is required.

  • key is your unique Insight Point registration key, generated in the Veza UI.

    • Create a key in Veza: Integrations > Insight Points > Create

    • Store this value securely as it cannot be recovered if lost

Configuring Proxy CA Certificates

When using an HTTPS inspection proxy:

  • Set addr to your proxy's address if different from the Veza endpoint. This value overrides the default request authority.

  • Ensure your proxy can connect to your Veza deployment.

  • authority specifies the domain name to use for TLS certificate validation and is only required when addr points to a proxy instead of directly to Veza. Must be a specific domain (wildcards not supported).

To trust an HTTPS proxy, you will need to modify the Helm chart to add a volume for the proxy's CA certificate, mount it into the container, and configure the certificate path:

Requirements

A Kubernetes Helm chart is a package format used to define, install, and upgrade applications in Kubernetes. Helm is often referred to as a package manager for Kubernetes. To install the chart, you will need:

  • System Resources: Ensure your Kubernetes cluster has sufficient resources to meet the Insight Point system requirements (minimum: 2 CPU cores, 4 GB RAM per Insight Point pod).

  • Insight Point Key: You will need to generate a secret key for the Insight Point. To create one, go to Veza Integrations > Insight Point > Create.

  • Insight Point Version: Note the most recent Insight Point version (e.g. 2024.8.12-9) from Veza's OCI repository.

Install Insight Point (Helm Chart)

  1. Customize Values and Install the Insight Point:

    Use the helm install command to install the Insight Point into the Kubernetes cluster. Replace <NAME>, <VERSION>, <NAMESPACE>, and <KEY> with your specific values:

    • --namespace <NAMESPACE>: required if installing the Insight Point into a different namespace than the default.

skipVerify (TLS_INSECURE_SKIP_VERIFY) should only be set to true to disable certificate validation for testing/troubleshooting.

  • Access to the Kubernetes Cluster: Ensure you have the necessary permissions and access credentials to interact with the target Kubernetes cluster.

  • Helm Installed: Ensure Helm version 3.8 or greater is installed on your local machine. You can install Helm by following the official documentation: Helm Installation.

  • Your organization's security policies must allow chart installation from the Veza ECR (public.ecr.aws/veza).

  • --create-namespace: required if the namespace does not exist yet.

  • --set enableSecrets=true: optional field, required to enable Kubernetes Secrets extraction. Secrets will not be extracted by default.

  • A Veza Insight Point Key must be provided. To do this, specify the value with the --set key=<registration-key> option when installing the chart.

    Example:

  2. Verify Installation:

    Verify the status of the installation by running:

    helm list -n <NAMESPACE>

    This command will return a list of Helm releases, including the Insight Point you just installed. Ensure the STATUS is "DEPLOYED."

  3. Get Insight Point Logs:

    If the Insight Point fails to initialize or can't connect to Veza, you can get more details by reviewing the container logs. You can retrieve them from the terminal:

    kubectl logs -l app=<veza-insight-point> -n <NAMESPACE>

  4. Upgrade and Maintain:

    Over time, you may need to upgrade the Insight Point to newer versions or adjust its configuration. Use the helm upgrade command to make these changes.

    Example:

    helm upgrade <veza-insight-point> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE>

  5. Uninstall the Insight Point:

    If you need to uninstall the Insight Point, you can do so using the helm uninstall command:

    helm uninstall <veza-insight-point> --namespace <NAMESPACE>
| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| key | Insight Point Registration key for connecting to Veza | "" | --set key=abc123 |
| addr | Address for Veza API connection, overriding the one provided by the key | "" | --set addr=customer.vezacloud.com |
| skipVerify | Disable TLS certificate validation | false | --set skipVerify=true |
| authority | Overrides the request authority for certificate validation | "" | --set authority=veza.example.com |

    spec:
      template:
        spec:
          volumes:
            - name: proxy-ca-certs
              secret:
                secretName: proxy-ca-cert
          containers:
            - name: {{ .Chart.Name }}
              volumeMounts:
                - name: proxy-ca-certs
                  mountPath: /etc/ssl/certs/proxy
                  readOnly: true
    helm install <NAME> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE> --create-namespace  --set key=<KEY>
    helm install veza-insight-point oci://public.ecr.aws/veza/helm-chart/insight-point --version 2024.1.29-1 --namespace veza --create-namespace --set enableSecrets=true --set key=key
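
To check a deployed release against the parameter notes on this page (skipVerify only for testing, no wildcard authority, Secrets extraction off by default), the following added example audits the values reported by helm get values. It is not part of the Veza chart or documentation; the function names, severity labels and sample values are assumptions made for illustration.

```python
import json
import subprocess


def fetch_values(release, namespace):
    """Return the computed values of a Helm release (needs helm and cluster access)."""
    out = subprocess.run(
        ["helm", "get", "values", release, "-n", namespace, "--all", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out) or {}


def _is_true(value):
    # --set skipVerify=true yields a boolean, --set-string yields the string "true"
    return value is True or str(value).strip().lower() == "true"


def audit_values(values):
    """Return (severity, message) findings for Insight Point chart values.

    Severity labels are hypothetical. The key itself is never echoed.
    """
    findings = []
    addr = str(values.get("addr") or "")
    authority = str(values.get("authority") or "")
    if _is_true(values.get("skipVerify")):
        findings.append(("high", "skipVerify=true: TLS certificate validation is disabled"))
    if "*" in authority:
        findings.append(("high", "authority must be a specific domain; wildcards are not supported"))
    if addr and not authority:
        findings.append(("review", "addr is overridden without authority; authority is required when addr is a proxy"))
    if _is_true(values.get("enableSecrets")):
        findings.append(("review", "enableSecrets=true: Kubernetes Secrets extraction is enabled"))
    if not values.get("key"):
        findings.append(("high", "key is empty: a registration key must be provided"))
    return findings


# Constructed sample values, not taken from a real deployment
SAMPLE = {"key": "example-key", "addr": "proxy.internal.example:8443",
          "authority": "", "skipVerify": True, "enableSecrets": False}

if __name__ == "__main__":
    for severity, message in audit_values(SAMPLE):
        print(f"[{severity}] {message}")
```

Against a live cluster, pass the result of fetch_values("<NAME>", "<NAMESPACE>") to audit_values instead of SAMPLE.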