Insight Point (Helm Chart)

The Kubernetes integration requires an Insight Point running within the cluster to discover RBAC entities. When adding the integration, you will specify the cluster details and the Insight Point to use. Veza provides a helm chart to simplify the process of deploying and managing the Insight Point.

Configuration Options

The Insight Point Helm chart accepts the following configuration parameters via --set flags. Typically only key is required.

• key is your unique Insight Point registration key, generated in the Veza UI.

  • Create a key in Veza: Integrations > Insight Points > Create

  • Store this value securely as it cannot be recovered if lost

Custom CA Certificate Bundle

If your Insight Point needs to trust custom Certificate Authorities (for example, when connecting through a corporate proxy with SSL inspection, or when the control plane uses certificates signed by a private CA), you can provide a custom CA bundle.

The CA bundle should be in PEM format and can contain multiple certificates.

Important: Do not use skipVerify=true in production. Instead, add your custom CA certificates using this feature. The skipVerify option should only be used for testing and development.

Option 1: Inline CA Bundle

Create a file ca-values.yaml with the certificate contents:

Install or upgrade with:

Option 2: Reference to Existing ConfigMap

If you already have a ConfigMap with your CA bundle:

Note: The custom CA bundle is mounted to /etc/ssl/certs/ca-certificates.crt inside the container, which is the standard location for Go applications. This will replace the default system CA bundle, so ensure your custom bundle includes any default certificates you need to trust.

Proxy Configuration

When using an HTTPS inspection proxy:

• Set addr to your proxy's address if different from the Veza endpoint. This value overrides the default request authority.

• Ensure your proxy can connect to your Veza deployment.

• authority specifies the domain name to use for TLS certificate validation and is only required when addr

Configuring Tags

Tags are custom key-value labels that help organize and categorize your Insight Point instances. For an overview of tags, their use cases, and requirements, see in the main Insight Point documentation.

Using values.yaml File

Create or edit your values.yaml:

Then install:

Using Command-Line Flags

Updating Tags on Existing Deployment

High Availability Configuration

The Insight Point Helm chart supports high availability (HA) deployment to ensure continuous operation and resilience against node failures or pod disruptions. By default, the chart deploys three replicas of the Insight Point. You can customize the HA settings based on your requirements.

Replica Count

For high availability, deploy multiple Insight Point replicas:

• Single Instance: Use replicaCount: 1 for basic deployments

• High Availability: Use replicaCount: 2 or higher for production environments

• Recommended: replicaCount: 3

Pod Anti-Affinity

When running multiple replicas, configure pod anti-affinity to distribute pods across nodes or availability zones:

• Soft Anti-Affinity: Kubernetes will try to place pods on different nodes/zones but will allow co-location if necessary

• Hard Anti-Affinity: Kubernetes will never place pods on the same node/zone, which may prevent scheduling if insufficient resources

Pod Disruption Budget

Control the number of pods that can be disrupted simultaneously during maintenance:

The PodDisruptionBudget ensures that at least one Insight Point remains available during cluster updates, node maintenance, or voluntary pod evictions.

Webhook Relay Configuration

The webhook relay service allows the Insight Point to forward webhook requests to destinations in your private network. For an overview of webhook relay, when to use it, security considerations, and supported host formats, see in the main Insight Point documentation.

Configuration options

The following parameters configure webhook relay behavior:

Configuration via Command Line

Configure webhook relay when installing or upgrading the Insight Point:

Or when upgrading an existing deployment:

Configuration via values.yaml

Create or edit a values.yaml file with webhook relay configuration:

Then install or upgrade with the values file:

Verifying Webhook Relay Configuration

To verify webhook relay is configured correctly:

1. Check the Helm values:

2. Check the pod environment variables:

If webhook relay is enabled but not working:

• Verify the allowed hosts are in the correct format

• Check that the destination is included in the allowed hosts list

• Review the Insight Point logs for validation or connection errors:

Requirements

A Kubernetes Helm chart is a package format used to define, install, and upgrade applications in Kubernetes. Helm is often referred to as a package manager for Kubernetes. To install the chart, you will need:

• System Resources: Ensure your Kubernetes cluster has sufficient resources to meet the (minimum: 2 CPU cores, 4 GB RAM per Insight Point pod).

• Insight Point Key: You will need to generate a secret key for the Insight Point. To create one, go to Veza Integrations > Insight Point > Create.

• Insight Point Version: Note the most recent Insight Point version (e.g. 2024.8.12-9

Install Insight Point (Helm Chart)

1. Customize Values and Install the Insight Point:

   Use the helm install command to install the Insight Point into the Kubernetes cluster. Replace <NAME>, <VERSION>, <KEY>, and key with your specific values:

   • --namespace <NAMESPACE>