دليل عام
Scan cluster posture with kube-bench (CIS benchmarks), kubescape, and Kyverno policy telemetry. One Helm chart install, one kubectl secret — done. الجمهور: Platform engineers, Kubernetes administrators, security engineers. وقت الإعداد المعتاد: 2 minutes.
Scan cluster posture with kube-bench (CIS benchmarks), kubescape, and Kyverno policy telemetry. One Helm chart install, one kubectl secret — done.
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.
Creates `deploy/helm/blackshield-k8s-scanner/` locally with the current platform API URL prefilled so you can inspect, modify, and install the chart from source.
BLACKSHIELD_SITE_URL=https://blackshield.chaplau.com \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/k8s-scanner-helm.sh)
cd deploy/helm/blackshield-k8s-scannerCreates a Git-based Argo CD ApplicationSet manifest with the current platform API URL prefilled so multi-cluster rollout can track the chart source in your GitOps repository.
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/k8s-scanner-argocd.sh)# Create namespace and secret
kubectl create namespace blackshield
kubectl create secret generic blackshield-k8s-scanner \
--namespace blackshield \
--from-literal=api-key=sp_xxxx
# Bootstrap the local chart source from the guide first
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/k8s-scanner-helm.sh)
# Install chart — scans every 6 hours
helm upgrade --install blackshield-k8s-scanner ./deploy/helm/blackshield-k8s-scanner \
--namespace blackshield \
--set existingSecret.name=blackshield-k8s-scanner \
--set existingSecret.key=api-key \
--set scanIntervalSeconds=21600 \
--waitapiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: blackshield-k8s-scanner
namespace: argocd
spec:
generators:
- clusters: {} # all registered clusters
template:
metadata:
name: "blackshield-k8s-scanner-{{name}}"
spec:
project: default
source:
repoURL: https://github.com/acme/platform-deployments.git
targetRevision: main
path: deploy/helm/blackshield-k8s-scanner
helm:
valuesObject:
env:
BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
existingSecret:
name: blackshield-k8s-scanner
key: api-key
scanIntervalSeconds: 21600
destination:
server: "{{server}}"
namespace: blackshield
syncPolicy:
automated: { prune: true, selfHeal: true }
syncOptions: [CreateNamespace=true]Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
الخطوة 1
Store the API key in a Kubernetes Secret, then pull the chart source locally so the generated values already point at your deployed platform.
What success looks like
Review `deploy/helm/blackshield-k8s-scanner/values.yaml` before the first install so any scan cadence or resource overrides are intentional.
الخطوة 2
Choose Deployment mode (internal loop) or CronJob mode (Kubernetes schedule) and install directly from the local chart source.
What success looks like
NetworkPolicy restricts egress to port 443 only.
الخطوة 3
Use Argo CD ApplicationSet or Flux HelmRelease to deploy to every cluster from one place.
What success looks like
Verify health: kubectl port-forward svc/blackshield-k8s-scanner 8080:8080 -n blackshield && curl localhost:8080/health
Keep your rollout moving with the next recommended step.
استيعاب أولى النتائج