Snyk Documentation

Install the Snyk controller for Kubernetes

To get vulnerability details about your Kubernetes workloads, a Snyk admin must first install the Snyk controller onto your cluster. The Snyk monitor (kubernetes-monitor) requires some minimal configuration items in order to work correctly. As with any Kubernetes deployment, the kubernetes-monitor runs within a single namespace.

Prerequisites

  • Integration with Kubernetes is available for Snyk Container customers as part of the Standard, Pro and Enterprise plans.
  • The Snyk controller is installed using Helm.
  • Set up your Snyk account before getting started.
  • To configure the integration from Snyk, you must be an admin for the account.
  • A minimum of 50 GB of storage must be available in the form of an emptyDir on the cluster.
  • External internet access must be available from the Kubernetes cluster.

Steps

  1. Access your Kubernetes environment and run the following command from your cluster in order to add the Snyk Charts repository to Helm:
    helm repo add snyk-charts https://snyk.github.io/kubernetes-monitor/
  2. Once the charts are added, create a unique namespace for the Snyk controller:
    kubectl create namespace snyk-monitor

    Tip: Use a unique namespace to isolate the controller resources more easily. This is generally good practice for Kubernetes applications.
    Note: The namespace is called snyk-monitor; you’ll need this later when configuring other resources.

  3. Now, log in to your Snyk account and navigate to Integrations.
  4. Search for and click Kubernetes.
  5. Click Connect and from the page that loads, copy the Integration ID. The Snyk Integration ID is a UUID, similar to this format: abcd1234-abcd-1234-abcd-1234abcd1234.
    Save it for use from your Kubernetes environment in the next step.
  6. The Snyk monitor runs using your Snyk Integration ID and a dockercfg file. If you are not using any private registries, create a Kubernetes secret called snyk-monitor containing the Snyk Integration ID from the previous step by running the following command:
    kubectl create secret generic snyk-monitor -n snyk-monitor --from-literal=dockercfg.json={} --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234

    Next, go to step 8.
    Note: The secret must be called snyk-monitor in order for the integration to work.

  7. If any of the images you need to scan are located in private registries, you need to provide credentials to access those registries by creating a secret (which must be called snyk-monitor) using both the Snyk Integration ID and a dockercfg file. The dockercfg file is necessary to allow the monitor to look up images in private registries. Usually a copy of the dockercfg resides in $HOME/.docker/config.json.
    1. Create a dockercfg configuration file:
      {
        "auths": {
          "gcr.io": {
            "auth": "BASE64-ENCODED-AUTH-DETAILS"
          }
        }
      }

      Add other registries under "auths" as necessary (JSON does not permit comments, so keep such notes out of the file).
    2. Create a secret with the file added:
      kubectl create secret generic snyk-monitor -n snyk-monitor --from-file=dockercfg.json --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234
  8. Install the Snyk Helm chart:
    helm upgrade --install snyk-monitor snyk-charts/snyk-monitor --namespace snyk-monitor --set clusterName="Production cluster"

    Tip: Replace the name Production cluster with a name based on the cluster you are monitoring. You’ll use this label to find workloads in Snyk later.
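
Added example (not part of the Snyk documentation): shell helpers that check the inputs to steps 6 and 7 before the snyk-monitor secret is created. The function names are hypothetical, and the script assumes the standard Docker config format, in which "auth" is the base64 encoding of username:password.

```bash
#!/usr/bin/env bash
# Added example: pre-flight helpers for the snyk-monitor secret (steps 6 and 7).
# Function names are hypothetical; values in the usage notes are constructed.

# Succeeds only if $1 has the UUID shape of a Snyk Integration ID
# (8-4-4-4-12 hexadecimal digits).
is_integration_id() {
  printf '%s\n' "$1" |
    grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# Prints the "auth" value for one registry entry.
# Assumption: standard Docker config format, base64("username:password").
registry_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Writes a single-registry dockercfg file. umask 077 gives a newly created
# file owner-only permissions (an existing file keeps its current mode).
# Args: registry username password output-file
# Assumption: the registry name needs no JSON escaping.
write_dockercfg() {
  (
    umask 077
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' \
      "$1" "$(registry_auth "$2" "$3")" > "$4"
  )
}

# Fails if the file is empty, lacks "auths", still holds the page's
# placeholder, or contains a // comment line (which is invalid JSON).
check_dockercfg() {
  [ -s "$1" ] || return 1
  grep -q '"auths"' "$1" || return 1
  ! grep -Eq 'BASE64-ENCODED-AUTH-DETAILS|^[[:space:]]*//' "$1"
}

# Usage, before running the kubectl command in step 7:
#   is_integration_id "$INTEGRATION_ID" || { echo "bad Integration ID" >&2; exit 1; }
#   write_dockercfg gcr.io "$REGISTRY_USER" "$REGISTRY_PASSWORD" dockercfg.json
#   check_dockercfg dockercfg.json || { echo "fix dockercfg.json" >&2; exit 1; }
```

Reading the registry password from an environment variable, as in the usage comments, keeps it out of the command line that creates the file.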