K8s Install (Helm)
Full Helm values reference and advanced deployment options for production clusters.
Full values.yaml reference
# values.yaml — full reference
apiKeySecret:
  name: rtk-api-key
  key: api-key
controlPlane:
  endpoint: https://ingest.runtimekindle.com
  tlsVerify: true
agent:
  image:
    repository: ghcr.io/runtimekindle/agent
    tag: "0.9.4"
    pullPolicy: IfNotPresent
  resources:
    requests:
      cpu: "50m"
      memory: "128Mi"
    limits:
      cpu: "200m"
      memory: "384Mi"
  tolerations:
    - operator: Exists
  nodeSelector: {}
  priorityClassName: system-node-critical
policy:
  rulesConfigMap: ""
  defaultRuleset: production
admission:
  enabled: false
  failurePolicy: Fail
  namespaceSelector:
    matchLabels:
      rtk-attestation: required
RBAC configuration
The Helm chart creates a ClusterRole with the minimum required permissions:
rules:
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "daemonsets"]
    verbs: ["get", "list", "watch"]
Admission webhook setup
To enforce supply-chain attestation at deploy time, enable the admission webhook. First label the namespaces you want enforced; the label matches admission.namespaceSelector.matchLabels in the values reference above:
kubectl label namespace production rtk-attestation=required
kubectl label namespace staging rtk-attestation=required
# Then enable in values.yaml:
# admission:
#   enabled: true
Verifying BTF support on worker nodes
# SSH to a worker node and check:
ls /sys/kernel/btf/vmlinux
# Should return: /sys/kernel/btf/vmlinux (not "No such file")
# Also check kernel version (needs 5.8+):
uname -r
# e.g., 6.1.84-99.169.amzn2023.x86_64
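The two checks above combined into one preflight script, as an added example that is not part of the original documentation or the chart. The function names (btf_ok, kernel_ok, node_preflight) are this example's own; the BTF path and the 5.8 minimum come from the commands above.

```shell
#!/bin/sh
# Added example: node preflight for the BTF and kernel-version checks.
# Function names are hypothetical; they are not part of the agent or chart.

MIN_MAJOR=5   # minimum kernel stated on this page: 5.8
MIN_MINOR=8

# btf_ok PATH -> 0 if the BTF file exists and is readable
btf_ok() {
    [ -r "$1" ]
}

# kernel_ok RELEASE -> 0 if RELEASE (format of `uname -r`) is >= 5.8,
# 1 if it is older, 2 if the string cannot be parsed.
kernel_ok() {
    release=$1
    case $release in *.*) ;; *) return 2 ;; esac
    major=${release%%.*}        # text before the first dot
    rest=${release#*.}          # text after the first dot
    minor=${rest%%[!0-9]*}      # leading digits of the remainder
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# node_preflight [BTF_PATH] [RELEASE] -> 0 only if both checks pass.
# With no arguments it inspects the node it runs on.
node_preflight() {
    btf_path=${1:-/sys/kernel/btf/vmlinux}
    release=${2:-$(uname -r)}
    rc=0
    if btf_ok "$btf_path"; then
        echo "PASS btf: $btf_path"
    else
        echo "FAIL btf: $btf_path missing or unreadable"
        rc=1
    fi
    if kernel_ok "$release"; then
        echo "PASS kernel: $release"
    else
        echo "FAIL kernel: $release (need ${MIN_MAJOR}.${MIN_MINOR}+)"
        rc=1
    fi
    return $rc
}
# On a worker node, source this file and run: node_preflight
```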