Complete Kubernetes deployment for the Kentra Security Testing Platform, including the operator, dashboard, and log aggregation.
This umbrella chart deploys the complete Kentra platform stack:
- Kentra Operator - Kubernetes operator for orchestrating security testing operations
- Kentra Dashboard - Web UI for monitoring logs and managing security tests
- Grafana Loki - Log aggregation and querying system
Prerequisites:
- Kubernetes 1.11.3+
- Helm 3.8.0+
- kubectl configured to communicate with your cluster
- (Optional) NGINX Ingress Controller for external access
- (Optional) cert-manager for TLS certificates
There are two ways to install the Kentra platform:
- OCI Registry (Recommended) - Install directly from GHCR using Helm OCI support
- Local Chart - Clone the repository and install from source
Create a secret for pulling images from GitHub Container Registry:

```bash
kubectl create namespace kentra-system
kubectl create secret docker-registry ghcr-pull-secret \
  --docker-server=ghcr.io \
  --docker-username=<your-github-username> \
  --docker-password=<your-github-pat> \
  --namespace=kentra-system
```

Install directly from the GitHub Container Registry without cloning the repository.
Create a minimal values.yaml:

```yaml
kentra:
  controller:
    imagePullSecrets:
      - name: ghcr-pull-secret
kentra-dashboard:
  dashboard:
    imagePullSecrets:
      - name: ghcr-pull-secret
  enabled: true
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: your-cluster-issuer
    className: traefik
    enabled: true
    hosts:
      - host: kentra.yourdomain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - hosts:
          - kentra.yourdomain.com
        secretName: kentra-tls-secret
loki:
  enabled: true
  minio:
    enabled: true
    persistence:
      size: 10Gi
  singleBinary:
    persistence:
      enabled: true
      size: 5Gi
```

Then install:

```bash
helm install kentra-platform \
  oci://ghcr.io/kentrasecurity/helm/kentra-platform \
  --version 0.3.4 \
  --namespace kentra-system \
  --create-namespace \
  -f values.yaml
```

Clone the repository and install with all dependencies.

```bash
git clone https://github.com/kentrasecurity/kentra.git
cd kentra/helm
```

Download the chart dependencies (Kentra operator, dashboard, and Loki):

```bash
helm dependency update
```

This will download:
- `kentra` from `oci://ghcr.io/kentrasecurity/helm`
- `kentra-dashboard` from `oci://ghcr.io/kentrasecurity/helm`
- `loki` from Grafana's Helm repository

```bash
# Install with the chart's default values
helm install kentra-platform . \
  --namespace kentra-system \
  --create-namespace
```

```bash
# Install with a custom values file
helm install kentra-platform . \
  --namespace kentra-system \
  --create-namespace \
  -f custom-values.yaml
```

```bash
# Install with individual overrides (quoted so the shell does not glob "[0]")
helm install kentra-platform . \
  --namespace kentra-system \
  --create-namespace \
  --set kentra-dashboard.ingress.enabled=true \
  --set 'kentra-dashboard.ingress.hosts[0].host=kentra.yourdomain.com' \
  --set loki.singleBinary.persistence.size=50Gi
```

Both methods install the complete Kentra platform with sensible defaults:
- Kentra Operator with latest images
- Kentra Dashboard with ingress enabled
- Grafana Loki with MinIO backend (5Gi + 10Gi storage)
- Fixed service names (`loki-gateway`) for consistent configuration
The chart uses a single values.yaml file with:
- Centralized Loki configuration using YAML anchors
- Fixed Loki service name (`loki-gateway`) for consistent addressing
- Inline production examples and best practices
- Clear comments for all configuration options

| Parameter | Description | Default |
|---|---|---|
| `_lokiConfig.host` | Loki gateway hostname | `loki-gateway` |
| `_lokiConfig.port` | Loki gateway port | `80` |
| `global.imagePullSecrets` | Image pull secrets for GHCR | `[{name: ghcr-pull-secret}]` |
| `kentra-dashboard.ingress.enabled` | Enable ingress for dashboard | `true` |
| `kentra-dashboard.ingress.hosts[0].host` | Dashboard hostname | `kentra.example.com` |
| `loki.enabled` | Enable Loki log aggregation | `true` |
| `loki.fullnameOverride` | Override Loki service name | `loki` |
| `loki.singleBinary.persistence.size` | Loki storage size | `5Gi` |

For advanced Loki configuration options, see:

```bash
helm show values charts/loki-*.tgz
```

Loki configuration is centralized using YAML anchors - configure it once in `_lokiConfig`, and it's automatically used by both the operator and dashboard.
The chart uses `fullnameOverride` to ensure the Loki service is always named `loki-gateway`, regardless of the release name:

```yaml
_lokiConfig: &lokiConfig
  host: "loki-gateway"
  port: "80"
  # ... other settings
loki:
  enabled: true
  fullnameOverride: "loki"  # Service will be loki-gateway
```

This simplifies configuration - you don't need to adjust the hostname based on your release name.
To use an external Loki instance, update the host and disable the bundled Loki:

```yaml
_lokiConfig: &lokiConfig
  host: "external-loki.monitoring.svc.cluster.local"
  port: "3100"
  tenantId: "tenant-1"
  auth:
    username: "loki-user"
    # Plain text in this file; keep the values file out of version control
    password: "secret-pass"
loki:
  enabled: false
```

To enable Loki authentication:

```yaml
# 1. Enable auth in Loki server
loki:
  loki:
    auth_enabled: true
# 2. Configure client credentials
_lokiConfig: &lokiConfig
  host: "loki-gateway"
  port: "80"
  tenantId: "tenant-1"
  auth:
    username: "your-username"
    password: "your-password"
```

```yaml
# Operator (controller) replicas and resources
kentra:
  controller:
    replicas: 1
    resources:
      limits:
        cpu: 500m
        memory: 128Mi
      requests:
        cpu: 10m
        memory: 64Mi
```

```yaml
# Dashboard replicas, namespace filter and ingress
kentra-dashboard:
  dashboard:
    replicaCount: 1
    config:
      # Filter namespaces by annotation
      nsAnnotationFilter: "managed-by-kentra="
  ingress:
    enabled: true
    className: nginx
    hosts:
      - host: kentra.yourdomain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: kentra-dashboard-tls
        hosts:
          - kentra.yourdomain.com
```

Basic (default):

```yaml
loki:
  enabled: true
  fullnameOverride: "loki"
  singleBinary:
    persistence:
      size: 5Gi
```

Production settings:

```bash
helm install kentra-platform . \
  --set loki.singleBinary.persistence.size=50Gi \
  --set loki.loki.limits_config.retention_period=2160h  # 90 days
```

Access the dashboard at the configured hostname:

```
https://kentra.yourdomain.com
```

```bash
kubectl port-forward -n kentra-system \
  svc/kentra-platform-kentra-dashboard 8080:80
# Access at: http://localhost:8080
```

Query logs directly from Loki (service name is always `loki-gateway`):
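
```bash
kubectl port-forward -n kentra-system \
  svc/loki-gateway 3100:80
# Query logs (-G with --data-urlencode keeps curl from treating the LogQL braces as a URL glob)
curl -G "http://localhost:3100/loki/api/v1/query" \
  --data-urlencode 'query={namespace="kentra-system"}'
```

Upgrade to a newer version: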

```bash
helm upgrade kentra-platform \
  oci://ghcr.io/kentrasecurity/helm/kentra-platform \
  --version 0.1.4 \
  --namespace kentra-system \
  -f values.yaml
```

Update dependencies and upgrade:

```bash
# Pull latest changes
git pull
# Update dependencies
helm dependency update
# Upgrade the release
helm upgrade kentra-platform . \
  --namespace kentra-system \
  -f custom-values.yaml
```

```bash
helm uninstall kentra-platform --namespace kentra-system
```

Note: PersistentVolumeClaims (Loki storage) are not automatically deleted. To remove them:

```bash
kubectl delete pvc -n kentra-system -l app.kubernetes.io/instance=kentra-platform
```

```bash
# View all pods
kubectl get pods -n kentra-system
# Check specific components
kubectl get pods -n kentra-system -l app.kubernetes.io/name=kentra
kubectl get pods -n kentra-system -l app.kubernetes.io/name=kentra-dashboard
kubectl get pods -n kentra-system -l app.kubernetes.io/name=loki
```

```bash
# Kentra operator logs
kubectl logs -n kentra-system -l control-plane=controller-manager
# Dashboard logs
kubectl logs -n kentra-system -l app.kubernetes.io/component=dashboard
# Loki logs
kubectl logs -n kentra-system -l app.kubernetes.io/name=loki
```

Ensure the GHCR pull secret is created correctly:

```bash
kubectl get secret ghcr-pull-secret -n kentra-system
```

Verify the Loki gateway service (always named `loki-gateway`):

```bash
kubectl get svc -n kentra-system loki-gateway
```

Ensure the Loki host is configured correctly:

```bash
kubectl get configmap -n kentra-system -o yaml | grep -i loki
```

The host should be set to `loki-gateway`.

```text
┌─────────────────────────────────────────────────────┐
│                 Ingress Controller                  │
│                 (NGINX - Optional)                  │
└────────────────────┬────────────────────────────────┘
                     │
        ┌────────────┴─────────────┐
        │                          │
┌───────▼────────┐       ┌─────────▼─────────┐
│   Dashboard    │       │   Loki Gateway    │
│    (Web UI)    │◄──────┤    (Optional)     │
└───────┬────────┘       └─────────┬─────────┘
        │                          │
        │                ┌─────────▼─────────┐
        │                │    Loki Single    │
        │                │      Binary       │
        │                └─────────┬─────────┘
        │                          │
┌───────▼────────┐                 │
│     Kentra     │                 │
│    Operator    │─────────────────┘
│  (Controller)  │       Logs
└───────┬────────┘
        │
        │ Manages
        ▼
┌────────────────┐
│ Security Test  │
│  Jobs (CRDs)   │
└────────────────┘
```

| Component | Default Size | Purpose | Adjustable |
|---|---|---|---|
| Loki | 5Gi | Log storage (WAL and cache) | Yes - loki.singleBinary.persistence.size |
| MinIO | 10Gi | Object storage (logs and chunks) | Yes - loki.minio.persistence.size |
Recommendation: For production use, allocate at least 50Gi for MinIO based on expected log volume and retention period.
- All components run with security contexts (non-root, read-only filesystem)
- RBAC policies are enforced
- Image pull secrets required for private registry access
- TLS recommended for ingress (use cert-manager)
- Consider network policies for additional isolation
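
One way to check the security-context claim in the list above against a running release, as an added example that is not part of the Kentra chart: the script reads a pod list in the format produced by `kubectl get pods -n kentra-system -o json` and reports every container that lacks `runAsNonRoot` or `readOnlyRootFilesystem`. The embedded pod list, its pod and container names, and the function name `audit_pods` are constructed for illustration.

```python
import json
import sys

# Constructed sample: a trimmed PodList in the shape returned by
# `kubectl get pods -n kentra-system -o json`. All names are made up.
SAMPLE_PODLIST = json.loads("""
{"items": [
  {"metadata": {"name": "operator-0"},
   "spec": {"securityContext": {"runAsNonRoot": true},
            "containers": [{"name": "manager",
                            "securityContext": {"readOnlyRootFilesystem": true}}]}},
  {"metadata": {"name": "dashboard-0"},
   "spec": {"containers": [{"name": "web", "securityContext": {"runAsNonRoot": true}}]}},
  {"metadata": {"name": "loki-0"},
   "spec": {"securityContext": {"runAsNonRoot": true},
            "initContainers": [{"name": "init",
                                "securityContext": {"runAsNonRoot": false}}],
            "containers": [{"name": "loki",
                            "securityContext": {"readOnlyRootFilesystem": true}}]}}
]}
""")


def audit_pods(podlist):
    """Return (pod, container, problem) tuples for every container, init
    containers included, that is not both non-root and read-only-rootfs."""
    findings = []
    for pod in podlist.get("items", []):
        spec = pod.get("spec", {})
        pod_sc = spec.get("securityContext") or {}
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for c in containers:
            sc = c.get("securityContext") or {}
            # A container-level runAsNonRoot overrides the pod-level value.
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
            # readOnlyRootFilesystem can only be set per container.
            read_only = sc.get("readOnlyRootFilesystem", False)
            where = (pod["metadata"]["name"], c["name"])
            if not non_root:
                findings.append(where + ("runAsNonRoot not set",))
            if not read_only:
                findings.append(where + ("root filesystem writable",))
    return findings


if __name__ == "__main__":
    # Pass a saved `kubectl ... -o json` file as argv[1]; defaults to the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PODLIST
    for pod, container, problem in audit_pods(data):
        print(f"{pod}/{container}: {problem}")
```

A container that sets only a non-zero `runAsUser` is also reported; treat that finding as a prompt to review rather than a confirmed gap.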

```bash
# Create a Kind cluster
kind create cluster --name kentra-test
# Install the chart
helm dependency update
helm install kentra-platform . \
  --namespace kentra-system \
  --create-namespace \
  --set kentra-dashboard.ingress.enabled=false
```

```bash
helm lint .
```

```bash
helm template kentra-platform . --debug
```

- Issues: https://github.com/kentrasecurity/kentra/issues
- Documentation: https://github.com/kentrasecurity
See individual component licenses:
- Kentra Operator: https://github.com/kentrasecurity/kentra
- Kentra Dashboard: https://github.com/kentrasecurity/dashboard
- Grafana Loki: https://github.com/grafana/loki