# Install OX Runtime Sensor on Kubernetes (Helm) Install the OX Runtime Sensor into a Kubernetes cluster using Helm. The sensor runs as a DaemonSet, with one pod per node. ## Prerequisites * Kubernetes v1.20 and later, with `kubectl` configured for your cluster. * Helm 3. * Linux nodes with kernel v5.10 and later and BTF enabled. * Outbound HTTPS (port 443) access to `api.cloud.ox.security` * [An OX API key](/secure-runtime/ox-runtime-sensor.md). ## Step 1: Create the namespace and API key secret 1. Create the `ox-runtime` namespace: ``` kubectl create namespace ox-runtime ``` 2. Create the API key secret: ``` kubectl -n ox-runtime create secret generic ox-runtime-sensor-secret \ --from-literal=api-key= ``` Replace `` with the API key you generated. > **Note:** For production environments, it is recommended to manage secrets externally using tools such as External Secrets Operator, Sealed Secrets, or HashiCorp Vault rather than creating the secret with a literal value. If you use an external secret manager, make sure the secret already exists in the `ox-runtime` namespace before you install the sensor. ## Step 2: Install the Helm chart 1. Add the Helm repository and update it: ``` helm repo add ox-runtime-sensor-repo https://charts.cloud.ox.security helm repo update ``` 2. Install the sensor: ``` helm install ox-runtime-sensor ox-runtime-sensor-repo/ox-runtime-sensor \ --namespace ox-runtime \ --set cluster.name="" \ --set cluster.cloud_provider="" \ --set cluster.region="" \ --set cluster.account_id="" ``` | Placeholder | Description | | ------------------ | ------------------------------------------------------------------------------------------------------------------------- | | `` | Name of the Kubernetes cluster where Runtime Sensor will run | | `` | Cloud provider where the cluster is running (`aws`, `gcp`, or `azure`) | | `` | Cloud region where the Kubernetes cluster is running (for example, `us-east-1`, `europe-west1`, `westeurope`) | | `` | Cloud provider account identifier (AWS Account ID, Azure Subscription ID, or GCP Project ID, e.g. `123456789012` for AWS) | > **Note:** If your existing secret uses a different name or key field, add `--set secret.name=` and `--set secret.apiKeyField=` to the Helm command. ## Step 3: Verify ``` kubectl get daemonset ox-runtime-sensor -n ox-runtime kubectl logs -l app=ox-runtime-sensor -n ox-runtime --tail=50 ``` ## [Step 4: Connect to OX Runtime Sensor](/secure-runtime/ox-runtime-sensor.md) ## Configuration reference | Helm value | Default | Description | | ------------------------ | ---------------------- | ------------------------------------------------------------------- | | `cluster.name` | `""` | Cluster name shown in the OX UI | | `cluster.cloud_provider` | `""` | Cloud provider: `aws`, `gcp`, or `azure` | | `cluster.region` | `""` | Cloud region (for example, `us-east-1`) | | `cluster.account_id` | `""` | Cloud account ID. Quote numeric IDs (for example, `"123456789012"`) | | `image.tag` | chart default | Sensor image tag | | `priorityClassName` | `system-node-critical` | Pod priority class | For the full set of Helm values, proxy configuration, Pod Security Standards labels, and security/permissions details, see [Runtime Sensor Advanced Configuration](/secure-runtime/ox-runtime-sensor/runtime-sensor-advanced-configuration.md). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.ox.security/secure-runtime/ox-runtime-sensor/install-ox-runtime-sensor-on-kubernetes-helm.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.