Install OX Runtime Sensor on Kubernetes (Helm)

Install the OX Runtime Sensor into a Kubernetes cluster using Helm. The sensor runs as a DaemonSet, with one pod per node.

Prerequisites

Kubernetes v1.20 and later, with kubectl configured for your cluster.
Helm 3.
Linux nodes with kernel v5.10 and later and BTF enabled.
Outbound HTTPS (port 443) access to api.cloud.ox.security
An OX API key.

Step 1: Create the namespace and API key secret

Create the ox-runtime namespace:

kubectl create namespace ox-runtime

Create the API key secret:

kubectl -n ox-runtime create secret generic ox-runtime-sensor-secret \
  --from-literal=api-key=<API_KEY>

Replace <API_KEY> with the API key you generated.

Note: For production environments, it is recommended to manage secrets externally using tools such as External Secrets Operator, Sealed Secrets, or HashiCorp Vault rather than creating the secret with a literal value. If you use an external secret manager, make sure the secret already exists in the ox-runtime namespace before you install the sensor.

Step 2: Install the Helm chart

Add the Helm repository and update it:

helm repo add ox-runtime-sensor-repo https://charts.cloud.ox.security
helm repo update

Install the sensor:

helm install ox-runtime-sensor ox-runtime-sensor-repo/ox-runtime-sensor \
  --namespace ox-runtime \
  --set cluster.name="<CLUSTER_NAME>" \
  --set cluster.cloud_provider="<CLOUD_PROVIDER>" \
  --set cluster.region="<REGION>" \
  --set cluster.account_id="<ACCOUNT_ID>"

Placeholder

Description

<CLUSTER_NAME>

Name of the Kubernetes cluster where Runtime Sensor will run

<CLOUD_PROVIDER>

Cloud provider where the cluster is running (aws, gcp, or azure)

<REGION>

Cloud region where the Kubernetes cluster is running (for example, us-east-1, europe-west1, westeurope)

<ACCOUNT_ID>

Cloud provider account identifier (AWS Account ID, Azure Subscription ID, or GCP Project ID, e.g. 123456789012 for AWS)

Note: If your existing secret uses a different name or key field, add --set secret.name=<SECRET_NAME> and --set secret.apiKeyField=<FIELD> to the Helm command.

Step 3: Verify

kubectl get daemonset ox-runtime-sensor -n ox-runtime
kubectl logs -l app=ox-runtime-sensor -n ox-runtime --tail=50

Step 4: Connect to OX Runtime Sensor

Configuration reference

Helm value

Default

Description

cluster.name

""

Cluster name shown in the OX UI

cluster.cloud_provider

""

Cloud provider: aws, gcp, or azure

cluster.region

""

Cloud region (for example, us-east-1)

cluster.account_id

""

Cloud account ID. Quote numeric IDs (for example, "123456789012")

image.tag

chart default

Sensor image tag

priorityClassName

system-node-critical

Pod priority class

For the full set of Helm values, proxy configuration, Pod Security Standards labels, and security/permissions details, see Runtime Sensor Advanced Configuration.

Last updated 9 days ago

hashtagPrerequisites

hashtagStep 1: Create the namespace and API key secret

hashtagStep 2: Install the Helm chart

hashtagStep 3: Verify

hashtagStep 4: Connect to OX Runtime Sensor

hashtagConfiguration reference

Prerequisites

Step 1: Create the namespace and API key secret

Step 2: Install the Helm chart

Step 3: Verify

Step 4: Connect to OX Runtime Sensor

Configuration reference