# Runtime Sensor Advanced Configuration

The Runtime Sensor runs inside your Kubernetes cluster and operates at both the Kubernetes and node levels. In most environments, you can install it with the default configuration and no additional changes are required.

In some cases, you may need to review or adjust how the sensor is deployed, depending on your environment. For example, you may need to:

* understand its resource usage and impact on cluster nodes
* review the required permissions and security constraints
* configure network access through a proxy
* customize deployment settings using Helm values

This page brings together these aspects to help you understand how the sensor behaves in your environment and how to adapt it when needed.

## Resource footprint

The Runtime Sensor runs continuously on each node in your cluster. Understanding its resource usage helps you assess its impact on node capacity and plan deployment in production environments.

The OX Runtime Sensor runs as a DaemonSet, with one pod per node. It is designed to have minimal impact on your cluster.

Based on production measurements:

| Metric | Typical     | Peak (short spikes) |
| ------ | ----------- | ------------------- |
| CPU    | 3m – 10m    | up to 40m           |
| Memory | 63Mi – 96Mi | up to 200Mi         |

Typical CPU usage stays under 10 millicores, which is less than 1% of a single CPU core.

The sensor does not require persistent storage and uses a read-only root filesystem.

## Security and permissions requirements

The Runtime Sensor requires specific Kubernetes permissions and Linux capabilities to observe runtime activity. This section describes the access model and the security constraints that must be allowed in your cluster.

The Helm chart creates the required ClusterRole and ClusterRoleBinding automatically.

Kubernetes API access is read-only and used to enrich runtime data with metadata. No additional RBAC configuration is required.

The sensor uses eBPF to observe kernel-level activity. This requires the following Linux capabilities, which are configured by default:

| Capability         | Reason                   |
| ------------------ | ------------------------ |
| `CAP_SYS_ADMIN`    | Load eBPF programs       |
| `CAP_SYS_PTRACE`   | Access process namespace |
| `CAP_SYS_RESOURCE` | Allocate eBPF memory     |
| `CAP_IPC_LOCK`     | Map eBPF memory          |
| `CAP_SYSLOG`       | Resolve kernel symbols   |

If your cluster enforces Pod Security Standards through Pod Security Admission (PSA), label the sensor namespace with the `privileged` level, since the capabilities above are not permitted under the `baseline` or `restricted` levels:

```
kubectl label namespace ox-runtime \
  pod-security.kubernetes.io/enforce=privileged
```

## Configure a proxy (optional)

If your environment restricts outbound network traffic, you may need to configure the Runtime Sensor to communicate through a proxy. This ensures the sensor can send data to OX.

To route outbound traffic through a proxy, configure it using the `additionalEnv` Helm value:

```
helm install ox-runtime-sensor ox-runtime-sensor-repo/ox-runtime-sensor \
  --namespace ox-runtime --create-namespace \
  --set secret.create=true \
  --set secret.apiKey="<API_KEY>" \
  --set cluster.name="<CLUSTER_NAME>" \
  --set cluster.account_id="<ACCOUNT_ID>" \
  --set cluster.cloud_provider="<CLOUD_PROVIDER>" \
  --set additionalEnv[0].name=HTTPS_PROXY \
  --set additionalEnv[0].value="http://proxy.example.com:3128"
```
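As an added check that is not part of the OX chart or this documentation, the script below audits a deployed sensor DaemonSet against the capabilities and read-only root filesystem listed under Security and permissions requirements, and flags the proxy setting above when it is applied without `NO_PROXY`. It assumes the container declares its capabilities under `securityContext.capabilities.add` and honours the conventional `NO_PROXY` variable; the sample manifest is constructed.

```python
"""Check a deployed OX Runtime Sensor DaemonSet against this page's documented
security posture. Feed it `kubectl get ds ox-runtime-sensor -n ox-runtime -o json`."""
import json
import sys

# Linux capabilities the documentation says the sensor needs (without the CAP_ prefix).
DOCUMENTED_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_RESOURCE", "IPC_LOCK", "SYSLOG"}


def _norm(cap: str) -> str:
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_daemonset(ds: dict) -> list:
    """Return findings; an empty list means the DaemonSet matches the documented posture."""
    findings = []
    for c in ds["spec"]["template"]["spec"].get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        caps = {_norm(x) for x in (sc.get("capabilities") or {}).get("add", [])}
        if caps - DOCUMENTED_CAPS:
            findings.append(f"{name}: undocumented capabilities {sorted(caps - DOCUMENTED_CAPS)}")
        if DOCUMENTED_CAPS - caps:
            findings.append(f"{name}: missing documented capabilities {sorted(DOCUMENTED_CAPS - caps)}")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable (docs say read-only)")
        env = {e["name"].upper(): e.get("value", "") for e in c.get("env", [])}
        if env.get("HTTPS_PROXY") and not env.get("NO_PROXY"):
            # Assumption: the sensor honours the conventional NO_PROXY variable.
            findings.append(f"{name}: HTTPS_PROXY set without NO_PROXY; in-cluster "
                            "Kubernetes API calls may also be sent to the proxy")
    return findings


# Constructed sample: a proxied install with one extra capability added by mistake.
SAMPLE_DS = {"spec": {"template": {"spec": {"containers": [{
    "name": "ox-runtime-sensor",
    "securityContext": {
        "readOnlyRootFilesystem": True,
        "capabilities": {"add": ["SYS_ADMIN", "SYS_PTRACE", "SYS_RESOURCE",
                                 "IPC_LOCK", "SYSLOG", "NET_ADMIN"]}},
    "env": [{"name": "HTTPS_PROXY", "value": "http://proxy.example.com:3128"}],
}]}}}}

if __name__ == "__main__":
    ds = SAMPLE_DS if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_daemonset(ds)
    print("\n".join("FINDING: " + f for f in findings) or "OK: matches documented posture")
    sys.exit(1 if findings else 0)
```

Run it with no stdin to audit the constructed sample, or pipe the live DaemonSet JSON into it after an install; a non-zero exit means at least one deviation was found.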

## Helm values reference

You can customize the Runtime Sensor deployment using the Helm values below, which cover the image, cluster identity, the API key secret, the service account, and pod scheduling and security settings.

| Parameter                    | Type    | Default                       | Description                                    |
| ---------------------------- | ------- | ----------------------------- | ---------------------------------------------- |
| `image.repository`           | string  | *(OX registry)*               | Container image repository                     |
| `image.pullPolicy`           | string  | `Always`                      | Image pull policy                              |
| `image.tag`                  | string  | *(chart appVersion)*          | Container image tag                            |
| `image.pullSecrets`          | array   | `[]`                          | Image pull secrets                             |
| `cluster.name`               | string  | `""`                          | Cluster name (for example, `"prod-us-east-1"`) |
| `cluster.account_id`         | string  | `""`                          | Cloud account ID                               |
| `cluster.cloud_provider`     | string  | `""`                          | Cloud provider (`"aws"`, `"gcp"`, `"azure"`)   |
| `secret.name`                | string  | `ox-runtime-sensor-secret`    | Secret name                                    |
| `secret.apiKeyField`         | string  | `api-key`                     | Key that stores the API key                    |
| `secret.create`              | boolean | `false`                       | Whether Helm creates the secret                |
| `secret.apiKey`              | string  | `""`                          | API key value                                  |
| `serviceAccount.name`        | string  | `ox-security-service-account` | Service account name                           |
| `serviceAccount.create`      | boolean | `true`                        | Whether to create the service account          |
| `serviceAccount.annotations` | object  | `{}`                          | Service account annotations                    |
| `serviceAccount.labels`      | object  | `{}`                          | Service account labels                         |
| `nodeSelector`               | object  | `{kubernetes.io/os: linux}`   | Node selector                                  |
| `affinity`                   | object  | `{}`                          | Pod affinity rules                             |
| `tolerations`                | object  | `{}`                          | Pod tolerations                                |
| `priorityClassName`          | string  | `system-node-critical`        | Pod priority class                             |
| `appArmorProfile`            | string  | `unconfined`                  | AppArmor profile                               |
| `podAnnotations`             | object  | `{}`                          | Pod annotations                                |
| `additionalEnv`              | array   | `[]`                          | Additional environment variables               |
| `additionalLabels.labels`    | object  | `{}`                          | Additional resource labels                     |
| `runtimeClassName`           | string  | `""`                          | Runtime class name                             |
