Deploy
Helm install for full-stack, agent-only, and air-gapped environments.
Agent only (federated)
Run only the collector in an edge cluster and stream telemetry to a hub control plane you operate.
helm repo add kubehero https://charts.kubehero.io
helm install kubehero-agent kubehero/kubehero \
  --namespace kubehero-system --create-namespace \
  --set controlPlane.enabled=false \
  --set operator.enabled=false \
  --set dashboard.enabled=false \
  --set pricingEngine.enabled=false \
  --set cloud.enabled=true \
  --set cloud.hubEndpoint=https://ingress.kubehero.internal \
  --set-file cloud.clusterCert=./cluster-cert.pem
Full stack (single cluster)
Everything runs inside your cluster. No egress required.
helm install kubehero kubehero/kubehero \
  --namespace kubehero-system --create-namespace \
  -f values.yaml
See deploy/helm/kubehero/values.yaml in the source for every tunable.
Air-gapped
Pre-mirror images to your internal registry, then:
helm install kubehero kubehero/kubehero \
  -f values.yaml \
  -f values.airgap.yaml \
  --set image.registry=registry.internal.acme.com \
  --set 'imagePullSecrets[0].name=acme-regcred'
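A pre-install check for the air-gapped path, as an added example that is not part of the KubeHero docs or chart: it scans rendered manifests for image references that do not sit under the internal registry. The function names and the sample manifest (image names, tags, lookalike host) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag images in rendered manifests that are not pulled
# from the internal registry. Names and sample data are constructed.

# Usage: pipe the output of "helm template kubehero kubehero/kubehero"
# (with the same -f and --set arguments as the install) into
#   images_outside_registry registry.internal.acme.com
# Prints each distinct offending image once; returns 1 if any were found.
images_outside_registry() {
  awk -v reg="$1/" -v q="'" '
    /^[ \t]*(-[ \t]+)?image:[ \t]/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?image:[ \t]*/, "", ref)  # drop the key
      sub(/[ \t]+#.*$/, "", ref)                      # drop a trailing comment
      gsub(/"/, "", ref); gsub(q, "", ref)            # drop YAML quotes
      sub(/[ \t]+$/, "", ref)
      # Prefix match includes the "/" so a lookalike host such as
      # registry.internal.acme.com.example.net is not accepted.
      if (ref != "" && index(ref, reg) != 1 && !(ref in seen)) {
        seen[ref] = 1; print ref; bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample of rendered output (not taken from the real chart).
sample_manifests() {
  cat <<'EOF'
kind: DaemonSet
spec:
  template:
    spec:
      initContainers:
        - name: init
          image: "docker.io/library/busybox:1.36"
      containers:
        - image: registry.internal.acme.com/kubehero/collector:1.0.0
          name: collector
        - name: sidecar
          image: registry.internal.acme.com.example.net/kubehero/sidecar:1.0.0  # lookalike
---
kind: Deployment
spec:
  containers:
    - name: again
      image: 'docker.io/library/busybox:1.36'
EOF
}
```

A non-zero return means at least one pod would try to pull from outside the mirror, which in an air-gapped cluster shows up later as ImagePullBackOff.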
Troubleshooting
- "collector pods not ready" — check RBAC; the DaemonSet needs hostPID: true. On GKE Autopilot, see the GKE Autopilot guide.
- "no telemetry at control plane" — kubectl -n kubehero-system logs ds/kubehero-collector. If you see ebpf: load: invalid argument, your kernel is too old. The collector falls back to cAdvisor automatically; see --enable-cadvisor-fallback.
- "policies not firing" — confirm humanArm is false, or run kubehero cap --arm --policy <name>.