Getting Started

M9sweeper deploys as an app in your Kubernetes cluster. We like to say that it is Kubernetes-native; that is to say, you can deploy it entirely inside Kubernetes. You do not need to install complicated applications on your Kubernetes nodes. This makes it very safe and easy to install.


It can also be installed in a hub-and-spoke way, with a single m9sweeper install monitoring multiple Kubernetes clusters. This requires that you ingress traffic to m9sweeper, and is preferred if you have a lot of Kubernetes clusters.


There are 2 ways to get started:

  • Easy Install Guide - If you do not want a step-by-step wizard but still want to get it booted up with largely the defaults, start here.
  • Advanced Install Guide - This covers all the options short of reviewing the reference materials.

1 - Easy Install

Install m9sweeper with a one-liner.

You can install m9sweeper using our Helm chart with a single CLI command. Change the default username/password to your own username/password and the API key to something random and unpredictable.

helm repo add m9sweeper && \
helm repo update && \
helm upgrade m9sweeper m9sweeper/m9sweeper --install --wait --create-namespace --namespace m9sweeper-system \
  --set-string dash.init.superAdminEmail="" \
  --set-string dash.init.superAdminPassword="password" \
  --set-string global.jwtSecret="changeme" \
  --set-string global.apiKey="YOUR-API-KEY"

Many more options are available. For serious enterprise deployments, we recommend creating a helm values.yaml file and versioning this in a code repository to make upgrades easier.

For more information, please see the advanced installation guide.

2 - Advanced Install

Full list of installation options using m9sweeper’s helm chart.



We recommend putting your configuration in a values.yaml file and then deploying our app using helm. This example uses “helm upgrade --install”, which is an idempotent way of installing and/or upgrading the app. It is repeatable: the same command can be run regardless of whether you intend to upgrade or install the app.

helm repo add m9sweeper && \
helm repo update && \
helm upgrade m9sweeper m9sweeper/m9sweeper --install --wait --create-namespace --namespace m9sweeper-system \
  --values values.yaml --version latest

When implementing for our customers we automate this in a CI/CD pipeline. Upgrades can be done simply by changing which chart version you are deploying. By default, it installs the latest version, but you can add --version to install a specific version of m9sweeper.

At a minimum, you MUST specify these 4 values:

--set-string dash.init.superAdminEmail=""
--set-string dash.init.superAdminPassword="password"
--set-string global.jwtSecret="changeme"
--set-string global.apiKey="YOUR-API-KEY"
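
One way to produce a values.yaml that carries these four values with random secrets instead of the placeholders. This is an added example, not part of the m9sweeper chart or documentation; the function names, the hex secret format and the admin address in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not m9sweeper project code): create a values file holding the
# four mandatory settings, with secrets drawn from /dev/urandom.

# rand_secret N: print N random bytes as 2*N lowercase hex characters.
rand_secret() {
  head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# write_values FILE EMAIL: write FILE with owner-only permissions.
# Refuses to overwrite, so secrets already deployed are not silently replaced.
write_values() {
  file=$1
  email=$2
  case $email in
    *[!A-Za-z0-9@._+-]*) echo "unsafe character in email" >&2; return 2 ;;
    ?*@?*) ;;
    *) echo "email must look like user@host" >&2; return 2 ;;
  esac
  [ ! -e "$file" ] || { echo "$file exists, not overwriting" >&2; return 1; }
  (
    umask 077   # file is created mode 0600
    cat > "$file" <<EOF
global:
  jwtSecret: "$(rand_secret 32)"
  apiKey: "$(rand_secret 24)"
dash:
  init:
    superAdminEmail: "$email"
    superAdminPassword: "$(rand_secret 16)"
EOF
  )
}

# Usage (assumed file name), followed by the helm command shown above:
#   write_values values.yaml admin@example.com
```

Keep the generated file out of the code repository, or encrypt it before versioning, since it now holds the JWT signing secret and the super admin password.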

Validating Webhook

If you wish to have m9sweeper prevent applications from booting up that are not compliant with your specified policies, you will need the validating webhook. This installs automatically and should work without any configuration in most installations.

However, in some installations of Kubernetes, such as Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) as well as some others depending upon configuration, the Kubernetes API is not allowed to reach out to a remote cluster or a remote ingress when validating whether a pod is allowed to boot or not. Therefore, we have to set it up to connect to a pod in the local cluster, and set up the appropriate Certificate Authority, public, and private keys to enable SSL. This allows the validating webhook to be hit by the Kubernetes API when validating whether a pod is compliant and allowed to boot up. To assist in this process we have developed a script that installs an nginx reverse proxy that allows your Kubernetes API to reach the validating webhook. For information on utilizing this script, please see the scripts documentation on our GitHub page here.

Falco bulkhead Deployment

Depending on your environment, Falco can send an immense number of alerts to M9sweeper. This could overload the application and cause it to crash. To avoid this, there is an option to deploy multiple instances of M9sweeper that only take API requests sent to /api/falco.

  bulkhead: true
  replicas: 1

When set to true, this will create a separate deployment appended with “-falco”, a service, and when applicable, a service monitor. This also edits ingress, routing all API calls from Falco into the bulkhead deployment.

Configuration Options

If postgresql is enabled, then it will deploy a postgres DB. Set to false to use an external postgres DB.

  enabled: true

If rabbitmq is enabled, then it will deploy rabbitmq. Set to false to use an external rabbitmq.

  enabled: true

The following table lists the configurable parameters of the chart and the default values.

| Parameter | Description | Default |
|---|---|---|
| postgresql properties | | |
| | postgresql hostname | minesweeper-postgres |
| global.postgres.username | postgresql username | postgres |
| global.postgres.password | postgresql password | postgres |
| global.postgres.database | postgresql database | postgres |
| global.postgres.port | postgresql port | 5432 |
| rabbitmq properties | | |
| | rabbitmq hostname | minesweeper-rabbitmq |
| global.rabbitmq.port | rabbitmq port | 5672 |
| global.rabbitmq.username | rabbitmq username | guest |
| global.rabbitmq.password | rabbitmq password | guest |
| global.rabbitmq.queueName | rabbitmq queue name | trawler_queue |
| global.jwtSecret | Provide a secret string that will be used to sign JWT tokens | asdfasdfasd |
| global.baseUrl | URL will be used in email templates to reference a http link to Dash | localhost:3000 |
| global.apiKey | Provide a secret string that will be the default api key used for integrations | 1234567890 |
| global.trawlerApiKey | Provide a secret string that will be the default api key for trawler | 1234567890 |
| global.kubeBenchApiKey | Provide a secret string that will be the default kube-bench api key | 1234567890 |
| global.kubeHunterApiKey | Provide a secret string that will be the default kube-hunter api key | 1234567890 |
| global.falcoApiKey | Provide a secret string that will be the default falco API key | 1234567890 |
| Dash Properties | | |
| dash.image.registry | Registry for Dash Helm chart | |
| dash.image.repository | Repository for Dash Helm chart | m9sweeper/dash |
| dash.image.tag | Tag for Dash Helm chart | latest |
| values that will be used to initialize the Dash database during installation | | |
| dash.init.clusterGroupName | Dash Init clusterGroupName | default-cluster-group |
| dash.init.clusterName | Dash Init clusterName | default-cluster |
| dash.init.superAdminEmail | Dash Init superAdminEmail | |
| dash.init.superAdminPassword | Dash Init superAdminPassword | superadmin4me |
| dash.init.licenseKey | Dash Init licenseKey for permission to run project | `` |
| dash.init.instanceKey | Dash Init instanceKey for permission to run project | `` |
| | Dash Init Registry Name | `` |
| dash.init.docker.registries.hostname | Dash Init Registry Hostname | `` |
| dash.init.docker.registries.login_required | Dash Init login_required | `` |
| dash.init.docker.registries.username | Dash Init Registry Username | `` |
| dash.init.docker.registries.password | Dash Init password | `` |
| Trawler Configuration | | |
| trawler.image.registry | Registry for Trawler Helm chart | |
| trawler.image.repository | Repository for Trawler Helm chart | m9sweeper/trawler |
| trawler.image.tag | Tag for Trawler Helm chart | latest |
| Dash Email Properties | | |
| | Email method options are SMTP or SENDGRID | SMTP |
| | Choose smtp host | localhost |
| | Choose smtp port | 465 |
| | Choose smtp tls authentication required or not | true |
| | Choose smtp username | smtp |
| | Choose smtp password | smtp |
| | Choose email sendgridApiKey | '' |
| | Choose email senderEmail | `` |
| | Enable/disable system error email notifications | false |
| | The email address to send system error emails to | `` |
| Dash Ingress Properties | | |
| dash.ingress.hosts | Add lists of hosts | `` |
| dash.ingress.path | Add backend endpoint path | / |
| dash.ingress.k8sIngress.enabled | Set true to enable nginx ingress | false |
| dash.ingress.k8sIngress.annotations | Add annotations for nginx ingress | nginx |
| dash.ingress.k8sIngress.tls.secretName | K8s secret where certificate is stored | tls-secret |
| dash.ingress.k8sIngress.tls.hosts | Write hostname for apply tls | `` |
| Istio Config - VirtualService, DestinationRule, Gateway (optional), PeerAuthentication (optional) | | |
| dash.ingress.istio.enabled | Set true to enable Istio or false to disable | false |
| dash.ingress.istio.gateways.create | Set true to enable create istio gateways | false |
| dash.ingress.istio.gateways.gatewayRefs | Provide name to create istio gateway | istio-system/example |
| dash.ingress.istio.loadBalancerType | Write name of loadBalancerType | ROUND_ROBIN |
| dash.ingress.istio.mtlsMode | Set mtls mode, options are: PERMISSIVE or STRICT | PERMISSIVE |
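
Several defaults in this table are secrets (JWT signing secret, API keys, database and queue passwords), so a release that leaves them unset runs with publicly documented credentials. The check below is an added example, not part of the m9sweeper project; it flags keys still set to a default from the table or to a placeholder from the install commands on this page. The function names and the two-space indentation assumption are mine.

```shell
#!/bin/sh
# Added example (not m9sweeper project code): flag values still set to a
# default or placeholder that appears in this documentation.

# flatten_yaml: nested "key: value" maps on stdin -> "a.b.c=value" lines.
# Assumes two-space indentation, as helm prints; list items are skipped.
flatten_yaml() {
  awk '
    /^[ \t]*(#.*)?$/ { next }
    {
      indent = match($0, /[^ ]/) - 1
      line = substr($0, indent + 1)
      if (line !~ /^[A-Za-z0-9_]+:/) next
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ ]*/, "", val)
      gsub(/^["\047]|["\047]$/, "", val)      # drop surrounding quotes
      depth = indent / 2
      path[depth] = key
      if (val == "") next                      # parent map, no scalar value
      full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      print full "=" val
    }'
}

# find_default_secrets: values YAML on stdin; prints each dotted key whose value
# is a documented default or placeholder. Exit status 1 if any were printed.
find_default_secrets() {
  flatten_yaml | awk -F= '
    function defaults(k) {
      if (k == "global.jwtSecret") return "asdfasdfasd changeme"
      if (k ~ /^global\.[A-Za-z]*[Aa]piKey$/) return "1234567890 YOUR-API-KEY"
      if (k == "global.postgres.password") return "postgres"
      if (k == "global.rabbitmq.password") return "guest"
      if (k == "dash.init.superAdminPassword") return "superadmin4me password"
      return ""
    }
    {
      n = split(defaults($1), d, " ")
      # Concatenating "" forces a string comparison, so 01234567890 is not a match.
      for (i = 1; i <= n; i++) if (($2 "") == d[i]) { print $1; found = 1 }
    }
    END { exit found + 0 }'
}
```

Run it against a values.yaml before deploying, or pipe in `helm get values m9sweeper --namespace m9sweeper-system --all`, whose computed output also includes chart defaults that were never overridden.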