Quickstart
This page walks through a minimal install on a fresh cluster. It targets a
single-node helm install of the umbrella chart; production hardening (mTLS,
OIDC, ingress, WORM bucket) is covered in the Hardening guide.
Prerequisites
- Kubernetes ≥ 1.30 (for ValidatingAdmissionPolicy CEL).
- helm ≥ 3.14, kubectl ≥ 1.30.
- Cluster nodes on Linux kernel ≥ 5.8 (modern-eBPF baseline).
- An S3-compatible object store for the WORM evidence bucket. SeaweedFS or MinIO work out of the box; use AWS S3 with Object Lock enabled in production.
Install
The umbrella chart is published as a cosign-keyless signed OCI
artifact on GHCR. Helm 3.8+ consumes it directly; no `helm repo add` is needed.

```sh
kubectl create namespace ugallu-system
helm install ugallu oci://ghcr.io/ninsun-labs/charts/ugallu \
  --version 0.1.0-alpha.2 \
  --namespace ugallu-system \
  --set clusterIdentity.clusterID=$(kubectl config current-context) \
  --set clusterIdentity.clusterName=$(kubectl config current-context)
```

The release ships the SDK runtime singletons and seven operators
(audit-detection, dns-detect, forensics, gitops-responder,
honeypot, tenant-escape, webhook-auditor) wired to their
real images on GHCR. Four operators (backup-verify,
compliance-scan, confidential-attestation, seccomp-gen)
ship as scaffolds in this release and are disabled by default;
flip `<operator>.enabled=true` once a future release publishes
their binaries.
Verify

```sh
kubectl get crd | grep security.ugallu.io
kubectl get pods -n ugallu-system
kubectl get pods -n ugallu-system-privileged
```

You should see the SDK runtime singletons (ugallu-resolver,
ugallu-attestor, ugallu-ttl, …) and one Deployment / DaemonSet
per operator.
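The manual checks above are easy to misread on a busy namespace. The following script is an added example, not part of the Ugallu chart or its docs: it parses `kubectl get pods --no-headers` output and reports any expected runtime singleton without a Running pod, plus any pod that is not Running and fully Ready. The pod listings embedded in it are constructed sample output so the script runs offline; on a real cluster you would feed it `kubectl get pods -n ugallu-system --no-headers`. The singleton names are the three the Verify section lists; the operator pod names in the sample are assumptions.

```sh
#!/usr/bin/env bash
# Added example (not the project's own tooling): post-install health checks for
# the ugallu-system namespace, operating on `kubectl get pods --no-headers` text.
# Column layout of that output: NAME READY STATUS RESTARTS AGE

# Singleton names from the quickstart's Verify section.
EXPECTED_SINGLETONS="ugallu-resolver ugallu-attestor ugallu-ttl"

# pods_not_ready LISTING
# Prints "NAME READY STATUS" for every pod whose STATUS is not Running or whose
# READY column is not n/n (e.g. 0/1). Prints nothing when all pods are healthy.
pods_not_ready() {
  printf '%s\n' "$1" | awk '
    NF >= 3 {
      split($2, r, "/")
      if ($3 != "Running" || r[1] != r[2]) print $1 " " $2 " " $3
    }'
}

# missing_singletons LISTING
# Prints each expected singleton that has no Running pod whose name starts with
# "<singleton>-" (Deployment pods carry a ReplicaSet hash and a pod suffix).
missing_singletons() {
  local listing="$1" name
  for name in $EXPECTED_SINGLETONS; do
    printf '%s\n' "$listing" | awk -v p="$name" '
      index($1, p "-") == 1 && $3 == "Running" { found = 1 }
      END { exit found ? 0 : 1 }' || printf '%s\n' "$name"
  done
}

# install_healthy LISTING
# Returns 0 when every expected singleton is Running and no pod is unhealthy.
install_healthy() {
  [ -z "$(missing_singletons "$1")" ] && [ -z "$(pods_not_ready "$1")" ]
}

# Constructed sample: one singleton (ugallu-ttl) is crash-looping.
SAMPLE_DEGRADED='ugallu-resolver-6b9d8f7c4-x2k9q   1/1   Running            0   3m
ugallu-attestor-5c7f9d8b6-p4z7w   2/2   Running            0   3m
ugallu-ttl-7f8c6d9a5-m3n2r        0/1   CrashLoopBackOff   4   3m
audit-detection-7c6d5f4e3-q8w1e   1/1   Running            0   3m
dns-detect-dx4kq                  1/1   Running            0   3m'

# Constructed sample: everything up.
SAMPLE_HEALTHY='ugallu-resolver-6b9d8f7c4-x2k9q   1/1   Running   0   3m
ugallu-attestor-5c7f9d8b6-p4z7w   2/2   Running   0   3m
ugallu-ttl-7f8c6d9a5-m3n2r        1/1   Running   0   3m
audit-detection-7c6d5f4e3-q8w1e   1/1   Running   0   3m'

# Demonstration run on the constructed degraded sample.
echo "Singletons without a Running pod:"
missing_singletons "$SAMPLE_DEGRADED"
echo "Pods not Running/Ready:"
pods_not_ready "$SAMPLE_DEGRADED"
if install_healthy "$SAMPLE_DEGRADED"; then echo "degraded sample: OK"; else echo "degraded sample: NOT healthy"; fi
if install_healthy "$SAMPLE_HEALTHY"; then echo "healthy sample: OK"; else echo "healthy sample: NOT healthy"; fi
```

Run it as-is to see the output for the two embedded samples; to check a live cluster, replace the sample strings with `"$(kubectl get pods -n ugallu-system --no-headers)"`. Treating a missing singleton as a hard failure matters because the attestor is what signs and seals SecurityEvents, so a cluster where it is not Running silently stops producing evidence.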
First SecurityEvent

```sh
kubectl apply -f - <<'EOF'
apiVersion: security.ugallu.io/v1alpha1
kind: SecurityEvent
metadata:
  generateName: hello-
  namespace: ugallu-system
spec:
  class: Audit
  type: KubernetesAPICall
  severity: info
  source:
    apiVersion: security.ugallu.io/v1alpha1
    kind: ugallu-quickstart
    name: hello
    version: v0
  subject:
    kind: Cluster
    name: cluster
  signals:
    note: hello from the quickstart
EOF
kubectl get securityevent -n ugallu-system
```

The attestor picks the SE up, signs it cosign-keyless, anchors the record in Rekor, and seals the bundle into the WORM bucket.
Next steps
- Architecture - operator inventory and how they compose.
- Hardening - mTLS, RBAC tightening, OIDC, Object Lock policies.
- Observability - Prometheus metrics + Grafana dashboards shipped with the chart.