Quickstart

This page walks through a minimum install on a fresh cluster. It targets a `helm install` of the umbrella chart on a single node; production hardening (mTLS, OIDC, ingress, WORM bucket) is covered in the Hardening guide.

  • Kubernetes ≥ 1.30 (for ValidatingAdmissionPolicy CEL).
  • helm ≥ 3.14, kubectl ≥ 1.30.
  • Cluster nodes on Linux kernel ≥ 5.8 (modern-eBPF baseline).
  • An S3-compatible object store for the WORM evidence bucket. SeaweedFS or MinIO work out of the box; use AWS S3 with Object Lock enabled in production.
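A pre-flight script for the prerequisites above, added here as an example that is not part of the ugallu chart or its docs: it compares the versions reported by kubectl, helm and each node's kernel against the minimums listed, field by field, so that 1.30 is correctly read as newer than 1.9. It assumes kubectl already points at the target cluster and that `kubectl version` and `helm version --short` print their standard version strings.

```shell
#!/bin/sh
# Pre-flight check for the Quickstart prerequisites (added example, not part of the ugallu chart).
# Assumes kubectl already points at the target cluster and that `kubectl version` and
# `helm version --short` print their usual "Client Version: v1.30.x" / "v3.14.x" strings.

# Drop a leading "v" and any suffix such as "+k3s1" or "-91-generic", keeping "MAJOR.MINOR[.PATCH]".
clean_version() { printf '%s' "$1" | sed -e 's/^v//' -e 's/[^0-9.].*$//'; }

# version_ge HAVE WANT: exit 0 when HAVE >= WANT. Each dotted field is compared as an integer,
# so 1.30 >= 1.9 and 5.15.0 >= 5.8 hold; a missing field counts as 0, an empty HAVE fails.
version_ge() {
  have=$(clean_version "$1"); want=$(clean_version "$2"); i=1
  while :; do
    # Trailing "." guarantees cut sees a delimiter even for a bare "5".
    h=$(printf '%s.' "$have" | cut -d. -f"$i"); w=$(printf '%s.' "$want" | cut -d. -f"$i")
    [ -z "$h" ] && [ -z "$w" ] && return 0
    h=${h:-0}; w=${w:-0}
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
    i=$((i + 1))
  done
}

# check LABEL HAVE WANT: one report line per prerequisite; returns 1 on a miss.
check() {
  if version_ge "$2" "$3"; then echo "ok    $1: ${2:-<none>} (need >= $3)"; return 0; fi
  echo "FAIL  $1: ${2:-<none>} (need >= $3)"; return 1
}

preflight() {
  rc=0
  check "kubectl client" "$(kubectl version --client | awk '/^Client Version/ {print $3}')" 1.30 || rc=1
  check "kube-apiserver" "$(kubectl version | awk '/^Server Version/ {print $3}')" 1.30 || rc=1
  check "helm" "$(helm version --short)" 3.14 || rc=1
  # One "<node>=<kernel>" token per node from status.nodeInfo; a for loop keeps rc in this shell.
  nodes=$(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}={.status.nodeInfo.kernelVersion}{" "}{end}')
  for entry in $nodes; do check "kernel on ${entry%%=*}" "${entry#*=}" 5.8 || rc=1; done
  return "$rc"
}

# Only talk to the cluster when invoked as: sh preflight.sh --run
case "${1:-}" in --run) preflight ;; esac
```

A non-zero exit means at least one prerequisite is below the minimum; the FAIL lines name which one.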

The chart repository is published from ninsun-labs/ugallu.io to ugallu.io/charts as a standard Helm v3 repo. An OCI mirror at oci://ghcr.io/ninsun-labs/charts ships the same artifacts cosign-signed.

helm repo add ugallu https://ugallu.io/charts/
helm repo update

kubectl create namespace ugallu-system
helm install ugallu ugallu/ugallu \
  --namespace ugallu-system \
  --set clusterIdentity.clusterID="$(kubectl config current-context)" \
  --set clusterIdentity.clusterName="$(kubectl config current-context)"

The default values keep every operator enabled but in placeholder mode (a busybox sleep), so the chart renders cleanly while you finish wiring the WORM bucket and the optional integrations (Velero, Falco, Tetragon, Keycloak). Set each component's `placeholder` value to `false` once its prerequisites are satisfied.

kubectl get crd | grep security.ugallu.io
kubectl get pods -n ugallu-system
kubectl get pods -n ugallu-system-privileged

You should see the SDK runtime singletons (ugallu-resolver, ugallu-attestor, ugallu-ttl, …) and one Deployment / DaemonSet per operator.

kubectl apply -f - <<'EOF'
apiVersion: security.ugallu.io/v1alpha1
kind: SecurityEvent
metadata:
  generateName: hello-
  namespace: ugallu-system
spec:
  class: Audit
  type: KubernetesAPICall
  severity: info
  source:
    apiVersion: security.ugallu.io/v1alpha1
    kind: ugallu-quickstart
    name: hello
    version: v0
  subject:
    kind: Cluster
    name: cluster
  signals:
    note: hello from the quickstart
EOF
kubectl get securityevent -n ugallu-system

The attestor picks the SecurityEvent up, signs it with cosign keyless signing, anchors the record in Rekor, and seals the bundle into the WORM bucket.

  • Architecture - operator inventory and how they compose.
  • Hardening - mTLS, RBAC tightening, OIDC, Object Lock policies.
  • Observability - Prometheus metrics + Grafana dashboards shipped with the chart.