Deepfactor is now part of Cisco.
Deepfactor's Application Security Platform will no longer be offered for sale or renewal effective September 20, 2024.

Install Deepfactor portal using Helm

This document outlines how to install the Deepfactor portal in your Kubernetes cluster using a Helm chart. This installation process is intended for scenarios where customization needs to be performed during the installation.

For a simpler installation process that uses default choices for most options, visit Deploying Deepfactor Portal in your Kubernetes Cluster.

 

Requirements

To deploy the Deepfactor portal on Kubernetes, the following are required.

  1. kubectl
  2. kubeconfig for your Kubernetes cluster
  3. Helm v3
  4. A Kubernetes cluster with version 1.23 or later. 8 vCPU and 32 GB of RAM are recommended.
  5. A valid Deepfactor Portal key. You can obtain the key by registering on Deepfactor’s website.
  6. TLS Certificates in PEM format.

 

Installation

Create deepfactor namespace

kubectl create ns deepfactor

 

Generate TLS certificate

Deepfactor allows users to generate the certificate using different methods. Please choose one of the following options based on your organization’s strategy to generate/maintain certificates.

cert-manager

Add the following section to the override.yaml

ingress:
  hostName: <your_portal_hostname>
  certManager:
    enabled: true
  cert-manager:
    enablemodule: true
    installCRDs: true

 

If you have already installed cert-manager in your K8s cluster, please set enablemodule: false under the cert-manager section.

 

Self signed certificate

Download the required helper scripts from Deepfactor.

# create a directory for the files
mkdir deepfactor-certs

# change directory
cd deepfactor-certs/

wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/generate-cert.sh
wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/openssl-portal.cnf
wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/openssl-portalca.cnf

Navigate to the download directory and run the script generate-cert.sh with your preferred domain name as the argument to the script.

chmod +x generate-cert.sh
sudo ./generate-cert.sh <DNS-of-your-portal>

 

Create Kubernetes secret from the certificates generated by the previous step.

# create new certificates secret
kubectl -n deepfactor create secret generic df-certs-ingress \
--from-file=tls.crt=portal.crt --from-file=tls.key=portal.key \
--from-file=ca.crt=portalca.crt
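
Before the files go into the df-certs-ingress secret, it helps to confirm that the key matches the certificate, that the certificate chains to the CA file, and that it covers the portal hostname. The function below is an added example, not part of Deepfactor's scripts; it assumes generate-cert.sh produced portal.crt, portal.key and portalca.crt as used in the command above, and the return codes are this example's own.

```shell
#!/bin/sh
# Added example, not a Deepfactor script. File names follow the page's
# kubectl command; the checks and return codes are this example's own.

# check_portal_cert CERT KEY CA HOSTNAME
# Returns 0 when every check passes, otherwise a code naming the failed check.
check_portal_cert() {
    crt=$1; key=$2; ca=$3; host=$4

    # 1. Files must parse as an X.509 certificate and a private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate $crt" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key $key" >&2; return 1; }

    # 2. tls.key must be the key for tls.crt: compare the two public keys.
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 2; }

    # 3. tls.crt must chain to the CA that will be shipped as ca.crt.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "certificate does not verify against $ca" >&2; return 3; }

    # 4. The portal hostname must be covered by the certificate's names.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match" ||
        { echo "certificate is not valid for $host" >&2; return 4; }

    # 5. Reject a certificate that expires within the next 30 days.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "certificate expires within 30 days" >&2; return 5; }

    return 0
}

# Usage, from the deepfactor-certs directory before creating the secret:
#   check_portal_cert portal.crt portal.key portalca.crt <DNS-of-your-portal>
```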

 

 

AWS private CA certificate

Install Cert Manager

helm repo add jetstack https://charts.jetstack.io
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.6.1 \
--set prometheus.enabled=false

 

Create an IAM OIDC provider for your cluster

https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html

Create a service account for AWS PCA issuer and add helm

In the following example, please replace the AWS region as applicable.

eksctl create iamserviceaccount \
 --region=us-east-2 \
 --cluster=qa-test-awspca \
 --namespace=aws-pca-issuer \
 --name=aws-pca-issuer \
 --attach-policy-arn=arn:aws:iam::<Your Account ID>:policy/certificate-manager-policy \
 --override-existing-serviceaccounts --approve

 

Install Helm Chart For AWS PCA

helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer 
helm repo update 
helm install aws-pca-issuer awspca/aws-privateca-issuer -n aws-pca-issuer \
      --set serviceAccount.create=false --set serviceAccount.name=aws-pca-issuer

 

Create issuer for AWS PCA

cat <<EOF | kubectl -n deepfactor apply -f -
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAIssuer
metadata:
  name: df-awspcs-issuer
spec:
  arn: arn:aws:acm-pca:us-east-2:<Your Account ID>:certificate-authority/b7a66d42-65da-4970-9ebe-429988b68430
  region: us-east-2
EOF

 

Create certificate for the portal

Create yaml for Certificate as follows.

kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: app.deepfactor.io
spec:
  commonName: app.deepfactor.io
  dnsNames:
    - app.deepfactor.io
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAIssuer
    name: df-awspcs-issuer
  renewBefore: 360h0m0s
  secretName: app.deepfactor.io
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 2048

 

Use the following commands to create the certificate using the file (cert.yaml) created above

kubectl -n deepfactor apply -f cert.yaml

 

Check certificate status

alice@localhost:~$ kubectl -n deepfactor get certificate 
NAME                READY    SECRET                 AGE 
app.deepfactor.io   True     app.deepfactor.io      13s

 

Let’s Encrypt certificate

Install Cert Manager

helm repo add jetstack https://charts.jetstack.io 
helm repo update
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml 
helm install \
 cert-manager jetstack/cert-manager \
 --namespace cert-manager \
 --create-namespace \
 --version v1.6.1 \
 --set prometheus.enabled=false

 

Create issuer for Let’s Encrypt

Create yaml file, le-issuer.yaml for Let’s Encrypt issuer as follows. Replace the highlighted configs as applicable

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: matt@example.io
    privateKeySecretRef:
      name: letsencrypt-issuer
    solvers:
      - http01:
          ingress:
            class: df-ingress-nginx

 

Use the following command to create the issuer for Let’s Encrypt using the file (le-issuer.yaml) created above.

kubectl -n deepfactor apply -f le-issuer.yaml

 

Create CA certificate

wget https://letsencrypt.org/certs/isrgrootx1.pem
kubectl -n deepfactor create secret generic deepfactor-certs --from-file=portalca.crt=isrgrootx1.pem

 

Create a certificate for the portal

Create yaml for Certificate as follows. Replace the highlighted configs as applicable

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dfp-letsencrypt.dmux.in
spec:
  secretName: dfp-letsencrypt.dmux.in
  dnsNames:
  - dfp-letsencrypt.dmux.in
  issuerRef:
    name: letsencrypt-issuer
    kind: Issuer
    group: cert-manager.io

 

Use the following commands to create a Let’s Encrypt certificate using the file (cert.yaml) created above

kubectl -n deepfactor apply -f cert.yaml

 

 

Add the Deepfactor Helm chart repo

helm repo add deepfactor https://static.deepfactor.io/helm-charts
helm repo update

 

Create an override.yaml file with your config

Note: If you are using cert-manager, replace app.deepfactor.io in secretName with the name of the secret created by the cert-manager issued certificate.

dfstartup:
  config:
    firstName: Alice
    lastName: Smith
    emailID: alice@example.io
    ttlDays: 30
ingress:
  hostName: app.deepfactor.io
  secretName: app.deepfactor.io

 

Install the portal

helm install df-stable deepfactor/deepfactor -n deepfactor \
  -f override.yaml \
  --set dfstartup.config.password=YOUR_PORTAL_PASSWORD \
  --set dfstartup.config.portalToken="YOUR_DEEPFACTOR_LICENSE_KEY_FROM_MY.DEEPFACTOR.IO"
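
Values passed with --set are visible in shell history and in the process list while helm runs. As an added example (not from the Deepfactor documentation), the function below writes dfstartup.config.password and dfstartup.config.portalToken to an owner-only values file that is passed with a second -f; the file name secrets.yaml and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not a Deepfactor script. secrets.yaml and the function name
# are this example's own; the two value keys are the ones the page sets.

# write_secret_values FILE PASSWORD TOKEN
# Writes a Helm values file holding only the two secrets, readable by the
# owner alone. Shell functions, printf and here-documents run inside the
# shell, so the values never appear in another process's argument list.
write_secret_values() {
    out=$1
    # YAML single-quoted scalars have one escape: a quote is written twice.
    pw=$(printf '%s' "$2" | sed "s/'/''/g")
    tok=$(printf '%s' "$3" | sed "s/'/''/g")

    old_umask=$(umask)
    umask 077            # a newly created file gets mode 0600
    cat > "$out" <<EOF
dfstartup:
  config:
    password: '$pw'
    portalToken: '$tok'
EOF
    umask "$old_umask"
    chmod 600 "$out"     # also tighten a file that already existed
}

# Usage (prompts without echo, then installs with both values files):
#   printf 'Portal password: '; stty -echo; read -r PW; stty echo; echo
#   printf 'License key: ';     stty -echo; read -r KEY; stty echo; echo
#   write_secret_values secrets.yaml "$PW" "$KEY"
#   helm install df-stable deepfactor/deepfactor -n deepfactor \
#     -f override.yaml -f secrets.yaml
#   rm -f secrets.yaml
```

Helm still records the supplied values in the release Secret it creates in the deepfactor namespace, so read access to Secrets in that namespace should be limited to those who may know the admin password.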

 

Advanced Configuration

The Deepfactor Helm charts support additional configurable values that can be specified in the override.yaml file.

| Parameter | Description | Default | Required |
|---|---|---|---|
| dfstartup.config.firstName | First name of the admin login for the portal | | Yes |
| dfstartup.config.lastName | Last name of the admin login for the portal | | Yes |
| dfstartup.config.emailID | Email id of the first/admin login for the portal | | Yes |
| dfstartup.config.ttlDays | The number of days to retain the telemetry | | Yes |
| dfstartup.config.password | The password of the first/admin login for the portal | | Yes |
| dfstartup.config.portalToken | The Deepfactor portal license key that can be obtained from https://my.deepfactor.io | | Yes |
| dfwebscan.enableProxiedScans | Proxy Scan Support | false | No |
| appSettings.numberOfConcurrentWebScansAllowed | The number of concurrent webscans allowed on this portal | 1 | No |
| deepfactorImageRegistry | The registry to fetch the deepfactor service images from | public.ecr.aws/deepfactor/ | No |
| imagePullSecrets | The secret that contains the image pull dockerconfig to pull from private registries | - name: "regcred" | No |
| ingress-nginx.enablemodule | The Deepfactor portal by default creates an ingress-nginx controller. You would have to disable this if you choose to use an existing ingress | true | No |
| ingress-nginx.tcp.13443 | Proxied Scan Ingress | | No |
| nginx.service.proxyPort | The port number to use for the webscan proxy | 13443 | No |
| webappsvc.zapPod.memReq | The memory request for the webscan pod | 8Gi | No |
| webappsvc.zapPod.memLimit | The memory limit for the webscan pod | 16Gi | No |
| postgres.password | The password for the postgres database used by the portal. Note: The password must be limited to alphanumeric characters | Auto-generated random password | No |
| postgres.storage.requests | The storage size that is requested for the postgres database | 100Gi | No |
| clickhouse.password | The password for the clickhouse database used by the portal. Note: The password must be limited to alphanumeric characters | Auto-generated random password | No |
| clickhouse.storage.requests | The storage size that is requested for the clickhouse database | 300Gi | No |

 

Customizations

We understand that different enterprises have different policies for Kubernetes clusters, and hence we provide a rich set of customizations for our Deepfactor K8s portal installation. You can specify an override.yaml file while deploying our Helm charts in your cluster. Some common customization scenarios are captured in the following article:

Customizing your Deepfactor Portal Deployment in K8s

Updated on September 6, 2023