Skip to main content


Visualize Kubernetes resources and monitor changes through queries and alerts.



To use this integration, you must have a running Kubernetes cluster. This integration with JupiterOne will be deployed as a pod and interact with a Kubernetes API server.

Configuration in JupiterOne

To install the Kubernetes integration in JupiterOne

  1. Navigate to the Integrations tab in JupiterOne and select Kubernetes.
  2. Click New Instance to begin configuring your integration and provide the following:
  • The Account Name used to identify the Addigy account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  1. Click Create after all values are provided and your instance appears in the list of all your Kubernetes instances.
  2. Click the name of the new instance in the list of instances, and go to the API Keys tab.
  3. Follow the prompts to create the integration API Key.
  4. Click Reveal and copy the API Key.

For the configuration in Kubernetes, you need:

  • The Integration API Key you just created
  • The Integration Instance Id (which is listed as ID in the Configuration Settings)
  • Your Account ID (listed under Account Management after clicking the gear Icon).

Configuration in Kubernetes using Helm

The easiest way to install and update the graph-kubernetes project is through the published helm chart. You can find information on how to install the JupiterOne repository here with specific information about maintain the graph-kubernetes chart here.


helm repo add jupiterone
helm repo update
helm install [RELEASE_NAME] jupiterone/graph-kubernetes --set secrets.jupiteroneAccountId="some-account-id" --set secrets.jupiteroneApiKey="some-api-key" --set secrets.jupiteroneIntegrationInstanceId="some-integration-instance-id"

Configuration in Kubernetes using standard YAML

In addition to Helm, you can utilize YAML as outlined below.


RBAC This integration expects a service account with either a specific namespace read-only access, or cluster-wide read-only access.

Creating a service account with namespace read-only access:

  1. Create a new service account using kubectl create sa jupiterone-integration.
  2. Assign namespace read-only access using kubectl create rolebinding jupiterone-integration-view --clusterrole=view --serviceaccount=default:jupiterone-integration --namespace=default.

Creating service account with cluster-wide read-only access:

  1. Create a new service account using kubectl create sa jupiterone-integration-cluster.
  2. Assign cluster-wide read-only access using kubectl apply -f clusterRole.yml and kubectl apply -f clusterRoleBinding.yml.

If you are using a different service account name or different namespace name, ensure you use the correct name in both the commands/YAML listed above.


The integration requires you to store your jupiterone account ID, jupiterone API key, and integration ID as secrets that will be read by the pod.

Update the createSecret.yml with base64-encoded values using kubectl apply -f createSecret.yml.


To deploy the built image as a pod:

  • a. To create cronjob deployment for a service account with namespace read-only access, use:
    kubectl apply -f cronjobNamespace.yml
  • b. To create deployment for a service account with entire cluster read-only access use:
    kubectl apply -f cronjobCluster.yml


  • To check if the cronjob has been created, use:

    kubectl get cronjob
  • To check if the cronjob has spawned any jobs, use:

    kubectl get job
  • To see the logs, use:

    kubectl logs --selector job-name=job-name


  • To delete the deployment, use:

    kubectl delete cronjob <name>
  • To delete the service account, use:

    kubectl delete serviceaccount <serviceaccount> -n <namespace>
  • To delete the cluster role binding, use:

    `kubectl delete clusterrolebinding <clusterrolebinding>
  • To delete the cluster role binding, use:

    kubectl delete clusterole <clusterrole>


To upgrade a particular resource such as cronjob and secrets, reapply the yaml using:

kubectl apply -f resourceFile.yaml

Telemetry and Diagnostics

The Helm charts and vanilla Kubernetes YAML are instrumented with the OpenTelemetry Collector and FluentBit with FluentBit forwarding docker logs into the OpenTelemetry Collector. If you want to forward the same telemetry to your own internal systems (CloudWatch, Prometheus, etc) configure the collector to point to them and update the manifests.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.