Kubernetes with Helm
Deploy DAST on your Kubernetes cluster using Helm.
Prerequisites
- Kubernetes cluster (1.18+)
- Helm 3 installed
- `kubectl` configured to access your cluster
- At least 2GB RAM per DAST pod
Install DAST with Helm
Basic Installation
```bash
helm install levoai-shadownet oci://levoai/levoai-shadownet \
  --namespace levoai \
  --create-namespace \
  --set key=<your-auth-key> \
  --set orgId=<your-org-id> \
  --set levoBaseUrl="https://api.levo.ai"
```
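An added example, not part of the Levo documentation: passing the auth key with `--set` leaves it in shell history and the process list, so this wrapper writes `key`, `orgId` and `levoBaseUrl` to an owner-only values file and passes it with `-f`. The `LEVO_KEY` and `LEVO_ORG_ID` environment variables and the function names are assumptions.

```bash
#!/bin/sh
# Added example: install the chart without the auth key appearing in argv.
# Assumes LEVO_KEY and LEVO_ORG_ID are exported by your CI or secret manager.
set -eu

# Escape a string for a YAML double-quoted scalar (backslash, then quote).
yaml_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Write the chart values to a temp file and print its path.
# mktemp creates the file with mode 0600, readable by the owner only.
write_values() {
  key=$1 org=$2 base=${3:-https://api.levo.ai}
  [ -n "$key" ] && [ -n "$org" ] || {
    echo "key and orgId are required" >&2
    return 1
  }
  f=$(mktemp "${TMPDIR:-/tmp}/levo-values.XXXXXX")
  {
    printf 'key: "%s"\n' "$(yaml_quote "$key")"
    printf 'orgId: "%s"\n' "$(yaml_quote "$org")"
    printf 'levoBaseUrl: "%s"\n' "$(yaml_quote "$base")"
  } > "$f"
  printf '%s\n' "$f"
}

# Install with the values file, then delete it whether or not helm succeeds.
install_dast() {
  vf=$(write_values "$LEVO_KEY" "$LEVO_ORG_ID") || return 1
  rc=0
  helm install levoai-shadownet oci://levoai/levoai-shadownet \
    --namespace levoai --create-namespace -f "$vf" || rc=$?
  rm -f "$vf"
  return "$rc"
}
```

Call `install_dast` with both variables exported. By default Helm 3 stores the supplied values with the release as a Secret in the `levoai` namespace, and `helm get values` returns them, so restrict read access to Secrets in that namespace.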
With Custom Resources
```bash
helm install levoai-shadownet oci://levoai/levoai-shadownet \
  --namespace levoai \
  --create-namespace \
  --set key=<your-auth-key> \
  --set orgId=<your-org-id> \
  --set levoBaseUrl="https://api.levo.ai" \
  --set replicaCount=3 \
  --set resources.requests.memory="2Gi" \
  --set resources.requests.cpu="1000m" \
  --set resources.limits.memory="2Gi" \
  --set resources.limits.cpu="2000m"
```
Scheduled Worker Deployment
To deploy workers that handle scheduled scans configured in the Levo dashboard:
```bash
helm install levoai-shadownet-scheduled oci://levoai/levoai-shadownet \
  --namespace levoai \
  --create-namespace \
  --set key=<your-auth-key> \
  --set orgId=<your-org-id> \
  --set levoBaseUrl="https://api.levo.ai" \
  --set scheduled=true
```
With Worker Group
Use worker groups to segment workloads across different clusters or teams:
```bash
helm install levoai-shadownet oci://levoai/levoai-shadownet \
  --namespace levoai \
  --create-namespace \
  --set key=<your-auth-key> \
  --set orgId=<your-org-id> \
  --set levoBaseUrl="https://api.levo.ai" \
  --set group="team-backend"
```
Create Secrets for LLM (Optional)
If you want to use AI-guided crawling, create a secret with your LLM API keys. The Helm chart looks for a secret named levoai-shadownet-secret:
```bash
kubectl create secret generic levoai-shadownet-secret \
  --namespace levoai \
  --from-literal=anthropic-api-key=<your-anthropic-key> \
  --from-literal=openai-api-key=<your-openai-key>
```
The deployment automatically mounts these keys as ANTHROPIC_API_KEY and OPENAI_API_KEY environment variables (both are optional).
Run a Scan
Once the DAST worker is installed in your cluster, use the Levo platform UI to run scans:
- Go to your Levo workspace
- Navigate to Security Testing → DAST
- Click New Scan
- Select On-Prem as the scan location (to use your installed runner)
- Configure your scan settings and target URL
- Click Start Scan
The scan will be executed on your cluster using the DAST worker you installed via Helm. Results will appear in the Levo dashboard.
Helm Values Reference
Core Settings
| Parameter | Description | Default |
|---|---|---|
| `key` | Levo auth key | "" |
| `orgId` | Levo organization ID | "" |
| `levoBaseUrl` | Levo platform URL | "https://api.levo.ai" |
| `replicaCount` | Number of worker replicas | 3 |
| `scheduled` | Enable scheduled worker mode | false |
| `group` | Worker group name for workload segmentation | "" |
Image Settings
| Parameter | Description | Default |
|---|---|---|
| `image.registry` | Container registry | docker.io |
| `image.repo` | Image repository | levoai |
| `image.name` | Image name | levoai-shadownet |
| `image.pullPolicy` | Image pull policy | IfNotPresent |
| `image.tagOverride` | Override image tag (defaults to chart version) | "" |
Resource Settings
| Parameter | Description | Default |
|---|---|---|
| `resources.requests.cpu` | CPU request | 500m |
| `resources.requests.memory` | Memory request | 1Gi |
| `resources.limits.cpu` | CPU limit | 2000m |
| `resources.limits.memory` | Memory limit | 2Gi |
Browser Settings
These are required for headless Chromium to work properly in containers:
| Parameter | Description | Default |
|---|---|---|
| `browser.shmSize` | Size of /dev/shm (shared memory for Chrome rendering) | 1Gi |
| `browser.tmpSize` | Size of /tmp tmpfs (Playwright artifacts) | 512Mi |
Advanced Settings
| Parameter | Description | Default |
|---|---|---|
| `extraEnv` | Additional environment variables (key-value map) | {} |
| `extraEnvVars` | Additional env vars with valueFrom support | [] |
| `extraEnvVarsCM` | ConfigMap name for environment variables | [] |
| `extraEnvVarsSecret` | Secret name for environment variables | [] |
| `secretMounts` | Mount Kubernetes Secrets as volumes | [] |
| `configMapMounts` | Mount ConfigMaps as volumes | [] |
| `podAnnotations` | Pod annotations | sidecar.istio.io/inject: "false" |
| `nodeSelector` | Node selector for pod scheduling | {} |
| `tolerations` | Pod tolerations | [] |
| `affinity` | Pod affinity rules | {} |
Accessing Internal Services
For scanning internal services within your cluster, use the internal Kubernetes DNS name as the target URL:
http://<service-name>.<namespace>.svc.cluster.local:<port>
Example:
- Service name: `my-api`
- Namespace: `default`
- Port: `8080`
- Full URL: `http://my-api.default.svc.cluster.local:8080`
The worker pods have network access to services in the cluster, allowing you to scan internal applications directly from the Levo dashboard.
Upgrading
```bash
helm upgrade levoai-shadownet oci://levoai/levoai-shadownet \
  --namespace levoai \
  --reuse-values
```
Uninstalling
```bash
helm uninstall levoai-shadownet --namespace levoai
```
Next Steps
- CLI Reference - Full command documentation
- Levo Dashboard - Configure dashboard integration
- CI/CD Integration - Automate with GitLab CI or other tools