Radar Helm Chart
Deploy Radar to your Kubernetes cluster for web-based cluster visualization and management.
See also: In-Cluster Deployment Guide for ingress and DNS setup.
Prerequisites
- Kubernetes 1.21+
- Helm 3.0+
Installation
Quick Start
helm repo add skyhook https://skyhook-io.github.io/helm-charts
helm repo update skyhook
helm upgrade --install radar skyhook/radar -n radar --create-namespace
Access via port-forward:
kubectl port-forward svc/radar 9280:9280 -n radar
open http://localhost:9280
With Ingress
helm upgrade --install radar skyhook/radar \
-n radar --create-namespace \
--set ingress.enabled=true \
--set ingress.className=nginx \
--set ingress.hosts[0].host=radar.example.com \
--set ingress.hosts[0].paths[0].path=/ \
--set ingress.hosts[0].paths[0].pathType=Prefix
With TLS
helm upgrade --install radar skyhook/radar \
-n radar --create-namespace \
--set ingress.enabled=true \
--set ingress.className=nginx \
--set ingress.hosts[0].host=radar.example.com \
--set ingress.hosts[0].paths[0].path=/ \
--set ingress.hosts[0].paths[0].pathType=Prefix \
--set ingress.tls[0].secretName=radar-tls \
--set ingress.tls[0].hosts[0]=radar.example.com
Configuration
| Parameter | Description | Default |
|---|---|---|
replicaCount |
Number of replicas | 1 |
image.repository |
Image repository | ghcr.io/skyhook-io/radar |
image.tag |
Image tag | Chart appVersion |
service.type |
Service type | ClusterIP |
service.port |
Service port | 9280 |
ingress.enabled |
Enable ingress | false |
ingress.className |
Ingress class name | "" |
timeline.storage |
Timeline storage (memory/sqlite) | memory |
persistence.enabled |
Enable PVC for SQLite | false |
traffic.prometheusUrl |
Manual Prometheus/VictoriaMetrics URL (skips auto-discovery) | "" |
resources.limits.memory |
Memory limit | 512Mi |
resources.requests.memory |
Memory request | 128Mi |
See values.yaml for all configuration options.
RBAC
The chart creates a ClusterRole with read-only access to common Kubernetes resources.
Default Permissions (Core K8s Resources)
Always granted (required for basic functionality):
| API Group | Resources |
|---|---|
Core ("") |
pods, services, configmaps, events, namespaces, nodes, pvcs, serviceaccounts, endpoints |
apps |
deployments, daemonsets, statefulsets, replicasets |
networking.k8s.io |
ingresses, networkpolicies |
batch |
jobs, cronjobs |
autoscaling |
horizontalpodautoscalers |
apiextensions.k8s.io |
customresourcedefinitions (for CRD discovery) |
Privileged Permissions (Opt-in)
Disabled by default for security:
| Feature | Value | Description |
|---|---|---|
| Secrets | rbac.secrets: true |
View secrets in resource list |
| Terminal | rbac.podExec: true |
Shell access to pods |
| Port Forward | rbac.portForward: true |
Port forwarding to pods |
| Logs | rbac.podLogs: true |
View pod logs (enabled by default) |
CRD Access
Radar discovers CRDs in your cluster. All common CRD groups are enabled by default. Granting RBAC for CRDs that don't exist has no effect.
Wildcard option: Grant read access to ALL CRDs with one setting:
--set rbac.crdGroups.all=true
This overrides individual settings below. Simpler but broader — some orgs may not allow this.
| Option | API Groups |
|---|---|
argo |
argoproj.io |
awx |
awx.ansible.com |
certManager |
cert-manager.io |
cloudnativePg |
cloudnative-pg.io |
crossplane |
crossplane.io, pkg.crossplane.io |
descheduler |
descheduler.alpha.kubernetes.io |
envoyGateway |
gateway.envoyproxy.io |
externalDns |
externaldns.k8s.io |
externalSecrets |
external-secrets.io |
flux |
*.toolkit.fluxcd.io |
gatewayApi |
gateway.networking.k8s.io |
gcpMonitoring |
monitoring.googleapis.com |
grafana |
monitoring.grafana.com, tempo.grafana.com, loki.grafana.com |
istio |
networking.istio.io, security.istio.io |
karpenter |
karpenter.sh, karpenter.k8s.aws |
keda |
keda.sh |
knative |
serving.knative.dev, eventing.knative.dev |
kubeshark |
kubeshark.io |
kured |
kured.io |
kyverno |
kyverno.io, wgpolicyk8s.io, reports.kyverno.io |
mariadb |
mariadb.mmontes.io |
nginx |
nginx.org |
openshift |
observability.openshift.io |
opentelemetry |
opentelemetry.io |
prometheus |
monitoring.coreos.com |
reflector |
reflector.v1.k8s.emberstack.com |
reloader |
reloader.stakater.com |
sealedSecrets |
sealed-secrets.bitnami.com |
strimzi |
strimzi.io, kafka.strimzi.io |
tekton |
tekton.dev |
traefik |
traefik.io, traefik.containo.us |
velero |
velero.io |
Disable groups: --set rbac.crdGroups.istio=false
Add unlisted CRDs:
rbac:
additionalCrdGroups:
- mycompany.io
Troubleshooting: "Failed to list resource" Warnings
If you see these warnings, Radar discovered a CRD but doesn't have RBAC access. This is not an error — add the API group to additionalCrdGroups if you need it.
Advanced: Custom Rules
For fine-grained control, use additionalRules to add arbitrary RBAC rules:
rbac:
additionalRules:
- apiGroups: ["custom.example.com"]
resources: ["myresources"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["delete"] # Dangerous - use with caution
Capability Detection
Radar uses its ServiceAccount permissions to access the Kubernetes API. The UI automatically detects which features are available based on RBAC and hides unavailable features (e.g., the terminal button won't appear if podExec is disabled).
Uninstalling
helm uninstall radar -n radar
kubectl delete namespace radar