This repository contains the Helm chart for deploying DevGuard, a security and vulnerability management platform, on Kubernetes clusters.
Get started by following the installation instructions in the DevGuard documentation.
You can find the default configuration values in the values.yaml file. Customize these values as needed for your deployment.
DevGuard is tested on Rancher-supported Kubernetes distributions and is supported by L3montree GmbH on the following configurations:
| DevGuard Chart | Distribution | Distribution | Kubernetes | Status |
|---|---|---|---|---|
| > 1.9.x | Rancher (>= 2.14) | K3s (>= v1.35) | >= v1.35 | Tested |
| > 1.9.x | Talos Linux (>= 1.11) | K8s (>= 1.33) | >= v1.33 | Tested |
The chart declares kubeVersion: >=1.21-0 and is expected to work on other Rancher-supported distributions (e.g. RKE2, EKS) and recent Kubernetes versions, but the configurations listed above are the ones we have validated and actively support.
- Storage: DevGuard's PostgreSQL requires a
PersistentVolumeClaim. Your cluster must provide a StorageClass — either a default one, or setpostgresql.pvc.storageClassNameexplicitly. Note that some distributions (e.g. RKE2, or Rancher's local cluster) do not ship a default StorageClass; the local-path-provisioner is a simple option for single-node setups. - Ingress: An ingress controller must be available if
api.ingress.enabled/web.ingress.enabledare used (default: enabled).
For api.image, web.image, and postgresql.image, the chart supports both:
- Full image string (for example
ghcr.io/l3montree-dev/devguard:0.13.0orghcr.io/l3montree-dev/devguard@sha256:...) - Object format with
repository,tag, optionaldigest, andpullPolicy
When digest is set in object format, it is preferred over tag and rendered as repository@digest.
The chart includes an optional Kyverno policy for supply chain security. Enable it with:
kyvernoPolicy:
enabled: true
validationFailureAction: Enforce # or AuditThe policy enforces three rules on all Pods in the namespace:
| Rule | Image | Verification |
|---|---|---|
verify-devguard-images |
ghcr.io/l3montree-dev/devguard* |
Cosign signature + SLSA provenance attestation |
verify-kratos-image |
oryd/kratos* |
Cosign signature |
verify-otel-collector-image |
otel/opentelemetry-collector-contrib* |
Keyless signature (GitHub Actions OIDC) |
For DevGuard images, the policy additionally verifies the SLSA provenance attestation and checks that:
- The builder ID is
devguard.org - The image was built from
https://github.com/l3montree-dev/devguard - The commit was authored by a known maintainer
See tests/kyverno/README.md for instructions on running the policy tests locally.