Kubernetes / Helm

May 21, 2026

Add the Helm repository

helm repo add gen0sec https://helm.gen0sec.com
helm repo update
helm search repo gen0sec
# gen0sec/synapse
# gen0sec/synapse-stack

Quick install

export ARX_KEY="your-api-key"
export SYNAPSE_VER="0.1.2"   # check `helm search repo gen0sec` for latest

helm upgrade --install synapse-stack gen0sec/synapse-stack \
  --version "$SYNAPSE_VER" \
  -n synapse --create-namespace \
  --set synapse.synapse.server.upstream="http://your-service:8080" \
  --set synapse.synapse.arxignis.apiKey="$ARX_KEY"

Wait for rollout:

kubectl -n synapse rollout status deploy/synapse-stack
kubectl -n synapse-system rollout status deploy/synapse-operator

Full install with operator

helm upgrade --install synapse-stack gen0sec/synapse-stack \
  --version "$SYNAPSE_VER" \
  -n synapse --create-namespace \
  --set global.namespaces.synapse="synapse" \
  --set global.namespaces.operator="synapse-system" \
  --set synapse.image.repository="ghcr.io/gen0sec/synapse" \
  --set synapse.image.tag="latest" \
  --set synapse.synapse.server.upstream="http://example.com" \
  --set synapse.synapse.network.disableXdp=true \
  --set synapse.synapse.arxignis.apiKey="$ARX_KEY" \
  --set synapse.synapse.contentScanning.scanExpression='http.request.method eq "POST" or http.request.method eq "PUT"' \
  --set operator.enabled=true \
  --set operator.createNamespace=true \
  --set operator.image.repository="ghcr.io/gen0sec/synapse-operator" \
  --set operator.image.tag="latest"

values.yaml reference

global:
  namespaces:
    synapse: synapse
    operator: synapse-system

synapse:
  replicaCount: 1
  image:
    repository: ghcr.io/gen0sec/synapse
    tag: latest
    pullPolicy: IfNotPresent

  synapse:
    server:
      # Upstream origin — change to your service
      upstream: "http://example.com"
    network:
      # Disable XDP for environments without eBPF/XDP support
      disableXdp: true
    arxignis:
      # Prefer Kubernetes Secrets over inline values in production
      apiKey: "REPLACE_ME"
    contentScanning:
      scanExpression: 'http.request.method eq "POST" or http.request.method eq "PUT"'

operator:
  enabled: true
  createNamespace: true
  image:
    repository: ghcr.io/gen0sec/synapse-operator
    tag: latest
    pullPolicy: IfNotPresent
  replicaCount: 1
  leaderElect: true
  serviceAccount:
    create: true
    name: ""
  rbac:
    create: true
  resources:
    requests:
      cpu: 5m
      memory: 32Mi
    limits:
      cpu: 200m
      memory: 128Mi

Install from values file:

helm upgrade --install synapse-stack gen0sec/synapse-stack \
  --version "$SYNAPSE_VER" \
  -n synapse --create-namespace \
  -f values.yaml

Notes

  • XDP in Kubernetes: XDP requires NET_ADMIN + SYS_ADMIN + BPF capabilities and a kernel that supports XDP on the CNI's virtual interfaces. Set synapse.synapse.network.disableXdp=true and use nftables/iptables mode if your cluster does not support it.
  • Interface selection on Cilium/Calico/GKE-Dataplane-V2: network.iface: "auto" now selects only the node uplink (e.g. eth0) and never CNI-managed interfaces (lxc*, cilium_*, gke*, veths, bridges). This keeps the agent at its normal ~30-50MB footprint and means it will never attach to — or clobber — the CNI's own XDP datapath, so pinning iface: "eth0" is no longer required (it remains valid). If you explicitly point Synapse at an interface that already runs another XDP program, Synapse refuses to replace it and skips that interface (warning logged) instead of breaking the other datapath.
  • API key: Store the Gen0Sec API key as a Kubernetes Secret and reference it via valueFrom.secretKeyRef rather than embedding it in values files.
  • Operator: The Synapse Operator manages CRD-driven configuration and rollout. It is optional but recommended for production deployments.
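A pre-deploy check for the API key note above and for the `tag: latest` defaults in the values.yaml reference. This is an added example, not Gen0Sec tooling or code from the original page. It assumes 2-space indentation and plain `key: value` lines; the finding labels `INLINE_SECRET` and `FLOATING_TAG` and the sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Gen0Sec tooling): lint a synapse-stack values file.
# Assumes 2-space YAML indentation and plain "key: value" lines, as in the
# values.yaml reference above. Finding labels are hypothetical names.

# Constructed sample input; the key and tags below are made up.
sample_values() {
  cat <<'EOF'
synapse:
  image:
    repository: ghcr.io/gen0sec/synapse
    tag: latest
  synapse:
    arxignis:
      apiKey: "constructed-not-a-real-key"
operator:
  image:
    tag: "1.2.3"
EOF
}

# lint_values FILE: print one finding per line; return 1 if any finding.
lint_values() {
  awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
      indent = match($0, /[^ ]/) - 1            # leading spaces give nesting depth
      line = substr($0, indent + 1)
      split(line, kv, ":"); key = kv[1]
      val = substr(line, length(key) + 2)       # text after the first colon
      sub(/[ \t]+#.*$/, "", val)                # drop trailing comment
      gsub(/^[ \t]+|[ \t]+$/, "", val)          # trim whitespace
      gsub(/^["\047]|["\047]$/, "", val)        # strip surrounding quotes
      depth = indent / 2; path[depth] = key
      full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      # A literal key in the file is readable by anyone who can read the file.
      if (full ~ /arxignis\.apiKey$/ && val != "" && val != "REPLACE_ME")
        print "INLINE_SECRET " full
      # A mutable tag lets the deployed image change without a chart change.
      if (full ~ /image\.tag$/ && val == "latest")
        print "FLOATING_TAG " full
    }
  ' "$1" | { ! grep . ; }
}

tmp=$(mktemp); sample_values > "$tmp"
lint_values "$tmp" || echo "fix the findings before: helm upgrade --install ... -f values.yaml"
rm -f "$tmp"
```

The function exits non-zero when it prints a finding, so it can gate a CI step that runs before the `-f values.yaml` install.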