Kubernetes / Helm
May 21, 2026 · View on GitHub
Add the Helm repository
helm repo add gen0sec https://helm.gen0sec.com
helm repo update
helm search repo gen0sec
# gen0sec/synapse
# gen0sec/synapse-stack
Quick install
export ARX_KEY="your-api-key"
export SYNAPSE_VER="0.1.2" # check `helm search repo gen0sec` for latest
helm upgrade --install synapse-stack gen0sec/synapse-stack \
--version "$SYNAPSE_VER" \
-n synapse --create-namespace \
--set synapse.synapse.server.upstream="http://your-service:8080" \
--set synapse.synapse.arxignis.apiKey="$ARX_KEY"
Wait for rollout:
kubectl -n synapse rollout status deploy/synapse-stack
kubectl -n synapse-system rollout status deploy/synapse-operator
Full install with operator
helm upgrade --install synapse-stack gen0sec/synapse-stack \
--version "$SYNAPSE_VER" \
-n synapse --create-namespace \
--set global.namespaces.synapse="synapse" \
--set global.namespaces.operator="synapse-system" \
--set synapse.image.repository="ghcr.io/gen0sec/synapse" \
--set synapse.image.tag="latest" \
--set synapse.synapse.server.upstream="http://example.com" \
--set synapse.synapse.network.disableXdp=true \
--set synapse.synapse.arxignis.apiKey="$ARX_KEY" \
--set synapse.synapse.contentScanning.scanExpression='http.request.method eq "POST" or http.request.method eq "PUT"' \
--set operator.enabled=true \
--set operator.createNamespace=true \
--set operator.image.repository="ghcr.io/gen0sec/synapse-operator" \
--set operator.image.tag="latest"
values.yaml reference
global:
namespaces:
synapse: synapse
operator: synapse-system
synapse:
replicaCount: 1
image:
repository: ghcr.io/gen0sec/synapse
tag: latest
pullPolicy: IfNotPresent
synapse:
server:
# Upstream origin — change to your service
upstream: "http://example.com"
network:
# Disable XDP for environments without eBPF/XDP support
disableXdp: true
arxignis:
# Prefer Kubernetes Secrets over inline values in production
apiKey: "REPLACE_ME"
contentScanning:
scanExpression: 'http.request.method eq "POST" or http.request.method eq "PUT"'
operator:
enabled: true
createNamespace: true
image:
repository: ghcr.io/gen0sec/synapse-operator
tag: latest
pullPolicy: IfNotPresent
replicaCount: 1
leaderElect: true
serviceAccount:
create: true
name: ""
rbac:
create: true
resources:
requests:
cpu: 5m
memory: 32Mi
limits:
cpu: 200m
memory: 128Mi
Install from values file:
helm upgrade --install synapse-stack gen0sec/synapse-stack \
--version "$SYNAPSE_VER" \
-n synapse --create-namespace \
-f values.yaml
Notes
- XDP in Kubernetes: XDP requires
NET_ADMIN+SYS_ADMIN+BPFcapabilities and a kernel that supports XDP on the CNI's virtual interfaces. Setsynapse.synapse.network.disableXdp=trueand use nftables/iptables mode if your cluster does not support it. - Interface selection on Cilium/Calico/GKE-Dataplane-V2:
network.iface: "auto"now selects only the node uplink (e.g.eth0) and never CNI-managed interfaces (lxc*,cilium_*,gke*, veths, bridges). This keeps the agent at its normal ~30-50MB footprint and means it will never attach to — or clobber — the CNI's own XDP datapath, so pinningiface: "eth0"is no longer required (it remains valid). If you explicitly point Synapse at an interface that already runs another XDP program, Synapse refuses to replace it and skips that interface (warning logged) instead of breaking the other datapath. - API key: Store the Gen0Sec API key as a Kubernetes Secret and reference it via
valueFrom.secretKeyRefrather than embedding it in values files. - Operator: The Synapse Operator manages CRD-driven configuration and rollout. It is optional but recommended for production deployments.