Installing JFrog Runtime Security
System Requirements
CPU and Memory Sizing Guidelines for Runtime Integrity
Nodes are considered to run an average of 100 pods.
| Number of Running Nodes | CPU | Memory |
|---|---|---|
| 100 nodes or below | 6 Cores | 16 GiB |
| 500 nodes or below | 30 Cores | 16 GiB |
| 1,000 nodes or below | Contact JFrog Support for sizing requirements |
Recommended PostgreSQL Database Sizing for Runtime Impact
Type of supported database: PostgreSQL 16
Nodes are considered to run an average of 100 pods.
| Monitored Nodes | vCPUs | Memory (GiB) | Storage Type | Storage Specs | Network Performance |
|---|---|---|---|---|---|
| Runtime Integrity (controller only setup) or 100 nodes or below | 2 | 10 | SSD | 20 GiB, 600 IOPS, 500 MBps throughput | 4,750 Mbps |
| 500 nodes and below | 10 | 32 | SSD | 100 GiB, 3000 IOPS, 500 MBps throughput | 4,750 Mbps |
| 1,000 nodes and below | Contact JFrog Support for sizing requirements |
Prerequisites
Before installing JFrog Runtime Security, ensure the following:
- kubectl and helm are installed and configured to access the Kubernetes cluster where Runtime Security will be deployed.
- A Kubernetes ingress controller is available and configured in the cluster.
- Network access is available between the cluster and the JFrog Platform.
Communication Mode
Runtime Security supports two communication modes: REST/HTTP1 and gRPC.
- REST/HTTP1 is the default and recommended mode. It works with standard ingress controllers and typical Kubernetes networking setups and does not require any special protocol support.
- gRPC requires explicit infrastructure support. If you have not already validated gRPC connectivity through your ingress, load balancer, and network policies, you should use the REST/HTTP1 installation.
Standard Installation (REST/HTTP1) - Recommended
Recommended for most environments
This method provides reliable communication over standard Kubernetes ingress using REST/HTTP1 and works in virtually all environments.
Choose this option unless you have very high event volume or a specific need for gRPC.
Install the Runtime Service (REST)
- Create runtime-values.yaml:
```yaml
global:
  deployEnv: onprem
  jfrogUrl: <add-your-public-domain-here>
postgresql:
  enabled: true
# For external DB:
# database:
#   url: postgres://<host>:5432/runtime
#   user: runtime
#   password: <password>
router:
  jfrogUrl: <artifactory-service-url>
  # Example: http://artifactory:8082
runtime:
  joinKey: <join-key>
image:
  registry: releases-docker.jfrog.io
```
- Run:
```
helm upgrade --install runtime -f runtime-values.yaml
```
Install Sensors
- In the JFrog Platform, go to Administration → Runtime Settings → Cluster Management
- Click Install Runtime to open the sensor installation wizard.
- Copy the generated installation snippet.
- For on-prem REST installations, add:
```
--set serviceCommunicationType=rest
```
Self-Signed Certificates (Sensors)
If the platform is configured with a self-signed certificate, add:
```
--set tlsInsecureSkipVerify=true
```
High-Volume Installation (gRPC)
For large-scale and high-throughput clusters only
This method is intended for environments with high scan volume or high event throughput. gRPC provides more efficient, low-latency communication but requires additional ingress configuration and gRPC-capable networking.
Preparing Your JFrog Platform
This guide assumes you are installing Runtime Security on an existing JFrog Platform.
Artifactory Update (gRPC only)
If your platform is not already configured to use an ingress controller, you must update the Artifactory Helm configuration.
Replace <add-your-public-domain-here> in ingress.hosts and tls.hosts with your actual domain.
```yaml
nginx:
  enabled: false
ingress:
  enabled: true
  defaultBackend:
    enabled: true
  hosts:
    - <add-your-public-domain-here>
  routerPath: /
  disableRouterBypass: true
  artifactoryPath: /artifactory/
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/rewrite-target: "/"
  tls:
    - secretName: artifactory-tls-secret
      hosts:
        - <add-your-public-domain-here>
```
Install the Runtime Service (gRPC)
- Create runtime-values.yaml:
```yaml
global:
  deployEnv: onprem
  jfrogUrl: <add-your-public-domain-here>
postgresql:
  enabled: true
# For external DB:
# database:
#   url: postgres://<host>:5432/runtime
#   user: runtime
#   password: <password>
router:
  jfrogUrl: <artifactory-service-url>
  # Example: http://artifactory:8082
runtime:
  joinKey: <join-key>
image:
  registry: releases-docker.jfrog.io
ingress:
  grpc:
    tlsSecretName: runtime-tls-secret
    securedBackendProtocol: false
```
- Run:
```
helm upgrade --install runtime -f runtime-values.yaml
```
Install Runtime Sensors (gRPC)
- In the JFrog Platform, go to Administration → Runtime Settings → Cluster Management
- Click Install Runtime.
- Copy and run the generated installation snippet.
Bypassing Certificate Verification
Skipping TLS verification removes the certificate check on the connection, so consider it carefully before using it in production environments.
If you are using a self-signed certificate, add:
```
--set tlsInsecureSkipVerify=true
```
Self-Signed Certificates (Runtime Service)
Runtime Service supports self-signed certificates by adding your CA to the trusted certificate bundle.
- Create a Secret
```
kubectl create secret generic runtime-custom-certs \
  --from-file=ca.crt=/path/to/ca.crt \
  --from-file=intermediate.crt=/path/to/intermediate.crt
```
- Enable in runtime-values.yaml
Global configuration:
```yaml
global:
  customCertificates:
    enabled: true
    certificateSecretName: runtime-custom-certs
```
Runtime-only configuration:
```yaml
runtime:
  customCertificates:
    enabled: true
    certificateSecretName: runtime-custom-certs
```
- Install / Upgrade
```
helm upgrade --install runtime -f runtime-values.yaml
```
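
A pre-flight gate for the two certificate options described above, added here as an example and not part of JFrog's documentation or tooling: `check_helm_args` rejects an install command that sets `tlsInsecureSkipVerify=true`, and `check_ca_file` confirms that a file destined for the `runtime-custom-certs` secret holds certificates and no private key. The function names and the sample arguments are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not JFrog tooling.

# check_helm_args ARGS...
# Returns 1 when a --set/--set-string argument enables tlsInsecureSkipVerify,
# 0 otherwise. Values files passed with -f are not inspected.
check_helm_args() {
    prev=""
    for arg in "$@"; do
        rest=""
        case "$prev" in
            --set|--set-string) rest=$arg ;;
        esac
        case "$arg" in
            --set=*|--set-string=*) rest=${arg#*=} ;;
        esac
        prev=$arg
        # One --set may carry several comma-separated key=value pairs.
        while [ -n "$rest" ]; do
            pair=${rest%%,*}
            case "$rest" in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
            case "$pair" in
                tlsInsecureSkipVerify=[Tt][Rr][Uu][Ee]|*.tlsInsecureSkipVerify=[Tt][Rr][Uu][Ee])
                    return 1 ;;
            esac
        done
    done
    return 0
}

# check_ca_file FILE
# Returns 0 when FILE holds at least one PEM certificate and no private key,
# 1 when the content is wrong, 2 when the file cannot be read.
check_ca_file() {
    [ -r "$1" ] || return 2
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then return 1; fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
    return 0
}

# Constructed sensor-install arguments (not a real generated snippet):
check_helm_args --set serviceCommunicationType=rest \
    && echo "ok: certificate verification stays on"
check_helm_args --set serviceCommunicationType=rest,tlsInsecureSkipVerify=true \
    || echo "blocked: tlsInsecureSkipVerify=true skips certificate verification"
```

Run `check_ca_file` on each path before the `kubectl create secret` step, and `check_helm_args` on the arguments of the generated snippet in the pipeline that applies it.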
