Skip to main content
The ChangeGuard operator manages the full lifecycle of data collection, security scanning, runtime detection, and AI analysis through a single ChangeGuardAgent custom resource.

One-Line Install

curl -sL https://install.changeguard.ai | \
  CG_API_KEY=YOUR_API_KEY \
  CG_CLUSTER_NAME=production \
  CG_PROVIDER=EKS sh

What Gets Deployed

ResourceTypePurpose
changeguard-operatorDeploymentController (watches ChangeGuardAgent CRDs)
changeguard-collectorDeploymentRead-only data collector (snapshots every 10s)
changeguard-benchCronJobCIS benchmark scanner (KubeBench)
changeguard-grypeCronJobContainer image CVE scanner
changeguard-syftCronJobSBOM generator
changeguard-plutoCronJobDeprecated API detector
changeguard-falcoDaemonSetRuntime syscall monitor (every node)
changeguard-sidekickDeploymentFalco alert forwarder

RBAC

The operator creates a ClusterRole with read-only access. It reads pods, deployments, nodes, events, services, RBAC objects (for Identity & Access and Attack Paths), network policies, and metrics, plus ArgoCD Application and Flux (Kustomization, HelmRelease, Source) custom resources for GitOps discovery. GitOps state is read directly from those resources — no ArgoCD or Flux API token is required — and the agent never reads application Secrets.
The agent never reads or stores application secrets.

Requirements

  • Kubernetes 1.25+
  • helm 3.8+ and kubectl (for installation)
  • Outbound HTTPS to api.changeguard.ai
  • For Falco: Linux kernel 5.8+ (modern_ebpf driver)

Helm Install

helm repo add changeguard https://charts.changeguard.ai
helm repo update
helm upgrade --install changeguard changeguard/changeguard-operator \
  --namespace changeguard-system --create-namespace \
  --set agent.apiKey=YOUR_API_KEY \
  --set agent.clusterName=production \
  --set agent.provider=EKS \
  --set agent.security.enabled=true

Uninstall

kubectl delete changeguardagent changeguard -n changeguard-system
helm uninstall changeguard -n changeguard-system
kubectl delete namespace changeguard-system
kubectl delete crd changeguardagents.changeguard.ai