Prerequisites
- A Kubernetes cluster (EKS, GKE, AKS, or any CNCF-conformant cluster)
kubectl configured and pointing at your clusterhelm 3.8+ installed — the installer is a thin wrapper around a Helm install- A ChangeGuard account (start free trial)
Step 1: Get Your API Key
After signing up, your API key is shown on the confirmation screen. You can also create keys in Settings → API Keys → Create Key.
Save your API key immediately — it cannot be retrieved after creation. Only the prefix is stored.
Step 2: Install the Operator
curl -sL https://install.changeguard.ai | \
CG_API_KEY=YOUR_API_KEY CG_CLUSTER_NAME=my-cluster-name sh
- Data collector — read-only snapshot agent pushing every 10 seconds
- KubeBench — CIS Kubernetes benchmark scanning (every 6 hours)
- Grype — container image CVE scanning (every 4 hours + on new deploys)
- Falco — runtime syscall threat detection (continuous, every node)
- Pluto — deprecated Kubernetes API detection (every 12 hours)
- Syft — software bill of materials generation (every 8 hours)
Step 3: Verify
kubectl get changeguardagent -n changeguard-system
NAME CLUSTER CSC PHASE PUSHES AGE
changeguard my-cluster 87 Running 142 2m
Step 4: View Your Dashboard
Go to app.changeguard.ai and log in. Your cluster appears in the sidebar within 10 seconds.
Install Options
The one-liner is configured with environment variables:
| Variable | Default | Description |
|---|
CG_API_KEY | required | Your ChangeGuard API key (starts with cg_) |
CG_CLUSTER_NAME | required | Display name for this cluster |
CG_PROVIDER | Kubernetes | EKS, GKE, AKS, or Kubernetes |
changeguard-system namespace. For a custom namespace, air-gapped or OCI installs, GitOps, or finer-grained values, install the Helm chart directly.
Uninstall
kubectl delete changeguardagent changeguard -n changeguard-system
helm uninstall changeguard -n changeguard-system
kubectl delete namespace changeguard-system
kubectl delete crd changeguardagents.changeguard.ai
