System Requirements
CPU and Memory Sizing Guidelines for Runtime Integrity
Nodes are considered to run an average of 100 pods.
| Number of Running Nodes | CPU | Memory |
|---|---|---|
| 100 nodes or below | 6 Cores | 16 GiB |
| 500 nodes or below | 30 Cores | 16 GiB |
| 1,000 nodes or below | Contact JFrog Support for sizing requirements | |
Recommended PostgreSQL Database Sizing for Runtime Impact
Type of supported database: PostgreSQL 16
Nodes are considered to run an average of 100 pods.
| Monitored Nodes | vCPUs | Memory (GiB) | Storage Type | Storage Specs | Network Performance |
|---|---|---|---|---|---|
| Runtime Integrity (controller only setup) or 100 nodes or below | 2 | 10 | SSD | 20 GiB, 600 IOPS, 500 MBps throughput | 4,750 Mbps |
| 500 nodes and below | 10 | 32 | SSD | 100 GiB, 3000 IOPS, 500 MBps throughput | 4,750 Mbps |
| 1,000 nodes and below | Contact JFrog Support for sizing requirements | | | | |
Prerequisites:
Ensure your kubectl and helm clients can access the Kubernetes cluster where you want to install the Runtime Service.
You must have an ingress controller configured, preferably Ingress-Nginx with TLS. JFrog officially supports the Nginx ingress controller. Other ingress controllers can also work if they are properly configured to support gRPC communication.
Note
Most ingress controllers support gRPC, but configurations vary. If you're using a non-Nginx ingress controller, make sure you're familiar with how to configure gRPC support. If unsure, you can configure the service to fall back to HTTP1/JSON instead.
Runtime gRPC Access
The Runtime Service exposes a gRPC API over the web. While gRPC is supported by most ingress controllers, misconfiguration can lead to failed installations. To avoid issues:
If you're confident in configuring gRPC with your ingress controller, proceed with the default setup.
If you're unsure, configure the Runtime Service to use HTTP1/JSON as a fallback. Details on this configuration are provided later in the guide.
Preparing your JFrog Platform
This guide describes installing JFrog Runtime Security on a pre-existing JFrog Platform.
JFrog Charts
For the installation of the different JFrog platform components, you will need access to the JFrog Charts Repository. Add and update the JFrog Helm chart repository in your local configuration:
helm repo add jfrog https://charts.jfrog.io --force-update
Artifactory Update
JFrog Platform with JFrog Runtime Security requires setting the JPD with an ingress controller. If your platform is already configured to work with an ingress controller you can skip this part. For Artifactory to work with an ingress controller you need to update your Artifactory configuration. Set the following chart values along with the Helm install/upgrade command or pass it in a values.yaml file. Make sure to replace <add-your-public-domain-here> in the ingress.hosts and tls.hosts sections with your actual domain name.
```yaml
# Disable the chart's bundled Nginx and route traffic through the ingress controller
nginx:
  enabled: false
ingress:
  enabled: true
  defaultBackend:
    enabled: true
  hosts:
    - <add-your-public-domain-here>
  routerPath: /
  disableRouterBypass: true
  artifactoryPath: /artifactory/
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/rewrite-target: "/"
  tls:
    - secretName: artifactory-tls-secret
      hosts:
        - <add-your-public-domain-here>
```
Install the Runtime Service
To install the Runtime Service on the JFrog Platform create a new file named runtime-values.yaml with the following content:
```yaml
global:
  deployEnv: onprem
  jfrogUrl: <add-your-public-domain-here>
postgresql:
  enabled: true
# To use an external database, comment the section above and use the following:
# database:
#   url: postgres://<host>:5432/runtime
#   user: runtime
#   password: <password>
ingress:
  grpc:
    tlsSecretName: runtime-tls-secret
    securedBackendProtocol: false
router:
  jfrogUrl: <artifactory-service-url> # Example: http://artifactory:8082
runtime:
  joinKey: <join-key> # The same join key as used in Artifactory
  enableGrpcGateway: true
image:
  registry: releases-docker.jfrog.io
```
Run the following to install the runtime service:
helm upgrade --install runtime -f runtime-values.yaml
Install Runtime Sensors
To install sensors:
In the JFrog Platform, go to Administration > Runtime > Sensor Management.
Click Install Runtime to open the sensor installation wizard.
Copy the generated installation snippet.
If you're using a non-Nginx ingress controller and aren't sure how to configure gRPC, update the sensor installation command with:
--set serviceCommunicationType=rest
This will switch communication to HTTP1/JSON, which is more universally supported with minimal configuration.
If you're using a self-signed certificate, add:
--set tlsInsecureSkipVerify=true
Note
Skipping TLS verification should be carefully considered in production environments, based on your organization’s security requirements and risk posture.
Bypassing Certificate Verification
If you’re using a self-signed certificate, you need to configure the sensors to bypass verification of the server's certificate chain and hostname. To apply this configuration, set the following value in the sensor installation snippet you copied from the sensor installation wizard: --set tlsInsecureSkipVerify=true
Note
Note that this setup should be carefully reconsidered for production environments based on your organization’s security requirements and constraints.
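A flag such as tlsInsecureSkipVerify=true tends to outlive the test setup it was added for. The following is an added example, not part of the JFrog documentation: it audits the user-supplied values of sensor releases, in the JSON form printed by `helm get values <release> -o json`, for the two overrides described on this page. The release names and sample outputs are constructed for illustration.

```python
import json

# Value names come from the sensor install flags on this page.
SKIP_VERIFY_KEY = "tlsInsecureSkipVerify"
COMM_TYPE_KEY = "serviceCommunicationType"


def _is_true(value):
    # `--set k=true` is stored as a JSON boolean, `--set-string k=true` as "true".
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def audit_sensor_values(release, values_json):
    """Return (severity, message) findings for one release's user-supplied values."""
    text = values_json.strip()
    # Helm prints `null` when a release was installed without overrides.
    values = (json.loads(text) if text else None) or {}
    findings = []
    if _is_true(values.get(SKIP_VERIFY_KEY)):
        findings.append(("high", f"{release}: {SKIP_VERIFY_KEY} is enabled; "
                         "the server certificate chain and hostname are not verified"))
    comm = values.get(COMM_TYPE_KEY)
    if isinstance(comm, str) and comm.strip().lower() == "rest":
        findings.append(("info", f"{release}: {COMM_TYPE_KEY}=rest; "
                         "HTTP1/JSON fallback is in use instead of gRPC"))
    return findings


# Constructed sample data: release names and outputs are hypothetical.
SAMPLE_RELEASES = {
    "sensors-prod": "null",
    "sensors-staging": '{"serviceCommunicationType": "rest"}',
    "sensors-lab": '{"tlsInsecureSkipVerify": true, "serviceCommunicationType": "rest"}',
    "sensors-old": '{"tlsInsecureSkipVerify": "true"}',
}


def audit_all(releases):
    """Audit every release and return findings with 'high' severity first."""
    found = [f for name, out in releases.items() for f in audit_sensor_values(name, out)]
    return sorted(found, key=lambda f: f[0] != "high")


if __name__ == "__main__":
    for severity, message in audit_all(SAMPLE_RELEASES):
        print(f"[{severity}] {message}")
```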