Installation

Add the Helm repository

helm repo add k8s-sustain https://noony.github.io/k8s-sustain
helm repo update

Install with bundled Prometheus

The default installation deploys the operator, the admission webhook, and a Prometheus instance with the required recording rules pre-configured.

helm install k8s-sustain k8s-sustain/k8s-sustain \
  --namespace k8s-sustain \
  --create-namespace

Install with an existing Prometheus

If you already have Prometheus running, disable the bundled instance and point the operator at yours:

helm install k8s-sustain k8s-sustain/k8s-sustain \
  --namespace k8s-sustain \
  --create-namespace \
  --set prometheus.enabled=false \
  --set prometheusAddress=http://prometheus.monitoring.svc:80

Recording rules required

When prometheus.enabled=false, you must install the recording rules manually. Copy the rule groups from prometheus.server.serverFiles in values.yaml into your existing Prometheus configuration. If you use the Prometheus Operator, enable controller.serviceMonitor.enabled=true to deploy the PrometheusRule and ServiceMonitor CRDs instead.

Install without the admission webhook

If you only need Ongoing mode (no OnCreate), you can disable the webhook entirely. This removes the TLS certificate requirement.

helm install k8s-sustain k8s-sustain/k8s-sustain \
  --namespace k8s-sustain \
  --create-namespace \
  --set webhook.enabled=false

Install in recommend-only mode (dry-run)

Run the operator without applying any changes. Recommendations are logged as structured JSON but workloads and pods are never modified.

helm install k8s-sustain k8s-sustain/k8s-sustain \
  --namespace k8s-sustain \
  --create-namespace \
  --set recommendOnly=true

Once you are satisfied with the logged recommendations, disable recommend-only mode:

helm upgrade k8s-sustain k8s-sustain/k8s-sustain \
  --namespace k8s-sustain \
  --reuse-values \
  --set recommendOnly=false

The chart creates a self-signed Issuer and Certificate automatically — just enable cert-manager:

helm install k8s-sustain k8s-sustain/k8s-sustain \
  --namespace k8s-sustain \
  --create-namespace \
  --set webhook.certManager.enabled=true

See the cert-manager guide for using your own Issuer.
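
With the self-signed Issuer described above, the API server can only verify the webhook if the CA bundle was injected into the webhook registration. The following check is an added example, not part of the k8s-sustain chart or docs; it assumes the chart registers its admission webhook against a Service in the k8s-sustain namespace, and the webhook names and bundle value in the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the k8s-sustain project): audit webhook registrations
# whose backing Service lives in the release namespace used on this page.
NS="${NS:-k8s-sustain}"

# One TSV row per webhook: name, service namespace, failurePolicy, caBundle.
dump_webhooks() {
  kubectl get mutatingwebhookconfigurations,validatingwebhookconfigurations \
    -o jsonpath='{range .items[*]}{range .webhooks[*]}{.name}{"\t"}{.clientConfig.service.namespace}{"\t"}{.failurePolicy}{"\t"}{.clientConfig.caBundle}{"\n"}{end}{end}'
}

# Read those rows on stdin and report every webhook served from namespace $1.
# Exit status: 0 = all carry a CA bundle, 1 = at least one does not,
# 2 = no webhook found (expected after --set webhook.enabled=false).
audit_webhooks() {
  awk -F '\t' -v ns="$1" '
    $2 != ns { next }
    { seen++ }
    $4 == "" { printf "FAIL %s: empty caBundle, failurePolicy=%s\n", $1, $3; bad++; next }
    { printf "OK   %s: caBundle set, failurePolicy=%s\n", $1, $3 }
    END { if (!seen) exit 2; if (bad) exit 1 }
  '
}

# Constructed sample rows (webhook names and bundle value are made up).
sample_rows() {
  printf 'pods.sustain.example\tk8s-sustain\tIgnore\tQ09OU1RSVUNURUQ=\n'
  printf 'workloads.sustain.example\tk8s-sustain\tFail\t\n'
  printf 'unrelated.example\tkube-system\tFail\t\n'
}

# Offline demo on the sample; against a cluster run: dump_webhooks | audit_webhooks "$NS"
sample_rows | audit_webhooks "$NS" || true
```

A FAIL row with failurePolicy=Fail means matching requests are rejected until the bundle is present; with failurePolicy=Ignore they are admitted without passing through the webhook.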

Verify the installation

kubectl get pods -n k8s-sustain

Expected output:

NAME                                        READY   STATUS    RESTARTS   AGE
k8s-sustain-<hash>                          1/1     Running   0          1m
k8s-sustain-webhook-<hash>                  1/1     Running   0          1m

Check the controller logs:

kubectl logs -n k8s-sustain -l 'app.kubernetes.io/name=k8s-sustain,app.kubernetes.io/component!=webhook'

Check the webhook logs:

kubectl logs -n k8s-sustain -l app.kubernetes.io/component=webhook

Upgrading

helm repo update
helm upgrade k8s-sustain k8s-sustain/k8s-sustain \
  --namespace k8s-sustain \
  --reuse-values

Uninstalling

helm uninstall k8s-sustain -n k8s-sustain

CRD retention

The Policy CRD is annotated with helm.sh/resource-policy: keep and will not be deleted on uninstall to protect existing Policy objects. Delete it manually if needed:

kubectl delete crd policies.k8s.sustain.io