Docs/Agent/Install with Helm

Install the Agent with Helm

The reel cluster agent runs as a Kubernetes DaemonSet and captures container state from every node. Install it with a single Helm command.

How it works

The agent is a DaemonSet — one pod per node. Each agent pod works entirely against its own node:

It talks to the node's container runtime (containerd, CRI-O, or Docker) to see the containers actually running there.
It captures their state — SBOM, CBOM, malware scan, filesystem layers, CRIU checkpoints, memory — before pods are reaped.
It ships the evidence to your S3 bucket; large artifacts go straight to S3, not through any central service.

There is no central controller and nothing to scale separately — capture is node-local, so it grows with the cluster. The agent verifies its license offline (no call-home), so it runs in air-gapped clusters too.

Prerequisites

Kubernetes 1.25+ and Helm 3.
A license token — get a free one (up to 9 nodes) on the pricing page.
An S3 bucket and credentials, if you want scheduled uploads to an evidence vault (optional).
CRIU on the nodes for checkpoint and memory capture (optional — SBOM, CBOM, and layers work without it).

Install

Install the chart from Docker Hub's OCI registry, passing your license token:

helm install reel oci://docker.io/getreel/helm \

--namespace reel --create-namespace \

--set-string license.token="<YOUR_TOKEN>"

Prefer a Secret? Set license.secretRef to an existing Secret instead of passing the token inline. Full chart values and options are in the helm chart repo.

Verify

Confirm an agent pod is running on each node:

kubectl get pods -n reel -o wide

You should see one reel pod per node. Without a license the agent runs a short grace period, then pauses captures until a token is provided.

Next: schedule captures

The agent captures nothing until you tell it what and when. Define schedules with Kubernetes annotations — see the scheduling reference.

Installation Scheduling Reference