This page covers a full Nyx installation: prerequisites, installing on Linux and Windows nodes, the configuration values the chart accepts, and how to verify, upgrade, and uninstall. If you just want to get running quickly, the Quickstart is the faster path.

Prerequisites

Cluster

  • Linux nodes on the AMD64 architecture, running a kernel of 5.15 or newer (required for eBPF/TC enforcement). Ubuntu-based AKS, EKS, GKE, and self-managed node images are validated. ARM64 isn’t supported yet — the agent schedules only on AMD64 Linux nodes.
  • Windows nodes (optional) — Windows Server 2022. See Add Windows nodes below.
  • Kubernetes 1.27 or newer recommended.

Tooling

  • kubectl, configured for your cluster. Version 1.27+ is needed for the kubectl identity step.
  • Helm 3.8 or newer. OCI registry support is required, which is stable from Helm 3.8.0 onward.

Network

Nyx’s agent connects outbound to your Tracenyx Service Bus endpoint over a single, persistent AMQP-over-TLS connection — it sends data and receives commands on that one connection. Nothing inbound to your cluster is ever required. If your cluster has outbound firewall restrictions, allow:
Setting       Value
Protocol      TCP
Port          5671 (AMQP over TLS)
Destination   Your Service Bus endpoint, shown in your dashboard under Settings → Cluster → Connection Details
Allowlist your specific endpoint rather than a wildcard, so the rule permits traffic only to your Tracenyx namespace.

Access

You’ll need a Scout key and image pull credentials, both available from your dashboard once you have access. See Quickstart → Create your Scout account for how to request access. If your environment restricts which container registries it can reach, Sentinel and Aegis customers can have Nyx images mirrored to a private registry — contact us to arrange it.

Install on Linux nodes

Copy the install command from your dashboard and run it. It has this shape:
helm install nyx \
  oci://tracenyxpublic.azurecr.io/helm/nyx \
  --version 0.1.0 \
  --namespace nyx-system \
  --create-namespace \
  --set global.scout.key=<YOUR_SCOUT_KEY> \
  --set global.image.registry=<YOUR_IMAGE_REGISTRY> \
  --set global.image.pullUsername=<YOUR_PULL_USERNAME> \
  --set global.image.pullPassword=<YOUR_PULL_PASSWORD>
Your dashboard generates this command fully populated with your Scout key and image pull credentials. Copy it from there rather than assembling it by hand — the credentials are unique to your account.
This installs two components into the nyx-system namespace:
  • nyx-agent — a DaemonSet, the kernel-native enforcement engine. One pod runs on every Linux node.
  • nyx-gatekeeper — the admission webhook that validates and authorises policies.

Add Windows nodes

Nyx enforces on Windows nodes through a dedicated chart, nyx-windows, which deploys the nyx-agent-windows DaemonSet. It installs alongside the Linux release in the same nyx-system namespace and shares your Scout key and image registry — the two charts are installed separately so each targets the correct node OS. If you selected Windows nodes during signup, your dashboard shows the Windows install command alongside the Linux one. It follows the same shape:
helm install nyx-windows \
  oci://tracenyxpublic.azurecr.io/helm/nyx-windows \
  --version 0.1.0 \
  --namespace nyx-system \
  --set global.scout.key=<YOUR_SCOUT_KEY> \
  --set global.image.registry=<YOUR_IMAGE_REGISTRY> \
  --set global.image.pullUsername=<YOUR_PULL_USERNAME> \
  --set global.image.pullPassword=<YOUR_PULL_PASSWORD>
Windows nodes must be Windows Server 2022. Nyx enforces on Windows through a signed Windows Filtering Platform (WFP) callout driver, deployed by the nyx-agent-windows DaemonSet.

Configuration

The most common values are below. To see everything the chart accepts, run:
helm show values oci://tracenyxpublic.azurecr.io/helm/nyx --version 0.1.0
Value                       Required   Description
global.scout.key            Yes        Your Scout license key. Binds the cluster to your Tracenyx account.
global.image.registry       Yes        The private registry hosting Nyx container images. Provided in your dashboard.
global.image.pullUsername   Yes        Username for pulling Nyx images. Provided in your dashboard.
global.image.pullPassword   Yes        Password or token for pulling Nyx images. Provided in your dashboard.
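The four required values can also be passed in a values file instead of --set flags, which keeps the Scout key and pull password out of shell history and the process list. This is an added example, not part of the Nyx documentation: the NYX_* variable names, the helper function names, and the file path are assumptions, and the YAML keys mirror the --set paths shown above.

```shell
# Added example. NYX_* variable names and the output path are assumptions;
# the YAML keys mirror the --set paths in the install command.

# Emit a value as a single-quoted YAML scalar ('' is an escaped quote), so
# characters such as : # @ in a password are not parsed as YAML syntax.
yaml_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

nyx_write_values() {
  out="$1"
  : "${NYX_SCOUT_KEY:?}" "${NYX_IMAGE_REGISTRY:?}"
  : "${NYX_PULL_USERNAME:?}" "${NYX_PULL_PASSWORD:?}"
  rm -f "$out"            # never reuse a file with looser permissions
  ( umask 077             # create the file readable by the owner only
    cat > "$out" <<EOF
global:
  scout:
    key: $(yaml_quote "$NYX_SCOUT_KEY")
  image:
    registry: $(yaml_quote "$NYX_IMAGE_REGISTRY")
    pullUsername: $(yaml_quote "$NYX_PULL_USERNAME")
    pullPassword: $(yaml_quote "$NYX_PULL_PASSWORD")
EOF
  )
}

# Install from the file, then delete it whether or not helm succeeded.
nyx_install_from_values() {
  status=0
  helm install nyx oci://tracenyxpublic.azurecr.io/helm/nyx \
    --version 0.1.0 --namespace nyx-system --create-namespace \
    --values "$1" || status=$?
  rm -f "$1"
  return "$status"
}
```

Populate the NYX_* variables from a secret store or an interactive prompt rather than typing them on the command line.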

Verify the installation

Check that every component came up:
kubectl get pods -n nyx-system
You should see one nyx-agent pod per Linux node, one nyx-agent-windows pod per Windows node (if installed), and one nyx-gatekeeper pod:
NAME                              READY   STATUS    RESTARTS   AGE
nyx-agent-7d9f2                   1/1     Running   0          40s
nyx-agent-x4k8p                   1/1     Running   0          40s
nyx-gatekeeper-6c5b9d4f7-w2lqz    1/1     Running   0          40s
Confirm the CRDs registered:
kubectl get crds | grep nyx.tracenyx.io
nyxclusternetworkpolicies.nyx.tracenyx.io
nyxnetworkpolicies.nyx.tracenyx.io
Then open your dashboard — the cluster should appear as connected, with live traffic in the Traffic Map.
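The two checks above can be scripted so that a rollout fails loudly when an agent is missing or not ready. This is an added example, not part of the Nyx documentation: the function names are assumptions, pod name prefixes are assumed to follow the DaemonSet and Deployment names shown above, and the sample input is the expected output from this page.

```shell
# Added example: functions that read kubectl output on stdin, so they can be
# run against a live cluster or a saved capture.
#   kubectl get pods -n nyx-system | nyx_check_pods <linux-node-count>
#   kubectl get crds               | nyx_check_crds

# Sample from the page's expected output (two Linux nodes, no Windows nodes).
nyx_sample_pods() {
  cat <<'EOF'
NAME                              READY   STATUS    RESTARTS   AGE
nyx-agent-7d9f2                   1/1     Running   0          40s
nyx-agent-x4k8p                   1/1     Running   0          40s
nyx-gatekeeper-6c5b9d4f7-w2lqz    1/1     Running   0          40s
EOF
}

nyx_check_pods() {
  awk -v want="$1" '
    NF == 0 || $1 == "NAME" { next }            # blank lines and header row
    {
      split($2, ready, "/")                     # READY column, e.g. 1/1
      if ($3 != "Running" || ready[1] != ready[2]) {
        printf "not ready: %s (%s %s)\n", $1, $2, $3; bad++
      }
      # Windows agents are matched first so they never count as Linux agents.
      if      ($1 ~ /^nyx-agent-windows-/) windows++
      else if ($1 ~ /^nyx-agent-/)         agents++
      else if ($1 ~ /^nyx-gatekeeper-/)    gatekeeper++
    }
    END {
      if (agents + 0 != want + 0) {
        printf "expected %d nyx-agent pods, found %d\n", want, agents; bad++
      }
      if (gatekeeper < 1) { print "no nyx-gatekeeper pod"; bad++ }
      exit (bad > 0)
    }'
}

nyx_check_crds() {
  awk '
    $1 == "nyxnetworkpolicies.nyx.tracenyx.io"        { a = 1 }
    $1 == "nyxclusternetworkpolicies.nyx.tracenyx.io" { b = 1 }
    END { exit !(a && b) }'
}
```

Both functions return non-zero on any mismatch, so they can gate a CI step or a post-install hook.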

Connect your kubectl identity

Nyx’s admission webhook needs to recognise your kubectl user so it can authorise policies you apply from the command line. The dashboard prompts you for this on first login — you can also find it under Settings → My Account. Find your Kubernetes username:
kubectl auth whoami -o jsonpath='{.status.userInfo.username}'
Paste the result into the dashboard and confirm. From this point, applying policies works the same whether you use kubectl or the dashboard, and both appear under the same identity in the audit log.

Upgrading

To upgrade to a newer chart version, reusing your existing configuration:
helm upgrade nyx \
  oci://tracenyxpublic.azurecr.io/helm/nyx \
  --version <NEW_VERSION> \
  --namespace nyx-system \
  --reuse-values
--reuse-values preserves your Scout key and image credentials. Check the release notes before upgrading across minor versions. If you run Windows nodes, upgrade nyx-windows to the matching version as well.

Uninstalling

Remove the Nyx components:
helm uninstall nyx --namespace nyx-system
# If you installed Windows support:
helm uninstall nyx-windows --namespace nyx-system
Uninstalling stops enforcement on every node — traffic returns to your cluster’s default behaviour. Helm leaves the CRDs in place, so your policies are preserved if you reinstall. To remove Nyx completely, including all policies:
kubectl delete crd \
  nyxnetworkpolicies.nyx.tracenyx.io \
  nyxclusternetworkpolicies.nyx.tracenyx.io
Deleting the CRDs permanently removes every NyxNetworkPolicy and NyxClusterNetworkPolicy in your cluster. This cannot be undone. Only do this if you intend to fully remove Nyx.