Deploy on Kubernetes using Helm
The supported method for deploying Anchore Enterprise on Kubernetes is with Helm. The Anchore Enterprise Helm Chart includes configuration options for a full Enterprise deployment.
About the Helm Chart
The chart is split into global and service specific configurations for the core features, as well as global and services specific configurations for the optional Enterprise services.
- The
anchoreConfigsection of the values file contains the application configuration for Anchore Enterprise. This includes the database connection information, credentials, and other application settings. - Anchore Enterprise services run as a kubernetes deployment when installed with the Helm chart. Each service has its own section in the values file for making customizations and configuring the kubernetes deployment spec.
For a description of each service component see Anchore Enterprise Service Overview
Prerequisites
See the README in the chart repository for prerequisites before starting the deployment.
Install the Chart
This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. Refer to the Configuration section of the chart README for additional guidance on production deployments.
Create the namespace: The steps to follow will require the namespace to have been created already.
export NAMESPACE=anchore kubectl create namespace ${NAMESPACE}Create a Kubernetes Secret for License File: Generate a Kubernetes secret to store your Anchore Enterprise license file.
export NAMESPACE=anchore export LICENSE_PATH="license.yaml" kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} -n ${NAMESPACE}Create a Kubernetes Secret for DockerHub Credentials: Generate a Kubernetes secret containing the Anchore-provided DockerHub credentials. These credentials are required for authenticated access to the private Anchore Enterprise repositories on DockerHub in order to pull/download the Docker images used by the deployment. Contact Anchore Support to obtain access.
export NAMESPACE=anchore export DOCKERHUB_PASSWORD="password" export DOCKERHUB_USER="username" export DOCKERHUB_EMAIL="[email protected]" kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} -n ${NAMESPACE}Add Chart Repository & Deploy Anchore Enterprise: Create a custom values file, named
anchore_values.yaml, to override any chart parameters. Refer to the Parameters section for available options.Default passwords are specified in the chart and must be changed before deploying. The password for theadminuser is set via theanchoreConfig.default_admin_passwordparameter in your customanchore_values.yamlfile. This value is only used during initial creation of the admin user; the password can be changed post-installation via the UI.The RELEASE variable should not contain any dots.export NAMESPACE=anchore export RELEASE=anchore helm repo add anchore https://charts.anchore.io helm install ${RELEASE} -n ${NAMESPACE} anchore/enterprise -f anchore_values.yamlThe
helm installcommand will initiate the installation of Anchore Enterprise into the specified namespace using the chart parameters defined in your customanchore_values.yamlfile. Upon completion, the pod status can be checked per the below and should reflectREADY 1/1andSTATUS Runningfor each pod.kubectl get pods -n ${NAMESPACE}Example output:
NAME READY STATUS RESTARTS AGE anchore-enterprise-analyzer-5f7f97ffcf-6rtrn 1/1 Running 0 5m anchore-enterprise-api-587fb89495-sl2xn 1/1 Running 0 5m anchore-enterprise-catalog-7767d58d4f-6dsv7 1/1 Running 0 5m anchore-enterprise-datasyncer-558959869f-qp9nx 1/1 Running 0 5m anchore-enterprise-notifications-64ccbf9864-pl629 1/1 Running 0 5m anchore-enterprise-policy-6dc88b5df6-vrrcw 1/1 Running 0 5m anchore-enterprise-reports-569587dbf5-jjfz2 1/1 Running 0 5m anchore-enterprise-reportsworker-6bc7f7b4dd-7fnrn 1/1 Running 0 5m anchore-enterprise-simplequeue-7f848498df-64bxq 1/1 Running 0 5m anchore-enterprise-ui-6fd7d78449-2vc6l 1/1 Running 0 5m anchore-postgresql-0 1/1 Running 0 5m anchore-ui-redis-master-0 1/1 Running 0 5mThere should be 12 Anchore Enterprise pods in total, which includes PostgreSQL and Redis.
This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. See the External Database section of the chart README for details on using an external database.Post-Installation Steps: Anchore Enterprise will take some time to initialize. After the bootstrap phase, it will begin a vulnerability feed sync. Image analysis will show zero vulnerabilities and the UI will show errors until the sync is complete, which can take an hour or more based on the enabled feeds. The sync process will take place in the background, and while it’s in progress, anchorectl can be installed and the below commands can be used to check system status.
Export the required parameters to invoke
anchorectl:export NAMESPACE=anchore export RELEASE=anchore export ANCHORECTL_URL=http://localhost:8228 export ANCHORECTL_USERNAME="admin" export ANCHORECTL_PASSWORD="<default_admin_password>"Port-forward API and UI traffic to the associated pods. Run each command in a separate terminal window in the background:
kubectl port-forward -n ${NAMESPACE} svc/${RELEASE}-enterprise-api 8228:8228 --address 0.0.0.0 --request-timeout=0 & kubectl port-forward -n ${NAMESPACE} svc/${RELEASE}-enterprise-ui 3000:80 --address 0.0.0.0 --request-timeout=0 &Gather the status of Anchore Enterprise services.
anchorectldefaults to the user${ANCHORECTL_USERNAME}and to the password${ANCHORECTL_PASSWORD}automatically if set:anchorectl system statusExample output:
✔ Status system ┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐ │ SERVICE │ HOST ID │ URL │ UP │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │ ├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤ │ analyzer │ anchore-quickstart │ http://analyzer:8228 │ true │ available │ 5270 │ 5.27.0 │ │ policy_engine │ anchore-quickstart │ http://policy-engine:8228 │ true │ available │ 5270 │ 5.27.0 │ │ apiext │ anchore-quickstart │ http://api:8228 │ true │ available │ 5270 │ 5.27.0 │ │ reports │ anchore-quickstart │ http://reports:8228 │ true │ available │ 5270 │ 5.27.0 │ │ reports_worker │ anchore-quickstart │ http://reports-worker:8228 │ true │ available │ 5270 │ 5.27.0 │ │ data_syncer │ anchore-quickstart │ http://data-syncer:8228 │ true │ available │ 5270 │ 5.27.0 │ │ simplequeue │ anchore-quickstart │ http://queue:8228 │ true │ available │ 5270 │ 5.27.0 │ │ notifications │ anchore-quickstart │ http://notifications:8228 │ true │ available │ 5270 │ 5.27.0 │ │ catalog │ anchore-quickstart │ http://catalog:8228 │ true │ available │ 5270 │ 5.27.0 │ └─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘For more information about configuringanchorectl, see Using Environment Variables.The port forwarding shown above is intended only for POC purposes or an initial Anchore Enterprise installation and is not recommended for Production use. In a Production environment, an ingress controller or load balancer is recommended for exposing the Anchore Enterprise API and UI services. See the cloud-provider–specific Helm deployment guides (AKS, EKS, GKE, OpenShift) for ingress examples.List all Helm releases usinghelm list -n ${NAMESPACE}.
Next Steps
Now that you have Anchore Enterprise running, you can begin to learning more about Anchore Enterprise architecture, Anchore concepts, and Anchore usage.
Last modified May 14, 2026