Advanced

The K8s exporter supports additional flags and the option to provide additional configuration sources, making it easier to configure its behavior to your liking.

Required configuration

The following parameters are required with every K8s exporter installation/upgrade:

Parameter	Description
secret.secrets.portClientId	Port Client ID
secret.secrets.portClientSecret	Port Client Secret

Advanced installation parameters

The following advanced configuration parameters are available:

Resync Interval

The resyncInterval parameter specifies the interval in minutes to send a repeated sync event for all known existing objects (in addition to new cluster events).

• Default value: 0 (re-sync disabled)
• Use case: Re-sync every X minutes. This parameter is useful when reporting entities with relations inside your cluster in instances where an entity is reported before its related target has been created in Port. The initial sync will fail, but later when the target entity is available, the entity creation will succeed.

State Key

The stateKey parameter specifies a unique state key per K8s exporter installation. Enables deletion of stale Port entities that had been created by the exporter, and shouldn't be synced (anymore) according to your existing exporter app configuration. The exporter will check for pending deletions during pod initialization, and also respond to deletion events in the cluster.

• Default value: "".
  • When empty, a UUID will be automatically generated and kept in the ConfigMap. Changing the state key will cause the existing exporter to lose track of entities it reported previously from the cluster, and will therefore not delete them from Port.
• Use case: Deletion of stale Port entities. For example:
  • Removal of entire resource (like pods) from the exporter app config, will also remove them from the software catalog.
  • Modification of an entity's identifier will cause the stale entity to be removed and created again with the correct identifier.

Overwrite Configuration

The overwriteConfigurationOnRestart parameter controls how the exporter's mapping configuration is managed after the initial installation.

• Default value: false

When set to false (the default), the mapping configuration defined in your Helm chart values is synced to Port only on the first installation. After that, the Port UI becomes the source of truth for the integration's mapping. Any subsequent changes to the mapping in your Helm values will not be applied. You have to update the mapping directly in the data sources page in Port for the changes to take effect.

When set to true, the Helm chart becomes the source of truth. On every exporter restart (including pod restarts and Helm upgrades), the exporter pushes its local configuration to Port, overwriting whatever is currently stored there. This is useful if you want to manage your mapping configuration declaratively (e.g. via GitOps).

UI changes will be overwritten

When overwriteConfigurationOnRestart is set to true, any changes you make to the mapping via the Port UI will be overwritten the next time the exporter restarts. Make sure to apply all mapping changes through your Helm values or Git repository instead.

Example — enabling overwrite via Helm:

helm upgrade --install k8s-exporter port-labs/port-k8s-exporter \
    --create-namespace --namespace port-k8s-exporter \
    --set secret.secrets.portClientId="YOUR_PORT_CLIENT_ID"  \
    --set secret.secrets.portClientSecret="YOUR_PORT_CLIENT_SECRET"  \
    --set stateKey="k8s-exporter"  \
    --set overwriteConfigurationOnRestart=true  \
    --set-file configMap.config=my-config.yaml

Where my-config.yaml contains your full mapping configuration, including resources, crdsToDiscover, and any other configuration keys.

Logging Level

The K8S exporter provides support for multiple event listeners. The event listener is used to receive events and resync requests from Port and forward them to the exporter.

By configuring an event listener the integration will listen to and react to the following events sent from Port:

• Configuration update - the integration will use the data of the new configuration to perform a resync of information from the k8s cluster
• Resync request - the integration will perform a resync of data from the k8s cluster to Port based on the existing configuration

The following event listener types are supported:

• POLLING - the integration will automatically query Port for updates in the integration configuration and perform a resync if changes are detected.

• KAFKA - the integration will consume incoming resync requests from your dedicated Kafka topic, provisioned to you by Port

Available event listeners configuration parameters can be found here

multiple exporter instances

The event listeners that are currently available do not support multiple instances of the same exporter

resync

If a resync event is received by your integration while it is actively performing a resync, the currently running resync will be aborted and a new resync process will start.

If a new resync trigger consistently aborts a running resync, it means that your integration never finishes a complete resync process (which means some information from the cluster might never appear in Port).

Metrics

The loggingLevel parameter is used to control the level of logs in the K8s exporter's pod.

• Default value: info - show all info and error logs, including info logs of successful updates.
• Use case: Set the value to error if you want to include error logs only (and exclude info logs).

Bulk Sync

The metricsEnabled parameter is used to control if the k8s exporter would expose a /metrics endpoint compatible with OTLP.

• Default value: true

The metricsPort parameter is used to control the port number of the metrics server.

• Default value: 9090
• Use case: Set the value to a different port if you do not wish to expose the metrics server on 9090.

Event Listener Type

The bulkSyncMaxPayloadBytes parameter is used to control the size (in bytes) of the bulk upserts to Port.

• Default value: 1048576

The bulkSyncMaxEntitiesPerBatch parameter is used to control the number of entities to be sent as part of a bulk upsert to Port.

• Default value: 20

The bulkSyncBatchTimeoutSeconds parameter is used to control the time (in seconds) to wait until flushing a bulk upsert to Port (even if the maximum number/size of entities has not been reached).

• Default value: 5

CRDs to Discover

The crdsToDiscover parameter is used to specify a filter for the CRDs that the K8s exporter should discover and export to Port, without the need to create a mapping and the blueprint manually.

For more information how to use the crdsToDiscover parameter, please refer to the K8S API extension guide

• Default value: "" (no filter)

JQ Configuration

The K8s exporter supports configuration options to control access to environment variables within JQ queries used in resource mappings.

allowAllEnvironmentVariablesInJQ

The allowAllEnvironmentVariablesInJQ parameter controls whether all environment variables are accessible in JQ queries.

• Default value: true (all environment variables are accessible within JQ queries)
• Security implications: When set to true, JQ queries in your resource mappings can access any environment variable available to the exporter pod, including sensitive information like API keys, passwords, and other secrets (if those are mapped to the exporter pod as environment variables).

Security Risk

Setting allowAllEnvironmentVariablesInJQ to true can expose sensitive environment variables to JQ queries. This includes:

• Port credentials (PORT_CLIENT_ID, PORT_CLIENT_SECRET)
• Kubernetes service account tokens.
• Any other environment variables injected into the pod.
• Secrets mounted as environment variables.

Due to the potential security implication, if you have a need to limit the exposure of environment variables in the exporter's JQ, please set this parameter to false and explicitly specify the variables that need to be accessed using JQ through the allowedEnvironmentVariablesInJQ parameter.

allowedEnvironmentVariablesInJQ

The allowedEnvironmentVariablesInJQ parameter specifies which environment variables are allowed in JQ queries when allowAllEnvironmentVariablesInJQ is set to false. This parameter accepts a list of JQ expressions that evaluate to environment variable names or patterns.

Each entry in the list is a JQ expression that should return:

• A specific environment variable name (e.g., "CLUSTER_NAME")

• A pattern for matching multiple variables (e.g., "^CLUSTER_" to match all cluster-related environment variables)

• An array of environment variable names or patterns.

• Default value: ^PORT_, CLUSTER_NAME

• Use case: Restrict access to only specific, safe environment variables in JQ queries for enhanced security. Use JQ expressions to dynamically determine which environment variables should be accessible.

Configuration Example

allowAllEnvironmentVariablesInJQ: false
allowedEnvironmentVariablesInJQ:
  - ^CLUSTER_
  - AWS_REGION
  - AWS_ACCOUNT_ID
resources:
  - kind: v1/namespaces
...

This configuration allows:

• All environment variables starting with CLUSTER_ (e.g., CLUSTER_NAME, CLUSTER_ID)
• Specific variables: AWS_REGION & AWS_ACCOUNT_ID

Security Configuration

The following security parameters can be modified to give the K8s exporter more granular access to your cluster:

Parameter	Description	Default
clusterRole.apiGroups	The API groups that the K8s Exporter can access. Make sure to grant access to the relevant API groups, with respect to the resources that you've configured in the resource mapping	{'*'}
clusterRole.resources	The resources that the K8s Exporter can access. Make sure to grant access to the relevant resources, with respect to the resources that you've configured in the resource mapping	{'*'}
serviceAccount.create	Whether to create the default ServiceAccount, ClusterRole and ClusterRoleBinding resources.	true
serviceAccount.name	The name of the custom ServiceAccount resource to use, relevant only when serviceAccount.create is set to false

Overriding configurations

When installing the K8s exporter, it is possible to override default values in the helm upgrade command:

By using the --set flag, you can override specific exporter configuration parameters during exporter installation/upgrade:

helm upgrade --install k8s-exporter port-labs/port-k8s-exporter \
    --create-namespace --namespace port-k8s-exporter \
    --set secret.secrets.portClientId="YOUR_PORT_CLIENT_ID"  \
    --set secret.secrets.portClientSecret="YOUR_PORT_CLIENT_SECRET"  \
    --set stateKey="k8s-exporter"  \
    --set eventListenerType="KAFKA"  \
    --set extraEnv=[{"name":"CLUSTER_NAME","value":"my-cluster"}] 

For example, to set the parameters from the security configuration section:

--set clusterRole.apiGroups="{argoproj.io,'',apps}" \
--set clusterRole.resources="{rollouts,pods,replicasets}"

Manage K8s mapping config

The K8s exporter's mapping configuration (the resources block, crdsToDiscover, etc.) can be managed in two ways: through the Port UI or through your Helm chart values. The overwriteConfigurationOnRestart parameter controls which approach is used.

Port UI (default)

By default (overwriteConfigurationOnRestart: false), the mapping defined in your Helm values is synced to Port only during the initial installation. After that:

• The data sources page in Port is the source of truth.
• You can edit the mapping in the Port UI and click Save & Resync to apply changes.
• Any mapping changes in your Helm values will be ignored on subsequent upgrades or restarts.

This is the recommended approach if you prefer to iterate on your mapping through the Port UI.

Helm chart / GitOps

If you want to manage your mapping declaratively (e.g. storing it in Git alongside your Helm values), set overwriteConfigurationOnRestart: true. With this approach:

• The Helm chart is the source of truth for the mapping configuration.
• On every exporter restart, the local configuration is pushed to Port, overwriting any changes made in the UI.
• All mapping changes should be made in your Helm values file and applied via helm upgrade.

To use this approach, provide your mapping configuration via the configMap.config value:

Example values.yaml (Click to expand)

values.yaml

overwriteConfigurationOnRestart: true

configMap:
  config: |
    crdsToDiscover: ".metadata.ownerReferences[0].kind == \"CompositeResourceDefinition\""
    resources:
      - kind: apps/v1/deployments
        selector:
          query: .metadata.namespace | startswith("kube") | not
        port:
          entity:
            mappings:
              - identifier: .metadata.name + "-Deployment-" + .metadata.namespace
                title: .metadata.name
                blueprint: '"k8s_workload"'
                properties:
                  kind: '"Deployment"'
                  creationTimestamp: .metadata.creationTimestamp

Switching between approaches

If you have been managing your mapping in the Port UI and want to switch to a GitOps approach, first copy the current mapping from the data sources page into your Helm values file. Then set overwriteConfigurationOnRestart: true and run helm upgrade. This ensures you don't lose any mapping changes you previously made in the UI.

All configuration parameters

• A complete list of configuration parameters available when using the helm chart is available here.
• An example skeleton values.yml file is available here.

Extra environment variables

To pass extra environment variables to the exporter's runtime, you can use the Helm chart provided with the installation. You can do this in one of two ways:

1. Using Helm's --set flag:

helm upgrade --install <MY_INSTALLATION_NAME> port-labs/port-k8s-exporter \
  # Standard installation flags
  # ...
  --set "extraEnv[0].name"=HTTP_PROXY \
  --set "extraEnv[0].value"=http://my-proxy.com:1111

2. The Helm values.yaml file:

# The rest of the configuration
# ...
extraEnvs:
  - name: HTTP_PROXY
    value: http://my-proxy.com:1111

Proxy Configuration

HTTP_PROXY & HTTPS_PROXY

HTTP_PROXY and HTTPS_PROXY are environment variables used to specify a proxy server for handling HTTP or HTTPS, respectively. The values assigned to these settings should be the URL of the proxy server.

For example:

HTTP_PROXY=http://my-proxy.com:1111
HTTPS_PROXY=http://my-proxy.com:2222

NO_PROXY

NO_PROXY allows blacklisting certain addresses from being handled through a proxy. This variable accepts a comma-seperated list of hostnames or urls.

For example:

NO_PROXY=http://127.0.0.1,google.com

Advanced resource mapping configuration

Delete Dependents

The deleteDependents parameter is used to enable deletion of dependent Port entities. This is useful when you have two blueprints with a required relation, and the target entity in the relation should be deleted. In this scenario, the delete operation will fail if this flag is set to false if the flag is set to true, the source entity will be deleted as well.

• Default value: false (disabled)
• Use case: Deletion of dependent Port entities. Must be enabled if you want to delete a target entity (and its source entities) when the entity's blueprint has required relations.

Create Missing Related Entities

The createMissingRelatedEntities parameter is used to enable the creation of missing related Port entities.

• Default value: true to allow the Kubernetes app to create barebones related entities, in case those related entities do not exist in the software catalog.
• Use case: use false if you do not want this default behavior (do not create missing related entities).