Manual Install (Helm)
This page covers installing Lakerunner yourself with Helm. A POC via the Helm chart is supported for a local or throwaway cluster.
We recommend the operator for every install — including production. The operator-managed install brings up Lakerunner and the Cardinal UI as a single unit and handles automatic upgrades, health monitoring, and clean removal for you — driven from app.cardinalhq.io . A manual Helm install means you own upgrades and monitoring yourself, so keep it to POCs.
For production or advanced installs (external S3 + Postgres at scale, air-gapped clusters, custom HA), use the operator and contact sales — we’ll help you size and harden the deployment.
Quick start (local cluster)
The fastest manual path — deploy Lakerunner on a local Kubernetes cluster with no cloud account required.
Up and running in minutes
Get Lakerunner deployed on a local Kubernetes cluster — no cloud account required.
Prerequisites
Sign up for a Cardinal account
Create your free account at app.cardinalhq.io.
Download your Lakerunner Trial license
After signing in, download your trial license from the Cardinal dashboard.
Create the namespace
kubectl create namespace lakerunnerInstall using Helm
Use the configuration wizard to generate a values.yaml tailored to your environment, then install:
helm install lakerunner oci://public.ecr.aws/cardinalhq.io/lakerunner \
--values values.yaml \
--namespace lakerunnerVerify the installation
Wait for all pods to become ready:
kubectl get pods -n lakerunner -wAccess Grafana
If Grafana was included in your installation, port-forward it to your local machine:
kubectl port-forward -n lakerunner svc/grafana 3000:3000Open http://localhost:3000 in your browser. Lakerunner's data source is pre-configured, but you won't see any data yet — that comes in the next step.
Send data
Install OpenTelemetry Collectors to monitor your cluster and write telemetry to S3.
Generate data from your real applications, or use the OTel Demo Application to produce realistic logs, metrics, and traces right away.
What's next?
Configuration wizard
Use the interactive wizard below to generate a values.yaml for your deployment. Select your installation type
and fill in the required details.
Installation Type
Organization Settings
Lakerunner is multi-tenant. Each tenant is an organization, and the collector and API key are used by that organization.
Optional Components
Cloud Provider
PostgreSQL - Lakerunner DB
PostgreSQL - Config DB
License
A valid license is required for Lakerunner to operate. Contact support@cardinalhq.com to obtain one.
Scaling
Lakerunner uses internal autoscaling from 1 pod up to the max you set here.
| Service | Max Pods |
|---|---|
| Log Processing | |
| Metric Processing | |
| Trace Processing |
Ingestion
Choose how S3 object notifications are ingested. HTTP provides a webhook endpoint. SQS polls from an AWS SQS queue.
Generated values.yaml
For the complete list of configuration options, see the full values.yaml reference on GitHub .
Post-installation
Verify the installation
After installation, verify all pods are running:
kubectl get pods -n lakerunner -l app.kubernetes.io/name=lakerunnerAccess Grafana
Configure an Ingress or use port-forwarding to access Grafana:
kubectl port-forward -n lakerunner svc/grafana 3000:3000Deploying on OpenShift
The chart renders cleanly under the restricted-v2 SCC with two adjustments. Add the following to the values.yaml produced by the wizard above:
1. Let the SCC assign UIDs
OpenShift’s restricted-v2 SCC rejects pods whose runAsUser/runAsGroup/fsGroup fall outside the namespace’s assigned UID range — it wants to inject them from the range itself. Null the fields so the chart emits only runAsNonRoot: true:
global:
podSecurityContext:
runAsNonRoot: true
runAsUser: null
runAsGroup: null
fsGroup: null
grafana:
podSecurityContext:
runAsNonRoot: true
runAsUser: null
runAsGroup: null
fsGroup: nullThe SCC fills in runAsUser, runAsGroup, and fsGroup. All other hardening from global.containerSecurityContext (no-privilege-escalation, drop ALL, RuntimeDefault seccomp, read-only rootfs) stays in effect.
2. Grafana needs an SCC that permits UID 472
The upstream grafana/grafana image expects UID 472 to own /var/lib/grafana. Because that UID almost never falls inside a namespace’s restricted-v2 range, Grafana needs either a custom SCC or an OpenShift-compatible image. The simplest path is:
oc adm policy add-scc-to-user nonroot-v2 -z <release>-lakerunner -n <namespace>…and then keep Grafana’s defaults (UID 472). If you prefer to avoid the SCC grant, swap grafana.image.repository for an image that supports random UIDs.
3. Perch needs elevated RBAC
The Perch component ships with a ClusterRole that includes patch on apps/deployments cluster-wide — this is its legitimate function (cross-namespace deployment management), but it counts as a privileged grant. On clusters with strict RBAC review you may need admin approval or an oc adm policy add-role-to-user edit against the chart’s ServiceAccount.
4. Ingress / Routes
The chart uses standard networking.k8s.io/v1 Ingress resources. They work with the OpenShift HAProxy router out of the box; no nginx-specific annotations are emitted.
Upgrading
To upgrade an existing installation:
helm upgrade lakerunner oci://public.ecr.aws/cardinalhq.io/lakerunner \
--values values.yaml \
--namespace lakerunnerUninstalling
To remove Lakerunner:
helm uninstall lakerunner --namespace lakerunnerNote: This does not delete your data in the cloud storage bucket.
Reach out to support@cardinalhq.io for support or to ask questions not answered in our documentation.