Skip to main content



kube-green support all Kubernetes cluster versions >= 1.23 <= 1.30 and OpenShift Container Platform v4.

Supported architectures are: amd64, arm64.

kube-green needs certificates to exposes webhooks. The recommended way to handle certificates is using the cert-manager. Otherwise, you can manage certificates manually as described here.

kubectl apply

With this method, you can not change the default configuration parameters.

The default static configuration for the latest release can be installed with:

kubectl apply -f

If you want to install a specific release version, run:

kubectl apply -f${RELEASE_TAG}/kube-green.yaml

with ${RELEASE_TAG} correctly filled.


Change default configuration

You can change default configuration editing the config files.

For example, to deploy the controller in another namespace, change the file kustomization.yaml with the desired namespace name.


To install kube-green in the cluster, clone the repository and run

make deploy

This will create a new namespace, kube-green, which contains the pod of the operator.

Operator Lifecycle Manager (OLM)

Install from

You can find kube-green in the website. Click the Install button, and follow the instructions.

Install on OpenShift

kube-green is in the Red Hat-provided Operator catalogs called community operators. On OpenShift 4 you can install kube-green from OperatorHub. To install it, follow this guide.

Cloud compatibility


When Google configure the control plane for private cluster, they automatically configure VPC peering between your Kubernetes cluster network and a separate Google managed project.

To restrict what Google is able to access in your cluster, the firewall rules configured restrict access to your Kubernetes pods. This means that the webhook won't work, and you see an error like Internal error occurred: failed calling webhook ...:

So, to use the webhook component with a GKE private cluster, you need to configure an additional firewall rule to allow the GKE control plane to access to your webhook pod.

kube-green uses webhook (exposed on port 9443) to check that SleepInfo CRD is valid. In order to make it works, you must open the 9443 port (or change the exposed port by configuration) otherwise it would not possible to add SleepInfo CRD.

Here you can read more information about how to add firewall rules to GKE.


When using a custom CNI on EKS (such as cilium), the webhook cannot be reached by kube-green. This happens because the control plane cannot be configured to run on a custom CNI, so the CNIs differ between control plane and worker nodes.

To address this, set hostNetwork: true in the deployment of the webhook to run it in the host network.

To set this, uncomment the # - host_network_patch.yaml line (in this file) to apply the patch with the hostNetwork: true value.