crowdsecurity · blotus · Feb 27, 2026
diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl
@@ -94,6 +94,16 @@ true
 {{- $IsCAPIDisabled }}
 {{- end }}
 
+{{/*
+  Return the kubectl helper image used by registration jobs.
+  If image.kubectl.tag is empty, default to latest.
+*/}}
+{{ define "registerJobKubectlImage" }}
+{{- $repository := .Values.image.kubectl.repository | default "alpine/kubectl" -}}
+{{- $tag := .Values.image.kubectl.tag | default "latest" -}}
+{{- printf "%s:%s" $repository $tag -}}
+{{- end -}}
+
 {{/*
   Provide a default value for StoreCAPICredentialsInSecret. 
   If StoreCAPICredentialsInSecret is not set in the values, and there's no persistency for the LAPI config, defaults to true

diff --git a/charts/crowdsec/templates/capi-register-job.yaml b/charts/crowdsec/templates/capi-register-job.yaml
@@ -37,18 +37,34 @@ spec:
       tolerations:
 {{ toYaml .Values.lapi.tolerations | indent 8 }}
       {{- end }}
+      initContainers:
+        - name: install-kubectl
+          image: {{ include "registerJobKubectlImage" . | quote }}
+          imagePullPolicy: {{ .Values.image.kubectl.pullPolicy | default .Values.image.pullPolicy }}
+          command:
+            - "/bin/sh"
+            - "-c"
+            - |
+                cp "$(command -v kubectl)" /kubectl-bin/kubectl
+                chmod 0755 /kubectl-bin/kubectl
+          volumeMounts:
+            - name: kubectl-bin
+              mountPath: /kubectl-bin
       containers:
         - name: capi-register
           image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - name: kubectl-bin
+              mountPath: /kubectl-bin
           command:
             - "/bin/bash"
             - "-c"
             - |
-                apk update && apk add kubectl
                 set -ex
+                KUBECTL=/kubectl-bin/kubectl
                 echo "Checking if the secret {{ .Release.Name }}-capi-credentials already exists..."
-                if kubectl -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-capi-credentials >/dev/null 2>&1; then
+                if $KUBECTL -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-capi-credentials >/dev/null 2>&1; then
                   echo "Secret already exists. Skipping registration."
                   exit 0
                 fi
@@ -61,9 +77,12 @@ spec:
                 cscli -c /staging/etc/crowdsec/config.yaml capi register
                 yq -i '.papi_url="https://papi.api.crowdsec.net/"' /tmp/online_api_credentials.yaml
                 echo "Creating secret {{ .Release.Name }}-capi-credentials..."
-                kubectl create secret generic {{ .Release.Name }}-capi-credentials \
+                $KUBECTL create secret generic {{ .Release.Name }}-capi-credentials \
                   -n {{ .Release.Namespace }} \
                   --from-file=online_api_credentials.yaml=/tmp/online_api_credentials.yaml
+      volumes:
+        - name: kubectl-bin
+          emptyDir: {}
     {{- end }}
   {{- end }}
 {{- end }}
diff --git a/charts/crowdsec/templates/cscli-lapi-register-job.yaml b/charts/crowdsec/templates/cscli-lapi-register-job.yaml
@@ -36,18 +36,34 @@ spec:
       tolerations:
 {{ toYaml .Values.lapi.tolerations | indent 8 }}
       {{- end }}
+      initContainers:
+        - name: install-kubectl
+          image: {{ include "registerJobKubectlImage" . | quote }}
+          imagePullPolicy: {{ .Values.image.kubectl.pullPolicy | default .Values.image.pullPolicy }}
+          command:
+            - "/bin/sh"
+            - "-c"
+            - |
+                cp "$(command -v kubectl)" /kubectl-bin/kubectl
+                chmod 0755 /kubectl-bin/kubectl
+          volumeMounts:
+            - name: kubectl-bin
+              mountPath: /kubectl-bin
       containers:
         - name: lapi-cscli-register
           image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - name: kubectl-bin
+              mountPath: /kubectl-bin
           command:
             - "/bin/bash"
             - "-c"
             - |
-                apk update && apk add kubectl
                 set -ex
+                KUBECTL=/kubectl-bin/kubectl
                 echo "Checking if the secret {{ .Release.Name }}-lapi-cscli-credentials already exists..."
-                if kubectl -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-lapi-cscli-credentials >/dev/null 2>&1; then
+                if $KUBECTL -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-lapi-cscli-credentials >/dev/null 2>&1; then
                   echo "Secret already exists. Skipping registration."
                   exit 0
                 fi
@@ -60,8 +76,11 @@ spec:
 
                 echo "Creating secret {{ .Release.Name }}-lapi-cscli-credentials..."
 
-                kubectl create secret generic {{ .Release.Name }}-lapi-cscli-credentials \
+                $KUBECTL create secret generic {{ .Release.Name }}-lapi-cscli-credentials \
                   -n {{ .Release.Namespace }} \
                   --from-file=lapi_cscli_credentials.yaml=/tmp/lapi-cscli-credentials.yaml
+      volumes:
+        - name: kubectl-bin
+          emptyDir: {}
     {{- end }}
 {{- end }}
diff --git a/charts/crowdsec/values.schema.json b/charts/crowdsec/values.schema.json
@@ -45,6 +45,24 @@
                 },
                 "pullPolicy": {
                     "type": "string"
+                },
+                "kubectl": {
+                    "type": "object",
+                    "properties": {
+                        "repository": {
+                            "type": "string"
+                        },
+                        "tag": {
+                            "type": "string"
+                        },
+                        "pullPolicy": {
+                            "type": "string"
+                        }
+                    },
+                    "required": [
+                        "repository",
+                        "pullPolicy"
+                    ]
                 }
             },
             "required": [

diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml
@@ -23,6 +23,14 @@ image:
   ## @param image.tag [string] docker image tag (empty defaults to chart AppVersion)
   tag: ""
 
+  ## @param image.kubectl.repository [default: alpine/kubectl] [string] kubectl image repository used by registration jobs initContainers
+  ## @param image.kubectl.tag [default: latest] [string] kubectl image tag (override to match your cluster version if you encounter issues with registration jobs)
+  ## @param image.kubectl.pullPolicy [default: IfNotPresent] [string] kubectl image pull policy (Always, IfNotPresent, Never)
+  kubectl:
+    repository: alpine/kubectl
+    tag: latest
+    pullPolicy: IfNotPresent
+
 ## @param podAnnotations [object] podAnnotations to be added to pods (string:string map)
 podAnnotations: {}
   # Uncomment the following lines if you use Prometheus Helm Chart rather than Prometheus Operator.