---
title: "Cloud Provider Integrations"
diataxis: how-to
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/controllers/n4k/provider-integrations/
---


Enterprise Kyverno can be installed on cloud provider-managed Kubernetes clusters.



---

## Nirmata Enterprise for Kyverno Pay-as-you-Go


## Overview
Nirmata Enterprise for Kyverno is an enterprise distribution of [Kyverno](https://kyverno.io/) available via the AWS Marketplace. This add-on provides 0-CVEs, secure defaults, and operational enhancements - deployable directly to your Amazon EKS clusters.

## Prerequisites
* Active AWS account and Amazon EKS cluster (v1.23+)
* AWS CLI, kubectl, and eksctl installed and configured
* IAM permissions to create roles and service accounts

## Installation via AWS Console
### Select Nirmata Enterprise for Kyverno Add-on
1. Go to the _Clusters>Add-ons_ tab and click on `Get more add-ons`.
1. Scroll down to AWS Marketplace add-ons.
1. In the search bar, type `nirmata`.
1. Select `Nirmata Enterprise for Kyverno (PAYG)`.
1. Click on Next.

![Select Nirmata Enterprise for Kyverno add-on](/images/select-n4k-add-on.png)

### Configure Nirmata Enterprise for Kyverno Add-on
1. In the `Configure` step, if your AWS account is not yet subscribed to Nirmata Enterprise for Kyverno, the Status field shows a `Requires subscription` message.
1. Click on `View Subscription options` and follow the instructions for subscription.

![Configure Nirmata Enterprise for Kyverno add-on](/images/configure-n4k-addon.png)
![Subscribe Nirmata Enterprise for Kyverno add-on](/images/n4k-subscribe-addon.png)


1. The add-on requires access to AWS Metering APIs. Select `IAM roles for service accounts (IRSA)`.

>NOTE: You **must** use the IRSA option and not Pod Identity: with Pod Identity, calls to the metering APIs fail, resulting in errors in the Kyverno controller pods.

1. Create the IAM Role with the following trust relationship policy and permissions.
1. Go to _IAM>Roles>Create role_.

Select Custom trust policy:
>NOTE: Refer to the cluster's OpenID Connect provider URL to add in the trust relationship.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<ACCOUNT_NUMBER>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/XXXX"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.<REGION>.amazonaws.com/id/XXXX:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
```

Add Permissions:
* AWSMarketplaceMeteringFullAccess
* AWSMarketplaceMeteringRegisterUsage

![Create IAM Role](/images/iam-create-role.png)
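An added example, not part of the Nirmata documentation, that renders the trust policy above from the cluster's OIDC issuer URL and creates the role with the two permissions listed. It additionally pins the `sub` claim to the `kyverno` service account so that no other pod in the cluster can assume the role. The role name `N4K-PayG-Role` and the `/tmp` path for the policy file are assumptions; the live part runs only when `CLUSTER_NAME` and `CLUSTER_REGION` are set.

```shell
#!/bin/sh
# Added example (not from the Nirmata docs). Builds an IRSA trust policy for the
# kyverno service account and creates the metering role with the two managed
# policies the page lists. Role name N4K-PayG-Role and /tmp path are assumptions.
set -eu

# render_trust_policy ACCOUNT_ID OIDC_ISSUER_URL NAMESPACE SERVICE_ACCOUNT
# Beyond the page's "aud" check, the "sub" condition pins the role to one
# service account, so no other pod in the cluster can assume it.
render_trust_policy() {
  account="$1"; issuer="${2#https://}"; ns="$3"; sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${issuer}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${issuer}:aud": "sts.amazonaws.com",
          "${issuer}:sub": "system:serviceaccount:${ns}:${sa}"
        }
      }
    }
  ]
}
EOF
}

# create_metering_role ROLE_NAME ACCOUNT_ID OIDC_ISSUER_URL (needs AWS CLI + IAM rights):
# creates the role and attaches only the two managed policies the add-on needs.
create_metering_role() {
  render_trust_policy "$2" "$3" kyverno kyverno > "/tmp/$1-trust.json"
  aws iam create-role --role-name "$1" \
    --assume-role-policy-document "file:///tmp/$1-trust.json"
  for p in AWSMarketplaceMeteringRegisterUsage AWSMarketplaceMeteringFullAccess; do
    aws iam attach-role-policy --role-name "$1" --policy-arn "arn:aws:iam::aws:policy/$p"
  done
}

# Entry point for live use; skipped when the cluster variables are not set.
if [ -n "${CLUSTER_NAME:-}" ] && [ -n "${CLUSTER_REGION:-}" ]; then
  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  ISSUER=$(aws eks describe-cluster --name "$CLUSTER_NAME" --region "$CLUSTER_REGION" \
    --query cluster.identity.oidc.issuer --output text)
  create_metering_role N4K-PayG-Role "$ACCOUNT_ID" "$ISSUER"
fi
```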

### Review and Add
1. Review the add-on configuration. The `Status` should be `Ready to Install`.
1. Click on Create.

![Nirmata Enterprise for Kyverno Ready to Install](/images/n4k-ready-to-install.png)

## Verify Installation
1. Go to _Cluster>Resources>Workloads>Deployments_.
1. Select `kyverno` namespace from the dropdown.
1. Verify that all four deployments are up and running.

![Verify Nirmata Enterprise for Kyverno Installation](/images/verify-n4k.png)

## Installation via CLI
### Subscribe to Nirmata Enterprise for Kyverno in AWS Marketplace
>Note: This step needs to be done only once per AWS account.

1. Visit the [Nirmata Enterprise for Kyverno listing](https://aws.amazon.com/marketplace/pp/prodview-t44by22ed5wxi).
1. Click **Continue to Subscribe**.
1. Accept the terms to enable deployment into EKS.

### Set Variables
```bash
export CLUSTER_NAME=<your-cluster-name>
export CLUSTER_REGION=<your-cluster-region>
```

### Associate IAM OIDC Provider
```bash
eksctl utils associate-iam-oidc-provider \
  --cluster $CLUSTER_NAME \
  --region $CLUSTER_REGION \
  --approve
```
This step allows Amazon EKS to map IAM roles to Kubernetes service accounts securely.

### Create IAM Service Account for Marketplace Metering
To enable AWS Marketplace metering for usage-based billing, Nirmata Enterprise for Kyverno requires permissions to report usage. These are provided via the managed policies:
* `AWSMarketplaceMeteringRegisterUsage`
* `AWSMarketplaceMeteringFullAccess`

Create the IAM service account:
```bash
eksctl create iamserviceaccount \
  --name kyverno \
  --namespace kyverno \
  --cluster $CLUSTER_NAME \
  --region $CLUSTER_REGION \
  --attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage \
  --attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess \
  --approve \
  --override-existing-serviceaccounts \
  --role-only \
  --role-name N4K-PayG-Role
```

This step ensures that Nirmata Enterprise for Kyverno can register and report usage data required for AWS billing. No other permissions are required.

### Install Nirmata Enterprise for Kyverno Add-on in the Cluster
To list available versions:
```bash
aws eks describe-addon-versions \
  --addon-name nirmata_nirmata-kyverno-payg \
  --query 'addons[].addonVersions[].addonVersion' \
  --output text
```

```bash
export SERVICE_ACCOUNT_ROLE_ARN=$(aws iam get-role --role-name N4K-PayG-Role --output json | jq -r '.Role.Arn')

aws eks create-addon \
  --cluster-name $CLUSTER_NAME \
  --region $CLUSTER_REGION \
  --addon-name nirmata_nirmata-kyverno-payg \
  --addon-version <latest-version> \
  --service-account-role-arn $SERVICE_ACCOUNT_ROLE_ARN \
  --resolve-conflicts OVERWRITE
```

### Verify Deployment
```bash
kubectl get pods -n kyverno
```

## Upgrading the Add-on
To upgrade Nirmata Enterprise for Kyverno:
```bash
aws eks update-addon \
  --cluster-name $CLUSTER_NAME \
  --region $CLUSTER_REGION \
  --addon-name nirmata_nirmata-kyverno-payg \
  --addon-version <new-version>
```

## Uninstalling Nirmata Enterprise for Kyverno
To remove the Nirmata Enterprise for Kyverno add-on and IAM service account:
```bash
aws eks delete-addon \
  --cluster-name $CLUSTER_NAME \
  --region $CLUSTER_REGION \
  --addon-name nirmata_nirmata-kyverno-payg

eksctl delete iamserviceaccount \
  --name kyverno \
  --namespace kyverno \
  --cluster $CLUSTER_NAME \
  --region $CLUSTER_REGION
```

## Support
For assistance with setup or usage, contact [Nirmata Support](mailto:support@nirmata.com).

---

## Amazon EKS


Amazon Elastic Kubernetes Service (Amazon EKS) is a popular managed Kubernetes service for deploying and managing containerized applications. Amazon EKS users are challenged with ensuring security and governance across their entire fleet of clusters. Kyverno, an open-source policy engine, enables policy-based security, governance, and compliance for Amazon EKS clusters. Using Kyverno, enterprise platform teams can deploy the necessary guardrails to ensure that deployed applications are secure, compliant, and follow Amazon EKS Best Practices. 

### Deploying Enterprise Kyverno on Amazon EKS cluster

#### Prerequisites

* Subscribe to Nirmata Enterprise Kyverno on AWS Marketplace at: https://aws.amazon.com/marketplace/pp/prodview-nj5p5k32xgkxw
* Install the following tools: kubectl, AWS CLI, and optionally eksctl
* You have access to an Amazon EKS cluster


#### Deploy Enterprise Kyverno as an Amazon EKS add-on

After subscribing to Nirmata Enterprise Kyverno on [AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-nj5p5k32xgkxw) and following the on-screen instructions successfully, you are redirected to the Amazon EKS console.

Create the IAM role for service account. This assumes that you created the IAM OIDC provider with your cluster. To learn more about this step, [see the AWS IAM role for service account documentation](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html). 

**Note:** Remember to replace $CLUSTER_NAME & $CLUSTER_REGION with the actual cluster name and the region where the cluster is located. You can also specify a name for the role to avoid conflicts across clusters. In the example below, the role name is AmazonEKS-kyverno-role.

##### Using AWS Console

Go to your existing Amazon EKS cluster and, in the Add-ons tab, select Get more add-ons to find the Kyverno add-on and select it. Click Next.

![Select add-on](/images/select-add-on.png)


On the next page, select the latest version and select the IAM role, AmazonEKS-kyverno-role (or the IAM role you created earlier). Click on Next to review the configuration and then select Create. This deploys the add-on to your cluster.

![Configure add-on](/images/configure-add-on.png)


##### Using AWS CLI

On your workspace, run the following command to enable the Kyverno add-on for your Amazon EKS cluster:

Note: The IAM role for service account should already be created. You can also specify a name for the role to avoid conflicts across clusters. In the example below, the role name is AmazonEKS-kyverno-role.

```bash
export SERVICE_ACCOUNT_ROLE_ARN=$(aws iam get-role --role-name AmazonEKS-kyverno-role --output json | jq -r '.Role.Arn')

aws eks create-addon --cluster-name $CLUSTER_NAME  \
    --region $CLUSTER_REGION \
    --addon-name nirmata_kyverno \
    --addon-version v1.8.5-eksbuild.0 \
    --service-account-role-arn $SERVICE_ACCOUNT_ROLE_ARN \
    --resolve-conflicts OVERWRITE

```

##### Verify add-on installation

Once the add-on has been installed, verify that the Kyverno pod is running.

```bash
kubectl get pods -n kyverno
```

Next, you can deploy Kyverno policies to secure your cluster. You can find supported and validated policy sets [here](https://github.com/nirmata/kyverno-policies).


#### Deploy Enterprise Kyverno on an existing Amazon EKS cluster using the Helm Chart 

After subscribing to Nirmata Enterprise Kyverno on AWS Marketplace and following the on-screen instructions successfully, you are redirected to the Amazon EKS console.

Use the following commands to create an AWS IAM role and Kubernetes service account. They create the kyverno namespace as well as the service account.

Note: Remember to replace $CLUSTER_NAME & $CLUSTER_REGION with the actual cluster name and the region where the cluster is located.

```bash
kubectl create namespace kyverno
            
eksctl create iamserviceaccount \
    --name kyverno \
    --namespace kyverno \
    --cluster $CLUSTER_NAME \
    --attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess \
    --attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage \
    --attach-policy-arn arn:aws:iam::aws:policy/service-role/AWSLicenseManagerConsumptionPolicy \
    --approve \
    --override-existing-serviceaccounts \
    --region=$CLUSTER_REGION \
    --role-name AmazonEKS_Kyverno_LicenseManagerRole

export SERVICE_ACCOUNT_ROLE_ARN=$(aws iam get-role --role-name AmazonEKS_Kyverno_LicenseManagerRole --output json | jq -r '.Role.Arn')
```

Use the following commands to launch this software by installing a Helm chart on your Amazon EKS cluster. The Helm CLI version in your launch environment must be 3.7.1.

```bash
export HELM_EXPERIMENTAL_OCI=1

aws ecr get-login-password \
    --region us-east-1 | helm registry login \
    --username AWS \
    --password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com

mkdir awsmp-chart && cd awsmp-chart

helm pull oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/nirmata/kyverno-chart --version v1.10.0-06-aws

tar xf $(pwd)/* && find $(pwd) -maxdepth 1 -type f -delete

helm install kyverno \
    --namespace kyverno ./* \
    --set createnamespace=false \
    --set rbac.serviceAccount.create=false \
    --set rbac.serviceAccount.name=kyverno \
    --set rbac.serviceAccount.annotations."eks\.amazonaws\.com\/role-arn"=$SERVICE_ACCOUNT_ROLE_ARN \
    --set cluster.region=$CLUSTER_REGION
```

Next, verify that Kyverno is installed and the Kyverno pod is running.

```bash
kubectl get pods -n kyverno
```

Now you should be able to deploy Kyverno policies to secure your cluster. You can find supported and validated policy sets [here](https://github.com/nirmata/kyverno-policies).



### Troubleshooting

#### Kyverno fails to start

If the Kyverno pod status shows Init:Error or Init:CrashLoopBackOff, there was an issue starting the init container. Check the init container logs as follows.

```bash
kubectl logs <kyverno pod name> -n kyverno awslm-init
```

Based on the error message you should be able to identify the issue:

**Error**: No Entitlements Allowed \
**Problem**: No entitlements are available in your license. \
**Solution**: Increase the number of licensed nodes on the marketplace subscription.

**Error**: failed to create LicenseCredentialsProvider \
**Problem**: The IAM role is not configured correctly. \
**Solution**: Check the eks.amazonaws.com/role-arn annotation on the kyverno service account and make sure it is configured correctly.

**Error**: CheckoutLicense because no identity-based policy. \
**Problem**: The IAM role for service account is missing. \
**Solution**: Follow the steps above to configure the IAM role for service account and verify that the correct role ARN is added to the eks.amazonaws.com/role-arn annotation on the kyverno service account.
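The checks from the Verify Installation steps and the two IAM-role entries in this troubleshooting table, as an added shell example that is not part of the Nirmata documentation. Both functions take plain text so they can also be run on saved `kubectl` output; `verify_live` assumes `kubectl` and the AWS CLI are configured, and its first argument is the IAM role name you created earlier.

```shell
#!/bin/sh
# Added example (not from the Nirmata docs): post-install checks for the kyverno
# namespace. check_ready parses "name,readyReplicas,replicas" lines; check_role_annotation
# compares the service account's eks.amazonaws.com/role-arn annotation with the
# role ARN that was created. Both take plain text, so they also run on saved output.
set -u

# check_ready EXPECTED_COUNT  (reads "name,ready,desired" lines on stdin)
# Succeeds only when exactly EXPECTED_COUNT deployments exist and all are fully ready.
check_ready() {
  expected="$1"; count=0; bad=0
  while IFS=, read -r name ready desired; do
    [ -n "$name" ] || continue
    count=$((count + 1))
    # kubectl leaves readyReplicas empty while no replica of a deployment is ready
    if [ -z "$ready" ] || [ "$ready" != "$desired" ]; then
      echo "deployment $name: ${ready:-0}/$desired ready"; bad=1
    fi
  done
  if [ "$count" -ne "$expected" ]; then
    echo "expected $expected deployments, found $count"; return 1
  fi
  return "$bad"
}

# check_role_annotation ANNOTATION_VALUE EXPECTED_ROLE_ARN
# A missing or wrong value is what the "failed to create LicenseCredentialsProvider"
# and "CheckoutLicense because no identity-based policy" errors above point at.
check_role_annotation() {
  case "$1" in
    "")   echo "service account has no eks.amazonaws.com/role-arn annotation"; return 1 ;;
    "$2") return 0 ;;
    *)    echo "annotation is $1, expected $2"; return 1 ;;
  esac
}

# verify_live ROLE_NAME EXPECTED_DEPLOYMENTS: runs both checks against a cluster
# (needs kubectl and the AWS CLI; ROLE_NAME is the IAM role created earlier).
verify_live() {
  role_arn=$(aws iam get-role --role-name "$1" --query Role.Arn --output text)
  kubectl get deployments -n kyverno \
    -o jsonpath='{range .items[*]}{.metadata.name},{.status.readyReplicas},{.spec.replicas}{"\n"}{end}' \
    | check_ready "$2" \
    && check_role_annotation "$(kubectl get sa kyverno -n kyverno \
         -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')" "$role_arn"
}
```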






---

## Amazon EKS-A


Amazon EKS Anywhere lets you create and operate Kubernetes clusters on your own infrastructure. Amazon EKS Anywhere builds on the strengths of Amazon EKS Distro and provides open-source software that's up to date and patched so you can have an on-premises Kubernetes environment that's more reliable than a self-managed Kubernetes offering. Kyverno, an open-source policy engine, enables policy-based security, governance, and compliance for Amazon EKS-A clusters. Using Kyverno, enterprise platform teams can deploy the necessary guardrails to ensure that deployed applications are secure, compliant, and follow Amazon EKS Best Practices. 

### Deploying Enterprise Kyverno on Amazon EKS-A cluster

#### Prerequisites

* Request a Nirmata Enterprise Kyverno license from sales@nirmata.com
* Install the following tools: kubectl, AWS CLI, and optionally eksctl
* You have access to an Amazon EKS-A cluster
* Follow the prerequisites [here](https://github.com/aws-samples/eks-anywhere-addons) to install Flux and External Secrets
* Also create the Kubernetes secret (aws-secret) with AWS credentials so that the secret can be retrieved from AWS Secrets Manager
* Add the Nirmata license to AWS Secrets Manager:
  - Create a Secret with the name 'nirmata-license-key' and type "Other type of secret"
  - In Key/Value pairs, add the license as plaintext
    ![image](/images/aws-secretsmanager.png)
  - Next, create the ClusterSecretStore as follows:
```bash
cat <<EOF | kubectl apply -f - 
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: eksa-secret-store
spec:
  provider:
    aws:  # set secretStore provider to AWS.
      service: SecretsManager
      region: us-west-1  # Region where the secret is.
      auth:
        secretRef:
          accessKeyIDSecretRef: 
            name: aws-secret # References the secret we created
            namespace: default
            key: access-key  
          secretAccessKeySecretRef:
            name: aws-secret
            namespace: default
            key: secret
EOF
```

#### Deploy Enterprise Kyverno as an Amazon EKS-A add-on
Follow the instructions [here](https://github.com/aws-samples/eks-anywhere-addons) to deploy Kyverno on your Amazon EKS-A cluster.

Nirmata Enterprise Kyverno Add-on repository is [here](https://github.com/aws-samples/eks-anywhere-addons/tree/main/eks-anywhere-common/Addons/Partner/Nirmata/Kyverno). 


The exact command to install the Kyverno add-on is:

Once the add-on is installed, you can verify that the Kyverno pods are running using the command:

```bash
kubectl get pods -n kyverno
```




