---
title: "Nirmata Documentation"
diataxis: how-to
applies_to:
  product: "nirmata-control-hub"
audience: ["platform-engineer"]
last_updated: 2024-09-01
url: https://docs.nirmata.io/docs/
---



---

## Nirmata Control Hub


> **Applies to:** Nirmata Control Hub 4.0 and later

Nirmata Control Hub provides enterprise-grade policy governance and AI agent management across Kubernetes clusters, IaC pipelines, and cloud resources. It is built on [Kyverno](https://kyverno.io/), a CNCF Graduated project created by Nirmata.

![image](/images/dashboard.png)

## What's Inside

- [**Cluster Onboarding**]({{< relref "Cluster/" >}}) — Onboard and manage Kubernetes clusters
- [**Policy Hub**]({{< relref "policy-hub/" >}}) — Policy sets, reports, exceptions, remediations, and compliance
- [**Agent Hub**]({{< relref "agent-hub/" >}}) — Deploy and run AI governance agents *(In Private Preview)*
- [**Monitoring**]({{< relref "Monitoring/" >}}) — Cluster health, activity, and alerts
- [**Identity & Access**]({{< relref "identity-access/" >}}) — Users, teams, SAML/OIDC, and API keys
- [**Settings**]({{< relref "Settings/" >}}) — Integrations, GitHub App, Terraform, and MFA
- [**How-To Guides**]({{< relref "how-to/" >}}) — Step-by-step workflows for common tasks


---

## Nirmata AI Agents


> **Applies to:** Nirmata AI Agents 1.0 and later

Nirmata's AI Agents save critical time and resources by automating complex tasks across Kubernetes clusters, IaC and CI/CD pipelines, and Cloud — from local development to production environments.

## Nirmata AI Agents are available as:

<div class="features-grid">
  <div class="feature-card" style="position: relative;">
    <div class="feature-icon">
      <i class="fas fa-terminal"></i>
    </div>
    <h3>Nirmata Assistant</h3>
    <p>Security-first CLI agent for policy development, testing, cluster management, and Kubernetes operations — with built-in session management and 15+ specialized skills.</p>
    <a href="/docs/ai/nctl-ai/" class="stretched-link"></a>
  </div>

  <div class="feature-card" style="position: relative;">
    <div class="feature-icon">
      <i class="fas fa-server"></i>
    </div>
    <h3>Service Agents</h3>
    <p>Autonomous agents deployed inside your clusters that continuously detect violations and open GitOps PRs to remediate them.</p>
    <a href="/docs/ai/service-agents/" class="stretched-link"></a>
  </div>

  <div class="feature-card" style="position: relative;">
    <div class="feature-icon">
      <i class="fas fa-cloud"></i>
    </div>
    <h3>Cloud Agents</h3>
    <p>On-demand and scheduled AI agents for cost analysis, security auditing, workload troubleshooting, and remediation — launched directly from Nirmata Control Hub.</p>
    <a href="/docs/control-hub/agent-hub/cloud-agents/" class="stretched-link"></a>
  </div>

  <div class="feature-card" style="position: relative;">
    <div class="feature-icon">
      <i class="fas fa-robot"></i>
    </div>
    <h3>Copilot</h3>
    <p>Context-aware AI embedded in Nirmata Control Hub that provides intelligent insights and recommendations using your full platform context and data.</p>
    <a href="/docs/ai/copilot/" class="stretched-link"></a>
  </div>
</div>

<style>
.features-grid {
  display: grid;
  grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
  gap: 2rem;
  margin: 2rem 0;
}

.feature-card {
  background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%);
  border: 1px solid #dee2e6;
  border-radius: 12px;
  padding: 2rem;
  transition: transform 0.2s ease, box-shadow 0.2s ease;
  box-shadow: 0 4px 6px rgba(0, 0, 0, 0.05);
  text-align: center;
}

.feature-card:hover {
  transform: translateY(-4px);
  box-shadow: 0 8px 25px rgba(0, 0, 0, 0.1);
}

.feature-icon {
  font-size: 3rem;
  margin-bottom: 1rem;
  text-align: center;
  color: #007bff;
}

.feature-card h3 {
  color: #2c3e50;
  margin-bottom: 1rem;
  font-size: 1.25rem;
  font-weight: 600;
  text-align: center;
}

.feature-card p {
  color: #6c757d;
  line-height: 1.6;
  margin: 0;
  text-align: center;
}

@media (max-width: 768px) {
  .features-grid {
    grid-template-columns: 1fr;
    gap: 1.5rem;
  }
  
  .feature-card {
    padding: 1.5rem;
  }
}
</style>

## Key Benefits

### Accelerate Development & Operations
* **Save Time** – Reduce time spent on policy creation, troubleshooting, and remediation from days and hours to minutes with AI-guided workflows
* **Faster Issue Resolution** – Get instant answers and automated fixes instead of searching through documentation or waiting for support
* **Accelerated Onboarding** – New team members become productive faster with AI-powered guidance and contextual recommendations

### Reduce Costs & Maximize Efficiency
* **Do More with Less** – Empower smaller teams to manage larger, more complex platforms and environments
* **Lower Operational Costs** – Automated remediation and policy enforcement reduce manual intervention and operational overhead
* **Cost-Effective AI** – Optimized for accuracy and low cost, delivering reliable results without excessive token consumption or API expenses

### Improve Security & Compliance
* **Shift Left with Confidence** – Catch security and compliance issues during development before they reach production
* **Continuous Enforcement** – Automated policy enforcement ensures consistent governance across all environments 24/7
* **Reduce Risk** – Proactive detection and remediation minimize security vulnerabilities and compliance violations

### Enhance Accuracy & Reliability
* **High Accuracy** – Purpose-built AI models trained specifically for Kubernetes and cloud-native environments
* **Context-Aware Decisions** – Leverages your cluster state, policies, and organizational context for precise recommendations
* **Trusted Automation** – Validated workflows ensure changes are safe and aligned with best practices

### Scale Platform Engineering
* **Unified Governance** – Single framework spanning CLI, clusters, and cloud for consistent policy enforcement everywhere
* **Self-Service Capabilities** – Developers get instant feedback and guidance without depending on platform teams
* **Knowledge Democratization** – Share expertise across teams through AI-powered best practices and automation

---

## Nirmata CLI (nctl)


> **Applies to:** nctl 4.0 and later

### nctl - the Nirmata CLI

`nctl`, the Nirmata Controller Command Line Interface (CLI), is a tool designed to simplify and streamline the security posture of your clusters and applications. With its intuitive and comprehensive set of commands, the CLI offers a unified approach to shifting security left: it provides CI/CD integrations and the ability to perform internal and external scans for comprehensive vulnerability assessments.


### Key Features and Benefits:

1. **Shift-Left Security**: Integrating `nctl` into your CI/CD, GitOps, and IaC pipelines enables proactive enforcement of policies and self-service remediation for developers. With `nctl` you can scan Kubernetes manifests, Terraform plans, Dockerfiles, and any JSON-formatted resource to **shift-left** security and prevent misconfigurations prior to deployment.
2. **Simplified Kubernetes Cluster Scanning**: `nctl` allows you to scan your Kubernetes clusters for common misconfigurations and ensure compliance *without* having to install a policy engine in each cluster. This allows you to identify critical issues and have your teams address them before you enable cluster admission controls as a defense-in-depth strategy to block misconfigurations.
3. **Unified Governance with Nirmata Control Hub**: `nctl` seamlessly integrates with Nirmata Control Hub so you can enable a unified governance layer across clusters, pipelines, and cloud. You can publish and share policy reports and use centrally managed policy sets and exceptions.
4. **Nirmata Assistant**: `nctl ai` is an AI-powered personal agent that runs on your workstation and helps you scan clusters, generate Kyverno policies, troubleshoot issues, and manage compliance — all from your terminal. See the [Nirmata Assistant](/docs/ai/nctl-ai/) documentation to get started.


---

## Policy Control Points


> **Applies to:** Enterprise Kyverno 1.10 and later

Policy Control Points apply centrally configured policies and exceptions, and generate audit and compliance data. All control points share the same behavior but are delivered in different form factors based on where they operate in your stack.

## Policy Control Points

- [Kubernetes Control Point]({{< relref "n4k/" >}}) — Enterprise-grade Kyverno distribution with LTS and SLAs
- [Pipeline Control Point]({{< relref "/docs/nctl/" >}}) — Policy enforcement for CI/CD pipelines using nctl
- [Terraform Control Point]({{< relref "ntc/" >}}) — Policy enforcement for Terraform Cloud workspaces
- [Cloud Control Point]({{< relref "nch-cloud/" >}}) — Cloud posture management for AWS, GCP, and Azure using Nirmata Control Hub
- [AI Control Point]({{< relref "mcp-ai-gateways/" >}}) — Identity-aware governance for LLM access — model access control, session budgets, cost attribution, and audit trails *(In Private Preview)*
- [Authz Control Point]({{< relref "authorization-service/" >}}) — Runtime authorization using Kyverno AuthZ *(In Private Preview)*


---

## Policy Library

Nirmata provides curated Policy Sets that map to various industry standards for running Kubernetes clusters following best practices.

All policies are available at [https://github.com/nirmata/kyverno-policies](https://github.com/nirmata/kyverno-policies) and are licensed under the **GNU Affero General Public License v3.0 (AGPL-3.0)**. See the [Licensing]({{< relref "/docs/reference/licensing/" >}}) page for details.


## Writing Custom Policies
Refer to the official documentation to learn the policy constructs and syntax.
* [Kyverno Policies](https://kyverno.io/docs/policy-types/)
* [Kyverno JSON Policies](https://kyverno.github.io/kyverno-json/latest/intro/)

## Policy Conventions
The [Nirmata Control Hub](/docs/control-hub/) relies heavily on policy annotations to display relevant information to users and to support certain workflows, such as displaying Remediation Suggestions and diffs. To ensure custom policies integrate seamlessly with Nirmata Control Hub, adhere to the following conventions. 

### Display Policy Category
`policies.kyverno.io/category`

Use this annotation to display the Category in the Policy Reports page. Example,

`policies.kyverno.io/category: Pod Security Standards (Baseline)`

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Display Findings Description
`policies.kyverno.io/description`

Use this annotation to display more info about the policy in the findings details page. Example,
```yaml
policies.kyverno.io/description: >-
      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
      network namespace) allow access to shared information and can be used to elevate
      privileges. Pods should not be allowed access to host namespaces. This policy ensures
      fields which make use of these host namespaces are unset or set to `false`.
```

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Display Findings Severity
`policies.kyverno.io/severity`

Use this annotation to display the severity of a finding. Example (note the space after the colon; without it, YAML parses the whole line as a single scalar rather than a key and value),

`policies.kyverno.io/severity: medium`

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Display Fix Recommendations
`policies.nirmata.io/remediation-docs`

Use this annotation to link to external or internal web pages that contain more information on the policy, its impact, and how to fix violations. Example,


`policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"`

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Provide Remediation Suggestion (Diff)
`policies.nirmata.io/remediation`

Use this annotation to link to a Kyverno `mutate` policy that is used for computing remediation diffs for violations. Example,


`policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml"`

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Adding Analyzer Binding to Kyverno JSON Policy
Add this binding to the `match` block: `$analyzer.resource.type`

Use the analyzer binding to let `nctl` know which kind of input the policy is for. Example,

`($analyzer.resource.type): terraform-config`

Similarly, if the policy is for a Terraform plan, Terraform state, or Dockerfile, the analyzer value is `terraform-plan`, `terraform-state`, or `dockerfile` respectively.

Sample policy: [enable-kms-encryption.yaml](https://github.com/nirmata/kyverno-policies/blob/main/terraform/plan/s3-best-practices/enable-kms-encryption/enable-kms-encryption.yaml)
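The following pair of policies is an added example, not a file from the kyverno-policies repository, that shows how the Kubernetes-side conventions above fit together: every display annotation on one Kyverno `ClusterPolicy`, followed by the companion `mutate` policy that the `policies.nirmata.io/remediation` annotation points to so Nirmata Control Hub can compute a remediation diff. The annotation values reuse the ones shown above; the rule names, the `Audit` action, and the exact validate pattern are illustrative assumptions.

```yaml
# Added example: a validate policy carrying all Nirmata display annotations.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-namespaces
  annotations:
    # Rendered as the Category column on the Policy Reports page
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    # Rendered on the finding details page
    policies.kyverno.io/description: >-
      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
      network namespace) allow access to shared information and can be used to elevate
      privileges. Pods should not be allowed access to host namespaces. This policy ensures
      fields which make use of these host namespaces are unset or set to `false`.
    # Severity shown for each finding (space after the colon is required)
    policies.kyverno.io/severity: medium
    # Link shown as the fix recommendation
    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"
    # Mutate policy used to compute the remediation diff (defined below)
    policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml"
spec:
  # Assumed for the example: report violations without blocking admission
  validationFailureAction: Audit
  background: true
  rules:
    - name: host-namespaces
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
        pattern:
          spec:
            # "=(...)" makes each field optional; if present it must be false
            =(hostPID): "false"
            =(hostIPC): "false"
            =(hostNetwork): "false"
---
# Added example: the companion mutate policy referenced by the
# policies.nirmata.io/remediation annotation above. It is only used to
# compute the suggested diff; the fields it sets mirror the validate pattern.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: remediate-disallow-host-namespaces
spec:
  rules:
    - name: unset-host-namespaces
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            hostPID: false
            hostIPC: false
            hostNetwork: false
```

Keep the validate pattern and the mutate patch in step: the remediation diff that Control Hub shows is derived from the mutate policy, so if the validate rule later checks an additional field, the companion mutate policy must set that field too or the suggested fix will not clear the finding.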


---

## Reference


Reference documentation for the Nirmata platform.

## Sections

- [REST API]({{< relref "rest-api/" >}}) — Full REST API documentation for Nirmata Control Hub
- [Compatibility Matrix]({{< relref "compatibility/" >}}) — Compatibility information for Nirmata Enterprise for Kyverno
- [Licensing]({{< relref "licensing/" >}}) — License terms for Nirmata products and the Policy Library


---

## Release Notes


Release notes for all Nirmata products and services.

## Products

- [Nirmata Control Hub]({{< relref "control-hub/" >}}) — Nirmata Data Platform release notes
- [Nirmata Enterprise for Kyverno]({{< relref "n4k/" >}}) — Release notes for the enterprise Kyverno distribution
- [nctl]({{< relref "nctl/" >}}) — CLI release notes
