Getting Started with N4K

Enterprise Kyverno is available as a Helm chart that can be installed using the Helm package manager.


  • Helm: Refer to the official docs for installation.
  • Kubernetes Cluster: Any CNCF compliant Kubernetes distribution.
  • License key: The license key for Nirmata Enterprise for Kyverno is available in the UI. For assistance, you can contact

Note: N4K is completely free to use upto 3 nodes, meaning there is no need for a license key to run it.

Installing the Enterprise Kyverno Chart

Adding the Kyverno Helm repository

The following commands add the Kyverno helm chart repository and update it accordingly:

helm repo add nirmata
helm repo update nirmata

Creating a namespace

You can install Kyverno in any namespace. The example uses kyverno as the namespace:

kubectl create namespace kyverno

(Optional) If a custom CA (Certificate Authority) is used in the cluster, create a configmap corresponding to the same in the namespace using the cutom-ca.pem key:

kubectl -n kyverno create configmap <e.g. ca-store-cm> --from-file=custom-ca.pem=<cert file e.g. some-cert.pem>

Installing the Kyverno chart

The following command installs Kyverno in the kyverno namespace:

helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set licenseManager.licenseKey=<license key>[,licenseManager.apiKey=<api key>]

This command deploys Kyverno on the Kubernetes cluster with default configuration. The detailed installation guide lists the parameters that can be configured during installation.

Note: While using the free tier, there is no need to use the --set licensekey argument in the above command.

The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix :webhook. Ex., *:webhook or kyverno:webhook. Other ClusterRole/ClusterRoleBinding names are configurable.

(Optional) Other parameters to the above command corressponding to custom CA, HTTP proxies, or NO_PROXY should be provided as needed:

--set customCAConfigMap=<e.g. ca-store-cm> --set systemCertPath=<e.g. /etc/ssl/certs> --set "extraEnvVars[0].name=HTTP_PROXY" --set "extraEnvVars[0].value=<e.g.>" ...

Installing the YAML

To install the chart directly without using the helm install command, simply generate the YAML from the helm chart and install it using the kubectl command. After updating the Helm repository as described above, proceed to the next step by creating the namespace for Kyverno in your Kubernetes cluster. Once the namespace is created, generate the kyverno YAML file by using the following helm template command:

helm template kyverno --namespace=kyverno nirmata/kyverno --create-namespace --set licenseManager.licenseKey=<license key>[,licenseManager.apiKey=<api key>] > kyverno.yaml

The following kubectl command installs the file directly into the namespace:

kubectl create -f kyverno.yaml

Notes for ArgoCD users: You can install this chart with the help of ArgoCD as well. Refer to the Kyverno documentation for more details.

Upgrading from open-source Kyverno to Nirmata Enterprise Subscription

For users having open-source Kyverno of version 1.5.0 or above installed in their cluster, execute the following command to upgrade directly to Nirmata Enterprise Subscription:

helm upgrade kyverno --namespace kyverno nirmata/kyverno --set licenseManager.licenseKey=<license key >[,licenseManager.apiKey=<api key>]

Note: Replace <license key> and <api key> with your license-key and api-key respectively.

Uninstalling the Enterprise Kyverno Chart

The below command will uninstall the kyverno deployment and remove all the Kubernetes components associated with the chart and delete the release:

helm delete -n kyverno kyverno