Getting Started with N4K
Enterprise Kyverno is available as a Helm chart that can be installed using the Helm package manager.
Prerequisites
- Helm: Refer to the official docs for installation.
- Kubernetes Cluster: Any CNCF compliant Kubernetes distribution.
- License key: The license key for Nirmata Enterprise for Kyverno is available in the UI. For assistance, you can contact support@nirmata.com.
Note: N4K is completely free to use upto 3 nodes, meaning there is no need for a license key to run it.
Installing the Enterprise Kyverno Chart
Adding the Kyverno Helm repository
The following commands add the Kyverno helm chart repository and update it accordingly:
helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata
Creating a namespace
You can install Kyverno in any namespace. The example uses kyverno as the namespace:
kubectl create namespace kyverno
(Optional) If a custom CA (Certificate Authority) is used in the cluster, create a configmap corresponding to the same in the namespace using the cutom-ca.pem key:
kubectl -n kyverno create configmap <e.g. ca-store-cm> --from-file=custom-ca.pem=<cert file e.g. some-cert.pem>
Installing the Kyverno chart
The following command installs Kyverno in the kyverno namespace:
helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set licenseManager.licenseKey=<license key>[,licenseManager.apiKey=<api key>]
This command deploys Kyverno on the Kubernetes cluster with default configuration. The detailed installation guide lists the parameters that can be configured during installation.
Note: While using the free tier, there is no need to use the
--set licensekeyargument in the above command.
The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix :webhook. Ex., *:webhook or kyverno:webhook. Other ClusterRole/ClusterRoleBinding names are configurable.
(Optional) Other parameters to the above command corressponding to custom CA, HTTP proxies, or NO_PROXY should be provided as needed:
--set customCAConfigMap=<e.g. ca-store-cm> --set systemCertPath=<e.g. /etc/ssl/certs> --set "extraEnvVars[0].name=HTTP_PROXY" --set "extraEnvVars[0].value=<e.g. http://test.com:8080>" ...
Installing the YAML
To install the chart directly without using the helm install command, simply generate the YAML from the helm chart and install it using the kubectl command. After updating the Helm repository as described above, proceed to the next step by creating the namespace for Kyverno in your Kubernetes cluster. Once the namespace is created, generate the kyverno YAML file by using the following helm template command:
helm template kyverno --namespace=kyverno nirmata/kyverno --create-namespace --set licenseManager.licenseKey=<license key>[,licenseManager.apiKey=<api key>] > kyverno.yaml
The following kubectl command installs the file directly into the namespace:
kubectl create -f kyverno.yaml
Notes for ArgoCD users: You can install this chart with the help of ArgoCD as well. Refer to the Kyverno documentation for more details.
Upgrading from open-source Kyverno to Nirmata Enterprise Subscription
For users having open-source Kyverno of version 1.5.0 or above installed in their cluster, execute the following command to upgrade directly to Nirmata Enterprise Subscription:
helm upgrade kyverno --namespace kyverno nirmata/kyverno --set licenseManager.licenseKey=<license key >[,licenseManager.apiKey=<api key>]
Note: Replace
<license key>and<api key>with your license-key and api-key respectively.
Uninstalling the Enterprise Kyverno Chart
The below command will uninstall the kyverno deployment and remove all the Kubernetes components associated with the chart and delete the release:
helm delete -n kyverno kyverno