---
title: "Nirmata CLI (nctl)"
description: "CLI for scanning Kubernetes manifests, Terraform, and more"
diataxis: how-to
applies_to:
  product: "nctl"
audience: ["developer","platform-engineer"]
last_updated: 2026-04-16
url: https://docs.nirmata.io/docs/nctl/
---


> **Applies to:** nctl 4.0 and later

### nctl - the Nirmata CLI

`nctl` the Nirmata Controller Command Line Interface (CLI) is a powerful tool designed to simplify and streamline the security posture of your clusters and applications. With its intuitive and comprehensive set of commands, the CLI offers a unified approach to shifting left security by providing CI/CD integrations and the ability to perform internal and external scans for comprehensive vulnerability assessments.


### Key Features and Benefits:

1. **Shift-Left Security**: Integrating `nctl` into your CI/CD, GitOps, and IaC pipelines enables proactive enforcement of policies and enables self-service remediation for developers. With `nctl` you can scan Kubernetes manifests, Terraform plans, Dockerfiles, and any JSON-formatted resource to **shift-left** security and prevent misconfigurations prior to deployment.
2. **Simplified Kubernetes Cluster Scanning**: `nctl` allows you to scan your Kubernetes clusters for common misconfigurations, and ensure compliance, *without* having to install an policy engine in each cluster. This allows you to easily identify critical issues and have your teams address them, before you enable cluster admission controls for defense-in-depth strategy and to block misconfigurations.
3. **Unified Governance with Nirmata Control Hub**: `nctl` seamlessly integrates with Nirmata Control Hub so you can enable a unified governance layer across clusters, pipeline and cloud. You can publish and share policy reports and use centrally managed policy sets and exceptions.
4. **Nirmata Assistant**: `nctl ai` is an AI-powered personal agent that runs on your workstation and helps you scan clusters, generate Kyverno policies, troubleshoot issues, and manage compliance — all from your terminal. See the [Nirmata Assistant](/docs/ai/nctl-ai/) documentation to get started.


---

## Quick Start


> **Applies to:** nctl 4.0 and later

The Nirmata Controller (`nctl`) is a command line application that makes it easy to scan Kubernetes, Terraform, Dockerfiles and other resources for misconfigurations using default or custom Kyverno policy sets.

You can use `nctl` to apply policies and **shift-left** by applying policies to Kubernetes and IaC resources directly in your code repositories, or to scan Kubernetes clusters without installing a policy engine as an admission controller in each cluster.

## Install nctl

Install  `nctl` using Homebrew:

```sh
brew tap nirmata/tap
brew install nctl
```

For more installation options, refer to the [installation guide](./installation.md).

## Scan a Kubernetes Cluster

To scan a Kubernetes Cluster and publish the report, run:

```sh
nctl scan kubernetes --cluster --publish
```text

This command will scan your cluster using default policy sets (Pod Security Standards, RBAC Best Practices, and Kubernetes Best Practices) and publish a shareable report to Nirmata Control Hub. An email will be required to sign-in.

To view additional options and detailed examples, run:

```sh
nctl scan kubernetes --help
```text

## Scan a repository

To scan a Git repository, run:

```sh
nctl scan repository https://github.com/nirmata/demo-resources
```text

To scan manifests in the current repository, run:

```sh
nctl scan repository .
```text

For more information and examples, run:

```sh
nctl scan repository --help
```text

## Login to the Nirmata Control Hub
To interact with the Nirmata Control Hub, you should first login to your account.

```bash
nctl login
```text

**Note**: Enter the right URL, email address, and the API Key associated with your account. The API Key can be generated by logging into your Nirmata account and navigating to the `Settings -> Profile` tab. Upon successful login, you should see this line in the output: `Validating user credentials...done!`. The configuration is written to `~/.nirmata/config`


## Commands Help

For the available commands and details for each command, refer to the [Commands](./commands/) section.

To learn more about the commands and different arguments supported, you can also view the command help.
Here are a few examples.

```bash
nctl help
nctl scan --help
```text



---

## Installation


The Nirmata CLI is available on Linux, macOS, and Windows. 

## Homebrew

Download and install the latest stable release of the notation CLI on macOS, Linux, or Windows Subsystem for Linux (WSL) using [Homebrew](https://brew.sh/):

### Install

```bash
brew tap nirmata/tap
brew install nctl
```

### Verify

You can verify the `nctl` installation by checking its version:

```sh
nctl version
```

### Upgrade

```bash
brew upgrade nctl
```

### Uninstall

```sh
brew uninstall nctl
```

To remove the Nirmata homebrew tap:
```sh
brew untap nirmata/tap
```

## Binary download

[Download](https://downloads.nirmata.io/nctl/stablereleases/) the latest stable release of the Nirmata CLI binary.

Set the `NCTL_VERSION` environment variable to the version of nctl you want to download. For example, if the latest version is `4.7.10`

```bash
export NCTL_VERSION=4.7.10
```text

### Linux
For ARM processors:
```bash
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_linux_arm64.zip
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_linux_arm64.zip.asc
```text

For x86 processors:
```bash
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_linux_amd64.zip
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_linux_amd64.zip.asc
```text

### MacOS
For ARM processors:
```bash
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_macos_arm64.zip
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_macos_arm64.zip.asc
```text

For x86 processors:
```bash
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_macos_amd64.zip
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_macos_amd64.zip.asc
```text

### Windows
```bash
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_windows_64-bit.zip
curl -LO https://dl.nirmata.io/nctl/nctl_$NCTL_VERSION/nctl_$NCTL_VERSION\_windows_64-bit.zip.asc
```text

### Verify the download

To verify the signature of a Nirmata download:

* Download the Nirmata PGP key (see below)
* Use gpg to verify the download integrity

```bash
export GNUPGHOME="$(mktemp -d)"
gpg --keyserver keys.openpgp.org --recv-key 7CEE8D12BCFE419B55A5D66A4F71AE57094A908B
gpg --batch --verify <ASC_FILE> <ARCHIVED_ZIP_FILE>
```text

For a download with a valid signature, the above commands will show an output with a line:
```bash
gpg: Good signature from "Nirmata Security <security@nirmata.com>"
```text

To secure communications and verify downloads, you can use the following PGP key. You can also fetch this key from the `keys.openpgp.org` key server with the ID `7CEE8D12BCFE419B55A5D66A4F71AE57094A908B`.
<details>
<summary>key</summary>

```text
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF46FmMBEAC5mu4GcQpQrLX9IEzpvcigrQLhDgTyfffO3ATTH8xp2w3DDfZQ
BGCpG+dmr5aBxZWsD34vFcSJdSrgtnKSR8KQRM5jgj2OSM1hiDwschdX2K5+luGH
xTCrKHZNZo22YGkOmkoAakkhbDH4NLcNuLV6Ra8E5TmaBwTruYnyVEgrWsmWd0xx
1GX7d4CUbe8y+ozTpLK2JzCwEA1HIs9/76OViY9i5o9AHMbX2NFW1xccEgLFS4eF
RASn7pgss0HEeJzoRt5c1E6L9A9JXIHWHNdJM7e/KwkdjuyNwgsNg8xNC7+R8riv
a4Tv+yhtSCW9UksPpzKMFGHGylwkZ69cW9IJCYfQmv8waMPqkfRyXVoIAcSrqmWl
nwrQ1kyBn4c/RX5l4WaRw99VVJsVXPS0Zqp2e1Ofw/Ho0Pmbzv7enQGLEoIy+eot
PvSENs1spEGfHNDayWGxSG50sqFHHFWHSrMopuFzZV4QATSMp49m9gauEo3TeNaJ
Xkg67qkjufcyzfBEtU65eE0tl2t+kLWLCa2CKlFbaLAJBaNF6YikVrmQ5HV1S1k2
K53ZJ9rXlJwiJdOUXnDWQ8Q1GT73ioAguojFVGFl5rBL1brXtyDlhW2Lt4tuKmZd
a9hR24qdyY5eIXY4sj1s2ZSKlUWKqSCMlUbrz4gvyuHxNr9vQfdyKDsOMQARAQAB
tCdOaXJtYXRhIFNlY3VyaXR5IDxzZWN1cml0eUBuaXJtYXRhLmNvbT6JAlQEEwEI
AD4WIQR87o0SvP5Bm1Wl1mpPca5XCUqQiwUCXjoWYwIbAwUJEswDAAULCQgHAgYV
CgkICwIEFgIDAQIeAQIXgAAKCRBPca5XCUqQi5T9D/91N0XfAuRRJqFpF/zFPyd9
NP55TPvRpnj6l5uytCmEeRP/mnUMBGlM23I+sRNJXHY9yTwglf/ZbQYf4lQ+27aJ
Fcrw6UJN/6dz2mrxGkh0GQntcwj0Pc2ws/vF941r0VlA9BtkN6D0aRj9aGQ3lgU4
wYjAPxpuIZdJg8eecs9LCYMeMxW6wTcqhGB/6y8vByFbBTEYCJ4ry28tOs2EmmoK
jRPKbaaQ8fs80il2Zj9RWqcoqUWhwN0dwwtL/MhQuT2ej8ilAB1TzJU66pzu44rM
IOvZbOsoMeiyzAdAZpFug4YA63Y+8uCf7I/04DK4fuy2U7pIFx/OAngzvfqTiMPY
eKicSImSsJSINtYBtVRYlMjsnIi4t0LvL6ibOWtyGO2l7ejcppFClEcO2kmOhdCu
TLiLlGXXIhfL2lwFGMilD13TeQydaU6ItQ3Nrvjn2Mzg0TGLAcww2n1mOu9K85CA
AejTaqlZ/tQRfAQe5LycNPJy5+xj5enp7Rp3Yu8z5H4Di4G4VCtAw66k5pmJXYn+
AbO/KCbRYF2hl8XVHDh7GC2YGcNMD7Z5dP2A5a/yIUZCLLIE2SgaShOZYSSMHZFX
9nKjz1GkNoVALy8JaUrnJuErDkVhfAFfDMFzaJ09hkQ1PlSlke1lhOBtoJQ+syrz
Qnb1wmx+P1nKeQZtUmGqGLkCDQReOhZjARAAwZ8bcgXkd3tlzgJJ/E1OIRjjJ5da
UVcwlwHXFKTxu6edackcy8vpWt3xURdY8FrEBg8fwzqyBaGTEFA3bJwxLrP9eQUN
7ZhyLZpec0Kh9p17IClWB7LuMRpxV8mUhXh0HZydi11kFhjVdHlTu6SFbQNpU211
AehgWVtHDNLJfaA9rotITc2uq8aOHHUVY/coGz3C5SasBRJEcxJhN0lvSJjSaGXe
+CgHGNcBNPvYDGFxLDpE5PzdB5FcN+6kcJynLZ8kaF43RRzzh4yA/kvBqCykcbRJ
2fBjW+ugdgrtRPKDQSduJngtcg7EcsefVsZcB5V2QSOk32pVYBfiZcy0VA8VxqAg
jwk0SwDDmM53+1HJeaAr5ejjZ/CmuzH3nuGnlivY7N9Rsaz3UWrR1njZFdP0HKWJ
dJiXxI6ECcL6meGZ1Mm7E8SjZltO0k5xvmQh60mqZPpX9hkbKm6lurZ9ZXpmBIfh
lT6UzD+y11l06aTU1Da9d3ZHofRRJHFJyEXdeh/h6dr+QCJoyCGCjSLFSGh7CrHo
fLtdFLYoTnYzH6YEa6ghlr6xQh4dh56kunSlBBZOKw7CyMu0tWVJVV/pNEMOJ9dw
d8KPjClLJJxCObFMi0zsSVzu10xd/BXncjgXtEFLhG7Jhrsloo5E41xEWXxT8R+U
yL0nOhEVYfRRdrcAEQEAAYkCPAQYAQgAJhYhBHzujRK8/kGbVaXWak9xrlcJSpCL
BQJeOhZjAhsMBQkSzAMAAAoJEE9xrlcJSpCL1DUP/RwH4okrNjGsz667VM+gxFV5
lRLI9/hmptjRPkz2h41xJjKiZP2xm4ACKyOXARQKjyQl116g/vpEtJANoczVsa14
5fR334qZf/WnvAuQ/dYmJPDibXX9Uwyje0mex+WGj5uELtw8vn9gCoRO5dQCn37+
gX+w8u6tpPxNFOCJf3xOov7pzn3kyLZh/mDIKkAAnqqOumqx/d/qRdJ3T/B9Ojol
axftBA34HSI6pDhqtX4encUM72KfZfxddGyL2/V0y7aWseTJcL0JXo6go9c2CUsR
9CKvxVZol80mh5RtJGAYVe+wpWaMEP/ns8rhs6xFoqO8qv5qNz1NYz+iTcjOd+pw
/ekeOvSobIc6W6VxuD5jrxWycPrWytRv2K60JB68tJDA6ipk9jWHi5uqK2f7nR66
32IgO/04o3CK4zg3KznFBl9ba7Keyvwz0BCA7nAVDgWCWCqIz0iSvs4aE8k7Qr2Z
wNGHPNyIuDCzJ9eRfi5ZnuSrIIwkR4LY9pwM6cqXDFDM08ZUz9YDHiii6lBiQoRD
yaXgm4eH3hCFaMVvR2Hgy7G6O/upJDCz6IC8HdYirbkrCrys4rWHrqr+ybve1otw
N4ZiNIcFCjfaCjJnnACsF5bH7FEuIgtYv15JZQIsL4ajMi1K7eXexQQLCr79sgTw
9V4Q6JD9HXyskV/e83uN
=jCzX
-----END PGP PUBLIC KEY BLOCK-----
```text
</details>


### Install the CLI binary
`nctl` is a precompiled binary. It is distributed as a zip archive. After download, unzip the downloaded package. You can then set permissions and move the binary into a directory in your `PATH`.

```bash
unzip <ZIP_FILE>
chmod u+x nctl
sudo mv nctl /usr/local/bin/nctl
```

### Verify the installation

You can verify the `nctl` installation by checking its version:

```sh
nctl version
```

### Upgrade
To upgrade `nctl` and stay up-to-date with the supported features, follow these steps:

1. Check the version of the installed binary and compare it with the latest stable release to see if an update is required:
```bash
nctl version
``` 
2. If the installed binary is outdated, remove the previous installation of `nctl`:
```bash
rm -rf /usr/local/bin/nctl
```
3. Delete the `.asc` and `.zip` files downloaded during installation.
4. Download the latest release of `nctl` binary and install it as described above in the [installation instructions](#install-the-cli-binary). 
5. After installing, check the version of the newly installed binary: 
```bash
nctl version
```

### Uninstall
Follow these steps to uninstall `nctl`: 
1. Remove the installed `nctl` binary: 
```bash
rm -rf /usr/local/bin/nctl
```
2. Remove the `.asc` and `.zip` files downloaded during installation.

```text


---

## Service Account Authentication


Nirmata Control Hub Service Account tokens allow `nctl` to authenticate with Nirmata Control Hub without requiring a user login. This is the recommended approach for CI/CD pipelines, GitOps workflows, and any automated scanning or publishing process where storing user credentials is not practical.

## Overview

By default, `nctl` authenticates using a user API key (set via `nctl login`, the `NIRMATA_TOKEN` environment variable, or `~/.nirmata/config`). Service Account tokens provide an alternative authentication path scoped to specific operations, making them well-suited for automation.

### Supported Operations

Service Account tokens can be used for the following `nctl` operations:

| Operation | Description |
|-----------|-------------|
| `nctl scan * --publish` | Publish scan reports to Nirmata Control Hub for any resource type (Kubernetes, Helm, Terraform, Dockerfile, JSON, repository) |
| Artifact uploads | Upload scan artifacts alongside published reports |
| Policy fetching | Read policy sets and exceptions from Nirmata Control Hub during scans |
| `nctl remediate` | Generate AI-driven remediation suggestions |

{{% alert title="Note" %}}
Cluster management operations (`nctl add cluster`, `nctl get clusters`, `nctl remove cluster`, `nctl update cluster`) and user-context operations (`nctl login`, `nctl info`, `nctl ai`) require a user API key and are not supported with Service Account tokens.
{{% /alert %}}

## Create an Nirmata Control Hub Service Account

Before using Service Account authentication, create a Service Account in Nirmata Control Hub and assign it the appropriate role.

1. Log in to [Nirmata Control Hub](https://nirmata.io)
2. Navigate to **Identity & Access** from the left sidebar
3. Go to the **Service Accounts** section and create a new Service Account
4. Assign the `reportPublisher` role (or a role with equivalent permissions) to allow scan report publishing and policy fetching
5. Copy the generated secret token — this is your `NIRMATA_SERVICE_ACCOUNT_TOKEN`

The `reportPublisher` role grants the following access:

| Permission | Description |
|------------|-------------|
| Policy set read | Fetch policy sets used during scanning |
| Policy exception read | Fetch exceptions applied during scanning |
| PRR model write | Publish scan results (`POST /policies/api/policyReportResult`) |
| Artifact upload | Upload scan artifacts (`POST /policies/api/uploadReportFiles`) |

## Configure the Token

Set the `NIRMATA_SERVICE_ACCOUNT_TOKEN` environment variable to your Service Account secret. When this variable is set, `nctl` uses it automatically for all supported operations — no `nctl login` required.

```bash
export NIRMATA_SERVICE_ACCOUNT_TOKEN="<your-service-account-secret>"
```text

{{% alert title="Note" %}}
If both `NIRMATA_SERVICE_ACCOUNT_TOKEN` and `NIRMATA_TOKEN` (or `--publish-token`) are set, the Service Account token takes precedence for scan publishing operations.
{{% /alert %}}

## Usage Examples

### CLI

```bash
export NIRMATA_SERVICE_ACCOUNT_TOKEN="<your-service-account-secret>"

# Scan and publish a Kubernetes cluster report
nctl scan kubernetes --cluster --publish

# Scan and publish a local repository
nctl scan repository /path/to/repo --publish

# Scan and publish a Helm chart
nctl scan helm /path/to/chart --publish

# Scan and publish a Terraform plan
nctl scan terraform /path/to/plan.json --publish

# Scan and publish a Dockerfile
nctl scan dockerfile /path/to/Dockerfile --publish
```text

### GitHub Actions

```yaml
name: NCTL Scan
on:
  pull_request:
    branches:
      - main

jobs:
  nctl-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4

      - name: Install nctl
        uses: nirmata/action-install-nctl-scan@v0.0.12

      - name: Scan and publish Kubernetes resources
        env:
          NIRMATA_SERVICE_ACCOUNT_TOKEN: ${{ secrets.NIRMATA_SERVICE_ACCOUNT_TOKEN }}
        run: nctl scan kubernetes --policies controls/pod-security --resources config-files/k8s --publish
```text

Store the Service Account token as a repository or organization secret (`NIRMATA_SERVICE_ACCOUNT_TOKEN`) in your GitHub repository settings. This avoids hardcoding credentials in your workflow files.

### GitLab CI

```yaml
nctl-scan:
  image: ubuntu:latest
  variables:
    NIRMATA_SERVICE_ACCOUNT_TOKEN: $NIRMATA_SERVICE_ACCOUNT_TOKEN
  script:
    - curl -LO https://downloads.nirmata.io/nctl/stablereleases/nctl_linux_amd64.zip
    - unzip nctl_linux_amd64.zip && chmod u+x nctl && mv nctl /usr/local/bin/
    - nctl scan repository . --publish
```text

## Token Expiry

Service Account tokens may have an expiry depending on your Nirmata Control Hub account configuration. When a token expires:

- For CLI usage, update the `NIRMATA_SERVICE_ACCOUNT_TOKEN` environment variable with a new token
- For CI/CD pipelines, update the secret in your pipeline configuration

To check or manage token expiry settings, navigate to **Identity & Access** → **API Tokens** in Nirmata Control Hub.


---

## Scanning Resources


`nctl scan` is the primary command group for scanning resources for policy violations and security misconfigurations. It supports a wide range of resource types — from live Kubernetes clusters and Git repositories to Terraform plans, Dockerfiles, and Helm charts — making it easy to shift-left security across your entire stack.

## Subcommands

| Command | Description |
|---------|-------------|
| [`nctl scan kubernetes`](/docs/nctl/commands/nctl_scan_kubernetes/) | Scan Kubernetes resources from a live cluster or local manifests against Kyverno policies |
| [`nctl scan repository`](/docs/nctl/commands/nctl_scan_repository/) | Scan all supported resource types in a Git repository or local directory in a single command |
| [`nctl scan terraform`](/docs/nctl/commands/nctl_scan_terraform/) | Scan Terraform plan files for policy violations |
| [`nctl scan dockerfile`](/docs/nctl/commands/nctl_scan_dockerfile/) | Scan Dockerfiles for security and best-practice violations |
| [`nctl scan helm`](/docs/nctl/commands/nctl_scan_helm/) | Scan Helm charts for policy violations |
| [`nctl scan json`](/docs/nctl/commands/nctl_scan_json/) | Scan arbitrary JSON-formatted resources |
| [`nctl scan github-actions`](/docs/nctl/commands/nctl_scan_github-actions/) | Scan GitHub Actions workflow files for security vulnerabilities |
| [`nctl scan compliance`](/docs/nctl/commands/nctl_scan_compliance/) | Run a compliance scan against a Kubernetes cluster for a named standard (SOC2, NIST 800-53, PCI-DSS, etc.) |
| [`nctl scan prompt`](/docs/nctl/commands/nctl_scan_prompt/) | [Experimental] Scan LLM prompts for policy violations |
| [`nctl scan skills`](/docs/nctl/commands/nctl_scan_skills/) | [Experimental] Scan agent skills |

## Output Formats

Most scan commands support multiple output formats via the `-o` / `--output` flag:

| Format | Description |
|--------|-------------|
| `text` | Human-readable terminal output (default) |
| `json` | Machine-readable JSON |
| `yaml` | YAML output |
| `scan-report` | Structured scan report |
| `sarif` | SARIF format for GitHub Code Scanning integration |

Use `--file` to save output to a file instead of printing to stdout.

## Publishing Reports

Use `--publish` to send scan results to Nirmata Control Hub for centralized visibility and sharing across your team.

### Authentication for Publishing

Publishing requires authentication with Nirmata Control Hub. There are two ways to authenticate:

- **User API key** — Set via `nctl login`, the `NIRMATA_TOKEN` environment variable, or `~/.nirmata/config`. Used by default when no other token is provided.
- **Service Account token** — Set via the `NIRMATA_SERVICE_ACCOUNT_TOKEN` environment variable or the `--publish-token` flag. Recommended for CI/CD pipelines and automation workflows where user credentials should not be stored.

For details on setting up and using Service Account tokens, see [Service Account Authentication](./service-accounts/).

## AI-Powered Analysis

Add `--analyze` to a cluster scan to get AI-powered insights and recommendations on the results.

For a fully interactive, AI-driven scanning and policy workflow, see the [Nirmata Assistant](/docs/ai/nctl-ai/).


---

## Cluster Onboarding


`nctl` provides an easy way to add new clusters to Nirmata Control Hub, and also to interact with existing clusters.

**Note:** You must be logged in to your Nirmata Control Hub account before performing any of the below actions. View the steps to login [here](https://docs.nirmata.io/docs/nctl/getting-started/#login-to-the-nirmata-policy-manager).

## Add a new cluster to Nirmata Control Hub
To onboard an existing cluster to the Nirmata Control Hub, use the `add` command.

```bash
nctl add cluster --cluster-name <cluster-name>
```text

This will install the Kyverno Operator, and also deploy the following PolicySets:
* Pod Security Standards (Baseline)
* Pod Security Standards (Restricted)
* RBAC Best Practices

If you wish to only onboard the cluster without deploying the Kyverno Operator and related components, use the `--register-only` flag.


## List all clusters
To get a list of all clusters that are onboarded to Nirmata Control Hub, use the `get` command.

```bash
nctl get cluster
```text

## Get cluster details
To view more details about a cluster:

```bash
nctl get cluster <cluster-name>
```text

## Remove cluster from Nirmata Control Hub
To remove a cluster from Nirmata Control Hub:

```bash
nctl remove cluster --cluster-name <cluster-name>
```
This deregisters the cluster from Nirmata Control Hub and removes the Kyverno Operator, related components, and policysets that were installed during cluster registration.


---

## Kyverno Operator Management


The Enterprise Kyverno Operator is a [Kubernetes Operator](https://www.cncf.io/blog/2022/06/15/kubernetes-operators-what-are-they-some-examples/) to manage lifecycle of Kyverno, Adapters and Nirmata supported policies. It offers comprehensive lifecycle management capabilities that go beyond just Kyverno itself, extending to related components like policies and adapters. Managing these components at scale can be challenging due to compatibility and upgrade issues. The Operator provides a seamless solution for your policy and governance ecosystem, ensuring stability and smooth operation. The Operator itself can be used with `nctl` and is also available as a [Helm chart](https://github.com/nirmata/kyverno-charts/blob/main/charts/enterprise-kyverno-operator/README.md#helm-chart-for-enterprise-kyverno).


## Generate the values file template
The Operator supports a wide variety of parameters to fine tune Kyverno, Adapters, and policies. To see what parameters are available, generate the values file template and update the necessary fields.

```bash
nctl get operator helm-values
```
## Initialize the Kyverno Operator
To initialize Kyverno Operator with default values, run the below command.

```bash
nctl install operator
```
This installs the operator and related components in the `nirmata-system` namespace. View all operator components using,

```bash
kubectl get all -n nirmata-system
```

Kyverno in installed HA mode (3 replicas), and the following policysets are installed by default.
* Pod Security Standards (Baseline)
* Pod Security Standards (Restricted)
* RBAC Best Practices

## Upgrading the Kyverno Operator
In order to upgrade any component of the operator, use the `upgrade` command. The parameters are the same as the ones listed by the `generate` command above.

**Note:** Upgrading to Kyverno version `1.10.x` is not supported by the CLI. This is because `Kyverno 1.10.x` version contains breaking changes that may affect existing policies. Please contact [Nirmata Support](mailto:support@nirmata.com) for upgrading to `Kyverno 1.10.x` version and above.


## Uninstall the Kyverno Operator
Cleaning up the operator is straightforward. Use the `uninstall` command to cleanup all the resources created at the time of Operator install.

```bash
nctl uninstall operator 
```text


---

## Commands

## nctl

nctl is the command line interface for Nirmata

```bash
nctl [flags]
```

### Examples

```bash

  # Scan a Kubernetes cluster and analyze and publish the scan results
  nctl scan kubernetes --cluster --analyze --publish

  # Scan Kubernetes manifests, Dockerfiles, and Terraform code in a repository
  nctl scan repository https://github.com/nirmata/demo-resources

  # Scan the current directory
  nctl scan repository 

```bash

### Options

```text
  -h, --help      help for nctl
  -v, --v Level   number for the log level verbosity
```

### SEE ALSO

* [nctl add](/docs/nctl/commands/nctl_add/)	 - Add resources to Nirmata Control Hub  
* [nctl ai](/docs/nctl/commands/nctl_ai/)	 - Agentic AI powered workflows
* [nctl create](/docs/nctl/commands/nctl_create/)	 - Create policyexceptionrequests
* [nctl edit](/docs/nctl/commands/nctl_edit/)	 - Edit nctl resources
* [nctl get](/docs/nctl/commands/nctl_get/)	 - Get Nirmata Control Hub resources
* [nctl info](/docs/nctl/commands/nctl_info/)	 - Account and User Information
* [nctl login](/docs/nctl/commands/nctl_login/)	 - Provide authentication details to login
* [nctl raw](/docs/nctl/commands/nctl_raw/)	 - Direct access to the Nirmata REST API
* [nctl remediate](/docs/nctl/commands/nctl_remediate/)	 - Remediate a resource file or directory for policy violations
* [nctl remove](/docs/nctl/commands/nctl_remove/)	 - Remove Nirmata Control Hub resources
* [nctl scan](/docs/nctl/commands/nctl_scan/)	 - Scan resources
* [nctl signup](/docs/nctl/commands/nctl_signup/)	 - Create a new Nirmata Control Hub account
* [nctl transform](/docs/nctl/commands/nctl_transform/)	 - Transform resource manifests to json
* [nctl update](/docs/nctl/commands/nctl_update/)	 - Update Nirmata Control Hub resources
* [nctl version](/docs/nctl/commands/nctl_version/)	 - Show version and build information