Onboarding Cluster with Custom CA Certs in NCH
Custom Kyverno Configuration for Custom Kubernetes Certificates
This guide walks you through onboarding a cluster in NCH with Kyverno configured to use custom Kubernetes certificates, particularly those signed by your internal Certificate Authority (CA).
1. Generate or Use CA-Signed Certificates
If using your organization’s internal CA, generate/provide certs for kyverno-svc.kyverno.svc and kyverno-cleanup-controller.kyverno.svc. Must be CA-signed, not self-signed.
Wildcard Certificates
For wildcard certs (e.g., *.rancher.test or *.test.aws), SANs must include kyverno-svc.kyverno.svc and kyverno-cleanup-controller.kyverno.svc.
2. Verify Subject Alternative Names (SANs)
Ensure certs include these SANs before creating secrets:
For kyverno-svc:
kyverno-svckyverno-svc.kyvernokyverno-svc.kyverno.svc
For kyverno-cleanup-controller:
kyverno-cleanup-controllerkyverno-cleanup-controller.kyvernokyverno-cleanup-controller.kyverno.svc
Inspect SANs with Step CLI: step certificate inspect your-admission-cert.crt --short
3. Create Kubernetes Secrets for Kyverno
Create secrets in the kyverno namespace (replace <namespace>).
Admission Controller Secrets
kubectl create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=your-admission-cert.crt --key=your-admission-key.key -n <namespace>
kubectl create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt=your-ca.crt -n <namespace>
Cleanup Controller Secrets
kubectl create secret tls kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair --cert=your-cleanup-cert.crt --key=your-cleanup-key.key -n <namespace>
kubectl create secret generic kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt=your-ca.crt -n <namespace>
Important: Do not rename these secrets.
Nirmata Enterprise for Kyverno (N4K) and Operator Installation Guide
Version Details: N4K: v1.13.4-n4k.nirmata.2 | N4K Helm Chart: v3.3.9 | Kyverno Operator Helm Chart: v0.5.8
1. Overview
Install N4K and the Kyverno Operator using Helm. This guide also provides a complete container image list for deployments in air-gapped or private registry environments.
2. Install N4K (Kyverno)
helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata
helm install kyverno nirmata/kyverno -n kyverno --create-namespace --set features.policyExceptions.namespace="kyverno" --set features.policyExceptions.enabled=true --set admissionController.replicas=3 --version 3.3.9
3. Install Kyverno Operator
helm install kyverno-operator nirmata/nirmata-kyverno-operator -n nirmata-system --create-namespace --devel --set enablePolicyset=true --version v0.5.8 --set "policies.policySets=[]"
4. Uninstall & Cleanup
helm uninstall kyverno -n kyverno
helm uninstall kyverno-operator -n nirmata-system
kubectl delete ns kyverno
kubectl delete ns nirmata-system
Remove any persistent CRDs or leftover Kyverno resources if needed.
5. Container Image List (For Private Registry Usage)
Ensure these images are in your private registry:
N4K Images:
reg.nirmata.io/nirmata/kyverno:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/kyvernopre:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/background-controller:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/cleanup-controller:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/reports-controller:v1.13.4-n4k.nirmata.2
Kyverno Operator Images:
ghcr.io/nirmata/nirmata-kyverno-operator:v0.4.5
Nirmata Kube-controller Images:
ghcr.io/nirmata/nirmata-kube-controller:v3.10.5 ghcr.io/nirmata/opentelemetry-collector:0.92.0
✅ Tip: Ensure all required images are in the private registry for air-gapped environments.