Onboarding Cluster with Custom CA Certs in NCH

Guide to Onboard a Cluster with Custom Certs in NCH

Custom Kyverno Configuration for Custom Kubernetes Certificates

This guide walks you through onboarding a cluster in NCH with Kyverno configured to use custom Kubernetes certificates, particularly those signed by your internal Certificate Authority (CA).

1. Generate or Use CA-Signed Certificates

If you use your organization's internal CA, generate or obtain certificates for kyverno-svc.kyverno.svc and kyverno-cleanup-controller.kyverno.svc. They must be signed by that CA, not self-signed.

Wildcard Certificates

A wildcard cert (e.g., *.rancher.test or *.test.aws) does not cover these service names on its own: its SAN list must also include kyverno-svc.kyverno.svc and kyverno-cleanup-controller.kyverno.svc explicitly.

2. Verify Subject Alternative Names (SANs)

Ensure certs include these SANs before creating secrets:

For kyverno-svc:

  • kyverno-svc
  • kyverno-svc.kyverno
  • kyverno-svc.kyverno.svc

For kyverno-cleanup-controller:

  • kyverno-cleanup-controller
  • kyverno-cleanup-controller.kyverno
  • kyverno-cleanup-controller.kyverno.svc

Inspect SANs with the Step CLI:

step certificate inspect your-admission-cert.crt --short

3. Create Kubernetes Secrets for Kyverno

Create the secrets in the namespace where Kyverno is installed (replace <namespace> with that namespace, normally kyverno).

Admission Controller Secrets

kubectl create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=your-admission-cert.crt --key=your-admission-key.key -n <namespace>
kubectl create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt=your-ca.crt -n <namespace> 

Cleanup Controller Secrets

kubectl create secret tls kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair --cert=your-cleanup-cert.crt --key=your-cleanup-key.key -n <namespace>
kubectl create secret generic kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt=your-ca.crt -n <namespace>

Important: Do not rename these secrets. Kyverno looks them up by these exact names and will fall back to other certificate handling if they are not found.
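Before creating the secrets, it helps to check that each certificate actually satisfies steps 1 and 2: every required SAN is present (a wildcard entry only matches one label, so it does not stand in for the .svc names) and the certificate chains to the CA whose certificate goes into the *-tls-ca secret. The following shell script is an added example and is not part of the Nirmata guide; it uses openssl rather than the Step CLI, assumes OpenSSL 1.1.1 or newer on PATH, and the certificate file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Nirmata guide. Checks a certificate before
# the Kyverno TLS secrets are created: (1) every SAN Kyverno needs is present,
# (2) the cert chains to the CA that will go into the *-tls-ca secret.
# Assumes: openssl 1.1.1 or newer on PATH; file names below are placeholders.

# Print the three names Kyverno requires for a service: short, namespaced, .svc
required_sans() {
  svc="$1"            # kyverno-svc or kyverno-cleanup-controller
  ns="${2:-kyverno}"  # namespace Kyverno is installed in
  printf '%s\n%s.%s\n%s.%s.svc\n' "$svc" "$svc" "$ns" "$svc" "$ns"
}

# sans_cover "<SAN text>" <svc> [ns]
# SAN text is the openssl form "DNS:a, DNS:b, DNS:*.example". Returns 0 when
# every required name is covered, 1 otherwise (missing names go to stderr).
# A wildcard entry matches exactly one label, so *.rancher.test does NOT cover
# kyverno-svc.kyverno.svc; that name has to be listed explicitly.
sans_cover() {
  san_text="$1"; svc="$2"; ns="${3:-kyverno}"
  missing=0
  for name in $(required_sans "$svc" "$ns"); do
    found=0
    old_ifs=$IFS; IFS=','; set -f       # split on commas, no pathname globbing
    for raw in $san_text; do
      entry=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/^DNS://')
      case "$entry" in
        "$name") found=1 ;;
        \*.*)
          suffix="${entry#\*.}"; rest="${name#*.}"
          # the wildcard covers the name only if it has exactly one extra label
          if [ "$rest" != "$name" ] && [ "$rest" = "$suffix" ]; then found=1; fi
          ;;
      esac
    done
    set +f; IFS=$old_ifs
    if [ "$found" -eq 0 ]; then
      echo "missing SAN: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# check_cert_sans <cert.pem> <svc> [ns]: read the SAN extension with openssl
check_cert_sans() {
  san_text=$(openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d '\n')
  sans_cover "$san_text" "$2" "${3:-kyverno}"
}

# check_cert_chain <ca.crt> <cert.pem>: the cert must be issued by the CA whose
# certificate goes into the *-tls-ca secret (CA-signed, not self-signed)
check_cert_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# Usage (placeholder file names, as in the guide):
#   check_cert_sans your-admission-cert.crt kyverno-svc kyverno &&
#   check_cert_chain your-ca.crt your-admission-cert.crt &&
#   echo "admission cert OK"
#   check_cert_sans your-cleanup-cert.crt kyverno-cleanup-controller kyverno &&
#   check_cert_chain your-ca.crt your-cleanup-cert.crt &&
#   echo "cleanup cert OK"
```

Run both checks for the admission and the cleanup certificate; if either exits non-zero, reissue the certificate rather than creating the secrets, because Kyverno's webhooks will fail TLS verification against a certificate whose SANs or issuer do not match.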

Nirmata Enterprise for Kyverno (N4K) and Operator Installation Guide

Version Details: N4K: v1.13.4-n4k.nirmata.2 | N4K Helm Chart: v3.3.9 | Kyverno Operator Helm Chart: v0.5.8

1. Overview

Install N4K and the Kyverno Operator using Helm. This guide also provides a complete container image list for deployments in air-gapped or private registry environments.

2. Install N4K (Kyverno)

helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata
helm install kyverno nirmata/kyverno -n kyverno --create-namespace --set features.policyExceptions.namespace="kyverno" --set features.policyExceptions.enabled=true --set admissionController.replicas=3 --version 3.3.9

3. Install Kyverno Operator

helm install kyverno-operator nirmata/nirmata-kyverno-operator -n nirmata-system --create-namespace --devel --set enablePolicyset=true --version v0.5.8 --set "policies.policySets=[]"

4. Uninstall & Cleanup

helm uninstall kyverno -n kyverno
helm uninstall kyverno-operator -n nirmata-system
kubectl delete ns kyverno
kubectl delete ns nirmata-system

Remove any persistent CRDs or leftover Kyverno resources if needed.

5. Container Image List (For Private Registry Usage)

Ensure these images are in your private registry:

N4K Images:

 reg.nirmata.io/nirmata/kyverno:v1.13.4-n4k.nirmata.2
 reg.nirmata.io/nirmata/kyvernopre:v1.13.4-n4k.nirmata.2
 reg.nirmata.io/nirmata/background-controller:v1.13.4-n4k.nirmata.2
 reg.nirmata.io/nirmata/cleanup-controller:v1.13.4-n4k.nirmata.2
 reg.nirmata.io/nirmata/reports-controller:v1.13.4-n4k.nirmata.2

Kyverno Operator Images:

ghcr.io/nirmata/nirmata-kyverno-operator:v0.4.5

Nirmata Kube-controller Images:

ghcr.io/nirmata/nirmata-kube-controller:v3.10.5
ghcr.io/nirmata/opentelemetry-collector:0.92.0

✅ Tip: Ensure all required images are in the private registry for air-gapped environments.
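For an air-gapped install the images listed above have to be copied into the private registry under the same repository path and tag. The script below is an added example, not part of the Nirmata guide: it rewrites each source reference for the private registry host (a placeholder here) and mirrors it with the docker CLI, which it assumes is on PATH and already logged in to both registries.

```shell
#!/bin/sh
# Added example, not part of the Nirmata guide. Mirrors the image list above
# into a private registry for air-gapped installs. Assumes the docker CLI is on
# PATH and logged in to both registries; the registry host is a placeholder.

# private_ref <private-registry-host> <source image ref>
# Replaces the source registry host with the private one and keeps the
# repository path and tag, so reg.nirmata.io/nirmata/kyverno:TAG becomes
# <host>/nirmata/kyverno:TAG. Refs with no registry host (docker.io implied)
# keep their whole path.
private_ref() {
  registry="$1"; ref="$2"
  first="${ref%%/*}"
  case "$first" in
    *.*|*:*|localhost) path="${ref#*/}" ;;   # first component is a host
    *) path="$ref" ;;
  esac
  printf '%s/%s\n' "$registry" "$path"
}

# mirror_images <private-registry-host>: reads one image ref per line on stdin,
# pulls it, retags it for the private registry and pushes it. Stops at the
# first failure so a partial mirror is noticed instead of silently shipped.
mirror_images() {
  registry="$1"
  while read -r src; do
    [ -n "$src" ] || continue
    dst=$(private_ref "$registry" "$src")
    docker pull "$src" && docker tag "$src" "$dst" && docker push "$dst" ||
      { echo "failed to mirror $src" >&2; return 1; }
  done
}

# Usage: feed the full image list from the guide above; the host is a placeholder.
# mirror_images registry.example.internal <<'EOF'
# reg.nirmata.io/nirmata/kyverno:v1.13.4-n4k.nirmata.2
# reg.nirmata.io/nirmata/kyvernopre:v1.13.4-n4k.nirmata.2
# EOF
```

After mirroring, point the Helm chart values for each component's image registry at the private host; the exact value keys depend on the chart version, so check them with helm show values against the chart versions listed above.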