FAQ

Does Kyverno support AWS Fargate or Azure Container Instances?

Kyverno is a Kubernetes-only tool that functions as an admission controller: it registers with the Kubernetes API server as a validating and mutating webhook.

  • AWS Support:
    • Kyverno supports Fargate for Amazon EKS.
    • Kyverno does not support Fargate for Amazon ECS.
  • Azure Support:
    • Kyverno does not support Azure Container Instances, because that platform has no admission webhook concept.

NOTE: Nirmata announced Cloud Control Point, a solution based on Kyverno, to address this requirement. Cloud Control Point currently supports AWS, and Azure support is planned.

What authentication methods are used in Nirmata Control Hub?

  • Cluster Registration: The Nirmata connector uses certificate-based authentication, together with a cluster ID, to authenticate with Nirmata Control Hub.
  • Onboarding Process: During onboarding, the appropriate cluster roles and role bindings are created to authorize Nirmata Control Hub to communicate securely with the cluster. See the full list of permissions in the Nirmata documentation.

What logs are generated by the Nirmata Agent, and where are they stored?

Kyverno logs are not stored locally. It is recommended to use a log forwarder such as Fluentd to push the logs to a centralized system such as Splunk or Elasticsearch.

Where are policy violations and reports stored?

Policy violations are stored in etcd as Kubernetes custom resources. These policy reports can also be stored in an external database, and they are pushed to Nirmata Control Hub for centralized viewing.

Where can I find product security information?

Product security information is published in the Nirmata Security Policy.