Getting Started with N4K

Enterprise Kyverno is available as a Helm chart that can be installed using the Helm package manager.

Prerequisites

  • Helm: Refer to the official docs for installation.
  • Kubernetes Cluster: Any CNCF compliant Kubernetes distribution.

Note: For N4K version < 1.12, you will require a License Key. For assistance, you can contact Nirmata Support. This needs to be passed at the time of installation using the --set licenseManager.licenseKey flag.

Installing the Enterprise Kyverno Chart

Adding the Kyverno Helm repository

The following commands add the Kyverno helm chart repository and update it accordingly:

helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata

Creating a namespace

You can install Kyverno in any namespace. The example uses kyverno as the namespace:

kubectl create namespace kyverno

(Optional) If a custom CA (Certificate Authority) is used in the cluster, create a configmap corresponding to the same in the namespace using the cutom-ca.pem key:

kubectl -n kyverno create configmap <e.g. ca-store-cm> --from-file=custom-ca.pem=<cert file e.g. some-cert.pem>

Installing the Kyverno chart

The following command installs Kyverno in the kyverno namespace:

helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno

This command deploys Kyverno on the Kubernetes cluster with default configuration. The detailed installation guide lists the parameters that can be configured during installation.

The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix :webhook. Ex., *:webhook or kyverno:webhook. Other ClusterRole/ClusterRoleBinding names are configurable.

(Optional) Other parameters to the above command corressponding to custom CA, HTTP proxies, or NO_PROXY should be provided as needed:

--set customCAConfigMap=<e.g. ca-store-cm> --set systemCertPath=<e.g. /etc/ssl/certs> --set "extraEnvVars[0].name=HTTP_PROXY" --set "extraEnvVars[0].value=<e.g. http://test.com:8080>" ...

Installing the YAML

To install the chart directly without using the helm install command, simply generate the YAML from the helm chart and install it using the kubectl command. After updating the Helm repository as described above, proceed to the next step by creating the namespace for Kyverno in your Kubernetes cluster. Once the namespace is created, generate the kyverno YAML file by using the following helm template command:

helm template kyverno --namespace=kyverno nirmata/kyverno --create-namespace > kyverno.yaml

The following kubectl command installs the file directly into the namespace:

kubectl create -f kyverno.yaml

Notes for ArgoCD users: You can install this chart with the help of ArgoCD as well. Refer to the Kyverno documentation for more details.

Upgrading from open-source Kyverno to Nirmata Enterprise Subscription

For users having open-source Kyverno of version 1.5.0 or above installed in their cluster, execute the following command to upgrade directly to Nirmata Enterprise Subscription:

helm upgrade kyverno --namespace kyverno nirmata/kyverno

Uninstalling the Enterprise Kyverno Chart

The below command will uninstall the kyverno deployment and remove all the Kubernetes components associated with the chart and delete the release:

helm delete -n kyverno kyverno
Reports Server