Fetching Public Signature and SBOM for N4K Binaries
Guide to retrieve public signatures and SBOMs for N4K binaries.
Enterprise Kyverno is available as a Helm chart that can be installed using the Helm package manager.
Note: For N4K versions below 1.12, a License Key is required; contact Nirmata Support for assistance. Pass the key at installation time with the flag --set licenseManager.licenseKey=<license key>.
The following commands add the Kyverno helm chart repository and update it accordingly:
helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata
You can install Kyverno in any namespace. The example uses kyverno as the namespace:
kubectl create namespace kyverno
(Optional) If a custom CA (Certificate Authority) is used in the cluster, create a ConfigMap for it in the namespace, storing the certificate under the custom-ca.pem key:
kubectl -n kyverno create configmap <e.g. ca-store-cm> --from-file=custom-ca.pem=<cert file e.g. some-cert.pem>
The following command installs Kyverno in the kyverno namespace:
helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno
This command deploys Kyverno on the Kubernetes cluster with default configuration. The detailed installation guide lists the parameters that can be configured during installation.
The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix :webhook, e.g. *:webhook or kyverno:webhook. Other ClusterRole/ClusterRoleBinding names are configurable.
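If you override role names with --set, it is worth checking the rendered chart for the :webhook naming requirement before installing, since the ClusterRole that manages webhook configurations controls which requests reach Kyverno at all. The Python below is an added example, not part of the N4K chart or its documentation: it flags ClusterRoles that can write admission webhook configurations, and the ClusterRoleBindings that grant them, when their names lack the suffix. The manifests are constructed inline for the demonstration; in practice you would load the output of helm template with a YAML parser such as PyYAML (an assumption, not something this page covers).

```python
# Added example (not N4K chart code): verify that every ClusterRole able to write
# admission webhook configurations, and every ClusterRoleBinding that grants such a
# role, is named with the ":webhook" suffix the chart requires.
# The manifests below are constructed for this example; a real check would parse the
# output of `helm template ...` (e.g. with PyYAML, an assumption) into the same dicts.

ADMISSION_GROUP = "admissionregistration.k8s.io"
WEBHOOK_RESOURCES = {"validatingwebhookconfigurations", "mutatingwebhookconfigurations"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
REQUIRED_SUFFIX = ":webhook"


def manages_webhooks(role: dict) -> bool:
    """True if any rule of the ClusterRole grants a write verb on webhook configurations."""
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if not groups & {ADMISSION_GROUP, "*"}:
            continue
        if not resources & (WEBHOOK_RESOURCES | {"*"}):
            continue
        if verbs & WRITE_VERBS:
            return True
    return False


def misnamed_webhook_objects(manifests: list) -> list:
    """Return (kind, name) for webhook-managing roles and bindings lacking the suffix."""
    webhook_roles = {
        m["metadata"]["name"]
        for m in manifests
        if m.get("kind") == "ClusterRole" and manages_webhooks(m)
    }
    bad = []
    for m in manifests:
        kind, name = m.get("kind"), m.get("metadata", {}).get("name", "")
        if kind == "ClusterRole" and name in webhook_roles and not name.endswith(REQUIRED_SUFFIX):
            bad.append((kind, name))
        elif kind == "ClusterRoleBinding":
            ref = m.get("roleRef", {})
            if (ref.get("kind") == "ClusterRole" and ref.get("name") in webhook_roles
                    and not name.endswith(REQUIRED_SUFFIX)):
                bad.append((kind, name))
    return bad


def _role(name, rules):
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}


def _binding(name, role_name):
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                        "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": "kyverno-admission-controller",
                          "namespace": "kyverno"}]}


WEBHOOK_RULES = [{"apiGroups": [ADMISSION_GROUP],
                  "resources": sorted(WEBHOOK_RESOURCES),
                  "verbs": ["create", "update", "delete", "get", "list", "watch"]}]
POD_READ_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]

# Constructed sample: a correctly named role/binding pair, an unrelated read-only role,
# and a pair that was renamed without the required suffix.
SAMPLE_MANIFESTS = [
    _role("kyverno:webhook", WEBHOOK_RULES),
    _binding("kyverno:webhook", "kyverno:webhook"),
    _role("kyverno:admission-controller", POD_READ_RULES),
    _role("kyverno-webhooks", WEBHOOK_RULES),          # violates the naming rule
    _binding("kyverno-webhooks", "kyverno-webhooks"),  # grants the misnamed role
]

if __name__ == "__main__":
    for kind, name in misnamed_webhook_objects(SAMPLE_MANIFESTS):
        print(f"{kind} {name} must end with {REQUIRED_SUFFIX}")
```

Read-only rules on webhook configurations are deliberately ignored: the requirement is about the role that manages them, and a name check on every role that merely lists them would produce noise.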
(Optional) Other parameters to the above command corresponding to a custom CA, HTTP proxies, or NO_PROXY should be provided as needed:
--set customCAConfigMap=<e.g. ca-store-cm> --set systemCertPath=<e.g. /etc/ssl/certs> --set "extraEnvVars[0].name=HTTP_PROXY" --set "extraEnvVars[0].value=<e.g. http://test.com:8080>" ...
To install the chart directly without using the helm install command, generate the YAML from the Helm chart and install it using the kubectl command. After updating the Helm repository as described above, create the namespace for Kyverno in your Kubernetes cluster. Once the namespace is created, generate the kyverno YAML file with the following helm template command:
helm template kyverno --namespace=kyverno nirmata/kyverno --create-namespace > kyverno.yaml
The following kubectl command installs the file directly into the namespace:
kubectl create -f kyverno.yaml
Notes for ArgoCD users: You can install this chart with the help of ArgoCD as well. Refer to the Kyverno documentation for more details.
Create a new EKS cluster named fargate-testing-cluster, then set up a Fargate profile that selects the kyverno namespace (the command below creates only the profile; the cluster must already exist):
eksctl create fargateprofile \
--cluster fargate-testing-cluster \
--name kyverno-profile \
--namespace kyverno
helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata
helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set licenseManager.enable=false
kubectl create -f- << EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  rules:
  - name: check-team
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      failureAction: Enforce
      message: "label 'team' is required"
      pattern:
        metadata:
          labels:
            team: "?*"
EOF
kubectl create deployment nginx --image=nginx
Expected error message:
error: failed to create deployment: admission webhook "validate.kyverno.svc-fail" denied the request:
resource Deployment/default/nginx was blocked due to the following policies
require-labels:
autogen-check-team: 'validation error: label ''team'' is required. rule autogen-check-team
failed at path /spec/template/metadata/labels/team/'
Note: Verify that the Kyverno pods are actually running on Fargate by checking the NODE column of:
kubectl get pods -n kyverno -o wide
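Why a Deployment is rejected by a rule that matches only Pods, and why the failing path starts with /spec/template, is easier to see with a small evaluator. The Python below is an added example and not Kyverno's code: it approximates Kyverno's pattern matching and rule auto-generation for the require-labels policy above, with sample resources constructed inline (the Deployment mirrors what kubectl create deployment nginx submits, including the empty-string case that "?*" is there to catch).

```python
import fnmatch

# Added example, not Kyverno's code: a minimal evaluator for the require-labels policy
# above. It approximates two Kyverno behaviours behind the expected error message: the
# "?*" pattern (at least one character) and rule auto-generation, which applies a rule
# written for Pods to the pod template of workload controllers (hence "autogen-" in the
# rule name and the /spec/template prefix in the failing path).

# The policy from the page, expressed as a dict.
REQUIRE_LABELS = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
    "metadata": {"name": "require-labels"},
    "spec": {"rules": [{
        "name": "check-team",
        "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
        "validate": {"failureAction": "Enforce",
                     "message": "label 'team' is required",
                     "pattern": {"metadata": {"labels": {"team": "?*"}}}},
    }]},
}

# Where an auto-generated rule looks for the pod template, per controller kind.
AUTOGEN_TEMPLATE_PATH = {
    "Deployment": ("spec", "template"), "StatefulSet": ("spec", "template"),
    "DaemonSet": ("spec", "template"), "ReplicaSet": ("spec", "template"),
    "Job": ("spec", "template"), "CronJob": ("spec", "jobTemplate", "spec", "template"),
}


def find_mismatch(pattern, value, path=""):
    """Return the path of the first element that fails the pattern, or None if all match."""
    if isinstance(pattern, dict):
        if not isinstance(value, dict):
            return path + "/"
        for key, sub in pattern.items():
            if key not in value:
                return f"{path}/{key}/"          # missing key, e.g. .../labels/team/
            bad = find_mismatch(sub, value[key], f"{path}/{key}")
            if bad is not None:
                return bad
        return None
    if isinstance(pattern, str) and isinstance(value, str):
        # Kyverno string patterns: "*" matches any run, "?" exactly one character.
        return None if fnmatch.fnmatchcase(value, pattern) else path + "/"
    return None if pattern == value else path + "/"


def _violations(policy, resource):
    """Yield (failureAction, message) for each rule the resource violates."""
    kind = resource["kind"]
    for rule in policy["spec"]["rules"]:
        kinds = {k for m in rule["match"]["any"] for k in m["resources"]["kinds"]}
        if kind in kinds:
            target, prefix, name = resource, "", rule["name"]
        elif "Pod" in kinds and kind in AUTOGEN_TEMPLATE_PATH:
            target = resource
            for key in AUTOGEN_TEMPLATE_PATH[kind]:
                target = target.get(key, {})
            prefix = "/" + "/".join(AUTOGEN_TEMPLATE_PATH[kind])
            name = "autogen-" + rule["name"]
        else:
            continue
        bad = find_mismatch(rule["validate"]["pattern"], target, prefix)
        if bad is not None:
            yield (rule["validate"].get("failureAction", "Audit"),
                   f"{name}: validation error: {rule['validate']['message']}. "
                   f"rule {name} failed at path {bad}")


def evaluate(policy, resource):
    """Violation messages for the resource; empty when it satisfies every rule."""
    return [msg for _, msg in _violations(policy, resource)]


def admitted(policy, resource):
    """False when a violated rule is set to Enforce; Audit violations only get reported."""
    return not any(action == "Enforce" for action, _ in _violations(policy, resource))


# Constructed resources: what `kubectl create deployment nginx --image=nginx` submits
# (pod template carries app=nginx but no team label), a Pod with an empty team label,
# and a compliant Pod.
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx", "namespace": "default", "labels": {"app": "nginx"}},
    "spec": {"selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}},
                          "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}},
}
POD_EMPTY_TEAM = {"apiVersion": "v1", "kind": "Pod",
                  "metadata": {"name": "p1", "labels": {"team": ""}},
                  "spec": {"containers": [{"name": "c", "image": "nginx"}]}}
POD_OK = {"apiVersion": "v1", "kind": "Pod",
          "metadata": {"name": "p2", "labels": {"team": "platform"}},
          "spec": {"containers": [{"name": "c", "image": "nginx"}]}}

if __name__ == "__main__":
    for res in (NGINX_DEPLOYMENT, POD_EMPTY_TEAM, POD_OK):
        verdict = "admitted" if admitted(REQUIRE_LABELS, res) else "blocked"
        print(res["kind"], res["metadata"]["name"], verdict, evaluate(REQUIRE_LABELS, res))
```

The Deployment produces the same rule name and path as the expected error above; the difference between "?*" and "*" shows up with the empty-label Pod, which "*" would accept.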
Users who already have open-source Kyverno 1.5.0 or later installed in their cluster can upgrade directly to the Nirmata Enterprise Subscription with the following command:
helm upgrade kyverno --namespace kyverno nirmata/kyverno
The following command uninstalls the kyverno release, removing all Kubernetes components associated with the chart:
helm delete -n kyverno kyverno