Cluster Onboarding

There are several ways to onboard a cluster with Nirmata.

Onboarding with the UI Wizard

First time users can follow the step-by-step UI cluster onboarding wizard.

To onboard a cluster with Nirmata, click the Add Cluster button on the Clusters panel. If you are trying out NCH for the first time, it is highly recommended to use the default onboarding process instead of the manual onboarding flow.

Using nctl

This workflow requires nctl. Refer to the documentation for installation.

  1. Enter the cluster name (required) and labels (optional).


  2. After entering the cluster information, click on Select Compliance Standards to proceed to the next step. The Pod Security Standards Baseline is added by default. It is highly recommended to opt for Pod Security Standards Restricted and RBAC Best Practices to improve the overall security posture of the cluster. Select the set of policies to be configured on the cluster as default policy sets. These policies will be deployed in audit mode. After selecting the policy sets, click on Add Cluster to proceed to the final step.


  3. Use the nctl login command to log in to NCH. If the token is not auto-generated, visit the profile page and click the Generate API Key button to generate the token.


Once the command has run successfully, it displays a message such as:

Validating user credentials...done!
Wrote configuration to /home/username/.nirmata/config

Next, copy the nctl clusters add command displayed in the final step from the web UI. Run this command to add your cluster to NCH.

  4. After running the above command, a confirmation message will be displayed, notifying that the Nirmata Operator has been deployed successfully in the cluster. Following this, the policy sets selected in the previous step will become ready. Next, you can click on I Have Run the Command in the web UI to complete the onboarding process and navigate to the Clusters dashboard. The newly added cluster can be seen in the dashboard.


Legacy Onboarding

This workflow is deprecated and will be removed in a future release.

  1. Enter the cluster name and add any labels to this cluster.
  2. Download the nirmata-kube-controller.yaml and deploy in the target cluster.
  3. Follow the instructions on the UI to install the Kyverno Operator.
  4. Verify all components are up and running and policies deployed.

Once the cluster is connected, you should be able to view any policy violations detected on your cluster. You will also see the recommended adapter to be installed.

To troubleshoot Nirmata Kubernetes Controller please go through this troubleshooting guide. Contact Nirmata Support if the problem persists.

NOTE: If the Kyverno version is not supported, you will be prompted to install the supported version.

Onboarding with the Helm chart

Install Cluster Registrator

Use Nirmata’s cluster-registrator Helm chart to deploy kubecontroller into your cluster. This connects with Nirmata SaaS using a secure websocket (Websocket over TLS) connection.

Add the Nirmata Helm chart repository.

helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata

Create a values.yaml file and update any variables as needed.

# Default values for cluster registrator chart
nirmataURL: "https://nirmata.io"

# Set this to false if nirmata namespace already exists
createNs: true

cluster:
  name: "test-cluster"
  type: "default-policy-manager-type"

apiToken: <<<ADD YOUR API TOKEN>>>

proxy:
  httpProxy: ""
  httpsProxy: ""
  noProxy: ""

tlsCert: ""

imageTag: v0.1.4

# Use read-only if you want to provide readonly access to the cluster
# Few workflows like PolicySet and PolicyExceptions deployment will not
# work in a read-only mode.
controllerPerms: 'read-write'

namespace: nirmata

Install the Helm chart, passing the values file you created.

helm install cluster-registrator nirmata/cluster-registrator -f values.yaml

Install Enterprise Kyverno Operator

The enterprise Kyverno operator manages the lifecycle of Kyverno and its adapters. It is also used to prevent tampering with the Kyverno configuration and policies in the cluster.

To install the enterprise kyverno operator, run the following commands.

helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata

helm install nirmata-kyverno-operator nirmata/nirmata-kyverno-operator -n nirmata-system --create-namespace

Secure Installation Tips

Configure Nirmata Permissions

Deployment Options

Choose whether to allow Nirmata to deploy custom resources directly to your cluster or manage them using your own GitOps and Continuous Delivery tools.

Read-Only: Use your own tools to manage resources

Nirmata will not be able to deploy Policies and Policy Exceptions, but will enable other workflows for your teams. You’ll have complete visibility and control but will need to deploy these resources yourself.

Read-Write: Use Nirmata to manage resources

Nirmata will be able to deploy Policies and Policy Exceptions across your clusters. We recommend you enable additional security measures, such as SSO and MFA with this option.
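As an added example (not Nirmata's own tooling or chart code), the script below wraps the cluster-registrator Helm install from the section above together with the permission choice from this one: it keeps the API token out of values.yaml by reading it from the NIRMATA_API_TOKEN environment variable and passing it with --set-string, and it defaults controllerPerms to read-only. The write_values and install_registrator names are the example's own, and keys not written (proxy, tlsCert, imageTag) are assumed to take the chart's defaults.

```shell
# Added example, not from Nirmata's docs: install cluster-registrator with the
# API token read from NIRMATA_API_TOKEN rather than written into values.yaml,
# defaulting to read-only controller permissions. Keys not written here
# (proxy, tlsCert, imageTag) are assumed to take the chart's defaults.
set -eu

HELM="${HELM:-helm}"   # set HELM=echo to print the command instead of running it

# Write a values file that carries no secret, so it is safe to keep in git.
write_values() {
  out="$1"; cluster_name="$2"; perms="$3"; nirmata_url="${4:-https://nirmata.io}"
  case "$perms" in
    read-only|read-write) ;;
    *) echo "controllerPerms must be read-only or read-write, got: $perms" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
nirmataURL: "$nirmata_url"
createNs: true
cluster:
  name: "$cluster_name"
  type: "default-policy-manager-type"
controllerPerms: '$perms'
namespace: nirmata
EOF
}

# Install the release; the token goes in via --set-string so it never
# lands in the values file on disk.
install_registrator() {
  cluster_name="$1"; perms="${2:-read-only}"
  token="${NIRMATA_API_TOKEN:-}"
  if [ -z "$token" ]; then
    echo "NIRMATA_API_TOKEN is not set; generate one on the NCH profile page" >&2
    return 1
  fi
  values="$(mktemp)"
  write_values "$values" "$cluster_name" "$perms"
  "$HELM" repo add nirmata https://nirmata.github.io/kyverno-charts/ >/dev/null 2>&1 || true
  "$HELM" install cluster-registrator nirmata/cluster-registrator \
    -f "$values" --set-string "apiToken=$token"
  rm -f "$values"
}
```

Run it as `NIRMATA_API_TOKEN=... ./onboard.sh` after adding a line such as `install_registrator my-cluster read-only` at the bottom; switch the second argument to read-write only when you want Nirmata to deploy policies for you.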