Getting Started

Enterprise Kyverno is available as a Helm chart that can be installed using the Helm package manager.

Prerequisites

  • Helm: Refer to the official docs for installation.
  • Kubernetes Cluster: Any CNCF compliant Kubernetes distribution.

Note: For N4K version < 1.12, you will require a License Key. For assistance, you can contact Nirmata Support. This needs to be passed at the time of installation using the --set licenseManager.licenseKey flag.

Installing the Enterprise Kyverno Chart

Adding the Kyverno Helm repository

The following commands add the Kyverno helm chart repository and update it accordingly:

helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata

Creating a namespace

You can install Kyverno in any namespace. The example uses kyverno as the namespace:

kubectl create namespace kyverno

(Optional) If a custom CA (Certificate Authority) is used in the cluster, create a configmap corresponding to the same in the namespace using the custom-ca.pem key:

kubectl -n kyverno create configmap <e.g. ca-store-cm> --from-file=custom-ca.pem=<cert file e.g. some-cert.pem>

Installing the Kyverno chart

NOTE: If you want to offload reporting mechanism to reports-server, refer to this guide.

The following command installs only the Kyverno deployment in the kyverno namespace:

helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno

This command deploys Kyverno on the Kubernetes cluster with default configuration. The detailed installation guide lists the parameters that can be configured during installation.

The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix :webhook. Ex., *:webhook or kyverno:webhook. Other ClusterRole/ClusterRoleBinding names are configurable.

(Optional) Other parameters to the above command corresponding to custom CA, HTTP proxies, or NO_PROXY should be provided as needed:

--set customCAConfigMap=<e.g. ca-store-cm> --set systemCertPath=<e.g. /etc/ssl/certs> --set "extraEnvVars[0].name=HTTP_PROXY" --set "extraEnvVars[0].value=<e.g. http://test.com:8080>" ...

Installing the YAML

To install the chart directly without using the helm install command, simply generate the YAML from the helm chart and install it using the kubectl command. After updating the Helm repository as described above, proceed to the next step by creating the namespace for Kyverno in your Kubernetes cluster. Once the namespace is created, generate the kyverno YAML file by using the following helm template command:

helm template kyverno --namespace=kyverno nirmata/kyverno --create-namespace > kyverno.yaml

The following kubectl command installs the file directly into the namespace:

kubectl create -f kyverno.yaml

Notes for ArgoCD users: You can install this chart with the help of ArgoCD as well. Refer to the Kyverno documentation for more details.

Running Enterprise Kyverno on AWS Fargate

Creating a Fargate Profile

Create a new cluster named fargate-testing-cluster and set up a Fargate profile:

eksctl create fargateprofile \
  --cluster fargate-testing-cluster \
  --name kyverno-profile \
  --namespace kyverno

Installing Enterprise Kyverno on Fargate

helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata
helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set licenseManager.enable=false

Applying a Policy

kubectl create -f- << EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  rules:
  - name: check-team
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      failureAction: Enforce
      message: "label 'team' is required"
      pattern:
        metadata:
          labels:
            team: "?*"
EOF

Testing the Policy

kubectl create deployment nginx --image=nginx

Expected error message:

error: failed to create deployment: admission webhook "validate.kyverno.svc-fail" denied the request:

resource Deployment/default/nginx was blocked due to the following policies

require-labels:
  autogen-check-team: 'validation error: label ''team'' is required. rule autogen-check-team
    failed at path /spec/template/metadata/labels/team/'

Note: Do check if the pods are running on Fargate by checking the Node column by doing -

kubectl get pods -n kyverno -o wide

Upgrading from open-source Kyverno to Nirmata Enterprise Subscription

For users having open-source Kyverno of version 1.5.0 or above installed in their cluster, execute the following command to upgrade directly to Nirmata Enterprise Subscription:

helm upgrade kyverno --namespace kyverno nirmata/kyverno

Uninstalling the Enterprise Kyverno Chart

The below command will uninstall the kyverno deployment and remove all the Kubernetes components associated with the chart and delete the release:

helm delete -n kyverno kyverno

Fetching signatures

Use the following command to fetch the signature for a specified N4K binary tag:

COSIGN_REPOSITORY=ghcr.io/nirmata/signatures cosign download signature ghcr.io/nirmata/kyvernopre:<TAG>

Replace the variable with the specific version tag as required.

Fetching the SBOM

FIPS Binaries

Use the following commands to fetch the SBOMs for FIPS-enabled N4K binaries. Replace with the desired version tag:

COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/cleanup-controller-fips:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/background-controller-fips:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/reports-controller-fips:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/kyverno-fips:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/kyverno-cli-fips:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/kyvernopre-fips:<TAG>

Non-FIPS Binaries

For non-FIPS binaries, use the following commands and replace with the specific version tag:

COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/cleanup-controller:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/background-controller:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/reports-controller:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/kyverno:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/kyverno-cli:<TAG>
COSIGN_REPOSITORY=ghcr.io/nirmata/sbom cosign download sbom ghcr.io/nirmata/kyvernopre:<TAG>

Notes

  • Ensure you have Sigstore Cosign installed and configured before running these commands.
  • Replace with the version tag of the N4K binary you want to fetch, e.g., v1.13.2-n4k.nirmata.2.
  • Refer to the official documentation for further details on cosign usage and capabilities.