Cluster Management
Prerequisites
Before onboarding your Kubernetes cluster to NCH, ensure that your cluster is CNCF-compliant. You can onboard both cloud-provided and local Kubernetes clusters, such as kind and minikube clusters.
Onboarding Workflow - UI Wizard
Step 1: Add Cluster
- Navigate to the Clusters page in Nirmata Control Hub.
- Click on the Add Cluster button to open the onboarding wizard.
- Enter Cluster Information:
  - Provide a name for your cluster.
  - Optionally, add labels to your cluster for better identification.
Step 2: Choose Onboarding Method
You have two options for onboarding:
- NCTL (Nirmata CLI): Recommended for users who want a streamlined process.
- Helm: For users who prefer to use Helm charts. You can switch to the Helm tab for detailed instructions.
NOTE: We recommend using NCTL if you are just trying out Nirmata; version 4.7.0 or higher is required for a smooth onboarding experience.
Follow the steps shown in the wizard. Once the command runs successfully, click the I have run the commands - Verify Kyverno button.
Step 3: Verify Kyverno Health
In this stage, we check the health of Kyverno running in the cluster to ensure it is optimally configured:
- No Greenfield Cluster Required: If your cluster is running an older version of N4K or even open-source Kyverno, it can still be onboarded without issues.
- We will also recommend newer N4K versions if an update is needed for optimal performance.
Step 4: Select PolicySets
Nirmata provides several built-in policy sets that you can deploy to your cluster:
- Pod Security Standards (17 controls in total) are available by default during onboarding.
- You can choose to deploy these policies immediately or select them later if you prefer to manage policies on your own.
NOTE: Deploying policy sets during onboarding is optional, and you can skip this step if you already have your own set of policies.
Step 5: Final Verification
Once the above steps are completed, the final stage ensures that all related components are properly installed and running:
- Kyverno (open source or enterprise).
- Kyverno Operator for health monitoring and policy management.
- PolicySets (optional; only if you installed policy sets in the previous step).
- Nirmata kube-controller, the agent that communicates with Nirmata SaaS and monitors your cluster.
Onboarding with the Helm chart
Add and update Helm repo
Add the Nirmata Helm chart repository.
helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata
Install Nirmata Kube Controller
helm install nirmata-kube-controller nirmata/nirmata-kube-controller -n nirmata --create-namespace \
--set cluster.name=test \
--set namespace=nirmata \
--set apiToken=<nirmata-api-token> \
--set features.policyExceptions.enabled=true \
--set features.policySets.enabled=true \
--set clusterOnboardingToken=ZWJhNzAzMGQtNGQ2YS00MjgzLWIzNDAtODU4NjU5ZTAxYTEx
NOTE: You will have a clusterOnboardingToken only if you are installing from the UI wizard. If you are making this a part of automation, you can skip this field.
Install Enterprise Kyverno Operator
The enterprise Kyverno operator monitors Kyverno and its policies. It also prevents tampering with the Kyverno configuration and policies in the cluster.
To install the enterprise Kyverno operator, run the following commands.
helm install kyverno-operator nirmata/nirmata-kyverno-operator -n nirmata-system \
--create-namespace \
--set enablePolicyset=true
Install Enterprise Kyverno
helm install kyverno nirmata/kyverno -n kyverno --create-namespace \
--set features.policyExceptions.namespace="kyverno" \
--set features.policyExceptions.enabled=true
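The three Helm installs above can be scripted so that onboarding is repeatable and the API token never appears on the command line. The script below is an added example, not Nirmata's own tooling: the chart names, namespaces and value keys (cluster.name, apiToken, features.policyExceptions.*, features.policySets.enabled, enablePolicyset, clusterOnboardingToken) come from the commands above; the DRY_RUN switch, the API_TOKEN_FILE path, the token-file permission check and the final pod listing are assumptions. The token is passed with Helm's --set-file flag, read from a file that should contain only the token (no trailing newline), so it stays out of shell history and the process list.

```shell
#!/usr/bin/env bash
# Added example (not Nirmata's own script): scripted Helm onboarding of a
# cluster to Nirmata Control Hub. Chart names, namespaces and value keys are
# taken from the documentation; DRY_RUN, API_TOKEN_FILE and verify() are
# assumptions.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-test}"
# File holding only the Nirmata API token (no trailing newline). Passing it
# with --set-file keeps the secret out of shell history and `ps`. Placeholder path.
API_TOKEN_FILE="${API_TOKEN_FILE:-/run/secrets/nirmata-api-token}"
# Only the UI wizard hands out a clusterOnboardingToken; leave empty for automation.
CLUSTER_ONBOARDING_TOKEN="${CLUSTER_ONBOARDING_TOKEN:-}"
# Print the commands by default; set DRY_RUN=0 to actually run them.
DRY_RUN="${DRY_RUN:-1}"

# run_cmd: print the command in dry-run mode, otherwise execute it.
run_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# require_token_file: refuse to proceed if the token file is missing,
# unreadable, or readable by other users on the host.
require_token_file() {
  [ -r "$API_TOKEN_FILE" ] || { echo "token file not readable: $API_TOKEN_FILE" >&2; return 1; }
  if [ -n "$(find "$API_TOKEN_FILE" -perm -004 2>/dev/null)" ]; then
    echo "token file is world-readable; chmod 600 it first: $API_TOKEN_FILE" >&2
    return 1
  fi
}

add_repo() {
  run_cmd helm repo add nirmata https://nirmata.github.io/kyverno-charts/
  run_cmd helm repo update nirmata
}

# install_kube_controller: the agent that talks to Nirmata SaaS. The
# onboarding token is appended only when one was supplied.
install_kube_controller() {
  set -- helm install nirmata-kube-controller nirmata/nirmata-kube-controller \
    -n nirmata --create-namespace \
    --set "cluster.name=$CLUSTER_NAME" \
    --set namespace=nirmata \
    --set-file "apiToken=$API_TOKEN_FILE" \
    --set features.policyExceptions.enabled=true \
    --set features.policySets.enabled=true
  if [ -n "$CLUSTER_ONBOARDING_TOKEN" ]; then
    set -- "$@" --set "clusterOnboardingToken=$CLUSTER_ONBOARDING_TOKEN"
  fi
  run_cmd "$@"
}

# install_operator: monitors Kyverno and guards its configuration and policies.
install_operator() {
  run_cmd helm install kyverno-operator nirmata/nirmata-kyverno-operator \
    -n nirmata-system --create-namespace \
    --set enablePolicyset=true
}

install_kyverno() {
  run_cmd helm install kyverno nirmata/kyverno -n kyverno --create-namespace \
    --set features.policyExceptions.namespace=kyverno \
    --set features.policyExceptions.enabled=true
}

# verify: quick sanity check of the namespaces the three charts use
# (assumption; the wizard's own final verification is separate).
verify() {
  for ns in nirmata nirmata-system kyverno; do
    run_cmd kubectl get pods -n "$ns"
  done
}

main() {
  [ "$DRY_RUN" = "1" ] || require_token_file
  add_repo
  install_kube_controller
  install_operator
  install_kyverno
  verify
}

main
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 and API_TOKEN_FILE pointing at a mode-600 file to perform the installation; set CLUSTER_ONBOARDING_TOKEN only when onboarding through the UI wizard.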
Secure Installation Tips
Configure Nirmata Permissions
Deployment Options
Choose whether to allow Nirmata to deploy custom resources directly to your cluster or manage them using your own GitOps and Continuous Delivery tools.
Read-Only: Use your own tools to manage resources
Nirmata will not be able to deploy Policies and Policy Exceptions, but will enable other workflows for your teams. You’ll have complete visibility and control but will need to deploy these resources yourself.
Read-Write: Use Nirmata to manage resources
Nirmata will be able to deploy Policies and Policy Exceptions across your clusters. We recommend you enable additional security measures, such as SSO and MFA with this option.