Cluster Management

Learn how to manage Kubernetes clusters with Nirmata Control Hub

Prerequisites

Before onboarding your Kubernetes cluster to NCH, ensure that your cluster is CNCF-compliant. You can onboard both cloud-provided and local Kubernetes clusters, such as kind and minikube clusters.

Onboarding Workflow - UI Wizard

Step 1: Add Cluster

  1. Navigate to the Clusters page in Nirmata Control Hub.
  2. Click on the Add Cluster button to open the onboarding wizard.
  3. Enter Cluster Information:
    1. Provide a name for your cluster.
    2. Optionally, add labels to your cluster for better identification.

Step 2: Choose Onboarding Method

You have two options for onboarding:

  1. NCTL (Nirmata CLI): Recommended for users who want a streamlined process.
  2. Helm: For users who prefer to use Helm charts. You can switch to the Helm tab for detailed instructions.

NOTE: We recommend using NCTL if you are just trying out Nirmata; NCTL version 4.7.0 or higher is required for a smooth onboarding experience.

Follow the steps shown in the wizard. Once the command runs successfully, click the "I have run the commands - Verify Kyverno" button.

Step 3: Verify Kyverno Health

In this stage, we check the health of Kyverno running in the cluster to ensure it is optimally configured:

  • No Greenfield Cluster Required: If your cluster is running an older version of N4K or even open-source Kyverno, it can still be onboarded without issues.
  • We will also recommend newer N4K versions if an update is needed for optimal performance.

Step 4: Select PolicySets

Nirmata provides several built-in policy sets that you can deploy to your cluster:

  • Pod Security Standards (17 controls in total) are available by default during onboarding.
  • You can choose to deploy these policies immediately or select them later if you prefer to manage policies on your own.

NOTE: Deploying policy sets during onboarding is optional, and you can skip this step if you already have your own set of policies.

Step 5: Final Verification

Once the above steps are completed, the final stage ensures that all related components are properly installed and running:

  • Kyverno (open-source or enterprise).
  • Kyverno Operator for health monitoring and policy management.
  • PolicySets (optional; only present if you installed policy sets in the previous step).
  • Nirmata kube-controller, the agent that communicates with Nirmata SaaS and monitors your cluster.

Onboarding with the Helm chart

Add and update Helm repo

Add the Nirmata Helm chart repository.

helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata

Install Nirmata Kube Controller

helm install nirmata-kube-controller nirmata/nirmata-kube-controller -n nirmata --create-namespace \
  --set cluster.name=test \
  --set namespace=nirmata \
  --set apiToken=<nirmata-api-token> \
  --set features.policyExceptions.enabled=true \
  --set features.policySets.enabled=true \
  --set clusterOnboardingToken=ZWJhNzAzMGQtNGQ2YS00MjgzLWIzNDAtODU4NjU5ZTAxYTEx

NOTE: You will have a clusterOnboardingToken only if you are installing from the UI wizard. If you are making this part of an automation pipeline, you can omit this field.

Install Enterprise Kyverno Operator

The Enterprise Kyverno Operator monitors Kyverno and its policies. It also prevents tampering with the Kyverno configuration and policies in the cluster.

To install the Enterprise Kyverno Operator, run the following command.

helm install kyverno-operator nirmata/nirmata-kyverno-operator -n nirmata-system \
  --create-namespace \
  --set enablePolicyset=true

Install Enterprise Kyverno

helm install kyverno nirmata/kyverno -n kyverno --create-namespace \
  --set features.policyExceptions.namespace="kyverno" \
  --set features.policyExceptions.enabled=true
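As an added example (not part of the Nirmata documentation or charts), the following shell check confirms that the Step 5 components are present and fully ready after the Helm installs above. The deployment names are assumptions, since only the Helm release names and namespaces appear on this page; adjust them to match your cluster.

```shell
#!/bin/sh
# Added example: verify the onboarding components from the output of
#   kubectl get deploy -A --no-headers \
#     -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,READY:.status.readyReplicas,WANT:.spec.replicas
# Deployment names used below are assumptions, not taken from the Nirmata docs.

# check_onboarding <listing-file> [expected "ns/name" ...]
# Returns 0 when every expected deployment exists with READY == WANT, 1 otherwise.
check_onboarding() {
  listing="$1"; shift
  rc=0
  for want in "$@"; do
    ns="${want%/*}"; name="${want#*/}"
    line=$(awk -v ns="$ns" -v name="$name" '$1 == ns && $2 == name' "$listing")
    if [ -z "$line" ]; then
      echo "MISSING  $ns/$name"; rc=1; continue
    fi
    ready=$(echo "$line" | awk '{print $3}')
    desired=$(echo "$line" | awk '{print $4}')
    # kubectl prints <none> for readyReplicas until at least one pod is ready
    if [ "$ready" = "<none>" ] || [ "$ready" != "$desired" ]; then
      echo "NOTREADY $ns/$name ($ready/$desired)"; rc=1
    else
      echo "OK       $ns/$name ($ready/$desired)"
    fi
  done
  return $rc
}

# Constructed sample listing (not captured from a real cluster). The operator
# has not come up yet, so the overall check is expected to fail.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
kyverno          kyverno-admission-controller   1        1
kyverno          kyverno-background-controller  1        1
nirmata          nirmata-kube-controller        1        1
nirmata-system   kyverno-operator               <none>   1
EOF

EXPECTED="nirmata/nirmata-kube-controller nirmata-system/kyverno-operator kyverno/kyverno-admission-controller"
if check_onboarding "$SAMPLE" $EXPECTED; then
  echo "all onboarding components are ready"
else
  echo "onboarding incomplete: see entries above"
fi
```

Replace the constructed sample with the live kubectl listing to run the same check against your cluster.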

Secure Installation Tips

Configure Nirmata Permissions

Deployment Options

Choose whether to allow Nirmata to deploy custom resources directly to your cluster or manage them using your own GitOps and Continuous Delivery tools.

Read-Only: Use your own tools to manage resources

Nirmata will not be able to deploy Policies and Policy Exceptions, but will enable other workflows for your teams. You’ll have complete visibility and control but will need to deploy these resources yourself.

Read-Write: Use Nirmata to manage resources

Nirmata will be able to deploy Policies and Policy Exceptions across your clusters. We recommend that you enable additional security measures, such as SSO and MFA, with this option.