Kyverno is a policy engine for Kubernetes that lets environment-specific configuration be managed independently of the resource configuration itself: policies can block or modify API requests to the cluster, which makes advanced cluster-wide configuration possible.
In some cases, the application needs to trust a user-provided (private) CA certificate. Kyverno can automatically add a volume containing the user CA certificate to containers that carry a specific label.
The installation consists of four steps:
- Prepare Secret with the root CA certificate.
- Download the helm chart and the configuration file.
- Fill in the configuration file.
- Install the Kyverno chart using helm in a Kubernetes cluster.
Step 1: Prepare Secret with the root CA certificate
Create a Secret with the root CA certificate in the namespace where the ELMA365 application is installed. If there are multiple instances of the ELMA365 application in the Kubernetes cluster, add the Secret only to the namespaces of the ELMA365 instances that need it.
Create a Secret named elma365-onpremise-ca in the namespace where the ELMA365 application is installed by executing the command:
kubectl create secret generic elma365-onpremise-ca --from-file=elma365-onpremise-ca.pem=/etc/ssl/certs/rootCA.pem [-n namespace]
where --from-file specifies the path to your root CA certificate in .pem format.
Step 2: Download the helm chart and the configuration file
To install via the internet, obtain the configuration file values-kyverno.yaml by executing the commands:
helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/kyverno > values-kyverno.yaml
To obtain the configuration file for installation in a closed loop without internet access, download and unpack the chart archive (for more details, see Download ELMA365 images):
helm repo add elma365 https://charts.elma365.tech
tar -xf kyverno-X.Y.Z.tgz
Step 3: Fill in the configuration file
Fill in the configuration file values-kyverno.yaml for the Kyverno installation.
To do so, configure the policy that adds user CA certificates to all containers. The policy is enabled by default: the parameter kyverno.injectCerts.enabled is set to true. In the parameter kyverno.injectCerts.secretCA, specify the name of the Secret created in step 1 (in this article it is referred to as elma365-onpremise-ca). The policy adds a volume containing the CA certificate to all containers with the label tier=elma365.
If your Kubernetes cluster has multiple instances of the ELMA365 On-Premises application, but you need to add the user CA certificate only to some of them, fill in the parameter kyverno.injectNamespace. In it, list the namespaces of the ELMA365 application instances to which the certificate-injection policy and the volume containing the CA certificate will be applied. Make sure that in step 1 the Secret with the root CA certificate was added to every namespace listed in kyverno.injectNamespace.
Specify the namespace name for the Kyverno service (in this article it is referred to as kyverno). To ensure high availability, set the required number of replicas in the parameter kyverno.replicaCount.
## kyverno settings
kyverno:
  ## The policy adds a volume containing the CA certificate to all containers with the label tier=elma365
  injectCerts:
    enabled: true
    ## The name of the Secret with the root CA certificate for HTTPS operation with a self-signed certificate
    secretCA: elma365-onpremise-ca
  ## The list of namespaces where the policy will be applied
  # injectNamespace:
  #   - elma365-dev
  #   - elma365-prod
  ## Namespace for kyverno (needs to be created before installation with kubectl create ns kyverno)
  namespace: kyverno
  ## The number of replicas for high availability
  replicaCount: 1
  ## Installation of CRDs (not required, added to the crds directory)
  installCRDs: false
...
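As an added illustration, not the chart's own manifest (which this article does not reproduce), the following Kyverno ClusterPolicy performs the mutation described above: it matches pods labelled tier=elma365 in the listed namespaces, adds a volume backed by the elma365-onpremise-ca Secret and mounts it into every container. The policy name and the mount path are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-elma365-ca        # assumed name; the chart's own policy may differ
spec:
  background: false              # mutate on admission only, not existing objects
  rules:
    - name: add-ca-volume
      match:
        any:
          - resources:
              kinds:
                - Pod
              # same role as kyverno.injectNamespace: limit to chosen instances
              namespaces:
                - elma365-dev
                - elma365-prod
              selector:
                matchLabels:
                  tier: elma365
      mutate:
        patchStrategicMerge:
          spec:
            volumes:
              - name: elma365-onpremise-ca
                secret:
                  # Secret from step 1; it must exist in every matched namespace
                  secretName: elma365-onpremise-ca
            containers:
              # Kyverno anchor: apply the mount to every container in the pod
              - (name): "*"
                volumeMounts:
                  - name: elma365-onpremise-ca
                    # assumed mount path; key name matches --from-file in step 1
                    mountPath: /etc/ssl/certs/elma365-onpremise-ca.pem
                    subPath: elma365-onpremise-ca.pem
                    readOnly: true
```

Because the rule runs at admission time, pods that already exist keep their previous spec until they are recreated.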
To connect to a private registry, set the image repository in the kyverno settings using the parameter kyverno.image.repository.
Step 4: Install the Kyverno chart using helm in a Kubernetes cluster
Install the Kyverno chart in the namespace which was created in step 1 (in this article it is referred to as kyverno).
For online installation:
helm upgrade --install kyverno elma365/kyverno -f values-kyverno.yaml -n kyverno --create-namespace
For offline installation without internet access:
helm upgrade --install kyverno ./kyverno -f values-kyverno.yaml -n kyverno --create-namespace
Attention:
The installation of the Kyverno add-on component does not automatically attach the volume containing the CA certificate to the already running pods of the ELMA365 application.
After installing Kyverno, do not forget to restart the ELMA365 application services.
Delete the Kyverno chart using helm in a Kubernetes cluster
Attention:
Before deleting Kyverno, reconfigure the ELMA365 application to obtain the CA certificate from other sources or disable TLS.
To delete the Kyverno chart in the namespace kyverno, execute the command:
helm uninstall kyverno -n kyverno