kyverno/documentation/installation.md

<small>*[documentation](/README.md#documentation) / Installation*</small>

# Installation

To install Kyverno in your cluster run the following command on a host with kubectl access:

````sh
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
````

To check the Kyverno controller status, run the command:

````sh
kubectl get pods -n kyverno
````

If the Kyverno controller is not running, you can check its status and logs for errors:

````sh
kubectl describe pod <kyverno-pod-name> -n kyverno
````

````sh
kubectl logs <kyverno-pod-name> -n kyverno
````

# Installing in a Development Environment

To build and run Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building

To check if the controller is working, find it in the list of kyverno pods:

`kubectl get pods -n kyverno`

# Try Kyverno without a Kubernetes cluster

The [Kyverno CLI](documentation/testing-policies-cli.md) allows you to write and test policies without installing Kyverno in a Kubernetes cluster.

# Pre-Requisites
Kyverno installs an admission webhook that requires a CA-signed certificate and key to setup TLS communication with the kube-apiserver. In-cluster mode, there are 2 ways to configure the admission webhook TLS configuration:
* Kyverno generates certificate and key pair for user, and a signed certificate is issued against the certificate signing request generated by Kyverno. This setup requires a 'certificate signer' configured in the cluster. The kube-controller-manager provides a default implementation of a signer which can be used to issue certificates. To verify if it is enabled, check if the command args `--cluster-signing-cert-file` and `--cluster-signing-key-file` are passed to the controller manager with paths to your CA's key-pair.
* Use self-signed certificates.

## Use self-signed certificates
To create a root CA, generate signed certificate and key using openssl:
1. `openssl genrsa -out rootCA.key 4096`
2. `openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt  -subj "/C=US/ST=test/L=test /O=test /OU=PIB/CN=*.kyverno.svc/emailAddress=test@test.com"`
3. `openssl genrsa -out webhook.key 4096`
4. `openssl req -new -key webhook.key -out webhook.csr  -subj "/C=US/ST=test /L=test /O=test /OU=PIB/CN=kyverno-svc.kyverno.svc/emailAddress=test@test.com"`
5. `openssl x509 -req -in webhook.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out webhook.crt -days 1024 -sha256`

the following files are generated and are used to create kubernetes secrets:
- rootCA.crt
- webhooks.crt
- webhooks.key	

To create the required secrets:
1. `kubectl create ns kyverno`
2. `kubectl -n kyverno create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key `
3. `kubectl annotate secret kyverno-svc.kyverno.svc.kyverno-tls-pair  -n kyverno self-signed-cert=true`
4. `kubectl -n kyverno create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt`

*The annotation on the TLS pair secret is used by Kyverno to identify the use of self-signed certificates and checks for the required root CA secret*

Secret | Data | Content
------------ | ------------- | -------------
`kyverno-svc.kyverno.svc.kyverno-tls-pair` | rootCA.crt | root CA used to sign the certificate
`kyverno-svc.kyverno.svc.kyverno-tls-ca` | tls.key & tls.crt  | key and signed certificate

Kyverno uses secrets created above to define the TLS configuration for the webserver hook and specify the CA bundle used to validate the webhook's server certificate in the admission webhook configurations.

To deploy the Kyverno project, run `kubectl create -f definitions/install.yaml`. You can ignore the error 'namespaces "kyverno" already exists', which occurs as we previously created the namespace while creating the secrets.

*If tls pair secret is created and secret for root CA is not defined, then Kyverno follows its default behaviour of generating new tls pair and generate certificate signing request for issuer to issue certificate.*

Script to generate self-signed certificate and corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh)

---
<small>*Read Next >> [Writing Policies](/documentation/writing-policies.md)*</small>
update links and consolidate test docs 2019-05-21 15:50:36 -07:00			`<small>[documentation](/README.md#documentation) / Installation</small>`
update installation doc 2019-05-21 14:44:04 -07:00
start docs 2019-05-20 20:43:38 -07:00			`# Installation`

update commands and text 2019-05-21 16:09:05 -07:00			`To install Kyverno in your cluster run the following command on a host with kubectl access:`
start docs 2019-05-20 20:43:38 -07:00
update commands and text 2019-05-21 16:09:05 -07:00			````sh
			`kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml`
			````
start docs 2019-05-20 20:43:38 -07:00
update commands and text 2019-05-21 16:09:05 -07:00			`To check the Kyverno controller status, run the command:`
start docs 2019-05-20 20:43:38 -07:00
update commands and text 2019-05-21 16:09:05 -07:00			````sh
			`kubectl get pods -n kyverno`
			````
update installation doc 2019-05-21 14:44:04 -07:00
update commands and text 2019-05-21 16:09:05 -07:00			`If the Kyverno controller is not running, you can check its status and logs for errors:`
update installation doc 2019-05-21 14:44:04 -07:00
update commands and text 2019-05-21 16:09:05 -07:00			````sh
			`kubectl describe pod <kyverno-pod-name> -n kyverno`
			````
start docs 2019-05-20 20:43:38 -07:00
update commands and text 2019-05-21 16:09:05 -07:00			````sh
			`kubectl logs <kyverno-pod-name> -n kyverno`
			````
start docs 2019-05-20 20:43:38 -07:00
update installation doc 2019-05-21 14:44:04 -07:00			`# Installing in a Development Environment`
start docs 2019-05-20 20:43:38 -07:00
fix conflicts 2019-05-22 20:26:53 -07:00			`To build and run Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building`
start docs 2019-05-20 20:43:38 -07:00
- Change kube-policy to kyverno in install.yaml - Install in namespace kyverno 2019-05-21 18:36:24 -07:00			`To check if the controller is working, find it in the list of kyverno pods:`
start docs 2019-05-20 20:43:38 -07:00
- Change kube-policy to kyverno in install.yaml - Install in namespace kyverno 2019-05-21 18:36:24 -07:00			`kubectl get pods -n kyverno`
start docs 2019-05-20 20:43:38 -07:00
update installation doc 2019-05-21 14:44:04 -07:00			`# Try Kyverno without a Kubernetes cluster`
start docs 2019-05-20 20:43:38 -07:00
update commands and text 2019-05-21 16:09:05 -07:00			`The [Kyverno CLI](documentation/testing-policies-cli.md) allows you to write and test policies without installing Kyverno in a Kubernetes cluster.`
start docs 2019-05-20 20:43:38 -07:00
update error msg and documentation for scenarios when certificate signer is not configured 2019-05-27 00:35:40 -07:00			`# Pre-Requisites`
re-work 2019-05-28 19:50:40 -07:00			`Kyverno installs an admission webhook that requires a CA-signed certificate and key to setup TLS communication with the kube-apiserver. In-cluster mode, there are 2 ways to configure the admission webhook TLS configuration:`
			* Kyverno generates certificate and key pair for user, and a signed certificate is issued against the certificate signing request generated by Kyverno. This setup requires a 'certificate signer' configured in the cluster. The kube-controller-manager provides a default implementation of a signer which can be used to issue certificates. To verify if it is enabled, check if the command args `--cluster-signing-cert-file` and `--cluster-signing-key-file` are passed to the controller manager with paths to your CA's key-pair.
			`* Use self-signed certificates.`
update doc + get tlspair 2019-05-28 18:27:56 -07:00
re-work 2019-05-28 19:50:40 -07:00			`## Use self-signed certificates`
			`To create a root CA, generate signed certificate and key using openssl:`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00			1. `openssl genrsa -out rootCA.key 4096`
update Quotation in installation.md 2019-05-29 18:25:32 -07:00			2. `openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=test/L=test /O=test /OU=PIB/CN=*.kyverno.svc/emailAddress=test@test.com"`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00			3. `openssl genrsa -out webhook.key 4096`
			4. `openssl req -new -key webhook.key -out webhook.csr -subj "/C=US/ST=test /L=test /O=test /OU=PIB/CN=kyverno-svc.kyverno.svc/emailAddress=test@test.com"`
			5. `openssl x509 -req -in webhook.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out webhook.crt -days 1024 -sha256`

re-work 2019-05-28 19:50:40 -07:00			`the following files are generated and are used to create kubernetes secrets:`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00			`- rootCA.crt`
			`- webhooks.crt`
			`- webhooks.key`

			`To create the required secrets:`
			1. `kubectl create ns kyverno`
use single secret for tlsPair, check for secret annotation for self-signed cert & change type of secret from generic to tls 2019-05-29 12:36:03 -07:00			2. `kubectl -n kyverno create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key `
			3. `kubectl annotate secret kyverno-svc.kyverno.svc.kyverno-tls-pair -n kyverno self-signed-cert=true`
			4. `kubectl -n kyverno create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt`
update doc 2019-05-29 17:45:42 -07:00
update doc 2019-05-29 14:23:37 -07:00			`The annotation on the TLS pair secret is used by Kyverno to identify the use of self-signed certificates and checks for the required root CA secret`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00
			`Secret \| Data \| Content`
			`------------ \| ------------- \| -------------`
use single secret for tlsPair, check for secret annotation for self-signed cert & change type of secret from generic to tls 2019-05-29 12:36:03 -07:00			`kyverno-svc.kyverno.svc.kyverno-tls-pair` \| rootCA.crt \| root CA used to sign the certificate
			`kyverno-svc.kyverno.svc.kyverno-tls-ca` \| tls.key & tls.crt \| key and signed certificate
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00
re-work 2019-05-28 19:50:40 -07:00			`Kyverno uses secrets created above to define the TLS configuration for the webserver hook and specify the CA bundle used to validate the webhook's server certificate in the admission webhook configurations.`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00
re-work 2019-05-28 19:50:40 -07:00			To deploy the Kyverno project, run `kubectl create -f definitions/install.yaml`. You can ignore the error 'namespaces "kyverno" already exists', which occurs as we previously created the namespace while creating the secrets.
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00
move client to pkg, helper script for self-signed certs & update documentation 2019-05-29 14:12:09 -07:00			`If tls pair secret is created and secret for root CA is not defined, then Kyverno follows its default behaviour of generating new tls pair and generate certificate signing request for issuer to issue certificate.`

			`Script to generate self-signed certificate and corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh)`

- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`---`
update commands and text 2019-05-21 16:09:05 -07:00			`<small>Read Next >> [Writing Policies](/documentation/writing-policies.md)</small>`