Installation Methods

Methods for installing Kyverno

Install Kyverno using Helm

Kyverno can be deployed via a Helm chart–the recommended and preferred method for a production install–which is accessible either through the Kyverno repository or on Artifact Hub. Both generally available and pre-releases are available with Helm.

In order to install Kyverno with Helm, first add the Kyverno Helm repository.

1helm repo add kyverno https://kyverno.github.io/kyverno/

Scan the new repository for charts.

1helm repo update

Optionally, show all available chart versions for Kyverno.

1helm search repo kyverno -l

Choose one of the installation configuration options based upon your environment type and availability needs. For a production installation, see the High Availability section. For a non-production installation, see the Standalone section below for additional details.

When deploying Kyverno to certain Kubernetes platforms such as EKS, AKS, or OpenShift; or when using certain GitOps tools such as ArgoCD, additional configuration options may be needed or recommended. See the Platform-Specific Notes section for additional details.

After Kyverno is installed, you may choose to also install the Kyverno Pod Security Standard policies, an optional chart containing the full set of Kyverno policies which implement the Kubernetes Pod Security Standards.

1helm install kyverno-policies kyverno/kyverno-policies -n kyverno

High Availability

The Helm chart is the recommended method of installing Kyverno in a production-grade, highly-available fashion as it provides all the necessary Kubernetes resources and configuration options to meet most production needs including platform-specific controls.

Since Kyverno is comprised of different controllers where each is contained in separate Kubernetes Deployments, high availability is achieved on a per-controller basis. A default installation of Kyverno provides four separate Deployments each with a single replica. Configure high availability on the controllers where you need the additional availability. Be aware that multiple replicas do not necessarily equate to higher scale or performance across all controllers. Please see the high availability page for more complete details.

The Helm chart offers parameters to configure multiple replicas for each controller. For example, a minimally-viable, highly-available, complete deployment of Kyverno would consist of the following values.

1admissionController.replicas: 3
2backgroundController.replicas: 2
3cleanupController.replicas: 2
4reportsController.replicas: 2

For all of the available values and their defaults, please see the Helm chart README. You should carefully inspect all available chart values and their defaults to determine what overrides, if any, are necessary to meet the particular needs of your production environment.

By default, the Kyverno Namespace will be excluded using a namespaceSelector configured with the immutable label kubernetes.io/metadata.name. Additional Namespaces may be excluded by configuring chart values. Both namespaceSelector and objectSelector may be used for exclusions.

See also the Namespace selectors section and especially the Security vs Operability section.

Use Helm to create a Namespace and install Kyverno in a highly-available configuration.

1helm install kyverno kyverno/kyverno -n kyverno --create-namespace \
2--set admissionController.replicas=3 \
3--set backgroundController.replicas=2 \
4--set cleanupController.replicas=2 \
5--set reportsController.replicas=2

Standalone

A standalone installation of Kyverno is suitable for lab, test/dev, or small environments typically associated with non-production. It configures a single replica for each Kyverno Deployment and omits many of the production-grade components.

Use Helm to create a Namespace and install Kyverno.

1helm install kyverno kyverno/kyverno -n kyverno --create-namespace

To install pre-releases, add the --devel switch to Helm.

1helm install kyverno kyverno/kyverno -n kyverno --create-namespace --devel

Install Kyverno using YAMLs

Kyverno can also be installed using a single installation manifest, however for production installations the Helm chart is the preferred and recommended method.

Although Kyverno uses release branches, only YAML manifests from a tagged release are supported. Pull from a tagged release to install Kyverno using the YAML manifest.

1kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.11.1/install.yaml

Testing unreleased code

In some cases, you may wish to trial yet unreleased Kyverno code in a quick way. Kyverno provides an experimental installation manifest for these purposes which reflects the current state of the codebase as it is known on the main development branch.

1kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml

Last modified April 08, 2024 at 8:29 AM PST: Refactor links (#1205) (5060f3d)