Air gap installation
This guide shows you how to install Kubewarden in air-gapped environments. For an air-gapped installation of Kubewarden, you need a private Open Container Initiative (OCI) registry accessible by your Kubernetes cluster. Kubewarden Policies are WebAssembly modules; therefore, you can store them in an OCI-compliant registry as OCI artifacts. You need to add Kubewarden's images and policies to this OCI registry. You can see a list of Kubewarden artifacts in the Artifacts reference page. The following sections describe the process.
Save container images in your workstation
- Download kubewarden-images.txt from the Kubewarden release page. Alternatively, you can use the imagelist.txt and policylist.txt files shipped inside the helm charts, which list the container images and the policy Wasm modules, respectively.
  Note: optionally, you can verify the signatures of the helm charts and container images.
- Download kubewarden-save-images.sh and kubewarden-load-images.sh from the utilities repository.
- Save Kubewarden container images into a .tar.gz file:
  ./kubewarden-save-images.sh \
    --image-list ./kubewarden-images.txt \
    --images kubewarden-images.tar.gz
  Docker begins pulling the images used for an air gap install. Be patient; this process takes a few minutes. When complete, the current directory, where you ran the command, contains a tarball, kubewarden-images.tar.gz.
Save policies in your workstation
- Add all the policies you want to use to a policies.txt file. A file with a list of default policies is in the Kubewarden defaults release page.
- Download kubewarden-save-policies.sh and kubewarden-load-policies.sh from the kwctl repository.
- Save policies into a .tar.gz file:
  ./kubewarden-save-policies.sh --policies-list policies.txt
  kwctl is used to download the policies. The resulting kubewarden-policies.tar.gz archive contains the policies.
Helm charts
You need to download the following helm charts to your workstation:
helm pull kubewarden/kubewarden-crds
helm pull kubewarden/kubewarden-controller
helm pull kubewarden/kubewarden-defaults
Populate private registry
Move these files to the air gap environment: kubewarden-policies.tar.gz, kubewarden-images.tar.gz, kubewarden-load-images.sh, kubewarden-load-policies.sh and policies.txt.
- Load Kubewarden images into the private registry. You need to authenticate the Docker client against the local registry.
  ./kubewarden-load-images.sh \
    --image-list ./kubewarden-images.txt \
    --images kubewarden-images.tar.gz \
    --registry <REGISTRY.YOURDOMAIN.COM:PORT>
- Load Kubewarden policies into the private registry. You should authenticate kwctl against the local registry (kwctl uses the same mechanism to authenticate as docker, a ~/.docker/config.json file).
  ./kubewarden-load-policies.sh \
    --policies-list policies.txt \
    --policies kubewarden-policies.tar.gz \
    --registry <REGISTRY.YOURDOMAIN.COM:PORT> \
    --sources-path sources.yml
The kwctl command needs the sources.yaml file to connect to registries in these categories:
- Authentication is required.
- A self-signed certificate is being used.
- No TLS termination is done.
Please refer to the section on custom certificate authorities in the documentation to learn how to configure the sources.yaml file.
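The most common air-gap case is a private registry fronted by an internal or self-signed CA. The script below is an added example, not part of the Kubewarden docs or the kwctl repository: it writes a sources.yaml that makes kwctl trust that CA for one registry host, following the layout kwctl documents for custom certificate authorities (source_authorities keyed by registry host, each entry a type: Data or type: Path certificate). The registry host and the certificate in the demo are constructed placeholders. It deliberately emits no insecure_sources entry, because that key turns TLS verification off for a host, which is a larger exposure than trusting one extra CA.

```shell
#!/bin/sh
# Added example: generate the sources.yaml that kwctl needs to reach a
# private registry served with a self-signed or internal CA.
# Layout follows kwctl's documented format: "source_authorities" maps a
# registry host to the CA certificates to trust for it (type: Data embeds
# the PEM, type: Path points at a file). "insecure_sources" also exists,
# but it disables TLS verification for a host, so it is not emitted here.
# The registry host and CA file used below are constructed placeholders.

# Print a sources.yaml that trusts the CA in file $2 for registry host $1.
gen_sources_yaml() {
    host=$1
    ca_file=$2
    if [ -z "$host" ] || [ ! -r "$ca_file" ]; then
        echo "usage: gen_sources_yaml <registry-host[:port]> <ca.pem>" >&2
        return 1
    fi
    # Embedding the PEM (type: Data) keeps sources.yaml self-contained, so
    # one file can travel into the air-gapped environment with the tarballs.
    printf 'source_authorities:\n  "%s":\n    - type: Data\n      data: |\n' "$host"
    sed 's/^/        /' "$ca_file"
}

# Demo with a constructed placeholder certificate (replace with the real CA
# PEM of <REGISTRY.YOURDOMAIN.COM:PORT> in practice).
demo_ca=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'PLACEHOLDER-NOT-A-REAL-CERTIFICATE' \
    '-----END CERTIFICATE-----' > "$demo_ca"
gen_sources_yaml "registry.example.internal:5000" "$demo_ca"
rm -f "$demo_ca"
```

Redirect the output to sources.yml and pass it with --sources-path as in the load step above. Registry credentials are not part of this file: kwctl reads them from ~/.docker/config.json, exactly as the page describes.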
Install Kubewarden
Now that your private registry has everything required you can install Kubewarden. The only difference to a standard Kubewarden installation is that you need to change the registry in the container images and policies to be the private registry.
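Because the only change is re-rooting every image and policy reference at the private registry, you can compute the exact references the charts and policies will resolve to and check that each one exists before running helm. The script below is an added example, not a Kubewarden script: it assumes images and policies were pushed keeping their upstream repository path (for example ghcr.io/kubewarden/policy-server:v1.3.0 becomes <REGISTRY>/kubewarden/policy-server:v1.3.0, which is what the page's ClusterAdmissionPolicy and PolicyServer examples show), and it uses crane (from go-containerregistry, assumed installed and logged in) for the optional live check. The image list in the demo is constructed, not the real kubewarden-images.txt.

```shell
#!/bin/sh
# Added example: compute the private-registry references that the charts
# and policies will use, and optionally verify they exist before install.
# Assumption (not stated by the Kubewarden docs): the load scripts keep the
# upstream repository path and only replace the registry host, matching
# how global.cattle.systemDefaultRegistry is prepended in the charts.

# Map one upstream reference to its private-registry equivalent.
# Accepts plain image refs and policies.txt-style "registry://" refs.
rewrite_ref() {
    ref=${1#registry://}
    first=${ref%%/*}
    case $first in
        *.*|*:*|localhost)
            # Docker's rule: a first path component containing '.' or ':'
            # (or "localhost") is a registry host, so drop it.
            if [ "$first" != "$ref" ]; then
                ref=${ref#*/}
            fi
            ;;
    esac
    printf '%s/%s\n' "$2" "$ref"
}

# Rewrite every non-blank, non-comment line read from stdin.
rewrite_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) continue ;;
        esac
        rewrite_ref "$line" "$1"
    done
}

# Live check: read rewritten refs from stdin and ask the private registry
# for each manifest with crane. Returns 1 if anything is missing, so the
# install can be gated on it.
verify_refs() {
    failed=0
    while IFS= read -r target; do
        if crane manifest "$target" >/dev/null 2>&1; then
            printf 'ok       %s\n' "$target"
        else
            printf 'MISSING  %s\n' "$target"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample list (the real one is kubewarden-images.txt plus
# policies.txt); REGISTRY defaults to a placeholder host.
SAMPLE_LIST='ghcr.io/kubewarden/policy-server:v1.3.0
ghcr.io/kubewarden/kubewarden-controller:v1.3.0
# policies.txt style entry
registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.2'

printf '%s\n' "$SAMPLE_LIST" | rewrite_list "${REGISTRY:-registry.example.internal:5000}"
# To check the registry for real, pipe the rewritten refs into verify_refs:
#   cat kubewarden-images.txt policies.txt | rewrite_list "$REGISTRY" | verify_refs
```

Running the verify step before the helm commands turns a slow, confusing ImagePullBackOff or a policy stuck in pending into an immediate, named list of what is still missing from the registry.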
Install the Kubewarden stack:
helm install --wait -n kubewarden \
kubewarden-crds kubewarden-crds.tgz
helm install --wait -n kubewarden \
kubewarden-controller kubewarden-controller.tgz \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
To use the Policy Reporter subchart available in the kubewarden-controller chart, you need to define other values specific to the subchart in an air-gapped environment. See an example below:
helm install --wait -n kubewarden kubewarden-controller kubewarden-controller.tgz \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
--set auditScanner.policyReporter=true \
--set policy-reporter.image.registry=<REGISTRY.YOURDOMAIN.COM:PORT> \
--set policy-reporter.ui.image.registry=<REGISTRY.YOURDOMAIN.COM:PORT> \
--set policy-reporter.image.repository=kyverno/policy-reporter \
--set policy-reporter.ui.image.repository=kyverno/policy-reporter-ui
It's necessary to define auditScanner.policyReporter to enable the subchart, and 4 more values to configure the registry and repository where you store the Policy Reporter images. For more information about the policy report subchart values, see the Policy Reporter documentation.
helm install --wait -n kubewarden \
kubewarden-defaults kubewarden-defaults.tgz \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
To download the recommended policies installed by the kubewarden-defaults Helm Chart from a registry other than global.cattle.systemDefaultRegistry, you can use the recommendedPolicies.defaultPoliciesRegistry configuration. This configuration lets users specify a registry dedicated to pulling the OCI artifacts of the policies. It's particularly useful when their container image repository doesn't support OCI artifacts.
To install and wait for the installation to complete, use the following command:
helm install --wait -n kubewarden \
kubewarden-defaults kubewarden-defaults.tgz \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
--set recommendedPolicies.defaultPoliciesRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
If the recommendedPolicies.defaultPoliciesRegistry configuration isn't set, global.cattle.systemDefaultRegistry is used as the default registry.
Finally, you need to configure Policy Server to fetch policies from your private registry. See the using private registry section of the documentation.
Now you can create Kubewarden policies in your cluster. Policies must be available in your private registry.
kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: privileged-pods
spec:
  module: registry://<REGISTRY.YOURDOMAIN.COM:PORT>/kubewarden/policies/pod-privileged:v0.2.2
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
  mutating: false
EOF
PolicyServer resources must use the image available in your private registry. For example:
apiVersion: policies.kubewarden.io/v1
kind: PolicyServer
metadata:
  name: reserved-instance-for-tenant-a
spec:
  image: <REGISTRY.YOURDOMAIN.COM:PORT>/kubewarden/policy-server:v1.3.0
  replicas: 2
  serviceAccountName: sa