This is unreleased documentation for Admission Controller 1.30-next.

Air gap installation

This guide shows you how to install SUSE Security Admission Controller in air-gapped environments. For an air-gapped installation of Admission Controller, you need a private Open Container Initiative (OCI) registry accessible by your Kubernetes cluster. Admission Controller Policies are WebAssembly modules, therefore you can store them in an OCI-compliant registry as OCI artifacts. You need to add Admission Controller’s images and policies to this OCI registry. You can refer to a list of Admission Controller artifacts in the Artifacts reference page. The following sections describe the process.

Save container images in your workstation

  1. Download kubewarden-images.txt from the Admission Controller release page. Alternatively, you can use the imagelist.txt and policylist.txt shipped inside the helm charts containing the used container images and policy Wasm modules, respectively.

    Optionally, you can verify the signatures of the helm charts and container images

  2. Download kubewarden-save-images.sh and kubewarden-load-images.sh from the utilities repository.

  3. Save Admission Controller container images into a .tar.gz file:

     ./kubewarden-save-images.sh \
   --image-list ./kubewarden-images.txt \
   --images kubewarden-images.tar.gz

    Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When complete, your current directory, where you ran the command, has a tarball, kubewarden-images.tar.gz.

Save policies in your workstation

  1. Add all the policies you want to use to a policies.txt file. A file with a list of default policies is in the Admission Controller defaults release page.

  2. Download kubewarden-save-policies.sh and kubewarden-load-policies.sh from the kwctl repository

  3. Save policies into a .tar.gz file:

    ./kubewarden-save-policies.sh --policies-list policies.txt

    You use kwctl to download the policies. The kubewarden-policies.tar.gz archive contains the policies.

Helm charts

You need to download the following helm charts to your workstation:

helm pull kubewarden/kubewarden-crds
helm pull kubewarden/kubewarden-controller
helm pull kubewarden/kubewarden-defaults

Populate private registry

Move these files to the air gap environment:

  • kubewarden-policies.tar.gz,

  • kubewarden-images.tar.gz,

  • kubewarden-load-images.sh,

  • kubewarden-load-policies.sh and

  • policies.txt

    1. Load Admission Controller images into the private registry. You need to authenticate the Docker client against the local registry .

       ./kubewarden-load-images.sh \
   --image-list ./kubewarden-images.txt \
   --images kubewarden-images.tar.gz \
   --registry <REGISTRY.YOURDOMAIN.COM:PORT>

    2. Load Admission Controller policies into the private registry. You should authenticate kwctl the local registry (kwctl uses the same mechanism to authenticate as docker, a ~/.docker/config.json file)

       ./kubewarden-load-policies.sh \
   --policies-list policies.txt \
   --policies kubewarden-policies.tar.gz \
   --registry <REGISTRY.YOURDOMAIN.COM:PORT> \
   --sources-path sources.yml

The kwctl command needs the sources.yaml file to connect to registries in these categories:

  • Authentication is required

  • Self signed certificate is being used

  • No TLS termination is done

Please refer to the section on custom certificate authorities in the documentation to learn about configuring the sources.yaml file

Install Admission Controller

Now that your private registry has everything required you can install Admission Controller. The only difference to a standard Admission Controller installation is that you need to change the registry in the container images and policies to be the private registry.

Install the Admission Controller stack:

helm install --wait -n kubewarden \
  kubewarden-crds kubewarden-crds.tgz
helm install --wait -n kubewarden \
  kubewarden-controller kubewarden-controller.tgz \
  --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>

To use the Policy Reported subchart available in the kubewarden-controller chart you need to define other values specific for the subchart in an air-gapped environment. An example is below:

helm install --wait -n kubewarden kubewarden-controller kubewarden-controller.tgz \
    --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
    --set auditScanner.policyReporter=true \
    --set policy-reporter.image.registry=<REGISTRY.YOURDOMAIN.COM:PORT> \
    --set policy-reporter.ui.image.registry=<REGISTRY.YOURDOMAIN.COM:PORT> \
    --set policy-reporter.image.repository=kyverno/policy-reporter \
    --set policy-reporter.ui.image.repository=kyverno/policy-reporter-ui

It’s necessary to define auditScanner.policyReporter to enable the subchart and 4 more values, to configure the registry and repository where you store the Policy Reporter images. For more information about the policy report subchart values refer to the Policy Reporter documentation.

 
helm install --wait -n kubewarden \
  kubewarden-defaults kubewarden-defaults.tgz \
  --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>

To download the recommended policies installed by the kubewarden-defaults Helm Chart from a registry other than global.cattle.systemDefaultRegistry, you can use the recommendedPolicies.defaultPoliciesRegistry configuration. This configuration lets users specify a registry dedicated to pulling the OCI artifacts of the policies. It’s particularly useful when their container image repository doesn’t support OCI artifacts.

To install, and wait for the installation to complete, use the following command:

helm install --wait -n kubewarden \
  kubewarden-defaults kubewarden-defaults.tgz \
  --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
  --set recommendedPolicies.defaultPoliciesRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>

If the recommendedPolicies.defaultPoliciesRegistry configuration isn’t set, the global.cattle.systemDefaultRegistry is used as the default registry.

Finally, you need to configure Policy Server to fetch policies from your private registry. Refer to the using private registry section of the documentation.

Now you can create Admission Controller policies in your cluster. Policies must be available in your private registry.

kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: privileged-pods
spec:
  module: registry://<REGISTRY.YOURDOMAIN.COM:PORT>/kubewarden/policies/pod-privileged:v0.2.2
  rules:
  - apiGroups: [""]
    apiVersions: [“v1”]
    resources: [“pods”]
    operations:
    - CREATE
  mutating: false
EOF

PolicyServer resources must use the image available in your private registry. For example:

apiVersion: policies.kubewarden.io/v1
kind: PolicyServer
metadata:
  name: reserved-instance-for-tenant-a
spec:
  image: <REGISTRY.YOURDOMAIN.COM:PORT>/kubewarden/policy-server:v1.3.0
  replicas: 2
  serviceAccountName: sa