Air gap installation
This guide shows you how to install Kubewarden in air-gapped environments. For an air-gapped installation of Kubewarden, you need a private Open Container Initiative (OCI) registry accessible by your Kubernetes cluster. Kubewarden Policies are WebAssembly modules, therefore you can store them in an OCI-compliant registry as OCI artifacts. You need to add Kubewarden’s images and policies to this OCI registry. The following sections describe the process.
Save container images in your workstation
-
Download
kubewarden-images.txt
from the Kubewarden release page. Alternatively, theimagelist.txt
andpolicylist.txt
files are shipped inside the helm charts containing the used container images and policy Wasm modules, respectively.+ Optionally, you can verify the signatures of the helm charts and container images
+
-
Add
cert-manager
, if not available, to your private registry.helm repo add jetstack https://charts.jetstack.io helm repo update helm pull jetstack/cert-manager helm template ./cert-manager-<Version>.tgz | \ awk '$1 ~ /image:/ {print $2}' | sed s/\"//g >> ./kubewarden-images.txt
-
Download
kubewarden-save-images.sh
andkubewarden-load-images.sh
from the utilities repository. -
Save Kubewarden container images into a
.tar.gz
file:./kubewarden-save-images.sh \ --image-list ./kubewarden-images.txt \ --images kubewarden-images.tar.gz
Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When complete, your current directory, where you ran the command, has a tarball,
kubewarden-images.tar.gz
.
Save policies in your workstation
-
Add all the policies you want to use in a
policies.txt
file. A file with a list of default policies is in the Kubewarden defaults release page. -
Download
kubewarden-save-policies.sh
andkubewarden-load-policies.sh
from the kwctl repository -
Save policies into a
.tar.gz
file:./kubewarden-save-policies.sh --policies-list policies.txt
The policies are downloaded by
kwctl
and stored in thekubewarden-policies.tar.gz
archive.
Helm charts
You need to download the following helm charts to your workstation:
helm pull kubewarden/kubewarden-crds
helm pull kubewarden/kubewarden-controller
helm pull kubewarden/kubewarden-defaults
Download cert-manager
, if not installed, to the air gap cluster.
helm pull jetstack/cert-manager
Populate private registry
Move these files to the air gap environment:
-
kubewarden-policies.tar.gz
, -
kubewarden-images.tar.gz
, -
kubewarden-load-images.sh
, -
kubewarden-load-policies.sh
and -
policies.txt
-
Load Kubewarden images into the private registry. The Docker client must be authenticated against the local registry.
./kubewarden-load-images.sh \ --image-list ./kubewarden-images.txt \ --images kubewarden-images.tar.gz \ --registry <REGISTRY.YOURDOMAIN.COM:PORT>
-
Load Kubewarden policies into the private registry. Kwctl must be authenticated against the local registry (
kwctl
uses the same mechanism to authenticate asdocker
, a~/.docker/config.json
file)./kubewarden-load-policies.sh \ --policies-list policies.txt \ --policies kubewarden-policies.tar.gz \ --registry <REGISTRY.YOURDOMAIN.COM:PORT> \ --sources-path sources.yml
-
The
Please refer to
the section on custom certificate authorities
in the documentation to learn about configuring the |
Install Kubewarden
Now that your private registry has everything required you can install Kubewarden. The only difference to a standard Kubewarden installation is that you need to change the registry in the container images and policies to be the private registry.
Install cert-manager
, if not already installed, in the air gap cluster:
helm install --create-namespace cert-manager ./cert-manager-<Version>.tgz \
-n kubewarden \
--set crds.enabled=true \
--set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-controller \
--set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-webhook \
--set cainjector.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-cainjector \
--set startupapicheck.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-ctl
Now install the Kubewarden stack:
helm install --wait -n kubewarden \
kubewarden-crds kubewarden-crds.tgz
helm install --wait -n kubewarden \
kubewarden-controller kubewarden-controller.tgz \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
To use the Policy Reported sub-chart available in the
It’s necessary to define |
helm install --wait -n kubewarden \
kubewarden-defaults kubewarden-defaults.tgz \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
To download the recommended policies installed by the To install, and wait for the installation to complete, use the following command:
If the |
Finally, you need to configure Policy Server to fetch policies from your private registry. See the using private registry section of the documentation.
Now you can create Kubewarden policies in your cluster. Policies must be available in your private registry.
kubectl apply -f - <<EOF apiVersion: policies.kubewarden.io/v1 kind: ClusterAdmissionPolicy metadata: name: privileged-pods spec: module: registry://<REGISTRY.YOURDOMAIN.COM:PORT>/kubewarden/policies/pod-privileged:v0.2.2 rules: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] operations: - CREATE mutating: false EOF
|