This is unreleased documentation for Policy Manager 1.28-next.
Air gap installation with Hauler
This guide shows how to install Kubewarden in an air-gapped environment using Hauler. Hauler is a tool for running workloads in air-gapped environments: it collects the resources an application needs (container images, Helm charts, files) and moves them into the isolated environment.
Kubewarden supports Hauler by publishing a manifest file that lists all the resources required to run Kubewarden in a private environment. This page describes how to use that manifest. Refer to the Hauler documentation to learn more about Hauler itself.
The basic workflow using the Hauler manifest is:
- Get the manifest from a Kubewarden release page
- Load all the resources required to run Kubewarden into a local Hauler store
- Export them into a file
- Move the file into the private environment
- Load the resources into Hauler running inside the private environment
- Copy everything into a registry, to be used in the installation process in your air-gapped environment
Download Hauler manifest from Helm chart release page
Download hauler_manifest.yml from the Kubewarden release page.
Synchronize the resources defined in the manifest to your Hauler store:
hauler store sync --filename hauler_manifest.yml
Hauler downloads all the resources from the manifest into the local store. This process takes a few minutes. When complete, you can list the synchronized resources with the hauler store info command.
Generate the tarball file with all Kubewarden resources
Run the Hauler command to export all the resources previously loaded in the store to a file:
hauler store save --filename kubewarden-resources.tar.zst
Kubewarden container images are multi-architecture (x86_64 and Arm). Therefore, when you save the resources into the file, you can see warning messages like this:
To avoid this warning message, you can set the
Transfer the tarball into your isolated environment
Now that you have all the Kubewarden resources in kubewarden-resources.tar.zst, copy it into your air-gapped environment and load it into the Hauler store there:
hauler store load --filename kubewarden-resources.tar.zst
# Check if the resources are loaded
hauler store info
Now all the resources required to install Kubewarden are in the Hauler store in your isolated environment.
Populate private registry
To use the resources from your Hauler store, it’s necessary to make them available in an internal registry. You can use Hauler commands to copy them into your private registry.
hauler store copy registry://localhost:5000
You can also have Hauler serve a registry with all the resources from the store:
hauler store serve registry
This starts a registry at the localhost:5000 address. From this point, you can use tools like Skopeo to copy all the container images, policy modules and Helm charts used by Kubewarden into your private registry.
Install Kubewarden
Now that your private registry has everything required, you can install Kubewarden. The difference from a standard Kubewarden installation is that you need to change the registry in the container images and policies to be the private registry. Additionally, you need to install the Helm charts from OCI artifacts.
Install the Kubewarden stack:
helm install --wait -n kubewarden kubewarden-crds \
oci://<REGISTRY.YOURDOMAIN.COM:PORT>/hauler/kubewarden-crds
helm install --wait -n kubewarden kubewarden-controller \
--set "global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>" \
oci://<REGISTRY.YOURDOMAIN.COM:PORT>/hauler/kubewarden-controller
To use the PolicyReporter sub-chart available in the
It’s necessary to define
helm install --wait -n kubewarden \
kubewarden-defaults oci://<REGISTRY.YOURDOMAIN.COM:PORT>/hauler/kubewarden-defaults \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
Finally, you need to configure each Policy Server to fetch policies from your private registry. See the using private registry section of the documentation.
Now you can create Kubewarden policies in your cluster. Policies must be available in your private registry.
kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: privileged-pods
spec:
  module: registry://<REGISTRY.YOURDOMAIN.COM:PORT>/kubewarden/policies/pod-privileged:v0.2.2
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
  mutating: false
EOF
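Every policy you apply in the air-gapped cluster has to reference a module hosted on the private registry; a manifest copied from upstream that still points at a public host will simply fail to pull (or, worse, pull from the internet if the cluster is not truly isolated). The following POSIX shell script is an added example, not part of the Kubewarden docs or project: it rewrites the registry host of every module reference in a manifest to the private registry and refuses a manifest that still points elsewhere, which makes a useful gate before kubectl apply. It assumes policies were mirrored under the same path as upstream (only the host changes); the registry host registry.example.internal:5000 and the sample manifest are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Kubewarden docs or project): rewrite the registry
# host of Kubewarden policy module references and gate a manifest on that
# before it is applied in the air-gapped cluster.
#
# Assumptions (labelled): policies were mirrored with the same path as upstream,
# so only the host changes; the registry host and the sample manifest below are
# constructed for this example.

PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-registry.example.internal:5000}"

# module_value <line>: print the module reference on a `module:` line
# (surrounding quotes stripped), or nothing if the line is not a module line.
module_value() {
  v=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*module:[[:space:]]*//p')
  v=${v#\"}; v=${v%\"}
  v=${v#\'}; v=${v%\'}
  printf '%s\n' "$v"
}

# ref_host <module-ref>: print the registry host (first path component),
# ignoring an optional registry:// scheme.
ref_host() {
  h=${1#registry://}
  printf '%s\n' "${h%%/*}"
}

# to_private_ref <module-ref>: replace the registry host with
# $PRIVATE_REGISTRY, keeping the registry:// scheme when present.
to_private_ref() {
  ref=$1
  scheme=""
  case "$ref" in
    registry://*) scheme="registry://"; ref=${ref#registry://} ;;
  esac
  printf '%s%s/%s\n' "$scheme" "$PRIVATE_REGISTRY" "${ref#*/}"
}

# rewrite_manifest <in.yaml> <out.yaml>: copy the manifest, rewriting every
# `module:` line so it points at $PRIVATE_REGISTRY. Other lines pass through.
rewrite_manifest() {
  while IFS= read -r line; do
    mod=$(module_value "$line")
    if [ -n "$mod" ]; then
      indent=${line%%module:*}
      printf '%smodule: %s\n' "$indent" "$(to_private_ref "$mod")"
    else
      printf '%s\n' "$line"
    fi
  done < "$1" > "$2"
}

# check_manifest_refs <manifest.yaml>: return 0 only if every module reference
# is hosted on $PRIVATE_REGISTRY; otherwise list the offenders and return 1.
check_manifest_refs() {
  bad=0
  while IFS= read -r line; do
    mod=$(module_value "$line")
    [ -n "$mod" ] || continue
    if [ "$(ref_host "$mod")" != "$PRIVATE_REGISTRY" ]; then
      echo "refusing: $mod is not hosted on $PRIVATE_REGISTRY" >&2
      bad=1
    fi
  done < "$1"
  return "$bad"
}

# Demo with a constructed manifest that still references the public registry.
upstream=$(mktemp); private=$(mktemp)
cat > "$upstream" <<'EOF'
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: privileged-pods
spec:
  module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.2
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE"]
  mutating: false
EOF

if check_manifest_refs "$upstream" 2>/dev/null; then
  echo "unexpected: upstream manifest passed the gate"
fi
rewrite_manifest "$upstream" "$private"
if check_manifest_refs "$private"; then
  echo "manifest now safe to apply:"; grep 'module:' "$private"
fi
rm -f "$upstream" "$private"
```

Run it with PRIVATE_REGISTRY set to your registry, then feed the rewritten file to kubectl apply; the gate is deliberately strict on the host string, so a manifest using a different alias of the same registry (for example an IP instead of a hostname) is rejected rather than silently accepted.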