install

Installs the application and the KOTS Admin Console directly to a cluster. The kots install command pulls Kubernetes manifests from the remote upstream, deploys the manifests to the specified cluster, installs the Admin Console, and sets up port forwarding to make the Admin Console accessible on port 8800. Alternatively, you can specify the --port flag to override the default port.

Usage

kubectl kots install [upstream-uri] [flags]

  • Replace [upstream-uri] with the URI for your KOTS application (required).
  • If the KOTS application has been packaged by Replicated Vendor, the --license-file flag must be provided.
  • Provide [flags] according to the table below.

This command supports all global flags and also:

| Flag | Type | Description |
| --- | --- | --- |
| --additional-annotations | bool | Additional annotations to add to kotsadm pods. |
| --additional-labels | bool | Additional labels to add to kotsadm pods. |
| --airgap | bool | Set to true to run install in air gapped mode. Setting --airgap-bundle implies --airgap=true. Default: false. For more information, see Air Gap Installation in Existing Clusters with KOTS. |
| --airgap-bundle | string | Path to the application air gap bundle where application metadata will be loaded from. Setting --airgap-bundle implies --airgap=true. For more information, see Air Gap Installation in Existing Clusters with KOTS. |
| --app-version-label | string | The application version label to install. If not specified, the latest version is installed. |
| --config-values | string | Path to a manifest file containing configuration values. This manifest must be apiVersion: kots.io/v1beta1 and kind: ConfigValues. For more information, see Installing with the KOTS CLI. |
| --copy-proxy-env | bool | Copy proxy environment variables from current environment into all Admin Console components. Default: false |
| --disable-image-push | bool | Set to true to disable images from being pushed to private registry. Default: false |
| --ensure-rbac | bool | When false, KOTS does not attempt to create the RBAC resources necessary to manage applications. Default: true. If a role specification is needed, use the generate-manifests command. |
| -h, --help | | Help for the command. |
| --http-proxy | string | Sets HTTP_PROXY environment variable in all Admin Console components. |
| --https-proxy | string | Sets HTTPS_PROXY environment variable in all Admin Console components. |
| --kotsadm-namespace | string | Set to override the registry namespace of KOTS Admin Console images. Used for air gap installations. For more information, see Air Gap Installation in Existing Clusters with KOTS. Note: Replicated recommends that you use --kotsadm-registry instead of --kotsadm-namespace to override both the registry hostname and, optionally, the registry namespace with a single flag. |
| --kotsadm-registry | string | Set to override the registry hostname and namespace of KOTS Admin Console images. Used for air gap installations. For more information, see Air Gap Installation in Existing Clusters with KOTS. |
| --license-file | string | Path to a license file. |
| --local-path | string | Specify a local-path to test the behavior of rendering a Replicated application locally. Only supported on Replicated application types. |
| --name | string | Name of the application to use in the Admin Console. |
| --no-port-forward | bool | Set to true to disable automatic port forward. Default: false |
| --no-proxy | string | Sets NO_PROXY environment variable in all Admin Console components. |
| --port | string | Override the local port to access the Admin Console. Default: 8800 |
| --private-ca-configmap | string | Name of a ConfigMap containing private CAs to add to the kotsadm deployment. |
| --preflights-wait-duration | string | Timeout to be used while waiting for preflights to complete. Must be in Go duration format. For example, 10s, 2m. Default: 15m |
| --registry-password | string | Password to use to authenticate with the application registry. Used for air gap installations. |
| --registry-username | string | Username to use to authenticate with the application registry. Used for air gap installations. |
| --repo | string | Repo URI to use when installing a Helm chart. |
| --shared-password | string | Shared password to use when deploying the Admin Console. |
| --skip-compatibility-check | bool | Set to true to skip compatibility checks between the current KOTS version and the application. Default: false |
| --skip-preflights | bool | Set to true to skip preflight checks. Default: false. If any strict preflight checks are configured, the --skip-preflights flag is not honored because strict preflight checks must run and contain no failures before the application is deployed. For more information, see Defining Preflight Checks. |
| --skip-rbac-check | bool | Set to true to bypass RBAC check. Default: false |
| --skip-registry-check | bool | Set to true to skip the connectivity test and validation of the provided registry information. Default: false |
| --strict-security-context | bool | Set to true to explicitly enable strict security contexts for all KOTS Pods and containers. |

By default, KOTS Pods and containers are not deployed with a specific security context. When true, --strict-security-context does the following:

  • Ensures containers run as a non-root user
  • Sets the specific UID for the containers (1001)
  • Sets the GID for volume ownership and permissions (1001)
  • Applies the default container runtime seccomp profile for security
  • Ensures the container is not run with privileged system access
  • Prevents the container from gaining more privileges than its parent process
  • Ensures the container's root filesystem is mounted as read-only
  • Removes all Linux capabilities from the container

The following shows the securityContext for KOTS Pods when --strict-security-context is set:

securityContext:
  fsGroup: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  runAsUser: 1001
  seccompProfile:
    type: RuntimeDefault
  supplementalGroups:
  - 1001

Default: false

Note: Might not work for some storage providers.

| Flag | Type | Description |
| --- | --- | --- |
| --use-minimal-rbac | bool | When set to true, KOTS RBAC permissions are limited to the namespace where it is installed. To use --use-minimal-rbac, the application must support namespace-scoped installations and the user must have the minimum RBAC permissions required by KOTS in the target namespace. For a complete list of requirements, see Namespace-scoped RBAC Requirements in Installation Requirements. Default: false |
| --wait-duration | string | Timeout to be used while waiting for individual components to be ready. Must be in Go duration format. For example, 10s, 2m. Default: 2m |
| --with-minio | bool | When set to true, KOTS deploys a local MinIO instance for storage and uses MinIO for host path and NFS snapshot storage. Default: true |
| --storage-class | string | Sets the storage class to use for the KOTS Admin Console components. Default: unset, which means the default storage class will be used |
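To confirm after an install that --strict-security-context took effect, the settings listed for that flag can be checked against a running pod. The following is an added example, not code from Replicated or KOTS: it audits pod JSON against the pod-level securityContext shown above. The container-level field names (privileged, allowPrivilegeEscalation, readOnlyRootFilesystem, capabilities.drop) are an assumed mapping of the bullet list onto standard Kubernetes fields, and the sample pod and its container names are constructed.

```python
import json

# Constructed sample shaped like `kubectl get pod <pod> -n <namespace> -o json`,
# trimmed to the checked fields. Container names are made up for the example.
SAMPLE_POD = json.loads("""
{"spec": {
  "securityContext": {"fsGroup": 1001, "runAsGroup": 1001, "runAsNonRoot": true,
    "runAsUser": 1001, "seccompProfile": {"type": "RuntimeDefault"},
    "supplementalGroups": [1001]},
  "containers": [
    {"name": "app", "securityContext": {"allowPrivilegeEscalation": false,
      "privileged": false, "readOnlyRootFilesystem": true,
      "capabilities": {"drop": ["ALL"]}}},
    {"name": "sidecar", "securityContext": {"readOnlyRootFilesystem": true}}
  ]}}
""")

# Pod-level values exactly as shown on the page.
POD_EXPECTED = {"fsGroup": 1001, "runAsGroup": 1001, "runAsNonRoot": True,
                "runAsUser": 1001, "seccompProfile": {"type": "RuntimeDefault"},
                "supplementalGroups": [1001]}

def audit_pod(pod):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    for key, want in POD_EXPECTED.items():
        if pod_sc.get(key) != want:
            findings.append(f"pod: {key} is {pod_sc.get(key)!r}, expected {want!r}")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        sc, name = c.get("securityContext") or {}, c.get("name", "?")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        # Assumed container-level mapping of the bullets. These two fail when
        # unset, because the Kubernetes defaults for them are permissive.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem not read-only")
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in [d.upper() for d in drops]:
            findings.append(f"{name}: capabilities not dropped (ALL)")
        # A container-level runAsUser or runAsNonRoot overrides the pod level.
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            findings.append(f"{name}: overrides the pod's non-root setting")
    return findings

print("\n".join(audit_pod(SAMPLE_POD)) or "all checks passed")
```

Running it on the constructed sample reports the sidecar container, which sets only readOnlyRootFilesystem and so inherits the permissive defaults for the other fields.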

Examples

kubectl kots install sentry/unstable --license-file ~/license.yaml
kubectl kots install kots-sentry/stable --shared-password IgqG5OBc9Gp --license-file ~/sentry-license.yaml --namespace sentry-namespace --config-values ~/config-values.yaml
kubectl kots install [upstream-uri] --ensure-rbac=false