# install Installs the application and the KOTS Admin Console directly to a cluster. The `kots install` command pulls Kubernetes manifests from the remote upstream, deploys the manifests to the specified cluster, installs the Admin Console, and sets up port forwarding to make the Admin Console accessible on port 8800. Alternatively, you can specify the `--port` flag to override the default port. ### Usage ```bash kubectl kots install [upstream uri] [flags] ``` - _Replace [upstream-uri] with the URI for your KOTS application (required)._ - _If the KOTS application has been packaged by Replicated Vendor, the `--license-file` flag must be provided._ - _Provide [flags] according to the table below_ This command supports all [global flags](kots-cli-global-flags) and also: import StrictSecContextYaml from "./_strict-sec-context-yaml.mdx"

Flag	Type	Description
`--additional-annotations`	bool	Additional annotations to add to kotsadm pods.
`--additional-labels`	bool	Additional labels to add to kotsadm pods.
`--airgap`	bool	Set to `true` to run install in air gapped mode. Setting `--airgap-bundle` implies `--airgap=true`. Default: `false`. For more information, see Air Gap Installation in Existing Clusters with KOTS.
`--airgap-bundle`	string	Path to the application air gap bundle where application metadata will be loaded from. Setting `--airgap-bundle` implies `--airgap=true`. For more information, see Air Gap Installation in Existing Clusters with KOTS.
`--app-version-label`	string	The application version label to install. If not specified, the latest version is installed.
`--config-values`	string	Path to a manifest file containing configuration values. This manifest must be `apiVersion: kots.io/v1beta1` and `kind: ConfigValues`. For more information, see Install with the KOTS CLI.
`--copy-proxy-env`	bool	Copy proxy environment variables from current environment into all Admin Console components. Default: `false`
`--disable-image-push`	bool	Set to `true` to disable images from being pushed to private registry. Default: `false`
`--ensure-rbac`	bool	When `false`, KOTS does not attempt to create the RBAC resources necessary to manage applications. Default: `true`. If a role specification is needed, use the [generate-manifests](kots-cli-admin-console-generate-manifests) command.
`-h, --help`		Help for the command.
`--http-proxy`	string	Sets HTTP_PROXY environment variable in all Admin Console components.
`--https-proxy`	string	Sets HTTPS_PROXY environment variable in all Admin Console components.
`--kotsadm-namespace`	string	Set to override the registry namespace of KOTS Admin Console images. Used for air gap installations. For more information, see [Air Gap Installation in Existing Clusters with KOTS](/enterprise/installing-existing-cluster-airgapped). Note: Replicated recommends that you use `--kotsadm-registry` instead of `--kotsadm-namespace` to override both the registry hostname and, optionally, the registry namespace with a single flag.
`--kotsadm-registry`	string	Set to override the registry hostname and namespace of KOTS Admin Console images. Used for air gap installations. For more information, see [Air Gap Installation in Existing Clusters with KOTS](/enterprise/installing-existing-cluster-airgapped).
`--license-file`	string	Path to a license file.
`--local-path`	string	Specify a local-path to test the behavior of rendering a Replicated application locally. Only supported on Replicated application types.
`--name`	string	Name of the application to use in the Admin Console.
`--no-port-forward`	bool	Set to `true` to disable automatic port forward. Default: `false`
`--no-proxy`	string	Sets NO_PROXY environment variable in all Admin Console components.
`--port`	string	Override the local port to access the Admin Console. Default: 8800
`--private-ca-configmap`	string	Name of a ConfigMap containing private CAs to add to the kotsadm deployment.
`--preflights-wait-duration`	string	Timeout to be used while waiting for preflights to complete. Must be in [Go duration](https://pkg.go.dev/time#ParseDuration) format. For example, 10s, 2m. Default: 15m
`--registry-password`	string	Password to use to authenticate with the application registry. Used for air gap installations.
`--registry-username`	string	Username to use to authenticate with the application registry. Used for air gap installations.
`--repo`	string	Repo URI to use when installing a Helm chart.
`--shared-password`	string	Shared password to use when deploying the Admin Console.
`--skip-compatibility-check`	bool	Set to `true` to skip compatibility checks between the current KOTS version and the application. Default: `false`
`--skip-preflights`	bool	Set to `true` to skip preflight checks. Default: `false`. If any strict preflight checks are configured, the `--skip-preflights` flag is not honored because strict preflight checks must run and contain no failures before the application is deployed. For more information, see [Define Preflight Checks](/vendor/preflight-defining).
`--skip-rbac-check`	bool	Set to `true` to bypass RBAC check. Default: `false`
`--skip-registry-check`	bool	Set to `true` to skip the connectivity test and validation of the provided registry information. Default: `false`
`--strict-security-context`	bool	Set to `true` to explicitly enable strict security contexts for all KOTS Pods and containers. By default, KOTS Pods and containers are not deployed with a specific security context. When `true`, `--strict-security-context` does the following: Ensures containers run as a non-root user Sets the specific UID for the containers (1001) Sets the GID for volume ownership and permissions (1001) Applies the default container runtime seccomp profile for security Ensures the container is not run with privileged system access Prevents the container from gaining more privileges than its parent process Ensures the container's root filesystem is mounted as read-only Removes all Linux capabilities from the container The following shows the `securityContext` for KOTS Pods when `--strict-security-context` is set: Default: `false` :::note Might not work for some storage providers. :::
`--use-minimal-rbac`	bool	When set to `true`, KOTS RBAC permissions are limited to the namespace where it is installed. To use `--use-minimal-rbac`, the application must support namespace-scoped installations and the user must have the minimum RBAC permissions required by KOTS in the target namespace. For a complete list of requirements, see [Namespace-scoped RBAC Requirements](/enterprise/installing-general-requirements#namespace-scoped) in _Installation Requirements_. Default: `false`
`--wait-duration`	string	Timeout to be used while waiting for individual components to be ready. Must be in [Go duration](https://pkg.go.dev/time#ParseDuration) format. For example, 10s, 2m. Default: 2m
`--with-minio`	bool	When set to `true`, KOTS deploys a local MinIO instance for storage and uses MinIO for host path and NFS snapshot storage. Default: `true`
`--storage-class`	string	Sets the storage class to use for the KOTS Admin Console components. Default: unset, which means the default storage class will be used

### Examples ```bash kubectl kots install sentry/unstable --license-file ~/license.yaml kubectl kots install kots-sentry/stable --shared-password IgqG5OBc9Gp --license-file ~/sentry-license.yaml --namespace sentry-namespace --config-values ~/config-values.yaml kubectl kots install --ensure-rbac=false ```