Run the deployment script

To deploy ArcGIS Enterprise on Kubernetes, you run a bash script along with Kubernetes manifests. The deployment package is available for download from My Esri and is delivered as a .tar.gz file. Prior to running the deployment script, review instructions to get started.


To run the deployment script in interactive mode, your container registry password must not exceed 30 characters. If your container registry password exceeds 30 characters, you can run the deployment script in silent mode. Before doing so, use the tool to generate an encrypted password, remove any line breaks from it, and specify it in the file as the CONTAINER_REGISTRY_PASSWORD.

Run the deployment script in interactive mode

If you run the ArcGIS Enterprise on Kubernetes deployment script without specifying a configuration parameters file, it opens in interactive mode. The script prompts for each parameter and immediately checks the validity of each value. This provides a fast way to verify each configuration parameter for your deployment.

  1. On your Kubernetes client machine, open a terminal as an administrator.
  2. Change directories to where your deployment script is located.
  3. In the terminal, run the deployment script using the following command format:
  4. Complete the parameters.

    The script prompts you for the following parameters, one at a time. If you provide an invalid value, the script immediately returns an error and prompts for a valid parameter. The following is a summary of the user inputs:


    You do not need to run this script as the root user.

    • Deployment platform—ArcGIS Enterprise on Kubernetes uses ingress to route incoming traffic to the services in the cluster. If you are deploying in a managed Kubernetes service by a cloud provider, such as Amazon Web Services EKS or Microsoft Azure Kubernetes Service (AKS), the ingress controller can be exposed externally using a load balancer service by the cloud provider. In this case, ArcGIS Enterprise on Kubernetes provisions a load balancer during the deployment process.
    • Load balancer—During deployment, ArcGIS Enterprise on Kubernetes can provision selected cloud load balancers with the Azure Load Balancer (external and internal) and AWS Network Load Balancer (NLB-External and NLB-Internal). Each option prompts you to specify the load balancer's IP. In this release, only the Azure load balancers support this option; AWS EKS does not support the load balancer IP option. If you're using OpenShift, you can use Routes, which are typically backed by HAProxy or Big-IP-based load balancers.
    • Namespace—The Kubernetes cluster namespace where ArcGIS Enterprise on Kubernetes will be deployed.
    • Encryption Keyfile—The encryption keyfile is a plain text file used for AES-256 encryption and decryption of passwords. The content of this file is plain text that you specify and should not contain passwords. This file should remain in a fixed location and the contents should not be changed.
    • Registry Host—The fully qualified domain name (FQDN) of the container registry host (for example,
    • Image Path—The image repository that's used to pull the container images (for example, esridocker).
    • Registry Username—The username for an account in the specified container registry that stores permissions to pull from the registry.

      The container registry account that you specify should have a minimum level of privileges associated with it, for example, only those to download container images. By default, Kubernetes stores and accesses this account's unencrypted credentials as a secret. It is recommended that you do not specify an account that has privileges to push changes, edit metadata, or administer the container registry.

    • Registry Password—The password for the specified container registry account.
    • Fully Qualified Domain Name—The FQDN needed to access ArcGIS Enterprise on Kubernetes. This points to a load balancer, reverse proxy, edge router, or other web front-end point configured to route traffic to the ingress controller.
    • Context Path—The context path used in the URL for ArcGIS Enterprise on Kubernetes (for example, https://<FQDN>/<context path>).

      Once deployment is complete, the context path you specify here will be used when configuring ArcGIS Enterprise on Kubernetes Web Adaptor with your organization.

    • Node Port—The ingress controller exposes external traffic over service type "LoadBalancer" or "NodePort". The port can be specified in the range of 30000-32767. If a port is not specified, Kubernetes automatically allocates an available port in this range.
    • TLS Certificate—A TLS certificate (either self-signed or third-party CA-signed) is required with the FQDN and subject alternate name. This will be the default TLS certificate for the ingress controller.

When you have provided all valid parameters, a properties file is saved to your current working directory. Use this properties file to automate future deployments or to undeploy ArcGIS Enterprise on Kubernetes.


After the properties file is generated, you can customize the parameters within it to meet the needs of your deployment. For example, if your organization must run unprivileged containers, update ALLOWED_PRIVILEGED_CONTAINERS=false before deployment. See the Additional silent deployment properties section below for details.

The final deployment step is to create your ArcGIS Enterprise organization.


The deployment script uses kubectl commands to validate prerequisites, such as a valid namespace. If the kubectl command is unable to communicate with the cluster due to a network or firewall issue, the deployment script may appear to become unresponsive. If this happens, end the ./ command and run kubectl directly from a terminal to initiate communication with the cluster.

Run the deployment script in silent mode

As an alternative to running the deployment script in interactive mode, you can deploy ArcGIS Enterprise on Kubernetes silently. The deployment script is bundled with a file, which provides a set of parameters prompting for unique input to your ArcGIS Enterprise on Kubernetes deployment.

It is recommended that you run the tool to generate encrypted passwords for use in the file.

  1. On your Kubernetes client machine, open a terminal as an administrator.
  2. Change directories to where your deployment script and the file are located.
  3. Open the file.
  4. Refer to the descriptive comments in the file for a summary of the user inputs and provide values for each parameter listed in the file.

    The file is divided into the following sections:

    • Deployment platform
    • Namespace
    • Encryption keyfile
    • Container registry
    • Fully Qualified Domain Name (FQDN)
    • TLS certificate
    • Additional properties
  5. Save the file. Optionally, rename the file.
  6. In the terminal, run the deployment script using the following command format:
    ./ -f <user_properties>

The contents of <user properties> are derived from the file.

Before deploying ArcGIS Enterprise on Kubernetes, the deployment script will validate whether your system meets the minimum system requirements and whether you have provided valid input for each parameter listed in the file.

The final deployment step is to create your ArcGIS Enterprise organization.

Additional silent deployment properties

The file contains additional properties that can be used when deploying silently. The default values for each are provided.

ALLOWED_PRIVILEGED_CONTAINERS=true—If you cannot run a privileged container, set this value to false. When doing so, you'll also need to run the "sysctl -w vm.max_map_count=262144" command as root to increase vm.max_map_count to 262144 on all nodes in your cluster.

CONTAINER_IMAGE_PULL_POLICY="Always"—When new containers are started, the ImagePullPolicy determines whether a new container image is pulled from the container registry. The default is "Always" and will pull a new image each time a container is started. If you want a new image to be pulled only if one is not already present, set this value to "IfNotPresent".

INGRESS_HSTS_ENABLED=false—HTTP Strict Transport Security (HSTS) adds a layer of security to your organization's web traffic. By default, the HSTS protocol option is set to false. To turn on HSTS, set this value to true.

INGRESS_SSL_PROTOCOLS="TLSv1.2 TLSv1.3"—Sets the SSL protocols to use. The default is "TLSv1.2 TLSv1.3". If additional TLS versions must be allowed, specify them here.


K8S_CLUSTER_DOMAIN="${K8S_CLUSTER_DOMAIN:-cluster.local}"—If you have a custom DNS for services and pods (for example,, you can use this property to allow ArcGIS Enterprise on Kubernetes to use your custom DNS. The default value is cluster.local.
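
The following pre-flight check is an added example, not part of the Esri deployment package: it audits a silent-mode properties file for the settings described above before the file is passed to the deployment script. The function names, the sample file and the baseline it enforces (HSTS on, unprivileged containers, default TLS versions only) are assumptions; only the property names and their defaults come from this page.

```sh
#!/bin/sh
# Added example: audit_properties and the sample file are hypothetical; only the
# property names and their defaults come from the page.

# Print KEY's value from FILE (last assignment wins, surrounding quotes stripped).
prop() { sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'; }

# Print one finding per line; return 0 only when there are none.
audit_properties() {
  file=$1; findings=0
  note() { echo "$1"; findings=$((findings + 1)); }

  # Anything that is not blank, a comment or UPPERCASE_KEY=value is most likely a
  # line break left inside a value such as the encrypted registry password.
  stray=$(grep -n -v -E '^[[:space:]]*(#.*)?$|^[A-Z_][A-Z0-9_]*=' "$file" | cut -d: -f1 | tr '\n' ' ')
  [ -z "$stray" ] || note "stray continuation line(s): $stray"

  # Assumed baseline: nothing beyond the default TLSv1.2 and TLSv1.3.
  for proto in $(prop INGRESS_SSL_PROTOCOLS "$file"); do
    case $proto in
      TLSv1.2|TLSv1.3) ;;
      *) note "INGRESS_SSL_PROTOCOLS allows $proto beyond the default" ;;
    esac
  done

  [ "$(prop INGRESS_HSTS_ENABLED "$file")" = "true" ] || note "INGRESS_HSTS_ENABLED is not true"
  [ "$(prop ALLOWED_PRIVILEGED_CONTAINERS "$file")" = "false" ] ||
    note "ALLOWED_PRIVILEGED_CONTAINERS is not false"
  case $(prop CONTAINER_IMAGE_PULL_POLICY "$file") in
    Always|IfNotPresent|"") ;;   # an unset property falls back to the default
    *) note "CONTAINER_IMAGE_PULL_POLICY is not Always or IfNotPresent" ;;
  esac
  [ "$findings" -eq 0 ]
}

# Constructed sample: wrapped password value, TLSv1.1 added, HSTS left off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed values, not real credentials
CONTAINER_REGISTRY_PASSWORD="constructedEncryptedValuePart1
constructedPart2=="
ALLOWED_PRIVILEGED_CONTAINERS=false
CONTAINER_IMAGE_PULL_POLICY="Always"
INGRESS_HSTS_ENABLED=false
INGRESS_SSL_PROTOCOLS="TLSv1.1 TLSv1.2 TLSv1.3"
EOF
audit_properties "$sample" || true
```

A non-zero return from audit_properties can gate an automated deployment so that a properties file that departs from the baseline is never applied.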