
Permissions

Permission required by Kyvos Managed Identity

Case 1: Dedicated Azure Kubernetes Service (AKS) Cluster

  1. Built-in Azure Kubernetes Service Cluster User Role on AKS cluster

  2. Built-in Reader on the AKS cluster

  3. Built-in Virtual Machine Contributor on Managed Resource Group

  4. Microsoft.ContainerService/managedClusters/agentPools/write on the AKS cluster

  5. Microsoft.ContainerService/managedClusters/agentPools/read on the AKS cluster

  6. Microsoft.ContainerService/managedClusters/agentPools/delete on the AKS cluster

Case 2: Shared AKS Cluster

  1. Permissions are the same as for the dedicated AKS cluster.

  2. Both namespaces (compute and monitoring) must already be created.

  3. Download the view-nodes.yaml file, update the object ID of the Kyvos Managed Identity in it, and execute the kubectl apply -f view-nodes.yaml command from a user/Managed Identity that has Admin privileges on the AKS cluster. This provides get and list permission on nodes.

  4. Download the kyvos-compute-worker-disk-class.yaml file and execute the kubectl apply -f kyvos-compute-worker-disk-class.yaml command from a user/MI that has Admin privileges on the AKS cluster. This creates the storage class. If required, you can update the tags in the file by passing comma-separated values.
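
An added example of what a view-nodes.yaml manifest for step 3 looks like; it is not the Kyvos-provided file. It assumes an AKS cluster with Azure AD integration, where a managed identity is mapped to a Kubernetes user whose name is its object ID, and uses a placeholder object ID. The point is least privilege: the Kyvos identity gets only get and list on nodes (nodes are cluster-scoped, so a ClusterRole is needed), and nothing else.

```yaml
# Added example of view-nodes.yaml (not the Kyvos-provided file).
# Assumes Azure AD integration: the managed identity authenticates to the
# API server as a User whose name is its object ID (PLACEHOLDER below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyvos-view-nodes
rules:
  - apiGroups: [""]          # core API group; Node is a cluster-scoped resource
    resources: ["nodes"]
    verbs: ["get", "list"]   # read-only on nodes: no watch, patch, update or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyvos-view-nodes
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyvos-view-nodes
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    # PLACEHOLDER: replace with the object ID of the Kyvos Managed Identity
    name: "00000000-0000-0000-0000-000000000000"
```

After applying it with the admin identity, `kubectl auth can-i list nodes --as <object-id>` should return yes while `kubectl auth can-i delete nodes --as <object-id>` should return no, which confirms the binding is scoped as intended.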

Case 3: Dedicated Node pool

  1. Built-in Azure Kubernetes Service Cluster User Role on the AKS cluster

  2. Built-in Reader on the AKS cluster

  3. Built-in Virtual Machine Contributor on VMSS of Node pool

  4. Microsoft.ContainerService/managedClusters/agentPools/write on the AKS cluster

  5. Microsoft.ContainerService/managedClusters/agentPools/read on the AKS cluster

  6. Microsoft.ContainerService/managedClusters/agentPools/delete on the AKS cluster

Case 4: Shared Node pool

  1. Built-in Azure Kubernetes Service Cluster User Role on the AKS cluster

  2. Built-in Reader on the AKS cluster

Permission required by Kubernetes Managed Identity

  1. Built-in Managed Identity Operator on this Managed Identity itself
     (Note: This is required for creation on the AKS cluster if the cluster is created externally.)

  2. Built-in Storage Blob Data Contributor on the Kyvos storage account

  3. Built-in Reader on the AKS cluster

  4. An access policy on the Kyvos Key Vault that grants the get permission on secrets

In the case of Enhanced Security

  1. The AKS subnet must be allowed in the networking rules of the Kyvos storage account.

  2. The AKS subnet must be allowed in the networking rules of the Kyvos Key Vault.