To deploy Kyvos using Kubernetes, read the
...
VNet peering is necessary if the Kyvos VPC differs from the VPC associated with the existing Kubernetes cluster.
Firewall rule on GKE Cluster VPC: An inbound rule allows TCP traffic on the 6903 port that is required with the source IP range set to the Kyvos VPC.
Permissions required by GKE Service Account: For the GKE Service Account, the following roles and permissions are required:
roles/iam.serviceAccountTokenCreator
roles/iam.workloadIdentityUser
roles/container.clusterAdmin
roles/container.developer
compute.instanceGroupManagers.update
compute.instanceGroupManagers.get
The above permission [roles/iam.workloadIdentityUser] is associated with the Kubernetes namespace and service account used for Kyvos deployment.
Command:
Code Block gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-monitoring/default]" gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-compute/default]"