...
VNet peering is necessary if the Kyvos VPC differs from the VPC associated with the existing Kubernetes cluster.
Firewall rule on GKE Cluster VPC: An inbound rule that allows TCP traffic on port 6903 is required, with the source IP range set to the Kyvos VPC.
Permissions required by GKE Service Account: For the GKE Service Account, the following roles and permissions are required:
roles/iam.serviceAccountTokenCreator
roles/iam.workloadIdentityUser
roles/container.clusterAdmin
roles/container.developer
compute.instanceGroupManagers.update
compute.instanceGroupManagers.get
The role roles/iam.workloadIdentityUser above is bound to the Kubernetes namespace and service account used for the Kyvos deployment (the kyvos-monitoring and kyvos-compute namespaces, each with its default service account).
Command:
gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-monitoring/default]"
gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-compute/default]"
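After running the two bindings above, it is worth confirming that roles/iam.workloadIdentityUser is granted to exactly the two Kyvos namespace service accounts and to nothing broader. The following is an added example (not Kyvos's own code) that audits the JSON policy returned by `gcloud iam service-accounts get-iam-policy IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --format=json`; the policy document and the project ID `my-project` are constructed placeholders.

```python
import json

REQUIRED_ROLE = "roles/iam.workloadIdentityUser"
# Kubernetes namespace/service-account pairs that the Kyvos deployment uses.
KYVOS_KSAS = (("kyvos-monitoring", "default"), ("kyvos-compute", "default"))

# Constructed sample policy, in the shape gcloud prints with --format=json.
# It deliberately lacks the kyvos-compute binding and carries one extra
# namespace so that the audit has something to report.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:admin@example.com"]},
        {"role": REQUIRED_ROLE,
         "members": [
             "serviceAccount:my-project.svc.id.goog[kyvos-monitoring/default]",
             "serviceAccount:my-project.svc.id.goog[other-ns/default]",
         ]},
    ],
    "etag": "BwX-constructed",
})


def expected_members(project_id, ksas=KYVOS_KSAS):
    """Workload Identity member strings the Kyvos namespaces should have."""
    return {f"serviceAccount:{project_id}.svc.id.goog[{ns}/{ksa}]"
            for ns, ksa in ksas}


def audit_workload_identity(policy_json, project_id):
    """Return (missing, unexpected) members for roles/iam.workloadIdentityUser.

    'missing' are Kyvos namespaces not yet bound; 'unexpected' are members
    holding the role that the Kyvos deployment does not need (over-grant).
    """
    policy = json.loads(policy_json)
    granted = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == REQUIRED_ROLE:
            granted.update(binding.get("members", []))
    expected = expected_members(project_id)
    return sorted(expected - granted), sorted(granted - expected)


if __name__ == "__main__":
    missing, unexpected = audit_workload_identity(SAMPLE_POLICY, "my-project")
    print("missing bindings:", missing)
    print("unexpected members:", unexpected)
```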