...

You must have an existing GKE cluster to complete the following prerequisites.

  1. The Cloud Storage FUSE CSI driver add-on must be enabled.

  2. VNet peering is necessary if the Kyvos VPC differs from the VPC associated with the existing Kubernetes cluster.

  3. Firewall rule on the GKE cluster VPC: an inbound rule that allows TCP traffic on port 6903, with the source IP range set to the Kyvos VPC, is required.

  4. Permissions required by the GKE service account: the following roles and permissions are required:

    • roles/iam.workloadIdentityUser

    • roles/container.clusterAdmin

    • roles/container.developer

    • compute.instanceGroupManagers.update

    • compute.instanceGroupManagers.get

  5. The roles/iam.workloadIdentityUser role is bound to the Kubernetes namespace and service account used for the Kyvos deployment.
    Command:

    gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com \
      --role roles/iam.workloadIdentityUser \
      --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-monitoring/default]"
    gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com \
      --role roles/iam.workloadIdentityUser \
      --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-compute/default]"
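As an added example (not part of the Kyvos documentation), a Python check that verifies prerequisites 3 and 5 from saved gcloud JSON output: the IAM policy of the service account (gcloud iam service-accounts get-iam-policy ... --format=json) must bind roles/iam.workloadIdentityUser to both Kyvos Kubernetes service accounts, and the firewall rule list (gcloud compute firewall-rules list --format=json) must contain an enabled INGRESS rule allowing tcp:6903 from the Kyvos VPC range only. The project id, Kyvos CIDR and the sample JSON are constructed placeholders.

```python
import json
# Constructed placeholders; substitute the real project id and Kyvos VPC CIDR.
PROJECT_ID = "my-gke-project"
KYVOS_VPC_CIDR = "10.20.0.0/16"
KYVOS_PORT = "6903"
# Namespace/KSA pairs used by the Kyvos deployment (from the prerequisites above).
KYVOS_KSAS = [("kyvos-monitoring", "default"), ("kyvos-compute", "default")]

def wi_member(project_id, namespace, ksa):
    """Workload Identity member string for a Kubernetes service account."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"

def missing_wi_bindings(policy, project_id, ksas):
    """Return the expected KSA members not bound to roles/iam.workloadIdentityUser."""
    bound = set()
    for b in policy.get("bindings", []):
        if b.get("role") == "roles/iam.workloadIdentityUser":
            bound.update(b.get("members", []))
    return [m for m in (wi_member(project_id, ns, ksa) for ns, ksa in ksas) if m not in bound]

def port_allowed(port, ports):
    """True if port is covered by a firewall 'ports' list (entries may be ranges like '6900-6910')."""
    for p in ports:
        lo, _, hi = p.partition("-")
        if int(lo) <= int(port) <= int(hi or lo):
            return True
    return False

def kyvos_ingress_rule_ok(rules, cidr, port):
    """True if an enabled INGRESS rule allows tcp:<port> from exactly the Kyvos CIDR."""
    for r in rules:
        if r.get("direction") != "INGRESS" or r.get("disabled", False):
            continue
        # Require the source range to be the Kyvos VPC only; 0.0.0.0/0 would open the port but not meet the least-privilege intent.
        if r.get("sourceRanges") != [cidr]:
            continue
        if any(a.get("IPProtocol") == "tcp" and port_allowed(port, a.get("ports", []))
               for a in r.get("allowed", [])):
            return True
    return False

# Constructed sample gcloud JSON output: one KSA binding present, one missing; firewall rule correct.
SAMPLE_POLICY = json.loads('{"bindings": [{"role": "roles/iam.workloadIdentityUser", '
    '"members": ["serviceAccount:my-gke-project.svc.id.goog[kyvos-monitoring/default]"]}], '
    '"etag": "BwXplaceholder", "version": 1}')
SAMPLE_RULES = json.loads('[{"name": "allow-kyvos-6903", "direction": "INGRESS", '
    '"sourceRanges": ["10.20.0.0/16"], "allowed": [{"IPProtocol": "tcp", "ports": ["6903"]}]}, '
    '{"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], '
    '"allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}]')
```

Running missing_wi_bindings(SAMPLE_POLICY, PROJECT_ID, KYVOS_KSAS) on the sample reports the kyvos-compute/default binding as missing, which is exactly the second gcloud command above left to run.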

...