...
Cloud Storage FUSE CSI driver Add-on must be enabled.
VPC Network Peering is necessary if the Kyvos VPC differs from the VPC of the existing GKE cluster.
Firewall rule on the GKE cluster VPC: an ingress rule must allow TCP traffic on port 6903, with the source IP range restricted to the Kyvos VPC.
Permissions required by GKE Service Account: For the GKE Service Account, the following roles and permissions are required:
roles/iam.workloadIdentityUser
roles/container.clusterAdmin
roles/container.developer
compute.instanceGroupManagers.update
compute.instanceGroupManagers.get
Namespace for Kyvos Compute Worker:
Dedicated Node Pool: Kyvos creates the namespace itself.
Shared Node Pool: Users must create this namespace before proceeding with the Kyvos deployment.
Node pool for Kyvos Compute Worker: A Node pool should be created before proceeding with the Kyvos deployment.
Permissions required by GKE Service Account: For the GKE Service Account, the following roles and permissions are required:
IAM Roles: roles/iam.serviceAccountTokenCreator
roles/iam.workloadIdentityUser: this role is granted on the IAM service account to the Kubernetes namespace and service account used for the Kyvos deployment, so only that namespace/KSA pair can impersonate it.
Command:
gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[KYVOS_NAMESPACE/kyvos-sa]"
Permissions for Kyvos Service Account:
Note: There are two cases for the permissions required by the Kyvos Service Account, based on the GKE cluster setup.
Case 1: Dedicated Node Pool:
For a Dedicated Node Pool in a Shared GKE Cluster, the Kyvos Service Account needs the following permissions:
Role and permissions:
roles/container.viewer
container.configMaps.create
container.jobs.create
container.persistentVolumeClaims.create
container.persistentVolumes.create
container.serviceAccounts.create
container.serviceAccounts.update
container.pods.getLogs
container.jobs.delete
container.storageClasses.create
container.namespaces.list
container.namespaces.create
Additional Permissions for Node Pool Management:
container.clusters.update
compute.instanceGroupManagers.get
compute.instanceGroupManagers.update
Case 2: Shared Node Pool:
For a Shared Node Pool in a Shared GKE Cluster, the Kyvos Service Account requires the following permissions:
Note: This is a shared node pool, so the node pool management permissions (container.clusters.update and the compute.instanceGroupManagers.* permissions) are not required.
Role and permissions:
roles/container.viewer
container.configMaps.create
container.jobs.create
container.persistentVolumeClaims.create
container.persistentVolumes.create
container.serviceAccounts.create
container.serviceAccounts.update
container.pods.getLogs
container.jobs.delete
container.storageClasses.create
container.namespaces.list
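The two permission lists above and the Workload Identity binding command, put together as one setup script. This is an added example, not part of the Kyvos documentation or Kyvos's own tooling: it packages the granular container.* and compute.* permissions for the chosen case into a custom IAM role (rather than granting a broad predefined role such as roles/container.clusterAdmin to the Kyvos Service Account), grants roles/container.viewer alongside it, binds roles/iam.workloadIdentityUser to exactly one namespace/KSA pair, and creates the TCP/6903 ingress rule limited to the Kyvos VPC range. The project ID, VPC name, Kyvos VPC CIDR, service account name and custom role ID are placeholders; DRY_RUN=1 (the default) only prints the gcloud commands.

```shell
#!/bin/sh
# Added example (not from the Kyvos documentation): least-privilege GCP setup
# for the Kyvos Service Account on a shared GKE cluster.
# Usage:  DRY_RUN=1 sh kyvos-gke-iam.sh dedicated|shared   (prints commands)
#         DRY_RUN=0 PROJECT_ID=... sh kyvos-gke-iam.sh shared  (executes them)
# Every value below is a placeholder (assumption); override via the environment.
PROJECT_ID="${PROJECT_ID:-my-gke-project}"
GKE_VPC="${GKE_VPC:-gke-vpc}"
KYVOS_VPC_CIDR="${KYVOS_VPC_CIDR:-10.20.0.0/16}"   # primary range of the Kyvos VPC
KYVOS_NAMESPACE="${KYVOS_NAMESPACE:-kyvos}"
KYVOS_KSA="${KYVOS_KSA:-kyvos-sa}"                 # KSA name used in the page's binding command
IAM_SA_NAME="${IAM_SA_NAME:-kyvos-gsa}"
ROLE_ID="${ROLE_ID:-kyvosServiceAccount}"          # custom role id
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Permissions the page lists for both cases.
base_permissions() {
  cat <<'EOF'
container.configMaps.create
container.jobs.create
container.jobs.delete
container.persistentVolumeClaims.create
container.persistentVolumes.create
container.pods.getLogs
container.serviceAccounts.create
container.serviceAccounts.update
container.storageClasses.create
container.namespaces.list
EOF
}

# required_permissions dedicated|shared: prints one permission per line.
# Only the dedicated case gets namespace creation and node-pool management.
required_permissions() {
  case "$1" in
    dedicated)
      base_permissions
      printf '%s\n' container.namespaces.create container.clusters.update \
        compute.instanceGroupManagers.get compute.instanceGroupManagers.update ;;
    shared) base_permissions ;;
    *) echo "usage: required_permissions dedicated|shared" >&2; return 2 ;;
  esac
}

# Write a role definition for 'gcloud iam roles create --file'.
write_role_file() {
  {
    printf 'title: Kyvos Service Account (%s node pool)\n' "$1"
    printf 'stage: GA\n'
    printf 'includedPermissions:\n'
    required_permissions "$1" | sed 's/^/- /'
  } > "$2"
}

# Workload Identity member string: scopes the GSA to one namespace/KSA pair.
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

MODE="${1:-shared}"
GSA="${IAM_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
ROLE_FILE="$(mktemp)"
write_role_file "$MODE" "$ROLE_FILE"

run gcloud iam roles create "$ROLE_ID" --project "$PROJECT_ID" --file "$ROLE_FILE"
run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member "serviceAccount:$GSA" --role "projects/$PROJECT_ID/roles/$ROLE_ID"
run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member "serviceAccount:$GSA" --role roles/container.viewer
# Same binding as the page's command, with the namespace/KSA filled in.
run gcloud iam service-accounts add-iam-policy-binding "$GSA" \
  --role roles/iam.workloadIdentityUser \
  --member "$(wi_member "$PROJECT_ID" "$KYVOS_NAMESPACE" "$KYVOS_KSA")"
# Ingress only from the Kyvos VPC on TCP/6903; add --target-tags for the
# GKE node pool to narrow the rule further.
run gcloud compute firewall-rules create allow-kyvos-6903 --project "$PROJECT_ID" \
  --network "$GKE_VPC" --direction INGRESS --action ALLOW --rules tcp:6903 \
  --source-ranges "$KYVOS_VPC_CIDR"
```

Run it in dry-run mode first and review the printed commands; switching to the shared case drops container.namespaces.create and the three node-pool management permissions, which is the difference the page's two cases describe. Keep in mind that the custom role and roles/container.viewer are project-wide grants, so Kubernetes RBAC inside the cluster is still what confines the Kyvos workloads to their namespace.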