...
Cloud Storage FUSE CSI driver Add-on must be enabled.
VNet peering is necessary if the Kyvos VPC differs from the VPC associated with the existing Kubernetes cluster.
Firewall rule on GKE Cluster VPC: An inbound (ingress) rule on the GKE cluster VPC must allow TCP traffic on port 6903, with the source IP range restricted to the Kyvos VPC.
Permissions required by GKE Service Account: For the GKE Service Account, the following roles and permissions are required:
roles/container.clusterAdmin
roles/container.developer
compute.instanceGroupManagers.update
compute.instanceGroupManagers.get
Namespace for Kyvos Compute Worker:
Dedicated Node Pool: Kyvos will create the namespace on its own.
Shared Node Pool: Users should create this namespace before proceeding with the Kyvos deployment.
Node pool for Kyvos Compute Worker: A Node pool should be created before proceeding with the Kyvos deployment.
Permissions required by GKE Service Account: For the GKE Service Account, the following roles and permissions are required:
IAM Roles: roles/iam.serviceAccountTokenCreator
roles/iam.workloadIdentityUser: This role binding is scoped to the Kubernetes namespace and service account used for the Kyvos deployment.
Command:
gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[KYVOS_NAMESPACE/kyvos-sa]"
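The following script is an added example and is not part of the Kyvos documentation. It strings together the prerequisites above for one GKE cluster: the ingress rule for TCP/6903 limited to the Kyvos VPC range, the namespace and Kubernetes service account for the shared node pool case, and the Workload Identity binding from the command above. Every project, VPC, CIDR and account name in it is a placeholder; the Kubernetes service account name kyvos-sa is taken from the page, while the iam.gke.io/gcp-service-account annotation follows the general GKE Workload Identity convention and is assumed, not stated on the page. Commands are printed and, with the default DRY_RUN=1, not executed.

```shell
#!/bin/sh
# Added example, not Kyvos' own tooling. All values are placeholders (assumed).
PROJECT_ID="${PROJECT_ID:-my-gke-project}"          # project that owns the GKE cluster
IAM_SA_NAME="${IAM_SA_NAME:-kyvos-gke-sa}"          # IAM service account the Kyvos pods impersonate
IAM_SA_PROJECT_ID="${IAM_SA_PROJECT_ID:-$PROJECT_ID}"
KYVOS_NAMESPACE="${KYVOS_NAMESPACE:-kyvos}"
KSA_NAME="${KSA_NAME:-kyvos-sa}"                    # Kubernetes service account named on the page
GKE_VPC="${GKE_VPC:-gke-vpc}"
KYVOS_VPC_CIDR="${KYVOS_VPC_CIDR:-10.20.0.0/16}"    # assumed address range of the Kyvos VPC
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands only

# Print each command, and run it only when DRY_RUN is not 1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Workload Identity member, scoped to exactly one namespace and one KSA so that
# no other pod in the cluster can use the IAM service account.
wi_member() {  # args: project namespace ksa
    printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

iam_sa_email() {  # args: sa-name sa-project
    printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Ingress TCP/6903 on the GKE VPC, allowed only from the Kyvos VPC range
# (never 0.0.0.0/0).
firewall_rule() {
    run gcloud compute firewall-rules create allow-kyvos-6903 \
        --project "$PROJECT_ID" --network "$GKE_VPC" --direction INGRESS \
        --allow tcp:6903 --source-ranges "$KYVOS_VPC_CIDR"
}

# Shared node pool case: namespace and KSA exist before Kyvos is deployed.
# The annotation maps the KSA to the IAM SA (GKE Workload Identity convention,
# assumed here; the page does not show it).
k8s_identity() {
    run kubectl create namespace "$KYVOS_NAMESPACE"
    run kubectl create serviceaccount "$KSA_NAME" --namespace "$KYVOS_NAMESPACE"
    run kubectl annotate serviceaccount "$KSA_NAME" --namespace "$KYVOS_NAMESPACE" \
        "iam.gke.io/gcp-service-account=$(iam_sa_email "$IAM_SA_NAME" "$IAM_SA_PROJECT_ID")"
}

# The binding from the page: roles/iam.workloadIdentityUser granted to the
# namespace/KSA member only, on the IAM service account.
iam_binding() {
    sa="$(iam_sa_email "$IAM_SA_NAME" "$IAM_SA_PROJECT_ID")"
    member="$(wi_member "$PROJECT_ID" "$KYVOS_NAMESPACE" "$KSA_NAME")"
    run gcloud iam service-accounts add-iam-policy-binding "$sa" \
        --role roles/iam.workloadIdentityUser --member "$member"
}

firewall_rule
k8s_identity
iam_binding
```

Run it once with DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 from an account that holds the roles listed above. The member string is the security-relevant part: granting roles/iam.workloadIdentityUser to a broader principal than the single namespace/KSA pair would let any workload in the cluster act as the Kyvos IAM service account.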
Permissions for Kyvos Service Account:
...