Versions Compared

Version Old Version 3 New Version 4
Changes made by

Sarabjeet Kaur

Sarabjeet Kaur

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. If using existing Service Account, execute the following commands using the gcloud CLI to link the Kubernetes Service account to the IAM Service account.

    • Code Block
      gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-monitoring/default]"
      
gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-compute/default]"

      In the above-mentioned commands, replace the following:

      • IAM_SA_NAME: a name for your new IAM service account.

      • IAM_SA_PROJECT_ID: the project ID for your IAM service account.

      • PROJECT_ID: your Google Cloud project ID.

  2. Additionally, if using a shared Virtual Network, below roles and permissions are required on by Default service account of Kubernetes (service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com) on project of Shared Virtual Network

    • Compute Network User

    • kubernetes_role (create a custom role)

      • compute.firewalls.create

      • compute.firewalls.delete

      • compute.firewalls.get

      • compute.firewalls.list

      • compute.firewalls.update

      • compute.networks.updatePolicy

      • compute.subnetworks.get

      • container.hostServiceAgent.use

  3. ยท Add the following roles to the existing IAM service account:

    • roles/iam.serviceAccountTokenCreator (Service Account Token Creator)

    • roles/container.developer (Kubernetes Engine Developer)

    • roles/container.clusterAdmin (Kubernetes Engine Cluster Admin)

  4. Add the below permissions to Kyvos role

    • compute.instanceGroupManagers.update

    • compute.instanceGroupManagers.get

  5. SSH on All Instances one by one and run the below commands-

    • sudo apt-get update

    • sudo apt-get install apt-transport-https ca-certificates gnupg curl -y

    • curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg

    • echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list

    • sudo apt-get update && sudo apt-get install google-cloud-cli -y

    • sudo apt-get install google-cloud-cli-gke-gcloud-auth-plugin

    • sudo apt-get install kubectl

  6. To install the Google Cloud CLI on all Kyvos nodes, refer to Google documentation.

  7. Create Kubernetes cluster using Deployment scripts.

  8. Open Kyvos Manager, go to Compute cluster page, Click the Kyvos Native tab.

  9. Fill in the required inputs. Value provided to Worker Nodes Maximum Count should be same as you configured in templates. Click Save.

  10. On Kyvos Manager > navigate to the Kyvos Properties page, ensure that the value of the KYVOS_PROCESS_COMPUTE_SUBTYPE property is K8S_COMPUTE_CLUSTER.