Versions Compared

Version Old Version 1 New Version 2
Changes made by

Sarabjeet Kaur

Sarabjeet Kaur

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Panel
panelIconIdatlassian-note
panelIcon:note:
bgColor#DEEBFF

Note

  • These are only required when the

AKS

  • Kubernetes cluster is created externally, and you want to configure it for automated or post-deployment/post upgrade from Kyvos Manager.

  • No permission is required for

AKS

  • Kubernetes new deployments when you select to create a new

AKS

  • Kubernetes cluster.

  • If the Managed Identity of Kubernetes is different from Kyvos and TLS is enabled in Kyvos, ensure that Kubernetes must have ‘get secret’ permission on the key vault.

For Existing Kubernetes Cluster

...

  • If Authentication and Authorization is set to Microsoft Entra ID authentication with Azure RBAC (AAD is enabled)

    image-20241220-093012.png

    1. No action is required for a dedicated cluster.

    2. For shared cluster, you must have already created namespace and KyvosMI with Azure Kubernetes Service RBAC Admin on the namespace level.

      1. Download kyvos-compute-worker-disk-class.yaml file and execute the kubectl apply –f kyvos-compute-worker-disk-class.yaml command from the user/MI which has Admin privileges on AKS Kubernetes cluster. This is to create storage class. If required, you can update the tags in the file by passing comma-separated values.

...

  1. To configure as a dedicated cluster

    1. Assign Azure Kubernetes Service RBAC Cluster Admin to kyvos MI on AKSKubernetes .

    2. Assign Virtual Machine Contributor on managed resource group to Kyvos MI.

    3. Storage Blob Data Contributor to AKS Kubernetes Managed Identity on bucket.

  2. To configure as a shared Cluster:

    1. Either namespace should be already created or provide Azure Kubernetes Service RBAC Cluster Admin permission to kyvos MI on AKSKyvos Managed Identity on Kubernetes.

    2. Download kyvos-compute-worker-disk-class.yaml file and execute the kubectl apply –f kyvos-compute-worker-disk-class.yaml command from the user/MI which has Admin privileges on AKS Kubernetes cluster. This is to create storage class. If required, you can update the tags in the file by passing comma-separated values.

    3. If namespace is already created, then Kyvos Managed Identity must have Azure Kubernetes Service RBAC Admin on namespace and Azure Kubernetes Service Cluster User Role on AKSKubernetes .

    4. Assign Reader on managed resource group to Kyvos Managed Identity.

    5. Storage Blob Data Contributor to AKS Kubernetes Managed Identity on bucket.

...

  1. To configure as a dedicated Cluster

    1. Assign Contributor to Kyvos MI on AKSKubernetes .

    2. Assign Virtual Machine Contributor on managed resource group to Kyvos MI.

    3. Storage Blob Data Contributor to AKS Kubernetes Managed Identity on bucket.

  2. To configure as a shared Cluster

    1. If namespace is already created, then Kyvos MI must have Azure Kubernetes Service Cluster User Role on AKSKubernetes .

    2. Assign Reader on AKS Kubernetes to Kyvos MI.

    3. Assign Reader on managed resource group to Kyvos MI.

    4. Storage Blob Data Contributor to AKS Kubernetes MI on bucket.

Panel
panelIconIdatlassian-note
panelIcon:note:
bgColor#DEEBFF

Note

If scaling is enabled in any of the following cases of shared AKS Kubernetes cluster, the following roles must be assigned to Kyvos MI Managed Identity on the AKS Kubernetes cluster.

  1. "Microsoft.ContainerService/managedClusters/agentPools/write"

  2. "Microsoft.ContainerService/managedClusters/agentPools/read"

Enhanced Security

  1. AKS Kubernetes Subnet must be allowed in networking rules of Kyvos storage account.

  2. AKS Kubernetes Subnet must be allowed in networking rules of Kyvos key Vault.