...
Logged-in users should have the privilege to launch deployment in GCP Deployment Manager.
Logged-in users must have the Viewer and Editor predefined role attached
Logged-in user will need access to VPN, Subnet, Network Interface/Security Group, and Service Account, which will be used by Kyvos to launch compute engines, Dataproc, and Instance Group.
You must create a custom role. To do this, click Roles > Create new role.
Provide a name like Kyvos-deployment-role; assign the following permissions, and then attach to the logged-in user service account.deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.update
deploymentmanager.manifests.get
deploymentmanager.operations.get
storage.objects.get
compute.subnetworks.use
...
The GCP Deployment manager template is deployed through the logged-in user, and the resources inside the template are created through the default service account of GCP Deployment Manager.
To create other Google Cloud resources, Deployment Manager uses the credentials of the Google APIs Service Agent to authenticate to other APIs. The Google APIs Service Agent is designed specifically to run internal Google processes on your behalf. This service account is identifiable using the email: [ PROJECT_NUMBER]@cloudservices.gserviceaccount.comThe above service account must have the Editor predefined role attached.
Compute Network User: If using a Shared Network, grant the above service account the 'Compute Network User' predefined role to the project where the network originally resides.
You must create a custom role. To do this, click Roles > Create new role .
Provide a name like Kyvos-deployment-role; assign the cloudfunctions.functions.setIamPolicy permissions, and then attach to the service account.
Static External IP will be required. See Google Documentation for more details.
Dataproc Service Agent service account: Dataproc creates this service account with the Dataproc Service Agent role in a Dataproc user's Google Cloud project. This service account cannot be replaced by a user-specified service account when you create a cluster. This service agent account is used to perform Dataproc control plane operations, such as creating, updating, and deleting cluster VMs. Please refer to Dataproc Service Agent (Control Plane identity) for details.
By default, Dataproc uses the service-[project-number]@dataproc-accounts.iam.gserviceaccount.com as the service agent account. If that service account doesn't exist, Dataproc uses the Google APIs service agent account , [project-number]@cloudservices.gserviceaccount.com, for control plane operations.
Permission required :The above service account must have theDataproc Service Agent predefined role attached.
Private Google Access must be enabled for the subnet that you will use for deploying Kyvos and Dataproc clusters.
Secret Manager API Should be enabled.
If ephemeral IP is selected during Kyvos deployment then the address to static must be promoted . Conversely, if ephemeral IP is not selected, then while restarting the VM, following error messages will appear:
URLs received via email notification will no longer be correct as the IP will change.
URL on Kyvos Manager page to navigate to Kyvos will not be correct as the IP will change.
If the deployment network is in the standard tier, the external static IP should be in the standard tier. Conversely, if the deployment network is in the premium tier, the external static IP should be in the premium tier.
The iam.serviceAccounts.create permission is required for creating a new service account (logged-in user).
Below are the prerequisites When selected "None" when the None option is selected for External IP
Enable Public NAT Gateway, which will let VM connect to Internet Privately without External IP
Use respective VPC which has tunneling configured.
...
panelIconId | atlassian-note |
---|---|
panelIcon | :note: |
bgColor | #DEEBFF |
Note
NOTE: If the prerequisites mentioned above are not completed, there will be discrepancies in Installing Kyvos.
If using shared VPC, the VPC must be shared with the project that you want to access.
Navigate to the VPC network.
Click the Shared VPC.
Go to the ATTACHED PROJECTS tab and attach the project.
NOTE: This should be performed from the project where the shared VPC network originally resides.
When deploying in Kyvos in Shared VPC in Shared Project, ensure that the following prerequisites are met.
If VPC is in a different project, add the firewall rules:
For adding firewall rules, refer to Google documentation to create VPC firewall rules to shared VPC.
For Kyvos Firewall rules, do the following:
Ensure that the following ports are opened/allowed in the Firewall inbound rules for all internal communication between Kyvos instances.
2121, 2181, 2888, 3888, 4000, 6602, 6903, 6703, 45450, 45460, 45461, 45462, 45463, 45464, 45465, 6603, 6702, 6803, 7003, 45440, 6605, 45421, 45564, 4000, 8080, 8081, 8005, 8009, 8443, 8444, 9443, 22 and 9444.Ensure that the following ports are opened/allowed in the Firewall inbound rules for all internal communication between the Dataproc cluster and Kyvos.
3306, 8030, 8031, 8032, 8033, 8042, 8088, 9083, 8188, 18080, 8050, 8051, 8020, 10020, 19888, 10033, 8188, 9870, 10200, 10000, 10002, 22, 45460, 9866, 8998, and 9867
NOTE: The port 8998 is required for Livy.Ports 22, 8080, and 8081 should be accessible from outside of the cluster from where you want to access the Web application.
Create a firewall rule with all ports open between Dataproc master and worker nodes using network tags as targets, which will be attached to the Dataproc.
For more information about the required ports between the Dataproc master nodes and the worker nodes, refer to GCP documentation at: Dataproc Cluster Network Configuration
Add the compute network user permission on the subnet for the following service accounts:
service-[project-number]@dataproc-accounts.iam.gserviceaccount.com
[PROJECT_NUMBER]@cloudservices.gserviceaccount.com