
Note

Note that, as usual with permissions, a change in role permissions is not instant; it is applied in near real time. After changing any permissions, allow a few minutes (2-5 to be safe) for the permissions to sync and apply to the role before performing the activity.

Scaling Permissions

  • The role permissions may not update instantly. Changes may take 2-5 minutes to sync and apply.

  • For Azure:

    • If the Virtual Network is in a Resource Group other than that of Kyvos, you must add custom roles with the required permissions listed in the Scaling Permissions table below. If the Virtual Network is in the same Resource Group as Kyvos, no additional permission is required for scaling nodes, because the Azure Managed Identity has Contributor access rights to all resources of that Resource Group.

    • While creating a custom role, add the Resource IDs for the following services in the assignable scope:

      • Application Gateway

      • Virtual Network

      • Network Security Group

    • Once the custom role is created, it must be assigned to each of the above-listed services.

Scaling Permissions


| Functionality | AWS (IAM Role) | AZURE | GCP |
| --- | --- | --- | --- |
| Increase Node | ec2:GetLaunchTemplateData, ec2:CreateLaunchTemplate, ec2:RunInstances | Microsoft.Network/networkSecurityGroups/read, Microsoft.Network/networkInterfaces/write, Microsoft.Network/virtualNetworks/subnets/join/action, Microsoft.Network/networkSecurityGroups/join/action. NOTE: Applicable only when Virtual Network is in another Resource Group. | compute.subnetworks.use (applicable for Marketplace only when shared VPC is used), compute.instances.create, compute.disks.create, compute.disks.use, compute.instances.setServiceAccount, compute.instances.use |
| Decrease Node | ec2:DeleteLaunchTemplate, ec2:TerminateInstances | Microsoft.Network/applicationGateways/write (applicable only for Web Portal), Microsoft.Network/networkSecurityGroups/read, Microsoft.Network/networkInterfaces/write, Microsoft.Network/virtualNetworks/subnets/join/action, Microsoft.Network/networkSecurityGroups/join/action. NOTE: Applicable only when Virtual Network is in another Resource Group. | compute.subnetworks.use (applicable for Marketplace only), compute.instances.delete, compute.instances.detachDisk, compute.disks.delete |
| Increase Disk | ec2:CreateVolume, ec2:AttachVolume, ec2:ModifyInstanceAttribute | Contributor Access | compute.disks.create, compute.disks.use |
| Decrease Disk | ec2:DetachVolume, ec2:DeleteVolume | Contributor Access | compute.instances.detachDisk, compute.disks.delete |
| Load Balancer Entry Addition | Target Group: elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:RegisterTargets | Microsoft.Network/applicationGateways/write (applicable only for Web Portal) | Instance Group: compute.instanceGroups.get, compute.instanceGroups.update |
| Load Balancer Entry Deletion | Target Group: elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DeregisterTargets | Microsoft.Network/applicationGateways/write (applicable only for Web Portal) | Instance Group: compute.instanceGroups.get, compute.instanceGroups.update |
| Health Check | Target Group Health Check Probe: elasticloadbalancing:ModifyTargetGroup | Contributor Access | Instance Group Health Check: compute.instanceGroups.get, compute.instanceGroups.update |
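
An added example (not Kyvos code): a check that an IAM policy document grants the AWS actions the table lists for each scaling function, and that flags wildcard grants broader than the table requires. The sample policy is constructed, and the check is a simplification: it compares Action patterns only and treats any matching Deny as blocking, ignoring Resource, Condition and NotAction.

```python
import fnmatch

ELB = "elasticloadbalancing:"
# AWS (IAM Role) column of the Scaling Permissions table.
REQUIRED = {
    "Increase Node": ["ec2:GetLaunchTemplateData", "ec2:CreateLaunchTemplate",
                      "ec2:RunInstances"],
    "Decrease Node": ["ec2:DeleteLaunchTemplate", "ec2:TerminateInstances"],
    "Increase Disk": ["ec2:CreateVolume", "ec2:AttachVolume",
                      "ec2:ModifyInstanceAttribute"],
    "Decrease Disk": ["ec2:DetachVolume", "ec2:DeleteVolume"],
    "Load Balancer Entry Addition": [ELB + "DescribeTargetGroups", ELB + "RegisterTargets"],
    "Load Balancer Entry Deletion": [ELB + "DescribeTargetGroups", ELB + "DeregisterTargets"],
    "Health Check": [ELB + "ModifyTargetGroup"],
}

# Constructed sample policy (not from the page): partly scoped, partly wildcarded.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:RunInstances", "ec2:*LaunchTemplate*", "ec2:TerminateInstances"]},
    {"Effect": "Allow", "Resource": "*", "Action": "elasticloadbalancing:Describe*"},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:TerminateInstances"},
]}

def patterns(policy, effect):
    """Lower-cased Action patterns of all statements with the given Effect."""
    stmts = policy.get("Statement", [])
    out = []
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        acts = s.get("Action", [])
        if s.get("Effect") == effect:
            out += [a.lower() for a in ([acts] if isinstance(acts, str) else acts)]
    return out

def missing_actions(policy):
    """Map each scaling function to the required actions the policy does not grant."""
    allow, deny = patterns(policy, "Allow"), patterns(policy, "Deny")
    def hit(action, pats):  # IAM action names are case-insensitive; * and ? are wildcards
        return any(fnmatch.fnmatchcase(action.lower(), p) for p in pats)
    gaps = {fn: [a for a in acts if not hit(a, allow) or hit(a, deny)]
            for fn, acts in REQUIRED.items()}
    return {fn: g for fn, g in gaps.items() if g}

def wildcard_grants(policy):
    """Allow patterns with wildcards: broader than the listed permissions require."""
    return [p for p in patterns(policy, "Allow") if "*" in p or "?" in p]

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY), wildcard_grants(SAMPLE_POLICY))
```
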

...

Read Also:

Managing Nodes and Services