Note

  • These are only required when the Kubernetes cluster is created externally and you want to configure it for automated deployment, post-deployment or post-upgrade operations from Kyvos Manager.

  • No permission is required for Kubernetes new deployments when you select to create a new Kubernetes cluster.

  • If the Managed Identity of Kubernetes is different from the Kyvos Managed Identity and TLS is enabled in Kyvos, ensure that the Kubernetes MI has ‘get secret’ permission on the key vault.

...

  1. Ensure that the Compute Namespace is pre-created.

  2. A Storage Class must be pre-configured.

  3. Assign a dedicated namespace to each Kyvos application.

  4. If using a shared/existing Kubernetes cluster, ensure that the user node pool has the taint ComputeWorkerOnly=true:NoSchedule.

  5. To configure taints as per your requirement, modify the kyvos-compute-worker-job.yaml.template from KM > Manage Configuration Files and save the changes. Then, navigate to Kyvos and Ecosystem > Compute Cluster and reapply the configuration to make it effective.
    For more details, see the Adding Taints and Configure Tolerations in Kyvos worker pods section.

...

  • If Authentication and Authorization is set to Microsoft Entra ID authentication with Azure RBAC (AAD is enabled)

    1. No action is required for a dedicated cluster.

    2. For a shared cluster, you must have already created the namespace and assigned the Kyvos Managed Identity the Azure Kubernetes Service RBAC Admin role at the namespace level.

      1. Download the kyvos-compute-worker-disk-class.yaml file and execute the kubectl apply -f kyvos-compute-worker-disk-class.yaml command as a user/MI that has Admin privileges on the Kubernetes cluster. This creates the storage class. If required, you can update the tags in the file by passing comma-separated values.

...

  1. To configure as a dedicated cluster

    1. Assign Azure Kubernetes Service RBAC Cluster Admin to the Kyvos MI on the Kubernetes cluster.

    2. Assign Virtual Machine Contributor on managed resource group to Kyvos MI.

    3. Assign Storage Blob Data Contributor to the Kubernetes Managed Identity on the bucket.

  2. To configure as a shared Cluster:

    1. Either the namespace must already exist, or grant Azure Kubernetes Service RBAC Cluster Admin to the Kyvos Managed Identity on the Kubernetes cluster.

    2. Download the kyvos-compute-worker-disk-class.yaml file and execute the kubectl apply -f kyvos-compute-worker-disk-class.yaml command as a user/MI that has Admin privileges on the Kubernetes cluster. This creates the storage class. If required, you can update the tags in the file by passing comma-separated values.

    3. If the namespace is already created, the Kyvos Managed Identity must have Azure Kubernetes Service RBAC Admin on the namespace and Azure Kubernetes Service Cluster User Role on the Kubernetes cluster.

    4. Assign Reader on the managed resource group to the Kyvos Managed Identity.

    5. Assign Storage Blob Data Contributor to the Kubernetes Managed Identity on the bucket.
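As an added pre-flight check (not part of the Kyvos documentation), the following Python script encodes the role assignments listed above for the dedicated and shared cases and reports which ones are missing from a set of existing assignments, taking Azure RBAC scope inheritance into account. All subscription, resource, identity and namespace ids are constructed placeholders, and the Key Vault ‘get secret’ rule from the Note is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    principal: str  # object id of the managed identity (placeholder values below)
    role: str       # Azure RBAC role definition name
    scope: str      # ARM resource id the role is granted on

def required_assignments(mode, kyvos_mi, k8s_mi, cluster, mrg, container, namespace=None):
    """Role assignments the documentation lists for a dedicated or shared cluster."""
    reqs = [Assignment(k8s_mi, "Storage Blob Data Contributor", container)]
    if mode == "dedicated":
        reqs += [Assignment(kyvos_mi, "Azure Kubernetes Service RBAC Cluster Admin", cluster),
                 Assignment(kyvos_mi, "Virtual Machine Contributor", mrg)]
    elif mode == "shared":
        # Shared cluster with a pre-created namespace: namespace-scoped RBAC Admin,
        # Cluster User Role on the cluster and Reader on the managed resource group.
        reqs += [Assignment(kyvos_mi, "Azure Kubernetes Service RBAC Admin",
                            f"{cluster}/namespaces/{namespace}"),
                 Assignment(kyvos_mi, "Azure Kubernetes Service Cluster User Role", cluster),
                 Assignment(kyvos_mi, "Reader", mrg)]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return reqs

def scope_covers(granted, required):
    """Azure RBAC inherits down the hierarchy: a role on a parent scope applies to every child."""
    g, r = granted.rstrip("/").lower(), required.rstrip("/").lower()
    return r == g or r.startswith(g + "/")

def missing_assignments(required, existing):
    """Return the required assignments that no existing assignment satisfies."""
    return [req for req in required
            if not any(a.principal == req.principal and a.role == req.role
                       and scope_covers(a.scope, req.scope) for a in existing)]

# Constructed sample: placeholder ids, not real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CLUSTER = f"{SUB}/resourceGroups/kyvos-rg/providers/Microsoft.ContainerService/managedClusters/kyvos-aks"
MRG = f"{SUB}/resourceGroups/MC_kyvos-rg_kyvos-aks_eastus"
CONTAINER = (f"{SUB}/resourceGroups/kyvos-rg/providers/Microsoft.Storage/storageAccounts/"
             "kyvossa/blobServices/default/containers/kyvos")
KYVOS_MI, K8S_MI = "kyvos-mi-object-id", "k8s-mi-object-id"

def demo():
    existing = [  # RBAC Admin granted cluster-wide covers the namespace requirement
        Assignment(KYVOS_MI, "Azure Kubernetes Service RBAC Admin", CLUSTER),
        Assignment(KYVOS_MI, "Azure Kubernetes Service Cluster User Role", CLUSTER),
        Assignment(K8S_MI, "Storage Blob Data Contributor", CONTAINER)]
    req = required_assignments("shared", KYVOS_MI, K8S_MI, CLUSTER, MRG, CONTAINER, "kyvos-compute")
    return missing_assignments(req, existing)

if __name__ == "__main__":
    for m in demo():
        print(f"MISSING: {m.role} for {m.principal} on {m.scope}")
```

In practice the existing list would be built from the output of az role assignment list for the two identities; the script only reports gaps and never grants anything.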

...