...


Important

Using a single Kubernetes cluster for multiple Kyvos deployments is not supported.

Tip

Download the Azure Installation files folder and keep all the requisite files handy during deployment.

  1. Supported only with premium workspace.

  2. Supported only with Personal Access Token authentication.

  3. On storage, Storage Blob Data Contributor rights are required for the logged-in user.

  4. You must have permission to create (and map) Storage credentials and External Locations for the Unity Catalog.

  5. Resource Group for all Kyvos resources. We recommend you keep an empty resource group that will only be used for deploying Kyvos resources. The deployment user must have Owner rights on this resource group.

  6. If your network resources (for deploying Kyvos) are available in a separate Resource Group (other than the one mentioned in Point 1), create a Custom role for the user deploying the cluster with the following permissions. Refer to the Configuring Roles for Deployment User section for details on creating and assigning roles.
    NOTE: This is not required if you are creating network resources using the Kyvos provided template.

    1. Microsoft.Network/virtualNetworks/subnets/read

    2. Microsoft.Network/virtualNetworks/read

    3. Microsoft.Network/networkSecurityGroups/read

    4. Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action

    5. Microsoft.Network/virtualNetworks/subnets/write

    6. Microsoft.Network/virtualNetworks/subnets/join/action

    7. Microsoft.Network/networkSecurityGroups/join/action

  7. Managed Identity for Kyvos resources with the following information:
    NOTE: As mentioned in the attached Prerequisites sheet, this is optional. It will be created if the value for Enable Managed Identity Creation is set as True in the ARM.

    1. If you want to use your existing Managed Identity, you will need these details: 

      1. Managed Identity Name

      2. Managed Identity Resource Group Name

    NOTE: If using an existing Managed Identity, ensure that NO permissions are assigned to it.

  8. Valid License file for Kyvos.

  9. Secret Key to access the Kyvos bundle.

  10. Service Endpoints required on the Subnet:

    1. Azure Storage (Microsoft.Storage): This model enables you to secure and control the level of access to your storage accounts so that only applications requesting data over the specified set of networks or through the specified set of Azure resources can access a storage account.

    2. Azure Key Vault (Microsoft.KeyVault): The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges.

    3. Azure App Service (Microsoft.Web): By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app.

    4. Azure SQL Database (Microsoft.Sql): Security feature that controls whether the server for your databases and elastic pools in Azure SQL Database or for your dedicated SQL pool (formerly SQL DW) databases in Azure Synapse Analytics accepts communications that are sent from particular subnets in virtual networks.

  11. Key Vault URL
    If this is not provided, Kyvos will automatically create a new Key Vault for Azure passwords.
    NOTE: You can create your own Key Vault for use with Kyvos.
    If using an existing Key Vault, ensure that the Soft Delete property is enabled, or enable it later.

    1. Permissions needed on the Key Vault: the assigned Managed Identity must have the Secret Permissions GET, LIST, and SET.

  12. For Automated deployment, Wizard-based deployment, and/or if using an existing Azure Database for PostgreSQL Flexible Server, ensure that a separate subnet is attached to it with delegation to Microsoft.DBforPostgreSQL/flexibleServers and the Storage, KeyVault, SQL and Web service endpoints.

  13. To use an externally created Flexible Server in deployments, use the ARM templates (FlexibleServerKyvosManagerRepository and FlexibleServerKyvosRepository) to create a Flexible Server that can be used in the deployments directly. Or, if you create the Flexible Server through Microsoft, you need to complete the following steps. For more information about how to create a Flexible Server, refer to the Microsoft documentation.

    1. For Kyvos repository

      1. Database name must be delverepo.

      2. Username must be Postgres

      3. Following tags are expected on the external repository:
        UsedBy - Kyvos
        ROLE - DATABASE
        LAYER - Metadata_Storage

    2. For Kyvos Manager repository

      1. Database name must be kmrepo.

      2. Username must be kmdbuser

      3. Following tags are expected on the external repository:
        UsedBy - Kyvos
        ROLE - DATABASE_KM
        LAYER - Metadata_Storage 

  14. The Azure logged-in user should have the following rights to create Kyvos resources using ARM templates.

    1. Owner Access on Resource group being used for deployment of Kyvos resources.

    2. Key and Secret Management rights on the Key vault if using an existing Key vault.

  15. Networking: The Kyvos ARM template needs information about the VNet, Subnet, and Network Interface/Security Group that will be used by the Kyvos machines.

    1. Create a Network Interface/Security Group with the following ports opened in Inbound rules:
      6602, 6903, 6703, 45450, 45460, 6603, 6803, 45440, 6605, 8081, 8080, 45421, 45564, 4000, 7009, 22, 8443, 8444, 9443, 9444.
      To enable Web Portal High Availability:

      1. If using Session Management, ports 45564 and 4000 must be opened in Inbound rules.

      2. If using Azure Load Balancer, port 80 must be opened.
        See Ports required for Kyvos for details.

  16. SSH Key pair consisting of a private key and a public key.

  17. Storage account permission and recommendations:

    1. The Managed Identity attached to the storage/container should have the Storage Blob Data Contributor permission.

    2. If the storage account is in a separate Resource Group (different from the one in which the Managed Identity exists), then the Managed Identity should have a Reader role assigned to it at the Storage Account level. This permission is needed by the Kyvos Manager validation framework to check whether the Storage Account is accessible.

    3. The Service Principal attached to the Databricks cluster should have the Storage Blob Data Contributor permission on the storage/container.

    4. The Soft Delete property must be disabled.

    5. The storage account must be of type ADLS Gen2.

  18. To access the Usage Dashboard, you need to provide permissions after completing the deployment.

  19. For Automated Azure deployment,

    1. Newly created Flexible Server: User provided password will be used for repository. No password change is required.

    2. Existing Flexible Server: Password of the existing repository needs to be provided. No password change is required.

  20. If you use an existing Virtual Network, a subnet with at least a /23 mask is required.
    IP Address requirements
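The subnet requirements (a /23 or larger mask, item 20, and the four service endpoints of item 10) and the NSG inbound ports of item 15 can be checked before running the ARM template. The following Python is an added example, not Kyvos's own tooling: it works on dicts shaped like the JSON that `az network vnet subnet show` and `az network nsg show` return, uses constructed sample resources, and ignores NSG rule priorities (it only checks that an inbound Allow rule covers each port).

```python
# Offline pre-flight checks for the Kyvos subnet, service-endpoint and NSG
# prerequisites. Added example; the sample subnet and NSG below are constructed.
import ipaddress

REQUIRED_ENDPOINTS = {"Microsoft.Storage", "Microsoft.KeyVault",
                      "Microsoft.Web", "Microsoft.Sql"}
REQUIRED_PORTS = {6602, 6903, 6703, 45450, 45460, 6603, 6803, 45440, 6605,
                  8081, 8080, 45421, 45564, 4000, 7009, 22, 8443, 8444,
                  9443, 9444}

def _expand(port_spec):
    """Expand an NSG port spec ('22', '8080-8081' or '*') into a set of ports."""
    if port_spec == "*":
        return set(range(65536))
    lo, _, hi = port_spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def check_subnet(subnet):
    """Findings for the /23-or-larger mask and the four required endpoints."""
    findings = []
    net = ipaddress.ip_network(subnet["addressPrefix"])
    if net.prefixlen > 23:
        findings.append(f"subnet {net} is /{net.prefixlen}; need /23 or larger")
    present = {e["service"] for e in subnet.get("serviceEndpoints", [])}
    for endpoint in sorted(REQUIRED_ENDPOINTS - present):
        findings.append(f"missing service endpoint {endpoint}")
    return findings

def missing_inbound_ports(nsg):
    """Required ports that no inbound Allow rule opens (priorities ignored)."""
    opened = set()
    for rule in nsg.get("securityRules", []):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        for spec in rule.get("destinationPortRanges") or [rule["destinationPortRange"]]:
            opened |= _expand(spec)
    return sorted(REQUIRED_PORTS - opened)

# Constructed samples: a /24 subnet without the SQL endpoint, and an NSG that
# only allows SSH and the web ports, so the Kyvos service ports are reported.
SAMPLE_SUBNET = {"addressPrefix": "10.10.4.0/24",
                 "serviceEndpoints": [{"service": "Microsoft.Storage"},
                                      {"service": "Microsoft.KeyVault"},
                                      {"service": "Microsoft.Web"}]}
SAMPLE_NSG = {"securityRules": [
    {"direction": "Inbound", "access": "Allow", "destinationPortRange": "22"},
    {"direction": "Inbound", "access": "Allow",
     "destinationPortRanges": ["8080-8081", "8443-8444", "9443-9444"]},
    {"direction": "Inbound", "access": "Deny", "destinationPortRange": "*"}]}
```

Run `check_subnet` and `missing_inbound_ports` against the real `az` output of your own subnet and NSG; an empty list from both means these three prerequisites are met.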

...