Note
This is required on an AKS cluster if it was created externally.

Permission required by Kyvos Managed Identity


Important

These are only required when the AKS cluster is created externally and you want to configure it post-deployment or post-upgrade from Kyvos Manager.
Hence, no permission is required for fresh AKS deployments.

Case 1: Dedicated Azure Kubernetes Service (AKS) Cluster

...

  1. Built-in Azure Kubernetes Service Cluster User Role on the AKS cluster

  2. Built-in Reader on the AKS cluster

  3. Built-in Virtual Machine Contributor on VMSS of Node pool

  4. "Microsoft.ContainerService/managedClusters/agentPools/write" on the AKS cluster

  5. "Microsoft.ContainerService/managedClusters/agentPools/read" on the AKS cluster

  6. "Microsoft.ContainerService/managedClusters/agentPools/delete" on the AKS cluster

Case 4: Shared Node pool

  1. Built-in Azure Kubernetes Service Cluster User Role on the AKS cluster

  2. Built-in Reader on the AKS cluster

Permission required by Kubernetes Managed Identity

  1. Built-in Managed Identity Operator on this Managed Identity itself

...


...

  1. Built-in Storage Blob Data Contributor on the Kyvos storage account

  2. Built-in Reader on the AKS cluster

  3. An access policy on the Kyvos Key Vault granting "get" on secrets

Enhanced Security

  1. The AKS subnet must be allowed in the networking rules of the Kyvos storage account.

  2. The AKS subnet must be allowed in the networking rules of the Kyvos Key Vault.
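The permission lists above (Kyvos Managed Identity for Case 1 and Case 4, Kubernetes Managed Identity, and the Enhanced Security network rules) combined into one dry-run script, as an added example that is not Kyvos's own tooling. It assumes two user-assigned managed identities, placeholder subscription, resource group, cluster, storage account and Key Vault names, and a custom role name chosen here ("Kyvos AKS Agent Pool Operator") that packages the three agentPools actions from Case 1 so the Kyvos identity never needs Contributor on the cluster. Each built-in role is assigned at the narrowest scope the list names: the cluster resource ID, the node pool VMSS in the node resource group, the storage account, or the identity itself.

```shell
#!/bin/sh
# Added example, not Kyvos's own tooling. Grants the roles listed above to the two
# user-assigned managed identities at resource scope (cluster, node pool VMSS, storage
# account, the identity itself) instead of subscription scope. Every value below is an
# assumed placeholder to override from the environment. AZ defaults to a dry run that
# prints each az command; run with AZ=az to execute it for real.
set -eu

AZ="${AZ:-echo az}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-kyvos-rg}"
AKS_NAME="${AKS_NAME:-kyvos-aks}"
K8S_MI="${K8S_MI:-kyvos-k8s-mi}"                 # name of the Kubernetes Managed Identity
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-kyvosstore}"
KEY_VAULT="${KEY_VAULT:-kyvos-kv}"
# Object IDs, from: az identity show -g <rg> -n <identity> --query principalId -o tsv
KYVOS_MI_PID="${KYVOS_MI_PID:-<kyvos-managed-identity-principal-id>}"
K8S_MI_PID="${K8S_MI_PID:-<kubernetes-managed-identity-principal-id>}"
# Node pool VMSS IDs sit in the node resource group (MC_*): az vmss list -g <node rg> --query "[].id" -o tsv
NODEPOOL_VMSS_IDS="${NODEPOOL_VMSS_IDS:-<node-pool-vmss-id>}"
AKS_SUBNET_ID="${AKS_SUBNET_ID:-<aks-subnet-id>}"
ROLE_FILE="${ROLE_FILE:-${TMPDIR:-/tmp}/kyvos-aks-agentpool-role.json}"

RG_SCOPE="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
aks_scope()      { printf '%s/providers/Microsoft.ContainerService/managedClusters/%s\n' "$RG_SCOPE" "$AKS_NAME"; }
storage_scope()  { printf '%s/providers/Microsoft.Storage/storageAccounts/%s\n' "$RG_SCOPE" "$STORAGE_ACCOUNT"; }
identity_scope() { printf '%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s\n' "$RG_SCOPE" "$1"; }

# Custom role carrying only the three agentPools actions from Case 1, so the identity never
# needs Contributor on the cluster. Custom roles cannot be made assignable at a single
# resource, so AssignableScopes is the resource group; the assignment itself is cluster-scoped.
write_custom_role() {
  cat > "$ROLE_FILE" <<EOF
{
  "Name": "Kyvos AKS Agent Pool Operator",
  "IsCustom": true,
  "Description": "Create, read and delete AKS node pools for Kyvos Manager",
  "Actions": [
    "Microsoft.ContainerService/managedClusters/agentPools/write",
    "Microsoft.ContainerService/managedClusters/agentPools/read",
    "Microsoft.ContainerService/managedClusters/agentPools/delete"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$RG_SCOPE" ]
}
EOF
  printf '%s\n' "$ROLE_FILE"
}

# assign_role <principal object id> <role name> <scope>. Managed identities are service
# principals to Azure RBAC; passing the object id avoids a Graph lookup by display name.
assign_role() {
  $AZ role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$2" --scope "$3"
}

# Kyvos Managed Identity. Case 4 (shared node pool) gets only the two built-in cluster roles;
# Case 1 (dedicated cluster) adds the custom role and VM Contributor on each node pool VMSS.
grant_kyvos_mi() {   # grant_kyvos_mi <principal id> <1|4> [vmss id ...]
  pid=$1; kase=$2; shift 2
  assign_role "$pid" "Azure Kubernetes Service Cluster User Role" "$(aks_scope)"
  assign_role "$pid" "Reader" "$(aks_scope)"
  [ "$kase" = 1 ] || return 0
  assign_role "$pid" "Kyvos AKS Agent Pool Operator" "$(aks_scope)"
  for vmss in "$@"; do assign_role "$pid" "Virtual Machine Contributor" "$vmss"; done
}

# Kubernetes Managed Identity: operator on itself, blob data on the storage account, Reader
# on the cluster, and a Key Vault access policy limited to "get" on secrets.
grant_k8s_mi() {     # grant_k8s_mi <principal id>
  assign_role "$1" "Managed Identity Operator" "$(identity_scope "$K8S_MI")"
  assign_role "$1" "Storage Blob Data Contributor" "$(storage_scope)"
  assign_role "$1" "Reader" "$(aks_scope)"
  $AZ keyvault set-policy --name "$KEY_VAULT" --object-id "$1" --secret-permissions get
}

# Enhanced Security: admit the AKS subnet through both resources' network rules.
allow_aks_subnet() { # allow_aks_subnet <subnet resource id>
  $AZ storage account network-rule add -g "$RESOURCE_GROUP" --account-name "$STORAGE_ACCOUNT" --subnet "$1"
  $AZ keyvault network-rule add --name "$KEY_VAULT" --subnet "$1"
}

write_custom_role >/dev/null
$AZ role definition create --role-definition "@$ROLE_FILE"
grant_kyvos_mi "$KYVOS_MI_PID" "${CASE:-1}" $NODEPOOL_VMSS_IDS   # unquoted on purpose: one id per word
grant_k8s_mi "$K8S_MI_PID"
allow_aks_subnet "$AKS_SUBNET_ID"
```

Run it once as-is to review the printed az commands, then again with AZ=az and the real principal, VMSS and subnet IDs exported (CASE=4 for a shared node pool). The Key Vault step uses the access-policy model the list refers to; a vault on the RBAC permission model would take a Key Vault Secrets User assignment on the vault instead.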

...