| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
Important To deploy the cluster through Wizard using Kubernetes, you must refer to the information mentioned in the Post Upgrade Steps to Configure Kubernetes for GCP section. |
To deploy Kyvos using Kubernetes, read the Common Prerequisites for Dataproc and Kubernetes section for the complete set of permissions required for deploying Kyvos.
...
Cloud Storage FUSE CSI driver Add-on must be enabled.
VNet peering is necessary if the Kyvos VPC differs from the VPC associated with the existing Kubernetes cluster.
Firewall rule on GKE Cluster VPC: An inbound rule allows TCP traffic on the 6903 port that is required with the source IP range set to the Kyvos VPC.
Permissions required by GKE Service Account: For the GKE Service Account, the following roles and permissions are required:
roles/iam.workloadIdentityUserroles/container.clusterAdmin
roles/container.developer
compute.instanceGroupManagers.update
compute.instanceGroupManagers.get
roles/iam.serviceAccountTokenCreator
roles/iam.workloadIdentityUser: The above permission [roles/iam.workloadIdentityUser] is associated with the Kubernetes namespace
service account used for Kyvos deployment.
Command:
Code Block gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[KYVOS_NAMESPACE/kyvos-
sa]"
Namespace for Kyvos Compute Worker.
Dedicated Node Pool: Kyvos will create a namespace on its own.
Shared Node Pool: Users should create this namespace before proceeding with the Kyvos deployment
Node pool for Kyvos Compute Worker: A Node pool should be created before proceeding with the Kyvos deployment with existing GKE.
Permissions for Kyvos Service Account:
| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
Note There are two cases for the permissions required by the Kyvos Service Account based on the GKE cluster setup. |
Case 1: Dedicated Node Pool:
For a Dedicated Node Pool in a Shared GKE Cluster, the Kyvos Service Account needs the following permissions:
Roles:
roles/container.viewer
container.configMaps.create
container.jobs.create
container.persistentVolumeClaims.create
container.persistentVolumes.create
container.serviceAccounts.create
container.serviceAccounts.update
container.pods.getLogs
container.jobs.delete
container.storageClasses.create
container.namespaces.list
container.namespaces.create
Additional Permissions for Node Pool Management:
container.clusters.update
compute.instanceGroupManagers.get
compute.instanceGroupManagers.update
| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
Note .These permissions should be granted to existing GKE service account. |
Case 2: Shared Node Pool:
For a Shared Node Pool in a Shared GKE Cluster, the Kyvos Service Account requires the following permissions.
| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
Note This is a shared node pool, so the node pool management permissions are not required. |
Roles:
roles/container.viewer
container.configMaps.create
container.jobs.create
container.persistentVolumeClaims.create
container.persistentVolumes.create
container.serviceAccounts.create
container.serviceAccounts.update
container.pods.getLogs
container.jobs.delete
container.storageClasses.create
container.namespaces.list