...

  1. Cloud Storage FUSE CSI driver Add-on must be enabled.

  2. VNet peering is necessary if the Kyvos VPC differs from the VPC associated with the existing Kubernetes cluster.

  3. Firewall rule on the GKE cluster VPC: An inbound rule that allows TCP traffic on port 6903 is required, with the source IP range set to the Kyvos VPC.

  4. Permissions required by GKE Service Account: For the GKE Service Account, the following roles and permissions are required:

    • roles/iam.workloadIdentityUser

    • roles/container.clusterAdmin

    • roles/container.developer

    • compute.instanceGroupManagers.update

    • compute.instanceGroupManagers.get

    • roles/iam.serviceAccountTokenCreator

    • roles/iam.workloadIdentityUser: This role is bound to the Kubernetes namespace and service account used for the Kyvos deployment.

    • Command:

      gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-monitoring/default]"

      gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-compute/default]"

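    The two bindings in step 4 let any pod running as the default Kubernetes service account in the kyvos-monitoring and kyvos-compute namespaces impersonate the IAM service account, so it is worth confirming after deployment that the roles/iam.workloadIdentityUser binding contains exactly those two members and nothing more. The following pre-flight check is an added example, not part of the Kyvos documentation: it reads the policy JSON that `gcloud iam service-accounts get-iam-policy IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com --format=json` prints and reports missing and unexpected members. The project id `my-proj` and the sample policy are constructed for illustration.

```python
"""Verify the Workload Identity binding required by the Kyvos deployment.

Input is the IAM policy of the GKE IAM service account, in the JSON form
printed by `gcloud iam service-accounts get-iam-policy ... --format=json`.
"""
import json

ROLE = "roles/iam.workloadIdentityUser"
KYVOS_NAMESPACES = ("kyvos-monitoring", "kyvos-compute")  # must stay unchanged (see note)


def expected_members(project_id, ksa="default"):
    """Workload Identity members Kyvos needs: default KSA in each Kyvos namespace."""
    return {f"serviceAccount:{project_id}.svc.id.goog[{ns}/{ksa}]" for ns in KYVOS_NAMESPACES}


def check_wi_binding(policy_json, project_id):
    """Return (missing, unexpected) member lists for roles/iam.workloadIdentityUser.

    missing    - required Kyvos members not yet bound (deployment will fail)
    unexpected - other members bound to the role (broader impersonation than needed)
    """
    policy = json.loads(policy_json)
    bound = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == ROLE:
            bound.update(binding.get("members", []))
    wanted = expected_members(project_id)
    return sorted(wanted - bound), sorted(bound - wanted)


# Constructed sample policy (not real gcloud output): the kyvos-compute
# binding is missing and a stray binding for the "default" namespace is present.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["serviceAccount:my-proj.svc.id.goog[kyvos-monitoring/default]",
                     "serviceAccount:my-proj.svc.id.goog[default/default]"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:kyvos-sa@my-proj.iam.gserviceaccount.com"]},
    ],
    "version": 1,
})

if __name__ == "__main__":
    missing, unexpected = check_wi_binding(SAMPLE_POLICY, "my-proj")
    print("missing bindings:", missing)
    print("unexpected bindings:", unexpected)
```

Run it against the real policy by piping the gcloud output into `check_wi_binding`; an empty `missing` list confirms step 4 is complete, and a non-empty `unexpected` list flags namespaces that can impersonate the service account without needing to.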
  5. Namespace for Kyvos Compute Worker.

    • Dedicated Node Pool: Kyvos will create a namespace on its own.

    • Shared Node Pool: Users should create this namespace before proceeding with the Kyvos deployment.

  6. Node pool for Kyvos Compute Worker: When deploying on an existing GKE cluster, a node pool should be created before proceeding with the Kyvos deployment.

  7. Permissions for Kyvos Service Account:

Note

There are two cases for the permissions required by the Kyvos Service Account based on the GKE cluster setup.

Case 1: Dedicated Node Pool:

For a Dedicated Node Pool in a Shared GKE Cluster, the Kyvos Service Account needs the following permissions:

Roles:

  • roles/container.viewer

  • container.configMaps.create

  • container.jobs.create

  • container.persistentVolumeClaims.create

  • container.persistentVolumes.create

  • container.serviceAccounts.create

  • container.serviceAccounts.update

  • container.pods.getLogs

  • container.jobs.delete

  • container.storageClasses.create

  • container.namespaces.list

  • container.namespaces.create

Additional Permissions for Node Pool Management:

  • container.clusters.update

  • compute.instanceGroupManagers.get

  • compute.instanceGroupManagers.update

Note: The kyvos-monitoring and kyvos-compute namespaces in this command should be unchanged.

These permissions should be granted to the existing GKE service account.

Case 2: Shared Node Pool:

For a Shared Node Pool in a Shared GKE Cluster, the Kyvos Service Account requires the following permissions.

Note

This is a shared node pool, so the node pool management permissions are not required.

Roles:

  • roles/container.viewer

  • container.configMaps.create

  • container.jobs.create

  • container.persistentVolumeClaims.create

  • container.persistentVolumes.create

  • container.serviceAccounts.create

  • container.serviceAccounts.update

  • container.pods.getLogs

  • container.jobs.delete

  • container.storageClasses.create

  • container.namespaces.list