Permissions required by Kyvos Managed Identity

Case 1: Dedicated AKS Cluster

  1. Built-in Azure Kubernetes Service Cluster User Role on AKS

  2. Built-in Reader on AKS

  3. Built-in Virtual Machine Contributor on Managed Resource Group

  4. "Microsoft.ContainerService/managedClusters/agentPools/write" on AKS

  5. "Microsoft.ContainerService/managedClusters/agentPools/read" on AKS

  6. "Microsoft.ContainerService/managedClusters/agentPools/delete" on AKS

Case 2: Shared AKS Cluster

  1. Permissions are the same as for a dedicated AKS Cluster (Case 1).

  2. Both namespaces (compute and monitoring) must already exist.

Case 3: Dedicated Node pool

  1. Built-in Azure Kubernetes Service Cluster User Role on AKS

  2. Built-in Reader on AKS

  3. Built-in Virtual Machine Contributor on VMSS of Node pool

  4. "Microsoft.ContainerService/managedClusters/agentPools/write" on AKS

  5. "Microsoft.ContainerService/managedClusters/agentPools/read" on AKS

  6. "Microsoft.ContainerService/managedClusters/agentPools/delete" on AKS

Case 4: Shared Node pool

  1. Built-in Azure Kubernetes Service Cluster User Role on AKS

  2. Built-in Reader on AKS
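As an added check that is not part of this page or of Kyvos itself, the Python below encodes the four cases above as required (role, scope) pairs, bundles the three agentPools actions into one custom role rather than a broader built-in role, and compares an identity's actual assignments (dicts shaped like the output of az role assignment list) against the required set, reporting both missing and excess grants. The custom role's name, the subscription placeholder and the resource IDs in the sample are assumptions.

```python
# Custom role bundling the three agentPools actions listed on this page, in the shape
# `az role definition create --role-definition @file.json` expects. The role name and
# the subscription placeholder are assumptions; substitute your own before use.
AGENTPOOL_ROLE = {
    "Name": "Kyvos AKS Agent Pool Operator",
    "IsCustom": True,
    "Actions": [
        "Microsoft.ContainerService/managedClusters/agentPools/read",
        "Microsoft.ContainerService/managedClusters/agentPools/write",
        "Microsoft.ContainerService/managedClusters/agentPools/delete",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>"],
}

# Required (role name, scope key) pairs per deployment case, as listed above.
AKS_USER, VM_CONTRIB = "Azure Kubernetes Service Cluster User Role", "Virtual Machine Contributor"
REQUIRED = {
    "dedicated_cluster": {(AKS_USER, "aks"), ("Reader", "aks"), (VM_CONTRIB, "mrg"), (AGENTPOOL_ROLE["Name"], "aks")},
    "dedicated_nodepool": {(AKS_USER, "aks"), ("Reader", "aks"), (VM_CONTRIB, "vmss"), (AGENTPOOL_ROLE["Name"], "aks")},
    "shared_nodepool": {(AKS_USER, "aks"), ("Reader", "aks")},
}
REQUIRED["shared_cluster"] = REQUIRED["dedicated_cluster"]  # Case 2: same roles as Case 1

def _covers(assigned_scope, wanted_scope):
    # An assignment on the resource itself or on any parent (RG, subscription) applies to it.
    a, w = assigned_scope.lower().rstrip("/"), wanted_scope.lower().rstrip("/")
    return w == a or w.startswith(a + "/")

def check_identity(case, assignments, scopes):
    """assignments: dicts shaped like `az role assignment list --assignee <id> -o json`;
    scopes: {"aks", "mrg", "vmss"} -> resource ID. Returns (missing, excess): missing honours
    scope inheritance, excess requires an exact (role, scope) match so over-broad grants show up."""
    required = REQUIRED[case]
    exact = {(role, scopes[key].lower()) for role, key in required}
    missing = sorted(f"{role} on {key}" for role, key in required
                     if not any(a["roleDefinitionName"] == role and _covers(a["scope"], scopes[key])
                                for a in assignments))
    excess = sorted(f"{a['roleDefinitionName']} on {a['scope']}" for a in assignments
                    if (a["roleDefinitionName"], a["scope"].lower()) not in exact)
    return missing, excess

# Constructed sample: a node-pool identity missing the custom role and holding two grants it should not.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SCOPES = {"aks": f"{SUB}/resourceGroups/rg-kyvos/providers/Microsoft.ContainerService/managedClusters/aks-kyvos",
          "mrg": f"{SUB}/resourceGroups/MC_rg-kyvos_aks-kyvos_eastus"}
SCOPES["vmss"] = f"{SCOPES['mrg']}/providers/Microsoft.Compute/virtualMachineScaleSets/aks-compute-vmss"
SAMPLE = [{"roleDefinitionName": AKS_USER, "scope": SCOPES["aks"]},
          {"roleDefinitionName": "Reader", "scope": SUB},                 # broader than required
          {"roleDefinitionName": VM_CONTRIB, "scope": SCOPES["vmss"]},
          {"roleDefinitionName": "Contributor", "scope": SCOPES["mrg"]}]  # not required at all
```

Running check_identity("dedicated_nodepool", SAMPLE, SCOPES) on the sample reports the custom role as missing and flags the subscription-wide Reader and the Contributor on the managed resource group as excess.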

Permissions required by Kubernetes Managed Identity

  1. Built-in Managed Identity Operator on this Managed Identity itself
    (Note: this is required so the identity can be used on the AKS cluster if the identity was created externally.)

  2. Built-in Storage Blob Data Contributor on Kyvos storage account

  3. Built-in Reader on AKS

  4. Key Vault access policy granting Get permission on secrets in the Kyvos Key Vault

In case of Enhanced Security

  1. AKS Subnet must be allowed in networking rules of Kyvos storage account.

  2. AKS Subnet must be allowed in networking rules of Kyvos Key Vault.
