
Note

  • Role permission changes may not take effect instantly. Allow 2-5 minutes for changes to sync and apply.

  • For Azure, a custom role with the required permissions is needed only if the Virtual Network is in a Resource Group other than the Kyvos Resource Group. No additional permission is required for scaling nodes within the Kyvos Resource Group, because the Azure Managed Identity has Contributor access rights on all resources of that Resource Group.

  • For Azure Enterprise, create a custom role with the required permissions. While creating the custom role, add the Resource IDs of the following services to its assignable scope:

    • Application Gateway

    • Virtual Network

    • Network Security Group

    Once the custom role is created, assign it on each of the services listed above.
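The following is an added example of such a custom role definition (it is not part of this page or of the Kyvos product). It is written in the JSON shape accepted by `az role definition create --role-definition`, it contains only the Microsoft.Network actions listed in the Scaling Permissions table, and every value in angle brackets (subscription ID, the Resource Group that holds the network resources, and the Application Gateway, Virtual Network and Network Security Group names) is a placeholder you must replace with your own Resource IDs. The role name and description are also assumptions chosen for the example.

```json
{
  "Name": "Kyvos Scaling Network Access (example)",
  "IsCustom": true,
  "Description": "Added example, not Kyvos-supplied: network permissions needed for node scaling when the Virtual Network is in a different Resource Group than the Kyvos Resource Group.",
  "Actions": [
    "Microsoft.Network/applicationGateways/write",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/networkSecurityGroups/join/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<NETWORK_RESOURCE_GROUP>/providers/Microsoft.Network/applicationGateways/<APP_GATEWAY_NAME>",
    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<NETWORK_RESOURCE_GROUP>/providers/Microsoft.Network/virtualNetworks/<VNET_NAME>",
    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<NETWORK_RESOURCE_GROUP>/providers/Microsoft.Network/networkSecurityGroups/<NSG_NAME>"
  ]
}
```

After saving this as a file and running `az role definition create --role-definition <file>`, assign the role to the Managed Identity on each of the three resources with `az role assignment create --assignee <MANAGED_IDENTITY_PRINCIPAL_ID> --role "Kyvos Scaling Network Access (example)" --scope <RESOURCE_ID>`, once per Resource ID in AssignableScopes. Keeping AssignableScopes at the resource level rather than the subscription means the role cannot later be assigned more broadly than the scaling workflow needs. If your deployment does not use the Web Portal, the applicationGateways/write action and the Application Gateway scope can be dropped, since the table marks that permission as applicable only for the Web Portal.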

Scaling Permissions

For each scaling functionality, the permissions required on AWS (IAM Role), Azure, and GCP are listed below.

Increase Node

  • AWS (IAM Role):
    ec2:GetLaunchTemplateData
    ec2:CreateLaunchTemplate
    ec2:RunInstances

  • Azure: Custom Roles (Optional)
    NOTE: Applicable only when Virtual Network is in another Resource Group.
    Microsoft.Network/applicationGateways/write (applicable only for Web Portal)
    Microsoft.Network/networkSecurityGroups/read
    Microsoft.Network/networkInterfaces/write
    Microsoft.Network/virtualNetworks/subnets/join/action
    Microsoft.Network/networkSecurityGroups/join/action

  • GCP:
    compute.subnetworks.use (applicable for Marketplace only when shared VPC is used)
    compute.instances.create
    compute.disks.create
    compute.disks.use
    compute.instances.setServiceAccount
    compute.instances.use

Decrease Node

  • AWS (IAM Role):
    ec2:DeleteLaunchTemplate
    ec2:TerminateInstances

  • Azure: Custom Roles (Optional)
    NOTE: Applicable only when Virtual Network is in another Resource Group.
    Microsoft.Network/applicationGateways/write (applicable only for Web Portal)
    Microsoft.Network/networkSecurityGroups/read
    Microsoft.Network/networkInterfaces/write
    Microsoft.Network/virtualNetworks/subnets/join/action
    Microsoft.Network/networkSecurityGroups/join/action

  • GCP:
    compute.subnetworks.use (applicable for Marketplace only)
    compute.instances.delete
    compute.instances.detachDisk
    compute.disks.delete

Increase Disk

  • AWS (IAM Role):
    ec2:CreateVolume
    ec2:AttachVolume
    ec2:ModifyInstanceAttribute

  • Azure: Contributor Access

  • GCP:
    compute.disks.create
    compute.disks.use

Decrease Disk

  • AWS (IAM Role):
    ec2:DetachVolume
    ec2:DeleteVolume

  • Azure: Contributor Access

  • GCP:
    compute.instances.detachDisk
    compute.disks.delete

Load Balancer Entry Addition

  • AWS (IAM Role), Target Group:
    elasticloadbalancing:DescribeTargetGroups
    elasticloadbalancing:RegisterTargets

  • Azure: Contributor Access

  • GCP, Instance Group:
    compute.instanceGroups.get
    compute.instanceGroups.update

Load Balancer Entry Deletion

  • AWS (IAM Role), Target Group:
    elasticloadbalancing:DescribeTargetGroups
    elasticloadbalancing:DeregisterTargets

  • Azure: Contributor Access

  • GCP, Instance Group:
    compute.instanceGroups.get
    compute.instanceGroups.update

Health Check

  • AWS (IAM Role), Target Group Health Check Probe:
    elasticloadbalancing:ModifyTargetGroup

  • Azure: Contributor Access

  • GCP, Instance Group Health Check:
    compute.instanceGroups.get
    compute.instanceGroups.update
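As an added example (not part of this page or supplied by Kyvos), the AWS column above can be expressed as a single IAM policy document attached to the IAM Role, with one statement per functionality so that individual capabilities can be removed cleanly if a deployment does not need them (for example, a deployment without a load balancer can drop the last statement). The statement IDs are assumptions chosen for readability. "Resource": "*" is used because the page does not state the ARNs or tags of the Kyvos resources; in a real deployment, narrow Resource to the Kyvos instance, volume, launch template and target group ARNs wherever the action supports resource-level permissions, so the role cannot act on unrelated resources in the account. The policy contains only the actions the table lists; it does not add any permission the page does not mention.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KyvosIncreaseNode",
      "Effect": "Allow",
      "Action": [
        "ec2:GetLaunchTemplateData",
        "ec2:CreateLaunchTemplate",
        "ec2:RunInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KyvosDecreaseNode",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteLaunchTemplate",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KyvosIncreaseDisk",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume",
        "ec2:AttachVolume",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KyvosDecreaseDisk",
      "Effect": "Allow",
      "Action": [
        "ec2:DetachVolume",
        "ec2:DeleteVolume"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KyvosLoadBalancerTargetGroup",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:ModifyTargetGroup"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach it with `aws iam put-role-policy --role-name <KYVOS_ROLE_NAME> --policy-name <POLICY_NAME> --policy-document file://<file>` (both names are placeholders). After a change, remember the note at the top of the page: allow a few minutes before testing a scaling operation, since permission updates do not apply instantly.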


Read Also:

Managing Nodes and Services
