Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Current »

Permission required by Kyvos Managed Identity

Case 1: Dedicated Azure Kubernetes Service (AKS) Cluster

  1. Built-in Azure Kubernetes Service Cluster User Role on AKS cluster

  2. Built-in Reader on the AKS cluster

  3. Built-in Virtual Machine Contributor on Managed Resource Group

  4. Microsoft.ContainerService/managedClusters/agentPools/write" on the AKS cluster

  5. Microsoft.ContainerService/managedClusters/agentPools/read" on the AKS cluster

  6. Microsoft.ContainerService/managedClusters/agentPools/delete" on the AKS cluster

Case 2: Shared AKS Cluster

  1. Permission is the same as the dedicated AKS cluster.

  2. Both Namespaces (compute and monitoring) must be created.

  3.  Download view-nodes.yaml file, update an object ID of Kyvos Managed Identity and execute the kubectl apply –f view-nodes.yaml command from the user/Managed Identity which has Admin privileges on the AKS cluster. This is to provide get and list node permission.

  4. Download kyvos-compute-worker-disk-class.yaml file and execute the kubectl apply –f kyvos-compute-worker-disk-class.yaml command from the user/MI which has Admin privileges on AKS cluster. This is to create storage class. If required, you can update the tags in the file by passing comma-separated values.

Case 3: Dedicated Node pool

  1. Built-in Azure Kubernetes Service Cluster User Role on the AKS cluster

  2. Built-in Reader on the AKS cluster

  3. Built-in Virtual Machine Contributor on VMSS of Node pool

  4. Microsoft.ContainerService/managedClusters/agentPools/write" on the AKS cluster

  5. Microsoft.ContainerService/managedClusters/agentPools/read" on the AKS cluster

  6. Microsoft.ContainerService/managedClusters/agentPools/delete" on the AKS cluster

Case 4: Shared Node pool

  1. Built-in Azure Kubernetes Service Cluster User Role on the AKS cluster

  2. Built-in Reader on the AKS cluster

Permission required by Kubernetes Managed Identity

  1. Built-in Managed Identity Operator on this Managed Identity itself

Note
This is required to create on AKS cluster if it is created externally)

  1. Built-in Storage Blob Data Contributor on the Kyvos storage account

  2. Built-in Reader on the AKS cluster

  3. Create Access policy to get secret on the Kyvos key Vault

Enhanced Security

  1. AKS Subnet must be allowed in networking rules of Kyvos storage account.

  2. AKS Subnet must be allowed in networking rules of Kyvos key Vault.

 

  • No labels

Copyright Kyvos, Inc. All rights reserved.