Before you begin with Kyvos Free on GCP
Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)
You must fulfill the following prerequisites to deploy Kyvos in a GCP environment.
Permissions required by Google Console users:
Logged-in users must have the privilege to launch deployments in GCP Deployment Manager.
Logged-in users must have the Viewer predefined role attached.
Logged-in users need access to the VPC, subnet, network interface/firewall rules (the GCP counterpart of a security group), and service account that Kyvos will use to launch Compute Engine instances, Dataproc clusters, and the instance group.
You must create a custom role. To do this, click Roles > Create new role. Give it a name such as Kyvos-deployment-role, assign the following permissions, and then attach the role to the logged-in user (or service account) that launches the deployment:
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.update
deploymentmanager.manifests.get
deploymentmanager.operations.get
storage.objects.get
compute.subnetworks.use
Note
The above permissions are only required to launch the deployment. To view the resources after deployment, the user must also hold the appropriate permissions on those resources.
The GCP Deployment Manager template is launched as the logged-in user, but the resources inside the template are created by the default service account of GCP Deployment Manager.
To create other Google Cloud resources, Deployment Manager uses the credentials of the Google APIs Service Agent to authenticate to other APIs. The Google APIs Service Agent is designed specifically to run internal Google processes on your behalf. This service account is identifiable by the email [PROJECT_NUMBER]@cloudservices.gserviceaccount.com. It must have the Editor predefined role attached. Editor is a broad basic role, so scope the binding to the project that hosts the Kyvos deployment.
Compute Network User: if you use a Shared VPC network, also grant the above service account the 'Compute Network User' predefined role in the host project where the network resides.
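The IAM steps above (custom launch role, Viewer for the deploying user, Editor for the Deployment Manager service agent, and Compute Network User in the Shared VPC host project) as one script. This is an added example, not Kyvos's own tooling: it assumes the caller supplies PROJECT_ID, the deploying user's e-mail and, optionally, the Shared VPC host project, and by default (DRY_RUN=1) it prints the gcloud commands instead of running them so you can review the bindings before applying them. The role ID kyvos_deployment_role is an assumption (gcloud role IDs cannot contain hyphens, so the page's name is used as the title).

```shell
#!/usr/bin/env bash
# Added example (not from the Kyvos page): builds the custom Deployment Manager
# launch role from the permission list above and binds the service-agent roles.
# Assumptions (not from the page): PROJECT_ID, the deployer's e-mail and, for a
# Shared VPC, HOST_PROJECT_ID are passed as arguments. With DRY_RUN=1 (the
# default) the gcloud commands are printed, not executed.
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The permissions listed on this page, one per line.
kyvos_role_permissions() {
  cat <<'EOF'
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.update
deploymentmanager.manifests.get
deploymentmanager.operations.get
storage.objects.get
compute.subnetworks.use
EOF
}

# Role definition in the YAML shape that `gcloud iam roles create --file` reads.
kyvos_role_yaml() {
  printf 'title: Kyvos-deployment-role\n'
  printf 'description: Launch-only permissions for the Kyvos GCP deployment\n'
  printf 'stage: GA\n'
  printf 'includedPermissions:\n'
  kyvos_role_permissions | sed 's/^/- /'
}

# Number of permissions in the role (sanity check against the page's list).
kyvos_role_permission_count() { kyvos_role_permissions | wc -l | tr -d ' '; }

# E-mail of the Google APIs Service Agent for a given project number.
deployment_manager_service_agent() {
  printf '%s@cloudservices.gserviceaccount.com' "$1"
}

setup_kyvos_iam() {
  project_id="$1"; deployer="$2"; host_project_id="${3:-}"

  # The service agent is named after the project *number*, not the ID.
  if [ "$DRY_RUN" = 1 ]; then
    project_number='PROJECT_NUMBER'   # placeholder while previewing
  else
    project_number="$(gcloud projects describe "$project_id" --format='value(projectNumber)')"
  fi
  agent="$(deployment_manager_service_agent "$project_number")"

  yaml="$(mktemp)"
  kyvos_role_yaml > "$yaml"
  run gcloud iam roles create kyvos_deployment_role --project "$project_id" --file "$yaml"

  # Deploying user: Viewer plus the launch-only custom role.
  run gcloud projects add-iam-policy-binding "$project_id" \
    --member "user:$deployer" --role roles/viewer
  run gcloud projects add-iam-policy-binding "$project_id" \
    --member "user:$deployer" --role "projects/$project_id/roles/kyvos_deployment_role"

  # Deployment Manager service agent: Editor, scoped to the deployment project only.
  run gcloud projects add-iam-policy-binding "$project_id" \
    --member "serviceAccount:$agent" --role roles/editor

  # Shared VPC: Compute Network User in the host project that owns the network.
  if [ -n "$host_project_id" ]; then
    run gcloud projects add-iam-policy-binding "$host_project_id" \
      --member "serviceAccount:$agent" --role roles/compute.networkUser
  fi
  rm -f "$yaml"
}
```

Run `setup_kyvos_iam my-project alice@example.com my-host-project` to preview, then re-run with `DRY_RUN=0` once the printed bindings look right. The custom role carries only the launch permissions from this page; anything the user needs to inspect resources afterwards is a separate grant, as the note above says.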
A static external IP address is required.
Private Google Access must be enabled for the subnet that you will use for deploying Kyvos and Dataproc clusters.
The Secret Manager API must be enabled.
Ensure that the following ports are opened/allowed in the firewall inbound rules for all internal communication between Kyvos instances:
22, 2121, 2181, 2888, 3888, 4000, 6602, 6603, 6605, 6702, 6703, 6803, 6903, 7003, 8005, 8009, 8080, 8081, 8443, 8444, 9443, 9444, 45421, 45440, 45450, 45460, 45461, 45462, 45463, 45464, 45465, and 45564.
Ensure that the following ports are opened/allowed in the firewall inbound rules for all internal communication between the Dataproc cluster and Kyvos:
22, 3306, 8020, 8030, 8031, 8032, 8033, 8042, 8050, 8051, 8088, 8188, 8998, 9083, 9866, 9867, 9870, 10000, 10002, 10020, 10033, 10200, 18080, 19888, and 45460.
Port 8998 is required for Livy. Port 8998 is also required when upgrading the Kyvos cluster to version 2023.3.
Ports 22, 8080, and 8081 must be reachable from outside the cluster, from the locations where you access the web application. Restrict the source ranges of that rule to those locations rather than opening the ports to the internet.
Create a firewall rule that allows all ports between the Dataproc master and worker nodes, using network tags as the targets; attach the same tags to the Dataproc cluster so that the rule applies only to those nodes and not to the whole VPC.
For more information about the required ports between the Dataproc master nodes and the worker nodes, refer to GCP documentation at: Dataproc Cluster Network Configuration.
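The firewall rules described above as one script. This is an added example, not Kyvos's own tooling, and it assumes names that are not on the page: the VPC is given as an argument, Kyvos nodes carry the network tag kyvos-node, Dataproc nodes carry dataproc-node, and an admin CIDR is the only source allowed to reach 22/8080/8081. The port lists are copied from this page as written (including its repeated 4000 and 8188) and deduplicated before use. By default (DRY_RUN=1) the gcloud commands are printed instead of executed.

```shell
#!/usr/bin/env bash
# Added example (not from the Kyvos page): creates the firewall rules this page
# asks for, scoped with network tags on both source and target so the broad
# Kyvos and Dataproc rules only match traffic between tagged nodes.
# Assumptions (not from the page): tags kyvos-node and dataproc-node, the VPC
# name and the admin CIDR passed as arguments. DRY_RUN=1 prints the commands.
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Port lists as printed on this page; both contain one duplicate (4000, 8188).
KYVOS_INTERNAL_PORTS='2121,2181,2888,3888,4000,6602,6903,6703,45450,45460,45461,45462,45463,45464,45465,6603,6702,6803,7003,45440,6605,45421,45564,4000,8080,8081,8005,8009,8443,8444,9443,22,9444'
DATAPROC_KYVOS_PORTS='3306,8030,8031,8032,8033,8042,8088,9083,8188,18080,8050,8051,8020,10020,19888,10033,8188,9870,10200,10000,10002,22,45460,9866,8998,9867'

# Normalise a comma-separated port list: sort numerically, drop duplicates and
# emit the tcp:PORT,tcp:PORT,... form that `gcloud ... --allow` expects.
port_rule() {
  printf '%s' "$1" | tr ',' '\n' | sort -un | sed 's/^/tcp:/' | paste -s -d ',' -
}

# Number of distinct ports in a list.
port_count() { printf '%s' "$1" | tr ',' '\n' | sort -un | wc -l | tr -d ' '; }

create_kyvos_firewall_rules() {
  project="$1"; network="$2"; admin_cidr="$3"

  # 1. Kyvos <-> Kyvos: only traffic from a kyvos-node to a kyvos-node.
  run gcloud compute firewall-rules create kyvos-internal \
    --project "$project" --network "$network" --direction INGRESS \
    --source-tags kyvos-node --target-tags kyvos-node \
    --allow "$(port_rule "$KYVOS_INTERNAL_PORTS")"

  # 2. Dataproc <-> Kyvos, both directions, same port list.
  run gcloud compute firewall-rules create kyvos-dataproc \
    --project "$project" --network "$network" --direction INGRESS \
    --source-tags kyvos-node,dataproc-node --target-tags kyvos-node,dataproc-node \
    --allow "$(port_rule "$DATAPROC_KYVOS_PORTS")"

  # 3. Dataproc master <-> worker: all ports, but only between dataproc-node VMs.
  run gcloud compute firewall-rules create kyvos-dataproc-intra \
    --project "$project" --network "$network" --direction INGRESS \
    --source-tags dataproc-node --target-tags dataproc-node \
    --allow all

  # 4. Web application and SSH from the admin range only, never 0.0.0.0/0.
  run gcloud compute firewall-rules create kyvos-admin \
    --project "$project" --network "$network" --direction INGRESS \
    --source-ranges "$admin_cidr" --target-tags kyvos-node \
    --allow tcp:22,tcp:8080,tcp:8081
}
```

Preview with `create_kyvos_firewall_rules my-project my-vpc 203.0.113.0/24`, then apply with `DRY_RUN=0`. For the tags to have effect, pass `--tags dataproc-node` when creating the Dataproc cluster and attach kyvos-node to the Kyvos instances; a rule whose target tag matches no VM allows nothing.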
Copyright Kyvos, Inc. All rights reserved.