Document toolboxDocument toolbox

Kubernetes Cluster Permissions

Owned by Sarabjeet Kaur
Last updated: Nov 12, 2024
2 min read

Note
This is required to create on AKS cluster if it is created externally.

Permission required by Kyvos Managed Identity

Important

These are only required when the AKS cluster is created externally, and you want to configure it post-deployment/post upgrade) from Kyvos Manager.
Hence, no permission is required for AKS fresh deployments.

Case 1: Dedicated Azure Kubernetes Service (AKS) Cluster

  1. Built-in Azure Kubernetes Service Cluster User Role on AKS cluster

  2. Built-in Reader on the AKS cluster

  3. Built-in Virtual Machine Contributor on Managed Resource Group

  4. Microsoft.ContainerService/managedClusters/agentPools/write" on the AKS cluster

  5. Microsoft.ContainerService/managedClusters/agentPools/read" on the AKS cluster

  6. Microsoft.ContainerService/managedClusters/agentPools/delete" on the AKS cluster

Case 2: Shared AKS Cluster

  1. Permission is the same as the dedicated AKS cluster.

  2. Both Namespaces (compute and monitoring) must be created.

  3.  Download view-nodes.yaml file, update an object ID of Kyvos Managed Identity and execute the kubectl apply –f view-nodes.yaml command from the user/Managed Identity which has Admin privileges on the AKS cluster. This is to provide get and list node permission.

  4. Download kyvos-compute-worker-disk-class.yaml file and execute the kubectl apply –f kyvos-compute-worker-disk-class.yaml command from the user/MI which has Admin privileges on AKS cluster. This is to create storage class. If required, you can update the tags in the file by passing comma-separated values.

Case 3: Dedicated Node pool

  1. Built-in Azure Kubernetes Service Cluster User Role on the AKS cluster

  2. Built-in Reader on the AKS cluster

  3. Built-in Virtual Machine Contributor on VMSS of Node pool

  4. Microsoft.ContainerService/managedClusters/agentPools/write" on the AKS cluster

  5. Microsoft.ContainerService/managedClusters/agentPools/read" on the AKS cluster

  6. Microsoft.ContainerService/managedClusters/agentPools/delete" on the AKS cluster

Permission required by Kubernetes Managed Identity

  1. Built-in Managed Identity Operator on this Managed Identity itself

  2. Built-in Storage Blob Data Contributor on the Kyvos storage account

  3. Built-in Reader on the AKS cluster

  4. Create Access policy to get secret on the Kyvos key Vault

Enhanced Security

  1. AKS Subnet must be allowed in networking rules of Kyvos storage account.

  2. AKS Subnet must be allowed in networking rules of Kyvos key Vault.

 

Copyright Kyvos, Inc. All rights reserved.