
Kubernetes Cluster configuration and requirements

The Kubernetes cluster requires the following:

  • Service access
  • Service authorisation

And recommends:

  • DNS configuration for services
  • Network Policy provider

Required

Service access

You need to give Kubernetes access to the PostgreSQL database and blob store bucket.

Network-level access is provided through IP configuration; the cloud-specific example deployments are the best reference for how this is done.

This is achieved through both VPC configuration and Kubernetes Network Policy configuration, depending on the cloud provider.

Service authorisation

Service authorisation is achieved differently on each of the platforms, but the general idea is that an IAM-based Role on the cloud provider is associated with the cluster, using one of two approaches:

  1. Cluster level - associate the Role with the cluster. E.g. a database access role is associated with the cluster nodes, so the whole cluster has access to the database. The app would still require the database password for authorisation. The advantage is that this is relatively simple to set up; the disadvantage is that access is possible from Pods that have no rights to, or need for, those services.
  2. App level (recommended) - allowing individual apps to assume a role, so that for instance only the data-store app gets access to the cases database. This is provided by a combination of an IAM Role and Policy and a Kubernetes Service Account. This method is used in the example infrastructure and is outlined in more detail for each of the providers.

DNS via ExternalDNS

DNS should be configured automatically using ExternalDNS.

This will automatically create DNS records in your chosen DNS provider when the external load balancers are deployed or updated.

A number of providers are supported, including AWS's Route53 and Google's Cloud DNS. The following tutorials will help you install ExternalDNS.

Calico

Network Policies are defined and enabled by default for QuickCase. We test using Calico, but these policies are written using only the standard Kubernetes NetworkPolicy resources, with no Calico-specific extensions.

If Calico (or any other network policy provider) is available, these policies will be enforced; if not, the app is deployed without network control.

Both ingress and egress rules are defined; if they cause any problems, you can turn them off with the following configuration setting:

networkPolicy:
  enabled: false
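As an added illustration of the app-level authorisation approach and the ingress/egress policies described above (these are not QuickCase's own manifests), the following shows a Service Account bound to a cloud IAM role together with a NetworkPolicy for a hypothetical data-store pod. The namespace, names, labels, role ARN and database CIDR are placeholders or constructed values.

```yaml
# Added example, not QuickCase's manifests. Names, labels, the role ARN
# and the database CIDR are placeholders / constructed values.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: data-store            # placeholder name for the data-store app
  namespace: quickcase        # placeholder namespace
  annotations:
    # AWS EKS (IRSA): pods using this ServiceAccount assume this IAM role.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PLACEHOLDER-data-store-db
    # GKE Workload Identity equivalent (use one or the other):
    # iam.gke.io/gcp-service-account: data-store@PROJECT.iam.gserviceaccount.com
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: data-store
  namespace: quickcase
spec:
  podSelector:
    matchLabels:
      app: data-store         # placeholder label; must match the app's pods
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api-gateway   # placeholder: only the calling tier may connect
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # DNS must stay reachable once egress is restricted, or service lookups fail.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # PostgreSQL: constructed CIDR standing in for the managed database's subnet.
    - to:
        - ipBlock:
            cidr: 10.20.0.0/24
      ports:
        - protocol: TCP
          port: 5432
```

The app's Deployment must set `serviceAccountName: data-store` for the role binding to apply, and access to the blob store bucket needs a further egress rule to the provider's storage endpoint.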