---
title: Prerequisites
description: Verify Kubernetes distribution compatibility, resource requirements, and access prerequisites before deploying UDS Core to production.
next: true
sidebar:
  order: 3.001
---

Work through each section and confirm your environment meets the requirements before building your bundle.

## Kubernetes distribution

UDS Core runs on any CNCF-conformant Kubernetes distribution that has not reached End-of-Life. Supported and tested distributions include:

| Distribution | Notes |
| --- | --- |
| RKE2 | Recommended for on-premises and classified deployments. See RKE2 requirements. |
| K3s | Lightweight option for edge and resource-constrained environments. See K3s requirements. |
| EKS | AWS managed Kubernetes. See EKS documentation. |
| AKS | Azure managed Kubernetes. See AKS documentation. |

:::note
If your distribution has distribution-specific hardening guides (e.g., RKE2 CIS profile), review the component-specific notes below for required configuration changes.
:::

## Cluster capacity

UDS Core deploys multiple platform services. Plan your cluster sizing to accommodate them. As a baseline for a production deployment:

- CPU: 12+ vCPUs across worker nodes
- Memory: 32+ GiB RAM across worker nodes
- Storage: 100+ GiB persistent storage available through the default storage class

These are conservative minimums. Size up based on the workloads you plan to run on top of UDS Core.

## Default storage class

Several UDS Core components require persistent volumes. Verify your cluster has a default storage class configured:

```bash
uds zarf tools kubectl get storageclass
```

The output should include (default) next to one of the listed storage classes:

```text
NAME                   PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)          kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   true                   10d
```

## Networking requirements

### Load balancer

Istio's ingress gateways require a load balancer. When a Service of type LoadBalancer is created, your cluster must be able to provision an external IP automatically. The following options are available by environment:

- Cloud environments: Use your cloud provider's load balancer controller (e.g., AWS Load Balancer Controller).
- On-premises: Use a bare-metal load balancer such as MetalLB or kube-vip. A MetalLB UDS Package is available.
- Conflicting ingress controllers: Some distributions (e.g., RKE2) include ingress-nginx by default. Disable it before deploying UDS Core to avoid conflicts with Istio.

### RKE2 with CIS profile

If running RKE2 with the CIS hardening profile, control plane components bind to 127.0.0.1 by default, which prevents Prometheus from scraping them. Add the following to your control plane node's /etc/rancher/rke2/config.yaml:

```yaml
kube-controller-manager-arg:
  - bind-address=0.0.0.0
kube-scheduler-arg:
  - bind-address=0.0.0.0
etcd-arg:
  - listen-metrics-urls=http://0.0.0.0:2381
```

Restart RKE2 after making these changes.

### DNS

You must own a domain and be able to create wildcard DNS records pointing to your load balancer IP. See Provision External Services for details.

### TLS certificates

You must have TLS certificates (or the ability to obtain them) for both your tenant and admin domains. See Provision External Services for options.

### Network policy support

The UDS Operator dynamically provisions NetworkPolicy resources to secure traffic between components. Your CNI must enforce network policies.

If you are using Cilium, CIDR-based network policies require an additional feature flag for node addressability.

## Istio requirements

Istio requires certain kernel modules on each node. Load them as part of your node image build or cloud-init configuration:

```bash
# Kernel modules Istio needs on every node for traffic redirection and policy enforcement
modules=("br_netfilter" "xt_REDIRECT" "xt_owner" "xt_statistic" "iptable_mangle" "iptable_nat" "xt_conntrack" "xt_tcpudp" "xt_connmark" "xt_mark" "ip_set")
for module in "${modules[@]}"; do
  # load the module now, then register it so it is loaded again on every boot
  modprobe "$module"
  echo "$module" >> "/etc/modules-load.d/istio-modules.conf"
done
```

See Istio's platform requirements for the full upstream list.

:::note
**Unicorn flavor on RHEL 9 with fapolicyd:** The unicorn flavor uses FIPS-compliant CNI images that write libcrypto.so.3 into /opt/cni/bin/.cgr/ at runtime. If fapolicyd is running in enforcing mode, it will block access to this file because it is not RPM-managed, preventing istio-cni from starting. Add the following rule to allow access, then recompile and restart fapolicyd:

```bash
mkdir -p /etc/fapolicyd/rules.d
cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF'
allow perm=any all : dir=/opt/cni/bin/
EOF
fagenrules
systemctl restart fapolicyd
```
:::

## Falco requirements

UDS Core uses Falco's Modern eBPF Probe, which has the following requirements:

Most modern OS distributions meet these requirements out of the box.

## Vector requirements

Vector scrapes logs from all cluster workloads and may require kernel parameter adjustments on your nodes:

```bash
# Raise the file-descriptor and inotify limits so Vector can tail every container log file on the node
declare -A sysctl_settings
sysctl_settings["fs.nr_open"]=13181250
sysctl_settings["fs.inotify.max_user_instances"]=1024
sysctl_settings["fs.inotify.max_user_watches"]=1048576
sysctl_settings["fs.file-max"]=13181250

for key in "${!sysctl_settings[@]}"; do
  value="${sysctl_settings[$key]}"
  # apply immediately, and persist one drop-in file per key so the value survives reboots
  sysctl -w "$key=$value"
  echo "$key=$value" > "/etc/sysctl.d/$key.conf"
done
sysctl --system
```

Apply this as part of your node image build or cloud-init process.
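The two node-level requirements above (the Istio kernel modules and the Vector sysctl values) are easy to get wrong on a subset of nodes, so a preflight check is worth keeping next to the build scripts. The following POSIX shell check is an added example, not part of the UDS Core docs; the `missing_modules`, `low_sysctls` and `write_samples` function names are assumptions, and `write_samples` writes constructed captures rather than output from a real node.

```shell
# Added preflight check, not from the UDS Core docs. Verifies a node against the Istio kernel
# module list and the Vector sysctl values given on this page. Each check reads captured command
# output from a file argument or from stdin, so it runs on a live node (lsmod | missing_modules)
# and on captures collected from a fleet.

REQUIRED_MODULES="br_netfilter xt_REDIRECT xt_owner xt_statistic iptable_mangle iptable_nat xt_conntrack xt_tcpudp xt_connmark xt_mark ip_set"
# Treated as minimums, not exact values: a node that already exceeds them passes.
SYSCTL_MIN="fs.nr_open=13181250 fs.inotify.max_user_instances=1024 fs.inotify.max_user_watches=1048576 fs.file-max=13181250"

# missing_modules [lsmod-output]: prints each required module absent from the list; exit 1 if any.
# Caveat: modules built into the kernel never show up in lsmod, so confirm a reported name against
# /lib/modules/$(uname -r)/modules.builtin before treating it as a failure.
missing_modules() {
  loaded=$(awk 'NR > 1 { print $1 }' "${1:-/dev/stdin}")
  rc=0
  for m in $REQUIRED_MODULES; do
    printf '%s\n' "$loaded" | grep -qx "$m" || { echo "$m"; rc=1; }
  done
  return $rc
}

# low_sysctls [sysctl-a-output]: prints key=current for every setting below its minimum; exit 1 if any.
low_sysctls() {
  current=$(cat "${1:-/dev/stdin}")
  rc=0
  for pair in $SYSCTL_MIN; do
    key=${pair%%=*}; min=${pair#*=}
    cur=$(printf '%s\n' "$current" | awk -F' *= *' -v k="$key" '$1 == k { print $2 }')
    if [ -z "$cur" ] || [ "$cur" -lt "$min" ]; then
      echo "$key=${cur:-unset}"; rc=1
    fi
  done
  return $rc
}

# write_samples DIR: constructed captures (not taken from a real node) for a dry run. ip_set is left
# out of lsmod.txt and fs.nr_open is below its minimum, so each check reports exactly one finding.
write_samples() {
  printf 'Module Size Used by\n' > "$1/lsmod.txt"
  for m in br_netfilter xt_REDIRECT xt_owner xt_statistic iptable_mangle iptable_nat xt_conntrack xt_tcpudp xt_connmark xt_mark; do
    printf '%s 16384 0\n' "$m" >> "$1/lsmod.txt"
  done
  printf 'fs.nr_open = 1048576\nfs.inotify.max_user_instances = 1024\n' > "$1/sysctl.txt"
  printf 'fs.inotify.max_user_watches = 1048576\nfs.file-max = 13181250\n' >> "$1/sysctl.txt"
}
```

Source the file on a node and pipe live output through the checks (`lsmod | missing_modules`, `sysctl -a | low_sysctls`); a non-zero exit from either means the node is not ready for Istio or Vector.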

## UDS Registry access

Defense Unicorns publishes UDS Core packages to the UDS Registry. You need an account and a read token to pull packages.

  1. Create an account at registry.defenseunicorns.com
  2. Create a read token from your account settings in the registry web UI
  3. Authenticate locally using the command provided in the registry web UI after creating your token

## Checklist

Before moving on, confirm you have completed the following:

- Kubernetes cluster is running
- Default storage class is present
- Load balancer provisioner is installed
- You own a domain and can create wildcard DNS records
- TLS certificates are available (or obtainable) for *.yourdomain.com and *.admin.yourdomain.com
- Object storage buckets are created with credentials available
- An external PostgreSQL database for Keycloak is available with credentials ready
- UDS CLI is installed (`uds version`)
- Authenticated to the UDS Registry with a read token