---
title: Prerequisites
description: Verify Kubernetes distribution compatibility, resource requirements, and access prerequisites before deploying UDS Core to production.
next: true
sidebar:
---
Work through each section and confirm your environment meets the requirements before building your bundle.
## Kubernetes distribution

UDS Core runs on any CNCF-conformant Kubernetes distribution that has not reached End-of-Life. Supported and tested distributions include:

| Distribution | Notes |
|---|---|
| RKE2 | Recommended for on-premises and classified deployments. See RKE2 requirements. |
| K3s | Lightweight option for edge and resource-constrained environments. See K3s requirements. |
| EKS | AWS managed Kubernetes. See EKS documentation. |
| AKS | Azure managed Kubernetes. See AKS documentation. |
:::note
If your distribution has distribution-specific hardening guides (e.g., the RKE2 CIS profile), review the component-specific notes below for required configuration changes.
:::
## Cluster resources

UDS Core deploys multiple platform services. Plan your cluster sizing to accommodate them. As a baseline for a production deployment:

- CPU: 12+ vCPUs across worker nodes
- Memory: 32+ GiB RAM across worker nodes
- Storage: 100+ GiB persistent storage available through the default storage class
These are conservative minimums. Size up based on the workloads you plan to run on top of UDS Core.
## Storage

Several UDS Core components require persistent volumes. Verify your cluster has a default storage class configured:

```shell
uds zarf tools kubectl get storageclass
```

The output should include `(default)` next to one of the listed storage classes:

```text
NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   true                   10d
```
## Load balancer

Istio's ingress gateways require a load balancer. When a Service of type LoadBalancer is created, your cluster must be able to provision an external IP automatically. The following options are available by environment:

- Cloud environments: Use your cloud provider's load balancer controller (e.g., AWS Load Balancer Controller).
- On-premises: Use a bare-metal load balancer such as MetalLB or kube-vip. A MetalLB UDS Package is available.
- Conflicting ingress controllers: Some distributions (e.g., RKE2) include `ingress-nginx` by default. Disable it before deploying UDS Core to avoid conflicts with Istio.
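The two cluster-level checks above (a single default storage class, and a LoadBalancer Service that actually receives an address) can be scripted as a preflight. The script below is an added example, not UDS Core's own tooling: it assumes kubectl access through the UDS CLI (override `KUBECTL` to use a plain binary), uses a hypothetical `uds-preflight` namespace for a throwaway Service, and always deletes that namespace again so the test Service is not left exposed.

```shell
#!/bin/sh
# Cluster preflight for the storage-class and load-balancer prerequisites above.
# Added example, not UDS Core's own tooling. Assumes kubectl access through the
# UDS CLI (set KUBECTL to override) and uses a hypothetical "uds-preflight"
# namespace for the throwaway Service. Run with: sh cluster-preflight.sh --run
KUBECTL=${KUBECTL:-"uds zarf tools kubectl"}   # expanded unquoted below on purpose

# default_storageclass: reads `kubectl get storageclass` output on stdin and prints
# the name of the class marked "(default)". Returns 1 if none is marked and 2 if
# more than one is, since PVC provisioning is then ambiguous.
default_storageclass() {
  names=$(awk 'NR > 1 && $2 == "(default)" { print $1 }')
  count=$(printf '%s\n' "$names" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -eq 0 ]; then
    return 1
  elif [ "$count" -gt 1 ]; then
    printf 'multiple default storage classes: %s\n' "$(printf '%s' "$names" | tr '\n' ' ')" >&2
    return 2
  fi
  printf '%s\n' "$names"
}

# lb_provisioning_ok [TIMEOUT_SECONDS]: creates a throwaway Service of type
# LoadBalancer, waits for the provisioner to assign an external IP or hostname,
# and always deletes the namespace afterwards so nothing is left exposed.
lb_provisioning_ok() {
  timeout=${1:-120}
  ns=uds-preflight
  $KUBECTL create namespace "$ns" >/dev/null || return 1
  $KUBECTL -n "$ns" create service loadbalancer preflight-lb --tcp=80:80 >/dev/null \
    || { $KUBECTL delete namespace "$ns" --wait=false >/dev/null; return 1; }
  waited=0
  result=1
  while [ "$waited" -lt "$timeout" ]; do
    addr=$($KUBECTL -n "$ns" get service preflight-lb \
      -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}')
    if [ -n "$addr" ]; then
      printf 'LoadBalancer address assigned: %s\n' "$addr"
      result=0
      break
    fi
    sleep 5
    waited=$((waited + 5))
  done
  $KUBECTL delete namespace "$ns" --wait=false >/dev/null
  return "$result"
}

# Live checks run only with --run, so the functions can also be sourced or tested.
if [ "${1:-}" = "--run" ]; then
  if sc=$($KUBECTL get storageclass | default_storageclass); then
    echo "PASS default storage class: $sc"
  else
    echo "FAIL no single default storage class" >&2
    exit 1
  fi
  if lb_provisioning_ok 120; then
    echo "PASS LoadBalancer Services receive an address"
  else
    echo "FAIL LoadBalancer Service never received an address" >&2
    exit 1
  fi
fi
```

The LoadBalancer check is the one most people skip: a cluster with no provisioner happily creates the Service and leaves it `<pending>` forever, which only surfaces later as Istio gateways that are unreachable. Two defaults are treated as a failure on purpose; fix that with `kubectl patch storageclass` on the one you do not want before deploying.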
## RKE2 with the CIS hardening profile

If running RKE2 with the CIS hardening profile, control plane components bind to 127.0.0.1 by default, which prevents Prometheus from scraping them. Add the following to your control plane node's `/etc/rancher/rke2/config.yaml`:

```yaml
kube-controller-manager-arg:
  - bind-address=0.0.0.0
kube-scheduler-arg:
  - bind-address=0.0.0.0
etcd-arg:
  - listen-metrics-urls=http://0.0.0.0:2381
```

Restart RKE2 after making these changes. Note that this moves the control plane and etcd metrics endpoints from loopback to every node interface, so restrict which sources can reach those ports (for example with a host firewall) rather than leaving them open to the whole network.
## DNS

You must own a domain and be able to create wildcard DNS records pointing to your load balancer IP. See Provision External Services for details.

## TLS certificates

You must have TLS certificates (or the ability to obtain them) for both your tenant and admin domains. See Provision External Services for options.
## CNI and network policies

The UDS Operator dynamically provisions NetworkPolicy resources to secure traffic between components. Your CNI must enforce network policies.

If you are using Cilium, CIDR-based network policies require an additional feature flag for node addressability.
## Node requirements

### Istio kernel modules

Istio requires certain kernel modules on each node. Load them as part of your node image build or cloud-init configuration:

```bash
# Netfilter/iptables modules that Istio's traffic redirection depends on
modules=("br_netfilter" "xt_REDIRECT" "xt_owner" "xt_statistic" "iptable_mangle" "iptable_nat" "xt_conntrack" "xt_tcpudp" "xt_connmark" "xt_mark" "ip_set")
for module in "${modules[@]}"; do
  # Load the module now, and persist it so it is loaded again at boot
  modprobe "$module"
  echo "$module" >> "/etc/modules-load.d/istio-modules.conf"
done
```

See Istio's platform requirements for the full upstream list.
:::note
**Unicorn flavor on RHEL 9 with fapolicyd:** The unicorn flavor uses FIPS-compliant CNI images that write `libcrypto.so.3` into `/opt/cni/bin/.cgr/` at runtime. If fapolicyd is running in enforcing mode, it will block access to this file because it is not RPM-managed, preventing istio-cni from starting. Add the following rule to allow access, then recompile and restart fapolicyd:

```bash
# Trust the non-RPM-managed CNI binaries and the libcrypto they ship
mkdir -p /etc/fapolicyd/rules.d
cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF'
allow perm=any all : dir=/opt/cni/bin/
EOF
# Recompile the rule set and restart the daemon so the rule takes effect
fagenrules
systemctl restart fapolicyd
```
:::

### Falco

UDS Core uses Falco's Modern eBPF Probe, which has the following requirements:
- Kernel version >= 5.8
- BPF ring buffer support
- BTF (BPF Type Format) exposure
Most modern OS distributions meet these requirements out of the box.
### Vector kernel parameters

Vector scrapes logs from all cluster workloads and may require kernel parameter adjustments on your nodes:

```bash
# Raise file-descriptor and inotify limits so Vector can tail every container log
declare -A sysctl_settings
sysctl_settings["fs.nr_open"]=13181250
sysctl_settings["fs.inotify.max_user_instances"]=1024
sysctl_settings["fs.inotify.max_user_watches"]=1048576
sysctl_settings["fs.file-max"]=13181250
for key in "${!sysctl_settings[@]}"; do
  value="${sysctl_settings[$key]}"
  # Apply immediately, and persist a drop-in so the value survives reboot
  sysctl -w "$key=$value"
  echo "$key=$value" > "/etc/sysctl.d/$key.conf"
done
sysctl --system
```

Apply this as part of your node image build or cloud-init process.
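The node requirements above (Istio's kernel modules, Falco's kernel version and BTF needs, and Vector's sysctl minimums) are easiest to verify with one script run on every node after your image build or cloud-init has applied them. The script below is an added example, not part of UDS Core; the module names and thresholds are the ones this page lists, the BTF path `/sys/kernel/btf/vmlinux` is where Linux exposes it, and the `--run` flag, `version_ge`, `missing_modules`, `sysctl_ok` and `btf_exposed` are names chosen here.

```shell
#!/bin/sh
# Node preflight for the Istio, Falco and Vector requirements above.
# Added example, not part of UDS Core. Run on each node as root with:
#   sh node-preflight.sh --run
MIN_KERNEL=5.8   # Falco modern eBPF probe minimum (from the page)
ISTIO_MODULES="br_netfilter xt_REDIRECT xt_owner xt_statistic iptable_mangle iptable_nat xt_conntrack xt_tcpudp xt_connmark xt_mark ip_set"

# version_ge A B: true when the major.minor of A is at least that of B.
# Accepts full `uname -r` strings such as 5.15.0-91-generic or 4.18.0-477.el8.
version_ge() {
  a_major=${1%%.*}; b_major=${2%%.*}
  case "$1" in *.*) a_minor=${1#*.}; a_minor=${a_minor%%[!0-9]*} ;; *) a_minor=0 ;; esac
  case "$2" in *.*) b_minor=${2#*.}; b_minor=${b_minor%%[!0-9]*} ;; *) b_minor=0 ;; esac
  a_minor=${a_minor:-0}; b_minor=${b_minor:-0}
  [ "$a_major" -gt "$b_major" ] || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# missing_modules LOADED: LOADED is a whitespace-separated list of module names,
# e.g. "$(lsmod | awk 'NR > 1 { print $1 }')". Prints the required modules absent
# from it and returns non-zero if any are. Modules compiled into the kernel never
# appear in lsmod; check /lib/modules/$(uname -r)/modules.builtin before treating
# such a name as missing.
missing_modules() {
  missing=""
  for m in $ISTIO_MODULES; do
    found=0
    for l in $1; do
      if [ "$l" = "$m" ]; then found=1; break; fi
    done
    [ "$found" -eq 1 ] || missing="$missing $m"
  done
  missing=${missing# }
  [ -n "$missing" ] && printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# sysctl_min KEY: minimum this page sets for KEY, or empty if KEY is not one of them.
sysctl_min() {
  case "$1" in
    fs.nr_open|fs.file-max) echo 13181250 ;;
    fs.inotify.max_user_instances) echo 1024 ;;
    fs.inotify.max_user_watches) echo 1048576 ;;
    *) echo "" ;;
  esac
}

# sysctl_ok KEY VALUE: true when VALUE (e.g. from `sysctl -n KEY`) meets the minimum.
sysctl_ok() {
  min=$(sysctl_min "$1")
  [ -n "$min" ] && [ "$2" -ge "$min" ]
}

# btf_exposed [PATH]: true when the kernel exports BTF, which the modern eBPF
# probe needs to load without a driver build. Kernels >= 5.8 that expose BTF
# also have the ring buffer support the page lists.
btf_exposed() {
  [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# Live checks run only with --run, so the functions can also be sourced or tested.
if [ "${1:-}" = "--run" ]; then
  status=0
  k=$(uname -r)
  version_ge "$k" "$MIN_KERNEL" && echo "PASS kernel $k >= $MIN_KERNEL" || { echo "FAIL kernel $k < $MIN_KERNEL"; status=1; }
  btf_exposed && echo "PASS BTF exposed" || { echo "FAIL BTF not exposed at /sys/kernel/btf/vmlinux"; status=1; }
  if miss=$(missing_modules "$(lsmod | awk 'NR > 1 { print $1 }')"); then
    echo "PASS all Istio kernel modules loaded"
  else
    echo "FAIL modules not loaded: $miss"; status=1
  fi
  for key in fs.nr_open fs.inotify.max_user_instances fs.inotify.max_user_watches fs.file-max; do
    cur=$(sysctl -n "$key")
    sysctl_ok "$key" "$cur" && echo "PASS $key=$cur" || { echo "FAIL $key=$cur below $(sysctl_min "$key")"; status=1; }
  done
  exit "$status"
fi
```

Running this from cloud-init after the module and sysctl steps, and failing the node bootstrap when it exits non-zero, catches a base image that silently lacks BTF or a module before Falco and istio-cni start crash-looping in the cluster.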
## UDS Registry access

Defense Unicorns publishes UDS Core packages to the UDS Registry. You need an account and a read token to pull packages.

- Create an account at registry.defenseunicorns.com
- Create a read token from your account settings in the registry web UI
- Authenticate locally using the command provided in the registry web UI after creating your token
## Checklist

Before moving on, confirm you have completed the following:

- Kubernetes cluster is running
- Default storage class is present
- Load balancer provisioner is installed
- You own a domain and can create wildcard DNS records
- TLS certificates are available (or obtainable) for `*.yourdomain.com` and `*.admin.yourdomain.com`
- Object storage buckets are created with credentials available
- An external PostgreSQL database for Keycloak is available with credentials ready
- UDS CLI is installed (`uds version`)
- Authenticated to the UDS Registry with a read token