
Advanced Kubernetes Configuration

Proxy Configuration for Kubernetes#

If your Kubernetes clusters are reachable only through a proxy, set the protocol, domain name or IP address, and port of that proxy server in the K8S_AUTH_PROXY environment variable in the pm-env.sh script you created at installation on the Privacera Manager host. The value is a full URL (scheme, host and port), not a bare host.

  1. Run the following command.

    cd privacera/privacera-manager/
    vi config/pm-env.sh
    
  2. Add the following export, substituting your proxy's protocol, host and port.

    export K8S_AUTH_PROXY="http://10.0.0.1:1234"
    
  3. Restart Privacera so the new setting takes effect.

    ./privacera-manager.sh update
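The steps above edit pm-env.sh by hand. The following added example (not Privacera's own tooling) does the same thing from a script: it validates that the value has the scheme, host and port the page requires, then replaces any existing `export K8S_AUTH_PROXY=` line or appends one, so repeated runs never leave two conflicting exports in the file. The env file path, proxy URL and API endpoint are passed as arguments; nothing else about the host is assumed.

```shell
#!/bin/sh
# Added example: idempotently set K8S_AUTH_PROXY in Privacera Manager's
# config/pm-env.sh. Assumes the file path and proxy URL are given as arguments.

# Accept only scheme://host:port (http or https, hostname or IPv4, numeric port),
# which is the shape the page asks for ("protocol, domain or IP address, and port").
validate_proxy_url() {
  printf '%s\n' "$1" | grep -qE '^https?://[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# Replace an existing `export K8S_AUTH_PROXY=` line or append one.
# Other lines in pm-env.sh are preserved untouched.
set_k8s_auth_proxy() {
  env_file=$1
  proxy_url=$2
  if ! validate_proxy_url "$proxy_url"; then
    printf 'invalid proxy URL (want scheme://host:port): %s\n' "$proxy_url" >&2
    return 1
  fi
  tmp="$env_file.tmp"
  {
    if [ -f "$env_file" ]; then
      # grep -v exits 1 when nothing is left to print (e.g. a one-line file); that is fine.
      grep -v '^export K8S_AUTH_PROXY=' "$env_file" || true
    fi
    printf 'export K8S_AUTH_PROXY="%s"\n' "$proxy_url"
  } > "$tmp"
  mv "$tmp" "$env_file"
}

# Print the proxy currently configured in the env file (empty if none).
get_k8s_auth_proxy() {
  [ -f "$1" ] && sed -n 's/^export K8S_AUTH_PROXY="\(.*\)"$/\1/p' "$1"
}

# Optional live check (needs network; not run offline): confirm the proxy
# forwards to the Kubernetes API endpoint given as $2. The API server's CA must
# be trusted by the host. A 200, 401 or 403 from the API shows the path works;
# 000 means curl could not connect through the proxy at all.
check_proxy_reaches_api() {
  curl --proxy "$1" -sS -o /dev/null -w '%{http_code}' --max-time 10 "$2/version"
}

# Usage, matching the page; run ./privacera-manager.sh update afterwards:
#   set_k8s_auth_proxy ~/privacera/privacera-manager/config/pm-env.sh "http://10.0.0.1:1234"
```

Run `./privacera-manager.sh update` after the file is changed, exactly as in step 3; the script only edits the file.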
    

Pod Topology#

If your pods are distributed across different nodes, zones or regions, you can use pod topology in Privacera Manager to control their placement for high availability and efficient resource utilization. For more information, refer to the Kubernetes documentation on pod topology spread constraints.

By default, pod topology is disabled. To enable it, do the following:

  1. Run the following command:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.kubernetes.pod-topology.yml config/custom-vars/
    vi config/custom-vars/vars.kubernetes.pod-topology.yml
    
  2. Set the following to true.

    K8S_POD_TOPOLOGY_ENABLE: "true"
    

Externalize Access to Privacera Services - Nginx Ingress#

Note

  • NGINX Ingress works only with Privacera core services and the Databricks plugin in AWS environments.

By deploying NGINX Ingress through Privacera Manager, you can expose Privacera services such as Privacera Portal, Audit Server, Solr and Ranger outside the cluster. Because these services then become reachable through the load balancer, restrict which networks can reach that load balancer before enabling it.

To deploy NGINX Ingress, do the following:

  1. Run the following command:

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.kubernetes.nginx-ingress.yml config/custom-vars/
    vi config/custom-vars/vars.kubernetes.nginx-ingress.yml
    
  2. To enable NGINX Ingress, set the following property to true.

    K8S_NGINX_INGRESS_ENABLE: "true"
    
  3. Choose whether Privacera Manager should deploy the NGINX Ingress controller itself. If you set the property to true, Privacera Manager deploys the NGINX Ingress controller in the privacera-services namespace of your Kubernetes cluster.

    Note

    Do not set this property to true if an NGINX Ingress controller is already installed in your cluster.

    K8S_NGINX_INGRESS_CONTROLLER_ENABLE: "false"
    
  4. If K8S_NGINX_INGRESS_CONTROLLER_ENABLE is false, provide the load balancer hostname of your existing controller's service (the hostname alone, without a scheme, as in the example below).

    NGINX_INGRESS_EXTERNAL_URL: "aaa71bxxxxx-11xxxxx10.us-east-1.elb.amazonaws.com"
    
  5. By default, DNS names of Privacera services follow the pattern service_name-namespace.domain_name. To change the domain name used in the Privacera service URLs, edit the following property.

    AWS_ROUTE53_DOMAIN_NAME: "<PLEASE_UPDATE>"
    
  6. Provide the AWS Route 53 hosted zone ID so that Privacera Manager can create the DNS records for those names in that zone.

    PRIVACERA_AWS_ZONE_ID: "<PLEASE_UPDATE>" 
    

    You can get the value by doing one of the following:

    • Run the following command where your Privacera Manager is installed.

      aws route53 list-hosted-zones-by-name --dns-name <ZONE_NAME> --query 'HostedZones[].Id' --output text | cut -d/ -f3
      

      OR

    • In the AWS console, navigate to Route 53 > Hosted zones, open your zone and copy its Hosted zone ID.
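Steps 1 to 6 above leave `<PLEASE_UPDATE>` placeholders that must be replaced by hand. The following added example (not part of Privacera Manager) renders vars.kubernetes.nginx-ingress.yml from validated inputs instead, so a placeholder, an empty load balancer hostname or a malformed zone ID is rejected before the file is written, and it shows the DNS name Privacera Manager will create for a service under the service_name-namespace.domain_name pattern. The YAML keys are exactly those listed on this page; the domain example.com, the zone ID Z0123456789ABCDEFGHIJ, and the service and namespace names in the usage lines are constructed sample values, and the controller namespace and service name passed to kubectl depend on how the existing controller was installed.

```shell
#!/bin/sh
# Added example: generate config/custom-vars/vars.kubernetes.nginx-ingress.yml
# from validated inputs. Constructed sample values: example.com,
# Z0123456789ABCDEFGHIJ, and the service/namespace names in the usage lines.

PLACEHOLDER='<PLEASE_UPDATE>'

# Route 53 hosted zone IDs are uppercase alphanumeric strings beginning with "Z"
# (the form returned by `aws route53 list-hosted-zones-by-name`).
validate_zone_id() {
  printf '%s\n' "$1" | grep -qE '^Z[A-Z0-9]+$'
}

# The existing controller's load balancer is given as a bare hostname, as on
# the page, not as a URL: reject a scheme, a path or an empty value.
validate_external_url() {
  printf '%s\n' "$1" | grep -qE '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# DNS name Privacera Manager creates for a service: service_name-namespace.domain_name.
privacera_service_fqdn() {
  printf '%s-%s.%s\n' "$1" "$2" "$3"
}

# Hostname of an already-installed controller's LoadBalancer Service (needs
# cluster access; $1 is its namespace, $2 its Service name).
lookup_existing_lb_hostname() {
  kubectl -n "$1" get svc "$2" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
}

# Args: controller_enable (true|false) external_url domain zone_id.
# Prints the vars file to stdout; prints nothing and returns 1 on invalid input.
render_nginx_ingress_vars() {
  controller_enable=$1 external_url=$2 domain=$3 zone_id=$4
  case "$controller_enable" in
    true|false) ;;
    *) echo "controller_enable must be true or false" >&2; return 1 ;;
  esac
  if [ -z "$domain" ] || [ "$domain" = "$PLACEHOLDER" ]; then
    echo "AWS_ROUTE53_DOMAIN_NAME is still unset" >&2; return 1
  fi
  if ! validate_zone_id "$zone_id"; then
    echo "PRIVACERA_AWS_ZONE_ID does not look like a hosted zone ID: $zone_id" >&2; return 1
  fi
  if [ "$controller_enable" = false ] && ! validate_external_url "$external_url"; then
    echo "NGINX_INGRESS_EXTERNAL_URL must be the existing LB hostname: '$external_url'" >&2; return 1
  fi
  printf 'K8S_NGINX_INGRESS_ENABLE: "true"\n'
  printf 'K8S_NGINX_INGRESS_CONTROLLER_ENABLE: "%s"\n' "$controller_enable"
  # The external URL is only meaningful when an existing controller is used.
  if [ "$controller_enable" = false ]; then
    printf 'NGINX_INGRESS_EXTERNAL_URL: "%s"\n' "$external_url"
  fi
  printf 'AWS_ROUTE53_DOMAIN_NAME: "%s"\n' "$domain"
  printf 'PRIVACERA_AWS_ZONE_ID: "%s"\n' "$zone_id"
}

# Usage with an existing controller (constructed names), then ./privacera-manager.sh update:
#   lb=$(lookup_existing_lb_hostname ingress-nginx ingress-nginx-controller)
#   render_nginx_ingress_vars false "$lb" example.com Z0123456789ABCDEFGHIJ \
#     > ~/privacera/privacera-manager/config/custom-vars/vars.kubernetes.nginx-ingress.yml
#   privacera_service_fqdn portal privacera-services example.com
```

Because the function writes nothing on a validation failure, redirecting its output to the vars file cannot leave a half-written or placeholder-bearing configuration behind.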