Privacera Platform master publication

Advanced Kubernetes configuration

Proxy configuration for Kubernetes

If your clusters are reached through a proxy service, set the protocol, domain name or IP address, and port of the proxy server on the Privacera host in the environment variable K8S_AUTH_PROXY, in the pm-env.sh script you created at installation.

  1. Open the pm-env.sh file.

    cd privacera/privacera-manager/
    vi config/pm-env.sh
  2. Add the following property.

    export K8S_AUTH_PROXY="http://10.0.0.1:1234"
  3. Restart Privacera.

    ./privacera-manager.sh update
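A typo in the export line (for example a missing space after export) means the proxy is silently never picked up, and a value without a protocol or port is not a usable proxy URL. The following script is an added example, not part of Privacera Manager: it reads a constructed pm-env.sh fragment, extracts K8S_AUTH_PROXY with a hypothetical parse_proxy_export function, and checks the value has the protocol://host:port shape with a hypothetical validate_proxy_url function before you run the update.

```shell
#!/bin/sh
# Added example, not Privacera's own code: check the K8S_AUTH_PROXY line in
# config/pm-env.sh before running ./privacera-manager.sh update.
# The pm-env.sh text below is constructed for this example.

# Constructed stand-in for the relevant lines of config/pm-env.sh
PM_ENV_SAMPLE='# proxy for cluster access
export K8S_AUTH_PROXY="http://10.0.0.1:1234"'

# parse_proxy_export: reads pm-env.sh text on stdin and prints the value of the
# last well-formed "export K8S_AUTH_PROXY=..." line (surrounding quotes
# stripped). A line without the space after "export" is not an export of
# K8S_AUTH_PROXY at all, so it is ignored and nothing is printed.
parse_proxy_export() {
    value=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # drop leading whitespace
        case $line in
            'export K8S_AUTH_PROXY='*)
                value=${line#export K8S_AUTH_PROXY=}
                value=${value#\"}; value=${value%\"}
                ;;
        esac
    done
    printf '%s\n' "$value"
}

# validate_proxy_url URL: returns 0 when URL is http(s)://host:port with a
# non-empty host and a port in 1..65535, 1 otherwise.
validate_proxy_url() {
    url=$1
    case $url in
        http://*|https://*) ;;
        *) return 1 ;;                              # protocol is mandatory
    esac
    hostport=${url#*://}
    hostport=${hostport%%/*}                        # ignore any path
    host=${hostport%:*}
    port=${hostport##*:}
    [ -n "$host" ] || return 1
    [ "$host" != "$hostport" ] || return 1          # no ":port" present
    case $port in
        ''|*[!0-9]*) return 1 ;;                    # port must be numeric
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Stand-alone run over the constructed sample
proxy=$(printf '%s\n' "$PM_ENV_SAMPLE" | parse_proxy_export)
if [ -z "$proxy" ]; then
    echo "K8S_AUTH_PROXY is not exported in pm-env.sh"
elif validate_proxy_url "$proxy"; then
    echo "K8S_AUTH_PROXY=$proxy looks well-formed"
else
    echo "K8S_AUTH_PROXY=$proxy is malformed: expected protocol://host:port"
fi
```

To check the real file instead of the sample, pipe it in: `parse_proxy_export < config/pm-env.sh`. The parser deliberately accepts only the exact `export K8S_AUTH_PROXY=` form, so the no-space mistake shows up as "not exported" rather than passing through.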
Pod topology

If your pods are distributed across different nodes, zones or regions, you can use pod topology in Privacera Manager to control them for high availability and efficient resource utilization. For more information on pod topology, refer to the Kubernetes documentation.

By default, pod topology is disabled. Follow the steps below to enable it:

  1. Copy the .yml file to the custom-vars directory and open it.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.kubernetes.pod-topology.yml config/custom-vars/
    vi config/custom-vars/vars.kubernetes.pod-topology.yml
  2. Set K8S_POD_TOPOLOGY_ENABLE:"true"

Externalize access to Privacera services - Nginx Ingress

Note

NGINX Ingress works only with Privacera core services and Databricks Plugin on the AWS environment.

Deploying NGINX Ingress in Privacera, you can provide external access to Privacera services such as Privacera Portal, Audit Server, Solr and Ranger.

To deploy NGINX Ingress, do the following:

Steps to deploy NGINX Ingress
  1. Copy the .yml file to the /custom-vars directory and open it.

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.kubernetes.nginx-ingress.yml config/custom-vars/
    vi config/custom-vars/vars.kubernetes.nginx-ingress.yml
  2. To enable NGINX Ingress, set K8S_NGINX_INGRESS_ENABLE:"true".

  3. Choose whether Privacera Manager should deploy the NGINX Ingress controller. If you set K8S_NGINX_INGRESS_CONTROLLER_ENABLE to true, Privacera Manager deploys the NGINX Ingress controller in the privacera-services namespace of your Kubernetes cluster.

    Caution

    Do not set the property to true if an NGINX Ingress controller is already installed in your cluster.

    K8S_NGINX_INGRESS_CONTROLLER_ENABLE:"false"
  4. If K8S_NGINX_INGRESS_CONTROLLER_ENABLE is false, provide the load balancer URL of your existing controller service.

    NGINX_INGRESS_EXTERNAL_URL:"aaa71bxxxxx-11xxxxx10.us-east-1.elb.amazonaws.com"
  5. By default, the DNS names of Privacera services follow the pattern service_name-namespace.domain_name. To change the domain name used in the Privacera service URLs, edit the following property.

    AWS_ROUTE53_DOMAIN_NAME:"<PLEASE_UPDATE>"
  6. Provide the AWS Route53 hosted zone ID so that Privacera Manager can create the DNS records.

    PRIVACERA_AWS_ZONE_ID:"<PLEASE_UPDATE>"

    You can get the value by doing one of the following:

    • Run the following command on the host where Privacera Manager is installed.

      aws route53 list-hosted-zones-by-name --dns-name <ZONE_NAME> --query HostedZones[].Id --output text | cut -d/ -f3

      OR

    • Navigate to your AWS account > Route53 > Hosted Zone ID.
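One caveat with the command above: list-hosted-zones-by-name returns hosted zones in name order starting at --dns-name, so if the exact zone does not exist the first ID returned belongs to the next zone alphabetically, and the cut pipeline hands it over without complaint. The script below is an added example, not Privacera's own tooling: it assumes the command is run with `--query 'HostedZones[].[Name,Id]' --output text` (one tab-separated Name and Id row per zone) and uses a hypothetical zone_id_for function to select the ID only when the Name column matches exactly, then prints the custom-vars line with a hypothetical zone_var_line function. The rows are a constructed stand-in for the CLI output.

```shell
#!/bin/sh
# Added example, not Privacera's own code: resolve PRIVACERA_AWS_ZONE_ID from
# the text output of
#   aws route53 list-hosted-zones-by-name --dns-name <ZONE_NAME> \
#       --query 'HostedZones[].[Name,Id]' --output text
# That call lists zones in name order starting at <ZONE_NAME>, so when the
# name does not exist the first row is the next zone alphabetically. Matching
# on the Name column avoids copying a neighbouring zone's ID.

# Constructed stand-in for the aws CLI output: one "Name<TAB>Id" row per zone
ZONES_SAMPLE=$(printf 'example.com.\t/hostedzone/Z0EXAMPLE1111111111\nexample.net.\t/hostedzone/Z0EXAMPLE2222222222')

# zone_id_for ZONE_NAME: reads the rows on stdin and prints the bare ID of the
# zone whose Name equals ZONE_NAME (trailing dot added if missing), or nothing.
zone_id_for() {
    want=$1
    case $want in
        *.) ;;
        *) want="$want." ;;                 # Route53 stores names with a trailing dot
    esac
    awk -v zone="$want" '$1 == zone { sub(/^\/hostedzone\//, "", $2); print $2; exit }'
}

# zone_var_line ZONE_ID: prints the custom-vars line to paste into
# vars.kubernetes.nginx-ingress.yml
zone_var_line() {
    printf 'PRIVACERA_AWS_ZONE_ID:"%s"\n' "$1"
}

# Stand-alone run over the constructed sample
for name in example.com example.org; do
    id=$(printf '%s\n' "$ZONES_SAMPLE" | zone_id_for "$name")
    if [ -n "$id" ]; then
        zone_var_line "$id"
    else
        echo "no hosted zone named $name. in the output; do not use the first row blindly" >&2
    fi
done
```

Against a real account, replace the sample with the CLI call: `aws route53 list-hosted-zones-by-name --dns-name example.com --query 'HostedZones[].[Name,Id]' --output text | zone_id_for example.com`. An empty result means the zone name is wrong or lives in another account, which is the situation the bare cut pipeline would have papered over.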