Version: 0.7

Prerequisites

This page details the prerequisites you need in place in order for Kore to run successfully.

Tools on your workstation:

Pre-install:

Post-install:

Kubernetes cluster to host Kore

Kore runs in a Kubernetes cluster. You can use an existing Kubernetes cluster, or follow Bootstrap a Cluster for Kore to use a local install of Kore to create a cluster in which to host your Kore instance.

The cluster where Kore runs must meet the following requirements:

  1. We recommend a dedicated cluster to host Kore because it creates and manages namespaces as teams are created. It is not recommended to install Kore into a cluster running other workloads without significant care, and only a single instance of Kore may be installed into a cluster.

    Kore can be set up to run using credentials managed entirely by AWS on EKS (recommended). To enable this with Kore on EKS, see kore setup cloudidentity.

  2. You must give kubectl access to this cluster with privileges to install a helm chart.

  3. Pre-create a namespace to install Kore's machinery into. We recommend the namespace kore for this purpose. For example, run kubectl create ns kore.

Identity Provider details

Kore uses your existing identity provider to grant access to the UI, CLI, and the infrastructure provisioned for teams. If you are testing out Kore, you can use local users (created and managed within the application); however, we do not recommend this configuration for production use.

Kore supports OpenID Connect (OIDC) for integrating with identity providers, and you must provide the following details when installing Kore:

  • Client ID
  • Server URL
  • Client Secret
  • Client Scopes to use. If the provider does not support the default scopes email, profile, and offline_access (notably Google Workspace/GSuite), you must set this to email and profile.
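
One way to check, before installing, which of the two scope sets named above a provider advertises, by reading its OIDC discovery document. This is an added example, not part of Kore: the function names and sample documents are constructed, and it assumes the Server URL is the provider's issuer URL.

```python
import json
import urllib.request

# The two scope sets named on this page.
DEFAULT_SCOPES = ["email", "profile", "offline_access"]
FALLBACK_SCOPES = ["email", "profile"]


def fetch_discovery(server_url, timeout=10):
    """Fetch the discovery document (assumes Server URL is the issuer URL)."""
    if not server_url.startswith("https://"):
        raise ValueError("Server URL must use https")
    url = server_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def issuer_matches(server_url, discovery):
    """OIDC discovery requires the issuer to equal the URL it was fetched for."""
    return discovery.get("issuer") == server_url


def choose_scopes(discovery):
    """Return (scopes, reason) for a parsed discovery document."""
    advertised = discovery.get("scopes_supported")
    if advertised is None:
        # scopes_supported is optional in discovery; absence proves nothing.
        return DEFAULT_SCOPES, "scopes_supported not advertised; check provider docs"
    missing = [s for s in DEFAULT_SCOPES if s not in advertised]
    if not missing:
        return DEFAULT_SCOPES, "all default scopes advertised"
    if all(s in advertised for s in FALLBACK_SCOPES):
        return FALLBACK_SCOPES, "not advertised: " + ", ".join(missing)
    raise ValueError("provider does not advertise: " + ", ".join(missing))


# Constructed sample documents, not captured from any real provider.
SAMPLE_FULL = {"issuer": "https://idp.example.test",
               "scopes_supported": ["openid", "email", "profile", "offline_access"]}
SAMPLE_NO_OFFLINE = {"issuer": "https://sso.example.test",
                     "scopes_supported": ["openid", "email", "profile"]}

if __name__ == "__main__":
    for doc in (SAMPLE_FULL, SAMPLE_NO_OFFLINE):
        scopes, reason = choose_scopes(doc)
        print(doc["issuer"], "->", " ".join(scopes), "(" + reason + ")")
```

The scopes_supported list is not guaranteed to be exhaustive, so treat a fallback result as a prompt to confirm against the provider's documentation.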

If you need advice on integrating your existing single sign-on infrastructure with Kore, please get in touch and we will be happy to help.

Ingress controller

In order for Kore to expose its UI and API for your use, you need an ingress controller configured in your cluster. We recommend configuring the NGINX ingress as follows.

To configure NGINX:

  1. Run the following:

    NGINX_VERSION=2.15.0
    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    helm repo update

    if ! kubectl get ns ingress >/dev/null 2>&1; then
      kubectl create ns ingress
    fi

    helm upgrade ingress ingress-nginx/ingress-nginx \
      --install \
      --version ${NGINX_VERSION} \
      --namespace=ingress \
      --set=controller.autoscaling.enabled=true \
      --set=controller.autoscaling.maxReplicas=10 \
      --set=controller.autoscaling.minReplicas=2 \
      --set=controller.service.externalTrafficPolicy=Local \
      --set=controller.service.type=LoadBalancer \
      --set=podSecurityPolicy.enabled=true

Certificate Manager

Optionally, if you do not wish to manually generate and maintain TLS certificates for Kore, you can install cert-manager into your cluster to do this for you.

To install cert-manager:

  1. Create a configuration file cert-issuer.yaml for your issuer, setting the email address as appropriate:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt
    spec:
      acme:
        email: you@yourorg.org
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-account-key
        solvers:
        - http01:
            ingress:
              class: nginx

  2. Install cert-manager:

    CERTMGR_VERSION=v1.0.2
    helm repo add jetstack https://charts.jetstack.io
    helm repo update

    if ! kubectl get ns cert-manager >/dev/null 2>&1; then
      kubectl create ns cert-manager
    fi

    helm upgrade cert-manager jetstack/cert-manager \
      --install \
      --version ${CERTMGR_VERSION} \
      --namespace cert-manager \
      --set installCRDs=true \
      --wait

    kubectl apply -f ./cert-issuer.yaml

Cloud accounts

In order to use Kore, you must provide it with one or more cloud accounts that you want it to use. There are two types of cloud accounts you can provide for each cloud:

  • Shared Accounts—if you want to use existing cloud accounts for your teams' infrastructure, you can add each account individually to Kore and allocate it to the desired teams within Kore. Each account maps to a specific AWS account, GCP project, or Azure subscription. Infrastructure is provisioned directly into the account when requested by teams.

  • Organizations—if you want to use Kore's account automation feature, you must provide Kore with access to a root organizational account in which it should create and manage child accounts. Account automation provides AWS accounts, GCP projects, and Azure subscriptions on demand for your teams.

For more information, see Cloud Accounts.

Last updated on May 24, 2021