Prerequisites for Installing the Policy Workbench
Prerequisites to install Policy Workbench.
Ensure that the jump box can connect to the required repositories. If you are not already authenticated, log in to the required repository.
- For connecting and deploying from the Protegrity Container Registry (PCR), use the following command with the credentials obtained from the My.Protegrity portal during account creation:

  ```
  helm registry login registry.protegrity.com:9443
  ```

- For connecting and deploying to a local repository, use your local credentials and the local repository endpoint as required.
Ensure that the PPC cluster is installed and accessible before installing Policy Workbench on PPC.
For more information about installing PPC, refer to the section Installing PPC.
Required Tools
Ensure that the following tools are available on the jump box on which Policy Workbench is installed.
| Tool | Version | Description |
|---|---|---|
| OpenTofu | >=1.10.0 | Used to run the installer. |
| AWS CLI | Any version | Must be configured with credentials that have EKS and IAM permissions. The default region must also be set, either through the AWS_DEFAULT_REGION or AWS_REGION environment variable or in the ~/.aws/config configuration file. |
| kubectl | Any version | Required for validating the deployment. It must be configured for the target PPC cluster where Policy Workbench is deployed. |
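A preflight script for the jump box, added here as an example (it is not part of Protegrity's installer): it checks the three tool prerequisites from the table above, assuming the OpenTofu binary is `tofu` and that `tofu version` prints a first line such as `OpenTofu v1.10.3`.

```shell
#!/usr/bin/env bash
# Jump box preflight for the Policy Workbench prerequisites (added example, not Protegrity's code).
# Assumes the OpenTofu binary is "tofu" and that "tofu version" prints "OpenTofu vX.Y.Z" first.
MIN_TOFU="1.10.0"

# version_ge A B: succeeds when dotted version A is >= B (numeric per field, so 1.10 > 1.9).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# tofu_version_ok LINE: extracts the version from a "tofu version" line and checks it against MIN_TOFU.
tofu_version_ok() {
  v=$(printf '%s' "$1" | sed -n 's/.*v\([0-9][0-9.]*\).*/\1/p')
  [ -n "$v" ] && version_ge "$v" "$MIN_TOFU"
}

# resolve_aws_region CONFIG_FILE: same precedence the tools table describes:
# AWS_DEFAULT_REGION, then AWS_REGION, then the [default] profile's region key in the config file.
resolve_aws_region() {
  if [ -n "${AWS_DEFAULT_REGION:-}" ]; then printf '%s\n' "$AWS_DEFAULT_REGION"; return 0; fi
  if [ -n "${AWS_REGION:-}" ]; then printf '%s\n' "$AWS_REGION"; return 0; fi
  [ -r "$1" ] || return 1
  awk '/^\[default\]/{s=1;next} /^\[/{s=0}
       s && sub(/^[ \t]*region[ \t]*=[ \t]*/,""){print; exit}' "$1" | grep .
}

# preflight: runs all checks against the real tools; exit status 1 if anything is missing.
preflight() {
  rc=0
  if command -v tofu >/dev/null 2>&1 && tofu_version_ok "$(tofu version | head -n1)"; then
    echo "ok   OpenTofu >= $MIN_TOFU"
  else echo "FAIL OpenTofu >= $MIN_TOFU not found on PATH"; rc=1; fi
  if region=$(resolve_aws_region "$HOME/.aws/config"); then
    echo "ok   AWS region: $region"
  else echo "FAIL no AWS region (set AWS_DEFAULT_REGION, AWS_REGION or ~/.aws/config)"; rc=1; fi
  if ctx=$(kubectl config current-context 2>/dev/null); then
    echo "ok   kubectl context: $ctx (confirm this is the target PPC cluster)"
  else echo "FAIL kubectl has no current context"; rc=1; fi
  return "$rc"
}

# Run the checks only when invoked as: ./preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```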
IAM Permissions
The OpenTofu script automatically performs the following IAM actions, so the AWS credentials configured on the jump box must grant these permissions.
| Permission | Purpose |
|---|---|
| iam:CreatePolicy / iam:DeletePolicy / iam:GetPolicy | Create and manage the AWS KMS access policy. |
| iam:CreateRole / iam:DeleteRole / iam:GetRole / iam:UpdateAssumeRolePolicy | Create and manage the AWS KMS pod identity role. |
| iam:AttachRolePolicy / iam:DetachRolePolicy | Attach the AWS KMS policy to the role. |
EKS Permissions
The OpenTofu script automatically performs the following EKS actions, so the AWS credentials configured on the jump box must grant these permissions.
| Permission | Purpose |
|---|---|
| eks:DescribeCluster | Read the cluster endpoint and the certificate authority data for the Helm provider in OpenTofu. The Helm provider requires this information to connect to the PPC. |
| eks:DescribeAddon | Verify that the eks-podidentity-agent add-on is installed. |
| eks:CreatePodIdentityAssociation / eks:DeletePodIdentityAssociation / eks:DescribePodIdentityAssociation | Associate the AWS KMS role with the Policy Workbench service account. |