Requirements

These are the requirements for installing the data plane agent into your organization’s cloud. Instructions for installing a local agent can be found here.

Prerequisites

Kubernetes Cluster

The data plane agent is installed via Helm on your Kubernetes cluster.

  • You (the admin) must have proper permissions to interact with the cluster via Helm and kubectl.

  • Nodes with 16GiB+ memory are recommended. For AWS EC2, this would be xlarge instances.

  • Cluster must allow containers to make external network calls to the RI Platform.

  • Cluster must have nodes that the agent and launched jobs can be scheduled on (i.e. without NoSchedule taints).

Robust Intelligence can provide assistance in setting up your cluster.

Data Access Permissions

The data plane agent uses a K8s service account for read access to the data and models you wish to use.

AWS EKS + S3

First, create an IAM role that the rime-agent-model-tester Kubernetes service account can assume.

If not already configured for your cluster, be sure to create an IAM OIDC provider for your cluster to use IAM roles for service accounts.

Additionally, be sure to connect the rime-agent-model-tester Kubernetes service account to an IAM role with the following policy. This ensures the agent has read access to the appropriate S3 bucket(s).

  • Configuring a Kubernetes service account to assume an IAM role

  • data plane agent S3 Bucket read policy:

    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:ListBucket"
              ],
              "Resource": "arn:aws:s3:::<YOUR_BUCKET>"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetObject"
              ],
              "Resource": "arn:aws:s3:::<YOUR_BUCKET>/*"
          }
      ]
    }
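The role's trust policy decides which Kubernetes service accounts can assume it, so it is worth checking that it names only rime-agent-model-tester. The following is an added example, not Robust Intelligence code: a small audit of a trust policy document, where the namespace, account ID and OIDC issuer are constructed placeholders.

```python
# Added example (not vendor code): audit the trust policy of the IAM role that
# the agent's service account assumes. Namespace and ARNs are placeholders.
SERVICE_ACCOUNT = "rime-agent-model-tester"  # service account name from this page
NAMESPACE = "example-namespace"              # assumption: your install namespace

def _as_list(value):
    """IAM JSON allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, namespace=NAMESPACE):
    """Return findings for web-identity statements; [] means none is too broad."""
    expected = f"system:serviceaccount:{namespace}:{SERVICE_ACCOUNT}"
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity"
                not in _as_list(stmt.get("Action", []))):
            continue
        subs, auds = [], []
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                if key.endswith(":sub"):
                    if operator != "StringEquals":
                        findings.append(f"sub matched with {operator}, not StringEquals")
                    subs += _as_list(value)
                elif key.endswith(":aud") and operator == "StringEquals":
                    auds += _as_list(value)
        if not subs:
            findings.append("no :sub condition: any service account in the cluster can assume the role")
        findings += [f"unexpected subject: {s}" for s in subs if s != expected]
        if auds != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings

# Constructed samples: the account ID and OIDC issuer below are placeholders.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000000000"
def sample_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}]}

PINNED = sample_policy({"StringEquals": {
    f"{ISSUER}:sub": f"system:serviceaccount:{NAMESPACE}:{SERVICE_ACCOUNT}",
    f"{ISSUER}:aud": "sts.amazonaws.com"}})
UNPINNED = sample_policy({"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}})
WILDCARD = sample_policy({"StringLike": {f"{ISSUER}:sub": "system:serviceaccount:*:*"},
                          "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}})
```

To check a real role, pass `audit_trust_policy` the document returned by `aws iam get-role --query Role.AssumeRolePolicyDocument`, together with the namespace the agent is installed in.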
    

GCP GKE + GCS

Ensure that your GKE cluster has Workload Identity enabled.

Create an IAM service account and grant it role(s) that have storage.buckets.get and storage.objects.get permissions.

Add an IAM policy binding between the IAM service account and the Kubernetes service account rime-agent-model-tester with role roles/iam.workloadIdentityUser. This will allow the Kubernetes service account to impersonate the IAM service account, which possesses the appropriate read access for the GCS bucket(s).

Other Cloud Providers

If you are using a different cloud provider or want to specify the service account directly, you can specify other configurations via the rimeAgent.modelTestJob.serviceAccount Helm values. A Robust Intelligence team member can help you through this process.