Requirements

Provisioner host requirements

This section outlines the supplementary configuration and software required for the Provisioner host to deploy the DataRobot platform on the Amazon Elastic Kubernetes Service (EKS).

Note

You must fulfill the generic Provisioner host requirements before proceeding.

AWS CLI

The AWS Command Line Interface (AWS CLI) is an open-source tool that enables you to interact with AWS services using commands in your command-line shell. See Installing or updating to the latest version of the AWS CLI.

Provisioner node instance role

If you use a provisioner VM, DataRobot recommends configuring the VM with an IAM Instance Role and giving that role the appropriate permissions and policies to interact with the EKS cluster.

The following AWS-managed policies are recommended:

  • arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
  • arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
  • arn:aws:iam::aws:policy/AmazonEKSServicePolicy
  • arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  • arn:aws:iam::aws:policy/AmazonRoute53FullAccess

Additionally, you can add the custom policies below to facilitate the installation.

IAM read only

Provides comprehensive read-only access to IAM entities and configurations. It allows the entity to inspect, audit, and retrieve details about users, roles, policies, and security configurations within the AWS account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion",
                "iam:GetAccountPasswordPolicy",
                "iam:ListRoleTags",
                "iam:ListServerCertificates",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:ListServiceSpecificCredentials",
                "iam:ListSigningCertificates",
                "iam:ListVirtualMFADevices",
                "iam:ListSSHPublicKeys",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
                "iam:GetAccountEmailAddress",
                "iam:ListAttachedRolePolicies",
                "iam:ListOpenIDConnectProviderTags",
                "iam:ListSAMLProviderTags",
                "iam:ListRolePolicies",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetCredentialReport",
                "iam:ListPolicies",
                "iam:GetServerCertificate",
                "iam:GetRole",
                "iam:ListSAMLProviders",
                "iam:GetPolicy",
                "iam:GetAccessKeyLastUsed",
                "iam:ListEntitiesForPolicy",
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:GetAccountName",
                "iam:GetGroupPolicy",
                "iam:GetOpenIDConnectProvider",
                "iam:ListSTSRegionalEndpointsStatus",
                "iam:GetRolePolicy",
                "iam:GetAccountSummary",
                "iam:GenerateCredentialReport",
                "iam:GetServiceLastAccessedDetailsWithEntities",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListInstanceProfileTags",
                "iam:ListMFADevices",
                "iam:GetServiceLastAccessedDetails",
                "iam:GetGroup",
                "iam:GetContextKeysForPrincipalPolicy",
                "iam:GetOrganizationsAccessReport",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:ListInstanceProfilesForRole",
                "iam:GenerateOrganizationsAccessReport",
                "iam:GetCloudFrontPublicKey",
                "iam:ListAttachedUserPolicies",
                "iam:ListAttachedGroupPolicies",
                "iam:ListPolicyTags",
                "iam:GetSAMLProvider",
                "iam:ListAccessKeys",
                "iam:GetInstanceProfile",
                "iam:ListGroupPolicies",
                "iam:ListCloudFrontPublicKeys",
                "iam:GetSSHPublicKey",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListInstanceProfiles",
                "iam:GetContextKeysForCustomPolicy",
                "iam:ListPolicyVersions",
                "iam:ListOpenIDConnectProviders",
                "iam:ListServerCertificateTags",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListGroups",
                "iam:ListMFADeviceTags",
                "iam:GetLoginProfile",
                "iam:ListUserTags"
            ],
            "Resource": "*"
        }
    ]
}
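
Before attaching a custom policy such as the one above to the instance role, it helps to confirm mechanically that it grants only read-class IAM actions and has not drifted. The check below is an added example, not DataRobot's code; the function name `audit_read_only`, the set of read prefixes, and the abbreviated sample policies are assumptions constructed for illustration.

```python
import json

# Verb prefixes treated as read-class in this example (an assumption of this
# check; together they cover every action in the policy above).
READ_PREFIXES = ("get", "list", "generate", "simulate")


def _as_list(value):
    """IAM accepts a string or a list for Action; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def audit_read_only(policy_json, service="iam"):
    """Return findings for a policy that is meant to be read-only for `service`."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            prefix, _, verb = action.partition(":")
            if "*" in action or "?" in action:
                # Conservative: any wildcard is flagged, even "iam:Get*".
                findings.append(f"{sid}: wildcard action {action}")
            elif prefix.lower() != service:
                findings.append(f"{sid}: action outside {service}: {action}")
            elif not verb.lower().startswith(READ_PREFIXES):
                findings.append(f"{sid}: mutating action {action}")
    return findings


# Constructed samples: an excerpt of the policy above, and a drifted copy.
GOOD = """{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0",
  "Effect": "Allow", "Action": ["iam:GetRole", "iam:ListRoles",
  "iam:GenerateCredentialReport", "iam:SimulatePrincipalPolicy"],
  "Resource": "*"}]}"""
DRIFTED = GOOD.replace('"iam:ListRoles"', '"iam:PassRole", "iam:*"')

if __name__ == "__main__":
    print(audit_read_only(GOOD))
    for finding in audit_read_only(DRIFTED):
        print(finding)
```

An empty list means every allowed action is a read-class IAM action; run the function over the full policy text before creating the policy.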

Amazon Elastic Kubernetes Service (EKS) requirements

This section outlines the supplementary configuration required for the Amazon Elastic Kubernetes Service (EKS) to successfully run the DataRobot platform.

Note

Fulfillment of the generic Kubernetes requirements is mandatory before proceeding.

The services described below are presumed to be part of an EKS deployment since the target environment is an AWS account. While these services are recommended for a standard DataRobot installation on EKS, this page does not cover cluster configurations that omit them.

AWS service integration

| Amazon service | Reference |
|----------------|-----------|
| EKS | See Supported Kubernetes versions. |
| OIDC | Required for OpenID Connect (OIDC) identity providers. |
| IRSA | Required for IAM Roles for service accounts. |
| S3 | DataRobot object storage. |
| ECR | Primary container image registry and Image Build Service repository. |

EKS managed add-ons

| EKS managed add-on | Reference |
|--------------------|-----------|
| Amazon EBS CSI Driver | See Use Kubernetes volume storage with Amazon EBS |
| Amazon VPC CNI | See Assign IPs to Pods with the Amazon VPC CNI |
| CoreDNS | See Manage CoreDNS for DNS in Amazon EKS clusters |
| kube-proxy | See Manage kube-proxy in Amazon EKS clusters |

Amazon Elastic Container Registry (ECR)

You can install the DataRobot platform by pulling the application images from your private Amazon Elastic Container Registry (ECR). Alternatively, you can use the Docker Hub registry.

Note

Private ECR is mandatory if you intend to use DataRobot's Custom Models functionality.

See the Amazon Elastic Container Registry documentation from AWS for details.

Network policy engine

Custom model and custom task features benefit from a network policy engine that enforces Kubernetes Network Policies. A network policy engine is recommended, but not required, to ensure the security of custom model pods.

See Limit Pod traffic with Kubernetes network policies in the AWS documentation for details.