
Prerequisites

Work through each section and confirm your environment meets the requirements before building your bundle.


UDS Core runs on any CNCF-conformant Kubernetes distribution that has not reached End-of-Life. Supported and tested distributions include:

Distribution   Notes
RKE2           Recommended for on-premises and classified deployments. See RKE2 requirements.
K3s            Lightweight option for edge and resource-constrained environments. See K3s requirements.
EKS            AWS managed Kubernetes. See EKS documentation.
AKS            Azure managed Kubernetes. See AKS documentation.

UDS Core deploys multiple platform services. Plan your cluster sizing to accommodate them. As a baseline for a production deployment:

  • CPU: 12+ vCPUs across worker nodes
  • Memory: 32+ GiB RAM across worker nodes
  • Storage: 100+ GiB persistent storage available through the default storage class

These are conservative minimums. Size up based on the workloads you plan to run on top of UDS Core.


Several UDS Core components require persistent volumes. Verify your cluster has a default storage class configured:

Terminal window
kubectl get storageclass

The output should show (default) next to exactly one of the listed storage classes; with no default, PersistentVolumeClaims that omit a storageClassName stay Pending, and with several defaults the provisioner choice is ambiguous:

Output
NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   true                   10d

Istio’s ingress gateways require a load balancer. When a Service of type LoadBalancer is created, your cluster must be able to provision an external IP automatically.

  • Cloud environments: Use your cloud provider’s load balancer controller (e.g., AWS Load Balancer Controller).
  • On-premises: Use a bare-metal load balancer such as MetalLB or kube-vip. A MetalLB UDS Package is available.
  • Conflicting ingress controllers: Some distributions (e.g., RKE2) include ingress-nginx by default. Disable it before deploying UDS Core to avoid conflicts with Istio.

If running RKE2 with the CIS hardening profile, the control plane components bind their metrics endpoints to 127.0.0.1 by default, which prevents Prometheus from scraping them. Add the following to /etc/rancher/rke2/config.yaml on each control plane node:

/etc/rancher/rke2/config.yaml
kube-controller-manager-arg:
- bind-address=0.0.0.0
kube-scheduler-arg:
- bind-address=0.0.0.0
etcd-arg:
- listen-metrics-urls=http://0.0.0.0:2381

Restart RKE2 after making these changes. Note what this widens: the controller manager (port 10257), the scheduler (port 10259) and the etcd metrics listener (port 2381) become reachable on every interface of the node instead of loopback only. The first two serve metrics over TLS with authorization delegated to the API server, but the etcd metrics endpoint is plain HTTP with no authentication, so restrict these ports at the host firewall to the pod and node address ranges that Prometheus scrapes from.

You must own a domain and be able to create wildcard DNS records pointing to your load balancer IP. See Provision External Services for details.

You must have TLS certificates (or the ability to obtain them) for both your tenant and admin domains. See Provision External Services for options.


The UDS Operator dynamically provisions NetworkPolicy resources to secure traffic between components. Your CNI must enforce network policies.

If you are using Cilium, note that its CIDR-based policies do not match node IP addresses unless the policyCIDRMatchMode setting is enabled with the value nodes (for example --set policyCIDRMatchMode=nodes when installing the Cilium Helm chart). Enable it before deploying UDS Core, otherwise generated policies that allow traffic to node-addressed endpoints will not behave as intended.
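Some CNIs accept NetworkPolicy objects but never enforce them, which silently defeats the isolation the UDS Operator's generated policies are meant to provide. The script below is an added check, not UDS Core code: it creates a throwaway namespace with an nginx server pod and a busybox client pod, confirms they can talk, applies a default-deny ingress policy, and fails if the connection still succeeds. It assumes kubectl with a current context, a fresh cluster (run it before UDS Core, since hardened namespaces may reject these pods) and nodes that can pull the public nginx and busybox images; the namespace name netpol-check is an arbitrary choice.

```shell
#!/usr/bin/env bash
# Added check: prove the CNI enforces NetworkPolicy before relying on the policies
# the UDS Operator generates. Not UDS Core code; assumes kubectl with a current
# context and that nodes can pull the public nginx and busybox images.
set -euo pipefail

NS=${NS:-netpol-check}   # throwaway namespace (arbitrary name), removed on exit

# Render a default-deny ingress policy for the given namespace: an empty
# podSelector selects every pod, and listing Ingress with no rules drops all
# inbound traffic.
deny_all_ingress_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# Succeed if the client pod can open TCP/80 to the given pod IP.
can_connect() {
  kubectl -n "$NS" exec client -- nc -z -w 2 "$1" 80 >/dev/null 2>&1
}

netpol_enforcement_check() {
  trap 'kubectl delete namespace "$NS" --ignore-not-found --wait=false >/dev/null' EXIT
  kubectl create namespace "$NS" >/dev/null
  kubectl -n "$NS" run server --image=nginx --restart=Never >/dev/null
  kubectl -n "$NS" run client --image=busybox --restart=Never -- sleep 600 >/dev/null
  kubectl -n "$NS" wait pod/server pod/client --for=condition=Ready --timeout=120s >/dev/null
  local ip
  ip=$(kubectl -n "$NS" get pod server -o jsonpath='{.status.podIP}')

  # Baseline: with no policy the connection must succeed, or the result is meaningless.
  can_connect "$ip" || { echo "FAIL  no connectivity without a policy; fix cluster networking first"; return 1; }

  deny_all_ingress_manifest "$NS" | kubectl apply -f - >/dev/null
  sleep 5   # allow the CNI agents to program the new policy
  if can_connect "$ip"; then
    echo "FAIL  connection succeeded under deny-all; this CNI does not enforce NetworkPolicy"
    return 1
  fi
  echo "ok    NetworkPolicy is enforced"
}

if [ "${1:-}" = run ]; then
  netpol_enforcement_check
fi
```

Run it as bash netpol-check.sh run. A pass only proves ingress enforcement for pod-to-pod traffic; egress rules and node-addressed CIDR rules (the Cilium case above) need their own probe.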


Istio requires certain kernel modules to be loaded on each node. Run the following as part of your node image build or cloud-init configuration:

Terminal window
# Kernel modules Istio's iptables-based traffic redirection relies on.
modules=("br_netfilter" "xt_REDIRECT" "xt_owner" "xt_statistic" "iptable_mangle" "iptable_nat" "xt_conntrack" "xt_tcpudp" "xt_connmark" "xt_mark" "ip_set")
conf=/etc/modules-load.d/istio-modules.conf
for module in "${modules[@]}"; do
  # Load now (modprobe succeeds for built-in modules too), and persist the name
  # in modules-load.d so systemd loads it at boot; skip names already listed so
  # the script is safe to re-run.
  modprobe "$module"
  grep -qxF "$module" "$conf" 2>/dev/null || echo "$module" >> "$conf"
done

See Istio’s platform requirements for the full upstream list.


UDS Core uses Falco’s Modern eBPF Probe, which requires:

  • A Linux kernel of version 5.8 or newer
  • BTF (BPF Type Format) information exposed by the kernel (CONFIG_DEBUG_INFO_BTF=y, visible as /sys/kernel/btf/vmlinux), so the CO-RE probe can adapt to the running kernel without a per-kernel build

Most modern OS distributions meet these requirements out of the box.


Vector collects logs from every workload on each node, which can exhaust the kernel’s default file-descriptor and inotify limits on busy nodes. Raise them with the following:

Terminal window
# Per-process (fs.nr_open) and system-wide (fs.file-max) open-file ceilings,
# plus inotify instance and watch limits for log tailing.
declare -A sysctl_settings
sysctl_settings["fs.nr_open"]=13181250
sysctl_settings["fs.inotify.max_user_instances"]=1024
sysctl_settings["fs.inotify.max_user_watches"]=1048576
sysctl_settings["fs.file-max"]=13181250
for key in "${!sysctl_settings[@]}"; do
  value="${sysctl_settings[$key]}"
  # Apply immediately, then persist one drop-in file per key for the next boot.
  sysctl -w "$key=$value"
  echo "$key=$value" > "/etc/sysctl.d/$key.conf"
done
# Reload every sysctl drop-in so the persisted files are known to be valid.
sysctl --system

Apply this as part of your node image build or cloud-init process.


Before moving on, confirm:

  • Kubernetes cluster is running
  • Default storage class is present
  • Load balancer provisioner is installed
  • You own a domain and can create wildcard DNS records
  • TLS certificates are available (or obtainable) for *.yourdomain.com and *.admin.yourdomain.com
  • Object storage buckets are created with credentials available
  • An external PostgreSQL database for Keycloak is available with credentials ready
  • UDS CLI is installed (uds version)
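The node-level items above (default storage class, Istio kernel modules, the Falco kernel and BTF requirements, and the Vector sysctls) are easy to get wrong on a node image and only surface later as failed pods. The script below is an added preflight check, not part of UDS Core: it parses kubectl get storageclass for exactly one default, treats built-in kernel modules as present (they never appear in lsmod), compares the running kernel against 5.8 and looks for BTF, and verifies each sysctl meets its minimum. It assumes a Linux node shell with kubectl and a current kube context; the SAMPLE_SC_OUTPUT string is constructed to demonstrate the parser and the file name uds-preflight.sh is arbitrary. The domain, TLS, object storage, PostgreSQL and load balancer items on the checklist are not covered here.

```shell
#!/usr/bin/env bash
# Added node and cluster preflight script for the prerequisites checklist. Not
# part of UDS Core; assumes a Linux node shell with kubectl and a current kube
# context. Run it as: bash uds-preflight.sh run
set -euo pipefail

# Constructed sample of `kubectl get storageclass` output, used only to
# demonstrate the parser; the live run feeds real kubectl output instead.
SAMPLE_SC_OUTPUT='NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   true                   10d
local-path      rancher.io/local-path   Delete          WaitForFirstConsumer   false                  10d'

ISTIO_MODULES=(br_netfilter xt_REDIRECT xt_owner xt_statistic iptable_mangle iptable_nat
               xt_conntrack xt_tcpudp xt_connmark xt_mark ip_set)
declare -A REQUIRED_SYSCTL=([fs.nr_open]=13181250 [fs.inotify.max_user_instances]=1024
                            [fs.inotify.max_user_watches]=1048576 [fs.file-max]=13181250)

# Print the storage class marked (default); fail if there is none or more than
# one, since either leaves PersistentVolumeClaims without a clear provisioner.
default_storageclass() {
  awk '$2 == "(default)" { print $1; n++ } END { exit !(n == 1) }' <<<"$1"
}

# Given a newline-separated list of available module names, print the required
# ones that are absent; succeed only if none are.
missing_modules() {
  local available=$1 m rc=0; shift
  for m in "$@"; do
    grep -qxF "$m" <<<"$available" || { echo "$m"; rc=1; }
  done
  return $rc
}

# Modules usable on this node: loaded ones plus built-ins, which never show up
# in lsmod but need no modprobe either.
available_modules() {
  awk '{ print $1 }' /proc/modules
  sed 's#.*/##; s/\.ko.*$//' "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null || true
}

# Succeed if a kernel release such as 5.15.0-91-generic is at least major.minor.
kernel_at_least() {
  local release=$1 min_major=$2 min_minor=$3 major minor rest
  IFS=. read -r major minor rest <<<"${release%%-*}"
  (( major > min_major || (major == min_major && minor >= min_minor) ))
}

# Falco's modern eBPF probe is CO-RE and needs the kernel to expose BTF.
has_btf() { [ -r /sys/kernel/btf/vmlinux ]; }

# Succeed if the live value of a sysctl is at least the required minimum.
sysctl_meets() {
  local current
  current=$(sysctl -n "$1" 2>/dev/null) || return 1
  [ "$current" -ge "$2" ]
}

uds_preflight() {
  local rc=0 sc missing key
  if sc=$(default_storageclass "$(kubectl get storageclass)"); then
    echo "ok    default storage class: $sc"
  else
    echo "FAIL  expected exactly one default storage class"; rc=1
  fi
  if missing=$(missing_modules "$(available_modules)" "${ISTIO_MODULES[@]}"); then
    echo "ok    Istio kernel modules"
  else
    echo "FAIL  kernel modules missing: $(tr '\n' ' ' <<<"$missing")"; rc=1
  fi
  for key in "${!REQUIRED_SYSCTL[@]}"; do
    if sysctl_meets "$key" "${REQUIRED_SYSCTL[$key]}"; then
      echo "ok    $key"
    else
      echo "FAIL  $key is below ${REQUIRED_SYSCTL[$key]}"; rc=1
    fi
  done
  if kernel_at_least "$(uname -r)" 5 8 && has_btf; then
    echo "ok    kernel $(uname -r) with BTF (Falco modern eBPF probe)"
  else
    echo "FAIL  kernel older than 5.8 or no BTF at /sys/kernel/btf/vmlinux"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = run ]; then
  uds_preflight
fi
```

Run it on every worker node as root (sysctl and /proc/modules are node-local) and treat any FAIL line as a blocker; a nonzero exit status makes it usable as a gate in an image-build pipeline.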