Requirements for running prokube
Kubernetes Cluster
To run prokube, you will need a Kubernetes cluster. prokube supports multiple Kubernetes distributions: managed services (GKE, EKS, AKS), MicroK8s for smaller self-managed deployments, and kubeadm-based clusters, OpenShift, or Rancher for larger on-premises installations. See Deployment Options for guidance on choosing a distribution.
Recommended Hardware for a Kubernetes cluster:
- Kubernetes Version: 1.29 or higher
- At least 3 Nodes
- At least 32 GB RAM per Node (recommended: 96 GB RAM per Node)
- At least 8 CPU Cores per Node (recommended: 24 CPU Cores per Node)
- At least 100 GB Storage per Node (recommended: 1 TB Storage per Node)
If you want to run GPU workloads, make sure that your GPUs are supported by the NVIDIA GPU Operator.
DNS and TLS
To run prokube, you will need two domain names that resolve to the IP address(es) of your Kubernetes cluster (at least the nodes running ingress, or the load balancer in front of the cluster): one for accessing most services and one specifically for MinIO, e.g. prokube.example.com and minio.prokube.example.com.
You will also need TLS certificates for these domain names. You can use Let's Encrypt to obtain free TLS certificates, or you can use your own certificates. If you use Let's Encrypt, you will need to ensure that the domain names are publicly accessible and that the ACME challenge can be completed.
Firewall
If you are running your own Kubernetes, the nodes need to be able to communicate with each other. This means that the firewall needs to allow traffic on the following ports:
- 16443 - API server (SSL encrypted, requires client certificates)
- 10250 - kubelet (X509 client certificate required)
- 10255 - kubelet read-only port
- 10257 - kube-controller-manager (HTTPS with authentication)
- 10259 - kube-scheduler (HTTPS with authentication)
- 25000 - cluster-agent (requires proper token for authorization)
- 2379 - etcd client requests
- 2380 - etcd peer communication
- 12379 - etcd (SSL encrypted, client certificates required)
- 19001 - dqlite (SSL encrypted, client certificates required for cluster coordination)
- 4789 - Calico networking
Furthermore, you will need to allow traffic from the network your users are on to the following ports:
- 80 - HTTP (optional, only used for redirecting to port 443)
- 443 - HTTPS
- 16443 - Kubernetes API server (SSL encrypted, requires client certificates)
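One way to turn the two port lists above into source-scoped host firewall rules, as an added example that is not part of the prokube documentation. It assumes ufw with its default deny-incoming policy, IPv4 networks, TCP for every port except 4789 (Calico VXLAN uses UDP), and constructed sample CIDRs; the script only prints the commands and does not apply them.

```shell
#!/bin/sh
# Added example: prints ufw rules that open each port only to the network
# that needs it. Nothing is executed against the firewall.

# Ports only other cluster nodes need to reach (first list above). The page
# lists no authentication for 10255, 2379, 2380 and 4789, so restricting the
# source network is the only control shown for them.
NODE_TCP_PORTS="16443 10250 10255 10257 10259 25000 2379 2380 12379 19001"
NODE_UDP_PORTS="4789"   # assumption: Calico VXLAN encapsulation runs over UDP
# Ports the user network needs to reach (second list above).
USER_TCP_PORTS="80 443 16443"

# valid_cidr: shape check for a.b.c.d/len (does not range-check the octets)
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# gen_rules NODE_CIDR USER_CIDR: emit one ufw command per rule on stdout
gen_rules() {
    node_cidr=$1
    user_cidr=$2
    valid_cidr "$node_cidr" && valid_cidr "$user_cidr" || {
        echo "usage: gen_rules NODE_CIDR USER_CIDR (IPv4 CIDR)" >&2
        return 2
    }
    for p in $NODE_TCP_PORTS; do
        echo "ufw allow from $node_cidr to any port $p proto tcp"
    done
    for p in $NODE_UDP_PORTS; do
        echo "ufw allow from $node_cidr to any port $p proto udp"
    done
    for p in $USER_TCP_PORTS; do
        echo "ufw allow from $user_cidr to any port $p proto tcp"
    done
}

# Constructed sample networks: 10.0.10.0/24 for nodes, 192.168.0.0/16 for users.
gen_rules 10.0.10.0/24 192.168.0.0/16
```

Review the printed rules before running them on a node, and keep whatever rule your own administrative access depends on.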
SSO
If you want to enable Single Sign-On (SSO) for your users, you will need to configure an OIDC application at an OIDC provider that your organization uses.
Registry and Code Repository
As your users will likely want to build their own container images, you will need to provide a code repository where they can store their code. This can be a Git repository hosted on a service like GitHub, GitLab, or Bitbucket, or it can be a self-hosted Git server. The code repository should ideally support webhooks to trigger builds in the container registry when code is pushed or updated.
You will need a container registry to store container images. Data scientists using the platform will need to build and push their own images, so you will need to provide a registry that allows them to do so.
If you do not have either a registry or a code repository, you can use a GitLab instance provided by prokube. Additional resources such as (virtual) machines, domain names, and TLS certificates will be needed.