16 docs tagged with "installation"

Audit Logging

PaletteAI creates an audit log of platform activity by using Kubernetes admission webhooks to monitor requests. Each event is then sent to the Prometheus Alertmanager instance included in the PaletteAI deployment. This page explains what is captured, how to query audit logs, and how to forward them to a long-term storage destination.

Configure ECR Instead of Zot

An Open Container Initiative (OCI) registry is required to store OCI artifacts. Instead of the default in-cluster Zot registry, you can configure the PaletteAI Helm chart to use Amazon Elastic Container Registry (ECR). Amazon ECR works on both Amazon EKS and self-managed Kubernetes on AWS (IaaS), and you can configure it during installation or afterward.

Configure Kubernetes API Server to Trust OIDC Provider

The Kubernetes API server can trust an OIDC provider to authenticate users. We recommend that you work with your Kubernetes administrator and security team when you configure this integration. The exact steps vary by infrastructure provider and Kubernetes platform, such as AWS EKS, Azure AKS, or Google GKE.

Configure Prometheus Agent Monitoring

PaletteAI can ship metrics from spoke clusters to a Prometheus server and use them for autoscaling decisions on the hub cluster. Configure this behavior with the global.metrics section in your Helm values.yaml.

Configure User Impersonation

PaletteAI supports Kubernetes User Impersonation, a feature that allows a user to impersonate another user. This is useful when you are unable to configure the Kubernetes API server to trust Dex as an OpenID Connect (OIDC) provider. With user impersonation, you can continue to use your existing OIDC provider or local Dex users. The key requirement is that proper group mappings are configured so that the user has the correct permissions to access the resources they need.

Customize Branding

PaletteAI allows you to customize the appearance of the PaletteAI User Interface (UI) during installation or upgrades. Using Helm chart values, you can customize the following front-end elements:

Install PaletteAI on AWS IaaS

Use this guide to install PaletteAI on a self-managed Kubernetes cluster that runs on AWS EC2 instances. The deployment uses the hub-as-spoke pattern with Zot as the Open Container Initiative (OCI) registry.

Install PaletteAI on EKS

Use this guide to install PaletteAI on an Amazon EKS cluster. The deployment uses the hub-as-spoke pattern with Zot as the Open Container Initiative (OCI) registry.

Install PaletteAI on GKE

Use this guide to install PaletteAI on Google Kubernetes Engine (GKE). The deployment uses the hub-as-spoke pattern with Zot as the Open Container Initiative (OCI) registry.

Install PaletteAI on Kubernetes

Use this guide to install PaletteAI on a self-managed Kubernetes cluster where you control the API server configuration. The deployment uses the hub-as-spoke pattern with Zot as the Open Container Initiative (OCI) registry. Use this guide if you are installing PaletteAI on:

Migrate Zot Registry to Persistent Storage

The Zot Open Container Initiative (OCI) registry uses ephemeral emptyDir storage when persistence is disabled during installation. In this configuration, registry artifacts are lost when the pod restarts or is rescheduled.

PaletteAI CLI

The paletteai CLI is a command-line tool for authoring and testing Definitions, inspecting Workload statuses, importing profile bundles downloaded from PaletteAI Studio, and building air-gapped mirror bundles. The CLI is useful for local development, CI/CD pipelines, and automation workflows.

RBAC Controls

PaletteAI enforces role-based access control (RBAC) across the UI. Actions such as creating, editing, or deleting resources are available only to users whose role includes the required permissions. If a button or action described below is not visible, your role likely does not grant the necessary access. Contact your administrator to request access.

Set Up EKS Environment

To successfully deploy PaletteAI on EKS, specific resources must be created in the AWS accounts where your hub and spoke EKS clusters are located. Additionally, Kubernetes RBAC rules must be configured on your spoke EKS cluster. This guide provides step-by-step instructions for setting up everything required to deploy PaletteAI on an EKS cluster using shell scripts. These scripts enable your spoke clusters to connect to the hub using IAM Roles for Service Accounts (IRSA). The scripts perform the following steps:

Set Up GKE Spokes

This guide is only required if you are deploying PaletteAI with dedicated spoke clusters separate from your hub cluster. If using the default hub-as-spoke pattern, skip this guide and proceed to Install PaletteAI on GKE.

Upgrade PaletteAI

Use this page to upgrade PaletteAI. Choose the workflow that matches your installation method: