Audit Logging
PaletteAI creates an audit log of platform activity by using Kubernetes admission webhooks to monitor requests. Each event is then sent to the Prometheus Alertmanager instance included in the PaletteAI deployment. This page explains what is captured, how to query audit logs, and how to forward them to a long-term storage destination.
Configure Dex to Use Keycloak as an OIDC Connector
PaletteAI authenticates users through Dex, which can broker authentication to an external OpenID Connect (OIDC) provider. This page shows how to configure Dex to use Keycloak as its OIDC provider so that PaletteAI users sign in with their Keycloak credentials.
Configure ECR Instead of Zot
An Open Container Initiative (OCI) registry is required to store OCI artifacts. Instead of the default in-cluster Zot registry, you can configure the PaletteAI Helm chart to use Amazon Elastic Container Registry (ECR). Amazon ECR works on both Amazon EKS and self-managed Kubernetes on AWS (IaaS), and you can configure it during installation or afterward.
Configure Kubernetes API Server to Trust OIDC Provider
The Kubernetes API server can trust an OIDC provider to authenticate users. We recommend that you work with your Kubernetes administrator and security team when you configure this integration. The exact steps vary by infrastructure provider and Kubernetes platform, such as AWS EKS, Azure AKS, or Google GKE.
Configure Prometheus Agent Monitoring
PaletteAI can ship metrics from spoke clusters to a Prometheus server and use them for autoscaling decisions on the hub cluster. Configure this behavior with the global.metrics section in your Helm values.yaml.
Configure User Impersonation
PaletteAI supports Kubernetes User Impersonation, a feature that allows one user to act as another user. This is useful when you are unable to configure the Kubernetes API server to trust Dex as an OpenID Connect (OIDC) provider. With user impersonation, you can continue to use your existing OIDC provider or local Dex users. The key requirement is to configure proper group mappings so that each user has the correct permissions to access the resources they need.
Customize Branding
PaletteAI allows you to customize the appearance of the PaletteAI User Interface (UI) during installation or upgrades. Using Helm chart values under canvas.branding, you can customize the following front-end elements:
Install PaletteAI on AWS IaaS
This guide covers installing PaletteAI on a self-managed Kubernetes cluster deployed with AWS EC2 instances. The deployment uses the hub-as-spoke pattern with Zot as the Open Container Initiative (OCI) registry.
Install PaletteAI on EKS
This guide covers installing PaletteAI on an EKS Kubernetes cluster. The deployment uses the hub-as-spoke pattern with Zot as the Open Container Initiative (OCI) registry.
Install PaletteAI on GKE
This guide covers installing PaletteAI on Google Kubernetes Engine (GKE). The deployment uses the hub-as-spoke pattern with Zot as the Open Container Initiative (OCI) registry.
Install PaletteAI on Kubernetes
This guide covers installing PaletteAI on self-managed Kubernetes clusters where you have full control over the API server configuration. The deployment uses the hub-as-spoke pattern with Zot as the Open Container Initiative (OCI) registry. Use this guide if installing PaletteAI on:
Migrate Zot Registry to Persistent Storage
The Zot Open Container Initiative (OCI) registry uses ephemeral emptyDir storage when persistence is disabled during installation. In this configuration, registry artifacts are lost when the pod restarts or is rescheduled.
PaletteAI CLI
The paletteai CLI is a command-line tool for authoring and testing Definitions, inspecting Workload statuses, importing profile bundles downloaded from PaletteAI Studio, and building air-gapped mirror bundles. The CLI is useful for local development, CI/CD pipelines, and automation workflows.
Project RBAC policy templates
The PaletteAI Helm chart renders template ConfigMaps into the Helm release namespace. Each template holds a default list of Kubernetes PolicyRule entries used when defining Project-scoped access for Viewer, Editor, and Admin roles.
Set Up EKS Environment
To successfully deploy PaletteAI on EKS, specific resources must be created in the AWS accounts where your hub and spoke EKS clusters are located. Additionally, Kubernetes RBAC rules must be configured on your spoke EKS cluster. This guide provides step-by-step instructions for setting up everything required to deploy PaletteAI on an EKS cluster using shell scripts. These scripts enable your spoke clusters to connect to the hub using IAM Roles for Service Accounts (IRSA). The scripts perform the following steps:
Set Up GKE Spokes
This guide is only required if you are deploying PaletteAI with dedicated spoke clusters separate from your hub cluster. If using the default hub-as-spoke pattern, skip this guide and proceed to Install PaletteAI on GKE.
Upgrade PaletteAI
This page explains how to upgrade PaletteAI to a new version. Use the workflow that matches your installation method: