Overview
This guide details all system requirements, infrastructure prerequisites, and network configurations needed to successfully deploy CrewAI Platform on Kubernetes.
Kubernetes Cluster Requirements
Version Requirements
- Recommended Version: Kubernetes 1.32.0 or later
- Required APIs:
apps/v1 (StatefulSets, Deployments)v1 (Services, ConfigMaps, Secrets, PVCs)batch/v1 (Jobs)networking.k8s.io/v1 (Ingress, NetworkPolicy)
Resource Requirements
Minimum Cluster Resources
These are absolute minimum requirements.
- Total Cluster Memory: 8Gi minimum
- Total Cluster CPU: 4 cores minimum
- Nodes: 1 node minimum (3+ nodes recommended for production)
- Ephemeral Storage: 10Gi per node minimum
Database Requirements
External PostgreSQL (Required)
- Version: PostgreSQL 16.8 or later
- Network Connectivity: Database must be accessible from Kubernetes cluster
- User Permissions: CREATE, DROP, and ALTER privileges
- Extensions: Must support standard PostgreSQL extensions
- Configuration:
- Host and port accessible from cluster pods
- Firewall rules allowing Kubernetes cluster IP ranges
- SSL/TLS support recommended
Supported Database Services
- AWS Aurora for PostgreSQL
- Azure Database for PostgreSQL
- Google Cloud SQL for PostgreSQL
- Self-managed PostgreSQL 16+
Object Storage Requirements
External S3-Compatible Storage (Required)
- S3-Compatible API: Full S3 API compatibility required
- Network Connectivity: Storage service must be accessible from cluster
- Bucket Configuration: Pre-created bucket with appropriate permissions
- IAM/Access Keys: Valid credentials with read/write access
Supported Storage Services
- AWS S3
- Azure Blob Storage (via S3-compatible gateway)
- Google Cloud Storage (via S3-compatible gateway)
- Other S3-compatible services
Network Requirements
DNS Resolution
- Cluster DNS: CoreDNS or kube-dns must be functional
- Service Discovery: Pods must resolve service names
- External DNS: Access to external domains for authentication and API calls
- DNS Configuration:
- Cluster domain:
cluster.local (default)
- DNS policy: ClusterFirst for pods
- Search domains properly configured
Network Connectivity
- Internal: Pod-to-pod communication within cluster
- Database: Access to external PostgreSQL (port 5432)
- Object Storage: Access to S3-compatible storage (typically port 443 for HTTPS)
- Ingress: External access to web application (port 80/443)
- Authentication: Outbound HTTPS to authentication provider APIs
Network Policies (Optional)
If using network policies for enhanced security:
- CNI Plugin: Must support NetworkPolicy (Calico, Cilium, Weave, etc.)
- Recommended Policies:
- Database access restrictions (PostgreSQL port 5432)
- Object storage access (HTTPS port 443)
- Web application ingress (port 2603)
- Inter-service communication within namespace
RBAC Requirements
Service Account Permissions
The Kubernetes service account must have permissions to:
- Create/Read/Update/Delete: Pods, Services, ConfigMaps, Secrets
- Create/Read/Update/Delete: StatefulSets, Deployments, Jobs
- Create/Read/Update/Delete: PersistentVolumeClaims
- Read: Nodes (for resource checking)
- Create: Ingress (if ingress enabled)
Cluster Permissions
Some advanced features may require cluster-admin permissions or specific cluster-wide access.
Security Requirements
Secrets Management
Choose one of the following approaches:
- Kubernetes Secrets (default): Native Kubernetes secret storage
- External Secret Stores: Integration with external secret management
- AWS Secrets Manager
- Azure Key Vault
- HashiCorp Vault
- Other ESO-compatible providers
Authentication Provider Requirements
Microsoft Entra ID (Azure AD)
- Application Registration: Client ID and Tenant ID
- Client Secret: Valid client secret for authentication
- Redirect URIs: Configured for your application hostname
- API Permissions: User.Read (minimum)
Okta
- Application: Web application configured in Okta
- Client ID: Okta application client ID
- Authorization Server: Default or custom authorization server
- Audience: Configured API audience
WorkOS
- Client ID: WorkOS application client ID
- AuthKit Domain: Custom AuthKit domain
- Organization Setup: Organizations configured in WorkOS dashboard
- Helm: Version 3.10 or later
- kubectl: Compatible with your cluster version
- Registry Access: Valid credentials for
registry.crewai.com
- kubectl-preflight: For pre-installation validation
kubectl krew install preflight
- kubectl-support-bundle: For diagnostics and troubleshooting
kubectl krew install support-bundle
TLS Certificate Requirements
For production deployments with HTTPS:
- Valid TLS Certificate: Issued by trusted CA or internal CA
- Private Key: Corresponding private key for the certificate
- Certificate Format: PEM-encoded certificate and key
- Subject Alternative Names: Must include your application hostname
Certificate Options
- AWS Certificate Manager (ACM): For AWS ALB ingress
- cert-manager: For automatic certificate management
- Manual Certificates: Upload via Kubernetes secrets
Compliance and Governance
Production Checklist
Before deploying to production, ensure:
Validation
Pre-Installation Validation
Run preflight checks to validate all requirements:
helm template oci://registry.crewai.com/crewai/stable/crewai-platform \
--values my-values.yaml \
| kubectl preflight -
- Kubernetes version compatibility
- Cluster resource availability
- Storage class configuration
- Container runtime compatibility
- DNS resolution
- RBAC permissions
- Database connectivity (external PostgreSQL)
- Network policies support
Address any failures before proceeding with installation.
Next Steps
