Air-Gapped Cluster Prerequisites
Before installing Wallaroo, verify that the following hardware and software requirements are met.
Cluster Requirements
The following requirements are specific to the cluster that hosts Wallaroo.
Environment Hardware Requirements
The following are the minimum system requirements for running Wallaroo in a Kubernetes cloud cluster.
- Minimum number of nodes: 4
- Minimum Number of CPU Cores: 8
- Minimum RAM per node: 16 GB
- Minimum Storage: A total of 625 GB of storage will be allocated for the entire cluster based on 5 users with up to four pipelines with five steps per pipeline, with 50 GB allocated per node, including 50 GB specifically for the Jupyter Hub service. Enterprise users who deploy additional pipelines will require an additional 50 GB of storage per lab node deployed.
Wallaroo recommends at least 16 cores total to enable all services. At less than 16 cores, services will have to be disabled to allow basic functionality as detailed in this table.
Note that even when disabling these services, Wallaroo performance may be impacted by the models, pipelines, and data used. The greater the size of the models and steps in a pipeline, the more resources will be required for Wallaroo to operate efficiently. Pipeline resources are set by the pipeline configuration to control how many resources are allocated from the cluster to maintain peak effectiveness for other Wallaroo services. See the following guides for more details.
- Wallaroo SDK Essentials Guide: Pipeline Deployment Configuration
- Wallaroo MLOps API Essentials Guide: Pipeline Management
| Cluster Size | 8 core | 16 core | 32 core | Description |
|---|---|---|---|---|
| Inference | ✔ | ✔ | ✔ | The Wallaroo inference engine that performs inference requests from deployed pipelines. |
| Dashboard | ✔ | ✔ | ✔ | The graphical user interface for configuring workspaces, deploying pipelines, tracking metrics, and other uses. |
| Jupyter HUB/Lab | | | | The JupyterHub service for running Python scripts, Jupyter Notebooks, and other related tasks within the Wallaroo instance. |
| Single Lab | ✔ | ✔ | ✔ | |
| Multiple Labs | ✘ | ✔ | ✔ | |
| Prometheus | ✔ | ✔ | ✔ | Used for collecting and reporting on metrics. Typical metrics are values such as CPU utilization and memory usage. |
| Alerting | ✘ | ✔ | ✔ | |
| Model Validation | ✘ | ✔ | ✔ | |
| Dashboard Graphs | ✔ | ✔ | ✔ | |
| Plateau | ✘ | ✔ | ✔ | A Wallaroo developed service for storing inference logs at high speed. This is not a long term service; organizations are encouraged to store logs in long term solutions if required. |
| Model Insights | ✘ | ✔ | ✔ | |
| Python API | | | | |
| Model Conversion | ✔ | ✔ | ✔ | Converts models into a native runtime for use with the Wallaroo inference engine. |
To install Wallaroo with minimum services, a configuration file is used as part of the kots-based installation. For full details on the Wallaroo installation process, see the Wallaroo Install Guides.
Enterprise Network Requirements
The following are the minimum network requirements for running Wallaroo:
- For Wallaroo Enterprise users: 200 IP addresses are required to be allocated per cloud environment. 
- For Wallaroo Community Edition users: 98 IP addresses are required to be allocated per cloud environment. 
- DNS services integration is required for Wallaroo Enterprise edition. See the DNS Integration Guide for the instructions on configuring Wallaroo Enterprise with your DNS services.
  - DNS services integration is required to provide access to the various supporting services that are part of the Wallaroo instance. These include:
    - Simplified user authentication and management.
    - Centralized services for accessing the Wallaroo Dashboard, Wallaroo SDK and Authentication.
    - Collaboration features allowing teams to work together.
    - Managed security, auditing and traceability.
IMPORTANT NOTE
Wallaroo requires out-bound network connections to download the required container images and other tasks. For situations that require limiting out-bound access contact your Wallaroo support representative.
As part of the installation, Wallaroo deploys an envoy proxy. This terminates into the Wallaroo TLS and reverse proxies HTTPS to the Wallaroo services. If the installation ingress_mode is set to internal or external, the envoy proxy is type LoadBalancer with the cloud-appropriate annotations.
Wallaroo does not create Ingress or API Gateway objects as part of the installation.
Cost Calculators
Organizations that intend to install Wallaroo into a Cloud environment can obtain an estimate of environment costs. The Wallaroo Install Guides list recommended virtual machine types and other settings that can be used to calculate costs for the environment.
For more information, see the pricing calculators for the following cloud services:
- Microsoft Azure Pricing Calculator
- Amazon Web Services Pricing Calculator
- Google Cloud Pricing Calculator
Certificate Requirements
Wallaroo requires TLS certificates that match the host name used to access Wallaroo services. The following details how to generate the CA-signed certificates used for the installation procedures.
- Create a CA-signed TLS certificate for your Wallaroo domain with the following settings:
  - Certificate Authority Options:
    - Use a public Certificate Authority such as Let’s Encrypt or Verisign. In general, you would send a Certificate Signing Request to your CA and they would respond with your certificates.
    - Use a private Certificate Authority (CA) to provide the certificates. Your organization will have procedures for clients to verify the certificates from the private CA.
    - Use a Wallaroo certificate and public name server. Contact our CSS team for details.
  - Wallaroo Domain:
    - Set the certificate’s Subject CN to your Wallaroo domain. For example, if the Wallaroo Domain is wallaroo.example.com, then the Subject CNs would be: wallaroo.example.com.
- Save your certificates.
  - You should have two files: the TLS Certificate (.crt) and TLS private key (.key). Store these in a secure location - these will be installed into Wallaroo at a later step.
OpenShift Requirements
The following details the resources and settings used by Wallaroo as part of the installation in OpenShift.
OpenShift Version Requirements
The following software or runtimes are required for Wallaroo 2025.1. Most are automatically available through the supported cloud providers.
| Software or Runtime | Description | Minimum Supported Version | Preferred Version(s) | 
|---|---|---|---|
| OpenShift | Container Platform | 4.17 | 4.18 | 
| Kubernetes | Cluster deployment management | 1.29 with Container Management set to containerd. | 1.31 | 
| kubectl | Kubernetes administrative console application | 1.31 | 1.31 | 
Upgrading Kubernetes After Installing Wallaroo
Organizations that choose to upgrade the Kubernetes version after Wallaroo is installed should consult with their Wallaroo support representative before starting the upgrade process.
Wallaroo does not recommend Kubernetes auto-updates after Wallaroo is installed.
Single Cluster Support
Wallaroo must be installed in its own Kubernetes cluster. At this time, multi-tenancy is not supported. For additional details, consult your Wallaroo support representative.
Node Selectors
Wallaroo uses different nodes for various services, which can be assigned to a different node pool to contain resources separate from other nodes. The following node selectors can be configured:
- ML Engine node selector
- ML Engine Load Balance node selector
- Database Node Selector
- Grafana node selector
- Prometheus node selector
- Each Lab * Node Selector
Kubernetes Install Namespace
For Kubernetes-based Wallaroo installations, Wallaroo must be installed to its own namespace - by default wallaroo. For single node (embedded Linux) Wallaroo installations, the installation namespace is set to kotsadm.
Kubernetes Dynamic Namespaces
As part of its operations, Wallaroo dynamically creates additional namespaces for transient activities including:
- Assays.
  - These namespaces begin with assay-.
- AI Workload Automation Orchestrations and Tasks.
  - Task namespaces begin with task-.
- Model upload and conversion
- Pipeline deployments.
  - Pipeline namespaces begin with the pipeline name and the pipeline id. For example, the pipeline houseprice with an id 28 uses the namespace houseprice-28.
- If installed, the backup service Velero uses the namespace velero.
This allows administrators to visualize and compartmentalize these activities and to facilitate cleanup if necessary. These namespaces typically contain pods, jobs, configmaps, and secrets and do not have persistent volumes or finalizers. All Wallaroo Kubernetes objects have the label app.kubernetes.io/part-of=wallaroo.
The namespaces kube-* and default are not modified by Wallaroo.
Daemonset Deployments
Wallaroo creates DaemonSet deployments. These run a pod on each cluster node. These are used for:
- Image pulling for Jupyter Lab
- Workload attestation for edge deployment inference log uploads
- Log collection via Fluent Bit
Taints and Labels Requirements
Nodepools created in Wallaroo require the following taints and labels.
For custom taints and labels, see the Custom Taints and Labels Guide.
| Nodepool | Taints | Labels | Description | 
|---|---|---|---|
| general | N/A | wallaroo.ai/node-purpose: general | For general Wallaroo services. No taints are applied to this nodepool to allow any process not assigned with a deployment label to run in this space. | 
| persistent | wallaroo.ai/persistent=true:NoSchedule | wallaroo.ai/node-purpose: persistent | For Wallaroo services with persistentVolume settings, including JupyterHub, Minio, etc. |
| pipelines-x86 | wallaroo.ai/pipelines=true:NoSchedule | wallaroo.ai/node-purpose: pipelines | For deploying pipelines for default x86 architectures. The taints and label must be applied to any nodepool used for model deployments. | 
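The following is an added example, not part of the Wallaroo documentation: a pre-install check that compares node labels and taints against the table above, so a pipelines or persistent node that lacks its NoSchedule taint (and would therefore accept unrelated pods) is caught early. It assumes the default taints and labels from the table and input shaped like `kubectl get nodes -o json`; the sample nodes and the `check_nodes` helper are constructed for illustration.

```python
import json

PURPOSE_LABEL = "wallaroo.ai/node-purpose"
# Label value -> required taint (key, value, effect), taken from the table above.
REQUIRED_TAINT = {
    "general": None,
    "persistent": ("wallaroo.ai/persistent", "true", "NoSchedule"),
    "pipelines": ("wallaroo.ai/pipelines", "true", "NoSchedule"),
}

# Constructed sample shaped like `kubectl get nodes -o json`; node names are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "gen-0", "labels": {"wallaroo.ai/node-purpose": "general"}}, "spec": {}},
 {"metadata": {"name": "pers-0", "labels": {"wallaroo.ai/node-purpose": "persistent"}},
  "spec": {"taints": [{"key": "wallaroo.ai/persistent", "value": "true", "effect": "NoSchedule"}]}},
 {"metadata": {"name": "pipe-0", "labels": {"wallaroo.ai/node-purpose": "pipelines"}}, "spec": {}},
 {"metadata": {"name": "pipe-1", "labels": {"wallaroo.ai/node-purpose": "pipelines"}},
  "spec": {"taints": [{"key": "wallaroo.ai/pipelines", "value": "true", "effect": "PreferNoSchedule"}]}},
 {"metadata": {"name": "misc-0", "labels": {}}, "spec": {}}
]}
""")


def check_nodes(node_list):
    """Return {node name: problem} for nodes that do not match the table."""
    problems = {}
    for node in node_list.get("items", []):
        name = node["metadata"]["name"]
        purpose = node["metadata"].get("labels", {}).get(PURPOSE_LABEL)
        taints = {(t.get("key"), t.get("value"), t.get("effect"))
                  for t in node.get("spec", {}).get("taints") or []}
        if purpose not in REQUIRED_TAINT:
            problems[name] = f"missing or unknown {PURPOSE_LABEL} label: {purpose!r}"
        elif REQUIRED_TAINT[purpose] is None:
            if taints:  # the table lists no taints for the general pool
                problems[name] = "general nodes are expected to carry no taints"
        elif REQUIRED_TAINT[purpose] not in taints:
            want = "{}={}:{}".format(*REQUIRED_TAINT[purpose])
            problems[name] = f"missing taint {want}"
    return problems


if __name__ == "__main__":
    for name, problem in check_nodes(SAMPLE).items():
        print(f"{name}: {problem}")
```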
ClusterRoles and ClusterRoleBindings
Wallaroo uses ClusterRoles and ClusterRoleBindings to create, destroy, manage, and assess namespaces and their resources. The following ClusterRoles are created by Wallaroo:
wallaroo-fluent-bit
wallaroo-multi-scaler
wallaroo-prometheus
wallaroo-rest-api
wallaroo-wallsvc
The following includes all of the permissions for the ClusterRoles.
| Resources | Verbs | 
|---|---|
| clusterroles.rbac.authorization.k8s.io | [bind,escalate] | 
| configmaps | [get,create,list,watch,update,patch,delete] | 
| cronjobs.batch | [get,create,list,watch,update,patch,delete] | 
| cronjobs.batch/status | [get,create,list,watch,update,patch,delete] | 
| deployments | [get,create,list,watch,update,patch,delete] | 
| endpoints | [get,list,watch] | 
| horizontalpodautoscalers.autoscaling | [get,list,create,update,patch] | 
| ingresses.extensions | [get,list,watch] | 
| jobs | [get,create,list,watch,update,patch,delete] | 
| jobs.apps | [get,create,list,update,patch,delete] | 
| jobs.batch | [get,create,list,watch,update,patch,delete] | 
| jobs.batch/status | [get,create,list,watch,update,patch,delete] | 
| metrics | [get] | 
| modelconfigs.wallaroo.ai | [*] | 
| namespaces | [get,create,list,watch,update,patch,delete] | 
| nodes | [get,list,watch] | 
| nodes/proxy | [get,list,watch] | 
| pipelines.wallaroo.ai | [*] | 
| pods | [get,create,list,watch,update,patch,delete] | 
| pods.apps | [get,list] | 
| replicasets.apps | [get,create,list,update,patch,delete] | 
| rolebindings.rbac.authorization.k8s.io | [get,create,list,update,patch,delete] | 
| roles.rbac.authorization.k8s.io | [get,create,list,update,patch,delete] | 
| secrets | [get,create,list,watch,update,patch,delete] | 
| services | [get,create,list,watch,update,patch,delete] | 
| tokenreviews.authentication.k8s.io | [create] | 
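The following is an added example, not part of the Wallaroo documentation: a small parser for the permission table above that lists the rows a cluster administrator would normally read closely before approving the install. The input is a subset of rows copied from the table, and the review criteria (wildcards, RBAC bind/escalate and writes, Secret reads, nodes/proxy) are this example's own assumptions.

```python
import re

# Constructed input: a subset of rows copied from the permission table above.
TABLE = """\
| clusterroles.rbac.authorization.k8s.io | [bind,escalate] |
| endpoints | [get,list,watch] |
| modelconfigs.wallaroo.ai | [*] |
| nodes | [get,list,watch] |
| nodes/proxy | [get,list,watch] |
| rolebindings.rbac.authorization.k8s.io | [get,create,list,update,patch,delete] |
| secrets | [get,create,list,watch,update,patch,delete] |
| tokenreviews.authentication.k8s.io | [create] |
"""

ROW = re.compile(r"^\|\s*(\S+)\s*\|\s*\[([^\]]*)\]\s*\|\s*$")
WRITE = {"create", "update", "patch", "delete", "*"}
READ = {"get", "list", "watch", "*"}
RBAC_GROUP = ".rbac.authorization.k8s.io"


def parse_rules(table):
    """Yield (resource, verb set) for each '| resource | [verbs] |' row."""
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(1), {v.strip() for v in m.group(2).split(",") if v.strip()}


def review(table):
    """Map resource -> reasons to review it (criteria are this example's own)."""
    findings = {}
    for resource, verbs in parse_rules(table):
        reasons = []
        if "*" in verbs:
            reasons.append("wildcard verbs")
        if resource.endswith(RBAC_GROUP):
            if verbs & {"bind", "escalate"}:
                reasons.append("can grant permissions the holder does not have")
            if verbs & WRITE:
                reasons.append("can create or change RBAC grants")
        if resource == "secrets" and verbs & READ:
            reasons.append("can read Secret contents")
        if resource == "nodes/proxy":
            reasons.append("reaches the kubelet API through the API server")
        if reasons:
            findings[resource] = reasons
    return findings


if __name__ == "__main__":
    for resource, reasons in review(TABLE).items():
        print(f"{resource}: {'; '.join(reasons)}")
```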
StorageClass
The StorageClass called wallaroo-standard is created to handle Kubernetes upgrades and differences across platforms. This requires the following volume binding modes:
- WaitForFirstConsumer
- AllowVolumeExpansion
wallaroo-standard uses the default provisioner for the Kubernetes environment.