ClusterRoles and Permissions for Full Kubernetes Agent (KRM)

FlexNet Manager Suite 2024 R2 (On-Premises)

flexera-krm-controller

  • Purpose—The Full Kubernetes Inventory Agent (KRM) relies on the KRM controller to manage its components dynamically. This includes deploying and maintaining resources like StatefulSets and DaemonSets, ensuring they are properly configured and operational. The controller continuously monitors these resources and makes adjustments as needed to align them with the desired state.
  • Permissions:
    • create: Allows the controller to deploy new resources to ensure the agent is operational.
    • delete: Enables the removal of outdated or unnecessary resources.
    • patch and update: Allow modifications to existing resources to align with updated configurations.
    • get, list, and watch: Provide read access to monitor resources and detect changes or issues.
    • events: Allows the creation of new Kubernetes events and updating existing ones. These events are used to log important actions or changes in the cluster, helping with monitoring and debugging.
  • Required—Always required for the KRM controller, which in turn is required for the KRM agent to run.

flexera-krm-agent

  • Purpose—Grants permissions for the Full Kubernetes Agent (KRM) to monitor cluster resources and collect inventory data.
  • Permissions:
    • nodes: get, list, watch
    • pods: get, list, watch
    • pods/exec: get, list, watch, create
      Note: The create permission for pods/exec is necessary to initiate execution sessions inside running containers. This allows the agent to run discovery commands within containers to gather detailed software inventory, including installed software and metadata about the container environment.
  • Required—Always required for the KRM agent.

flexera-krm-agent-olm

  • Purpose—Grants permissions to monitor Operator Lifecycle Manager (OLM) resources for the Full Kubernetes Agent.
  • Permissions: get, list, watch for OLM resources like clusterserviceversions, catalogsources, installplans, subscriptions, operatorgroups, and packagemanifests.
  • Required—If OLM support is enabled for the KRM agent.

flexera-krm-storageresources

  • Purpose—Grants permissions to monitor storage-related resources, such as persistent volumes and storage classes.
  • Permissions: get, list, watch for persistentvolumes, persistentvolumeclaims, and storageclasses.
  • Required—If storage monitoring is enabled for the KRM agent.

flexera-krm-advanced-config

  • Purpose—Grants permissions to manage advanced configurations via ConfigMaps.
  • Permissions: get, list, watch for configmaps.
  • Required—If advanced configuration is enabled for the KRM agent.

flexera-krm-ibmlicensings

  • Purpose—Grants permissions to monitor IBM licensing resources within the Kubernetes cluster.
  • Permissions: get, list, watch for ibmlicensings.
    Note: This ClusterRole allows the KRM agent to monitor the ibmlicensings resource type, which contains IBM licensing data.
  • Required—If IBM Licensing integration is enabled in the KRM agent configuration.

flexera-krm-scc

  • Purpose—Grants permissions to use OpenShift-specific security context constraints.
  • Permissions: use for securitycontextconstraints.
  • Required—If the KRM agent is deployed on OpenShift.
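
The following is an added example, not part of the Flexera documentation or product: a small audit that compares a ClusterRole (in the JSON shape printed by `kubectl get clusterrole <name> -o json`) against the resource and verb lists given on this page and reports any grant beyond them. It assumes matching by resource name and verb only, because this page does not list API groups, and it leaves out flexera-krm-controller and flexera-krm-agent-olm, whose resource lists are not stated exhaustively here; the sample role is constructed.

```python
import json

READ = {"get", "list", "watch"}
# Resource -> verbs, transcribed from the permission lists on this page.
# Assumption: API groups are ignored because the page does not state them.
DOCUMENTED = {
    "flexera-krm-agent": {"nodes": READ, "pods": READ, "pods/exec": READ | {"create"}},
    "flexera-krm-storageresources": {
        "persistentvolumes": READ, "persistentvolumeclaims": READ, "storageclasses": READ},
    "flexera-krm-advanced-config": {"configmaps": READ},
    "flexera-krm-ibmlicensings": {"ibmlicensings": READ},
    "flexera-krm-scc": {"securitycontextconstraints": {"use"}},
}

def audit_cluster_role(role):
    """Return sorted findings for grants beyond what the page documents."""
    name = role["metadata"]["name"]
    allowed = DOCUMENTED.get(name)
    if allowed is None:
        return [f"{name}: no documented baseline on this page"]
    findings = set()
    for rule in role.get("rules", []):
        if rule.get("nonResourceURLs"):
            findings.add(f"{name}: nonResourceURLs rule is not documented")
            continue
        for resource in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if "*" in (resource, verb):
                    findings.add(f"{name}: wildcard grant {verb} on {resource}")
                elif verb not in allowed.get(resource, set()):
                    findings.add(f"{name}: undocumented {verb} on {resource}")
    return sorted(findings)

# Constructed sample: the documented agent role plus two extra grants.
SAMPLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "flexera-krm-agent"},
 "rules": [
  {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get", "list", "watch", "create"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}
 ]}
""")

if __name__ == "__main__":
    for finding in audit_cluster_role(SAMPLE):
        print(finding)
```

Run against each installed flexera-krm-* ClusterRole after an upgrade or configuration change; an empty result means the role grants nothing beyond the lists above.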
