Attributes for Agent Features
To accelerate Flexera Kubernetes Inventory Agent deployments with Helm, two predefined Kubernetes Helm chart templates are available and can be pulled from repositories hosted on Flexera AWS ECR (https://gallery.ecr.aws/flexera/):
• For the Full Flexera Kubernetes Inventory Agent: https://gallery.ecr.aws/flexera/krm-chart
• For the Lightweight Flexera Kubernetes Inventory Agent: https://gallery.ecr.aws/flexera/lwk-chart
For each Helm chart, the majority of options within the values.yaml file are predefined and each option has a descriptive comment. Customers are required to specify the FlexNet Beacon URL and persistent storage options for the Full Flexera Kubernetes Inventory Agent, and the FlexNet Beacon URL for the lightweight Flexera Kubernetes Inventory Agent. For configuration and installation steps for the Full Flexera Kubernetes Inventory Agent, see Full Flexera Kubernetes Agent Helm chart configuration and installation in the Online Help. For configuration and installation steps for the Lightweight Kubernetes Inventory Agent, see Lightweight Kubernetes Agent Helm chart configuration and installation in the Gathering FlexNet Inventory user guide.
IBM License Service Integration
Containerized IBM software requires the use of the IBM License Service to monitor license usage. The Flexera Kubernetes inventory agent integrates with the IBM License Service, and collects the IBM product(s) capacity usage data for that cluster through the IBM License Service API.
To consume the IBM License Service API, the Flexera Kubernetes inventory agent must first locate the API, and obtain the token used to authenticate. This requires the Flexera Kubernetes inventory agent to read several different resource types from the cluster that it would not otherwise need to read. Permissions to read these resources can be enabled during the installation process. It is also possible to avoid adding these permissions by providing the Flexera Kubernetes inventory agent with all the standard values it needs in the attributes within the YAML file. (This does not include the ones listed under Advanced Flexera Kubernetes Inventory Agent Attributes.)
Note: The entire set of values must be provided. If the set is incomplete, the Flexera Kubernetes inventory agent attempts to discover those that are missing. Exceptions to this general statement are the enable and tlsVerify settings (which are required in all cases).
When enabled (as described next), the Flexera Kubernetes inventory agent first detects the presence of the IBM License Service in the Kubernetes cluster by looking for the CustomResourceDefinition:
ibmLicensings.operator.ibm.com
Tip: The plural ibmLicensings in this context is not a typo, but in line with the Kubernetes naming convention that uses the plural form when referring to a fully-qualified resource type.
It then loads any missing configuration values needed to locate and authenticate with the API by reading the ibmLicensing resource configuration, searching for services in the Kubernetes cluster using label selectors, and reading the secret that provides the authentication token.
Tip: If this process fails, or if the IBM License Service is not installed in the Kubernetes cluster, the Flexera Kubernetes inventory agent re-attempts the process every 5 minutes. This is because your settings in the YAML file specify that you want to enable the integration with the IBM License Service, and if this is deployed at some later time, the regular checks by the Flexera Kubernetes inventory agent cause the integration to begin working without further effort. If this is not what you require, simply change the setting (described next) back to false to turn off the integration, as this also turns off the checking process.
The Flexera Kubernetes inventory agent queries the IBM License Service API at each of these times:
• Immediately on start-up
• Immediately after successfully discovering the service and configuration
• Every day at 1:00 AM (local time of the cluster).
The Flexera Kubernetes inventory agent requests a usage snapshot for the prior 180 days each time it queries the API.
Enable the Integration
If this attribute is set to true, integration of the Flexera Kubernetes inventory agent with the IBM License Service is turned on.
Important: The default value is false, in which case the Flexera Kubernetes inventory agent does not interact with the IBM License Service. Be aware that use of the IBM License Service is mandatory for compliance with IBM licenses for products running in Kubernetes clusters. If you wish to import the license data collected by the IBM License Service for reporting within IT Asset Management, you must set this attribute to true.
Item | Description
Attribute | spec.ibmLicensing.enable
Type | Boolean
Example | true
With this setting, the relevant section of the YAML file looks similar to this:
apiVersion: agents.flexera.com/v1
kind: KRM
metadata:
  name: instance
spec:
  ibmLicensing:
    enable: true
  ...
The IBM License Service Namespace
If this attribute is omitted, the Flexera Kubernetes inventory agent automatically searches for the namespace used by the IBM License Service. Alternatively, you may explicitly specify that namespace in this attribute.
Item | Description
Attribute | spec.ibmLicensing.namespace
Type | String
Example | ibm-common-services
The Service Name
If this attribute is omitted, the Flexera Kubernetes inventory agent automatically searches for the name of the Service used to expose the IBM License Service API within the Kubernetes cluster. Alternatively, you may explicitly specify that name in this attribute.
Item | Description
Attribute | spec.ibmLicensing.serviceName
Type | String
Example | ibm-licensing-service-instance
The Service Port
If this attribute is omitted, the Flexera Kubernetes inventory agent automatically searches for the TCP port in the Service used to expose the IBM License Service API within the Kubernetes cluster. Alternatively, you may explicitly specify that port in this attribute.
Item | Description
Attribute | spec.ibmLicensing.servicePort
Type | Integer
Example | 8080
The Service Token
If this attribute is omitted, the Flexera Kubernetes inventory agent automatically searches for the token used to authenticate with the IBM License Service API within the Kubernetes cluster. Alternatively, you may explicitly specify that token in this attribute.
Item | Description
Attribute | spec.ibmLicensing.token
Type | String
Example | VoOMWJijBWuCxSxwgON11w7z
The Service Protocol
If this attribute is omitted, the Flexera Kubernetes inventory agent automatically searches the configuration to determine whether the IBM License Service API is served over HTTPS. Alternatively, you may explicitly specify that protocol in this attribute.
Item | Description
Attribute | spec.ibmLicensing.https
Type | Boolean
Example | true
The Service Certificate
If the IBM License Service API serves over HTTPS using an untrusted certificate, this setting can be set to false (or left unspecified, since the default value is false).
• When this value is false (or unspecified), the Flexera Kubernetes inventory agent does not attempt to verify authenticity of the certificate.
• When this value is set to true, the Flexera Kubernetes inventory agent verifies the certificate. Connection with the IBM License Service fails if either:
    • The certificate is not valid
    • The certificate is signed by an unknown issuer.
Item | Description
Attribute | spec.ibmLicensing.tlsVerify
Type | Boolean
Example | false
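The trade-offs in the IBM License Service attributes above, written as a check to run against a manifest before it is applied. This is an added example, not Flexera code: the function name audit_ibm_licensing and the sample manifests are constructed for illustration, and the manifest is assumed to be available as a dictionary (for instance the YAML converted to JSON).

```python
import json

# Attributes that must be supplied as a complete set for the agent to skip
# in-cluster discovery (enable and tlsVerify are required in all cases).
DISCOVERABLE = ("namespace", "serviceName", "servicePort", "token", "https")

def audit_ibm_licensing(manifest: dict) -> list:
    """Return findings for the spec.ibmLicensing block of a KRM manifest."""
    cfg = manifest.get("spec", {}).get("ibmLicensing", {})
    if cfg.get("enable", False) is not True:       # documented default: false
        return ["disabled: agent does not contact the IBM License Service"]
    findings = []
    missing = [k for k in DISCOVERABLE if k not in cfg]
    if missing:
        # An incomplete set makes the agent discover the rest, which needs the
        # additional read permissions enabled at install time.
        findings.append("discovery: agent will look up " + ", ".join(missing)
                        + " and needs the extra read permissions")
    if "token" in cfg:
        findings.append("token: stored in plain text in the manifest; restrict "
                        "who can read this resource and its source file")
    if cfg.get("https") is False:
        findings.append("https: API token travels over unencrypted HTTP")
    elif not cfg.get("tlsVerify", False):          # documented default: false
        findings.append("tlsVerify: certificate is not verified when the API "
                        "is served over HTTPS")
    return findings

# Constructed sample manifests (JSON form of the YAML), not real cluster data.
DISCOVERY_MODE = json.loads('{"spec": {"ibmLicensing": {"enable": true}}}')
PINNED = json.loads("""{"spec": {"ibmLicensing": {
    "enable": true, "namespace": "ibm-common-services",
    "serviceName": "ibm-licensing-service-instance", "servicePort": 8080,
    "token": "PLACEHOLDER-TOKEN", "https": true, "tlsVerify": true}}}""")

if __name__ == "__main__":
    for name, m in (("discovery", DISCOVERY_MODE), ("pinned", PINNED)):
        print(name, json.dumps(audit_ibm_licensing(m), indent=2))
```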
Advanced Flexera Kubernetes Inventory Agent Attributes
The following attributes control minor aspects of the behavior of the Flexera Kubernetes inventory agent. All have sensible defaults, so that there is no strong reason to modify these attributes unless you need detailed configuration control in your environment.
The interval attribute within the monitor block of the YAML file specifies the time interval at which the Flexera Kubernetes inventory agent collects and uploads inventory. The Flexera Kubernetes inventory agent caches the most up-to-date information about each cluster resource it is interested in observing, and retains resources in its cache (even if they have been deleted in the cluster) until it can upload its next inventory. The interval setting is a trade-off between the data volume retained in cache and uploadable in a given inventory versus the number of inventories being uploaded and imported. The default value is 24h, so that the Flexera Kubernetes inventory agent collects and uploads its specified inventory once each day.
The value of this setting is a string using the convention established by Kubernetes and the Go programming language. It consists of an integer followed by a unit suffix such as “s” for seconds, “m” for minutes, or “h” for hours, for example 12h for twelve hours.
Item | Description
Attribute | spec.monitor.interval
Type | Duration
Example | 6h
Agent Self-Updates
The downloadFromBeacon attribute controls whether the Flexera Kubernetes inventory agent allows updates to the local components of the FlexNet inventory agent:
• If downloadFromBeacon is set to true (the default) or unspecified, the Flexera Kubernetes inventory agent runs the policy components of FlexNet inventory agent to check for, and if necessary to download, updates to the zero-footprint inventory component (ndtrack.sh) and the InventorySettings.xml file of extension capabilities.
• If downloadFromBeacon is false, the Flexera Kubernetes inventory agent does not permit these updates. Instead, it uses the version of ndtrack.sh that shipped in the container image, and does not use any copy of InventorySettings.xml. While this is the recommended approach for situations where the container must remain immutable at runtime, it may impact the completeness of the inventory produced for container images in the cluster, particularly for software from vendors like Oracle and Microsoft.
Item | Description
Attribute | spec.monitor.downloadFromBeacon
Type | Boolean
Example | false
Collect Software Inventory
The imageInventory attribute controls collection of software inventory from Open Container Initiative (OCI) container images:
• When set to true (the default) or unspecified, the Flexera Kubernetes inventory agent injects the inventory component of FlexNet inventory agent (ndtrack.sh) into containers in the cluster to obtain software inventories of their content. Thereafter, the tracker is removed again, completing a process of zero footprint inventory collection.
• When set to false, the Flexera Kubernetes inventory agent disables this behavior. This means that the Flexera Kubernetes inventory agent cannot report software inventory from any containers in the cluster.
Important: Unless some other inventory source replaces this software inventory from containers, a license position cannot be correctly resolved, and you may be exposed in a future compliance audit. Keep in mind that the IBM License Service only monitors software from IBM. Consider the requirement to monitor license consumption for other software companies.
Item | Description
Attribute | spec.monitor.imageInventory
Type | Boolean
Example | true
Node Component
The enable attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes inventory agent is deployed:
• When true (the default) or unspecified, normal operations are enabled.
• If set to false, the node component of the Flexera Kubernetes inventory agent is not deployed. This means that hardware inventory of the worker nodes cannot be collected.
Caution: While the option to disable the node component is currently available in the Flexera Kubernetes inventory agent, it is not yet supported by the rest of IT Asset Management. Do not disable the node component until a later release removes this warning.
Item | Description
Attribute | spec.node.enable
Type | Boolean
Example | true
Node Inventory Interval
The interval attribute within the node block of the YAML file determines how often (at what time interval) hardware inventory is collected for the worker nodes in the cluster(s). In general, this can be left unspecified, even when:
• You hold a license modification that authorizes use of IT Asset Management to assess sub-capacity consumption of IBM PVU licenses (when the terms of this modification require assessing the underlying hardware and reporting its inventory every 30 minutes); and
• You have IBM product(s) running on one or more worker nodes that are licensed with IBM PVU licenses and are eligible for sub-capacity consumption calculations.
This is because the default value is already 30m, so that leaving it without further specification already complies with the IBM requirements for sub-capacity PVU points reporting.
Item | Description
Attribute | spec.node.interval
Type | Duration
Example | 30m
Node Inventory Privilege
The privileged attribute within the node block of the YAML file determines whether the node component of the Flexera Kubernetes inventory agent can collect complete hardware information from worker nodes, in particular data from the BIOS. To allow this, the containers deployed as part of the node component of the Flexera Kubernetes inventory agent must have the privileged attribute set in their security context.
• When true (the default) or unspecified, normal operations are enabled.
• When the setting is false, the node component containers do not have the privileged attribute, and therefore are unable to report the corresponding data.
Item | Description
Attribute | spec.node.privileged
Type | Boolean
Example | true
Force Control Nodes
In Kubernetes, the node-role.kubernetes.io/master taint can be used to repel pods from being scheduled on the control-plane nodes.
• If forceControlPlane is true, the node component pods are created with a corresponding toleration to force them to be scheduled onto the control-plane nodes as well as the worker nodes.
• If this value is false (the default) or unspecified, the toleration is not applied to the node component pods. Inventory is then collected only from worker nodes.
Item | Description
Attribute | spec.node.forceControlPlane
Type | Boolean
Example | true
Node Connection Retries
These attributes rarely need to be set. Together, they specify the behavior of the node component while it is waiting for the monitor component to start:
1. When it starts, a node component pod attempts to connect to the monitor component.
2. If the connection fails, it will wait for readyWait seconds and then retry the connection.
3. It repeats the attempts until, after readyRetries attempts, it gives up, and the pod fails.
4. The node component DaemonSet automatically restarts the pod.
Item | Description
Attribute | spec.node.readyWait
Type | Duration
Example | 10s
Item | Description
Attribute | spec.node.readyRetries
Type | Integer
Example | 20
Node Upload Failure
This attribute rarely needs to be set. The default is false, in which case a failure of an inventory upload leaves its pod running, and it can re-attempt the inventory upload later. If it is set to true, any inventory upload attempt that fails causes the node component pod to fail.
Item | Description
Attribute | spec.node.mustUpload
Type | Boolean
Example | true
Node mount host paths
The mountHostFS attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes inventory agent is allowed to mount the /etc/os-release file and /var/lib directory in read-only mode from the node host file system.
The node's /etc/os-release file is mounted within the krm daemonset pod as /flexera-daemonset-node-host-os-release (read-only access), and OS inventory is collected from the /flexera-daemonset-node-host-os-release file rather than the krm daemonset pod's /etc/os-release (which would return the Ubuntu 22.04 OS info of the pod image and not the actual node's OS info).
The node's /var/lib directory is mounted within the krm daemonset pod as /flexera-daemonset-node-host-var-lib/ (read-only access), and OS package inventory is collected by enabling the spec.node.collectHostRpmInfo attribute documented below.
Important: Changing this setting requires the spec.node.enable attribute to be toggled to false and applied, then toggled to true and applied. This is needed to remove or add the volume mount definitions from/to the krm daemonset definition.
Also note that using a hostPath mount (see hostPath volume type in the Kubernetes Online Help documentation) might be blocked by a pod security policy, which would need to be evaluated to allow this option for the krm daemonset pod.
Item | Description
Attribute | spec.node.mountHostFS
Type | Boolean
Example | true
Node collect host rpm package information
The collectHostRpmInfo attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes inventory agent is allowed to collect rpm package evidence from the node host file system.
The rpm package inventory is collected from the mounted directory /flexera-daemonset-node-host-var-lib/ by querying the rpm SQLite database in the /flexera-daemonset-node-host-var-lib/rpm directory (if it exists) with the rpm command: /bin/rpm --dbpath /flexera-daemonset-node-host-var-lib/rpm --query --all --queryformat ....
Important: The spec.node.mountHostFS attribute mentioned above needs to be enabled (true) for this attribute to work.
Item | Description
Attribute | spec.node.collectHostRpmInfo
Type | Boolean
Example | true
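Several of the advanced attributes above change what the agent's pods are allowed to do on a node, and the documented defaults enable most of that access. The added example below (not Flexera code) resolves the effective value of each such attribute from a manifest and lists what it turns on; the function names and sample manifests are constructed for illustration, and the manifest is assumed to be available as a dictionary.

```python
# Defaults exactly as this page documents them. mountHostFS and
# collectHostRpmInfo have no documented default here, so they are only
# evaluated when the manifest sets them explicitly.
DEFAULTS = {("node", "enable"): True, ("node", "privileged"): True,
            ("node", "forceControlPlane"): False,
            ("monitor", "downloadFromBeacon"): True}

def effective(spec: dict, block: str, key: str):
    """Value the agent will use: explicit setting, else documented default."""
    return spec.get(block, {}).get(key, DEFAULTS.get((block, key)))

def audit_node_surface(manifest: dict) -> list:
    """List the privilege-relevant behaviours a KRM manifest turns on."""
    spec = manifest.get("spec", {})
    findings = []
    if effective(spec, "monitor", "downloadFromBeacon"):
        findings.append("downloadFromBeacon: ndtrack.sh and InventorySettings.xml "
                        "may be updated at runtime (container is not immutable)")
    if not effective(spec, "node", "enable"):
        return findings                      # node component is not deployed
    if effective(spec, "node", "privileged"):
        findings.append("privileged: node containers run with a privileged "
                        "security context")
    if effective(spec, "node", "forceControlPlane"):
        findings.append("forceControlPlane: node pods are also scheduled on "
                        "control-plane nodes")
    mount = effective(spec, "node", "mountHostFS")
    if mount is True:
        findings.append("mountHostFS: hostPath mounts of /etc/os-release and "
                        "/var/lib (read-only); check pod security policy")
    if effective(spec, "node", "collectHostRpmInfo") is True and mount is not True:
        findings.append("collectHostRpmInfo: does not work because mountHostFS "
                        "is not set to true")
    return findings

# Constructed sample manifests (dict form of the YAML), not real cluster data.
DEFAULT_INSTALL = {"spec": {}}
REDUCED = {"spec": {"monitor": {"downloadFromBeacon": False},
                    "node": {"privileged": False, "collectHostRpmInfo": True}}}

if __name__ == "__main__":
    for name, m in (("default", DEFAULT_INSTALL), ("reduced", REDUCED)):
        print(name, audit_node_surface(m))
```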