Attributes for Agent Features

IT Asset Management (Cloud)

The YAML file format allows you to configure specific features of the Flexera Kubernetes Inventory Agent using the settings described in this topic.

Note: For employing Helm chart templates to accelerate Flexera Kubernetes Inventory Agent deployments, two predefined Kubernetes Helm chart templates are available and can be pulled from repositories hosted on Flexera AWS ECR - https://gallery.ecr.aws/flexera/: For each Helm chart, the majority of options within the values.yaml file are predefined and each option has a descriptive comment. Customers are required to specify the FlexNet Beacon URL and persistent storage options for the Full Flexera Kubernetes Inventory Agent, and the FlexNet Beacon URL for the Lightweight Flexera Kubernetes Inventory Agent. For configuration and installation steps for the Full Flexera Kubernetes Inventory Agent, see Full Flexera Kubernetes Agent Helm chart configuration and installation in the Online Help. For configuration and installation steps for the Lightweight Kubernetes Inventory Agent, see Lightweight Kubernetes Agent Helm chart configuration and installation in the Gathering FlexNet Inventory user guide.

IBM License Service integration

Containerized IBM software requires the use of the IBM License Service to monitor license usage. The Flexera Kubernetes Inventory Agent integrates with the IBM License Service, and collects the IBM product(s) capacity usage data for that cluster through the IBM License Service API.

To consume the IBM License Service API, the Flexera Kubernetes Inventory Agent must first locate the API, and obtain the token used to authenticate. This requires the Flexera Kubernetes Inventory Agent to read several different resource types from the cluster that it would not otherwise need to read. Permissions to read these resources can be enabled during the installation process. It is also possible to avoid adding these permissions by providing the Flexera Kubernetes Inventory Agent with all the standard values it needs in the attributes within the YAML file. (This does not include the ones listed under Advanced Flexera Kubernetes inventory agent attributes.)
Note: The entire set of values must be provided. If the set is incomplete, the Flexera Kubernetes Inventory Agent attempts to discover those that are missing. Exceptions to this general statement are the enable and tlsVerify settings (which are required in all cases).
When enabled (as described next), the Flexera Kubernetes Inventory Agent first detects the presence of the IBM License Service in the Kubernetes cluster by looking for the CustomResourceDefinition:
ibmLicensings.operator.ibm.com
Tip: The plural ibmLicensings in this context is not a typo, but in line with the Kubernetes naming convention that uses the plural form when referring to a fully-qualified resource type.
It then loads any missing configuration values needed to locate and authenticate with the API by reading the ibmLicensing resource configuration, searching for services in the Kubernetes cluster using label selectors, and reading the secret that provides the authentication token.
Tip: If this process fails, or if the IBM License Service is not installed in the Kubernetes cluster, the Flexera Kubernetes Inventory Agent re-attempts the process every 5 minutes. This is because your settings in the YAML file specify that you want to enable the integration with the IBM License Service, and if this is deployed at some later time, the regular checks by the Flexera Kubernetes Inventory Agent cause the integration to begin working without further effort. If this is not what you require, simply change the setting (described next) back to false to turn off the integration, as this also turns off the checking process.
The Flexera Kubernetes Inventory Agent queries the IBM License Service API on each of the following occasions:
  • Immediately on start-up
  • Immediately after successfully discovering the service and configuration
  • Every day at 1:00 AM (local time of the cluster).
The Flexera Kubernetes Inventory Agent requests a usage snapshot for the prior 180 days each time it queries the API.

Enable the integration

If this attribute is set to true, integration of the Flexera Kubernetes Inventory Agent with the IBM License Service is turned on.
Important: The default value is false, in which case the Flexera Kubernetes Inventory Agent does not interact with the IBM License Service. Be aware that use of the IBM License Service is mandatory for compliance with IBM licenses for products running in Kubernetes clusters. If you wish to import the license data collected by the IBM License Service for reporting within IT Asset Management, you must set this attribute to true.
Attribute spec.ibmLicensing.enable
Type Boolean
Example true
With this setting, the relevant sections of the YAML file look similar to this:
apiVersion: agents.flexera.com/v1
kind: KRM
metadata:
  name: instance
spec:
  ibmLicensing:
    enable: true
...

The IBM License Service namespace

If this attribute is omitted, the Flexera Kubernetes Inventory Agent automatically searches for the namespace used by the IBM License Service. Alternatively, you may explicitly specify that namespace in this attribute.
Attribute spec.ibmLicensing.namespace
Type String
Example ibm-common-services

The service name

If this attribute is omitted, the Flexera Kubernetes Inventory Agent automatically searches for the name of the Service used to expose the IBM License Service API within the Kubernetes cluster. Alternatively, you may explicitly specify that name in this attribute.
Attribute spec.ibmLicensing.serviceName
Type String
Example ibm-licensing-service-instance

The service port

If this attribute is omitted, the Flexera Kubernetes Inventory Agent automatically searches for the TCP port in the Service used to expose the IBM License Service API within the Kubernetes cluster. Alternatively, you may explicitly specify that port in this attribute.
Attribute spec.ibmLicensing.servicePort
Type Integer
Example 8080

The service token

If this attribute is omitted, the Flexera Kubernetes Inventory Agent automatically searches for the token used to authenticate with the IBM License Service API within the Kubernetes cluster. Alternatively, you may explicitly specify that token in this attribute.
Attribute spec.ibmLicensing.token
Type String
Example VoOMWJijBWuCxSxwgON11w7z

The service protocol

If this attribute is omitted, the Flexera Kubernetes Inventory Agent automatically searches the configuration to determine whether the IBM License Service API is served over HTTPS. Alternatively, you may explicitly specify that protocol in this attribute.
Attribute spec.ibmLicensing.https
Type Boolean
Example true

The service certificate

If the IBM License Service API serves over HTTPS using an untrusted certificate, this setting can be set to false (or left unspecified, since the default value is false).
  • When this value is false (or unspecified), the Flexera Kubernetes Inventory Agent does not attempt to verify authenticity of the certificate.
  • When this value is set to true, the Flexera Kubernetes Inventory Agent verifies the certificate. Connection with the IBM License Service fails if either:
    • The certificate is not valid
    • The certificate is signed by an unknown issuer.
Attribute spec.ibmLicensing.tlsVerify
Type Boolean
Example false
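
As an added example (not Flexera code), the following Python function reviews the spec.ibmLicensing block of a KRM resource that has already been parsed into a dict, for instance with a YAML loader. It reports whether the agent still has to discover values (which is what requires the extra read permissions), whether the token sits in the resource itself, and whether certificate verification is off; the function name, finding texts and sample resources are constructed for illustration.

```python
# Added example, not Flexera code. Defaults (enable=false, tlsVerify=false)
# are the ones stated on this page.

# Standard values the agent discovers from the cluster when they are absent.
DISCOVERABLE = ("namespace", "serviceName", "servicePort", "token", "https")


def review_ibm_licensing(krm: dict) -> list[str]:
    """Return findings for spec.ibmLicensing of a parsed KRM resource."""
    cfg = (krm.get("spec") or {}).get("ibmLicensing") or {}
    if not cfg.get("enable", False):
        return []  # integration off: the agent does not contact the service

    findings = []
    missing = [key for key in DISCOVERABLE if key not in cfg]
    if missing:
        # An incomplete set makes the agent discover the rest, which needs
        # the additional read permissions granted at installation.
        findings.append("discovery needed for: " + ", ".join(missing))
    if "token" in cfg:
        findings.append("token is stored in the resource itself")
    if cfg.get("https") is False:
        findings.append("https is false: API traffic is not encrypted")
    elif cfg.get("tlsVerify", False) is not True:
        findings.append("tlsVerify is not true: certificate is not verified")
    return findings


# Constructed sample resources (hypothetical values, placeholder token).
CONSTRUCTED_MINIMAL = {"spec": {"ibmLicensing": {"enable": True}}}
CONSTRUCTED_EXPLICIT = {"spec": {"ibmLicensing": {
    "enable": True,
    "namespace": "ibm-common-services",
    "serviceName": "ibm-licensing-service-instance",
    "servicePort": 8080,
    "token": "<placeholder-token>",
    "https": True,
    "tlsVerify": True,
}}}

if __name__ == "__main__":
    for name, krm in (("minimal", CONSTRUCTED_MINIMAL),
                      ("explicit", CONSTRUCTED_EXPLICIT)):
        print(name, review_ibm_licensing(krm))
```

The explicit sample shows the trade-off: supplying the full set removes the need for discovery, but the resource then carries the API token and has to be protected accordingly.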

Advanced Flexera Kubernetes inventory agent attributes

The following attributes control minor aspects of the behavior of the Flexera Kubernetes Inventory Agent. All have sensible defaults, so that there is no strong reason to modify these attributes unless you need detailed configuration control in your environment.

Inventory interval

Specifies the time interval on which the Flexera Kubernetes Inventory Agent collects and uploads inventory. The Flexera Kubernetes Inventory Agent caches the most up-to-date information about each cluster resource it is interested in observing, and retains resources in its cache (even if they have been deleted in the cluster) until it can upload its next inventory. The interval setting is a trade-off between the data volume retained in cache and uploadable in a given inventory versus the number of inventories being uploaded and imported. The default value is 24h, so that the Flexera Kubernetes Inventory Agent collects and uploads its specified inventory once each day.

The value of this setting is a string using the convention established by Kubernetes and the Go programming language. It consists of an integer followed by a unit suffix such as "s" for seconds, "m" for minutes, or "h" for hours, for example 12h for twelve hours.
Attribute spec.monitor.interval
Type Duration
Example 6h

Agent self-updates and policy updates

The downloadFromBeacon attribute controls whether the Flexera Kubernetes Inventory Agent allows any data to flow down from its inventory beacon. This covers three important kinds of communication that affect the FlexNet Inventory Agent when it is triggered to collect software inventory within the container:
  • Updates to agent policy, made available through inventory beacons as new versions of the config.ini file distributed from the central application server
  • Further extensions to inventory-gathering functionality, distributed as updated versions of InventorySettings.xml
  • Updated versions of the FlexNet Inventory Agent itself.
The default value of this attribute is true, on the assumption that you may expect to collect software inventory from your containers with optimum, fully-updated functionality:
  • If downloadFromBeacon is set to true or unspecified, the Flexera Kubernetes Inventory Agent runs the policy component of FlexNet Inventory Agent to check for, and if necessary to download, the latest agent policy (config.ini), updates to the zero-footprint inventory component (ndtrack.sh), and latest version of the InventorySettings.xml file of extension capabilities.
  • If downloadFromBeacon is false, the Flexera Kubernetes Inventory Agent does not permit these updates. Instead, it uses the version of ndtrack.sh that shipped in the container image, and does not use any copy of InventorySettings.xml. It also uses the config.ini file that shipped in the container image, although this may be updated with local patches for the cluster (see Patching config.ini through Flexera Kubernetes Inventory Agent). While setting downloadFromBeacon to false is the recommended approach for situations where the container must remain immutable at runtime, it may impact the completeness of the inventory produced for container images in the cluster, particularly for software from vendors like Oracle and Microsoft.
Attribute spec.monitor.downloadFromBeacon
Type Boolean
Example false

Collect software inventory

The imageInventory attribute controls collection of software inventory from Open Container Initiative (OCI) container images:
  • When set to true (the default) or unspecified, the Flexera Kubernetes Inventory Agent injects the inventory component of FlexNet Inventory Agent (ndtrack.sh) into containers in the cluster to obtain software inventories of their content. Thereafter, the tracker is removed again, completing a process of zero footprint inventory collection.
  • When set to false, the Flexera Kubernetes Inventory Agent disables this behavior. This means that the Flexera Kubernetes Inventory Agent cannot report software inventory from any containers in the cluster.
    Important: Unless some other inventory source replaces this software inventory from containers, a license position cannot be correctly resolved, and you may be exposed in a future compliance audit. Keep in mind that the IBM License Service only monitors software from IBM. Consider the requirement to monitor license consumption for other software companies.
Attribute spec.monitor.imageInventory
Type Boolean
Example true

Node component

The enable attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes Inventory Agent is deployed:
  • When true (the default) or unspecified, normal operations are enabled.
  • If set to false, the node component of the Flexera Kubernetes Inventory Agent is not deployed. This means that hardware inventory of the worker nodes cannot be collected.
Warning: While the option to disable the node component is currently available in the Flexera Kubernetes Inventory Agent, it is not yet supported by the rest of IT Asset Management. Do not disable the node component until a later release removes this warning.
Attribute spec.node.enable
Type Boolean
Example true

Node inventory interval

The interval attribute within the node block of the YAML file determines how often (at what time interval) hardware inventory is collected for the worker nodes in the cluster(s). In general, this can be left unspecified, even when:
  • You hold a license modification that authorizes use of IT Asset Management to assess sub-capacity consumption of IBM PVU licenses (when the terms of this modification require assessing the underlying hardware and reporting its inventory every 30 minutes); and
  • You have IBM product(s) running on one or more worker nodes that are licensed with IBM PVU licenses and are eligible for sub-capacity consumption calculations.
This is because the default value is already 30m, so that leaving it without further specification already complies with the IBM requirements for sub-capacity PVU points reporting.
Attribute spec.node.interval
Type Duration
Example 30m

Node inventory privilege

The privileged attribute within the node block of the YAML file determines whether the node component of the Flexera Kubernetes Inventory Agent can collect complete hardware information from worker nodes, in particular data from the BIOS. To allow this, the containers deployed as part of the node component of the Flexera Kubernetes Inventory Agent must have the privileged attribute set in their security context.
  • When true (the default) or unspecified, normal operations are enabled.
  • When the setting is false, the node component containers do not have the privileged attribute, and therefore are unable to report the corresponding data.
Attribute spec.node.privileged
Type Boolean
Example true

Force control nodes

In Kubernetes, the node-role.kubernetes.io/master taint can be used to repel pods from being scheduled on the control-plane nodes.
  • If forceControlPlane is true, the node component pods are created with a corresponding toleration to force them to be scheduled onto the control-plane nodes as well as the worker nodes.
  • If this value is false (the default) or unspecified, the toleration is not applied to the node component pods. Inventory is then collected only from worker nodes.
Attribute spec.node.forceControlPlane
Type Boolean
Example true

Node connection retries

These attributes rarely need to be set. Together, they specify the behavior of the node component while it is waiting for the monitor component to start:
  1. When it starts, a node component pod attempts to connect to the monitor component.
  2. If the connection fails, it will wait for readyWait seconds and then retry the connection.
  3. It repeats the attempts until, after readyRetries attempts, it gives up, and the pod fails.
  4. The node component DaemonSet automatically restarts the pod.
Attribute spec.node.readyWait
Type Duration
Example 10s
Attribute spec.node.readyRetries
Type Integer
Example 20

Node upload failure

This attribute rarely needs to be set. The default is false, in which case a failed inventory upload leaves its pod running, and the pod can re-attempt the inventory upload later. If it is set to true, any inventory upload attempt that fails causes the node component pod to fail.

Attribute spec.node.mustUpload
Type Boolean
Example true

Node mount host paths

The mountHostFS attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes inventory agent is allowed to mount the /etc/os-release file and /var/lib directory in read-only mode from the node host file system.

The node's /etc/os-release file is mounted within the krm daemonset pod as /flexera-daemonset-node-host-os-release (read-only access), and OS inventory is collected from the /flexera-daemonset-node-host-os-release file rather than from the krm daemonset pod's /etc/os-release (which would return the Ubuntu 22.04 OS info of the pod image and not the actual node's OS info).

The node's /var/lib directory is mounted within the krm daemonset pod as /flexera-daemonset-node-host-var-lib/ (read-only access), and OS package inventory is collected by enabling the spec.node.collectHostRpmInfo attribute documented below.
Important: Changing this setting requires the spec.node.enable attribute to be toggled to false and applied, then toggled to true and applied. This is needed to remove or add the volume mount definitions from/to the krm daemonset definition.

Note also that a hostPath mount (see hostPath volume type in the Kubernetes Online Help documentation) might be blocked by a pod security policy, which would then need to be evaluated to allow this option for the krm daemonset pod.

Attribute spec.node.mountHostFS
Type Boolean
Example true

Node collect host rpm package information

The collectHostRpmInfo attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes inventory agent is allowed to collect rpm package evidence from the node host file system.

The rpm package inventory is collected from the mounted directory /flexera-daemonset-node-host-var-lib/ by querying the rpm SQLite DB in the /flexera-daemonset-node-host-var-lib/rpm directory, if it exists, with the rpm command: /bin/rpm --dbpath /flexera-daemonset-node-host-var-lib/rpm --query --all --queryformat ....

Important: The spec.node.mountHostFS attribute mentioned above needs to be enabled (true) for this attribute to work.
Attribute spec.node.collectHostRpmInfo
Type Boolean
Example true
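
As an added example (not Flexera code), the following Python function reviews the spec.node block of a parsed KRM resource for the host-access settings described above, the collectHostRpmInfo dependency on mountHostFS, and the 30m interval cited for IBM PVU sub-capacity reporting. It assumes mountHostFS and collectHostRpmInfo are off when unset, since this page does not state their defaults; function names, finding texts and sample resources are constructed for illustration.

```python
import re

# Added example, not Flexera code. Handles only the duration form this page
# describes: an integer followed by s, m or h.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def duration_seconds(text: str) -> int:
    match = re.fullmatch(r"(\d+)([smh])", text)
    if match is None:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def review_node(krm: dict) -> list[str]:
    """Return findings for spec.node of a parsed KRM resource."""
    node = (krm.get("spec") or {}).get("node") or {}
    if not node.get("enable", True):          # page default: true
        return ["node component not deployed: no hardware inventory"]

    findings = []
    if node.get("privileged", True):          # page default: true
        findings.append("node containers are privileged")
    if node.get("forceControlPlane", False):  # page default: false
        findings.append("pods are also scheduled on control-plane nodes")
    # Assumption: mountHostFS and collectHostRpmInfo count as off when unset;
    # the page does not state their defaults.
    mounts = node.get("mountHostFS", False)
    if mounts:
        findings.append("hostPath mounts: /etc/os-release, /var/lib (read-only)")
    if node.get("collectHostRpmInfo", False) and not mounts:
        findings.append("collectHostRpmInfo needs mountHostFS: true")
    if duration_seconds(node.get("interval", "30m")) > 30 * 60:
        findings.append("interval is longer than the 30m cited for IBM PVU")
    return findings


# Constructed sample resources (hypothetical).
CONSTRUCTED_DEFAULTS = {"spec": {"node": {}}}
CONSTRUCTED_CUSTOM = {"spec": {"node": {
    "privileged": False,
    "forceControlPlane": True,
    "collectHostRpmInfo": True,
    "interval": "1h",
}}}

if __name__ == "__main__":
    print(review_node(CONSTRUCTED_DEFAULTS))
    print(review_node(CONSTRUCTED_CUSTOM))
```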