Attributes for Agent Features
The YAML file format allows you to configure specific features of the Flexera Kubernetes Inventory Agent using the settings described in this topic.
- For the Full Flexera Kubernetes Inventory Agent—https://gallery.ecr.aws/flexera/krm-chart
- For the Lightweight Flexera Kubernetes Inventory Agent—https://gallery.ecr.aws/flexera/lwk-chart.
IBM License Service integration
Containerized IBM software requires the use of the IBM License Service to monitor license usage. The Flexera Kubernetes Inventory Agent integrates with the IBM License Service, and collects the IBM product(s) capacity usage data for that cluster through the IBM License Service API.
enable and tlsVerify settings (which are required in all cases).
CustomResourceDefinition: ibmLicensings.operator.ibm.com
ibmLicensings in this context is not a typo, but in line with the Kubernetes naming convention that uses the plural form when referring to a fully-qualified resource type.
ibmLicensing resource configuration, searching for services in the Kubernetes cluster using label selectors, and reading the secret that provides the authentication token.
false to turn off the integration, as this also turns off the checking process.
- Immediately on start-up
- Immediately after successfully discovering the service and configuration
- Every day at 1:00 AM (local time of the cluster).
Enable the integration
true, integration of the Flexera Kubernetes Inventory Agent with the IBM License Service is turned on.
false, in which case the Flexera Kubernetes Inventory Agent does not interact with the IBM License Service. Be aware that use of the IBM License Service is mandatory for compliance with IBM licenses for products running in Kubernetes clusters. If you wish to import the license data collected by the IBM License Service for reporting within IT Asset Management, you must set this attribute to true.
Attribute | spec.ibmLicensing.enable |
Type | Boolean |
Example | true |
apiVersion: agents.flexera.com/v1
kind: KRM
metadata:
  name: instance
spec:
  ibmLicensing:
    enable: true
    ...
The IBM License Service namespace
Attribute | spec.ibmLicensing.namespace |
Type | String |
Example | ibm-common-services |
The service name
Attribute | spec.ibmLicensing.serviceName |
Type | String |
Example | ibm-licensing-service-instance |
The service port
Attribute | spec.ibmLicensing.servicePort |
Type | Integer |
Example | 8080 |
The service token
Attribute | spec.ibmLicensing.token |
Type | String |
Example | VoOMWJijBWuCxSxwgON11w7z |
The service protocol
Attribute | spec.ibmLicensing.https |
Type | Boolean |
Example | true |
The service certificate
If the IBM License Service API serves over HTTPS using an untrusted certificate, this setting can be set to false (or left unspecified, since the default value is false).
- When this value is false (or unspecified), the Flexera Kubernetes Inventory Agent does not attempt to verify authenticity of the certificate. The connection is still encrypted, but the agent has no assurance that it is talking to the genuine IBM License Service.
- When this value is set to true, the Flexera Kubernetes Inventory Agent verifies the certificate. Connection with the IBM License Service fails if either:
  - The certificate is not valid
  - The certificate is signed by an unknown issuer.
Attribute | spec.ibmLicensing.tlsVerify |
Type | Boolean |
Example | false |
Advanced Flexera Kubernetes inventory agent attributes
The following attributes control minor aspects of the behavior of the Flexera Kubernetes Inventory Agent. All have sensible defaults, so that there is no strong reason to modify these attributes unless you need detailed configuration control in your environment.
Inventory interval
Specifies the time interval on which the Flexera Kubernetes Inventory Agent collects and uploads inventory. The Flexera Kubernetes Inventory Agent caches the most up-to-date information about each cluster resource it is interested in observing, and retains resources in its cache (even if they have been deleted in the cluster) until it can upload its next inventory. The interval setting is a trade-off between the data volume retained in cache and uploadable in a given inventory versus the number of inventories being uploaded and imported. The default value is 24h, so that the Flexera Kubernetes Inventory Agent collects and uploads its specified inventory once each day.
12h for twelve hours.
Attribute | spec.monitor.interval |
Type | Duration |
Example | 6h |
Agent self-updates and policy updates
The downloadFromBeacon attribute controls whether the Flexera Kubernetes Inventory Agent allows any data flows down from its inventory beacon, which includes three important kinds of communication that impact the FlexNet Inventory Agent when it is triggered to collect software inventory within the container:
- Updates to agent policy, made available through inventory beacons as new versions of the config.ini file distributed from the central application server
- Further extensions to inventory-gathering functionality, distributed as updated versions of InventorySettings.xml
- Updated versions of the FlexNet Inventory Agent itself.
true, on the assumption that you may expect to collect software inventory from your containers with optimum, fully-updated functionality:
- If downloadFromBeacon is set to true or unspecified, the Flexera Kubernetes Inventory Agent runs the policy component of FlexNet Inventory Agent to check for, and if necessary to download, the latest agent policy (config.ini), updates to the zero-footprint inventory component (ndtrack.sh), and latest version of the InventorySettings.xml file of extension capabilities.
- If downloadFromBeacon is false, Flexera Kubernetes Inventory Agent does not permit these updates. Instead, it uses the version of ndtrack.sh that shipped in the container image, and does not use any copy of InventorySettings.xml. It also uses the config.ini file that shipped in the container image, although this may be updated with local patches for the cluster (see Patching config.ini through Flexera Kubernetes Inventory Agent). While setting downloadFromBeacon to false is the recommended approach for situations where the container must remain immutable at runtime, it may impact the completeness of the inventory produced for container images in the cluster, particularly for software from vendors like Oracle and Microsoft.
Attribute | spec.monitor.downloadFromBeacon |
Type | Boolean |
Example | false |
Collect software inventory
The imageInventory attribute controls collection of software inventory from Open Container Initiative (OCI) container images:
- When set to true (the default) or unspecified, the Flexera Kubernetes Inventory Agent injects the inventory component of FlexNet Inventory Agent (ndtrack.sh) into containers in the cluster to obtain software inventories of their content. Thereafter, the tracker is removed again, completing a process of zero footprint inventory collection.
- When set to false, the Flexera Kubernetes Inventory Agent disables this behavior. This means that the Flexera Kubernetes Inventory Agent cannot report software inventory from any containers in the cluster.
Important: Unless some other inventory source replaces this software inventory from containers, a license position cannot be correctly resolved, and you may be exposed in a future compliance audit. Keep in mind that the IBM License Service only monitors software from IBM. Consider the requirement to monitor license consumption for other software companies.
Attribute | spec.monitor.imageInventory |
Type | Boolean |
Example | true |
Node component
The enable attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes Inventory Agent is deployed:
- When true (the default) or unspecified, normal operations are enabled.
- If set to false, the node component of the Flexera Kubernetes Inventory Agent is not deployed. This means that hardware inventory of the worker nodes cannot be collected.
Attribute | spec.node.enable |
Type | Boolean |
Example | true |
Node inventory interval
The interval attribute within the node block of the YAML file determines how often (at what time interval) hardware inventory is collected for the worker nodes in the cluster(s). In general, this can be left unspecified, even when:
- You hold a license modification that authorizes use of IT Asset Management to assess sub-capacity consumption of IBM PVU licenses (when the terms of this modification require assessing the underlying hardware and reporting its inventory every 30 minutes); and
- You have IBM product(s) running on one or more worker nodes that are licensed with IBM PVU licenses and are eligible for sub-capacity consumption calculations.
30m, so that leaving it without further specification already complies with the IBM requirements for sub-capacity PVU points reporting.
Attribute | spec.node.interval |
Type | Duration |
Example | 30m |
Node inventory privilege
The privileged attribute within the node block of the YAML file determines whether the node component of the Flexera Kubernetes Inventory Agent can collect complete hardware information from worker nodes, in particular data from the BIOS. To allow this, the containers deployed as part of the node component of the Flexera Kubernetes Inventory Agent must have the privileged attribute set in their security context.
- When true (the default) or unspecified, normal operations are enabled.
- When the setting is false, the node component containers do not have the privileged attribute, and therefore are unable to report the corresponding data.
Attribute | spec.node.privileged |
Type | Boolean |
Example | true |
Force control nodes
node-role.kubernetes.io/master taint can be used to repel pods from being scheduled on the control-plane nodes.
- If forceControlPlane is true, the node component pods are created with a corresponding toleration to force them to be scheduled onto the control-plane nodes as well as the worker nodes.
- If this value is false (the default) or unspecified, the toleration is not applied to the node component pods. Inventory is then collected only from worker nodes.
Attribute | spec.node.forceControlPlane |
Type | Boolean |
Example | true |
Node connection retries
- When it starts, a node component pod attempts to connect to the monitor component.
- If the connection fails, it will wait for readyWait seconds and then retry the connection.
- It repeats the attempts until, after readyRetries attempts, it gives up, and the pod fails.
- The node component DaemonSet automatically restarts the pod.
Attribute | spec.node.readyWait |
Type | Duration |
Example | 10s |
Attribute | spec.node.readyRetries |
Type | Integer |
Example | 20 |
Node upload failure
This attribute rarely needs to be set. The default is false, in which case a failure of an inventory upload leaves its pod running, and it can re-attempt the inventory upload later. If it is set to true, any inventory upload attempt that fails causes the node component pod to fail.
Attribute | spec.node.mustUpload |
Type | Boolean |
Example | true |
Node mount host paths
The mountHostFS attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes inventory agent is allowed to mount the /etc/os-release file and /var/lib directory in read-only mode from the node host file system.
The node's /etc/os-release file is mounted within the krm daemonset pod as /flexera-daemonset-node-host-os-release (read-only access), and OS inventory is collected from the /flexera-daemonset-node-host-os-release file rather than the krm daemonset pod's /etc/os-release (which would return the Ubuntu 22.04 OS info of the pod image and not the actual node's OS info).
spec.node.collectHostRpmInfo attribute documented below.
spec.node.enable attribute to be toggled to false and applied, then toggled to true and applied. This is needed to remove or add the volume mount definitions from/to the krm daemonset definition.
Also note that using a hostPath mount (see hostPath volume type in the Kubernetes Online Help documentation) might be blocked by a pod security policy, which would need to be evaluated to allow this option for the krm daemonset pod.
Attribute | spec.node.mountHostFS |
Type | Boolean |
Example | true |
Node collect host rpm package information
The collectHostRpmInfo attribute within the node block of the YAML file determines whether the node-monitoring component of the Flexera Kubernetes inventory agent is allowed to collect rpm package evidence from the node host file system.
The rpm package inventory is collected from the mounted directory /flexera-daemonset-node-host-var-lib/ by accessing the rpm SQLite DB in the /flexera-daemonset-node-host-var-lib/rpm directory, if it exists, using the rpm command: /bin/rpm --dbpath /flexera-daemonset-node-host-var-lib/rpm --query --all --queryformat ....
The spec.node.mountHostFS attribute mentioned above needs to be enabled (true) for this attribute to work.
Attribute | spec.node.collectHostRpmInfo |
Type | Boolean |
Example | true |
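The following Python is an added example, not code from Flexera or from the original page. It takes the spec block of a KRM manifest as a dict, applies the defaults this page documents for tlsVerify, downloadFromBeacon, node.enable, privileged and forceControlPlane, and returns the attributes from "The service certificate", "Agent self-updates and policy updates" and the node sections that deserve a security review before deployment. The function names, messages and sample spec are assumptions constructed for illustration.

```python
# Added example (not Flexera code): review a KRM spec for the security-relevant
# attributes on this page, applying the defaults the page documents.
DEFAULTS = {  # documented values when the attribute is left unspecified
    "ibmLicensing.tlsVerify": False,
    "monitor.downloadFromBeacon": True,
    "node.enable": True,
    "node.privileged": True,
    "node.forceControlPlane": False,
}

def effective(spec, path):
    """Explicit value of block.key if present, else the documented default."""
    block, key = path.split(".")
    return (spec.get(block) or {}).get(key, DEFAULTS.get(path))

def audit(spec):
    """Return {attribute path: reason} for settings that deserve review."""
    flagged = {}
    ibm = spec.get("ibmLicensing") or {}
    if ibm.get("enable"):
        if ibm.get("https") is False:
            flagged["spec.ibmLicensing.https"] = "License Service API called over plain HTTP"
        elif not effective(spec, "ibmLicensing.tlsVerify"):
            flagged["spec.ibmLicensing.tlsVerify"] = "server certificate is not verified"
        if ibm.get("token"):
            flagged["spec.ibmLicensing.token"] = "token readable by anyone who can read the KRM resource"
    if effective(spec, "monitor.downloadFromBeacon"):
        flagged["spec.monitor.downloadFromBeacon"] = "updates are downloaded, container is not immutable at runtime"
    node = spec.get("node") or {}
    if effective(spec, "node.enable"):
        if effective(spec, "node.privileged"):
            flagged["spec.node.privileged"] = "node containers run with a privileged security context"
        if node.get("mountHostFS"):
            flagged["spec.node.mountHostFS"] = "hostPath mounts of /etc/os-release and /var/lib (read-only)"
        if effective(spec, "node.forceControlPlane"):
            flagged["spec.node.forceControlPlane"] = "toleration schedules node pods on control-plane nodes"
        if node.get("collectHostRpmInfo") and not node.get("mountHostFS"):
            flagged["spec.node.collectHostRpmInfo"] = "has no effect unless mountHostFS is true"
    return flagged

# Constructed sample: only the integration is switched on, everything else defaulted.
SAMPLE = {"ibmLicensing": {"enable": True, "https": True, "token": "EXAMPLE-TOKEN"}}

if __name__ == "__main__":
    for attr, why in sorted(audit(SAMPLE).items()):
        print(f"{attr}: {why}")
```

The sample shows that a manifest which only enables the integration still inherits unverified TLS, runtime downloads and privileged node containers from the documented defaults.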