Agent and Kubernetes configuration
IBM Cloud® Schematics Agent extends the ability to work directly with your cloud infrastructure on your private network or in any isolated network zones. Customization of a deployed agent is performed through configuration options set on the Kubernetes cluster. If the agent is redeployed all customization of the cluster parameters is lost.
When an agent is deployed, by default the following configuration options are applied on the cluster. The applied configuration is reproduced here for reference.
Default network policies
The following network policies are configured to control network traffic on the cluster.
| Policy | Description |
|---|---|
deny-all-jobrunner |
Namespace:schematics-job-runtime, denies all the Ingress and Egress traffic. |
deny-all-runtime |
Namespace:schematics-runtime, denies all the Ingress and Egress traffic. |
deny-all-sandbox |
Namespace:schematics-sandbox, denies all the Ingress and Egress traffic. |
whitelist-egress-jobrunner |
Namespce:schematics-job-runtime, allowed and needed ports for egress TCP = 443, 53, 3000, 3002, and for egress UDP = 443,53. |
runtime-ingress-job |
Namespace:schematics-runtime, allowed and needed ports for ingress is 3002. |
Whitelist-sandbox |
Namespace:schematics-sandbox, allowed list, and needed ports for ingress = 3000, and for egress TCP = 80, 443, 5986, 22, 53, or egress UDP = 53,
443. |
Whitelist-runtime-egress-gen-ports |
Namespace:schematics-runtime, allowed and needed ports for ingress = 3002, and for egress TCP = 80, 443, 5986, 22, 53, 8080, 10250,
9092, 9093, or egress UDP = 53, 443, 10250, 9093, 9093. |
You can customize the network policies by following the steps editing the default configuration.
Default workspace and action runtime-job
Following resource limits and replicas are the default configuration applied to the workspace and action runtime-job namespace.
| Parameter | Description |
|---|---|
resource-limits |
Resource limit setting for the workspace and action jobs are cpu = 500m, and memory = 1Gi. |
replicas |
Number of workspace and action job pods. replica = 3. Note when the number of replica is changed, then the JR_MAXJOBS settings must also be updated. |
You can customize by following the steps to edit the default configuration.
Agent job-runner configuration
The following resource limits and replicas are the default configuration applied to the schematics-job-runner namespace
| Parameter | Description |
|---|---|
resource-limits |
Resource limit setting for the jobrunner are cpu = 500m, and memory = 1Gi. |
replicas |
Number of job pods. replica = 1. Note when the number of replica is changed, then the JR_MAXJOBS settings must also be updated. |
You can customize the job-runner configuration following the steps, editing the default configuration.
Sandbox configuration
Following resource limits and replicas are the default configuration applied to the schematics-sandbox namespace.
| Parameter | Description |
|---|---|
resource-limits |
Resource limit setting for the sandbox are cpu = 500m, and memory = 1Gi. |
replicas |
Number of job pods. replica = 3. Note when the number of replica is changed, then the JR_MAXJOBS settings must also be updated. |
You can customize the sandbox configuring following the steps, editing the default configuration.
Schematics agents controller manager
The following resource limits and replicas are the default configuration applied in the schematics-agents-observe namespace.
| Parameter | Description |
|---|---|
resource-limits |
Resource limit setting for the workspace and action jobs are cpu = 500m, and memory = 25Mi. |
replicas |
Number of job pods. replica = 1. Note when the number of replica is changed, then the JR_MAXJOBS settings must also be updated. |
You can customize by following the steps to edit the default configuration.
Agent sandbox allowed list
Following are the default agent sandbox file type and allowlist configuration set for the schematics-sandbox namespace.
| Parameter | Description |
|---|---|
SANDBOX_WHITELISTEXTN |
From the Terraform Git repositories following are the allowed file extensions. .tf, .tfvars, .md, .yaml, .sh, .txt, .yml, .html,
.gitignore, .tf.json, license, .js, .pub, .service, _rsa, .py, .json, .tpl, .cfg, .ps1,
.j2, .zip, .conf, .crt, .key, .der, .jacl, .properties, .cer, .pem, .tmpl, .netrc. |
SANDBOX_ANSIBLEACTIONWHITELISTEXTN |
From the Ansible Git repositories following are the allowed file extensions. .tf, .tfvars, .md, .yaml, .sh, .txt, .yml, .html,
.gitignore, license, .js, .pub, .service, _rsa, .py, .json, .tpl, .cfg, .ps1, .j2,
.zip, .conf, .crt, .key, .der, .cer, .pem, .bash, .tmpl. |
SANDBOX_BLACKLISTEXTN |
From the Git repositories following are the blocked file extensions. .php5, .pht, .phtml, .shtml, .asa, .asax, .swf, .xap, .tfstate,
.tfstate.backup, .exe. |
SANDBOX_IMAGEEXTN |
From the Git repositories following are the allowed image file extensions. .tif, .tiff, .gif, .png, .bmp, .jpg, .jpeg, .so. |
SANDBOX_MAX_FILE_SIZE |
Maximum file that is allowed from the Git repositories is 2 MB. (Yet to be implemented) |
You can customize by following the steps to edit the default configuration.
Agent runtime configuration for Terraform
The following parameters are the default agent runtime configuration for the Terraform runtime.
| Parameter | Description |
|---|---|
JOB_WHITELISTEXTN |
The allowed file extensions from the Git repositories (includes the dependent module repository)..tf, .tfvars, .md, .yaml, .sh, .txt, .yml,
.html, .gitignore, .tf.json, license, .js, .pub, .service, _rsa, .py, .json, .tpl, .cfg,
.ps1, .j2, .zip, .conf, .crt, .key, .der, .jacl, .properties, .cer, .pem, .tmpl,
.netrc. |
JOB_BLACKLISTEXTN |
The blocked file extensions from the Git repositories..php5, .pht, .phtml, .shtml, .asa, .asax, .swf, .xap, .tfstate,
.tfstate.backup, .exe. |
JOB_IMAGEEXTN |
The allowed image file extensions from the Git repositories..tif, .tiff, .gif, .png, .bmp, .jpg, .jpeg, .so. |
You can customize by following the steps to edit the default configuration.
Agent runtime configuration for Ansible
The following parameters are the default agent runtime configuration for the Ansible runtime.
| Parameter | Description |
|---|---|
ANSIBLE_JOB_WHITELISTEXTN |
The allowed file extensions from the Git repositories that includes the dependent module repository..tf, .tfvars, .md, .yaml, .sh, .txt, .yml,
.html, .gitignore, .tf.json, license, .js, .pub, .service, _rsa, .py, .json, .tpl, .cfg,
.ps1, .j2, .zip, .conf, .crt, .key, .der, .jacl, .properties, .cer, .pem, .tmpl,
.netrc. |
ANSIBLE_JOB_BLACKLISTEXTN |
The blocked file extensions from the Git repositories..php5, .pht, .phtml, .shtml, .asa, .asax, .swf, .xap, .tfstate,
.tfstate.backup, .exe. |
You can customize by following the steps to edit the default configuration.
Editing the agent namespace configurations
You can follow these steps to edit the default configuration of an agent namespace.
- Log in to IBM Cloud.
- Click Kubernetes from the navigator pane, then click Clusters
- On the Kubernetes Clusters page, click your cluster > Kubernetes dashboard.
- Click the default drop down to view the list of Namespaces:
- In the drop down, type the Schematics-runtime Namespaces to view the Workload Status, Deployments, Pods, Replica sets, and so on.
- From the Deployments panel. Click the three dots against runtime-ansible-job.
- Click Edit to view the Edit a resource page with the YAML, and JSON tabs.
- You can now view the parameters and reconfigure to customize your agent configuration.
- Click Update to apply your edits.
- Restart the deployment and check if all the pods are in running state.
- Click the default drop down to view the list of Namespaces:
- Similarly, you can edit the configuration for all the agent namespaces to customize.