Kubernetes Visibility Agent (formerly CNO for Visibility) Advanced Configuration Options

Configuration Parameters

Each of the parameters below can be configured with --set when installing the Helm chart, or by setting the corresponding environment variable in the k8s_informer.yaml file. Some of the parameters can also be configured from the instance. To configure from the instance, navigate to Kubernetes Visibility Agent/Home and click the required informer, then add or edit the parameter in the lower part of the screen. If you want to create a parameter that applies to all informers, navigate to Kubernetes Visibility Agent/Configuration Parameters and add or edit records. A record associated with a specific informer overrides records targeted at all informers. When picking an option from the parameter drop-down, hover over a given option; a tooltip appears on the right.
| Helm Parameter | Environment Variable | Description | Default Value |
| --- | --- | --- | --- |
| clusterName | CLUSTER_NAME | The Kubernetes cluster name as it should be reflected in the CMDB | None |
| sendIntervalSec | SEND_INTERVAL_SEC | The time window in seconds for accumulating changes arriving from the API server before preparing a payload to be sent to the instance | 10 |
| eccSenderIntervalSec | ECC_SENDER_INTERVAL_SEC | The interval (in seconds) at which the ECC sender may insert records into the ECC queue | 30 |
| maxElapsedTimeMs | MAX_ELAPSED_TIME_MS | When the elapsed time of sending an ECC message exceeds this number (in milliseconds), the informer assumes the instance is loaded and backs off | 10000 |
| maxCiInMessage | MAX_CI_IN_MESSAGE | The maximum number of items in a single accumulated payload. When this number is reached, the payload is prepared for sending and a new payload is started | 50 |
| refreshTimeMin | REFRESH_TIME_MIN | If the time between now and the last time the item was reported exceeds this value, the item is re-sent even if there was no change. 0 means identical items are never refreshed | 0 |
| fullDiscoveryMin | FULL_DISCOVERY_MIN | The time interval in minutes for sending a full inventory of items to the instance | 1440 |
| readCommandSec | READ_COMMAND_SEC | The time interval in seconds at which the informer looks for commands coming from the instance | 60 |
| heartbeatMin | HEARTBEAT_MIN | The time interval for sending a payload of the cluster CI if no other change has happened. Relevant only to standalone mode | 5 |
| proxyUrl | PROXY_URL | If access from the cluster to the internet requires a proxy, the proxy URL in the format http://proxy_host:proxy_port | None |
| maxQueueSizeBytes | MAX_QUEUE_SIZE_BYTES | The maximum allowed size of the in-memory queue holding outgoing messages to the instance in standalone mode. If the queue overflows, messages are dropped | 262144000 |
| maxRetry | MAX_RETRY | The retry count on failures to send messages to the instance. If this number is exceeded, the message is dropped | 5 |
| maxEccPayloadSizeBytes | MAX_ECC_PAYLOAD_SIZE_BYTES | The maximum size of the payload in a single ECC input message | 1048576 |
| continuousDiscovery | CONTINUOUS_DISCOVERY | Whether the informer reports changes to the instance in real time. If false, the informer reports only during full discovery | true |
| instanceCredSecretName | N/A (change directly in the yaml) | The prefix of the secret holding the instance credentials. The keys are .user and .password | |
| cpuLimit | N/A (change directly in the yaml) | The CPU limit for the informer pod | 500m |
| cpuRequest | N/A (change directly in the yaml) | The CPU request for the informer pod | 100m |
| memoryRequest | N/A (change directly in the yaml) | The memory request for the informer pod | 200Mi |
| memoryLimit | N/A (change directly in the yaml) | The memory limit for the informer pod | None |
| dnsPolicy | N/A (change directly in the yaml) | See the options in https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | Default |
| verboseLogging | VERBOSE_LOGGING | When true, the informer prints a message for every object processed | false |
| customClusterRole | N/A (change directly in the yaml) | Override this value if you want to use a pre-defined ClusterRole instead of the one defined by ServiceNow in this Helm chart | None |
| skipTLSCertificateValidation | SKIP_TLS_CERT_VALIDATION | Skip certificate validation on the HTTPS calls to the ServiceNow instance | false |
| suppressFrequentChanges | SUPPRESS_FREQUENT_CHANGES | Whether frequent changes are suppressed and not reported | true |
| suppressChangesRatePerMin | SUPPRESS_CHANGES_RATE_PER_MIN | Threshold rate of changes per minute above which changes are suppressed | 0.15 |
| secretProvider | N/A | Options: empty value: secrets are stored in Kubernetes; aws: the secret is stored in AWS Secrets Manager; azure: the secret is stored in Azure Key Vault; google (from version 2.4.x): the secret is stored in Google Secret Manager | None |
| awsSecretManagerRoleArn | N/A | If AWS Secrets Manager is used, the ARN of the role for accessing the secret (e.g. arn:aws:iam::123456789012:role/EKSSecrets) | None |
| awsSecretManagerSecretArn | N/A | If AWS Secrets Manager is used, the secret ARN (e.g. arn:aws:secretsmanager:eu-central-1:123456789012:secret:aws-secrets-7vzPh1) | None |
| openShift | OPENSHIFT | Should be true if the informer is installed in OpenShift and OpenShift-specific resources need to be collected | false |
| addNodeLabels | ADD_NODE_LABELS | Whether the system brings the node labels and annotations into the CMDB | |
| instanceCredentials.username | N/A | The instance username. Stored in a Kubernetes secret | None |
| instanceCredentials.password | N/A | The instance password. Stored in a Kubernetes secret | None |
| clusterResourceId | CLUSTER_RESOURCE_ID | The Kubernetes cloud resource ID, in case the cluster is hosted in EKS, AKS, or GKE. Examples: EKS: arn:aws:eks:us-east-1:123456779012:cluster/my-cluster; AKS: /subscriptions/061b9311-9c54-4471-9a59-4909517d6f07/resourceGroups/qe_group/providers/Microsoft.ContainerService/managedClusters/mycluster | None |

Parameters available from version 2.1.1 and above

| Helm Parameter | Environment Variable | Description | Default Value |
| --- | --- | --- | --- |
| createServerCi | CREATE_SERVER_CI | Whether the informer creates a cmdb_ci_linux_server CI for each of the Kubernetes nodes | true |
| includeLabelsAndAnnotations | INCLUDE_LABELS_AND_ANNOTATIONS | Comma-separated list of labels and annotations the system should bring into the CMDB. An empty list means all | None |
| excludeLabelsAndAnnotations | EXCLUDE_LABELS_AND_ANNOTATIONS | Comma-separated list of labels and annotations that should not be brought into the CMDB | None |
| getClusterVersion | GET_CLUSTER_VERSION | Whether the system populates the cluster_version field in the cmdb_ci_kubernetes_cluster CI | false |
| commonLabels | N/A | Labels common to the resources installed with the informer. For example: --set commonLabels.mylabel1=value1 --set commonLabels.mylabel2=value2 | None |
| commonAnnotations | N/A | Annotations common to the resources installed with the informer. For example: --set commonAnnotations.anno1=value1 | None |
| additionalResources | N/A | Additional resources to bring into the CMDB. See KB1638668 for details | None |

Parameters available from version 2.2.x and above

| Helm Parameter | Environment Variable | Description | Default Value |
| --- | --- | --- | --- |
| getResourceMaxBytes | GET_RESOURCE_MAX_BYTES | The maximum size in bytes of the result of the API call to K8sInformerGetResourceApi. Larger results are ignored | 5242880 |
| maxGetResourceRequests | MAX_GET_RESOURCE_REQUESTS | The maximum number of requests in one get_resource command issued by K8sInformerGetResourceApi | 10 |
| httpRestApiPostRetryCount | HTTP_REST_API_POST_RETRY_COUNT | Retry count for the HTTP REST API POST call (on a get_resource request) | 2 |
| selfPatchingAllowed | SELF_PATCHING_ALLOWED | Whether the system allows self-patching of the informer for auto-upgrade or for changing some runtime parameters | true |
| nodeSelector | N/A | Labels of the designated node on which the informer should run | kubernetes.io/os: linux |
| azureVault.vaultName, azureVault.tenantId, azureVault.userAssignedIdentityId, azureVault.cloudName, azureVault.vaultType | N/A | Configure the informer to pull credentials from Azure Key Vault | None |

Parameters available from version 2.4.x and above

| Helm Parameter | Environment Variable | Description | Default Value |
| --- | --- | --- | --- |
| minEstimatedEccDelaySeconds | MIN_ESTIMATED_ECC_DELAY_SECONDS | The expected delay in sending ECC messages above which new resources are pushed to the top of the queue | 300 |
| suppressChanges.resource_life_span_minutes | SHORT_LIVED_MIN_LIFESPAN_MINUTES | A resource is considered short-lived if its expected life span is below this number of minutes. 0 means the feature is disabled | 15 |
| suppressChanges.suppressRatio | SHORT_LIVED_SUPPRESS_RATIO | When a resource is short-lived, one of every N changes is reported, where N is this number | 10 |
| googleSecrets.gkeSecretProvider, googleSecrets.projectId, googleSecrets.userSecret, googleSecrets.userSecretVersion, googleSecrets.passwordSecret; if OAuth is used: googleSecrets.oauthClientIdSecret, googleSecrets.oauthClientIdVersion; if proxy authentication is used: googleSecrets.proxyUserSecret, googleSecrets.proxyUserSecretVersion, googleSecrets.proxyPasswordSecret, googleSecrets.proxyPasswordSecretVersion | N/A | Configure the informer to pull secrets from Google Secret Manager. The default of gkeSecretProvider is secrets-store-gke.csi.k8s.io. The default of the secret versions is 1. projectId, userSecret and passwordSecret are mandatory if Google Secret Manager is used | secrets-store-gke.csi.k8s.io |
| customRootCA.use | USE_CUSTOM_ROOT_CA | Whether a custom root certificate authority is being used | false |
| customRootCA.certificate | N/A | Populate this with the content of the certificate | |

Parameters available from version 2.5.x and above

| Helm Parameter | Environment Variable | Description | Default Value |
| --- | --- | --- | --- |
| createContainers | CREATE_CONTAINERS | Whether init containers are created. Options are: non_init_containers, all | non_init_containers |
| podSecurityContext | N/A | Option to override the default securityContext | runAsNonRoot: true |
| containerSecurityContext | N/A | Option to override the default securityContext | runAsNonRoot: true |
| imageInfoSource | IMAGE_INFO_SOURCE | Where the image ID is taken from. Options are: image: taken from containerStatuses.image; imageID: taken from containerStatuses.imageID; both: two images are created | image |

Parameters related to connections discovery and mappings, available from version 2.5.x and above. All the Helm parameters below must be prefixed by connectionsDiscovery., for example connectionsDiscovery.method.

| Helm Parameter | Environment Variable | Description | Default Value |
| --- | --- | --- | --- |
| method | GET_CONNECTIONS_METHOD | The connections discovery method. Options are: servicenow, istio, linkerd. An empty value means connections discovery is disabled | empty value, meaning connections discovery is disabled |
| packetCaptureEnabled | PACKET_CAPTURE_ENABLED | When using the servicenow connections discovery method, whether the daemonset pod is allowed to capture packets. Options are true/false | false |
| installOpenshiftSecurityContextConstraint | Uncomment the relevant parts in k8s_informer.yaml | When connectionsDiscovery.method=servicenow and the informer is installed in OpenShift, this parameter should be set to true | false |
| tls.mode | CONNECTIONS_TLS_MODE | Whether TLS is used on the connection between the daemonset pod and the main informer pod. Options are: None, VerifyServerCertificate, VerifyClientCertificate, mTLS, NoCertificateVerification. If TLS is used, certificates must be provided during installation | None |
| tls.customCa | CONNECTIONS_CUSTOM_CA | Whether a custom certificate authority was used to sign the client and server certificates (when tls.mode is one that uses certificates) | true |
| daemonsetServiceAccount | Edit the daemonset part in k8s_informer.yaml | The service account used by the daemonset pod, when one is created | servicenow-ds-account |
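As an added example (not ServiceNow's code and not part of the Helm chart), the following Python script shows how the two configuration paths described above relate: it flattens a nested Helm values set into the dotted keys that --set produces, derives the corresponding env entries for k8s_informer.yaml from the Helm-parameter/environment-variable pairs in the table, and flags the settings in the table that weaken transport security or the informer's upgrade control (skipTLSCertificateValidation, customRootCA without a certificate, connectionsDiscovery.tls.mode of None or NoCertificateVerification, packetCaptureEnabled, selfPatchingAllowed, an inline instanceCredentials.password). The function names, the severity labels, the sample values and the subset of the mapping table are this example's own assumptions.

```python
"""Pre-install audit of Kubernetes Visibility Agent Helm values.

Added example, not ServiceNow's code. HELM_TO_ENV copies a subset of the
Helm parameter / environment variable pairs from the table above; the checks,
severities and sample values are constructed for this example.
"""

# Helm key -> env var name in k8s_informer.yaml (subset of the table above).
# Keys under connectionsDiscovery carry that prefix, as the table describes.
HELM_TO_ENV = {
    "clusterName": "CLUSTER_NAME",
    "sendIntervalSec": "SEND_INTERVAL_SEC",
    "fullDiscoveryMin": "FULL_DISCOVERY_MIN",
    "proxyUrl": "PROXY_URL",
    "verboseLogging": "VERBOSE_LOGGING",
    "skipTLSCertificateValidation": "SKIP_TLS_CERT_VALIDATION",
    "selfPatchingAllowed": "SELF_PATCHING_ALLOWED",
    "customRootCA.use": "USE_CUSTOM_ROOT_CA",
    "connectionsDiscovery.method": "GET_CONNECTIONS_METHOD",
    "connectionsDiscovery.packetCaptureEnabled": "PACKET_CAPTURE_ENABLED",
    "connectionsDiscovery.tls.mode": "CONNECTIONS_TLS_MODE",
    "connectionsDiscovery.tls.customCa": "CONNECTIONS_CUSTOM_CA",
}


def flatten(values, prefix=""):
    """Turn nested values ({"connectionsDiscovery": {"tls": {"mode": ...}}})
    into dotted keys, the shape `helm --set a.b.c=v` works with."""
    flat = {}
    for key, val in values.items():
        dotted = f"{prefix}{key}"
        if isinstance(val, dict):
            flat.update(flatten(val, dotted + "."))
        else:
            flat[dotted] = val
    return flat


def to_env(values):
    """Render the env entries a k8s_informer.yaml would carry for these values.
    Booleans are lower-cased as YAML/Helm emit them; keys without an env var
    in the table (resources, secrets, certificate content) are skipped."""
    entries = []
    for key, val in sorted(flatten(values).items()):
        env = HELM_TO_ENV.get(key)
        if env is None:
            continue
        text = str(val).lower() if isinstance(val, bool) else str(val)
        entries.append({"name": env, "value": text})
    return entries


def audit(values):
    """Return (severity, helm_key, message) findings for weakening settings."""
    v = flatten(values)
    findings = []
    if v.get("skipTLSCertificateValidation") is True:
        findings.append(("high", "skipTLSCertificateValidation",
                         "certificate validation towards the instance is off; "
                         "for a private CA use customRootCA.use and customRootCA.certificate instead"))
    if v.get("customRootCA.use") is True and not v.get("customRootCA.certificate"):
        findings.append(("high", "customRootCA.certificate",
                         "customRootCA.use is true but no certificate content was supplied"))
    method = v.get("connectionsDiscovery.method") or ""
    if method:  # connections discovery enabled, so the daemonset link exists
        mode = v.get("connectionsDiscovery.tls.mode", "None")  # table default
        if mode in ("None", "NoCertificateVerification"):
            findings.append(("medium", "connectionsDiscovery.tls.mode",
                             f"daemonset-to-informer traffic uses tls.mode={mode}; "
                             "prefer mTLS or VerifyServerCertificate"))
        if v.get("connectionsDiscovery.packetCaptureEnabled") is True:
            findings.append(("medium", "connectionsDiscovery.packetCaptureEnabled",
                             "the daemonset pod is allowed to capture packets; confirm this is intended"))
    if v.get("selfPatchingAllowed", True) is True:  # table default is true
        findings.append(("low", "selfPatchingAllowed",
                         "the informer may patch itself for auto-upgrade; set false if images are pinned by change control"))
    if v.get("instanceCredentials.password"):
        findings.append(("info", "instanceCredentials.password",
                         "password is inline in the values; keep the file out of version control or use secretProvider"))
    return findings


# Constructed sample values (not from a real deployment).
WEAK = {
    "clusterName": "prod-east",
    "skipTLSCertificateValidation": True,
    "connectionsDiscovery": {"method": "servicenow", "packetCaptureEnabled": True},
}
HARDENED = {
    "clusterName": "prod-east",
    "skipTLSCertificateValidation": False,
    "customRootCA": {"use": True, "certificate": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----"},
    "selfPatchingAllowed": False,
    "connectionsDiscovery": {"method": "servicenow", "packetCaptureEnabled": False,
                             "tls": {"mode": "mTLS", "customCa": True}},
}

if __name__ == "__main__":
    for name, vals in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for sev, key, msg in audit(vals):
            print(f"[{sev}] {key}: {msg}")
        for e in to_env(vals):
            print(f"  - name: {e['name']}\n    value: \"{e['value']}\"")
```

Run it directly to see the findings and the env block for both sample value sets; the env block is the form you would paste under the informer container's env in k8s_informer.yaml when not using Helm.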