Kubernetes Visibility Agent (formerly CNO for Visibility) Advanced Configuration Options

Each of the parameters below can be configured using the --set command in the Helm chart, or by setting an environment variable in the k8s_informer.yaml file.

| Helm Parameter | Environment Variable | Description | Default Value |
|---|---|---|---|
| clusterName | CLUSTER_NAME | The Kubernetes cluster name as it should be reflected in the CMDB | None |
| sendIntervalSec | SEND_INTERVAL_SEC | The time window in seconds for accumulating changes arriving from the API server before preparing the payload to be sent to the instance | 10 |
| eccSenderIntervalSec | ECC_SENDER_INTERVAL_SEC | The interval (in seconds) in which the ECC sender may insert records to the ECC queue | 30 |
| maxElapsedTimeMs | MAX_ELAPSED_TIME_MS | When the elapsed time of sending an ECC message exceeds this number (in milliseconds), the informer will assume the instance is loaded and will back off | 10000 |
| maxCiInMessage | MAX_CI_IN_MESSAGE | The maximum number of items in a single accumulated payload. When we reach this number, we prepare the payload for sending and start a new payload | 50 |
| refreshTimeMin | REFRESH_TIME_MIN | If the time between now and the last time the item was reported exceeds this value, we re-send it even if there was no change. 0 means no refresh of identical | 0 |
| fullDiscoveryMin | FULL_DISCOVERY_MIN | The time interval in minutes for sending a full inventory of items to the instance | 1440 |
| readCommandSec | READ_COMMAND_SEC | The time interval in seconds during which the informer looks for commands coming from the instance | 60 |
| heartbeatMin | HEARTBEAT_MIN | The time interval for sending a payload of the cluster CI, if no other change has happened. Relevant only to the standalone mode | 5 |
| proxyUrl | PROXY_URL | If access from the cluster to the internet requires a proxy, the proxy URL should be in the format http://proxy_host:proxy_port | None |
| maxQueueSizeBytes | MAX_QUEUE_SIZE_BYTES | The maximum allowed size of the in-memory queue holding outgoing messages to the instance in standalone mode. If the queue overflows, we start to drop messages | 262144000 |
| maxRetry | MAX_RETRY | The retry count on failures to send messages to the instance. If we exceed this number, the message is dropped | 5 |
| maxEccPayloadSizeBytes | MAX_ECC_PAYLOAD_SIZE_BYTES | The maximum size of the payload on a single ECC input message | 1048576 |
| continuousDiscovery | CONTINUOUS_DISCOVERY | Should the informer report changes to the instance in real-time mode. If false, the informer will report only during full discovery | true |
| instanceCredSecretName | N/A (change directly in the yaml) | The prefix of the secret holding the instance credentials. Keys are .user and .password | |
| cpuLimit | N/A (change directly in the yaml) | The CPU limit for the informer pod | 500m |
| cpuRequest | N/A (change directly in the yaml) | The CPU request for the informer pod | 100m |
| memoryRequest | N/A (change directly in the yaml) | The memory request for the informer pod | 200Mi |
| memoryLimit | N/A (change directly in the yaml) | The memory limit for the informer pod | None |
| dnsPolicy | N/A (change directly in the yaml) | See options in https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | Default |
| verboseLogging | VERBOSE_LOGGING | When true, the informer prints a message for every object processed | false |
| customClusterRole | N/A (change directly in the yaml) | Override this value if you want to use a pre-defined clusterRole and not the one defined by ServiceNow in this Helm chart | None |
| skipTLSCertificateValidation | SKIP_TLS_CERT_VALIDATION | Skip certificate validation on the HTTPS calls to the ServiceNow instance | false |
| suppressFrequentChanges | SUPPRESS_FREQUENT_CHANGES | Should we suppress and not report on frequent changes | true |
| suppressChangesRatePerMin | SUPPRESS_CHANGES_RATE_PER_MIN | Threshold of rate of changes per minute above which changes will be suppressed | 0.15 |
| secretProvider | N/A | Options: empty value: secrets stored in Kubernetes; aws: secret is stored in AWS Secrets Manager; azure: secret is stored in Azure vault; google (from version 2.4.x): secret is stored in Google Secret Manager | None |
| awsSecretManagerRoleArn | N/A | If AWS Secrets Manager is used, this should hold the ARN of the role for accessing the secret (e.g. arn:aws:iam::123456789012:role/EKSSecrets) | None |
| awsSecretManagerSecretArn | N/A | If AWS Secrets Manager is used, this should hold the secret ARN (e.g. arn:aws:secretsmanager:eu-central-1:123456789012:secret:aws-secrets-7vzPh1) | None |
| openShift | OPENSHIFT | Should be true if the informer is installed in OpenShift and we need to bring OpenShift-specific resources | false |
| addNodeLabels | ADD_NODE_LABELS | Should the system bring the node labels and annotations to the CMDB | |
| instanceCredentials.username | N/A | The instance username. Will be stored in a Kubernetes secret | None |
| instanceCredentials.password | N/A | The instance password. Will be stored in a Kubernetes secret | None |
| clusterResourceId | CLUSTER_RESOURCE_ID | The Kubernetes cloud resource ID, in case the cluster is hosted in EKS, AKS, or GKE. Examples: EKS: arn:aws:eks:us-east-1:123456779012:cluster/my-cluster; AKS: /subscriptions/061b9311-9c54-4471-9a59-4909517d6f07/resourceGroups/qe_group/providers/Microsoft.ContainerService/managedClusters/mycluster | None |

Parameters available from version 2.1.1 and above:

| Helm Parameter | Environment Variable | Description | Default Value |
|---|---|---|---|
| createServerCi | CREATE_SERVER_CI | Should the informer create a cmdb_ci_linux_server CI for each of the Kubernetes nodes | true |
| includeLabelsAndAnnotations | INCLUDE_LABELS_AND_ANNOTATIONS | Comma-separated list of labels and annotations the system should bring to the CMDB. Empty list means all | None |
| excludeLabelsAndAnnotations | EXCLUDE_LABELS_AND_ANNOTATIONS | Comma-separated list of labels and annotations we should not bring to the CMDB | None |
| getClusterVersion | GET_CLUSTER_VERSION | Should the system populate the cluster_version field in the cmdb_ci_kubernetes_cluster CI | false |
| commonLabels | N/A | Labels common to resources installed with the informer. For example: --set commonLabels.mylabel1=value1 --set commonLabels.mylabel2=value2 | None |
| commonAnnotations | N/A | Annotations common to resources installed with the informer. For example: --set commonAnnotations.anno1=value1 | None |
| additionalResources | N/A | Additional resources to bring into the CMDB. See details in KB1638668 | None |

Parameters available from version 2.2.x and above:

| Helm Parameter | Environment Variable | Description | Default Value |
|---|---|---|---|
| getResourceMaxBytes | GET_RESOURCE_MAX_BYTES | The maximum size in bytes of the result of the API call to K8sInformerGetResourceApi. Results larger than this will be ignored | 5242880 |
| maxGetResourceRequests | MAX_GET_RESOURCE_REQUESTS | The maximum number of requests in one get_resource command issued by K8sInformerGetResourceApi | 10 |
| httpRestApiPostRetryCount | HTTP_REST_API_POST_RETRY_COUNT | Retry count for the HTTP REST API POST call (on get_resource request) | 2 |
| selfPatchingAllowed | SELF_PATCHING_ALLOWED | Will the system allow self-patching of the informer for auto-upgrade or changing some runtime parameters | true |
| nodeSelector | N/A | Labels of the designated node on which the informer should run | kubernetes.io/os: linux |
| azureVault.vaultName, azureVault.tenantId, azureVault.userAssignedIdentityId, azureVault.cloudName, azureVault.vaultType | N/A | Configure the informer to pull credentials from Azure key vault | None |

Parameters available from version 2.4.x and above:

| Helm Parameter | Environment Variable | Description | Default Value |
|---|---|---|---|
| minEstimatedEccDelaySeconds | MIN_ESTIMATED_ECC_DELAY_SECONDS | The expected delay in sending ECC messages above which we start pushing new resources to the top of the queue | 300 |
| suppressChanges.resource_life_span_minutes | SHORT_LIVED_MIN_LIFESPAN_MINUTES | We consider a resource to be short-lived if the expected life span is below this number in minutes. 0 means that the feature is disabled | 15 |
| suppressChanges.suppressRatio | SHORT_LIVED_SUPPRESS_RATIO | When a resource is short-lived we will report on one of N changes, where N is this number | 10 |
| googleSecrets.gkeSecretProvider, googleSecrets.projectId, googleSecrets.userSecret, googleSecrets.userSecretVersion, googleSecrets.passwordSecret. In case OAuth is used: googleSecrets.oauthClientIdSecret, googleSecrets.oauthClientIdVersion. In case proxy authentication is used: googleSecrets.proxyUserSecret, googleSecrets.proxyUserSecretVersion, googleSecrets.proxyPasswordSecret, googleSecrets.proxyPasswordSecretVersion | N/A | Configure the informer to pull secrets from Google Secret Manager. The default of gkeSecretProvider is secrets-store-gke.csi.k8s.io. The default of secret versions is 1. projectId, userSecret and passwordSecret are mandatory if Google Secret Manager is used | secrets-store-gke.csi.k8s.io |
| customRootCA.use | USE_CUSTOM_ROOT_CA | Is a custom root certificate authority being used | false |
| customRootCA.certificate | N/A | This should be populated by the content of a certificate | |
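
As an added example (not part of the ServiceNow article or Helm chart), the shell function below audits a set of informer environment settings for the security-relevant parameters listed above: SKIP_TLS_CERT_VALIDATION, PROXY_URL, VERBOSE_LOGGING and SELF_PATCHING_ALLOWED, applying the documented defaults when a variable is absent. It assumes the settings are supplied as NAME=value lines, for instance copied out of k8s_informer.yaml; the function name, severity labels and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ServiceNow code): audit informer settings given as
# NAME=value lines on stdin. Prints one finding per line; returns 1 on any HIGH.
audit_informer_env() {
  skip_tls=false; verbose=false; self_patch=true   # defaults from the table
  proxy=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac       # skip blanks and comments
    name=${line%%=*}; value=${line#*=}
    case "$name" in
      SKIP_TLS_CERT_VALIDATION) skip_tls=$value ;;
      VERBOSE_LOGGING)          verbose=$value ;;
      SELF_PATCHING_ALLOWED)    self_patch=$value ;;
      PROXY_URL)                proxy=$value ;;
    esac
  done
  rc=0
  # Assumption: booleans are matched case-insensitively, to err on the safe side.
  case "$skip_tls" in [Tt][Rr][Uu][Ee])
    echo "HIGH SKIP_TLS_CERT_VALIDATION instance certificate is not validated"
    rc=1 ;;
  esac
  # Documented format is http://proxy_host:proxy_port
  if [ -n "$proxy" ] && ! printf '%s\n' "$proxy" |
       grep -Eq '^http://[A-Za-z0-9.-]+:[0-9]{1,5}$'; then
    echo "WARN PROXY_URL does not match http://proxy_host:proxy_port"
  fi
  case "$verbose" in [Tt][Rr][Uu][Ee])
    echo "INFO VERBOSE_LOGGING one log message per processed object" ;;
  esac
  case "$self_patch" in [Tt][Rr][Uu][Ee])
    echo "INFO SELF_PATCHING_ALLOWED informer may patch itself; confirm intended" ;;
  esac
  return "$rc"
}

# Constructed sample input, not taken from a real deployment.
SAMPLE='CLUSTER_NAME=demo-cluster
SKIP_TLS_CERT_VALIDATION=true
PROXY_URL=proxy.example.internal:3128
VERBOSE_LOGGING=true'
printf '%s\n' "$SAMPLE" | audit_informer_env || true
```

A non-zero return marks a configuration that disables certificate validation, which makes the function usable as a gate in a deployment pipeline. Where the instance certificate chains to a private CA, the customRootCA.use and customRootCA.certificate parameters are the documented way to supply it rather than turning validation off.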