Application Engine parameters

Provide the details that are relevant to your Application Engine environment and your decisions for the deployment of the container.

The following tables list the configurable parameters and their default values. All properties are mandatory, unless they have a default value or are explicitly optional. Although Application Engine might seem to install correctly when some parameters are omitted, this kind of configuration is not supported.

The application_engine_configuration parameter is a list. You can deploy multiple instances of Application Engine. You can assign different configurations for each instance by following these rules.
  • Assign a different name to each instance by giving application_engine_configuration[*].name a different value.
  • Assign a different hostname to each instance by giving application_engine_configuration[*].hostname a different value to make it accessible.
The following tables list the parameters for configuring Application Engine.

Application Engine parameters

The following table lists the parameters for configuring Application Engine. The Required column shows the parameters that are required.

Table 1. Application Engine parameters: spec.application_engine_configuration
Parameter name Description Example value Required
admin_secret_name Existing Application Engine administrative secret for sensitive configuration data. The default value is <CR name>-<AE name>-aae-app-engine-admin-secret for Application Engine. The default value is <CR name>-pbk-app-engine-admin-secret for Business Automation Studio playback server. <CR name>-<AE name>-aae-app-engine-admin-secret OR <CR name>-pbk-app-engine-admin-secret No
admin_user Designate an LDAP user for the Application Engine admin user. This user must have IBM Business Automation Navigator administrator rights. For more information, see Completing post-deployment tasks for Application Engine.   Yes
autoscaling.enabled Whether to enable the Horizontal Pod Autoscaler for Application Engine. The default value is false. false No
autoscaling.max_replicas Maximum number of pods for Application Engine when autoscaling is enabled. The default value is 5. 5 No
autoscaling.min_replicas Minimum number of pods for Application Engine when autoscaling is enabled. The default value is 2. 2 No
autoscaling.target_average_utilization Target average CPU utilization over all the pods for the Application Engine init container when autoscaling is enabled. The default value is 80. 80 No
content_security_policy.allowlist Configuration of the Application Engine content security policy allowlist.   No
content_security_policy.enable Whether to enable the content security policy for Application Engine. The default value is false. false No
content_security_policy.frame_ancestor Configuration of the Application Engine content security policy frame_ancestor.   No
custom_annotations Values in this field are used as annotations in all generated pods. They must be valid annotation key-value pairs. customAnnotationKey: customAnnotationValue No
custom_labels Values in this field are used as labels in all generated pods. They must be valid label key-value pairs. customLabelKey: customLabelValue No
data_persistence.enable To enable the data persistence feature on Application Engine, set this to true. The default value is false. false No
data_persistence.object_store_name The object store name used for data persistence. If application data persistence is enabled, input one CPE object store name. The default value is AEOS. AEOS No
database.alternative_host (Only for Db2®, PostgreSQL, or SQL Server) Application Engine database alternative host for database automatic client reroute (ACR) with high availability disaster recovery (HADR). If you want to enable the database ACR and HADR, configure both alternative_host and alternative_port. You must have Db2 servers whose hostnames can be resolved to IP addresses correctly in App Engine containers.   No
database.alternative_port (Only for Db2, PostgreSQL, or SQL Server) Application Engine database alternative host for database automatic client reroute (ACR) with high availability disaster recovery (HADR). If you want to enable the database ACR and HADR, configure both alternative_host and alternative_port.   No
database.current_schema Application Engine database schema.

If it is set to empty, the default schema name is DBASB for Db2 and PostgreSQL database types, and the default value of admin_secret_name is AE_DATABASE_USER for Oracle and SQL Server database types. Customization of database schema names are supported only for Db2 and PostgreSQL. For Db2, the schema name is case-sensitive, and must be specified in uppercase characters. For more information, see IBM® Data Server Driver for JDBC and SQLJ configuration properties External link opens a new window or tab.

 DBASB No
database.db_cert_secret_name Secret name for storing the database TLS certificate when an SSL connection is enabled.   Yes
database.dbcompatibility_max_retries Maximum number of times to retry checking database compatibility. The default value is 30. 30 No
database.dbcompatibility_retry_interval Retry interval for checking database compatibility. The default value is 10. 10 No
database.enable_ssl Whether to enable Secure Sockets Layer (SSL) support for the database connection. The default value is false. false No
database.host (Only for Db2, PostgreSQL, or SQL Server) Application Engine database host. It must be an accessible address, such as an IP, hostname, or Kubernetes service name.   Yes
database.initial_pool_size Initial pool size of the Application Engine database. The default value is 1. 1 No
database.max_lru_cache_age Maximum LRU cache age of the Application Engine database. The default value is 600000. 600000 No
database.max_lru_cache_size Maximum Least Recently Used (LRU) cache size of the Application Engine database. The default value is 1000. 1000 No
database.max_pool_size Maximum pool size of the Application Engine database. The default value is 100. 100 No
database.name (Only for Db2, PostgreSQL, or SQL Server) Application Engine database name.   Yes
database.oracle_sso_wallet_secret_name Secret name for storing wallet SSO binary file when an SSL connection is enabled and Oracle database is selected.   No
database.oracle_url_with_wallet_directory Required when you enable SSL for Oracle database, you must enter the Oracle connection URL with the wallet path. The format is (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<your-oracle-database-hostname>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=<your-oracle-database-service-name>))(SECURITY=(SSL_SERVER_DN_MATCH=FALSE)(MY_WALLET_DIRECTORY=/shared/resources/oracle/wallet))).   No
database.oracle_url_without_wallet_directory If you use an Oracle database, enter the Oracle connection URL. The format is (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<your-oracle-database-hostname>)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=<your-oracle-database-service-name>)))).   No
database.port (Only for Db2, PostgreSQL, or SQL Server) Application Engine database port.   Yes
database.type Application Engine database type. A "db2", "db2HADR", "db2rds", "db2rdsHADR", "oracle", "sqlserver", or "postgresql" database is supported. The default value is db2. postgresql No
disable_fips To disable FIPS for the component, change the value to true. Use this only if FIPS mode for the deployment is enabled with shared_configuration.enable_fips set to true. false No
env.apps_threshold (Application Engine playback server only) Minimum number of existing apps for purging job to start purging stale apps. The default value is 100. 100 No
env.connection_timeout Service socket connection timeout in milliseconds. The default value is 120000. 120000 No
env.custom_environment_variables Set the custom variables for your environment. For example, to set the timezone for the pod, you might enter:
  • -key: TZ
  • value: Europe/Warsaw
   No
env.max_size_lru_cache_rr Maximum size of the cache for the Resource Registry. The default value is 1000. 1000 No
env.public_app_context The context root used to expose the public applications. public-app No
env.purge_stale_apps_interval (Application Engine playback server only) Interval for the purging job to run to purge stale apps. The default value is 86400000. 86400000 No
env.server_env_type Application Engine deployment type. The default value is development. development No
env.service_stale_threshold (Application Engine playback server only) Age, in milliseconds, of preview-only automation service since publish to be considered as stale. The default value is 172800000. 172800000 No
env.service_threshold (Application Engine playback server only) Minimum number of preview-only automation services in the server for purging job to start purging stale preview-only automation services. The default value is 100. 100 No
env.stale_threshold (Application Engine playback server only) Age of the apps to be considered as stale. The default value is 172800000. 172800000 No
env.uv_thread_pool_size UV thread pool size of the Application Engine NodeJS server. Increase this number if your Application Engine must support a high volume of traffic. The default value is 40. 40 No
external_connection_timeout Number of seconds after which the Route connection times out. The default value is 90s. 90s No
external_tls_secret This parameter is used only by stand-alone Business Automation Workflow on containers. For the aae-ae-service route, the name of the secret that contains the certificates and Transport Layer Security (TLS) private key to be used for the route. If you set this parameter, the setting overrides the default generated certificate and the shared setting for route certificates. If you need to customize the route's certificate, create a secret using the following command and set the secret name to the property.
kubectl create secret generic ext-tls-crt-secret --from-file=tls.crt=<path to crt file> --from-file=tls.key=<path to key file>
The crt file must contain the route certificate followed by any intermediate CA signer certificates and the root CA signer certificate in an unencrypted PEM format. The key file must also be in unencrypted PEM format.		   No
hostname aae-ae-service route hostname. If the hostname is not set, a default hostname with the following format is used.
ae-<AE instance name>-<shared_configuration.sc_deployment_hostname_suffix>
This parameter is used only by stand-alone Business Automation Workflow on containers.		   No
images.db_job.repository Image name for the Application Engine database job container. By default, the path points to the URL and location in the IBM Entitled Registry. The default value is <path>/solution-server-helmjob-db where <path> is cp.icr.io/cp/cp4a/aae/. If sc_image_repository has a value, the path is that value. <path>/solution-server-helmjob-db No
images.db_job.tag Image tag for the Application Engine database job container. If you want to use a specific image version, you can override the default tag or digest. 26.0.0 No
images.solution_server.repository Image name for the Application Engine container. By default, the path points to the URL and location in the IBM Entitled Registry. The default value is <path>/solution-server where <path> is cp.icr.io/cp/cp4a/aae/. If sc_image_repository has a value, the path is that value. <path>/solution-server No
images.solution_server.tag Image tag for the Application Engine container. If you want to use a specific image version, you can override the default tag or digest. 26.0.0 No
localhost_profile The local path of the seccomp profile file. This parameter is required if sc_seccomp_profile is set to Localhost. The custom profile must be accessible by the pod. /profiles/fine-grained.json if seccomp_profile is Localhost No
log_level.browser Log level for output from the web browser. The default value is 2. 2 No
log_level.node Log level for output from the Application Engine server. The default value is audit. info No
log_storage.auto_provision.enabled Dynamic provisioner to provision the PVs and PVCs for log storage. The default value is true. true No
log_storage.auto_provision.size Storage size for the PVs for log storage. The default value is 5Gi. 5Gi No
log_storage.auto_provision.storage_class The dynamic storage classname for provisioning the PVs and PVCs for log storage   No
log_storage.enabled Log storage to store the logs for Application Engine. The default value is true. true No
log_storage.log_file_size Storage size for the PVs for log storage. The default value is 20M. 20M No
log_storage.log_rotate_size Save up to the maximum files. The default value is 5. 5 No
log_storage.pvc_name The name of the persistent volume claim (PVC) for log storage. The default value is cp4a-shared-log-pvc. cp4a-shared-log-pvc No
max_age.auth_cookie Maximum age of an authentication cookie. The default value is 900000. 900000 No
max_age.csrf_cookie Maximum age of a Cross-Site Request Forgery (CSRF) cookie. The default value is 3600000. 3600000 No
max_age.hsts_header The HTTP Strict-Transport-Security response header (often abbreviated as HSTS). The default value is 2592000. 2592000 No
max_age.static_asset Maximum age of a static asset cache. The default value is 2592000. 2592000 No
max_request_body_size Maximum size of request body (KB). The default value is 2000. 2000 No
name Name of the Application Engine instance. The name for each item in the array must be different. The name can consist of lowercase alphanumeric characters or '-', and must start and end with an alphanumeric character. Keep the instance name short.   No
node_affinity.custom_node_selector_match_expression Added in node selector match expressions. It accepts array list inputs. You can assign multiple selector match expressions except (kubernetes.io/arch). 
- key: kubernetes.io/hostname
  operator: In
  values:
    - worker0
    - worker1
    - worker3
 No
node_affinity.deploy_arch Values in this field are used as kubernetes.io/arch selector values. The valid values are amd64, s390x, and ppc64le.   No
port Application Engine port (only when using NodePort service). The default value is 443. 443 No
probe.liveness.failure_threshold When a pod starts and the probe fails, Kubernetes tries this number of times before giving up. Minimum value is 1. The default value is 5. 5 No
probe.liveness.initial_delay_seconds Number of seconds after the container starts before the liveness probe is initiated. The default value is 60. 60 No
probe.liveness.period_seconds How often to do the liveness probe (in seconds). The default value is 10. 10 No
probe.liveness.success_threshold Minimum consecutive successes for the probe to be considered successful after failing. Minimum value is 1. The default value is 1. 1 No
probe.liveness.timeout_seconds Number of seconds after which the probe times out. The default value is 180. 180 No
probe.readiness.failure_threshold When a pod starts and the probe fails, Kubernetes tries this number of times before giving up. Minimum value is 1. The default value is 5. 5 No
probe.readiness.initial_delay_seconds Number of seconds after the container starts before the readiness probe is initiated. The default value is 10. 10 No
probe.readiness.period_seconds How often to do the readiness probe (in seconds). The default value is 10. 10 No
probe.readiness.success_threshold Minimum consecutive successes for the probe to be considered successful after failing. Minimum value is 1. The default value is 1. 1 No
probe.readiness.timeout_seconds Number of seconds after which the probe times out. The default value is 180. 180 No
redis.host Hostname of the Remote Dictionary Server (Redis) database that is used by Application Engine   No
redis.port Port number of the Redis database that is used by Application Engine   No
redis.tls_enabled Whether to enable TLS connection for Redis.

If yes, set it to true, and put your redis server CA certificate in tls_trust_list or trusted_certificate_list of your custom resource. The default value is false.

 false No
redis.ttl Time To Live for the session in the Redis database. The default value is 1800. 1800 No
redis.username Redis username. If you are using Redis V6 or later, fill in this field. Otherwise, leave this field empty.   No
replica_size Number of Application Engine deployment replicas. The default value is 1. 1 No
resource_ae.limits.cpu Maximum amount of CPU that is required for the Application Engine container. The default value is 500m. 500m No
resource_ae.limits.ephemeral_storage Maximum amount of ephemeral storage that is required for the Application Engine container. The default value is 2Gi. 2Gi No
resource_ae.limits.memory Maximum amount of memory that is required for the Application Engine container. The default value is 1Gi. 1Gi No
resource_ae.requests.cpu Minimum amount of CPU that is required for the Application Engine container. The default value is 300m. 300m No
resource_ae.requests.ephemeral_storage Minimum amount of ephemeral storage that is required for the Application Engine container. The default value is 512Mi. 512Mi No
resource_ae.requests.memory Minimum amount of memory that is required for the Application Engine container. The default value is 256Mi. 256Mi No
resource_init.limits.cpu Maximum amount of CPU that is required for the Application Engine init container. The default value is 500m. 500m No
resource_init.limits.ephemeral_storage Maximum amount of ephemeral storage that is required for the Application Engine init container. The default value is 2Gi. 2Gi No
resource_init.limits.memory Maximum amount of memory that is required for the Application Engine init container. The default value is 256Mi. 256Mi No
resource_init.requests.cpu Minimum amount of CPU that is required for the Application Engine init container. The default value is 100m. 100m No
resource_init.requests.ephemeral_storage Minimum amount of ephemeral storage that is required for the Application Engine init container. The default value is 512Mi. 512Mi No
resource_init.requests.memory Minimum amount of memory that is required for the Application Engine init container. The default value is 128Mi. 128Mi No
rolling_update.max_surge Maximum number of extra pods that can be created during a rolling update. Accepts an integer or percentage value. "25%" No
rolling_update.max_unavailable Maximum number of pods that can be unavailable during a rolling update. Accepts an integer or percentage value. "1" No
seccomp_profile Setting for secure computing mode (seccomp) profile in CP4A containers. You can also define the seccomp profile globally at shared_configuration.sc_seccomp_profile. Supported values are: Unconfined, RuntimeDefault, and Localhost. The default value is RuntimeDefault on OpenShift® Container Platform 4.11 (Kubernetes 1.24) and later. Seccomp profile is not created on OpenShift Container Platform 4.10 (Kubernetes 1.23) or earlier. For more information about seccomp profile, see Restrict a Container's Syscalls with seccomp External link opens a new window or tab and Restrict seccomp profiles External link opens a new window or tab.
Note: Defining a custom, Localhost seccomp profile that is stricter than the default RuntimeDefault profile may cause the pods to fail to start.
 RuntimeDefault No
service_type Application Engine service type. The default value is Route. Route No
session.check_period (For non-external session store) Interval to purge expired sessions from the session store. The default value is 3600000. 3600000 No
session.duration (For non-external session store) Time to live for the session. The default value is 1800000. 1800000 No
session.max (For non-external session store) Maximum number of sessions stored. The default value is 10000. 10000 No
session.resave Whether to enable session resaving. The default value is false. false No
session.rolling Whether to enable session rolling. The default value is true. true No
session.save_uninitialized Whether to save uninitialized sessions. The default value is false. false No
session.use_external_store Use an external store for storing sessions. The default value is false. false No
share_storage.auto_provision.enabled Dynamic provisioner to provision the PVs and PVCs. The default value is true. true No
share_storage.auto_provision.size Storage size for the PVs for Application Engine. The default value is 20Gi. 20Gi No
share_storage.auto_provision.storage_class The dynamic storage classname for provisioning the PVs and PVCs   No
share_storage.enabled Shared storage to share the file upload cache among servers for Application Engine. The default value is true. true No
share_storage.pvc_name PVC for the Application Engine shared storage   No
tls.tls_trust_list Trusted certificate secret names. Application Engine trusts those certificates for communication. The default value is []. [] No
use_custom_jdbc_drivers Whether to use a custom JDBC driverHidden until this is supported for Db2 database instead of the embedded one. If you don't want to use a custom driver, keep the default. The default value is false.

If you use an Oracle, a PostgreSQL, or a Microsoft SQL Server database, make sure that the value is set to true.

 false No
zen_performance.keepalive Number of idle keepalive connections to an upstream server that remain open for each worker process. This parameter is optional. The default value is 512. 512 No
zen_performance.keepalive_requests Number of requests a client can make over a single keepalive connection. This parameter is optional. The default value is 500. 500 No
zen_performance.keepalive_timeout How long an idle keepalive connection remains open. This parameter is optional. The default value is 30s. 30s No
zen_performance.proxy_buffer_size Size of the buffer used to read the first part of the response received from the proxied server. This parameter is optional. The default value is 256k. 256k No
zen_performance.proxy_buffers Number and size of the buffers used for reading a response from the proxied server, for a single connection. This parameter is optional. The default value is 8 512k. 8 512k No
zen_performance.proxy_busy_buffers_size When buffering of responses from the proxied server is enabled, this parameter limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read. This parameter is optional. The default value is 512k. 512k No
zen_performance.proxy_connect_timeout Timeout for establishing a connection with a proxied server. This parameter is optional. The default value is 300s. 300s No
zen_performance.proxy_read_timeout Timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. This parameter is optional. The default value is 300s. 300s No
zen_performance.proxy_send_timeout Timeout for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. This parameter is optional. The default value is 300s. 300s No

Resource Registry parameters

The following table lists the parameters for configuring Resource Registry. All parameters are optional.

Table 2. Resource Registry parameters: spec.resource_registry_configuration
Parameter name Description Example values
admin_secret_name Existing Resource Registry administrative secret for sensitive configuration data. The default value is <CR name>-rr-admin-secret. <CR name>-rr-admin-secret
hostname rr-route hostname. If the hostname is not set, a default hostname with the following format is used.
rr-<shared_configuration.sc_deployment_hostname_suffix>
This parameter is used only by stand-alone Business Automation Workflow on containers.		  
port Resource Registry port for using the NodePort service. The default value is 443. 443
replica_size Number of etcd nodes in the cluster. Always set it to an odd number, as explained in the etcd FAQ External link opens a new window or tab. The default value is 1. 1
images.resource_registry.repository Repository and name of the Resource Registry image. By default, the path points to the URL and location in the IBM Entitled Registry. The default value is <path>/dba-etcd where <path> is cp.icr.io/cp/cp4a/aae/. If sc_image_repository has a value, the path is that value. <path>/dba-etcd
images.resource_registry.tag Tag name of the Resource Registry image. .If you want to use a specific image version, you can override the default tag or digest. 26.0.0
tls.tls_secret Existing TLS secret that contains tls.key and tls.crt  
probe.liveness.initial_delay_seconds Number of seconds after the container starts before the liveness probe is initiated. The default value is 60. 60
probe.liveness.period_seconds How often (in seconds) to perform the probe. The default value is 10. 10
probe.liveness.timeout_seconds Number of seconds after which the probe times out. The default value is 5. 5
probe.liveness.success_threshold Minimum consecutive successes for the probe to be considered successful after failing. Minimum value is 1. The default value is 1. 1
probe.liveness.failure_threshold When a pod starts and the probe fails, Kubernetes tries this number of times before giving up. Minimum value is 1. The default value is 3. 3
probe.readiness.initial_delay_seconds Number of seconds after the container starts before the readiness probe is initiated. The default value is 10. 10
probe.readiness.period_seconds How often (in seconds) to perform the probe. The default value is 10. 10
probe.readiness.timeout_seconds Number of seconds after which the probe times out. The default value is 5. 5
probe.readiness.success_threshold Minimum consecutive successes for the probe to be considered successful after failing. Minimum value is 1. The default value is 1. 1
probe.readiness.failure_threshold When a pod starts and the probe fails, Kubernetes tries this number of times before giving up. Minimum value is 1. The default value is 3. 3
resources.limits.cpu CPU limit for Resource Registry configuration. The default value is 500m. 500m
resources.limits.memory Memory limit for Resource Registry configuration. The default value is 512Mi. 512Mi
resources.limits.ephemeral_storage Ephemeral storage limit for Resource Registry configuration. The default value is 2Gi. 2Gi
resources.requests.cpu Requested CPU for Resource Registry configuration. The default value is 100m. 100m
resources.requests.memory Requested memory for Resource Registry configuration. The default value is 256Mi. 256Mi
resources.requests.ephemeral_storage Requested ephemeral storage for Resource Registry configuration. The default value is 128Mi. 128Mi
auto_backup.enable Whether to enable automatic backup for Resource Registry. If you enable automatic backup, you must create a persistent volume (PV). See Optional: Implementing storage. The default value is true. true
auto_backup.minimal_time_interval Minimal time interval for automatic backup. The default value is 300. 300
auto_backup.pvc_name The name of the persistent volume claim (PVC) for automatic backup. The default value is <name>-dba-rr-pvc. <name>-dba-rr-pvc
auto_backup.log_pvc_name The name of the persistent volume claim (PVC) for log storage for automatic backup. The default value is cp4a-shared-log-pvc. cp4a-shared-log-pvc
auto_backup.dynamic_provision.enable Whether to enable dynamic provisioning to provision the PVs and PVCs. The default value is true. true
auto_backup.dynamic_provision.size Storage size for PVs. The default value is 3Gi. 3Gi
auto_backup.dynamic_provision.size_for_logstore Storage size for PVs of log store  
auto_backup.dynamic_provision.storage_class Dynamic storage class name to provision the PVs and PVCs. The default value is {{ shared_configuration.storage_configuration.sc_fast_file_storage_classname }}. {{ shared_configuration.storage_configuration.sc_fast_file_storage_classname }}
node_affinity.deploy_arch Values in this field are used as kubernetes.io/arch selector values. The valid values are amd64, s390x, and ppc64le.  
node_affinity.custom_node_selector_match_expression Added in node selector match expressions. It accepts array list inputs. You can assign multiple selector match expressions except (kubernetes.io/arch). 
- key: kubernetes.io/hostname
  operator: In
  values:
    - worker0
    - worker1
    - worker3
custom_annotations Values in this field are used as annotations in all generated pods. They must be valid annotation key-value pairs. customAnnotationKey: customAnnotationValue
custom_labels Values in this field are used as labels in all generated pods. They must be valid label key-value pairs. customLabelKey: customLabelValue
seccomp_profile Setting for secure computing mode (seccomp) profile in CP4A containers. You can also define the seccomp profile globally at shared_configuration.sc_seccomp_profile. Supported values are: Unconfined, RuntimeDefault, and Localhost. The default value is RuntimeDefault on OpenShift Container Platform 4.11 (Kubernetes 1.24) and later. Seccomp profile is not created on OpenShift Container Platform 4.10 (Kubernetes 1.23) or earlier. For more information about seccomp profile, see Restrict a Container's Syscalls with seccomp External link opens a new window or tab and Restrict seccomp profiles External link opens a new window or tab.
Note: Defining a custom, Localhost seccomp profile that is stricter than the default RuntimeDefault profile may cause the pods to fail to start.
 RuntimeDefault
localhost_profile The local path of the seccomp profile file. This parameter is required if sc_seccomp_profile is set to Localhost. The custom profile must be accessible by the pod. /profiles/fine-grained.json if seccomp_profile is Localhost