IBM® Cloud Private components
IBM Cloud Private has two main components: a container manager (Docker) and a container orchestrator (Kubernetes).
Other components of an IBM Cloud Private cluster work with the main components to provide services such as authentication, storage, networking, logging, and monitoring. A cluster management console is also provided, which serves as a centralized management location for the services.
For more information about architecture models and node types, see Architecture.
Note: Management components such as monitoring, metering, and logging, run on the management node. If no management node is present in your cluster, then the management components run on the master node.
- Components
- Component services and dependencies
- Vulnerability Advisor (VA) components (optional feature)
Components
View the following table for a description of the IBM Cloud Private node components.
| Component | Version | Role |
|---|---|---|
| Alert manager | 0.15.0 | Handles alerts sent by the Prometheus server. It sends data from deduplicating, grouping, and routing alerts to the correct receiver integration such as slack, email, or PagerDuty. |
| Ansible basedauth-apikeys, installer and ops manager | 2.5.0 | Deploys IBM Cloud Private on master and worker nodes. The boot node is also used to scale the size of the cluster on demand, and for rolling updates. |
| Audit Logging | 3.2.0 | Forwards audit logs generated by the Kubernetes API server and platform services to Elasticsearch and SIEM servers. |
| Authentication manager | 3.2.0 | Provides an HTTP API for managing users. Protocols are implemented in a RESTful manner. OpenID Connect is used for authentication. |
| Calico (node) | 3.5.2 | Sets the Calico network configurations on each node. For more information about Calico components, see v3.5.2  . |
| calicoctl | 3.5.2 | A client tool that is used to create, read, update, and delete Calico objects from the command line. |
| Calico (CNI) | 3.5.2 | Sets the network CNI plug-ins on each node. |
| calico (kube-controllers) | 3.5.2 | A controller center that sets the network policy in the IBM Cloud Private cluster. |
| Catalog management console | 3.2.0 | Catalog user interface to view, deploy and manage Kubernetes workloads |
| Certificate manager | 0.7.0 | A component that manages the lifecycle of certificates. |
| CoreDNS | 1.2.6 | Provides service discovery for Kubernetes applications. |
| Docker registry | 18.06.2 | Private image registry that is used to store container image files in an image repositories. The Docker distribution and registry version is API V2. |
| Default backend | 1.5 | Minor component of the ingress controller that assists with the routing of inbound connections to services in your cluster. |
| Elasticsearch | 5.5.1 | Stores the system and application logs, and metrics. Elasticsearch also provides an advanced API that can be used for querying your logs and metrics. |
| etcd | 3.2.24 | Distributed key-value store that maintains configuration data. |
| Filebeat | 5.5.1 | Collects the logs for all system components, and user application containers that are running on each node. |
| GlusterFS | 4.1.5 | A storage file system. |
| Grafana | 5.2.0 | Data visualization & monitoring with support for Prometheus as datasource. |
| Policy management console | 3.2.0 | Policy user interface to view, deploy, and manage policies. |
| Heapster | 1.4.0.2 | Connects to the kubelet that is running in each worker node and collects node and container metrics. These metrics include CPU, memory, and network usage. |
| Heketi | 8.0.0 | CLI to manage GlusterFS. |
| Helm (Tiller) | 2.12.3 | Manages Kubernetes charts (packages). |
| IBM Cloud Private management console | 3.2.0 | A web portal that is based on the Open DC/OS GUI. This management console connects to the leading master node by using the virtual IP (VIP) provided by the VIP manager. |
| Image manager | 2.2.5 | Manages images by providing extended features to the Docker registry. These features include authorization for push, pull, and remove operations. The image manager also provides authorization for cataloging of image libraries. |
| Indices-cleaner | 1.0 | Cleans up Elasticsearch data. |
| Istio | 1.0.6 | Istio is an open platform that you can use to connect, secure, control, and observe microservices. With Istio, you can create a network of deployed services that include load balancing, service-to-service authentication, monitoring, and more, without changing the service code. |
| Key management Service | 3.1.1 | Provision and manage encryption keys. |
| Kibana | 5.5.1 | A user interface that provides easy access to data stored in Elasticsearch, plus the ability to create visualizations and dashboards of that data. |
| Kubelet | 1.13.5 | Supervises the system components of the cluster. |
| Kubernetes API server | 1.13.5 | Provides a REST API for validating and configuring data for Kubernetes objects. These Kubernetes objects include pods, service, and replication controllers. |
| Kubernetes control manager | 1.13.5 | Maintains the shared state of the Kubernetes cluster by monitoring, and adjusting the current state to ensure that the required service standard is in effect. This maintenance is done through the Kubernetes API server. |
| Kubernetes pause | 3.1 | Stores the IP address for pods, and sets up the network namespace for other containers that join the pod. |
| Kubernetes proxy | 1.13.5 | Takes traffic that is directed at Kubernetes services and forwards it to the appropriate pods. Kubernetes proxy is started by Kubernetes minion. |
| Kubernetes scheduler | 1.13.5 | Assigns pods to worker nodes based on scheduling policy. |
| kube_state_metrics | 1.2.0 | Communicates with the Kubernetes API server to generates metrics about the state of Kubernetes objects. |
| Logstash | 5.5.1 | Transforms and forwards the logs that are collected by Filebeat to Elasticsearch. |
| Multicluster hub | 3.2.0 | Provides management dashboard and the search service for clusters. |
| Metering | 3.2.0 | Collects usage metrics for your applications and cluster. |
| Metrics server | 0.3.1 | Metrics Server is a cluster-wide aggregator of resource usage data. Horizontal Pod Autoscaler (HPA) relies on the Metrics API to get node metrics. |
| MongoDB | 3.6 | Database that is used by OIDC, metering service (IBM® Cloud Product Insights), Helm repository server, and Helm API server. |
| NGINX Ingress controller | 0.23.0 | Used to load balance NodePort Kubernetes services. |
| nvidia-device-plugin | 1.2 | Provide GPU resource to the Kubernetes cluster. |
| OpenID Connect (OIDC) | 1.0 | Identity protocol over OAuth 2.0. WebSphere Liberty profile is used as the OIDC provider. Liberty profile can be configured to integrate with an existing enterprise LDAP server. |
| Platform API / cloudctl CLI | 3.2.0 | Serves downloads of CLI binaries including the cloudctl CLI and the backend API of cloudctl. |
| Platform management console | 3.2.0 | Provides the management console for resources within the cluster. |
| Prometheus components |
|
Collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true. |
| IBM Cloud Private management ingress | 2.2.3 | Hosts the management console and acts as the reverse proxy for all system components API. |
| Service Catalog | 0.1.40 | Implements the Open Service Broker API to provide service broker integration for IBM Cloud Private |
| System health service | 3.2 | Provides health status of the cluster components like node status, management services status, pod failure details |
| UCarp | 1.5.2 | Used to manage virtual IP (VIP) on the master node. This component helps to maintain high availability (HA) in the cluster. UCarp requires an HA master environment to start. |
| Unified router | 3.2.0 | Used to support backend functioning of the IBM Cloud Private management console. |
| vip_manager | 1.1 | |
| Web terminal | 3.2.0 | Provides the backend for the web-terminal feature in the management console. |
Component services and dependencies
View the following table for a list of IBM Cloud Private components and associated management services, and component dependencies.
Note: The management services in bold identify the primary service for the component.
| Component | Services | Dependency |
|---|---|---|
| Alert manager | monitoring | |
| Audit logging | audit-logging | Certificate manager |
| Authentication manager | auth-apikeys, auth-idp, auth-pap, auth-pdp, secret-watcher |
Certificate manager, Calico , MongoDB |
| Calico (node) | calico, calico-route-reflector |
|
| calicoctl | calico | |
| Calico (CNI) | calico | |
| calico (kube-controllers) | calico | |
| Catalog management console | catalog-ui | Kubernetes API server, Authentication manager, Helm (tiller), Platform management console |
| Certificate manager | ibm-cert-manager | |
| CoreDNS | kube-dns | |
| Default backend | nginx-ingress | |
| Elasticsearch | logging | Authentication manager |
| Filebeat | logging | |
| GlusterFS | storage-glusterfs | |
| Grafana | monitoring | Authentication manager |
| Policy management console | grc-ui | Kubernetes API server, Authentication manager, Platform management console |
| Heapster | heapster | |
| Heketi | storage-glusterfs | |
| Helm (Tiller) | tiller, helm-api, helm-repo, mgmt-repo |
Authentication manager, Certificate manager, Default backend, MongoDB, Platform API |
| IBM Cloud Private management console | platform-ui, catalog-ui |
Authentication manager, MongoDB |
| Image manager | image-manager | Certificate manager |
| Indices-cleaner | logging | |
| Istio | istio-citadel, istio-egressgateway, istio-galley, istio-ingressgateway, istio-pilot, istio-policy, istio-sidecar-injector, istio-statsd-prom-bridge,
istio-telemetry, jaeger-agent, jaeger-collector, jaeger-query, kiali, kiali-jaeger, prometheus, tracing, zipkin, grafana |
|
| Key management service | key-management, key-management-hsm, kmsplugin |
Authentication manager, MongoDB |
| Kibana | logging | Authentication manager |
| Logstash | logging | |
| Multicluster hub | multicluster-hub, search | Kubernetes API server, Authentication manager, Helm (tiller) |
| Metering | metering | Authentication manager, MongoDB, IBM Cloud Private management ingress |
| Metrics server | metrics-server, custom-metrics-adapter |
Authentication manager |
| MongoDB | mongodb | |
| NGINX Ingress controller | nginx-ingress | Default backend |
| OpenID Connect (OIDC) | auth-idp | Authentication manager |
| Platform API / cloudctl CLI | platform-api | Kubernetes API server, Authentication manager |
| Platform management console | platform-ui | Kubernetes API server, Authentication manager, Catalog management console, Image manager |
| Prometheus components | monitoring, monitoring-crd |
Metrics-server, Authentication manager |
| IBM Cloud Private management ingress | icp-management-ingress | Certificate manager |
| Service Catalog | service-catalog | Kubernetes API server, Metrics-server, CoreDNS |
| System health service | system-healthcheck-service | Kubernetes API server, IBM Cloud Private management ingress |
| Unified router | unified-router | |
| Web terminal | web-terminal | Kubernetes API server, Platform API, Authentication manager |
Vulnerability Advisor (VA) components (optional feature)
| Component | Version | Location | Role |
|---|---|---|---|
| Kafka | 0.10.0.4 | VA node | Data pipeline component that is used for data ingestion and curation. |
| VA-Minio | RELEASE.2019-04-09T01-22-30Z.1 | VA node | Objective data store component that is used for indexing and querying Vulnerability Advisor data. |
| VA-minioCleaner | RELEASE.2019-04-03T17-59-57Z.1 | VA node | Used to manage Vulnerability Advisor data size and prune old data. The VA-minioCleaner curator is deployed as a CronJob. |
Security Analytics Service (SAS) components
|
3.2.0 | VA node | Vulnerability Advisor frontend service components. SAS components provide RESTful APIs for the Vulnerability Advisor crawlers and the Vulnerability Advisor dashboard.
The crawlers output scanned container and image information, which are known as frames, into the Vulnerability Advisor data pipeline by using the SAS APIs. The Vulnerability Advisor dashboard, also uses SAS APIs to report Vulnerability Advisor findings. |
| Statsd | 0.7.2.1 | VA node | Used by the Vulnerability Advisor service for internal system monitoring. |
VA Annotators
|
3.2.0 | VA node | Vulnerability Advisor data pipeline components that improve the security of scanned containers and image data by using various analytics, including vulnerability analysis, compliance checking, password analysis, configuration analysis, and
rootkit detection.
These annotators use internal and external security and compliance information to improve the security of your containers and images. |
VA Indexers
|
3.2.0 | VA node | Data pipeline components that are used to index Vulnerability Advisor findings into the Vulnerability Advisor backend. |
| VA Usncrawler | 3.2.0 | VA node | Data pipeline component that is used to ingest and aggregate external security notices for the Vulnerability Advisor analytics components. |
| VA Crawlers | 3.2.0 | all nodes | Vulnerability Advisor data collectors, also known as crawlers, that inspect running containers and airgap images.
These crawlers extract system and application information that is used by all the Vulnerability Advisor analytics components. Live and metrics crawlers run on worker nodes and are deployed as DaemonSets. The registry crawlers runs as a separate deployment and scans images that are deployed into the IBM Cloud Private image registry. |
| MA mcm controller | 3.2.0 | VA node | MA policy controller that is used to get MA result and perform MCM MA policies on ICP cluster. |
| Zookeeper | 3.4.10 | VA node | Used by the kafka component in the Vulnerability Advisor. |