Enabling and disabling IBM Cloud Private components
IBM® Cloud Private includes several components which are composed of one or more management services.
After you install IBM Cloud Private, you can enable or disable management services that are comprised in a component. For more information on the default values for the management services, see Customizing the cluster with the config.yaml file. For more information on the components that are available and the management services that are included with the component, see IBM® Cloud Private components. This topic covers the platform that a service can run on, service dependencies.
See IBM® Cloud Private components for more information on the components that are available and the management services that are included with the component.
Required user type or access level: Cluster administrator.
If you are enabling or disabling a service, you must configure the helm command line interface (CLI) as a cluster admin user. For more information about configuring the Helm CLI, see Installing the Helm CLI (helm).
-
If you are upgrading to version 3.1.0, or later, you must reformat the management services section in the
config.yamlfile before you upgrade. The section of the file before the upgrade reads similar to the following example:disabled_management_services:["istio","vulnerability-advisor","custom-metrics-adapter"]The section of the file after the changes for the upgrade reads similar to the following example:
management-services: istio: disabled vulnerability-advisor: disabled custom-metrics-adapter: disabledIf you are enabling the
vulnerability-advisorafter upgrade, deploy the new vulnerability advisor (VA) nodes. For more information about deploying the new VA nodes, see Adding an IBM Cloud Private cluster node.Note: If you enabled
vulnerability-advisoron the previous version, ensure that thevulnerability-advisorentry is enabled in themanagement-servicessection of theconfig.yamlfile after the upgrade. Yourvulnerability-advisorparameter might resemble the following parameter value:vulnerability-advisor: enabled. The setting is disabled by default in the upgraded version, and the setting is not automatically retained during the upgrade. -
Add a service to the
management_servicesparameter list in theconfig.yamlfile to disable or enable a service. Change the service parameter value todisabledto disable a service, or change the service parameter value toenabledto enable the service.Important: You must also enable or disable all services that comprise a component. The following services cannot be disabled:
tiller,calico/nsx-t,kube-dns,monitoring-crd,cert-manager. -
Run the add-on command to enable or disable the service on your CPU architecture:
docker run --rm -t -e LICENSE=accept --net=host -v $(pwd):/installer/cluster ibmcom/icp-inception-$(uname -m | sed 's/x86_64/amd64/g'):3.2.0-ee addonIf IBM Cloud Private is installed with OpenShift, run the following command to enable or disable the service:
sudo docker run -t --net=host -e LICENSE=accept -v $(pwd):/installer/cluster ibmcom/icp-inception-$(uname -m | sed 's/x86_64/amd64/g'):3.2.0-rhel-ee install-with-openshift
IBM Cloud Private management services have dependency relationships between each other. For example, the auth-idp service depends on the mongodb service. If mongodb is disabled, the auth-idp service
cannot function.
Important: Disabling services may impact the installation of IBM Cloud Pak.
Note: The dependency relationships are valid only if tiller, calico/nsx-t, kube-dns, monitoring-crd and cert-manager are enabled.
View the following table of the IBM Cloud Private management services, their dependencies, and whether they are required for the IBM Cloud Private with OpenShift environment or for supporting IBM Cloud Pak:
| Management service | Dependencies | Supported platforms | Required for IBM Cloud Private with OpenShift | Required for IBM Cloud Paks |
|---|---|---|---|---|
kmsplugin |
IAM, key-management |
IBM Cloud Private | No | No |
tiller |
IBM Cloud Private | Yes | Yes | |
image-manager |
IBM Cloud Private | No | No | |
kube-dns |
IBM Cloud Private | No | No | |
calico |
IBM Cloud Private | No | No | |
nsx-t |
IBM Cloud Private | No | No | |
cert-manager |
IBM Cloud Private, IBM Cloud Private with OpenShift | Yes | Yes | |
mongodb |
IBM Cloud Private, IBM Cloud Private with OpenShift | Yes | Yes | |
monitoring-crd |
IBM Cloud Private, IBM Cloud Private with OpenShift | Yes | Yes | |
auth-idp |
mongodb |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
auth-apikeys |
mongodb |
IBM Cloud Private, IBM Cloud Private with OpenShift | Yes | Yes |
auth-pap |
mongodb |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
auth-pdp |
mongodb, auth-idp, auth-pap, auth-apikeys |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
catalog-ui |
auth-idp, platform-api, helm-api, helm-repo, multicluster-hub |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
custom-metrics-adapter |
monitoring |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | No |
heapster |
None | IBM Cloud Private | No | No |
helm-api |
mongodb, platform-api, icp-management-ingress, helm-repo, mgmt-repo |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
helm-repo |
mongodb |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
icp-management-ingress |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes | |
image-security-enforcement |
IBM Cloud Private | No | No | |
istio |
IBM Cloud Private | No | No | |
nvidia-device-plugin |
IBM Cloud Private | No | No | |
key-management |
IAM, mongodb |
IBM Cloud Private | No | No |
key-management-hsm |
IBM Cloud Private | No | No | |
logging |
IAM | IBM Cloud Private, IBM Cloud Private with OpenShift | No | No |
metering |
mongodb, IAM |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
metrics-server |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | No | |
nginx-ingress |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes | |
mgmt-repo |
mongodb |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | No |
monitoring |
IAM | IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
mongdb |
IAM | IBM Cloud Private, IBM Cloud Private with OpenShift, IBM Cloud Private with IKS | No | No |
multicluster-hub |
mongodb monitoring IAM | IBM Cloud Private | No | No |
node-problem-detector-draino |
IBM Cloud Private | No | No | |
platform-api |
IAM | IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
platform-ui |
auth-idp, platform-api, catalog-ui, image-manager |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
platform-pod-security |
IBM Cloud Private, IBM Cloud Private with OpenShift, IBM Cloud Private with IKS | Yes | No | |
platform-security-netpols |
IBM Cloud Private | No | No | |
secret-watcher |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes | |
security-onboarding |
IAM | IBM Cloud Private, IBM Cloud Private with OpenShift | No | Yes |
service-catalog |
metrics-server |
IBM Cloud Private | No | Yes |
storage-glusterfs |
monitoring |
IBM Cloud Private | No | No |
storage-minio |
icp-management-ingress, monitoring |
IBM Cloud Private | No | Do not use the system instance. |
vulnerability-advisor |
logging, image-manager, IAM |
IBM Cloud Private | No | No |
web-terminal |
platform-api, IAM |
IBM Cloud Private, IBM Cloud Private with OpenShift | No | No |
multicluster-hub |
IAM, monitoring, mongodb |
IBM Cloud Private | No | No |
multicluster-endpoint |
monitoring |
IBM Cloud Private | No | No |
system-healthcheck-service |
icp-management-ingress |
IBM Cloud Private | No | No |
Note: Identity and Access Management (IAM) includes the following services: auth-idp, auth-pap, auth-pdp, auth-apikeys, and secret-watcher.