IBM® Cloud Private components
IBM Cloud Private has two main components: a container manager (Docker) and a container orchestrator (Kubernetes).
Other components of an IBM Cloud Private cluster work alongside these main components to provide services such as authentication, storage, networking, logging, and monitoring. A cluster management console is also provided, which serves as a centralized management location for these services.
For more information about architecture models and node types, see Architecture.
Note: Management components, such as monitoring, metering, and logging, run on the management node. If no management node is present in your cluster, then the management components run on the master node.
Components
| Component | Version | Location | Role |
|---|---|---|---|
| Alert manager | 0.15.0 | Single management node | Handles alerts sent by the Prometheus server. It takes care of deduplicating, grouping, and routing them to the correct receiver integration such as slack, email, or PagerDuty. |
| Ansible based installer and ops manager | 2.5.0 | Boot node | Deploys IBM Cloud Private on master and worker nodes. The boot node is also used to scale the size of the cluster on demand, and for doing rolling updates. |
| Authentication manager | 3.1.1 | Each master node | Provides an HTTP API for managing users. Protocols are implemented in a RESTful manner. OpenID Connect is used for authentication. |
| calico/node | 3.1.3 | All nodes, except the boot node. | Sets the Calico network configurations on each node. For more information about Calico components, see https://docs.projectcalico.org/v3.1/releases/  . |
| calicoctl | 3.1.3 | Download from https://<cluster_lb_address>/console/tools/cli. It can be installed on any node in your cluster, or outside the cluster. |
A client tool that is used to create, read, update, and delete Calico objects from the command line. |
| calico/cni | 3.1.3 | All nodes, except the boot node. | Sets the network CNI plug-ins on each node. |
| calico/kube-controllers | 3.1.3 | Each master node | A controller center that sets the network policy in the IBM Cloud Private cluster. |
| Certificate Manager | 0.5.0 | Single master node | A component that manages the life cycle of certificates. |
| CoreDNS | 1.1.3 | All master nodes | Provides service discovery for Kubernetes applications. |
| Docker Registry | 2.6.2.2 | Each master node | Private image registry that is used to store container image files in image repositories. The Docker distribution and registry version is API V2. |
| Default backend | 1.4 | Single master node | Minor component of the ingress controller that assists with the routing of inbound connections to services in your cluster. |
| Elasticsearch | 5.5.1 | Single management node | Stores the system and application logs and metrics. Elasticsearch also provides an advanced API that can be used for querying these logs and metrics. |
| etcd | 3.2.24 | Each master node | Distributed key-value store that maintains configuration data. |
| Filebeat | 5.5.1 | All nodes, except the boot node. | Collects the logs for all system components, and user application containers that are running on each node. |
| GlusterFS | 4.0.2 | Selected worker nodes | A storage file system. |
| Grafana | 5.2.0 | Single management node | Data visualization & Monitoring with support for Prometheus as datasource. |
| Heapster | 1.4.0.2 | Single master node | Connects to the kubelet that is running in each worker node and collects node and container metrics. These metrics include CPU, memory, and network usage. |
| Heketi | 8.0.0 | Runs as a pod on any worker node. | CLI to manage GlusterFS. |
| Helm (Tiller) | 2.9.1 | Single master node | Manages Kubernetes charts (packages). |
| IBM Cloud Private management console | 3.1.1 | Each master node | A web portal that is based on the Open DC/OS GUI. This management console connects to the leading master node by using the virtual IP (VIP) provided by the VIP manager. |
| Image manager | 2.2.4 | Each master node | Manages images by providing extended features to the Docker registry. These features include authorization for push, pull, and remove operations. The image manager also provides authorization for cataloging of image libraries. |
| Indices-cleaner | 1.0 | Single management node | Cleans up Elasticsearch data. |
| Key Management Service | 3.1.1 | Management Node | Provision and manage encryption keys. |
| Kibana | 5.5.1 | Single management node | A UI providing easy access to data stored in Elasticsearch, plus the ability to create visualizations and dashboards of that data. |
| Kubelet | 1.11.3 | All nodes, except the boot node. | Supervises the system components of the cluster. |
| Kubernetes apiserver | 1.11.3 | Each master node | Provides a REST API for validating and configuring data for Kubernetes objects. These Kubernetes objects include pods, service, and replication controllers. |
| Kubernetes control manager | 1.11.3 | Each master node | Maintains the shared state of the Kubernetes cluster by monitoring, and adjusting the current state to ensure that the required service standard is in effect. This maintenance is done through the km apiserver. |
| Kubernetes pause | 3.1 | All nodes, except the boot node. | Stores the IP address for pods, and sets up the network namespace for other containers that join the pod. |
| Kubernetes proxy | 1.11.3 | All nodes, except the boot node. | Takes traffic that is directed at Kubernetes services and forwards it to the appropriate pods. Kubernetes proxy is started by km minion. |
| Kubernetes scheduler | 1.11.3 | Each master node | Assigns pods to worker nodes based on scheduling policy. |
| kube_state_metrics | 1.2.0 | Single management node | Communicates with the Kubernetes API server to generates metrics about the state of Kubernetes objects. |
| Logstash | 5.5.1 | Single management node | Transforms and forwards the logs that are collected by Filebeat to Elasticsearch. |
| MariaDB | 10.2.17 | Each master node | Database that is used by OIDC. |
Metering components
|
3.1.1 |
|
Collects usage metrics for your applications and cluster. |
| MongoDB | 3.6 | Each master node | Database that is used by metering service (IBM® Cloud Product Insights), Helm repository server, and Helm API server. |
| OpenID Connect (OIDC) | 1.0 | Each master node | Identity protocol over OAuth 2.0. WebSphere Liberty profile is used as the OIDC provider. Liberty profile can be configured to integrate with an existing enterprise LDAP server. |
| Prometheus components |
|
Single management node | Collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true. |
| IBM Cloud Private management ingress | 2.2.2 | Each master node | Hosts the management console and acts as the reverse proxy for all system components API. |
| Service Catalog | 0.1.26 | Each master node | Implements the Open Service Broker API to provide service broker integration for IBM Cloud Private |
| UCarp | 1.5.2 | Each master and proxy node | Used to manage virtual IP (VIP) on the master node. This component helps to maintain high availability (HA) in the cluster. UCarp requires an HA master environment to start. |
| Unified router | 3.1.1 | Single master node | Used to support backend functioning of the IBM Cloud Private management console. |
| vip_manager | 1.1 | Master and proxy nodes | |
| NGINX Ingress controller | 0.19.0 | Each proxy node | Used to load balance NodePort Kubernetes services. |
Vulnerability Advisor (VA) components (optional feature)
| Component | Version | Location | Role |
|---|---|---|---|
| Kafka | 0.10.0.2 | VA node | Data pipeline component that is used for data ingestion and curation. |
| VA-Minio | RELEASE.2018-08-21T00-37-20Z | VA node | Objective data store component that is used for indexing and querying Vulnerability Advisor data. |
| VA-minioCleaner | RELEASE.2018-08-21T00-37-20Z | VA node | Used to manage Vulnerability Advisor data size and prune old data. The VA-minioCleaner curator is deployed as a CronJob. |
Security Analytics Service (SAS) components
|
1.3.1 | VA node | Vulnerability Advisor frontend service components. SAS components provide RESTful APIs for the Vulnerability Advisor crawlers and the Vulnerability Advisor dashboard.
The crawlers output scanned container and image information, which are known as frames, into the Vulnerability Advisor data pipeline by using the SAS APIs. The Vulnerability Advisor dashboard, also uses SAS APIs to report Vulnerability Advisor findings. |
| Statsd | 0.7.2.1 | VA node | Used by the Vulnerability Advisor service for internal system monitoring. |
VA Annotators
|
1.3.1 | VA node | Vulnerability Advisor data pipeline components that improve the security of scanned containers and image data by using various analytics, including vulnerability analysis, compliance checking, password analysis, configuration analysis, and
rootkit detection.
These annotators use internal and external security and compliance information to improve the security of your containers and images. |
VA Indexers
|
1.3.1 | VA node | Data pipeline components that are used to index Vulnerability Advisor findings into the Vulnerability Advisor backend. |
| VA Usncrawler | 1.3.1 | VA node | Data pipeline component that is used to ingest and aggregate external security notices for the Vulnerability Advisor analytics components. |
| VA Crawlers | 1.3.1 | VA node | Vulnerability Advisor data collectors, also known as crawlers, that inspect running containers and offline images.
These crawlers extract system and application information that is used by all the Vulnerability Advisor analytics components. Live and metrics crawlers run on worker nodes and are deployed as DaemonSets. The registry crawlers runs as a separate deployment and scans images that are deployed into the IBM Cloud Private image registry. |
| Zookeeper | 3.4.10 | VA node | Used by the kafka component in the Vulnerability Advisor. |