Identity Document

Scope

When creating a license, you may pass in a scope parameter to select how tightly coupled the license is to the environment.

License pinning uses the IDs collected during enrolment of the environment (described in the IDs sub-section below). The candidate couplings are tried in descending order of priority:

  • local scope (default): ties the license to the local host
    • bare metal, VMs:
      1. cid
      2. fqdn and mid
    • cloud instances:
      1. cloud:{aws,gcp,azr}:<ID>
    • containers:
      1. container and cloud:{aws,gcp,azr}:<ID>
      2. container and cid
      3. container and emid
      4. container and bid (will not survive a reboot!)
  • global scope:
    • cloud instances:
      1. cloudacct:{aws,gcp,azr}:<ID>
    • containers:
      1. container and kubernetes_ca;
      2. container and cloudacct:{aws,gcp,azr}:<ID>

If none of the above combinations is possible in your environment, the license server returns an 'HTTP 409 Conflict' response. To find out which identifier is missing, compare the environment identity recorded by klic environment describe ... against the coupling rules above.

IDs

Scope uses the following system identifiers where possible:

  • fqdn: fully-qualified domain name (.Q.host .z.a)
  • bid: Boot ID (/proc/sys/kernel/random/boot_id)
    • random UUID generated at boot time
  • mid: Machine ID (/etc/machine-id)
    • random UUID generated at OS install/creation time
  • emid: Machine ID via environment variable named KX_MID
    • suitable for containers, where the administrator should pass in the host's /etc/machine-id
  • cid: Chassis ID (/sys/devices/virtual/dmi/id/product_uuid)
    • requires root permissions to read
    • q must run with the same permissions it had during onboarding, so that it can still read this file
  • vm: virtualization detected (aws, gcp, azr, xen, ...)
  • container: Container technology detected
  • kubernetes_ca: Signature of CA used for API endpoint
    • MD5 of /var/run/secrets/kubernetes.io/serviceaccount/ca.crt after removing superfluous whitespace and using \n for EOL
      • signature is comparable to: cat ca.crt | sed -e 's/\r$//; /^$/ d;' | head -c -1 | openssl md5
    • ca.crt must contain a single CA
    • tests the CA by in effect running: curl -s -f -D /dev/stderr --capath /run/secrets/kubernetes.io/serviceaccount/ca.crt https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/healthz
    • requires kdb+/q SSL/TLS support to be installed
  • Cloud:
    • cloud:{aws,gcp,azr}:<ID>: instance identifier
    • cloudacct:{aws,gcp,azr}:<ID>: AWS account, GCP project or Azure subscription ID
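As an added example (not part of the KX documentation or the klic tool), the following shell reproduces the kubernetes_ca signature described above so an operator can compare it with the value recorded at enrolment, and checks the single-CA requirement on ca.crt. It assumes GNU coreutils on Linux and uses md5sum, which yields the same hex digest as the page's openssl md5; the certificate body is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not KX's code: reproduce the documented kubernetes_ca signature
# (strip CR, drop empty lines, drop the trailing newline, MD5) and check that
# ca.crt holds exactly one CA. Assumes GNU sed/head and md5sum (Linux).

# Prints only the hex digest, comparable to the value klic records.
kube_ca_signature() {
    sed -e 's/\r$//; /^$/ d;' "$1" | head -c -1 | md5sum | cut -d' ' -f1
}

# Number of PEM certificate blocks in the file; the page requires exactly one.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Returns 0 when the file contains a single CA, 1 otherwise.
check_single_ca() {
    [ "$(cert_count "$1")" -eq 1 ]
}

# Constructed sample: the same placeholder certificate written twice, once with
# CRLF line endings plus a blank line, once clean. Both must hash identically,
# which is exactly what the whitespace normalisation is meant to guarantee.
DEMO_DIR=$(mktemp -d)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '' \
    '-----END CERTIFICATE-----' > "$DEMO_DIR/crlf.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' \
    '-----END CERTIFICATE-----' > "$DEMO_DIR/clean.crt"

# Usage: compare the printed digest with the kubernetes_ca value from
# `klic environment describe`; a mismatch means the mounted ca.crt differs
# from the one seen at enrolment (or contains more than one CA).
check_single_ca "$DEMO_DIR/crlf.crt" && kube_ca_signature "$DEMO_DIR/crlf.crt"
```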