Identity Document
Scope
When creating a license, you may pass in a scope parameter to select how tightly coupled the license is to the environment.
The license pinning is implemented using the IDs (collected during enrolment of the environment) described in the following sub-section, and the combinations below are tried in descending order of priority:
- local scope (default): ties the license to the local host
  - bare metal, VMs:
    - cid
    - fqdn and mid
  - cloud instances:
    - cloud:{aws,gcp,azr}:<ID>
  - containers:
    - container and cloud:{aws,gcp,azr}:<ID>
    - container and cid
    - container and emid
    - container and bid (will not survive a reboot!)
- global scope:
  - cloud instances:
    - cloudacct:{aws,gcp,azr}:<ID>
  - containers:
    - container and kubernetes_ca
    - container and cloudacct:{aws,gcp,azr}:<ID>
If none of the above combinations is possible in your environment, the license server returns an 'HTTP 409 Conflict' response. You can determine what is missing by comparing the environment identity recorded by klic environment describe ...
against the coupling rules above.
IDs
Scope uses the following system identifiers where possible:
- fqdn: fully-qualified domain name (.Q.host .z.a)
- bid: Boot ID (/proc/sys/kernel/random/boot_id)
  - random UUID generated at boot time
- mid: Machine ID (/etc/machine-id)
  - random UUID generated at OS install/creation time
- emid: Machine ID via the environment variable named KX_MID
  - suitable for containers, where the administrator should pass in the host's /etc/machine-id
- cid: Chassis ID (/sys/devices/virtual/dmi/id/product_uuid)
  - requires root permissions to read; q must therefore run with the same permissions it had at onboarding, or it will no longer be able to read this file
- vm: virtualization detected (aws, gcp, azr, xen, ...)
- container: container technology detected
- kubernetes_ca: signature of the CA used for the API endpoint
  - MD5 of /var/run/secrets/kubernetes.io/serviceaccount/ca.crt after removing superfluous whitespace and using \n for EOL
    - the signature is comparable to:
      cat ca.crt | sed -e 's/\r$//; /^$/ d;' | head -c -1 | openssl md5
    - ca.crt must contain a single CA
  - tests the CA by in effect running:
    curl -s -f -D /dev/stderr --capath /run/secrets/kubernetes.io/serviceaccount/ca.crt https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/healthz
    - requires kdb+/q SSL/TLS support to be installed
- Cloud:
  - cloud:{aws,gcp,azr}:<ID>: instance identifier
  - cloudacct:{aws,gcp,azr}:<ID>: AWS account, GCP project or Azure subscription ID
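To make the kubernetes_ca rule concrete, here is an added bash example (not klic's code and not from this page) that computes the signature with the normalisation described above, checks that the file holds exactly one CA, and probes the API endpoint the way the page describes. The certificate files it writes are constructed placeholders, not real PEM data; they exist only to show that CRLF line endings, blank lines and a missing final newline do not change the signature.

```shell
#!/usr/bin/env bash
# Added example, not klic's own code: reproduce the kubernetes_ca signature
# and the two checks the page describes (single CA, API endpoint reachable).
set -u

# Normalise exactly as the page specifies: strip CR, drop blank lines, \n
# line endings, no trailing newline, then MD5 printed as a bare hex digest.
# $(...) strips the trailing newline, so unlike `head -c -1` this does not
# eat the last byte of a file that has no final newline.
ca_signature() {
  printf '%s' "$(sed -e 's/\r$//; /^$/ d;' "$1")" | openssl md5 | awk '{print $NF}'
}

# Number of PEM certificate blocks; the signature is only meaningful when
# this is exactly 1.
ca_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Same probe as the page's curl line. curl's --capath expects a directory of
# hashed certificates; --cacert is the form that verifies against one file.
ca_probe() {
  local ca="${1:-/var/run/secrets/kubernetes.io/serviceaccount/ca.crt}"
  curl -s -f --cacert "$ca" \
    "https://${KUBERNETES_SERVICE_HOST:?not in a pod}:${KUBERNETES_SERVICE_PORT_HTTPS:?}/healthz"
}

# Constructed sample files (placeholders, not real certificates) that differ
# only in whitespace and line endings.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n'   '-----BEGIN CERTIFICATE-----' abc '-----END CERTIFICATE-----'      > "$demo_dir/clean.crt"
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' '' abc '-----END CERTIFICATE-----' '' > "$demo_dir/crlf.crt"
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' abc '-----END CERTIFICATE-----'  > "$demo_dir/nonl.crt"

sig_clean=$(ca_signature "$demo_dir/clean.crt")
sig_crlf=$(ca_signature "$demo_dir/crlf.crt")
sig_nonl=$(ca_signature "$demo_dir/nonl.crt")
echo "clean : $sig_clean"
echo "crlf  : $sig_crlf"
echo "no-nl : $sig_nonl"
echo "CA blocks in clean.crt: $(ca_count "$demo_dir/clean.crt")"
```

Two practical points. The page's pipeline and ca_signature agree whenever ca.crt ends in a newline, which is the usual case for the mounted service-account file; on a file without one, head -c -1 drops the last character of the END line instead, so a mismatch against the enrolled value is worth checking for that way before assuming the CA changed. And MD5 here is a fingerprint for comparison with the value recorded at enrolment, not a cryptographic protection of the CA; the curl probe (with --cacert for a single file, which is what --capath on a file would need to be) is what actually verifies that the CA signs the API endpoint's certificate.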