PAM system requirements

You can install Puppet Application Manager (PAM) on a Puppet-supported cluster or add PAM to a customer-supported cluster. Before installing PAM, ensure that your system meets these requirements.

Customer-supported cluster hardware requirements

The following Kubernetes distributions are supported:
  • Google Kubernetes Engine

  • AWS Elastic Kubernetes Service

  • Red Hat OpenShift

If you use a different distribution, contact Puppet Support for more information on compatibility with PAM.

Application requirements:
Application CPU Memory Storage Ports
Continuous Delivery for Puppet Enterprise (PE) 3 CPU 8 GB 280 GB Ingress, NodePort 8000
Note: NodePort is configurable
Puppet Comply 6 CPU 6 GB 35 GB Ingress, NodePort 30303
Note: NodePort is configurable

Make sure that your Kubernetes cluster meets the minimum requirements:

  • Kubernetes version 1.17 or newer.

  • A default storage class that can be used for relocatable storage.

  • A standard Ingress controller that supports websockets (we have tested with Project Contour and NGINX).

  • We currently test and support Google Kubernetes Engine (GKE) clusters.

Cluster ports

In addition to the NodePorts used by your Puppet applications, make sure that TCP port 443 is open for your ingress controller.

Puppet-supported HA cluster hardware requirements

A high availability (HA) configuration uses multiple servers to provide availability in the event of a server failure. A majority of servers must be available to preserve service availability. Below are suggested configurations for each application.

Continuous Delivery for Puppet Enterprise (PE)

Three servers (referred to as primaries during installation) with the following minimum requirements:
CPU Memory Storage Open ports
6 CPU 10 GB

100 GB on an unformatted storage device

An additional 100 GB for /var/lib. This is primarily divided among:
  • 2 GB for /var/lib/etcd
  • 4 GB for /var/lib/rook (plus buffer)
  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd
Note: The storage backend prefers the file system inhabited by /var/lib/rook to remain below 70% utilization.

SSDs (or similarly low-latency storage) are recommended for /var/lib/etcd and /var/lib/rook.

TCP: 80, 443, 2379, 2380, 6443, 6783, 8000, 8800, and 10250

UDP: 6783, 6784

Puppet Comply

Three servers (referred to as primaries during installation) with the following minimum requirements:
CPU Memory Storage Open ports
6 CPU 9 GB

100 GB on an unformatted storage device

An additional 100 GB for /var/lib. This is primarily divided among:
  • 2 GB for /var/lib/etcd
  • 4 GB for /var/lib/rook (plus buffer)
  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd
Note: The storage backend prefers the file system inhabited by /var/lib/rook to remain below 70% utilization.

SSDs (or similarly low-latency storage) are recommended for /var/lib/etcd and /var/lib/rook.

TCP: 80, 443, 2379, 2380, 6443, 6783, 8800, 10250, and 30303

UDP: 6783, 6784

Continuous Delivery for Puppet Enterprise (PE) and Puppet Comply

Three servers (referred to as primaries during installation) with the following minimum requirements:
CPU Memory Storage Open ports
7 CPU 12 GB

150 GB on an unformatted storage device

An additional 100 GB for /var/lib. This is primarily divided among:
  • 2 GB for /var/lib/etcd
  • 4 GB for /var/lib/rook (plus buffer)
  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd
Note: The storage backend prefers the file system inhabited by /var/lib/rook to remain below 70% utilization.

SSDs (or similarly low-latency storage) are recommended for /var/lib/etcd and /var/lib/rook.

TCP: 80, 443, 2379, 2380, 6443, 6783, 8000, 8800, 10250, and 30303

UDP: 6783, 6784

For a detailed example of an HA configuration running Continuous Delivery for PE and Puppet Comply, see Example of an HA cluster that supports CDPE and Comply.

Cluster port requirements

Puppet Application Manager (PAM) uses the following ports:

Port Protocol Purpose Source
Puppet application ports
443 TCP Web UI (Relies on Server Name Indication to route requests to the application) Browser
Continuous Delivery for Puppet Enterprise (PE)
8000 TCP Webhook service Source control
Puppet Comply
30303 TCP Communication with Puppet Enterprise (PE) PE instance
Platform ports
2379 TCP High availability (HA) communication etcd on the Kubernetes host
2380 TCP
6443 TCP Kubernetes API Admin workstation
6783 TCP/ UDP Kubernetes networking - Weave Kubernetes host
6784 UDP
8800 TCP Puppet Application Manager Admin browser
10250 TCP Kubernetes cluster management Kubernetes host

IP address range requirements

Ensure that IP address ranges 10.96.0.0/22 and 10.32.0.0/22 are locally accessible. See Resolve IP address range conflicts for instructions.

Note: The minimum size for CIDR blocks used by PAM are:
  • /23 for pod and service CIDRs

  • Default of /22 is recommended to support future expansion

Antivirus and antimalware considerations

Antivirus and antimalware software can impact PAM and its applications or prevent them from functioning properly.

To avoid issues, exclude the following directories from antivirus and antimalware tools that scan disk write operations:
  • /var/lib/rook
  • /var/lib/kubelet
  • /var/lib/containerd

Firewall modules

If you use the puppetlabs/firewall module to manage your cluster's firewall rules with Puppet, be advised that purging unknown rules from changes breaks Kubernetes communication. To avoid this, apply the puppetlabs/pam_firewall module before installing Puppet Application Manager.

If you've already installed PAM, apply the pam_firewall module and then restart the kube-proxy service to recreate its iptables rules by running the following on a primary:
systemctl restart kubelet
                    kubectl -n kube-system delete pod -l k8s-app=kube-proxy
                    kubectl -n kube-system delete pod -l name=weave-net

For more information, see the PAM firewall module.

Supported operating systems

Puppet Application Manager and the applications it supports can be installed on these operating systems:

Operating system Supported versions
CentOS 7.4, 7.5, 7.6, 7.7, 7.8, 7.9

8.1, 8.2, 8.3

Red Hat Enterprise Linux (RHEL) 7.4, 7.5, 7.6, 7.7, 7.8, 7.9

8.1, 8.2, 8.3

Ubuntu (General availability kernels)

16.04

18.04

20.04

Puppet-supported standalone hardware requirements

Here are the suggested configurations for standalone installations.

Continuous Delivery for Puppet Enterprise (PE)

CPU Memory Storage Open ports
4 CPU 8 GB
130 GB for /var/lib and /var/lib/openebsThis is primarily divided among:
  • 2 GB for /var/lib/etcd
  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd
  • 50 GB for /var/lib/openebs

TCP: 80, 443, 2379, 2380, 6443, 6783, 8000, 8800, and 10250

UDP: 6783, 6784

Puppet Comply

CPU Memory Storage Open ports
6 CPU 6 GB 130 GB for /var/lib and /var/lib/openebsThis is primarily divided among:
  • 2 GB for /var/lib/etcd
  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd
  • 50 GB for /var/lib/openebs

TCP: 80, 443, 2379, 2380, 6443, 6783, 8800, 10250, and 30303

UDP: 6783, 6784

Cluster port requirements

Puppet Application Manager uses the following ports:

Port Protocol Purpose Source
Puppet application ports
443 TCP Web UI (Relies on Server Name Indication to route requests to the application) Browser
Continuous Delivery for Puppet Enterprise (PE)
8000 TCP Webhook service Source control
Puppet Comply
30303 TCP Communication with Puppet Enterprise PE instance
Platform ports
6443 TCP Kubernetes API Admin workstation
6783 TCP/ UDP Kubernetes networking - Weave Kubernetes host
6784 UDP
8800 TCP Puppet Application Manager Admin browser
10250 TCP Kubernetes cluster management Kubernetes host

IP address range requirements

Ensure that IP address ranges 10.96.0.0/22 and 10.32.0.0/22 are locally accessible. See Resolve IP address range conflicts for instructions.

Note: The minimum size for CIDR blocks used by PAM are:
  • /24 for pod and service CIDRs

  • Default of /22 is recommended to support future expansion

Antivirus and antimalware considerations

Antivirus and antimalware software can impact PAM and its applications or prevent them from functioning properly.

To avoid issues, exclude the following directories from antivirus and antimalware tools that scan disk write operations:
  • /var/openebs
  • /var/lib/kubelet
  • /var/lib/containerd

Firewall modules

If you use the puppetlabs/firewall module to manage your cluster's firewall rules with Puppet, be advised that purging unknown rules from changes breaks Kubernetes communication. To avoid this, apply the puppetlabs/pam_firewall module before installing Puppet Application Manager.

If you've already installed PAM, apply the pam_firewall module and then restart the kube-proxy service to recreate its iptables rules by running the following on a primary:
systemctl restart kubelet
                    kubectl -n kube-system delete pod -l k8s-app=kube-proxy
                    kubectl -n kube-system delete pod -l name=weave-net

For more information, see the PAM firewall module.

Detailed hardware requirements

For additional compute capacity, you can horizontally scale HA and standalone architectures by adding secondary nodes. During installation, only add secondaries after setting up all primaries.

You can add secondaries to HA and standalone architectures; however in standalone architectures, secondaries do not increase availability of the application, and data storage services are pinned to the host they start on and cannot be moved.

Here are the baseline requirements to run cluster services on primaries and secondaries. Any Puppet applications require additional resources on top of these requirements.
Node type CPU Memory Storage Open ports
Primary 4 CPU 7 GB At least 50 GB on an unformatted storage device in addition to application-specific storage (below) for the Ceph storage backend. This can be satisfied by multiple devices if more storage is needed later, but should be balanced across primaries.
An additional 100 GB for /var/lib. This is primarily divided among:
  • 2 GB for /var/lib/etcd

  • 4 GB for /var/lib/rook (plus buffer)

  • 32 GB for /var/lib/kubelet

  • 40 GB for /var/lib/containerd

Note: Ceph storage backend prefers the file system inhabited by /var/lib/rook to remain below 70% utilization.

SSDs (or similarly low-latency storage) are recommended for /var/lib/etcd and /var/lib/rook.

TCP: 80, 443, 2379,2380, 6443, 6783, 8800, and 10250

UDP: 6783, 6784

Secondary 1 CPU 1.5 GB
80 GB for /var/lib. This is primarily divided among:
  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd

Applications are composed of multiple smaller services, so you can divide CPU and memory requirements across multiple servers. The listed ports can be accessed from all primaries and secondaries, but only need to be exposed on nodes you include in your load balancer. Apply application-specific storage to all primary nodes.

Application-specific requirements:
Application CPU Memory Storage Ports
Continuous Delivery for Puppet Enterprise (PE) 3 CPU 8 GB 50 GB 80, 443, 8000
Puppet Comply 6 CPU 6 GB 50 GB 80, 443, 30303

The minimum recommended size for a secondary node is 4 CPU and 8 GB of memory to allow some scheduling flexibility for individual services.

Example of an HA cluster capable of running Continuous Delivery for PE and Comply

An HA cluster capable of running both Continuous Delivery for Puppet Enterprise (PE) and Puppet Comply requires 9 CPU and 14 GB of application-specific memory in addition to per-node baselines. You can create a cluster from 4 CPU, 8 GB nodes. Each primary uses all CPU and 7 GB of memory for cluster services, providing 0 CPU and 1 GB of memory for application workloads; each secondary uses 1 CPU and 1.5 GB of memory for cluster services, providing 3 CPU and 6.5 GB of memory for application workloads. Create the cluster as follows:

  • Three primaries provide an excess of 3 GB of memory for application workloads. Each primary must have 150 GB of storage in an unformatted, unpartitioned storage device for Ceph and 100 GB of storage for /var/lib.

  • Three secondaries provide an excess of 9 CPU and 19.5 GB of memory for application workloads. Each secondary must have 80 GB of storage for /var/lib.

This diagram illustrates the suggested three-node configuration for a cluster capable of running Continuous Delivery for Puppet Enterprise (PE) and Puppet Comply:PAM HA cluster example with Comply and Continuous Delivery for Puppet Enterprise

Web URL and port requirements for firewalls

Puppet Application Manager interacts with external web URLs for a variety of installation, configuration, upgrade, and deployment tasks. Puppet Application Manager uses the following web URLs for internal and outbound network traffic.

Category URLs
Puppet Application Manager and platform
  • get.replicated.com
  • registry.replicated.com
  • proxy.replicated.com
  • api.replicated.com
  • k8s.kurl.sh
  • kurl-sh.s3.amazonaws.com
  • replicated.app
  • registry-data.replicated.com
Container registries
  • gcr.io
  • docker.io
  • index.docker.io
  • registry-1.docker.io
  • auth.docker.io
  • production.cloudflare.docker.com
  • quay.io
Puppet Enterprise
  • pup.pt
  • forgeapi.puppet.com
  • pm.puppetlabs.com
  • amazonaws.com
  • s3.amazonaws.com
  • rubygems.org

Supported browsers

The following browsers are supported for use with the Puppet Application Manager UI:

Browser Supported versions
Google Chrome Current version as of release
Mozilla Firefox Current version as of release
Microsoft Edge Current version as of release
Apple Safari Current version as of release