PAM system requirements

You can install Puppet Application Manager (PAM) on a Puppet-supported cluster or add PAM to a customer-supported cluster. Before installing PAM, ensure that your system meets these requirements.

Customer-supported cluster hardware requirements

Hardware requirements for customer-supported cluster deployments are dictated largely by your system capabilities. Make sure, however, that your Kubernetes cluster meets the minimum requirements:

  • Kubernetes version 1.17 or newer.

  • A default storage class that can be used for relocatable storage.

  • A standard Ingress controller that supports websockets (we have tested with Project Contour and NGINX).

Puppet-supported cluster hardware requirements

While you can install PAM on a single standalone server, if you want to provide availability in the event of server failures, choose a high availability (HA) configuration with multiple servers.

For standalone implementations:

Memory: 2 GB + application requirements

Storage: At least 100 GB for /var/lib and /var/openebs. This is primarily divided among:

  • 2 GB for /var/lib/etcd
  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd
  • 20 GB for /var/openebs + additional application-specific storage.

CPUs: 2 + application requirements

Open ports:

  • TCP: 443, 2379, 2380, 6443, 6783, 8800, 9001 (offline only), and 10250
  • UDP: 6783, 6784

For HA implementations, each server must meet the following minimum requirements. Secondaries must only be added after setting up three primaries:

Primary nodes

Memory: 7 GB + application requirements

Storage: At least 50 GB on an unformatted storage device (such as a partition or raw device) + additional application-specific storage

At least 100 GB for /var/lib. This is primarily divided among:

  • 2 GB for /var/lib/etcd
  • 4 GB for /var/lib/rook (plus buffer)
  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd

Note: Ceph storage back-end prefers the file system inhabited by /var/lib/rook to remain below 70% utilization.

SSDs (or similarly low-latency storage) are recommended for /var/lib/etcd and /var/lib/rook.

CPUs: 4 + application requirements

Open ports:

  • TCP: 443, 2379, 2380, 6443, 6783, 8000, 8800, 9001 (offline only), and 10250
  • UDP: 6783, 6784

Secondary nodes

Memory: 1.5 GB + application requirements

Storage: At least 80 GB for /var/lib. This is primarily divided among:

  • 32 GB for /var/lib/kubelet
  • 40 GB for /var/lib/containerd

CPUs: 1 + application requirements

Hardware requirements for individual applications

Hardware requirements for applications run on customer-supported Kubernetes clusters are the same as those on Puppet-supported clusters.

For standalone implementations, the application's hardware requirements are added directly to the cluster hardware requirements. For HA implementations, however, CPU and memory requirements are spread across multiple servers, because the individual service requirements are covered by the multiple servers within the cluster. The estimates for an HA implementation include a buffer that accounts for the failure of a single server. The minimum requirements for secondary nodes are 4 CPUs and 8 GB of memory. Apply the application-specific storage requirements to primary nodes only.

Application requirements (memory, storage, CPU):

  • Continuous Delivery for PE with 1-2 concurrent pipelines: 4 GB memory, 30 GB storage, 2 CPU
  • Continuous Delivery for PE with 3 or more concurrent pipelines and/or HA: 8 GB memory, 50 GB storage, 3 CPU
  • Puppet Comply Standalone with low activity: 4 GB memory, 30 GB storage, 4 CPU
  • Puppet Comply with frequent use and/or HA: 6 GB memory, 50 GB storage, 6 CPU

Example: HA cluster with Continuous Delivery for PE

An HA cluster capable of running Continuous Delivery for PE requires 3 CPU and 8 GB memory in addition to the per-node baselines listed above; 4 CPUs and 7 GB of a primary server's memory are used for core services, while a secondary server uses 1 CPU and 1.5 GB of memory.

Create the cluster as follows:

  • Three primaries with 4 CPUs and 8 GB of memory, which provides an excess 3 GB of memory for application workloads. Each primary must have 100 GB storage in an unformatted partition for Ceph (the cluster uses 50 GB of storage for core services and 50 GB for Continuous Delivery for PE), and 100 GB for /var/lib.
  • One secondary with 4 CPUs and 8 GB memory, which provides an excess 3 CPUs and 6.5 GB of memory for application workloads. Each secondary must have 80 GB for /var/lib.

The four nodes provide a total of 3 CPUs and 9.5 GB of memory for application workloads, of which Continuous Delivery for PE uses 3 CPUs and 8 GB of memory.

Example: HA cluster with Puppet Comply

An HA cluster capable of running Puppet Comply requires 6 CPUs and 6 GB of memory in addition to per-node baselines.

Create the cluster as follows:

  • Three primaries with 4 CPUs and 8 GB of memory, which provides an excess 3 GB of memory for application workloads. Each primary must have 100 GB storage in an unformatted partition for Ceph and 100 GB of storage for /var/lib.
  • Two secondaries with 4 CPUs and 8 GB of memory, which provides an excess 6 CPUs and 13 GB of memory for application workloads. Each secondary must have 80 GB of storage for /var/lib.

The five nodes provide a total of 6 CPUs and 16 GB of memory for application workloads, of which Puppet Comply uses 6 CPUs and 6 GB of memory.

Example: HA cluster with both

An HA cluster capable of running both Continuous Delivery for PE and Puppet Comply requires 9 CPUs and 14 GB of memory in addition to per-node baselines.

Create the cluster as follows:

  • Three primaries with 4 CPUs and 8 GB of memory, which provides an excess 3 GB of memory for application workloads. Each primary must have 150 GB of storage in an unformatted partition for Ceph and 100 GB of storage for /var/lib.
  • Three secondaries with 4 CPUs and 8 GB of memory, which provides an excess 9 CPUs and 19.5 GB of memory for application workloads. Each secondary must have 80 GB of storage for /var/lib.

The six nodes provide a total of 9 CPUs and 22.5 GB of memory for application workloads, of which Continuous Delivery for PE uses 3 CPUs and 8 GB of memory and Puppet Comply uses 6 CPUs and 6 GB of memory.

Or, with larger nodes:

  • Three primaries with 7 CPUs and 12 GB of memory, which provides an excess 9 CPUs and 15 GB of memory for application workloads. Each primary must have 150 GB of storage in an unformatted partition for Ceph and 100 GB of storage for /var/lib.
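
The sizing arithmetic behind the three HA examples above can be checked for any proposed node layout. The following is an added example, not Puppet's own tooling; the figures are copied from this page, while the names `plan`, `cluster`, `Node` and the keys `cd4pe` and `comply` are hypothetical.

```python
from dataclasses import dataclass

# Figures are copied from this page; dictionary keys are hypothetical names.
BASELINE = {"primary": (4, 7.0), "secondary": (1, 1.5)}  # core services: CPUs, GB memory
MIN_SECONDARY = (4, 8.0)   # stated minimum size of a secondary node
CORE_CEPH_GB = 50          # Ceph storage each primary needs for core services
APPS = {                   # HA rows of the application table: CPUs, GB memory, GB storage
    "cd4pe": (3, 8.0, 50),
    "comply": (6, 6.0, 50),
}

@dataclass
class Node:
    role: str       # "primary" or "secondary"
    cpus: int
    mem_gb: float

def plan(nodes, apps):
    """Compare excess node capacity with application demand for an HA cluster."""
    problems = []
    if sum(n.role == "primary" for n in nodes) < 3:
        problems.append("fewer than three primaries")
    for n in nodes:
        base_cpu, base_mem = BASELINE[n.role]
        if n.cpus < base_cpu or n.mem_gb < base_mem:
            problems.append(f"{n.role} is below the core-service baseline")
        if n.role == "secondary" and (n.cpus < MIN_SECONDARY[0] or n.mem_gb < MIN_SECONDARY[1]):
            problems.append("secondary is below 4 CPUs / 8 GB")
    excess_cpu = sum(n.cpus - BASELINE[n.role][0] for n in nodes)
    excess_mem = sum(n.mem_gb - BASELINE[n.role][1] for n in nodes)
    need_cpu = sum(APPS[a][0] for a in apps)
    need_mem = sum(APPS[a][1] for a in apps)
    if excess_cpu < need_cpu:
        problems.append(f"short {need_cpu - excess_cpu} CPUs")
    if excess_mem < need_mem:
        problems.append(f"short {need_mem - excess_mem} GB memory")
    return {
        "excess_cpu": excess_cpu,
        "excess_mem_gb": excess_mem,
        # Application storage is applied to primaries only, on top of core services.
        "ceph_gb_per_primary": CORE_CEPH_GB + sum(APPS[a][2] for a in apps),
        "problems": problems,
    }

def cluster(primaries, secondaries, cpus=4, mem_gb=8.0):
    """Build a node list of identically sized servers."""
    return [Node("primary", cpus, mem_gb)] * primaries + [Node("secondary", cpus, mem_gb)] * secondaries

if __name__ == "__main__":
    print(plan(cluster(3, 1), ["cd4pe"]))
    print(plan(cluster(3, 1), ["cd4pe", "comply"]))
```

The second call reports a shortfall because one secondary does not leave enough excess CPU and memory for both applications.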

Puppet-supported cluster port requirements

Puppet Application Manager uses the following ports:

Puppet application ports:

  • 443 (TCP): Web UI. Relies on Server Name Indication to route requests to the application. Source: Browser. Destination: Kubernetes host.
  • 8000 (TCP): Webhook service. Can be configured to a different port number. Source: Source control. Destination: Kubernetes host.

Platform ports:

  • 2379 (TCP) and 2380 (TCP): High availability (HA) communication. Source: etcd on the Kubernetes host. Destination: etcd on the Kubernetes host.
  • 6443 (TCP): Kubernetes API. Source: Admin workstation. Destination: Kubernetes host.
  • 6783 (TCP/UDP) and 6784 (UDP): Kubernetes networking - Weave. Source: Kubernetes host. Destination: Kubernetes host.
  • 8800 (TCP): Puppet Application Manager. Source: Admin browser. Destination: Kubernetes host.
  • 9001 (TCP, offline installations only): Docker registry for offline installations. Source: Job hardware. Destination: Kubernetes host.
  • 10250 (TCP): Kubernetes cluster management. Source: Kubernetes host. Destination: Kubernetes host.

Remember: Applications that you install with Puppet Application Manager may require other ports to be open. For more information on application-specific port requirements, check the relevant application documentation.

Customer-supported cluster port requirements

Ensure that the ports listed in the following table are open:

  • 443 (TCP): Web UI. Source: Browser. Destination: Puppet Application Manager.
  • 8000 (TCP): Webhook service. Source: Source control. Destination: Puppet Application Manager.
  • 8800 (TCP): Puppet Application Manager. Source: Admin browser. Destination: Kubernetes host.

IP address range requirements

Ensure that IP address ranges 10.96.0.0/22 and 10.32.0.0/22 are locally accessible. See Resolve IP address range conflicts for instructions.
Note: The minimum sizes for CIDR blocks used by Puppet Application Manager are:
  • Standalone - /24 for pod and service CIDRs
  • HA - /23 for pod and service CIDRs
  • Default of /22 is recommended to support future expansion
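
One way to spot a range conflict before installing is to compare the pod and service ranges against the host's routing table. This is an added example, not part of Puppet's tooling; it assumes the input is the text of `ip -4 route`, treats any overlap with an existing route as a conflict, and uses the hypothetical function names `host_networks` and `check_ranges`.

```python
import ipaddress

DEFAULT_RANGES = ("10.96.0.0/22", "10.32.0.0/22")   # ranges named on this page
MAX_PREFIX = {"standalone": 24, "ha": 23}            # smallest block allowed per install type

# Constructed sample of `ip -4 route` output, not taken from a real host.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.96.2.0/24 dev eth1 proto kernel scope link src 10.96.2.15
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
blackhole 203.0.113.0/24
"""

def host_networks(route_text):
    """Return destination networks from `ip -4 route` text."""
    nets = []
    for line in route_text.splitlines():
        fields = line.split()
        # The default route overlaps every range, so it says nothing about conflicts.
        if not fields or fields[0] == "default":
            continue
        # Typed routes (blackhole, unreachable, ...) put a keyword before the network.
        for token in fields[:2]:
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
                break
            except ValueError:
                continue
    return nets

def check_ranges(route_text, mode, ranges=DEFAULT_RANGES):
    """Return (range, problem) pairs for blocks that are too small or already routed."""
    findings = []
    routed = host_networks(route_text)
    for text in ranges:
        block = ipaddress.ip_network(text)   # raises ValueError on host bits or typos
        if block.prefixlen > MAX_PREFIX[mode]:
            findings.append((text, f"smaller than /{MAX_PREFIX[mode]} minimum for {mode}"))
        for net in routed:
            if block.overlaps(net):
                findings.append((text, f"overlaps host route {net}"))
    return findings

if __name__ == "__main__":
    for rng, problem in check_ranges(SAMPLE_ROUTES, "ha"):
        print(f"{rng}: {problem}")
```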

Web URL requirements for firewalls

Puppet Application Manager interacts with external web URLs for a variety of installation, configuration, upgrade, and deployment tasks. Puppet Application Manager uses the following web URLs for internal and outbound network traffic.

Category URLs
Puppet Application Manager and platform
  • get.replicated.com
  • registry.replicated.com
  • proxy.replicated.com
  • api.replicated.com
  • k8s.kurl.sh
  • kurl-sh.s3.amazonaws.com
  • replicated.app
  • registry-data.replicated.com
Container registries
  • gcr.io
  • docker.io
  • index.docker.io
  • registry-1.docker.io
  • auth.docker.io
  • production.cloudflare.docker.com
  • quay.io
Puppet Enterprise
  • pup.pt
  • forgeapi.puppet.com
  • pm.puppetlabs.com
  • amazonaws.com
  • s3.amazonaws.com
  • rubygems.org

Firewall modules

If you use the puppetlabs/firewall module to manage your cluster's firewall rules with Puppet, be aware that purging unknown rules breaks Kubernetes communication. To avoid this, apply the puppetlabs/pam_firewall module before installing Puppet Application Manager.

Find more information in the pam_firewall README.

If you've already installed PAM, apply the pam_firewall module and then restart the kube-proxy service to recreate its iptables rules by running the following on a primary:
systemctl restart kubelet
kubectl -n kube-system delete pod -l k8s-app=kube-proxy
kubectl -n kube-system delete pod -l name=weave-net

Antivirus and antimalware considerations

Antivirus and antimalware software can impact Puppet Application Manager and its applications or prevent them from functioning properly.

To avoid issues, exclude the following directories from antivirus and antimalware tools that scan disk write operations:
  • /var/openebs (Standalone)
  • /var/lib/rook (HA)
  • /var/lib/docker
  • /var/lib/kubelet
  • /var/lib/containerd

Supported operating systems

Puppet Application Manager and the applications it supports can be installed on these operating systems:

Operating system and supported versions:

  • CentOS: 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.1, 8.2, 8.3
  • Red Hat Enterprise Linux (RHEL): 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.1, 8.2, 8.3
  • Ubuntu (General availability kernels): 18.04, 20.04

Supported browsers

The following browsers are supported for use with the Puppet Application Manager UI:

  • Google Chrome: Current version as of release
  • Mozilla Firefox: Current version as of release
  • Microsoft Edge: Current version as of release
  • Apple Safari: Current version as of release