copyright lastupdated keywords subcollection
2014, 2019
kubernetes, iks


Your responsibilities with using {{}}

{: #responsibilities_iks}

Learn about cluster management responsibilities that you have when you use {{}}. For overall terms of use, see Cloud Services terms. {:shortdesc}

IBM provides you with an enterprise cloud platform for you to deploy apps alongside {{}} DevOps, AI, data, and security services. You choose how you set up, integrate, and operate your apps and services in the cloud. {:shortdesc}

Icon of code brackets
App orchestration
**IBM responsibilities**:
  • Provision clusters with Kubernetes components installed so that you can access the Kubernetes API.
  • Provide a number of managed add-ons to extend your app's capabilities, such as [Istio](/docs/containers?topic=containers-istio#istio) and [Knative](/docs/containers?topic=containers-serverless-apps-knative). Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons.
  • Provide cluster integration with select third-party partnership technologies, such as {{}}, {{}}, and Portworx.
  • Provide automation to enable service binding to other {{}} services.
  • Create clusters with image pull secrets so that your deployments in the `default` Kubernetes namespace can pull images from {{}}.
  • Provide storage classes and plug-ins to support persistent volumes for use with your apps.
  • Create clusters with subnet IP addresses reserved to use to expose apps externally.
  • Support native Kubernetes public and private load balancers and Ingress routes for exposing services externally.

**Your responsibilities**:
  • Use the provided tools and features to [configure and deploy](/docs/containers?topic=containers-app#app); [set up permissions](/docs/containers?topic=containers-users#users); [integrate with other services](/docs/containers?topic=containers-supported_integrations#supported_integrations); [externally serve](/docs/containers?topic=containers-cs_network_planning#cs_network_planning); [monitor the health](/docs/containers?topic=containers-health#health); [save, back up, and restore data](/docs/containers?topic=containers-storage_planning#storage_planning); and otherwise manage your [highly available](/docs/containers?topic=containers-ha#ha) and resilient workloads.

Responsibilities of IBM and you
Responsibilities by type
Icon of a cloud with an arrow pointing down
Cloud infrastructure
**IBM responsibilities**:
  • Deploy a fully managed, highly available dedicated master in a secured, IBM-owned infrastructure account for each cluster.
  • Provision worker nodes in your IBM Cloud infrastructure account.
  • Set up cluster management components, such as VLANs and load balancers.
  • Fulfill requests for more infrastructure, such as adding and removing worker nodes, creating default subnets, and provisioning storage volumes in response to persistent volume claims.
  • Integrate ordered infrastructure resources to work automatically with your cluster architecture and become available to your deployed apps and workloads.

**Your responsibilities**:
  • Use the provided API, CLI, or console tools to adjust [compute](/docs/containers?topic=containers-clusters#clusters) and [storage](/docs/containers?topic=containers-storage_planning#storage_planning) capacity, and to adjust [networking configuration](/docs/containers?topic=containers-cs_network_cluster#cs_network_cluster) to meet the needs of your workload.

Icon of a wrench
Managed cluster
**IBM responsibilities**:
  • Provide a suite of tools to automate cluster management, such as the {{}} API, [CLI plug-in](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli), and console.
  • Automatically apply Kubernetes master patch OS, version, and security updates. Make major and minor updates available for you to apply.
  • Update and recover operational {{}} and Kubernetes components within the cluster, such as the Ingress application load balancer and file storage plug-in.
  • Back up and recover data in etcd, such as your Kubernetes workload configuration files.
  • Set up an OpenVPN connection between the master and worker nodes when the cluster is created.
  • Monitor and report the health of the master and worker nodes in the various interfaces.
  • Provide worker node major, minor, and patch OS, version, and security updates.
  • Fulfill automation requests to update and recover worker nodes. Provide the optional [worker node Autorecovery](/docs/containers?topic=containers-health#autorecovery).
  • Provide tools, such as the [cluster autoscaler](/docs/containers?topic=containers-ca#ca), to extend your cluster infrastructure.

**Your responsibilities**:
  • Use the API, CLI, or console tools to [apply](/docs/containers?topic=containers-update#update) the provided major and minor Kubernetes master updates and major, minor, and patch worker node updates.
  • Use the API, CLI, or console tools to [recover](/docs/containers?topic=containers-cs_troubleshoot#cs_troubleshoot) your infrastructure resources, or set up and configure the optional [worker node Autorecovery](/docs/containers?topic=containers-health#autorecovery).

Icon of lock
Security-rich environment
**IBM responsibilities**:
  • Maintain controls commensurate to [various industry compliance standards](/docs/containers?topic=containers-faqs#standards), such as PCI DSS.
  • Monitor, isolate, and recover the cluster master.
  • Provide highly available replicas of the Kubernetes master API server, etcd, scheduler, and controller manager components to protect against a master outage.
  • Automatically apply master security patch updates, and provide worker node security patch updates.
  • Enable certain security settings, such as encrypted disks on worker nodes.
  • Disable certain insecure actions on worker nodes; for example, users are not permitted to SSH into the host.
  • Encrypt communication between the master and worker nodes with TLS.
  • Provide CIS-compliant Linux images for worker node operating systems.
  • Continuously monitor master and worker node images to detect vulnerability and security compliance issues.
  • Provision worker nodes with two local SSD, AES 256-bit encrypted data partitions.
  • Provide options for cluster network connectivity, such as public and private service endpoints.
  • Provide options for compute isolation, such as dedicated virtual machines or bare metal.
  • Integrate Kubernetes role-based access control (RBAC) with {{}} Identity and Access Management (IAM).

**Your responsibilities**:
  • Use the API, CLI, or console tools to apply the provided [security patch updates](/docs/containers?topic=containers-changelog#changelog) to your worker nodes.
  • Choose how to set up your [cluster network](/docs/containers?topic=containers-plan_clusters) and configure further [security settings](/docs/containers?topic=containers-security#security) to meet your workload's security and compliance needs. If applicable, configure your [firewall](/docs/containers?topic=containers-firewall#firewall).