Your responsibilities with using {{site.data.keyword.containerlong_notm}}
{: #responsibilities_iks}
Learn about cluster management responsibilities that you have when you use {{site.data.keyword.containerlong}}. For overall terms of use, see Cloud Services terms.
{:shortdesc}
IBM provides you with an enterprise cloud platform for you to deploy apps alongside {{site.data.keyword.cloud_notm}} DevOps, AI, data, and security services. You choose how you set up, integrate, and operate your apps and services in the cloud.
{:shortdesc}
<tr>
<td align="center"><img src="images/icon_code.svg" alt="Icon of code brackets"/><br>App orchestration</td>
<td>
**IBM responsibilities**:
<ul>
<li>Provision clusters with Kubernetes components installed so that you can access the Kubernetes API.</li>
<li>Provide a number of managed add-ons to extend your app's capabilities, such as [Istio](/docs/containers?topic=containers-istio#istio) and [Knative](/docs/containers?topic=containers-serverless-apps-knative). Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons.</li>
<li>Provide cluster integration with select third-party partnership technologies, such as {{site.data.keyword.la_short}}, {{site.data.keyword.mon_short}}, and Portworx.</li>
<li>Provide automation to enable service binding to other {{site.data.keyword.cloud_notm}} services.</li>
<li>Create clusters with image pull secrets so that your deployments in the `default` Kubernetes namespace can pull images from {{site.data.keyword.registrylong_notm}}.</li>
<li>Provide storage classes and plug-ins to support persistent volumes for use with your apps.</li>
<li>Create clusters with subnet IP addresses reserved to use to expose apps externally.</li>
<li>Support native Kubernetes public and private load balancers and Ingress routes for exposing services externally.</li>
</ul>
<br><br>
**Your responsibilities**:
<ul>
<li>Use the provided tools and features to [configure and deploy](/docs/containers?topic=containers-app#app); [set up permissions](/docs/containers?topic=containers-users#users); [integrate with other services](/docs/containers?topic=containers-supported_integrations#supported_integrations); [externally serve](/docs/containers?topic=containers-cs_network_planning#cs_network_planning); [monitor the health](/docs/containers?topic=containers-health#health); [save, back up, and restore data](/docs/containers?topic=containers-storage_planning#storage_planning); and otherwise manage your [highly available](/docs/containers?topic=containers-ha#ha) and resilient workloads.</li>
</ul>
</td>
</tr>
Responsibilities of IBM and you
Responsibilities by type
Cloud infrastructure
**IBM responsibilities**:
<ul>
<li>Deploy a fully managed, highly available dedicated master in a secured, IBM-owned infrastructure account for each cluster.</li>
<li>Provision worker nodes in your IBM Cloud infrastructure account.</li>
<li>Set up cluster management components, such as VLANs and load balancers.</li>
<li>Fulfill requests for more infrastructure, such as adding and removing worker nodes, creating default subnets, and provisioning storage volumes in response to persistent volume claims.</li>
<li>Integrate ordered infrastructure resources to work automatically with your cluster architecture and become available to your deployed apps and workloads.</li>
</ul>

**Your responsibilities**:
<ul>
<li>Use the provided API, CLI, or console tools to adjust [compute](/docs/containers?topic=containers-clusters#clusters) and [storage](/docs/containers?topic=containers-storage_planning#storage_planning) capacity, and to adjust [networking configuration](/docs/containers?topic=containers-cs_network_cluster#cs_network_cluster) to meet the needs of your workload.</li>
</ul>
Managed cluster
**IBM responsibilities**:
<ul>
<li>Provide a suite of tools to automate cluster management, such as the {{site.data.keyword.containerlong_notm}} [API ![External link icon](../icons/launch-glyph.svg "External link icon")](https://containers.cloud.ibm.com/global/swagger-global-api/), [CLI plug-in](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli), and [console ![External link icon](../icons/launch-glyph.svg "External link icon")](https://cloud.ibm.com/kubernetes/clusters).</li>
<li>Automatically apply Kubernetes master patch OS, version, and security updates. Make major and minor updates available for you to apply.</li>
<li>Update and recover operational {{site.data.keyword.containerlong_notm}} and Kubernetes components within the cluster, such as the Ingress application load balancer and file storage plug-in.</li>
<li>Back up and recover data in etcd, such as your Kubernetes workload configuration files.</li>
<li>Set up an OpenVPN connection between the master and worker nodes when the cluster is created.</li>
<li>Monitor and report the health of the master and worker nodes in the various interfaces.</li>
<li>Provide worker node major, minor, and patch OS, version, and security updates.</li>
<li>Fulfill automation requests to update and recover worker nodes. Provide the optional [worker node Autorecovery](/docs/containers?topic=containers-health#autorecovery).</li>
<li>Provide tools, such as the [cluster autoscaler](/docs/containers?topic=containers-ca#ca), to extend your cluster infrastructure.</li>
</ul>

**Your responsibilities**:
<ul>
<li>Use the API, CLI, or console tools to [apply](/docs/containers?topic=containers-update#update) the provided major and minor Kubernetes master updates and major, minor, and patch worker node updates.</li>
<li>Use the API, CLI, or console tools to [recover](/docs/containers?topic=containers-cs_troubleshoot#cs_troubleshoot) your infrastructure resources, or set up and configure the optional [worker node Autorecovery](/docs/containers?topic=containers-health#autorecovery).</li>
</ul>
Security-rich environment
**IBM responsibilities**:
<ul>
<li>Maintain controls commensurate to [various industry compliance standards](/docs/containers?topic=containers-faqs#standards), such as PCI DSS.</li>
<li>Monitor, isolate, and recover the cluster master.</li>
<li>Provide highly available replicas of the Kubernetes master API server, etcd, scheduler, and controller manager components to protect against a master outage.</li>
<li>Automatically apply master security patch updates, and provide worker node security patch updates.</li>
<li>Enable certain security settings, such as encrypted disks on worker nodes.</li>
<li>Disable certain insecure actions for worker nodes, such as by not permitting users to SSH into the host.</li>
<li>Encrypt communication between the master and worker nodes with TLS.</li>
<li>Provide CIS-compliant Linux images for worker node operating systems.</li>
<li>Continuously monitor master and worker node images to detect vulnerability and security compliance issues.</li>
<li>Provision worker nodes with two local SSD, AES 256-bit encrypted data partitions.</li>
<li>Provide options for cluster network connectivity, such as public and private service endpoints.</li>
<li>Provide options for compute isolation, such as dedicated virtual machines or bare metal.</li>
<li>Integrate Kubernetes role-based access control (RBAC) with {{site.data.keyword.Bluemix_notm}} Identity and Access Management (IAM).</li>
</ul>

**Your responsibilities**:
<ul>
<li>Use the API, CLI, or console tools to apply the provided [security patch updates](/docs/containers?topic=containers-changelog#changelog) to your worker nodes.</li>
<li>Choose how to set up your [cluster network](/docs/containers?topic=containers-plan_clusters) and configure further [security settings](/docs/containers?topic=containers-security#security) to meet your workload's security and compliance needs. If applicable, configure your [firewall](/docs/containers?topic=containers-firewall#firewall).</li>
</ul>