cs_sitemap.md

copyright	years	lastupdated
	2014, 2019	2019-10-03

{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:note: .note} {:important: .important} {:deprecated: .deprecated} {:download: .download} {:preview: .preview}

Site map

{: #cs_sitemap}

Getting started with {{site.data.keyword.containerlong_notm}}

{: #sitemap-gs}

Getting started with {{site.data.keyword.containerlong_notm}}

About

{: #sitemap-about}

Why {{site.data.keyword.containerlong_notm}}

• Benefits of using the service
• Comparison of offerings and their combinations
• Comparison of free and standard clusters

Overview of Classic and VPC infrastructure providers

{{site.data.keyword.containerlong_notm}} technology

• Docker containers
  • Key benefits of using containers
• Kubernetes clusters
• Service architecture
  • Classic cluster architecture
  • VPC cluster architecture
• Service limitations
• VPC cluster limitations

Use cases

{: #sitemap-usecases}

Overview of use cases

Financial services use cases for {{site.data.keyword.cloud_notm}}

• Mortgage company trims costs and accelerates regulatory compliance
• Payment tech company streamlines developer productivity, deploying AI-enabled tools to their partners 4 times faster

Healthcare use cases for {{site.data.keyword.cloud_notm}}

• Healthcare provider migrates workloads from inefficient VMs to Ops-friendly containers for reporting and patient systems
• Research nonprofit securely hosts sensitive data while it grows research with partners

Retail use cases for {{site.data.keyword.cloud_notm}}

• Brick-and-mortar retailer shares data, by using APIs with global partners to drive omnichannel sales
• Traditional grocer increases customer traffic and sales with digital insights

Transportation use cases for {{site.data.keyword.cloud_notm}}

• Shipping company increases availability of worldwide systems for business partner ecosystem
• Airline delivers innovative Human Resources (HR) benefits site in under 3 weeks

Government use cases for {{site.data.keyword.cloud_notm}}

• Regional government improves collaboration and velocity with community Developers who combine public-private data
• Large public port secures exchange of port data and shipping manifests that connect public and private organizations

Your cluster strategy

{: #sitemap-strategy}

Your responsibilities by using {{site.data.keyword.containerlong_notm}}

• Cluster management responsibilities

Security for {{site.data.keyword.containerlong_notm}}

• Overview of security threats for your cluster
• Kubernetes API server and etcd
• Worker node
• Network
  • Network segmentation and privacy for classic clusters
  • Network segmentation and privacy for VPC clusters
  • LoadBalancer and Ingress services
• Persistent storage
• Monitoring and logging
• Image and registry
• Container isolation and security
• Storing personal information
• Kubernetes security bulletins

High availability for {{site.data.keyword.containerlong_notm}}

• Overview of potential points of failure in {{site.data.keyword.containerlong_notm}}

Defining your Kubernetes strategy

• Moving your workloads to the {{site.data.keyword.cloud_notm}}
  • What can I move to the {{site.data.keyword.cloud_notm}}?
  • What kind of apps can I run in {{site.data.keyword.containerlong_notm}}?
  • What are some guidelines for developing stateless, cloud-native apps?
  • I already have an app. How can I migrate it to {{site.data.keyword.containerlong_notm}}?
  • What knowledge and technical skills are good to have before I move my apps to {{site.data.keyword.containerlong_notm}}?
• Sizing your Kubernetes cluster to support your workload
  • How many resources does my app require?
  • What else besides my app might use resources in the cluster?
  • What type of availability do I want my workload to have?
  • How many worker nodes do I need to handle my workload?
• Structuring your Kubernetes environment
  • What type of cluster and flavors should I get?
  • Do I use multiple clusters, or just add more workers to an existing cluster?
  • How can I set up my resources within the cluster?
• Making your resources highly available
• Setting up service discovery
  • Can I customize the Kubernetes cluster DNS provider?
  • How can I make sure that my services are connected to the right deployments and ready to go?
  • How do I control network traffic among the services that run in my cluster?
  • How can I expose my services on the Internet?
• Deploying app workloads to clusters
  • I thought that I needed to put my app in a container. Now what's all this stuff about pods?
  • So if I can just use a pod, why do I need all these different types of objects?
  • How can I organize my deployments to make them easier to update and manage?
  • What else can I do to prepare my app for deployment?
• Packing your app
• Keeping your app up-to-date
  • How can I keep my cluster in a supported state?
  • What app update strategies can I use?
• Monitoring your cluster performance

Tutorials

{: #sitemap-tutorials}

Tutorial overview

• Create a cluster and deploy your first app
• Deploy apps to clusters
• Set up high availability and security
• Automate app and cluster deployments
• Monitor and log cluster activity
• Migrate apps to the cloud

Creating Kubernetes clusters

• Objectives
• Time required
• Audience
• Prerequisites
• Lesson 1: Setting up your cluster environment
• Lesson 2: Adding an IBM Cloud service to your cluster
• Lesson 3: Deploying single instance apps to Kubernetes clusters
• Lesson 4: Deploying and updating apps with higher availability
• Lesson 5: Deploying and updating the Watson Tone Analyzer app
  • Lesson 5a: Deploying the Watson Tone Analyzer app
  • Lesson 5b: Updating the running Watson Tone Analyzer deployment
• What's next?

Creating a classic cluster in your Virtual Private Cloud (VPC)

• Objectives
• Time required
• Audience
• Prerequisites
• Lesson 1: Creating a cluster in VPC
• Lesson 2: Deploying a privately available app
• Lesson 3: Setting up a Load Balancer for VPC to expose your app publicly
• What's next?

Deploy a starter kit app to a Kubernetes cluster

• Objectives
• Time required
• Audience
• Prerequisites
• Lesson 1: Add services to your app
• Lesson 2: Deploy your app by using a DevOps toolchain
• Lesson 3: Explore the toolchain tools, logs, and history
• Lesson 4: Verify the health of your app

Using Calico network policies to block traffic

• Objectives
• Time required
• Audience
• Prerequisites
• Lesson 1: Deploy an app and expose it by using a load balancer
• Lesson 2: Block all incoming traffic to all node ports
• Lesson 3: Allow incoming traffic from a whitelisted IP to the load balancer
• Lesson 4: Deny incoming traffic from blacklisted IPs to the load balancer
• Lesson 5: Logging blocked traffic from blacklisted IPs to the NLB
• What's next?

Migrating an app from Cloud Foundry to a cluster

• Objectives
• Time required
• Audience
• Prerequisites
• Lesson 1: Download app code
• Lesson 2: Creating a Docker image with your app code
• Lesson 3: Deploying a container from your image

Move a VM-based application to Kubernetes

Create a multi-region cluster using Cloud Internet Services

Set up a continuous integration and delivery pipeline for containerized apps that run in Kubernetes

Installing the CLI and API

{: #sitemap-cli-api}

Setting up the CLI

• Installing the IBM Cloud CLI and plug-ins
• Installing the Kubernetes CLI (kubectl)
• Running the CLI in a container on your computer
• Configuring the CLI to run kubectl
• Updating the CLI
• Uninstalling the CLI
• Using the Kubernetes Terminal in your web browser (beta)

Setting up the API

• About the API
• Automating cluster deployments with the API
• Working with your cluster by using the Kubernetes API
• Refreshing {{site.data.keyword.cloud_notm}} IAM access tokens and obtaining new refresh tokens with the API
• Refreshing {{site.data.keyword.cloud_notm}} IAM access tokens and obtaining new refresh tokens with the CLI

Setting up clusters

{: #sitemap-setup-clusters}

Planning your cluster network setup

• Understanding network basics of VPC clusters
  • Worker-to-worker communication: VPC subnets
  • Worker-to-master and user-to-master communication: Service endpoints
  • Worker communication to other services or networks
  • External communication to apps that run on worker nodes
• Example scenarios for VPC cluster network setups
  • Scenario: Run internet-facing app workloads in a VPC cluster
  • Scenario: Run internet-facing app workloads in a VPC cluster with limited public egress
  • Scenario: Extend your on-premises data center to a VPC cluster
• Understanding network basics of classic clusters
  • Worker-to-worker communication
  • Master-to-worker communication
  • Worker communication to other {{site.data.keyword.cloud_notm}} services or on-premises networks
  • External communication to apps running on worker nodes
• Example scenarios for classic cluster network setups
  • Scenario: Run internet-facing app workloads in a cluster
  • Scenario: Extend your on-premises data center to a cluster on the private network and add limited public access
    • Using a gateway-enabled cluster
    • Using a gateway appliance
  • Scenario: Extend your on-premises data center to a cluster on the private network

Planning your cluster for high availability

• Single zone cluster
• Multizone cluster
• Multiple clusters connected with a global load balancer

Planning your worker node setup

• Available hardware for worker nodes
• Virtual machines
• Physical machines (bare metal)
• Software-defined storage (SDS) machines
• Worker node resource reserves

Creating clusters

• Prepare to create clusters at the account level
• Deciding on your cluster setup
• Creating a standard classic cluster
  • Creating a standard classic cluster in the console
  • Creating a standard classic cluster in the CLI
  • Creating a standard classic cluster with a gateway in the CLI
• Creating a standard VPC on Classic cluster
  • /docs/containers?topic=containers-clusters#clusters_vpc_ui
  • Creating standard VPC on Classic clusters from the CLI
• Accessing your cluster
  • Accessing clusters through the public service endpoint
  • Accessing clusters through the private service endpoint
• Next steps

Adding worker nodes and zones to clusters

• Adding worker nodes by resizing an existing worker pool
• VPC: Adding worker nodes by creating a new worker pool
• Classic: Adding worker nodes by creating a new worker pool
• VPC: Adding worker nodes by adding a zone to a worker pool
• Classic: Adding worker nodes by adding a zone to a worker pool
• Deprecated: Adding stand-alone worker nodes
• Adding labels to existing worker pools
• Autorecovery for your worker nodes

Administering clusters

{: #sitemap-clusters-admin}

Scaling clusters

• Understanding scale-up and scale-down
• Following scalable deployment practices
  • Can I autoscale multiple worker pools at once?
  • How can I make sure that the cluster autoscaler responds to what resources my app needs?
  • Can I scale down a worker pool to zero (0) nodes?
  • Can I optimize my deployments for autoscaling?
  • Can I use taints and tolerations with autoscaled worker pools?
  • Why are my autoscaled worker pools unbalanced?
  • Why can't I resize or rebalance my worker pool?
• Deploying the cluster autoscaler Helm chart to your cluster
• Updating the cluster autoscaler configmap
• Customizing the cluster autoscaler Helm chart configuration values
• Limiting apps to run on only certain autoscaled worker pools
• Scaling up worker nodes before the worker pool has insufficient resources
• Updating the cluster autoscaler Helm chart
  • Updating to the latest Helm chart from version 1.0.2 or earlier
• Removing the cluster autoscaler

Updating clusters, worker nodes, and add-ons

• Updating the Kubernetes master
• Updating classic worker nodes
  • Prerequisites
  • Updating classic worker nodes in the CLI with a configmap
  • Updating classic worker nodes in the console
• Updating VPC worker nodes
  • Prerequisites
  • Updating VPC worker nodes in the CLI
  • Updating VPC worker nodes in the console
• Updating flavors
• Updating cluster components
  • Managing automatic updates for the Fluentd for logging add-on
  • Managing automatic updates for the Ingress ALB add-on
• Updating cluster add-ons
• Updating from stand-alone worker nodes to worker pools

Assigning cluster access

• Understanding access policies and roles
  • Pick the right access policy and role for your users
  • Assign access roles to individual or groups of users in {{site.data.keyword.cloud_notm}} IAM
  • Scope user access to cluster instances, namespaces, or resource groups
• Setting up access to your cluster
• Setting up the API key to enable access to the infrastructure portfolio
  • Understanding access to the IBM Cloud infrastructure portfolio
  • Ensuring that the API key or infrastructure credentials owner has the correct permissions
  • Accessing the infrastructure portfolio with your default {{site.data.keyword.cloud_notm}} Pay-As-You-Go account
  • Accessing a different IBM Cloud infrastructure account
• Granting users access to your cluster through {{site.data.keyword.cloud_notm}} IAM
  • Assigning {{site.data.keyword.cloud_notm}} IAM roles with the console
  • Assigning {{site.data.keyword.cloud_notm}} IAM roles with the CLI
• Assigning RBAC permissions
  • Creating custom RBAC permissions for users, groups, or service accounts
• Customizing infrastructure permissions
• Removing user permissions
  • Removing a user from your account
  • Removing specific permissions
    • Remove a user from an access group
    • Remove {{site.data.keyword.cloud_notm}} IAM platform permissions and the associated pre-defined RBAC permissions
    • Remove custom RBAC permissions
    • Remove Cloud Foundry permissions
    • Remove IBM Cloud infrastructure permissions

Protecting sensitive information in your cluster

• Understanding when to use secrets
  • Adding a service to a cluster
  • Encrypting traffic to your apps with TLS secrets
  • Accessing your registry with credentials stored in a Kubernetes imagePullSecret
• Encrypting the Kubernetes master's local disk and secrets by using Key Protect (beta)
• Encrypting data by using {{site.data.keyword.datashield_full_notm}} (Beta)

Configuring pod security policies

• Customizing pod security policies
• Understanding default resources for {{site.data.keyword.IBM_notm}} cluster management

Setting pod priority

• Understanding default priority classes
• Creating a priority class
• Assigning priority to your pods

Logging and monitoring

• Choosing a logging solution
• Forwarding cluster, app, and Kubernetes API audit logs to {{site.data.keyword.la_full_notm}}
  • Forwarding cluster and app logs
  • Forwarding Kubernetes API audit logs
• Forwarding cluster, app, and Kubernetes API audit logs to an external server
  • Understanding log forwarding to an external server
  • Forwarding cluster and app logs
  • Forwarding Kubernetes API audit logs
  • Filtering logs that are forwarded
  • Verifying, updating, and deleting log forwarding
• Collecting master logs in an {{site.data.keyword.cos_full_notm}} bucket
• Choosing a monitoring solution
• Viewing cluster states
• Configuring health monitoring for worker nodes with Autorecovery

Tuning performance

• Optimizing worker node performance
• Optimizing pod performance
• Adjusting cluster metrics provider resources

Removing clusters

Managing cluster network traffic for classic clusters

{: #sitemap-clusters-networking}

Opening required ports and IP addresses in your firewall

• Opening ports in a corporate firewall
  • Running ibmcloud, ibmcloud ks, and ibmcloud cr commands from behind a firewall
  • Running kubectl commands from behind a firewall
  • Running calicoctl commands from behind a firewall
• Opening ports in gateway device firewalls
  • Opening required ports in a public firewall
  • Opening required ports in a private firewall
  • Opening ports in a public or private firewall for inbound traffic to NodePort, load balancer, and Ingress services
• Allowing the cluster to access resources through Calico network policies
• Whitelisting your cluster in other services' firewalls or in on-premises firewalls
• Updating IAM whitelists for Kubernetes Service IP addresses

Controlling traffic with network policies

• Default Calico and Kubernetes network policies
• Installing and configuring the Calico CLI
• Viewing network policies
• Adding network policies
• Controlling inbound traffic to load balancer or node port services
• Isolating clusters on the public network
• Isolating clusters on the private network
• Controlling traffic between pods
  • Isolate app services within a namespace
  • Isolate app services between namespaces
• Logging denied traffic

Restricting network traffic to edge worker nodes

• Isolating networking workloads to edge nodes
• Preventing workloads from running on edge worker nodes
• Isolating networking workloads to edge nodes in classic gateway-enabled clusters

Setting up VPN connectivity

• Using the strongSwan IPSec VPN service Helm chart
• strongSwan VPN service considerations
• Configuring the strongSwan VPN in a multizone cluster
  • Configuring one outbound VPN connection from a multizone cluster
  • Configuring one inbound VPN connection to a multizone cluster
  • Configuring an inbound VPN connection in each zone of a multizone cluster
• Configuring the strongSwan Helm chart
  • Step 1: Get the strongSwan Helm chart
  • Step 2: Configure basic IPSec settings
  • Step 3: Select inbound or outbound VPN connection
  • Step 4: Access cluster resources over the VPN connection
  • Step 5: Access remote network resources over the VPN connection
  • Step 6 (optional): Enable monitoring with the Slack webhook integration
  • Step 7: Deploy the Helm chart
• Testing and verifying strongSwan VPN connectivity
• Limiting strongSwan VPN traffic by namespace or worker node
  • Limiting strongSwan VPN traffic by namespace
  • Limiting strongSwan VPN traffic by worker node
• Upgrading or disabling the strongSwan Helm chart
• Using a Virtual Router Appliance

Using the managed Istio add-on (beta)

• Understanding Istio on {{site.data.keyword.containerlong_notm}}
  • What is Istio?
  • What is Istio on {{site.data.keyword.containerlong_notm}} (beta)?
• What can I install?
• Installing the Istio add-ons
  • Installing managed Istio add-ons from the console
  • Installing managed Istio add-ons from the CLI
• Trying out the BookInfo sample app
  • Publicly accessing BookInfo
  • Exposing BookInfo by using an IBM-provided subdomain
  • Understanding what happened
• Logging, monitoring, tracing, and visualizing Istio on {{site.data.keyword.containerlong_notm}}
  • Launching the Grafana, Jaeger, and Kiali dashboards
  • Setting up logging with {{site.data.keyword.la_full_notm}}
  • Setting up monitoring with {{site.data.keyword.mon_full_notm}}
• Including apps in the Istio service mesh by setting up sidecar injection
  • Enabling automatic sidecar injection
  • Manually injecting sidecars
• Exposing Istio-managed apps by using an IBM-provided subdomain
  • Exposing Istio-managed apps without TLS termination
  • Exposing Istio-managed apps with TLS termination
• Securing in-cluster traffic by enabling mTLS
• Securing Istio-managed apps with App ID
• Updating the Istio add-ons
• Uninstalling Istio
  • Uninstalling managed Istio add-ons from the console
  • Uninstalling managed Istio add-ons from the CLI
  • Uninstalling other Istio installations in your cluster
• What's next?

Configuring subnets for classic clusters

• Overview of networking in IBM Cloud Kubernetes Service
  • VLANs
  • Subnets and IP addresses
  • Network segmentation
• Using existing subnets to create a cluster
• Managing existing portable IP addresses
  • Viewing available portable public IP addresses
  • Freeing up used IP addresses
• Adding portable IP addresses
  • Adding portable IPs by ordering more subnets
  • Adding portable IPs by adding existing subnets to your cluster
  • Adding portable private IPs by using user-managed subnets
• Managing subnet routing
  • Enabling routing between primary subnets on the same VLAN
  • Managing subnet routing for gateway appliances
• Removing subnets from a cluster
  • Removing a subnet in an IBM Cloud infrastructure account from a cluster
  • Removing a subnet in an on-premises network from a cluster

Changing service endpoints or VLAN connections for classic clusters

• Setting up the private service endpoint
• Setting up the public service endpoint
• Switching from the public service endpoint to the private service endpoint
• Changing your worker node VLAN connections

Configuring the cluster DNS provider for classic clusters

• Autoscaling the cluster DNS provider
• Customizing the cluster DNS provider
• Setting the cluster DNS provider to CoreDNS or KubeDNS
  • Setting up CoreDNS as the cluster DNS provider
  • Setting up KubeDNS as the cluster DNS provider

Managing cluster network traffic for VPC clusters

{: #sitemap-clusters-vpc-networking}

Opening required ports and IP addresses in your firewall

• Opening ports in a corporate firewall
  • Running ibmcloud, ibmcloud ks, and ibmcloud cr commands from behind a firewall
  • Running kubectl commands from behind a firewall
  • Running calicoctl commands from behind a firewall
• Allowing the cluster to access resources through ACLs
• Whitelisting your cluster in other services' firewalls or in on-premises firewalls

Controlling traffic with VPC ACLs and network policies

• Restricting public network traffic to a subnet with a public gateway
• Creating access control lists (ACLs) to control traffic to and from your cluster
• Creating Kubernetes policies to control traffic between pods
  • Isolate app services within a namespace
  • Isolate app services between namespaces

Setting up VPC VPN connectivity

• Choosing a VPN solution
  • Communication with resources in on-premises data centers
  • Communication with resources in other VPCs
  • Communication with IBM Cloud classic resources
• Using the strongSwan IPSec VPN service Helm chart
  • strongSwan VPN service considerations
  • Configuring the strongSwan VPN in a multizone cluster
• Configuring the strongSwan Helm chart
  • Step 1: Enable a public gateway on the subnet
  • Step 2: Get the strongSwan Helm chart
  • Step 3: Configure basic IPSec settings
  • Step 4: Access cluster resources over the VPN connection
  • Step 5: Access remote network resources over the VPN connection
  • Step 6 (optional): Enable monitoring with the Slack webhook integration
  • Step 7: Deploy the Helm chart
• Testing and verifying strongSwan VPN connectivity
• Limiting strongSwan VPN traffic by namespace or worker node
  • Limiting strongSwan VPN traffic by namespace
  • Limiting strongSwan VPN traffic by worker node
• Upgrading or disabling the strongSwan Helm chart

Using the managed Istio add-on (beta)

• Understanding Istio on {{site.data.keyword.containerlong_notm}}
  • What is Istio?
  • What is Istio on {{site.data.keyword.containerlong_notm}} (beta)?
• What can I install?
• Installing the Istio add-ons
  • Installing managed Istio add-ons from the console
  • Installing managed Istio add-ons from the CLI
• Trying out the BookInfo sample app
  • Publicly accessing BookInfo
  • Exposing BookInfo by using an IBM-provided subdomain
  • Understanding what happened
• Logging, monitoring, tracing, and visualizing Istio on {{site.data.keyword.containerlong_notm}}
  • Launching the Grafana, Jaeger, and Kiali dashboards
  • Setting up logging with {{site.data.keyword.la_full_notm}}
  • Setting up monitoring with {{site.data.keyword.mon_full_notm}}
• Including apps in the Istio service mesh by setting up sidecar injection
  • Enabling automatic sidecar injection
  • Manually injecting sidecars
• Exposing Istio-managed apps by using an IBM-provided subdomain
  • Exposing Istio-managed apps without TLS termination
  • Exposing Istio-managed apps with TLS termination
• Securing in-cluster traffic by enabling mTLS
• Securing Istio-managed apps with App ID
• Updating the Istio add-ons
• Uninstalling Istio
  • Uninstalling managed Istio add-ons from the console
  • Uninstalling managed Istio add-ons from the CLI
  • Uninstalling other Istio installations in your cluster
• What's next?

Configuring CoreDNS for VPC clusters

• Autoscaling the cluster DNS provider
• Customizing the cluster DNS provider

Deploying apps

{: #sitemap-images}

Building containers from images

• Planning image registries
• Setting up trusted content for container images
• Deploying containers from an {{site.data.keyword.registryshort_notm}} image to the default Kubernetes namespace
• Understanding how your cluster is authorized to pull images from {{site.data.keyword.registryshort_notm}}
• Updating existing clusters to use the API key image pull secret
• Using an image pull secret to access other Kubernetes namespaces, other {{site.data.keyword.cloud_notm}} accounts, or external private registries
  • Copying the image pull secret from the default namespace to other namespaces in your cluster
  • Creating an image pull secret to access images in other {{site.data.keyword.cloud_notm}} accounts or to use IAM policies to restrict registry access
  • Accessing images that are stored in other private registries
• Using the image pull secret to deploy containers
  • Referring to the image pull secret in your pod deployment
  • Storing the image pull secret in the Kubernetes service account for the selected namespace
• Setting up a cluster to pull entitled software
• Deprecated: Using a registry token to deploy containers from an {{site.data.keyword.registryshort_notm}} image
  • Deprecated: Deploying images to the default Kubernetes namespace with a registry token
  • Deprecated: Copying the token-based image pull secret from the default namespace to other namespaces in your cluster
  • Deprecated: Creating a token-based image pull secret to access images in other {{site.data.keyword.cloud_notm}} regions and accounts

Deploying Kubernetes-native apps in clusters

• Planning to run apps in clusters
  • What type of Kubernetes objects can I make for my app?
  • How can I add capabilities to my Kubernetes app configuration?
  • What if I want my Kubernetes app configuration to use variables? How do I add these to the YAML?
  • How can I add {{site.data.keyword.IBM_notm}} services to my app, such as Watson?
  • How can I make sure that my app has the right resources?
  • How can I access my app?
  • After I deploy my app, how can I monitor its health?
  • How can I keep my app up-to-date?
  • How can I control who has access to my app deployments?
• Planning highly available deployments
  • Increasing the availability of your app
• Specifying your app requirements in your YAML file
  • Complete example deployment YAML
• Launching the Kubernetes dashboard
• Deploying apps with the Kubernetes dashboard
• Deploying apps with the CLI
• Deploying apps to specific worker nodes by using labels
• Deploying an app on a GPU machine
• Scaling apps
• Managing rolling deployments to update your apps

Deploying serverless apps with Knative

• Setting up Knative in your cluster
  • Updating the Knative managed add-on
• Using Knative services to deploy a serverless app
• Setting up custom domain names and certificates
• Using volumes to access Kubernetes secrets and config maps
• Pulling images from a private container registry
• Accessing a Knative service from another Knative service
• Common Knative service settings
  • Setting minimum and maximum number of pods
  • Specifying the maximum number of requests per pod
  • Creating private-only serverless apps
  • Forcing the Knative service to repull a container image
• Related links

Planning to expose your apps with in-cluster and external networking

• Understanding load balancing for apps through Kubernetes service discovery
• Understanding Kubernetes service types
• Planning public external load balancing
  • Choosing a deployment pattern for classic clusters
  • Choosing a deployment pattern for VPC clusters
• Planning public external load balancing
  • Choosing a deployment pattern for classic clusters
  • Choosing a deployment pattern for VPC clusters

Testing access to apps with NodePorts

• Managing network traffic by using NodePorts
• Enabling access to an app by using a NodePort service

Exposing apps with load balancers

{: #sitemap-nlb}

VPC: Exposing apps with VPC load balancers

• About VPC load balancing in IBM Cloud Kubernetes Service
• Setting up a Load Balancer for VPC
• Limitations

Classic: About network load balancers (NLBs)

• Comparison of basic and DSR load balancing in version 1.0 and 2.0 NLBs
• Components and architecture of an NLB 1.0
  • Traffic flow in a single-zone cluster
  • Traffic flow in a multizone cluster
  • Traffic flow in a gateway-enabled cluster
• Components and architecture of an NLB 2.0 (beta)
  • Traffic flow in a single-zone cluster
  • Traffic flow in a multizone cluster
  • Traffic flow in a gateway-enabled cluster

Classic: Setting up basic load balancing with an NLB 1.0

• Setting up an NLB 1.0 in a multizone cluster
• Setting up an NLB 1.0 in a single-zone cluster
• Enabling source IP preservation
  • Adding edge node affinity rules and tolerations
  • Adding affinity rules for multiple public or private VLANs

Classic: Setting up DSR load balancing with an NLB 2.0 (beta)

• Prerequisites
• Setting up an NLB 2.0 in a multizone cluster
• Setting up an NLB 2.0 in a single-zone cluster
• Scheduling algorithms
  • Supported scheduling algorithms
  • Unsupported scheduling algorithms

Classic: Registering a DNS subdomain for an NLB

• Registering load balancer IPs with a DNS subdomain
• Understanding the subdomain format
• Enable health checks on a subdomain by creating a health monitor
  • Updating and removing IPs and monitors from subdomains

HTTPS load balancing with Ingress application load balancers (ALB)

{: #sitemap-ingress}

About Ingress and ALBs

• What comes with Ingress?
  • Ingress resource
  • Application load balancer (ALB)
  • Multizone load balancer (MZLB)
• How does a request get to my app with Ingress in a classic cluster?
  • Single-zone cluster
  • Multizone cluster
  • Gateway-enabled cluster
• How does a request get to my app with Ingress in a VPC cluster?

Setting up Ingress

• Sample YAMLs
• Prerequisites
• Planning networking for single or multiple namespaces
  • All apps are in one namespace
  • Apps are in multiple namespaces
  • Multiple domains within a namespace
• Exposing apps that are inside your cluster to the public
  • Step 1: Deploy apps and create app services
  • Step 2: Select an app domain
  • Step 3: Select TLS termination
  • Step 4: Create the Ingress resource
  • Step 5: Access your app from the internet
• Exposing apps that are outside your cluster to the public
• Exposing apps to a private network
  • Step 1: Deploy apps and create app services
  • Step 2: Enable the default private ALB
  • Step 3: Map your custom domain
  • Step 4: Select TLS termination
  • Step 5: Create the Ingress resource
  • Step 6: Access your app from your private network

Customizing Ingress routing with annotations

• General annotations
  • Custom error actions (custom-errors, custom-error-actions)
  • Location snippets (location-snippets)
  • Private ALB routing (ALB-ID)
  • Server snippets (server-snippets)
• Connection annotations
  • Custom connect-timeouts and read-timeouts (proxy-connect-timeout, proxy-read-timeout)
  • Keepalive requests (keepalive-requests)
  • Keepalive timeout (keepalive-timeout)
  • Proxy next upstream (proxy-next-upstream-config)
  • Session-affinity with cookies (sticky-cookie-services)
  • Upstream fail timeout (upstream-fail-timeout)
  • Upstream keep alive (upstream-keepalive)
  • Upstream max fails (upstream-max-fails)
• HTTPS and TLS/SSL authentication annotations
  • Custom HTTP and HTTPS ports (custom-port)
  • HTTP redirects to HTTPS (redirect-to-https)
  • HTTP Strict Transport Security (hsts)
  • Mutual authentication (mutual-auth)
  • SSL services support (ssl-services)
  • TCP ports (tcp-ports)
• Path routing annotations
  • External services (proxy-external-service)
  • Location modifier (location-modifier)
  • Rewrite paths (rewrite-path)
• Proxy buffer annotations
  • Large client header buffers (large-client-header-buffers)
  • Client response data buffering (proxy-buffering)
  • Proxy buffers (proxy-buffers)
  • Proxy buffer size (proxy-buffer-size)
  • Proxy busy buffers size (proxy-busy-buffers-size)
• Request and response annotations
  • Add server port to host header (add-host-port)
    • Additional client request or response header (proxy-add-headers, response-add-headers)
  • Client response header removal (response-remove-headers)
  • Client request body size (client-max-body-size)
• Service limit annotations
  • Global rate limits (global-rate-limit)
  • Service rate limits (service-rate-limit)
• User authentication annotations
  • App ID Authentication (appid-auth)

Modifying default Ingress behavior

• Opening ports in the Ingress ALB
• Preserving the source IP address
• Configuring SSL protocols and SSL ciphers at the HTTP level
• Increasing the restart readiness check time for ALB pods
• Sending your custom certificate to legacy clients
• Tuning ALB performance
  • Adding ALB socket listeners for each NGINX worker process
  • Enabling log buffering and flush timeout
  • Changing the number or duration of keepalive connections
  • Changing the pending connections backlog
  • Tuning kernel performance

Logging and monitoring Ingress

• Viewing Ingress logs
• Customizing Ingress log content and format
• Monitoring the Ingress ALB
  • ALB metrics
  • Server metrics
  • Upstream metrics
    • Type 1 upstream metrics
    • Type 2 upstream metrics
• Increasing the shared memory zone size for Ingress metrics collection

Bringing your own Ingress controller

• Expose your Ingress controller by creating an NLB and a hostname

Storing data on persistent storage

{: #sitemap-storage}

Planning highly available persistent storage

• Choosing a storage solution
• Comparison of non-persistent storage options
• Comparison of persistent storage options for single zone clusters
• Comparison of persistent storage options for multizone clusters

Understanding Kubernetes storage basics

• Persistent volumes and persistent volume claims
• Dynamic provisioning
• Static provisioning
• Storage classes
  • Customizing a storage class
  • Changing or updating to a different storage class

Storing data on classic {{site.data.keyword.filestorage_full_notm}}

• Deciding on the file storage configuration
• Adding file storage to apps
• Using existing file storage in your cluster
  • Step 1: Preparing your existing storage.
  • Step 2: Creating a persistent volume (PV) and a matching persistent volume claim (PVC)
• Using file storage in a stateful set
  • Dynamically provision the PVC when you create a stateful set
  • Pre-provisioning the PVC before creating the stateful set
• Changing the size and IOPS of your existing storage device
• Changing the default NFS version
• Backing up and restoring data
• Storage class reference
• Sample customized storage classes
  • Creating topology-aware storage
  • Specifying the zone for multizone clusters
  • Changing the default NFS version

Storing data on classic {{site.data.keyword.blockstoragefull}}

• Installing the {{site.data.keyword.blockstorageshort}} plug-in in your cluster
  • Updating the {{site.data.keyword.blockstorageshort}} plug-in
  • Removing the {{site.data.keyword.blockstorageshort}} plug-in
• Deciding on the block storage configuration
• Adding block storage to apps
• Using existing block storage in your cluster
  • Step 1: Retrieving the information of your existing block storage
  • Step 2: Creating a persistent volume (PV) and a matching persistent volume claim (PVC)
• Using block storage in a stateful set
  • Dynamically provision the PVC when you create a stateful set
  • Pre-provisioning the PVC before creating the stateful set
• Changing the size and IOPS of your existing storage device
• Backing up and restoring data
• Storage class reference
• Sample customized storage classes
  • Creating topology-aware storage
  • Specifying the zone and region
  • Mounting block storage with an XFS file system

Storing data on VPC Block Storage

• Installing the VPC Block Storage add-on
• Adding VPC Block Storage to your apps
• Using an existing VPC Block Storage instance
• Creating VPC Block Storage with a different file system
• Setting up encryption for your VPC Block Storage
• Customizing the default storage settings
  • Customizing a storage class
  • Storing your custom PVC settings in a Kubernetes secret
• Backing up and restoring data
• Storage class reference

Storing data on {{site.data.keyword.cos_full_notm}}

• Creating your object storage service instance
• Creating a secret for the object storage service credentials
• Installing the {{site.data.keyword.cos_full_notm}} plug-in
  • Updating the {{site.data.keyword.cos_full_notm}} plug-in
  • Removing the {{site.data.keyword.cos_full_notm}} plug-in
• Deciding on the object storage configuration
• Adding object storage to apps
• Using object storage in a stateful set
• Backing up and restoring data
• Storage class reference
  • Standard
  • Vault
  • Cold
  • Flex

Storing data on software-defined storage (SDS) with Portworx

• Creating raw, unformatted, and unmounted block storage for non-SDS worker nodes
• Getting a Portworx license
• Setting up a Databases for etcd service instance for Portworx metadata
• Setting up volume encryption with {{site.data.keyword.keymanagementservicelong_notm}}
  • Portworx per-volume encryption workflow
  • Portworx per-volume decryption workflow
  • Enabling per-volume encryption for your Portworx volumes
• Installing Portworx in your cluster
  • Updating Portworx in your cluster
  • Removing Portworx from your cluster
• Getting started with Portworx
  • Verifying your Portworx installation
  • Creating a Portworx volume
  • Mounting the PVC to your app
• Exploring other Portworx features
• Cleaning up your Portworx volumes and cluster
  • Removing Portworx volumes from apps
  • Removing a worker node from your Portworx cluster or the entire Portworx cluster
• Getting help and support

{{site.data.keyword.cloud_notm}} storage utilities

• Installing the {{site.data.keyword.cloud_notm}} Block Storage Attacher plug-in (beta)
  • Updating the {{site.data.keyword.cloud_notm}} Block Storage Attacher plug-in
  • Removing the {{site.data.keyword.cloud_notm}} Block Volume Attacher plug-in
• Automatically provisioning unformatted block storage and authorizing your worker nodes to access the storage
• Manually adding block storage to specific worker nodes
• Attaching raw block storage to non-SDS worker nodes

Removing persistent storage from a cluster

• Understanding your storage removal options
• Cleaning up persistent storage

Enhancing cluster capabilities with integrations

{: #sitemap-integrations}

{{site.data.keyword.containerlong_notm}} partners

• LogDNA
  • Benefits
  • Integration
  • Billing and support
• Sysdig
  • Benefits
  • Integration
  • Billing and support
• Portworx
  • Benefits
  • Integration
  • Billing and support

{{site.data.keyword.cloud_notm}} services and third-party integrations

• {{site.data.keyword.cloud_notm}} services
  • {{site.data.keyword.cloud_notm}} platform services
  • {{site.data.keyword.cloud_notm}} classic infrastructure services
  • {{site.data.keyword.cloud_notm}} VPC infrastructure services
• Kubernetes community and open source integrations
  • Integrations operated in partnership
  • Managed add-ons
  • Other third-party integrations

Adding services by using managed add-ons

• Adding managed add-ons
• Updating managed add-ons

Adding services by using Helm

• Setting up Helm in a cluster with public access
• Private clusters: Pushing the Tiller image to your private registry in {{site.data.keyword.registryshort_notm}}
• Private clusters: Installing Helm charts without using Tiller
• Related Helm links

Adding services by using {{site.data.keyword.cloud_notm}} service binding

• Adding {{site.data.keyword.cloud_notm}} services to clusters
• Accessing service credentials from your apps
  • Mounting the secret as a volume to your pod
  • Referencing the secret in environment variables
• Removing a service from a cluster

CLI plug-in reference

{: #sitemap-cli-plugin}

Command reference

• Using the beta command structure
• Comparison of Classic and VPC commands
• ibmcloud ks commands
• cluster commands
• worker commands
• worker pool commands
• zone commands
• alb commands
• Beta: key-protect-enable command
• logging commands
• nlb-dns commands
• webhook-create command
• api-key commands
• credential commands
• infra-permissions commands
• subnets command
• vlan commands
• vpcs command
• addon-versions command
• flavors command
• messages command
• supported-locations command
• versions command
• api command
• init command
• Deprecated: region commands
• script commands

CLI changelog

API reference

{: #sitemap-apis}

• IBM Cloud Kubernetes Service API
• IBM Cloud Kubernetes Service API JSON
• IBM Cloud Container Registry API
• IBM Cloud Vulnerability Advisor API
• Community Kubernetes API

Version history

{: #sitemap-versions}

Version information and update actions

• Kubernetes version types
• Update types
• Release history
• Version 1.15
  • Update before master
  • Update after master
  • Update after worker nodes
• Version 1.14
  • Update before master
  • Update after master
• Version 1.13
  • Update before master
  • Update after master
  • Update after worker nodes
• Deprecated: Version 1.12
  • Update before master
  • Update after master
• Archive
  • Version 1.11 (Unsupported)
  • Version 1.10 (Unsupported)
  • Version 1.9 (Unsupported)
  • Version 1.8 (Unsupported)
  • Version 1.7 (Unsupported)
  • Version 1.5 (Unsupported)

Version changelog

• Overview
• Version 1.15 changelog
• Version 1.14 changelog
• Version 1.13 changelog
• Version 1.12 changelog
• Archive
  • Version 1.11 changelog (unsupported as of 20 July 2019)
  • Version 1.10 changelog (unsupported as of 16 May 2019)
  • Version 1.9 changelog (unsupported as of 27 December 2018)
  • Version 1.8 changelog (Unsupported)
  • Version 1.7 changelog (Unsupported)

Fluentd and Ingress ALB changelog

• Ingress ALBs changelog
• Fluentd for logging changelog

Locations

{: #sitemap-locations}

Locations

• {{site.data.keyword.containerlong_notm}} locations
  • How locations are organized
  • Available locations
  • Single zone and multizone locations in {{site.data.keyword.containerlong_notm}}
  • Single-zone clusters
  • Multizone clusters
• Accessing the global endpoint
  • Logging in to {{site.data.keyword.cloud_notm}}
  • Logging in to {{site.data.keyword.containerlong_notm}}
• Deprecated: Previous {{site.data.keyword.cloud_notm}} region and zone structure

Hybrid cloud

{: #sitemap-hybrid}

Hybrid cloud

• Connecting your public and private cloud with the strongSwan VPN
• Connecting your public and private cloud with IBM Cloud Direct Link
• Running {{site.data.keyword.icpfull_notm}} images in public Kubernetes containers

Supported integrations

{: #sitemap-supported-integrations}

Supported integrations

• Popular integrations
• DevOps services
• Hybrid cloud services
• Logging and monitoring services
• Security services
• Storage services
• Database services

Activity Tracker events

{: #sitemap-at}

{{site.data.keyword.at_full_notm}} events

• Tracking cluster management events
• Viewing your cluster events

User access permissions

{: #sitemap-user-access}

User access permissions

• {{site.data.keyword.cloud_notm}} IAM platform roles
• {{site.data.keyword.cloud_notm}} IAM service roles
• Kubernetes resource permissions per RBAC role
• Cloud Foundry roles
• Classic infrastructure roles

FAQs

{: #sitemap-faqs}

FAQs

• What is Kubernetes?
• How does {{site.data.keyword.containerlong_notm}} work?
• Why should I use {{site.data.keyword.containerlong_notm}}?
• Can I get a free cluster?
• What container platforms are available for my cluster?
• Does the service come with a managed Kubernetes master and worker nodes?
• Are the Kubernetes master and worker nodes highly available?
• What options do I have to secure my cluster?
• What access policies do I give my cluster users?
• Where can I find a list of security bulletins that affect my cluster?
• Does the service offer support for bare metal and GPU?
• Which Kubernetes versions does the service support?
• Where is the service available?
• What standards does the service comply to?
• Can I use {{site.data.keyword.cloud_notm}} and other services with my cluster?
• Can I connect my cluster in {{site.data.keyword.cloud_notm}} Public with apps that run in my on-prem data center?
• Can I deploy {{site.data.keyword.containerlong_notm}} in my own data center?
• Where can I find more information about IBM Cloud Kubernetes Service pricing models?
• What am I charged for when I use {{site.data.keyword.containerlong_notm}}?
• Are my platform and infrastructure resources consolidated in one bill?
• Can I estimate my costs?
• Can I view my current usage?

Troubleshooting clusters

{: #sitemap-ts}

Debugging your cluster

• Running tests with the {{site.data.keyword.containerlong_notm}} Diagnostics and Debug Tool
• Debugging clusters
• Debugging worker nodes
• Common issues with worker nodes
• Reviewing master health
• Debugging app deployments
• Getting help and support

Troubleshooting clusters and worker nodes

• Unable to create a cluster due to permission errors
• Unable to create a cluster or manage worker nodes due to paid account error
• Firewall prevents running CLI commands
• Cannot access resources in my cluster
• Unable to view or work with a cluster
• Accessing your worker node with SSH fails
• Bare metal instance ID is inconsistent with worker records
• Unable to modify or delete infrastructure in an orphaned cluster
• kubectl commands do not work
• kubectl commands time out
• Binding a service to a cluster results in same name error
• Binding a service to a cluster results in service not found error
• Binding a service to a cluster results in service does not support service keys error
• After a worker node updates or reloads, duplicate nodes and pods appear
• Accessing a pod on a new worker node fails with a timeout
• Pods fail to deploy because of a pod security policy
• Cluster remains in a pending State
• Cluster create error cannot pull images from registry
• Failed to pull image from registry with ImagePullBackOff or authorization errors
• Pods remain in pending state
• Containers do not start
• Pods repeatedly fail to restart or are unexpectedly removed
• Cannot install a Helm chart with updated configuration values
• Cannot install Helm tiller or deploy containers from public images in my cluster
• Getting help and support

Troubleshooting cluster storage

• Debugging persistent storage failures
• File storage and block storage: PVC remains in a pending state
• File storage: App cannot access or write to PVC
  • File storage: File systems for worker nodes change to read-only
  • File storage: App fails when a non-root user owns the NFS file storage mount path
  • File storage: Adding non-root user access to persistent storage fails
• Block storage: App cannot access or write to PVC
  • Block storage: Block storage changes to read-only
  • Block storage: Mounting existing block storage to a pod fails due to the wrong file system
• Object storage: Installing the {{site.data.keyword.cos_full_notm}} ibmc Helm plug-in fails
• Object storage: PVC remains in a pending state
  • Object storage: PVC or pod creation fails due to not finding the Kubernetes secret
  • Object storage: PVC creation fails due to wrong credentials or access denied
  • Object storage: PVC creation fails due to wrong s3fs or IAM API endpoint
  • Object storage: Cannot access an existing bucket
• Object storage: Changing the ownership of the mount path fails
• Object storage: Accessing files with a non-root user fails
• PVC creation fails because of missing permissions
• Getting help and support

Troubleshooting logging and monitoring

• Kubernetes dashboard does not display utilization graphs
• Log lines are too long
• Getting help and support

Debugging Ingress

• Step 1: Run Ingress tests in the {{site.data.keyword.containerlong_notm}} Diagnostics and Debug Tool
• Step 2: Check for error messages in your Ingress deployment and the ALB pod logs
• Step 3: Ping the ALB subdomain and public IP addresses
• Step 4: Check your domain mappings and Ingress resource configuration
• Removing an ALB from DNS for debugging
• Getting help and support

Troubleshooting cluster networking

• Cannot connect to an app via a network load balancer (NLB) service
• Cannot connect to an app via Ingress
• Ingress application load balancer (ALB) secret issues
• Cannot get a subdomain for Ingress ALB, ALB does not deploy in a zone, or cannot deploy a load balancer
• Connection via WebSocket closes after 60 seconds
• Source IP preservation fails when using tainted nodes
• Cannot establish VPN connectivity with the strongSwan Helm chart
• Cannot install a new strongSwan Helm chart release
• strongSwan VPN connectivity fails after you add or delete worker nodes
• Cannot retrieve Calico network policies
• Cannot add worker nodes due to an invalid VLAN ID
• Getting help and support

Troubleshooting VPC clusters

• Cannot connect to an app via load balancer
• Kubernetes LoadBalancer service fails because no IPs are available
• Cannot connect to an app via Ingress

Release notes

• October 2019
• September 2019
• August 2019
• July 2019
• June 2019
• May 2019