The IBM Cloud Kubernetes Service is turning two!
The Kubernetes Service at IBM is celebrating another milestone. It has been a fast-paced evolution over the past 24 months since releasing IBM Cloud Kubernetes Service as a generally available offering on May 17, 2017.
Simplifying a complex stack
Our mission for a managed Kubernetes Service was to simplify the user experience, from day-one cluster deployments to on-going maintenance, thereby allowing our users to focus on developing innovation and delivering business objectives. Containers and Kubernetes are about workload portability, and IBM is proud to participate in the CNCF Conformance Program, ensuring your building blocks (e.g., images, yaml files, CLI & API commands) work consistently in IBM Cloud Kubernetes Service.
What happens with new updates?
IBM will maintain the Kubernetes Service cluster lifecycle, including operating system patches, vulnerability remediation, and updates for any component in the stack. We'll notify you when updates are available and you can decide when is a good time to perform the upgrade. IBM has consistently been the first managed public Kubernetes Service to support the latest community Kubernetes versions. For example, we announced 1.14.1 support on May 6, 2019.
We do not expect our users to be experts in Kubernetes, so when a new version is available, the user clicks a button to upgrade and sits back. The IBM Cloud Kubernetes Service will automatically drain any deployments from a given worker node, update, and bring the node back online before continuing to upgrade the remaining cluster's nodes.
Built-in operational characteristics
IBM Cloud Kubernetes Service supports all six IBM Cloud multizone regions and 35+ single zone regions. Every cluster is deployed with highly available (HA) master nodes, ensuring your Kubernetes api-server is always accessible. GDPR and other regulations require data residency, and deploying a Kubernetes Service cluster in any region or data center ensures the masters and workers for that cluster all remain in that geographic boundary. The Kubernetes Service also supports multizone cluster, which distributes masters and workers to three different data centers in that region.
Multizone clusters also provide an integrated multizone load balancer, powered by our Cloud Internet Services to provide healthcheck and DNS. This architecture dramatically improves your infrastructure and application availability without putting additional responsibility on the user. We also support the ability to bring your own application load balancer to the Kubernetes Service. Instead of monitoring and tending to cluster capacity, users can define worker node auto-scaling policies for infrastructure and horizontal pod auto-scaling for apps to ensure they have the capacity to handle fluctuations in required resources.
Service Level Agreements
IBM Cloud Kubernetes Service is a Tier 1 offering in IBM Cloud and aligns with the financially backed SLA terms for the platform. We support a large variety of production workloads, from stateless web applications to very resource intensive apps such as IBM Cloud Databases (ICD). In addition to ICD, the Kubernetes Service is running production IBM workloads from Watson, The Weather Company (TWC), IBM Event Streams, Cloud Foundry Enterprise Environment (CFEE), Identity and Access Manager (IAM), and IBM Blockchain, among many others.
External workloads have stringent availability requirements as well. A transportation customer requires 5x9s of uptime for their application, which equates to ~five minutes of downtime per year! They are able to achieve this by running the workload in multiple IBM Cloud regions to ensure app availability to their users. We have many other examples, including Evolufarma and Think Research in the healthcare industry and Eurobits in FSS.
Security and compute isolation
Security is a critical requirement in every user's journey to cloud. Security begins with cluster isolation. Every Kubernetes cluster is single-tenant and dedicated by default, but we provide three isolation options for worker node compute—shared or dedicated virtual machines and bare metal. The shared model is a standard cloud IaaS, providing a single-tenant virtual machine on multi-tenant hypervisor and hardware, still without any over commitment of those physical resources. The dedicated compute model is a single-tenant offering including VM, hypervisor, and hardware, providing additional isolation to your workloads. Bare metal worker nodes are available to provide greater isolation and performance for your containerized workloads, including GPU support.
Another aspect of security is handled by IBM Cloud Container Registry (ICCR) and Vulnerability Advisor (VA). VA is integrated seamlessly into the Kubernetes service and IBM Cloud DevOps provides image vulnerability scanning with deployment enforcement, allowing you to define what can be deployed in your Kubernetes clusters. The Container Registry provides image signing using Docker Notary and encryption at-rest and in-flight.
Improve your security posture by controlling which users have what level of access to various resources. Using Identity and Access Manager, users can set a variety of roles at the service, region, specific Kubernetes cluster, or even down to the Kubernetes namespace. You can leverage Resource Groups to streamline user access. Administrators can audit API calls to monitor the requests coming into your cluster.
Users can bring their own keys and manage the lifecycle by integrations with IBM Key Protect. Key Protect manages the entire lifecycle of keys, from key creation through application use, key archival, and key destruction, while also enforcing separation of duties between data management and key management.
Lastly, IBM Cloud Kubernetes Services supports a completely air gapped cluster via private endpoints. Users can determine if their masters and/or workers have outbound network connectivity or not. This not only improves security but also ensures no billed or metered bandwidth charges on IBM’s internal network.
Containers are ephemeral and will be replaced with new versions or crash, so it is imperative to manage the lifecycle of data outside of your containers. One option is to leverage a fully managed database service and choose one of the IBM Cloud Databases. Another is to manage the data directly using persistent volume claims for file, block, or object storage.
There are a variety of on-prem-to-IBM-Cloud connectivity solutions available based on your requirements. Within IBM Cloud Kubernetes Service, there is a free, integrated VPN solution based on strongSwan. After deploying using a Helm chart, configure an IPSec tunnel from resources running in the Kubernetes Service to any of your other managed networks
Istio and Knative
IBM, Google, and Lyft announced a new joint project for Istio Service Mesh on May 24, 2017, as a way for developers to seamlessly connect, manage and secure networks of different microservices—regardless of platform, source or vendor. The Istio community continues to grow and mature, leading to IBM announcing a Managed Istio offering within IBM Cloud Kubernetes Service in February 2019.
IBM, Google, and the community announced Knative on July 24, 2018, to provide the building blocks for serverless platforms to run on top of Kubernetes. There is also a lot of excitement in this growing ecosystem. IBM announced a Managed Knative offering within IBM Cloud Kubernetes Service in February 2019.
We're really excited about the partner ecosystem and giving users choice and flexibility to run their desired tools in IBM Cloud Kubernetes Service. You can learn more about partnering with IBM too! Here are a few of the partners we have worked with:
- Portworx - Getting started, HA Postgres, Couchbase Autonomous Operator
- New Relic
- Aqua Security
I'm so excited to be part of a development organization that continues to deliver industry-leading capabilities and innovation to the Kubernetes Service. We have a lot of new capabilities coming, so stay tuned to learn where we are taking the service. We would love your input as well. Engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.
Learn more about Kubernetes and containers
Full IBM Cloud YouTube lightboarding video playlist here