How does a container-based platform work?
IBM Cloud Kubernetes Services provides a fully managed container service for Docker (OCI) containers, allowing customers to deploy containerized apps onto a pool of compute hosts, and subsequently manage those containers. Containers are automatically scheduled and placed onto available compute hosts based on the requirements that you define and availability in the cluster. The integrated Kubernetes infrastructure helps you manage containers with an isolated and secure app platform that is portable, extensible and self-healing in case of failovers.
How is the Kubernetes-based container service managed?
Every cluster is provisioned with a Kubernetes master that IBM operates and manages, and worker nodes that are deployed into the customer-owned infrastructure. Your worker nodes are single-tenant and dedicated to you as the customer. You are responsible to manage your worker nodes by using IBM-provided tools for operating system patch deployment, container runtime updates and new Kubernetes versions.
How can I run Docker containers on my own infrastructure?
With IBM Cloud Kubernetes Service, you can deploy Docker containers into pods that run on your worker nodes. The worker nodes come with a set of add-on pods that help you manage your containers, and you can also install more add-ons such as through Helm, a Kubernetes Package Manager. These add-ons can extend your apps with dashboards, logging, monitoring, storage and networking resources, as well as IBM Cloud and IBM Watson® services.
How does autoscaling work for my Docker containers in Kubernetes?
In the IBM Cloud Kubernetes Service, you can enable horizontal pod autoscaling to automatically increase or decrease your app pods in response to your workload needs.
How is container hosting managed when using service provider instances?
As an enterprise customer, you want control and access to compute infrastructure running your containerized workloads so that you can ensure that your app has the resources it needs. However, you also want a stable environment for your apps and lower maintenance overhead. The IBM Cloud Kubernetes Service manages your master, freeing you from having to manage the host OS, container runtime and Kubernetes version update process. Because the apps are deployed to worker nodes, the compute instances in your infrastructure account, you can access and control your workload resources.
Can I integrate block storage with my apps?
You can provision block storage for your cluster and use the storage by your app as a persistent data store. IBM Cloud Kubernetes Service provides pre-defined Kubernetes storage classes that you can use to choose the block storage capacity and performance characteristics that meet your app requirements.
How does networking work in a cluster?
The IBM Cloud Kubernetes Service fully integrates with the IBM Cloud platform’s IP addressing, network routing, ACL, load balancing and firewall capabilities. When you deploy standard clusters, you can specify the virtual network for your worker nodes that provide network segmentation and isolation for your teams and projects. Every cluster is set up with pre-defined network policies that control the worker nodes public network interface. You can choose to customize network policies, add an extra layer of security with firewalls, or connect your worker nodes in the cloud with instances in your on-premises data center by using secure VPN tunnels.
How are security controls integrated?
Every cluster is set up as a single-tenant cluster that is dedicated to you only. To secure the communication between the Kubernetes API server and your worker nodes, the IBM Cloud Kubernetes Service uses an OpenVPN tunnel and TLS certificates, and monitors the master network to detect and remediate malicious attacks. You can control user access to cluster resources with IBM Identity and Access Manager, Kubernetes role-based access control (RBAC), and Kubernetes admission controllers.
All clusters are set up with default network policies to secure public interfaces that you can customize to the needs of your apps. To minimize the risk for potential attacks, you can set up edge nodes and expose these nodes to the public network only, leaving all other nodes and your app workloads on the private network. Data that is stored on persistent file or block storage is encrypted at rest on LUKS-protected disks. Sensitive data, such as credentials, that is stored in Kubernetes secrets is automatically encrypted by the IBM Cloud Kubernetes Service.
How do I store Docker images in the cloud?
The customer can obtain a private Docker image registry as a service within the platform. Each tenant within the IBM Cloud Container Registry has a private hosted registry, built using open source Docker v2 registry, allowing secure storage of Docker images in the cloud. Integrated Vulnerability Advisor not only scans images with IBM X-Force® Exchange insights, but also its ISO27k policy scans live containers and packages.
You can set up your own namespace in the IBM Cloud Container Registry to build, safely store and share your Docker images in a multi-tenant private image registry. The integrated Vulnerability Advisor not only scans your images against potential vulnerabilities using IBM X-Force Exchange insights, but also continually scans deployed containers and packages against ISO27k standards. You can also enforce image security by signing images as trusted content and specifying that deployments can use only trusted images that pass vulnerability scanning.
Can I set up my own Kubernetes scheduler to place containers in a cluster?
With IBM Cloud Kubernetes Service, you are in control of your cluster and can implement your own custom Kubernetes scheduling and affinity logic for your Kubernetes deployments.
Get started in minutes
Manage highly available apps inside Docker containers and IBM Cloud Kubernetes Service clusters on the IBM Cloud.