What are the Kubernetes components in IBM z/OS Container Platform?
Kubernetes components in IBM® z/OS® Container Platform (zOSCP) provide orchestration for the deployment, scaling, and management of applications running in containers on z/OS.
To find out more about what Kubernetes offers, see Kubernetes overview in the Kubernetes documentation. For help with container terminology, see Terms to understand about containers.
The Kubernetes components of zOSCP are one of three groups of components, as illustrated in Components of IBM z/OS Container Platform.
For more information about the container runtime components, see What are the container runtime components in IBM z/OS Container Platform?.
For more information about the image management tools, see What are the image management tools?.
IBM z/OS Control Plane Appliance
The zCPA runs in a z/OS address space and enables one or more z/OS systems to participate as control plane nodes in a Kubernetes cluster. The zCPA contains preinstalled Kubernetes components that are required for operating as a control plane node and the Container Network Interface (CNI) plug-in for control plane networking.
zCPA instances are provisioned through the z/OS Management Facility (z/OSMF). z/OSMF workflows guide z/OS system administrators and automate the processes that are required to manage the lifecycle of the zCPA instance.
To interact with zCPA, two command-line interfaces are part of zOSCP: IBM z/OS Appliance Manager for Kubernetes (kam) and Kubeadm for IBM z/OS (kubeadmz).
Kubernetes control plane
A control plane manages the worker nodes and the resources in the Kubernetes cluster. For more information about the components of a Kubernetes control plane, see Kubernetes components in the Kubernetes documentation.
In zOSCP, IBM z/OS Control Plane Appliance (zCPA) provides a control plane node. This allows the entire Kubernetes cluster environment for zOSCP to run exclusively on z/OS systems.
Admission controllers
The admission controllers help to ensure the following:
- Containerized applications deployed to z/OS adhere to a set of security rules.
- Pod templates for applications contain the information to ensure that they work correctly on z/OS.
The admission controllers validate that Kubernetes resources meet specific security criteria and that containers run under the appropriate user IDs on z/OS.
zOSCP provides two validating admission controllers. For details about the z/OS admission controllers, when they are called, and the checks that they make, see Using admission controllers for security.
The zOSCP admission controllers are enabled and started as part of the control plane initialization. There is a unique Kubernetes namespace created for each admission controller.
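The following added example, which is not zOSCP code and does not reproduce the checks that the zOSCP admission controllers make, shows how a validating admission controller can enforce a user ID rule on a Pod by answering a Kubernetes `admission.k8s.io/v1` AdmissionReview request. The allowed user IDs, the helper names, and the sample request are assumptions constructed for illustration.

```python
# Policy below is an assumption for illustration, not the zOSCP rule set.
ALLOWED_UIDS = {1001, 1002}  # constructed sample UIDs


def effective_uid(pod_spec, container):
    """Container-level runAsUser overrides the pod-level setting."""
    c_sc = container.get("securityContext") or {}
    if "runAsUser" in c_sc:
        return c_sc["runAsUser"]
    return (pod_spec.get("securityContext") or {}).get("runAsUser")


def review(admission_review):
    """Build the AdmissionReview response for a Pod admission request."""
    req = admission_review["request"]
    spec = req["object"]["spec"]
    problems = []
    # Init containers run code too, so they are checked like app containers.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        uid = effective_uid(spec, c)
        if uid is None:
            problems.append(f"{c['name']}: runAsUser is not set")
        elif uid not in ALLOWED_UIDS:
            problems.append(f"{c['name']}: runAsUser {uid} is not permitted")
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_request(pod_uid=None, container_uid=None):
    """Constructed AdmissionReview request for a one-container Pod."""
    container = {"name": "app", "image": "registry.example/app:1"}
    if container_uid is not None:
        container["securityContext"] = {"runAsUser": container_uid}
    spec = {"containers": [container]}
    if pod_uid is not None:
        spec["securityContext"] = {"runAsUser": pod_uid}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-request-uid", "operation": "CREATE",
                        "object": {"kind": "Pod", "spec": spec}}}


if __name__ == "__main__":
    for args in [(1001, None), (1001, 0), (None, None)]:
        print(args, review(sample_request(*args))["response"])
```

The second sample case is the one a pod-level-only check would miss: the Pod declares an allowed user ID, but the container overrides it.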
IBM z/OS Appliance Manager for Kubernetes (kam)
You can use kam to do the following:
- Obtain a dump of all diagnostic logs for a zCPA.
- Retrieve audit logs from a zCPA.
- Allow the zCPA audit logs to be preserved over a zCPA upgrade.
- Display the version of kam and optionally the version of a zCPA.
For information on the supported commands, see kam commands.
Kubeadm for IBM z/OS (kubeadmz)
kubeadm is a Kubernetes command-line interface for setting up clusters on non-z/OS platforms only.
kubeadmz is used for the following tasks:
- Initializing a control plane node in a zCPA and creating a Kubernetes cluster.
- Initializing a control plane node in a zCPA and joining a Kubernetes cluster.
- Resetting a control plane node in a zCPA and leaving a Kubernetes cluster.
- Getting the status of a control plane node in a zCPA.
- Joining a z/OS worker node to the Kubernetes cluster.
- Resetting a z/OS worker node and leaving a Kubernetes cluster.
- Upgrading a control plane node in a zCPA.
For information on the supported commands, see kubeadmz commands.
Kubelet for IBM z/OS (kubelet)
The Kubelet for IBM z/OS (kubelet) is an agent that runs on a worker node to manage the node and to communicate with the Kubernetes control plane and with cri-o for IBM z/OS (cri-o). A kubelet is responsible for scheduling and ensuring that applications are healthy and running in its worker node. In zOSCP, the kubelet and Kubectl for IBM z/OS (kubectl) can manage z/OS systems as part of the cluster.
Kubectl for IBM z/OS (kubectl)
kubectl is the standard command-line interface for working with Kubernetes, for example to create deployments or check the state. Use kubectl to work with the Kubernetes cluster on z/OS. You can use kubectl on other platforms to connect to the cluster on z/OS.
cri-o for IBM z/OS (cri-o)
cri-o for IBM z/OS is an implementation of the cri-o container runtime interface that is used by Kubernetes. It calls IBM z/OS for runC (runC), which is another one of the container runtime components that are used in zOSCP. For information about runC, see What are the container runtime components in IBM z/OS Container Platform?.
crictl for IBM z/OS (crictl)
crictl for IBM z/OS (crictl) is the command-line interface for CRI-compatible container runtimes in zOSCP. You can use it to inspect and debug the z/OS container runtime and applications on a z/OS worker node.
How Kubernetes components work
A user can deploy a container by using the Kubernetes API through the command-line interface (kubectl). Kubernetes schedules the pods to one or more z/OS worker nodes by using REST APIs. The kubelet on the worker node calls cri-o using gRPC. cri-o calls the container runtime components, passing the relevant information from Kubernetes on what container image needs to be run.