IBM Cloud Kubernetes Service CLI reference
Refer to these commands to create and manage both community Kubernetes or Red Hat OpenShift clusters in IBM Cloud® Kubernetes Service.
- Kubernetes: Install the Kubernetes CLI plug-in.
- OpenShift: Install the Red Hat OpenShift CLI plug-in.
In the command line, you are notified when updates to the ibmcloud
CLI and plug-ins are available. Be sure to keep your CLI up-to-date so that you can use all available commands and options.
Looking for ibmcloud cr
commands? See the IBM Cloud Container Registry CLI reference. Looking for kubectl
commands? See the Kubernetes documentation.
IBM Cloud Kubernetes Service commands
The following tables list the ibmcloud ks
command groups. For a complete list of all ibmcloud ks
commands as they are structured in the CLI, see the IBM Cloud Kubernetes Service CLI map.
Command group | Description |
---|---|
Cluster commands | Create, view, and modify clusters and cluster settings, such as add-on, subnet, and master settings. |
Worker commands | View and modify worker nodes for a cluster. |
Worker-pool commands | View and modify worker pools for a cluster. |
Zone commands | List availability zones and modify the zones attached to a worker pool. |
Ingress commands | View and modify Ingress services and settings. |
Logging commands | Forward logs from your cluster. |
NLB-DNS commands | Create and manage host names for network load balancer (NLB) IP addresses in a cluster and health check monitors for host names. |
Webhook-create commands | Register a webhook in a cluster. |
API-key commands | View information about the API key for a cluster or reset it to a new key. |
Credential commands | Set and unset credentials that allow you to access the IBM Cloud classic infrastructure portfolio through your IBM Cloud account. |
Infra-permissions commands | Check classic IBM Cloud infrastructure permissions that are used in IBM Cloud Kubernetes Service. |
KMS commands | Enable a key management service (KMS) provider in your cluster to encrypt the etcd component and Kubernetes secrets with a root key that you control. |
Quota commands | View the quota and limits for cluster-related resources in your IBM Cloud account. |
Subnets commands | List available subnets in your IBM Cloud infrastructure account. |
VLAN commands | List public and private VLANs for a zone and view the VLAN spanning status. |
VPCS commands | List all VPCs in the targeted resource group. If no resource group is targeted, then all VPCs in the account are listed. |
Flavor commands | Get the information of a flavor or list available flavors for a zone. |
Locations commands | List the locations that are supported by IBM Cloud Kubernetes Service. |
Messages commands | View the current user messages. |
Versions commands | List the container platform versions that are available for IBM Cloud Kubernetes Service clusters. |
Deprecated API commands | View or target the API endpoint and API version for the service. |
Deprecated init commands |
Initialize the IBM Cloud Kubernetes Service plug-in or specify the region where you want to create or access Kubernetes clusters. |
Script commands | Rewrite scripts that call IBM Cloud Kubernetes Service plug-in commands. |
Beta Storage commands | View and modify storage resources. |
cluster
commands
Create, view, and modify clusters and cluster settings, such as add-on, subnet, and master settings.
ibmcloud ks cluster addon disable
Disable a managed add-on in an existing cluster. This command must be combined with one of the following subcommands for the managed add-on that you want to disable.
ibmcloud ks cluster addon disable alb-oauth-proxy
Virtual Private Cloud Classic infrastructure
Disable the add-on for the ALB OAuth Proxy in a cluster.
ibmcloud ks cluster addon disable alb-oauth-proxy --cluster CLUSTER
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
Example addon disable alb-oauth-proxy
command
ibmcloud ks cluster addon disable alb-oauth-proxy --cluster my_cluster
ibmcloud ks cluster addon disable debug-tool
Virtual Private Cloud Classic infrastructure
Disable the add-on for the IBM Cloud Kubernetes Service Diagnostics and Debug Tool.
ibmcloud ks cluster addon disable debug-tool --cluster CLUSTER [-f]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
ibmcloud ks cluster addon disable istio
Classic infrastructure
Disable the managed Istio add-on. Removes all Istio core components from the cluster, including Prometheus.
ibmcloud ks cluster addon disable istio --cluster CLUSTER [-f]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: This Istio add-on is a dependency for the
istio-extras
andistio-sample-bookinfo
managed add-ons. Include this option to also disable those add-ons.
ibmcloud ks cluster addon disable istio-extras
Classic infrastructure
Disable the managed Istio extras add-on, which is unsupported. Removes Grafana, Jeager, and Kiali from the cluster.
ibmcloud ks cluster addon disable istio-extras --cluster CLUSTER [-f]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: This Istio add-on is a dependency for the
istio-sample-bookinfo
managed add-on. Include this option to also disable that add-on.
ibmcloud ks cluster addon disable istio-sample-bookinfo
Classic infrastructure
Disable the managed Istio BookInfo add-on, which is unsupported. Removes all deployments, pods, and other BookInfo app resources from the cluster.
ibmcloud ks cluster addon disable istio-sample-bookinfo --cluster CLUSTER
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
ibmcloud ks cluster addon disable kube-terminal
Virtual Private Cloud Classic infrastructure
Disable the Kubernetes web terminal add-on. To use the Kubernetes web terminal in the IBM Cloud Kubernetes Service cluster console, you must re-enable the add-on first.
ibmcloud ks cluster addon disable kube-terminal --cluster CLUSTER [-f]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
ibmcloud ks cluster addon disable static-route
Virtual Private Cloud Classic infrastructure
Disable the static route add-on.
ibmcloud ks cluster addon disable static-route --cluster CLUSTER
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
ibmcloud ks cluster addon disable vpc-block-csi-driver
Classic infrastructure
Disable the IBM Cloud VPC Block Storage CSI Driver add-on.
ibmcloud ks cluster addon disable vpc-block-csi-driver --cluster CLUSTER [-f]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
ibmcloud ks cluster addon enable
Enable a managed add-on in an existing cluster. This command must be combined with one of the following subcommands for the managed add-on that you want to enable.
ibmcloud ks cluster addon enable alb-oauth-proxy
Virtual Private Cloud Classic infrastructure
Enable the add-on for the ALB OAuth Proxy in a cluster. When your ALBs run the Kubernetes Ingress image, you can use the ALB OAuth proxy to enforce authentication for your apps by configuring Ingress with IBM Cloud App ID.
ibmcloud ks cluster addon enable alb-oauth-proxy --cluster CLUSTER [--version VERSION]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--version VERSION
- Optional: Specify the version of the add-on to install. If no version is specified, the default version is installed.
Example addon enable alb-oauth-proxy
command
ibmcloud ks cluster addon enable alb-oauth-proxy --cluster my_cluster
ibmcloud ks cluster addon enable debug-tool
Virtual Private Cloud Classic infrastructure
Enable the add-on for the IBM Cloud Kubernetes Service Diagnostics and Debug Tool in a cluster.
ibmcloud ks cluster addon enable debug-tool --cluster CLUSTER [--version VERSION]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--version VERSION
- Optional: Specify the version of the add-on to install. If no version is specified, the default version is installed.
Example addon enable debug-tool
command
ibmcloud ks cluster addon enable debug-tool --cluster my_cluster
ibmcloud ks cluster addon enable istio
Classic infrastructure
Enable the managed Istio add-on. Installs the core components of Istio, including Prometheus.
ibmcloud ks cluster addon enable istio --cluster CLUSTER [--version VERSION]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--version VERSION
- Optional: Specify the version of the add-on to install. If no version is specified, the default version is installed. Note that Istio version 1.3 is supported only in Kubernetes version 1.15 and earlier clusters, and Istio versions 1.4 and later are supported only in Kubernetes version 1.16 and later clusters.
ibmcloud ks cluster addon enable static-route
Virtual Private Cloud Classic infrastructure
Enable the static route add-on.
ibmcloud ks cluster addon enable static-route --cluster CLUSTER [--version VERSION]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--cluster CLUSTER
- Required: The name or ID of the cluster.
--version VERSION
- Optional: Specify the version of the add-on to install. If no version is specified, the default version is installed.
ibmcloud ks cluster addon enable vpc-block-csi-driver
Virtual Private Cloud
Enable the IBM Cloud VPC Block Storage CSI Driver add-on.
ibmcloud ks cluster addon enable vpc-block-csi-driver --cluster CLUSTER [--version VERSION]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--cluster CLUSTER
- Required: The name or ID of the cluster.
--version VERSION
- Optional: Specify the version of the add-on to install. If no version is specified, the default version is installed.
ibmcloud ks cluster addon get
Virtual Private Cloud Classic infrastructure
View the details of an installed add-on.
ibmcloud ks cluster addon get --addon ADDON --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--addon ADDON
- Required: The name of the
addon
. To list installed add-ons, runibmcloud ks cluster addon ls
. -c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks cluster addon ls
Virtual Private Cloud Classic infrastructure
List any managed add-ons that are enabled in a cluster.
ibmcloud ks cluster addon ls --cluster CLUSTER
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
ibmcloud ks cluster addon options
Virtual Private Cloud Classic infrastructure
Before you enable an add-on, view its installation options.
ibmcloud ks cluster addon options --addon ADDON [--output OUTPUT] [-q] [--version VERSION]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--addon ADDON
- Required: The name of the
addon
. To list available add-ons, runibmcloud ks cluster addon versions
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
--version VERSION
- Optional: Specify an add-on version to display options for. If no version is specified, the default version's options are displayed. To list available add-on versions, run
ibmcloud ks cluster addon versions
.
ibmcloud ks cluster addon update
Virtual Private Cloud Classic infrastructure
Update an installed add-on.
ibmcloud ks cluster addon update ADD-ON_NAME --cluster CLUSTER [-f] [-q] [--version VERSION] [-y]
- Minimum required permissions
- None
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
--version VERSION
- Optional: Specify the version to update the add-on to. If no version is specified, the add-on is updated to the default version. To list available add-on versions, run
ibmcloud ks cluster addon versions
.
ibmcloud ks cluster addon versions
Virtual Private Cloud Classic infrastructure
View a list of supported versions for managed add-ons in IBM Cloud Kubernetes Service.
ibmcloud ks cluster addon versions [--addon ADD-ON_NAME] [--output json] [-q]
- Minimum required permissions
- None
Command options:
--addon ADD-ON_NAME
- Optional: Specify an add-on name such as
istio
to filter versions for. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example addon versions
command
ibmcloud ks cluster addon versions --addon istio
ibmcloud ks cluster ca create
Virtual Private Cloud Classic infrastructure
Create a new certificate authority (CA) for your cluster. After the CA is created and new CA certificates are issued for components in your cluster, the API server of the cluster is automatically refreshed.
After you run this command and before you run the ibmcloud ks cluster ca rotate
command, follow the steps in Rotating CA certificates in your cluster to ensure that any
tooling that uses certificates that are signed by the old CA is updated to use the new certificates and to update your worker nodes.
ibmcloud ks cluster ca create --cluster CLUSTER [-f] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster ca create
command
ibmcloud ks cluster ca create --cluster my_cluster
ibmcloud ks cluster ca get
Virtual Private Cloud Classic infrastructure
View the details of a cluster's CA certificate.
ibmcloud ks cluster ca get --cluster CLUSTER [ --output OUTPUT] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster ca get
command
ibmcloud ks cluster ca get --cluster my_cluster
ibmcloud ks cluster ca rotate
Virtual Private Cloud Classic infrastructure
Rotate the certificate authority (CA) certificates of a cluster. Rotating invalidates certificates signed by the cluster's previous CA and issues certificates signed by the cluster's new CA to worker nodes.
Before you run this command, follow the steps in Rotating CA certificates in your cluster to ensure that any tooling that uses the old CA certificates is updated to use the new certificates and to update your worker nodes.
ibmcloud ks cluster ca rotate --cluster CLUSTER [-f] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster ca rotate
command
ibmcloud ks cluster ca rotate --cluster my_cluster
ibmcloud ks cluster ca status
Virtual Private Cloud Classic infrastructure
After you run ibmcloud ks cluster ca rotate
, view the rotation status of certificate authority (CA) certificates for a cluster.
ibmcloud ks cluster ca status --cluster CLUSTER [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster ca status
command
ibmcloud ks cluster ca status --cluster my_cluster
ibmcloud ks cluster config
Virtual Private Cloud Classic infrastructure
After logging in to IBM Cloud, download the Kubernetes configuration data and certificates as a kubeconfig
file to your local machine so that you can connect to your cluster and run kubectl
commands.
The kubeconfig
file is merged to your existing kubeconfig
file in ~/.kube/config
(<user_profile>/.kube/config
in Windows), or to the last file that is set by the KUBECONFIG
environment variable in your command line session. After you run ibmcloud ks cluster config
, you can interact with your cluster immediately, and quickly change the context to other clusters in the Kubernetes context.
ibmcloud ks cluster config --cluster CLUSTER [--admin] [--endpoint ENDPOINT_TYPE] [--network] [--skip-rbac] [-q] [-o]
- Minimum required permissions
- Viewer or Reader IBM Cloud IAM service access role for the cluster in IBM Cloud Kubernetes Service. Further, if you have only a platform access role or only a service access role, additional constraints apply.
- Platform: If you have only a platform access role, you can perform this command, but you need a service access role to perform Kubernetes actions in the cluster.
- Service: If you have the
service
access role, you can perform this command. However, your cluster admin must gather the cluster details for you by either running theibmcloud ks cluster ls
command or using the IBM Cloud Kubernetes Service console. After you receive the cluster name and ID, you can launch the Kubernetes dashboard from the CLI and work with Kubernetes.
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--admin
- Optional: The Administrator Platform role is required to use this option. Download the TLS certificates and permission files for the Super User role. The files are downloaded to
<user_home_directory>/.bluemix/plugins/kubernetes-service/clusters/<cluster_name>-admin
. The certificates can be revoked or rotated. Fore more information, see Rotating CA certificates in your cluster. --endpoint ENDPOINT_TYPE
- Optional: Specify the type of endpoint to use to connect to the cluster. If you don't specify this option, the default service endpoint for your cluster is used.
-
private
: If the private cloud service endpoint is enabled for your cluster, set toprivate
to use the private cloud service endpoint for your cluster context. Note you must be in your IBM Cloud private network or connected to the private network through a VPC VPN connection, or for classic infrastructure, a classic VPN connection or IBM Cloud Direct Link. -
vpe
: If it is a VPC cluster, set tovpe
to use the Virtual Private Endpoint gateway for your cluster context. Note you must be connected to the same VPC where the cluster is deployed through VPC VPN connection.
-
--network
- Optional: Download the Calico configuration file, TLS certificates, and permission files that are required to run
calicoctl
commands in your cluster. --skip-rbac
- Skip adding user Kubernetes RBAC roles based on the IBM Cloud IAM service access roles to the cluster configuration. Include this option only if you manage your own Kubernetes RBAC roles. If you use IBM Cloud IAM service access roles to manage all your RBAC users, don't include this option.
-q
- Optional: Do not show the message of the day or update reminders.
-o
- Optional: Prints the command output in YAML, JSON, or
.zip
format.
Example cluster config
command
ibmcloud ks cluster config --cluster my_cluster
ibmcloud ks cluster create classic
Classic infrastructure
Create a cluster with worker nodes on classic infrastructure.
ibmcloud ks cluster create classic [--hardware HARDWARE] --zone ZONE --flavor FLAVOR --name NAME [--operating-system SYSTEM] [--version MAJOR.MINOR.PATCH] [--no-subnet] [--sm-group GROUP] [--sm-instance INSTANCE] [--private-vlan PRIVATE_VLAN] [--public-vlan PUBLIC_VLAN] [--private-only] [--private-service-endpoint] [--public-service-endpoint] [--workers WORKER] [--disable-disk-encrypt] [--pod-subnet SUBNET] [--service-subnet SUBNET] [--skip-advance-permissions-check] [-q]
To create a VPC cluster, use the ibmcloud ks cluster create vpc-gen2
command instead.
- Minimum required permissions
- Administrator platform access role for IBM Cloud Kubernetes Service at the account level
- Administrator platform access role for IBM Cloud Container Registry at the account level
- Super User role for IBM Cloud infrastructure
Command options:
--hardware HARDWARE
-
The level of hardware isolation for your worker node. Use
dedicated
so that available physical resources are dedicated to you only, orshared
to allow physical resources to be shared with other IBM customers. The default isshared
. For bare metal flavors, specifydedicated
. --zone ZONE
-
The zone where you want to create the cluster. This value is required for standard clusters.
-
Review available classic or VPC zones. When you select a zone that is located outside your country, keep in mind that you might require legal authorization before data can be physically stored in a foreign country.
--flavor FLAVOR
-
Choose a flavor, or machine type, for your worker nodes. You can deploy your worker nodes as virtual machines on shared or dedicated hardware, or as physical machines on bare metal. Available physical and virtual flavors vary by the zone in which you deploy the cluster. For more information, see the documentation for the
ibmcloud ks flavors (machine-types)
command. --name NAME
-
Required: The name for the cluster. The name must start with a letter, can contain letters, numbers, periods (.), and hyphen (-), and must be 35 characters or fewer. Use a name that is unique across regions. The cluster name and the region in which the cluster is deployed form the fully qualified domain name for the Ingress subdomain. To ensure that the Ingress subdomain is unique within a region, the cluster name might be truncated and appended with a random value within the Ingress domain name.
--operating-system UBUNTU_20_64
-
Optional. The operating system of the worker nodes in your cluster. For a list of available operating sysems by cluster version, see the Kubernetes version information. If no option is specified, the default operating system that corresponds to the cluster version is used.
--version MAJOR.MINOR.PATCH
-
Optional: The Kubernetes version for the cluster master node. When the version is not specified, the cluster is created with the default of supported Kubernetes versions. To see available versions, run
ibmcloud ks versions
. --no-subnet
-
By default, a public and a private portable subnet are created on the VLAN associated with the cluster. Include the
--no-subnet
option to avoid creating subnets with the cluster. You can create or add subnets to a cluster later. --sm-group GROUP
-
The secret group ID of the Secrets Manager instance where your secrets are persisted. To get a secret group ID, see the Secrets Manager CLI reference.
--sm-instance INSTANCE
-
The CRN of the Secrets Manager instance. To get the CRN of an instance, run
ibmcloud ks ingress instance ls --cluster CLUSTER
. --private-vlan PRIVATE_VLAN
-
If this standard cluster is the first standard cluster that you create in this zone, don't include this option. A private VLAN is created for you when the cluster is created. If you created a standard cluster before in this zone or created a private VLAN in IBM Cloud infrastructure before, you must specify that private VLAN. Private VLAN routers always begin with
bcr
(back-end router) and public VLAN routers always begin withfcr
(front-end router). When you create a cluster and specify the public and private VLANs, the number and letter combination after those prefixes must match. -
To find out whether you already have a private VLAN for a specific zone or to find the name of an existing private VLAN, run
ibmcloud ks vlan ls --zone ZONE
. --public-vlan PUBLIC_VLAN
-
If this standard cluster is the first standard cluster that you create in this zone, don't use this option. A public VLAN is created for you when the cluster is created. If you created a standard cluster before in this zone or created a public VLAN in IBM Cloud infrastructure before, specify that public VLAN. If you want to connect your worker nodes to a private VLAN only, don't specify this option. Private VLAN routers always begin with
bcr
(back-end router) and public VLAN routers always begin withfcr
(front-end router). When you create a cluster and specify the public and private VLANs, the number and letter combination after those prefixes must match. -
To find out whether you already have a public VLAN for a specific zone or to find the name of an existing public VLAN, run
ibmcloud ks vlan ls --zone ZONE
. --private-only
-
Use this option to prevent a public VLAN from being created. Required only when you specify the
--private-vlan
option and don't include the--public-vlan
option. If worker nodes are set up with a private VLAN only, you must enable the private cloud service endpoint or configure a gateway appliance. For more information, see Worker-to-master and user-to-master communication. --private-service-endpoint
-
Standard clusters in accounts that are enabled with VRF and service endpoints: Enable the private cloud service endpoint so that your Kubernetes master and the worker nodes communicate over the private VLAN. In addition, you can choose to enable the public cloud service endpoint by using the
--public-service-endpoint
option to access your cluster over the internet. If you enable the private cloud service endpoint only, you must be connected to the private VLAN to communicate with your Kubernetes master. After you enable a private cloud service endpoint, you can't later disable it. After you create the cluster, you can get the endpoint by runningibmcloud ks cluster get --cluster <cluster_name_or_ID>
. --public-service-endpoint
-
Enable the public cloud service endpoint so that your Kubernetes master can be accessed over the public network, for example to run
kubectl
commands from your command line. Public-only clusters can only be created in accounts that don't have VRF enabled. If you have an account that is enabled with VRF and service endpoints and also include the--private-service-endpoint
option, master-worker node communication goes over the private and the public network. You can later disable the public cloud service endpoint if you want a private-only cluster. After you create the cluster, you can get the endpoint by runningibmcloud ks cluster get --cluster <cluster_name_or_ID>
. --workers WORKERS
-
Optional: Specify the number of worker nodes to include in the cluster. The default value is 1. If you create a cluster with only one worker node per zone, you might experience issues with Ingress. For high availability, create a cluster with at least two workers per zone. Every worker node is assigned a unique worker node ID and domain name that must not be manually changed after the cluster is created. Changing the ID or domain name prevents the Kubernetes master from managing your cluster.
--disable-disk-encrypt
-
Worker nodes feature AES 256-bit disk encryption by default; learn more. To disable encryption, include this option.
--pod-subnet SUBNET
-
All pods that are deployed to a worker node are assigned a private IP address in the
172.17.0.0/18
range by default. If you plan to connect your cluster to on-premises networks through IBM Cloud® Direct Link or a VPN service, you can avoid subnet conflicts by specifying a custom subnet CIDR that provides the private IP addresses for your pods. -
When you choose a subnet size, consider the size of the cluster that you plan to create and the number of worker nodes that you might add in the future. The subnet must have a CIDR of at least
/23
, which provides enough pod IPs for a maximum of four worker nodes in a cluster. For larger clusters, use/22
to have enough pod IP addresses for eight worker nodes,/21
to have enough pod IP addresses for 16 worker nodes, and so on. -
The subnet that you choose must be within one of the following ranges:
-
172.17.0.0 - 172.17.255.255
-
172.21.0.0 - 172.31.255.255
-
192.168.0.0 - 192.168.255.255
-
198.18.0.0 - 198.19.255.255
-
-
Note that the pod and service subnets can't overlap. The service subnet is in the 172.21.0.0/16 range by default.
--service-subnet *SUBNET
-
All services that are deployed to the cluster are assigned a private IP address in the 172.21.0.0/16 range by default. If you plan to connect your cluster to on-premises networks through IBM Cloud Direct Link or a VPN service, you can avoid subnet conflicts by specifying a custom subnet CIDR that provides the private IP addresses for your services.
-
The subnet must be specified in CIDR format with a size of at least
/24
, which allows a maximum of 255 services in the cluster, or larger. The subnet that you choose must be within one of the following ranges:-
172.17.0.0 - 172.17.255.255
-
172.21.0.0 - 172.31.255.255
-
192.168.0.0 - 192.168.255.255
-
198.18.0.0 - 198.19.255.255
-
-
Note that the pod and service subnets can't overlap. The pod subnet is in the 172.30.0.0/16 range by default.
--skip-advance-permissions-check
-
Optional: Skip the check for infrastructure permissions before creating the cluster. Note that if you don't have the correct infrastructure permissions, the cluster creation might only partially succeed, such as the master provisioning but the worker nodes unable to provision. You might skip the permissions check if you want to continue an otherwise blocked operation, such as when you use multiple infrastructure accounts and can handle the infrastructure resources separately from the master, if needed later.
-q
-
Optional: Do not show the message of the day or update reminders.
Example cluster create classic
commands
Create your first cluster: The first standard cluster that is created in a zone also creates a private VLAN. Therefore, don't include the --public-vlan
option.
ibmcloud ks cluster create classic --zone dal10 --private-vlan my_private_VLAN_ID --flavor b3c.4x16 --name my_cluster --hardware shared --workers 2 --operating-system UBUNTU_20_64
Create subsequent standard clusters: If you already created a standard cluster in this zone or created a public VLAN in IBM Cloud infrastructure before, specify that public VLAN with the --public-vlan
option.
To find out whether you already have a public VLAN for a specific zone or to find the name of an existing public VLAN, run ibmcloud ks vlan ls --zone <zone>
.
ibmcloud ks cluster create classic --zone dal10 --public-vlan my_public_VLAN_ID --private-vlan my_private_VLAN_ID --flavor b3c.4x16 --name my_cluster --hardware shared --workers 2 --operating-system UBUNTU_20_64
ibmcloud ks cluster create vpc-gen2
Virtual Private Cloud
Create a Virtual Private Cloud (VPC) cluster with worker nodes on Generation 2 infrastructure. When you log in to your IBM Cloud account, target the IBM Cloud region and resource group where you want to create your VPC cluster. For supported regions, see Creating a VPC in a different region. The cluster's resource group can differ from the VPC resource group.
VPC Gen 2 cluster flavors with instance storage are available for allowlisted accounts. To get added to the allowlist, open a case with support.
ibmcloud ks cluster create vpc-gen2 --name NAME --zone ZONE --vpc-id VPC_ID --subnet-id VPC_SUBNET_ID --flavor WORKER_FLAVOR [--cluster-security-group GROUP_ID] [--operating-system SYSTEM] [--version VERSION] [--workers NUMBER_WORKERS_PER_ZONE] [--dedicated-host-pool POOL] [--disable-outbound-traffic-protection] [--disable-public-service-endpoint] [--pod-subnet SUBNET] [--service-subnet SUBNET] [--kms-account-id ID] [--kms-instance KMS_INSTANCE_ID] [--crk ROOT_KEY_ID][--skip-advance-permissions-check] [--sm-group GROUP] [--sm-instance INSTANCE] [-q] [--secondary-storage STORAGE]
- Minimum required permissions
- Administrator platform access role for VPC Infrastructure.
- Administrator platform access role for IBM Cloud Kubernetes Service at the account level.
- Writer or Manager service access role for IBM Cloud Kubernetes Service.
- Administrator platform access role for IBM Cloud Container Registry at the account level.
Command options:
--name NAME
-
Required: The name for the cluster. The name must start with a letter, can contain letters, numbers, periods (.), and hyphen (-), and must be 35 characters or fewer. Use a name that is unique across regions. The cluster name and the region in which the cluster is deployed form the fully qualified domain name for the Ingress subdomain. To ensure that the Ingress subdomain is unique within a region, the cluster name might be truncated and appended with a random value within the Ingress domain name.
--zone ZONE
-
Required: Select a zone to deploy the initial cluster worker pool in. If you create the cluster in a multizone metro, you can add a zone to the worker pool later. To list available VPC zones, run
When you select a zone that is located outside your country, keep in mind that you might require legal authorization before data can be physically stored in a foreign country.ibmcloud ks zone ls --provider vpc-gen2
. --vpc-id VPC_ID
-
Required: The ID of the VPC in which to create the cluster and worker nodes. To list available IDs, run
ibmcloud ks vpcs
. --subnet-id VPC_SUBNET_ID
-
Required: The VPC subnet to assign the cluster. To list available VPC subnets, run
ibmcloud ks subnets --provider vpc-gen2
. --version VERSION
-
The Kubernetes version for the cluster master node. To see available versions, run
ibmcloud ks versions
. --flavor FLAVOR
-
Choose a flavor for your worker nodes. You can deploy your worker nodes as virtual machines on shared or dedicated hardware. To see flavors that are available in a zone, run
ibmcloud ks flavors --zone <vpc_zone> --provider vpc-gen2
. --cluster-security-group GROUP_ID
-
Optional. Specify additional security group IDs to apply to all workers on the cluster. You must include a separate
--cluster-security-group
option for each individual security group you want to add. To apply the IBM-createdkube-clusterID
, use--cluster-security-group cluster
. If no value is specified, only thekube-clusterID
and the default VPC security group are applied. A maximum of five security groups can be applied to workers, including the default security groups. Note that the VPC security group is only applied if no other security groups are specified. For more information, see Adding VPC security groups to clusters and worker pools during create time. The security groups applied to a cluster cannot be changed once the cluster is created. You can change the rules of the security groups that are applied to the cluster, but you cannot add or remove security groups at the cluster level. If you apply the incorrect security groups at cluster create time, you must delete the cluster and create a new one. For more information, see Adding VPC security groups to clusters and worker pools during create time. --operating-system UBUNTU_20_64
-
Optional. The operating system of the worker nodes in your cluster. For a list of available operating sysems by cluster version, see the Kubernetes version information. If no option is specified, the default operating system that corresponds to the cluster version is used.
--preview PREVIEW
-
Optional: Specify one or more cluster level preview features, such as
fips
. --dedicated-host-pool POOL
-
Optional: The ID of the dedicated host pool where you want to run your workers.
--workers NUMBER_WORKERS_PER_ZONE
-
Optional: Specify the number of worker nodes to include in the cluster. The default value is 1.
--disable-outbound-traffic-protection
-
Include this option to allow public outbound access from the cluster workers. By default, public outbound access is blocked in OpenShift versions 4.15 and later and Kubernetes versions 1.30 and later.
--disable-public-service-endpoint
-
To ensure that worker nodes and authorized cluster users communicate with the master through the private cloud service endpoint only, include this option to create the cluster without the public cloud service endpoint.
--pod-subnet SUBNET
-
In the first cluster that you create in a VPC, the default pod subnet is
172.17.0.0/18
. In the second cluster that you create in that VPC, the default pod subnet is172.17.64.0/18
. In each subsequent cluster, the pod subnet range is the next available, non-overlapping/18
subnet. If you plan to connect your cluster to on-premises networks through IBM Cloud® Direct Link or a VPN service, you can avoid subnet conflicts by specifying a custom subnet CIDR that provides the private IP addresses for your pods. -
When you choose a subnet size, consider the size of the cluster that you plan to create and the number of worker nodes that you might add in the future. The subnet must have a CIDR of at least
/23
, which provides enough pod IPs for a maximum of four worker nodes in a cluster. For larger clusters, use/22
to have enough pod IP addresses for eight worker nodes,/21
to have enough pod IP addresses for 16 worker nodes, and so on. -
: All pods that are deployed to a worker node are assigned a private IP address in the
172.17.0.0/18
range by default. If you plan to connect your cluster to on-premises networks through IBM Cloud® Direct Link or a VPN service, you can avoid subnet conflicts by specifying a custom subnet CIDR that provides the private IP addresses for your pods. -
For VPC clusters, you can specify the subnet size by including it in the
--pod-subnet
option. For example:--pod-subnet 0.0.0.0/X
whereX
is the required pod subnet size. Then pod subnet is then automatically selected. When allocating the pod subnet automatically, the allocation will start from172.17.0.0
, the biggest subnet is limited to13
, and the smallest subnet size is limited to23
. For more information, see Configuring VPC subnets. The subnet that you choose must be within one of the following ranges.-
172.17.0.0 - 172.17.255.255
-
172.21.0.0 - 172.31.255.255
-
192.168.0.0 - 192.168.255.255
-
198.18.0.0 - 198.19.255.255
-
-
Note that the pod and service subnets can't overlap. If you use custom-range subnets for your worker nodes, you must ensure that your worker node subnets don't overlap with your cluster's pod subnet.
--service-subnet SUBNET
-
All services that are deployed to the cluster are assigned a private IP address in the 172.21.0.0/16 range by default. If you plan to connect your cluster to on-premises networks through IBM Cloud Direct Link or a VPN service, you can avoid subnet conflicts by specifying a custom subnet CIDR that provides the private IP addresses for your services. The subnet must be specified in CIDR format with a size of at least
/24
, which allows a maximum of 255 services in the cluster, or larger. The subnet that you choose must be within one of the following ranges.172.17.0.0 - 172.17.255.255
172.21.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
198.18.0.0 - 198.19.255.255
-
Note that the pod and service subnets can't overlap.
--skip-advance-permissions-check
-
Optional: Skip the check for infrastructure permissions before creating the cluster. Note that if you don't have the correct infrastructure permissions, the cluster creation might only partially succeed, such as the master provisioning but the worker nodes unable to provision. You might skip the permissions check if you want to continue an otherwise blocked operation, such as when you use multiple infrastructure accounts and can handle the infrastructure resources separately from the master, if needed later.
--kms-account-id ID
-
Optional: The ID of the account that contains the KMS instance you want to use for local disk or secret encryption.
--kms-instance KMS_INSTANCE_ID
-
Optional: Include the ID of a key management service (KMS) instance to use to encrypt the local disk on the worker nodes in the
default
worker pool. To list available KMS instances, runibmcloud ks kms instance ls
. If you include this option, you must also include the--crk
option. Before you can use KMS encryption, you must create a KMS instance and set up the required service authorization in IAM. See Managing encryption for the worker nodes in your cluster. --crk ROOT_KEY
-
Optional: Include the ID of the root key in the KMS instance to use to encrypt the local disk on the worker nodes in the
default
worker pool. To list available root keys, runibmcloud ks kms crk ls --instance-id
. If you include this option, you must also include the--kms-instance
option. Before you can use KMS encryption, you must create a KMS instance and set up the required service authorization in IAM. See Managing encryption for the worker nodes in your cluster. --sm-group GROUP
-
The secret group ID of the Secrets Manager instance where your secrets are persisted. To get a secret group ID, see the Secrets Manager CLI reference.
--sm-instance INSTANCE
-
The CRN of the Secrets Manager instance. To find the CRN of an instance, run
ibmcloud ks ingress instance ls --cluster CLUSTER
. --secondary-storage STORAGE
-
Optional: The storage option for the flavor. For example,
900gb.5iops-tier
. When you add a secondary disk, that disk is used for the container runtime, while the primary disk is used for the operating system. To view the storage options for a flavor, run the**ibmcloud ks flavor get --flavor FLAVOR --zone ZONE --provider vpc-gen2
command. -q
-
Optional: Do not show the message of the day or update reminders.
Example cluster create vpc-gen2
command
ibmcloud ks cluster create vpc-gen2 --name mycluster --version 1.31 --zone us-south-1 --vpc-id a0123456-78b9-0c1d-23d4-567890123ef4 --subnet-id 1ab23c45-6789-0123-456d-789ef01gh234 --flavor bx2.4x16 --workers 3
ibmcloud ks cluster get
Virtual Private Cloud Classic infrastructure
View the details of a cluster.
ibmcloud ks cluster get --cluster CLUSTER [--show-resources] [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--show-resources
- Show more cluster resources such as add-ons, VLANs, subnets, and storage.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster get
command
ibmcloud ks cluster get --cluster my_cluster --show-resources
ibmcloud ks cluster image-security disable
Virtual Private Cloud Classic infrastructure
Disable image security enforcement. When you disable the feature, the underlying ClusterImagePolicy
CRD is removed, which removes all the default image
policies and any custom images policies that you created.
ibmcloud ks cluster image-security disable --cluster CLUSTER [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster image-security disable
command
ibmcloud ks cluster image-security disable --cluster my_cluster
ibmcloud ks cluster image-security enable
Virtual Private Cloud Classic infrastructure
Enable image security enforcement by installing the Portieris Kubernetes admission controller and the associated default image policies in your cluster.
ibmcloud ks cluster image-security enable --cluster CLUSTER [-f] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster image-security enable
command
ibmcloud ks cluster image-security enable --cluster my_cluster
ibmcloud ks cluster ls
Virtual Private Cloud Classic infrastructure Satellite
List all clusters in your IBM Cloud account.
Clusters in all locations are returned. To filter clusters by a specific location, include the --location
option. For example, if you filter clusters for the dal
metro, multizone clusters in that metro and single-zone
clusters in data centers (zones) within that metro are returned. If you filter clusters for the dal10
data center (zone), multizone clusters that have a worker node in that zone and single-zone clusters in that zone are returned.
You can pass one location or a comma-separated list of locations.
ibmcloud ks cluster ls [--provider (classic | vpc-gen2)] [--location LOCATION] [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--provider (classic | vpc-gen2)
- Optional: Filter output based on infrastructure provider type.
-l, --location LOCATION
- Filter output by a specific location. To see supported locations, run
ibmcloud ks locations
. To specify multiple locations, use one option for each location, such as-l dal -l seo
. --output json
- Optional: Prints the command output in JSON format. Note: If you don't include the
--provider
option, only classic clusters are returned. -q
- Optional: Do not show the message of the day or update reminders.
Example cluster ls
command
ibmcloud ks cluster ls -l ams03 -l wdc -l ap
ibmcloud ks cluster master audit-webhook
Modify the webhook back end that forwards API server audit logs to a remote server.
The apiserver-config-get|set|unset audit-webhook
aliases for these commands are deprecated.
ibmcloud ks cluster master audit-webhook get
View the URL for the remote logging service that you are sending API server audit logs to. The URL was specified when you created the webhook back end for the API server configuration.
ibmcloud ks cluster master audit-webhook get --cluster CLUSTER [-q]
Classic infrastructure
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master audit-webhook get
command
ibmcloud ks cluster master audit-webhook get --cluster mycluster
ibmcloud ks cluster master audit-webhook set
Classic infrastructure
Set the webhook back end for the API server configuration. The webhook back end forwards API server audit logs to a remote server. After you set the webhook, you must run the ibmcloud ks cluster master refresh
command to apply
the changes to the Kubernetes master.
ibmcloud ks cluster master audit-webhook set --cluster CLUSTER [--remote-server SERVER_URL_OR_IP] [--ca-cert CA_CERT_PATH] [--client-cert CLIENT_CERT_PATH] [--client-key CLIENT_KEY_PATH] [--policy POLICY] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--remote-server SERVER_URL
- Optional: The URL or IP address for the remote logging service you want to send audit logs to. If you provide an insecure server URL, any certificates are ignored. If you provide an IP address, add the
http://
prefix to the IP. --ca-cert CA_CERT_PATH
- Optional: The file path for the CA certificate that is used to verify the remote logging service.
--client-cert CLIENT_CERT_PATH
- Optional: The file path for the client certificate that is used to authenticate against the remote logging service.
--client-key CLIENT_KEY_PATH
- Optional: The file path for the corresponding client key that is used to connect to the remote logging service.
--policy POLICY
- Optional: The type of policy that is used for auditing. Use
default
orverbose
. Note that theverbose
policy type audits a larger number of API transactions, which might impact cluster performance, and is only recommended for occasional use. -q
- Optional: Do not show the message of the day or update reminders.
Example cluster master audit-webhook set
command
ibmcloud ks cluster master audit-webhook set --cluster my_cluster --remote-server https://audit.example.com/audit --ca-cert /mnt/etc/kubernetes/apiserver audit/ca.pem --client-cert /mnt/etc/kubernetes/apiserver audit/cert.pem --client-key /mnt/etc/kubernetes/apiserver audit/key.pem
ibmcloud ks cluster master audit-webhook unset
Classic infrastructure
Disable the webhook back-end configuration for the cluster's API server. Disabling the webhook back end stops forwarding API server audit logs to a remote server.
ibmcloud ks cluster master audit-webhook unset --cluster CLUSTER [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks cluster master console-oauth-access get
Get the OpenShift web console and OAuth server access type.
ibmcloud ks cluster master console-oauth-access get --cluster CLUSTER [--output OUTPUT] [-q]
Command options
--cluster CLUSTER
,-c CLUSTER
- Specify the cluster name or ID.
--output OUTPUT
- Prints the command output in the provided format. Accepted values:
json
-q
- Do not show the message of the day or update reminders.
ibmcloud ks cluster master console-oauth-access set
Set the OpenShift web console and OAuth server access type.
ibmcloud ks cluster master console-oauth-access set --cluster CLUSTER [-f] [-q] [--type TYPE]
Command options
--cluster CLUSTER
,-c CLUSTER
- Specify the cluster name or ID.
-f
- Force the command to run without user prompts.
-q
- Do not show the message of the day or update reminders.
--type TYPE
- Specify the OpenShift web console and OAuth server access type. Accepted values:
vpe-gateway
,legacy
ibmcloud ks cluster master pod-security get
Virtual Private Cloud Classic infrastructure
View the pod security admission configuration for a cluster's Kubernetes API server.
ibmcloud ks cluster master pod-security get --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master pod-security get
command
ibmcloud ks cluster master pod-security get --cluster mycluster
ibmcloud ks cluster master pod-security policy disable
Virtual Private Cloud Classic infrastructure
Disable the pod security policy for a cluster's Kubernetes API server.
ibmcloud ks cluster master pod-security policy disable --cluster CLUSTER [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master pod-security policy disable
command
ibmcloud ks cluster master pod-security policy disable --cluster mycluster
ibmcloud ks cluster master pod-security policy enable
Virtual Private Cloud Classic infrastructure
Enable the pod security policy for a cluster's Kubernetes API server. Note that pod security policies are not available in clusters that run version 1.25 or later.
ibmcloud ks cluster master pod-security policy enable --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master pod-security policy enable
command
ibmcloud ks cluster master pod-security policy enable --cluster mycluster
ibmcloud ks cluster master pod-security policy get
Virtual Private Cloud Classic infrastructure
View the pod security policy configuration for a cluster's Kubernetes API server. Note that pod security policies are not available in clusters that run version 1.25 or later.
ibmcloud ks cluster master pod-security policy get --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master pod-security policy get
command
ibmcloud ks cluster master pod-security policy get --cluster mycluster
ibmcloud ks cluster master pod-security set
Virtual Private Cloud Classic infrastructure
Set and enable the pod security admission for a cluster's Kubernetes API server.
ibmcloud ks cluster master pod-security set --cluster CLUSTER [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master pod-security set
command
ibmcloud ks cluster master pod-security set --cluster mycluster
ibmcloud ks cluster master pod-security unset
Virtual Private Cloud Classic infrastructure
Remove the pod security admission configuration for a cluster's Kubernetes API server.
ibmcloud ks cluster master pod-security unset --cluster CLUSTER [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master pod-security unset
command
ibmcloud ks cluster master pod-security unset --cluster mycluster
ibmcloud ks cluster master private-service-endpoint allowlist
Private service endpoint allowlists are deprecated and support ends on 10 February 2025. Migrate from allowlists to context based restrictions as soon as possible. For more information, see Migrating from a private service endpoint allowlist to context based restrictions (CBR).
Manage a private cloud service endpoint allowlist so that authorized users can access your private cloud service endpoint from only the subnets that are specified in the allowlist.
ibmcloud ks cluster master private-service-endpoint allowlist add
Virtual Private Cloud Classic infrastructure
After you enable a private cloud service endpoint allowlist, add subnets from which authorized users can access your private cloud service endpoint to the allowlist.
For example, to access your cluster's private cloud service endpoint, you must connect to your IBM Cloud classic network or your VPC network through a VPN or IBM Cloud Direct Link. You can add the subnet for the VPN or IBM Cloud Direct Link tunnel so that authorized users in your organization can only access the private cloud service endpoint from that subnet.
Worker node subnets are automatically added to and removed from your allowlist so that worker nodes can always access the master through the private cloud service endpoint.
ibmcloud ks cluster master private-service-endpoint allowlist add --cluster CLUSTER --subnet SUBNET [--subnet SUBNET ...] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--subnet SUBNET
- Required: The subnet in CIDR format. Specify more than one subnet by using multiple repeated options.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master private-service-endpoint allowlist add
command
ibmcloud ks cluster master private-service-endpoint allowlist add --cluster mycluster --subnet 1.1.1.1/16
ibmcloud ks cluster master private-service-endpoint allowlist disable
Virtual Private Cloud Classic infrastructure
Disable the subnet allowlist feature for a cluster's private cloud service endpoint.
After you disable this feature, authorized requests to your cluster master through the cluster's private cloud service endpoint can originate from any subnet.
ibmcloud ks cluster master private-service-endpoint allowlist disable --cluster CLUSTER [-f] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run without user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master private-service-endpoint allowlist disable
command
ibmcloud ks cluster master private-service-endpoint allowlist disable --cluster mycluster
ibmcloud ks cluster master private-service-endpoint allowlist enable
Virtual Private Cloud Classic infrastructure
Enable the subnet allowlist feature for a cluster's private cloud service endpoint.
After you run this command, use the ibmcloud ks cluster master private-service-endpoint allowlist
command to add subnets to the allowlist. Only authorized requests to your cluster master
that originate from subnets in the allowlist are permitted through the cluster's private cloud service endpoint. If the public cloud service endpoint is enabled for your cluster, authorized requests are still permitted through the public
cloud service endpoint.
ibmcloud ks cluster master private-service-endpoint allowlist enable --cluster CLUSTER [-f] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run without user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master private-service-endpoint allowlist enable
command
ibmcloud ks cluster master private-service-endpoint allowlist enable --cluster mycluster
ibmcloud ks cluster master private-service-endpoint allowlist get
Virtual Private Cloud Classic infrastructure
List all subnets in the allowlist for a cluster's private cloud service endpoint.
This list includes subnets that you manually added by using the ibmcloud ks cluster master private-service-endpoint allowlist add
command and subnets that are automatically added and managed by IBM, such as worker node subnets.
ibmcloud ks cluster master private-service-endpoint allowlist get --cluster CLUSTER [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master private-service-endpoint allowlist get
command
ibmcloud ks cluster master private-service-endpoint allowlist get --cluster mycluster
ibmcloud ks cluster master private-service-endpoint allowlist rm
Virtual Private Cloud Classic infrastructure
Remove subnets that you previously added to the allowlist for a cluster's private cloud service endpoint.
After a subnet is removed, any requests that originate from this subnet to the cluster master through the private cloud service endpoint are denied.
ibmcloud ks cluster master private-service-endpoint allowlist rm --cluster CLUSTER --subnet SUBNET [--subnet SUBNET ...] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--subnet SUBNET
- Required: The subnet CIDR. Specify more than one subnet by using multiple repeated options.
-f
- Optional: Force the command to run without user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master private-service-endpoint allowlist rm
command
ibmcloud ks cluster master private-service-endpoint allowlist rm --cluster mycluster
--subnet 1.1.1.1/16
ibmcloud ks cluster master private-service-endpoint disable
Classic infrastructure
Disable the private cloud service endpoint to remove private accessibility to your cluster master.
Important: Before you disable the private endpoint, you first must complete the following steps to enable the public cloud service endpoint:
- Enable the public cloud service endpoint by running
ibmcloud ks cluster master public-service-endpoint enable --cluster <cluster_name>
. - Follow the prompt in the CLI to refresh the Kubernetes master API server.
- Reload all the worker nodes in your cluster to pick up the public endpoint configuration.
ibmcloud ks cluster master private-service-endpoint disable --cluster CLUSTER [-f] [-q] [-y]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
-y
- Optional: Refresh the cluster master and reload worker nodes with no user prompts.
Example cluster master private-service-endpoint disable
command
ibmcloud ks cluster master private-service-endpoint disable --cluster my_cluster
ibmcloud ks cluster master private-service-endpoint enable
Classic infrastructure
Enable the private cloud service endpoint to make your cluster master privately accessible.
To run this command:
- Enable VRF in your IBM Cloud infrastructure account. To check whether a VRF is already enabled, use the
ibmcloud account show
command. - Enable your IBM Cloud account to use service endpoints.
- Run
ibmcloud ks cluster master private-service-endpoint enable --cluster <cluster_name>
. - Follow the prompt in the CLI to refresh the Kubernetes master API server.
- Reload all the worker nodes in your cluster to pick up the private endpoint configuration.
ibmcloud ks cluster master private-service-endpoint enable --cluster CLUSTER [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
-y
- Optional: Refresh the cluster master and reload worker nodes with no user prompts.
Example cluster master private-service-endpoint enable
command
ibmcloud ks cluster master private-service-endpoint enable --cluster my_cluster
ibmcloud ks cluster master public-service-endpoint disable
Virtual Private Cloud Classic infrastructure
Disable the public cloud service endpoint for a cluster.
Important: Before you disable the public endpoint, you first must complete the following steps to enable the private cloud service endpoint:
- Enable the private cloud service endpoint by running
ibmcloud ks cluster master private-service-endpoint enable --cluster <cluster_name>
. - Follow the prompt in the CLI to refresh the Kubernetes master API server.
- Reload all the worker nodes in your cluster to pick up the private endpoint configuration.
ibmcloud ks cluster master public-service-endpoint disable --cluster CLUSTER [-q] [-f]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
-y
- Optional: Refresh the cluster master and reload worker nodes with no user prompts.
Example cluster master public-service-endpoint disable
command
ibmcloud ks cluster master public-service-endpoint disable --cluster my_cluster
ibmcloud ks cluster master public-service-endpoint enable
Virtual Private Cloud Classic infrastructure
Enable the public cloud service endpoint to make your cluster master publicly accessible.
After you run this command, you must refresh the API server to use the service endpoint by following the prompt in the CLI.
ibmcloud ks cluster master public-service-endpoint enable --cluster CLUSTER [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
-y
- Optional: Refresh the cluster master with no user prompts.
Example cluster master public-service-endpoint enable
command
ibmcloud ks cluster master public-service-endpoint enable --cluster my_cluster
ibmcloud ks cluster master refresh
Virtual Private Cloud Classic infrastructure
Apply configuration changes for the Kubernetes master that are requested with the ibmcloud ks cluster master
commands. The highly available Kubernetes master components are restarted in a rolling restart. Your worker nodes, apps,
and resources are not modified and continue to run.
The apiserver-refresh
and cluster-refresh
aliases for this command are deprecated.
ibmcloud ks cluster master refresh --cluster CLUSTER [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks cluster master update
Virtual Private Cloud Classic infrastructure Satellite
Update the Kubernetes master and API server. During the update, you can't access or change the cluster. Worker nodes, apps, and resources that were deployed are not modified and continue to run.
You might need to change your YAML files for future deployments. Review this release note for details.
The cluster-update
alias for this command is deprecated.
ibmcloud ks cluster master update --cluster CLUSTER [--version MAJOR.MINOR.PATCH] [--force-update] [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--version MAJOR.MINOR.PATCH
- Optional: The Kubernetes version of the cluster. If you don't specify a version, the Kubernetes master is updated to the default API version. To see available versions, run ibmcloud ks versions.
--force-update
- Optional: Attempt the update even if the change is greater than two minor versions from the worker node version.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster master update
command
ibmcloud ks cluster master update --cluster my_cluster
ibmcloud ks cluster pull-secret apply
Virtual Private Cloud Classic infrastructure
Make an IBM Cloud IAM service ID for the cluster, create a policy for the service ID that assigns the Reader service access role in IBM Cloud Container Registry, and then create an API key for the service ID. The API key is
then stored in a Kubernetes image pull secret so that you can pull images from your IBM Cloud Container Registry namespaces for containers that are in the default
Kubernetes namespace. This process happens automatically when
you create a cluster. If you got an error during the cluster creation process or have an existing cluster, you can use this command to apply the process again.
This API key method replaces the previous method of authorizing a cluster to access IBM Cloud Container Registry by automatically creating a token and storing the token in an image pull secret. Now, by using IAM API keys to access IBM Cloud Container Registry, you can customize IAM policies for the service ID to restrict access to your namespaces or specific images. For example, you can change the service ID policies in the cluster's image pull secret to pull images from only a certain registry region or namespace. Before you can customize IAM policies, you must enable IBM Cloud IAM policies for IBM Cloud Container Registry. For more information, see Understanding how your cluster is authorized to pull images from IBM Cloud Container Registry.
When you run this command, the creation of IAM credentials and image pull secrets is initiated and can take some time to complete. You can't deploy containers that pull an image from the IBM Cloud Container Registry icr.io
domains
until the image pull secrets are created. To check the image pull secrets, run kubectl get secrets | grep icr-io
. If you added IAM policies to an existing service ID, such as to restrict access to a regional registry, the service
ID, IAM policies, and API key for the image pull secret are reset by this command.
ibmcloud ks cluster pull-secret apply --cluster CLUSTER
Minimum required permissions:
- Operator or Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
- Administrator platform access role in IBM Cloud Container Registry across all regions and resource groups. The policy can't be scoped to a particular region or resource group.
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
ibmcloud ks cluster rm
Virtual Private Cloud Classic infrastructure
Delete a cluster. All worker nodes, apps, and containers are permanently deleted. This action can't be undone.
ibmcloud ks cluster rm --cluster CLUSTER [--force-delete-storage] [--skip-advance-permissions-check] [-f] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--force-delete-storage
- Optional: Deletes the cluster and any persistent storage that the cluster uses. Attention: If you include this option, the data that is stored in the cluster or its associated storage instances can't be recovered.
--skip-advance-permissions-check
- Optional: Skip the check for infrastructure permissions before deleting the cluster. Note that if you don't have the correct infrastructure permissions, the cluster deletion might only partially succeed, such as the IBM-managed master being removed but the worker nodes unable to be removed from your infrastructure account. You might skip the permissions check if you want to continue an otherwise blocked operation, such as when you use multiple infrastructure accounts and can handle the infrastructure resources separately from the master, if needed later.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster rm
command
ibmcloud ks cluster rm --cluster my_cluster
ibmcloud ks cluster service bind
Virtual Private Cloud Classic infrastructure
Add an IBM Cloud service to a cluster by binding the service instance to a Kubernetes namespace. This command creates service credentials of an IBM Cloud service and stores these credentials in a Kubernetes secret in your cluster.
To view available IBM Cloud services from the IBM Cloud catalog, run ibmcloud service offerings
. Note: You can add only IBM Cloud services that support service keys. For more information about service binding
and what services you can add to your cluster, see Adding services by using IBM Cloud service binding.
ibmcloud ks cluster service bind --cluster CLUSTER --namespace KUBERNETES_NAMESPACE [--key SERVICE_INSTANCE_KEY] [--role IAM_SERVICE_ROLE] --service SERVICE_INSTANCE [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-n, --namespace KUBERNETES_NAMESPACE
- Required: The name of the Kubernetes namespace where you want to create the Kubernetes secret for your service credentials.
--key SERVICE_INSTANCE_KEY
- Optional: The name or GUID of an existing service key. When you use the
service-binding
command, new service credentials are automatically created for your service instance and assigned the IAM Writer service access role for IAM-enabled services. If you want to use an existing service key that you created earlier, use this option. If you define a service key, you can't set the--role
option at the same time because your service keys are already created with a specific IAM service access role. --role IAM_SERVICE_ROLE
- The IBM Cloud IAM role that you want the service key to have. This value is optional and can be used for IAM-enabled services only. If you don't set this option, your service credentials are automatically created and assigned the IAM Writer service access role. If you want to use existing service keys by specifying the
--key
option, don't include this option. To list available roles for the service, runibmcloud iam roles --service <service_name>
. The service name is the name of the service in the catalog, which you can get by runningibmcloud catalog search
. --service SERVICE_INSTANCE
- Required: The name of the IBM Cloud service instance that you want to bind. To find the name, run
ibmcloud resource service-instances
. -q
- Optional: Do not show the message of the day or update reminders.
Example cluster service bind
command
ibmcloud ks cluster service bind --cluster my_cluster --namespace my_namespace --service my_service_instance
ibmcloud ks cluster service ls
Virtual Private Cloud Classic infrastructure
List the services that are bound to one or all the Kubernetes namespace in a cluster. If no options are specified, the services for the default namespace are displayed.
ibmcloud ks cluster service ls --cluster CLUSTER [--namespace KUBERNETES_NAMESPACE] [--all-namespaces] [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-n, --namespace KUBERNETES_NAMESPACE
- Optional: Include the services that are bound to a specific namespace in a cluster.
--all-namespaces
- Optional: Include the services that are bound to all the namespaces in a cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster service ls
command
ibmcloud ks cluster service ls --cluster my_cluster --namespace my_namespace
ibmcloud ks cluster service unbind
Virtual Private Cloud Classic infrastructure
Remove an IBM Cloud service from a cluster by unbinding it from a Kubernetes namespace.
When you remove an IBM Cloud service, the service credentials are removed from the cluster. If a pod is still using the service, it fails because the service credentials can't be found.
ibmcloud ks cluster service unbind --cluster CLUSTER --namespace KUBERNETES_NAMESPACE --service SERVICE_INSTANCE [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-n, --namespace KUBERNETES_NAMESPACE
- Required: The name of the Kubernetes namespace.
--service SERVICE_INSTANCE
- Required: The name of the IBM Cloud service instance that you want to remove. To find the name of the service instance, run
ibmcloud ks cluster service ls --cluster <cluster_name_or_ID>
. -q
- Optional: Do not show the message of the day or update reminders.
Example cluster service unbind
command
ibmcloud ks cluster service unbind --cluster my_cluster --namespace my_namespace --service 8567221
ibmcloud ks cluster subnet add
Classic infrastructure
Make an existing portable public or private classic subnet in your IBM Cloud infrastructure account available to a cluster or reuse subnets from a deleted cluster instead of using the automatically provisioned subnets.
When you make a subnet available to a cluster, IP addresses of this subnet are used for cluster networking purposes. To avoid IP address conflicts, make sure that you use a subnet with one cluster only. Do not use a subnet for multiple clusters or for other purposes outside of IBM Cloud Kubernetes Service at the same time. If you use the same subnet across multiple clusters, your default Ingress TLS certificate might become invalidated. To enable communication between workers that are on different subnets on the same VLAN in non-VRF accounts, you must enable routing between subnets on the same VLAN.
ibmcloud ks cluster subnet add --cluster CLUSTER --subnet-id SUBNET [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--subnet-id SUBNET
- Required: The ID of the subnet.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster subnet add
command
ibmcloud ks cluster subnet add --cluster my_cluster --subnet-id 1643389
ibmcloud ks cluster subnet create
Classic infrastructure
Create a portable classic subnet in an IBM Cloud infrastructure account on your public or private VLAN and make it available to a cluster.
Portable public IP addresses are charged monthly. If you remove portable public IP addresses after your cluster is provisioned, you still must pay the monthly charge, even if you used them only for a short amount of time. When you make a subnet
available to a cluster, IP addresses of this subnet are used for cluster networking purposes. To avoid IP address conflicts, make sure that you use a subnet with one cluster only. Do not use a subnet for multiple clusters or for other purposes
outside of IBM Cloud Kubernetes Service at the same time. If you use the same subnet across multiple clusters, your default Ingress TLS certificate might become invalidated. In classic clusters, if you have multiple VLANs for your cluster,
multiple subnets on the same VLAN, or a multizone classic cluster, you must enable a Virtual Router Function (VRF) for your IBM Cloud infrastructure account
so your worker nodes can communicate with each other on the private network. To enable VRF, see Enabling VRF. To check whether a VRF is already enabled, use
the ibmcloud account show
command. If you can't or don't want to enable VRF, enable VLAN spanning. To perform this action, you need the Network > Manage Network VLAN Spanning infrastructure permission, or you can request the account owner to enable it. To check whether VLAN spanning is already enabled, use the ibmcloud ks vlan spanning get --region <region>
command.
ibmcloud ks cluster subnet create --cluster CLUSTER --size SIZE --vlan VLAN_ID [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster. To list your clusters, use the
ibmcloud ks cluster ls
command. --size SIZE
- The number of IP addresses that you want to create in the portable subnet. Accepted values are 8, 16, 32, or 64. When you add portable IP addresses for your subnet, three IP addresses are used to establish cluster-internal networking. You can't use these three IP addresses for your Ingress application load balancers (ALBs) or to create network load balancer (NLB) services. For example, if you request eight portable public IP addresses, you can use five of them to expose your apps to the public.
--vlan VLAN_ID
- The ID of the public or private VLAN on which you want to create the subnet. You must select a public or private VLAN that an existing worker node is connected to. To review the public or private VLANs that your worker nodes are connected
to, run
ibmcloud ks cluster get --cluster <cluster> --show-resources
and look for the Subnet VLANs section in the output. The subnet is provisioned in the same zone that the VLAN is in. -q
- Optional: Do not show the message of the day or update reminders.
Example cluster subnet create
command
ibmcloud ks cluster subnet create --cluster my_cluster --size 8 --vlan 1764905
ibmcloud ks cluster subnet detach
Classic infrastructure
Detach a public or private portable classic subnet in an IBM Cloud infrastructure account from a cluster. The subnet remains available in your IBM Cloud infrastructure account. Note: Any services that were deployed to an IP address from the subnet remain active after the subnet is removed.
ibmcloud ks cluster subnet detach --cluster CLUSTER --subnet-id SUBNET_ID [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster. To list your clusters, use the
ibmcloud ks cluster ls
command. --vlan VLAN_ID
- The ID of the public or private subnet that you want to detach. To find the subnet ID, first run
ibmcloud ks cluster get --cluster <cluster> --show-resources
and look for the subnet CIDR in the Subnet VLANs section of the output. Then, using the subnet CIDR, runibmcloud ks subnets --provider classic
and look for the subnet's ID. -f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example cluster subnet detach
command
ibmcloud ks cluster subnet detach --cluster my_cluster --subnet-id 1602829
Deprecated: ibmcloud ks cluster user-subnet add
Classic infrastructure
Bring your own private subnet to your IBM Cloud Kubernetes Service clusters. This private subnet is not one provided by IBM Cloud infrastructure. As such, you must configure any inbound and outbound network traffic routing for the subnet.
This command is deprecated. Add an existing IBM Cloud infrastructure subnet to your cluster by running ibmcloud ks cluster subnet add
.
When you make a subnet available to a cluster, IP addresses of this subnet are used for cluster networking purposes. To avoid IP address conflicts, make sure that you use a subnet with one cluster only. Do not use a subnet for multiple clusters
or for other purposes outside of IBM Cloud Kubernetes Service at the same time. If you use the same subnet across multiple clusters, your default Ingress TLS certificate might become invalidated. In classic clusters, if you have multiple
VLANs for your cluster, multiple subnets on the same VLAN, or a multizone classic cluster, you must enable a Virtual Router Function (VRF) for your IBM Cloud
infrastructure account so your worker nodes can communicate with each other on the private network. To enable VRF, see Enabling VRF. To check whether a VRF is
already enabled, use the ibmcloud account show
command. If you can't or don't want to enable VRF, enable VLAN spanning. To perform this action, you need the Network > Manage Network VLAN Spanning infrastructure permission, or you can request the account owner to enable it. To check whether VLAN spanning is already enabled, use the ibmcloud ks vlan spanning get --region <region>
command.
ibmcloud ks cluster user-subnet add --cluster CLUSTER --subnet-cidr SUBNET_CIDR --private-vlan PRIVATE_VLAN
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--subnet-cidr SUBNET_CIDR
- The subnet Classless InterDomain Routing (CIDR). This value is required, and must not conflict with any subnet that is used by IBM Cloud infrastructure. Supported prefixes range from
/30
(1 IP address) to/24
(253 IP addresses). If you set the CIDR at one prefix length and later need to change it, first add the new CIDR, then remove the old CIDR. --private-vlan PRIVATE_VLAN
- Required: The ID of the private VLAN. The ID must be for a private VLAN in the cluster that one or more of the worker nodes are on. To see private VLANs in your cluster, run
ibmcloud ks cluster get --cluster <cluster_name_or_ID> --show-resources
. In the Subnet VLANs section of the output, look for VLANs that have a Public value offalse
.
Example cluster user-subnet add
command
ibmcloud ks cluster user-subnet add --cluster my_cluster --subnet-cidr 169.xx.xxx.xxx/29 --private-vlan 1502175
Deprecated: ibmcloud ks cluster user-subnet rm
Classic infrastructure
Remove your own private subnet from a specified cluster. Any service that was deployed with an IP address from your own private subnet remains active after the subnet is removed.
This command is deprecated. To remove an IBM Cloud infrastructure subnet from your cluster instead, run ibmcloud ks cluster subnet detach
.
ibmcloud ks cluster user-subnet rm --cluster CLUSTER --subnet-cidr SUBNET_CIDR --private-vlan PRIVATE_VLAN
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--subnet-cidr SUBNET_CIDR
- The subnet Classless InterDomain Routing (CIDR). This value is required, and must match the CIDR that was set by the
ibmcloud ks cluster user-subnet add
command. --private-vlan PRIVATE_VLAN
- The ID of the private VLAN. This value is required, and must match the VLAN ID that was set by the
ibmcloud ks cluster user-subnet add
command.
Example cluster user-subnet rm
command
ibmcloud ks cluster user-subnet rm --cluster my_cluster --subnet-cidr 169.xx.xxx.xxx/29 --private-vlan 1502175
Beta: dedicated
commands
View, create, and remove a dedicated host or dedicated host pool.
The dedicated
commands are available in beta.
Beta: ibmcloud ks dedicated flavors
Virtual Private Cloud
View dedicated host flavors.
ibmcloud ks dedicated flavors --zone ZONE --provider PROVIDER
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--zone ZONE
- The zone to search for dedicated host flavors.
--provider PROVIDER
- The provider to use to search for dedicated host flavors.
--output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks dedicated flavors --zone us-south-1 --provider myprovider1
Beta: ibmcloud ks dedicated host create
Virtual Private Cloud
Create a dedicated host.
ibmcloud ks dedicated host create --flavor FLAVOR --pool POOL --zone ZONE [--output OUTPUT] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
-- flavor FLAVOR
- The flavor of the dedicated host.
-- pool POOL
- The name of the dedicated host pool where the dedicated host is added.
--zone ZONE
- The zone to create the dedicated host in.
--output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks dedicated host create --flavor b3c.4x16 --pool mypool --zone wdc
Beta: ibmcloud ks dedicated host get
Virtual Private Cloud
Get the details of a dedicated host.
ibmcloud ks dedicated host get --host HOST --pool POOL [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--host HOST
- The ID of the dedicated host.
--pool POOL
- The ID of the dedicated host pool that the dedicated host is located in. To list dedicated host pools run
ibmcloud ks dedicated pool ls
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated host get --host myhost --pool mypool
Beta: ibmcloud ks dedicated host ls
Virtual Private Cloud
List all dedicated hosts in a dedicated host pool.
ibmcloud ks dedicated host ls --pool POOL [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--pool POOL
- The ID of the dedicated host pool. To list dedicated host pools run
ibmcloud ks dedicated pool ls
. -q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated host ls --pool mypool
Beta: ibmcloud ks dedicated host placement disable
Virtual Private Cloud
Disable dedicated host placement.
ibmcloud ks dedicated host placement disable --host HOST --pool POOL
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--host HOST
- The ID of the dedicated host to disable placement for.
--pool POOL
- The ID of the dedicated host pool that the dedicated host is located in. To list dedicated host pools run
ibmcloud ks dedicated pool ls
. --q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated host placement disable --host myhost --pool mypool
Beta: ibmcloud ks dedicated host placement enable
Virtual Private Cloud
Enable dedicated host placement.
ibmcloud ks dedicated host placement enable --host HOST --pool POOL
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--host HOST
- The ID of the dedicated host to enable placement for.
--pool POOL
- The ID of the dedicated host pool that the dedicated host is located in. To list dedicated host pools run
ibmcloud ks dedicated pool ls
. --q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated host placement enable --host myhost --pool mypool
Beta: ibmcloud ks dedicated host rm
Virtual Private Cloud
Delete a dedicated host. This action can't be undone.
ibmcloud ks dedicated host rm --host HOST --pool POOL [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--pool POOL
- The ID of the dedicated host pool that contains the dedicated host to delete. To list dedicated host pools run
ibmcloud ks dedicated pool ls
. --output json
- Optional: Prints the command output in JSON format.
--q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated host rm --host myhost --pool mypool
Beta: ibmcloud ks dedicated pool create
Virtual Private Cloud
Create a dedicated host pool.
ibmcloud ks dedicated pool create --flavor-class CLASS --metro METRO --name NAME [--output OUTPUT]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--flavor-class CLASS
- The flavor-class of the dedicated host pool. To see available options, run
ibmcloud ks flavors
. --metro METRO
- The metro to create the dedicated host pool in, such as
dal
orwdc
. --name NAME
- The name of the dedicated host pool.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated pool --flavor-class mb4c.20x64 --metro dal --name mypool
Beta: ibmcloud ks dedicated pool get
Virtual Private Cloud
Get the details of a dedicated host pool.
ibmcloud ks dedicated pool get --pool POOL [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--pool POOL
- The ID of the dedicated host pool. To list dedicated host pools run
ibmcloud ks dedicated pool ls
.
--output OUTPUT
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated pool get --pool mypool
Beta: ibmcloud ks dedicated pool ls
Virtual Private Cloud
List all dedicated host pools.
ibmcloud ks dedicated pool ls [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--output json
- Optional: Prints the command output in JSON format.
--q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated pool ls
Beta: ibmcloud ks dedicated pool rm
Virtual Private Cloud
Delete a dedicated host pool. This action can't be undone.
ibmcloud ks dedicated pool rm --pool POOL [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--pool POOL
- The ID of the dedicated host pool to delete. To list dedicated host pools run
ibmcloud ks dedicated pool ls
. --q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks dedicated pool rm --pool mypool
worker
commands
View and modify worker nodes for a cluster.
Deprecated: ibmcloud ks worker add
Virtual Private Cloud Classic infrastructure
Add stand-alone worker nodes to a cluster.
This command is deprecated. Create a worker pool by running ibmcloud ks worker-pool create classic
or ibmcloud ks worker-pool create vpc-gen2
,
or add workers to an existing worker pool by running ibmcloud ks worker-pool resize
.
ibmcloud ks worker add --cluster CLUSTER [--hardware HARDWARE] --flavor FLAVOR --workers NUMBER --private-vlan PRIVATE_VLAN --public-vlan PUBLIC_VLAN [--disable-disk-encrypt] [--operating-system SYSTEM] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--hardware HARDWARE
- Optional: The level of hardware isolation for your worker node. Use
dedicated
so that available physical resources are dedicated to you only, orshared
to allow physical resources to be shared with other IBM customers. The default isshared
. For bare metal flavors, specifydedicated
. --flavor FLAVOR
- Choose a machine type, or flavor, for your worker nodes. You can deploy your worker nodes as virtual machines on shared or dedicated hardware, or as physical machines on bare metal. Available physical and virtual machines types vary by the
zone in which you deploy the cluster. For more information, see the documentation for the
ibmcloud ks flavors (machine-types)
command. --workers NUMBER
- An integer that represents the number of worker nodes to create in the cluster.
--private-vlan PRIVATE_VLAN
- Required: The private VLAN that was specified when the cluster was created. Private VLAN routers always begin with
bcr
(back-end router) and public VLAN routers always begin withfcr
(front-end router). When you create a cluster and specify the public and private VLANs, the number and letter combination after those prefixes must match. --public-vlan PUBLIC_VLAN
- Optional: The public VLAN that was specified when the cluster was created. If you want your worker nodes to exist on a private VLAN only, don't provide a public VLAN ID. Private VLAN routers always begin with
bcr
(back-end router) and public VLAN routers always begin withfcr
(front-end router). When you create a cluster and specify the public and private VLANs, the number and letter combination after those prefixes must match. If worker nodes are set up with a private VLAN only, you must allow worker nodes and the cluster master to communicate by enabling the private cloud service endpoint or configuring a gateway appliance. --disable-disk-encrypt
- Worker nodes feature AES 256-bit disk encryption by default; learn more. To disable encryption, include this option.
--operating-system UBUNTU_20_64
- Optional. The operating system of the worker nodes in your cluster. For a list of available operating sysems by cluster version, see the Kubernetes version information. If no option is specified, the default operating system that corresponds to the cluster version is used.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker add
command
ibmcloud ks worker add --cluster my_cluster --workers 3 --public-vlan my_public_VLAN_ID --private-vlan my_private_VLAN_ID --flavor b3c.4x16 --hardware shared
ibmcloud ks worker get
Virtual Private Cloud Classic infrastructure
View the details of a worker node.
ibmcloud ks worker get --cluster CLUSTER_NAME_OR_ID --worker WORKER_NODE_ID [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c, --cluster CLUSTER_NAME_OR_ID
- Optional: The name or ID of the worker node's cluster.
--worker WORKER_NODE_ID
- Required: The name of your worker node. Run
ibmcloud ks worker ls --cluster CLUSTER
to view the IDs for the worker nodes in a cluster. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker get
command
ibmcloud ks worker get --cluster my_cluster --worker kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w1
ibmcloud ks worker ls
Virtual Private Cloud Classic infrastructure
List all worker nodes in a cluster.
ibmcloud ks worker ls --cluster CLUSTER [--worker-pool POOL] [--show-pools] [--show-deleted] [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster for the available worker nodes.
-p
,--worker-pool POOL
- Optional: View only worker nodes that belong to the worker pool. To list available worker pools, run
ibmcloud ks worker-pool ls --cluster <cluster_name_or_ID>
. --show-pools
- Optional: List the worker pool that each worker node belongs to.
--show-deleted
- Optional: View worker nodes that were deleted from the cluster, including the reason for deletion.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker ls
command
ibmcloud ks worker ls --cluster my_cluster
ibmcloud ks worker reboot
Virtual Private Cloud Classic infrastructure
Reboot a worker node in a cluster.
During the reboot, the state of your worker node does not change. For example, you might use a reboot if the worker node status in classic IBM Cloud infrastructure is Powered Off
and you need to turn on the worker node. A reboot
clears temporary directories, but does not clear the entire file system or reformat the disks. The worker node IP address remains the same after the reboot operation.
Rebooting a worker node can cause data corruption on the worker node. Use this command with caution and when you know that a reboot can help recover your worker node. In all other cases, reload your worker node instead.
Before you reboot your worker node, make sure that you have enough capacity in other worker nodes to reschedule the pods on the worker node. Rescheduling pods helps to avoid downtime for your app or data corruption on your worker node.
-
List all worker nodes in your cluster and note the name of the worker node that you want to remove.
kubectl get nodes
The name that is returned in this command is the private IP address that is assigned to your worker node. You can find more information about your worker node when you run the
ibmcloud ks worker ls --cluster <cluster_name_or_ID>
command and look for the worker node with the same Private IP address. -
Force pods to be removed from your worker node and rescheduled onto remaining worker nodes in the cluster. The worker node is also cordoned, or marked as unavailable for future pod scheduling. Replace
<worker_name>
with the private IP address of the worker node that you previously retrieved.kubectl drain <worker_name>
This process can take a few minutes.
-
Reboot the worker node. Use the worker ID that is returned from the
ibmcloud ks worker ls --cluster <cluster_name_or_ID>
command.ibmcloud ks worker reboot --cluster <cluster_name_or_ID> --worker <worker_name_or_ID>
-
Wait about 5 minutes before you make your worker node available for pod scheduling to ensure that the reboot is finished. During the reboot, the state of your worker node does not change. The reboot of a worker node is usually completed in a few seconds.
-
Make your worker node available for pod scheduling. Use the name for your worker node that is returned from the
kubectl get nodes
command.kubectl uncordon <worker_name>
ibmcloud ks worker reboot [--hard] --cluster CLUSTER --worker WORKER_ID [--skip-master-healthcheck] [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--hard
- Optional: Use this option to force a hard restart of a worker node by cutting off power to the worker node. Use this option if the worker node is unresponsive or the worker node's container runtime is unresponsive.
-w, --worker WORKER
- Specify a worker node ID. To reload multiple worker nodes, use multiple options, such as
-w worker1_id -w worker2_id
. --skip-master-healthcheck
- Skip a health check of your master before reloading or rebooting your worker nodes.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker reboot
command
ibmcloud ks worker reboot --cluster my_cluster -w kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w1 -w kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w2
ibmcloud ks worker reload
Classic infrastructure
Reload the configurations for a Classic worker node. To reload a worker node in a VPC cluster, use the ibmcloud ks worker replace
command instead.
A reload can be useful if your worker node experiences problems, such as slow performance or if your worker node is stuck in an unhealthy state. During the reload, your worker node machine is updated with the latest image and data is deleted if not stored outside the worker node. The worker node public and private IP address remain the same after the reload operation.
Reloading a worker node applies patch version updates to your worker node, but not major or minor updates. To see the changes from one patch version to the next, review the Version change log documentation.
Before you reload your worker node, make sure that you have enough capacity in other worker nodes to reschedule the pods on the worker node. Rescheduling pods helps to avoid downtime for your app or data corruption on your worker node.
-
List all worker nodes in your cluster and note the name of the worker node that you want to reload.
kubectl get nodes
The name that is returned in this command is the private IP address that is assigned to your worker node. You can find more information about your worker node when you run the
ibmcloud ks worker ls --cluster <cluster_name_or_ID>
command and look for the worker node with the same Private IP address. -
Reload the worker node. As part of the reload process, the pods that run on the worker node are drained and rescheduled onto remaining worker nodes in the cluster. The worker node is also cordoned, or marked as unavailable for future pod scheduling. Use the worker node ID that is returned from the
ibmcloud ks worker ls --cluster <cluster_name_or_ID>
command.ibmcloud ks worker reload --cluster <cluster_name_or_ID> --worker <worker_name_or_ID>
-
Wait for the reload to complete. When your worker node is in a Normal state, the worker node becomes available for pod scheduling again.
ibmcloud ks worker reload --cluster CLUSTER --worker WORKER_ID [--skip-master-healthcheck] [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-w, --worker WORKER
- Specify a worker node ID. To reload multiple worker nodes, use multiple options, such as
-w worker1_id -w worker2_id
. --skip-master-healthcheck
- Skip a health check of your master before reloading or rebooting your worker nodes.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker reload
command
ibmcloud ks worker reload --cluster my_cluster -w kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w1 -w kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w2
ibmcloud ks worker replace
Virtual Private Cloud Classic infrastructure
Delete a worker node and replace it with a new worker node in the same worker pool.
The replacement worker node is created in the same zone and has the same flavor as the old worker node, but might be assigned new public or private IP addresses. You might replace a worker node if you can't reload or update the worker node, such as if it enters a troubled state.
You can also use this command to update the Kubernetes version of the worker node to match the major and minor version of the Kubernetes master by including the --update
option. If you don't include the --update
option,
patch version updates are applied to your worker node, but not major or minor updates. To see the changes from one major, minor, or patch version to the next, review the Version change log documentation. Remember that your worker nodes can be only up to two versions behind the master version (n-2
).
When you replace a worker node, keep in mind the following considerations.
To update Satellite worker nodes, see Updating hosts that are assigned as worker nodes to Satellite-enabled services.
- Multiple worker nodes are replaced concurrently: If you replace multiple worker nodes at the same time, they are deleted and replaced concurrently, not one by one. Make sure that you have enough capacity in your cluster to reschedule your workloads before you replace worker nodes.
- Node-level customizations are not preserved: Any custom labels or taints that you applied at the individual worker node level are not applied to the replacement worker node. Instead, apply labels or taints at the worker pool level so that the replacement worker node gets these attributes.
- Automatic rebalancing: A replacement worker node is not created if the worker pool does not have automatic rebalancing enabled.
Before you begin, make sure that your cluster has enough other worker nodes so that your pods can be rescheduled and continue to run.
-
List all worker nodes in your cluster and note the name of the worker node that you want to replace.
kubectl get nodes
The name that is returned in this command is the private IP address that is assigned to your worker node. You can find more information about your worker node when you run the
ibmcloud ks worker ls --cluster <cluster_name_or_ID>
command and look for the worker node with the same Private IP address. -
Replace the worker node. As part of the replace process, the pods that run on the worker node are drained and rescheduled onto remaining worker nodes in the cluster. The worker node is also cordoned, or marked as unavailable for future pod scheduling. Use the worker node ID that is returned from the
ibmcloud ks worker ls --cluster <cluster_name_or_ID>
command.ibmcloud ks worker replace --cluster <cluster_name_or_ID> --worker <worker_node_ID>
-
Verify that the worker node is replaced.
ibmcloud ks worker ls --cluster <cluster_name_or_ID>
ibmcloud ks worker replace --cluster CLUSTER_NAME_OR_ID --worker WORKER_ID [--update] [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--worker WORKER
- Required: The name or ID of a worker node.
--update
- Include this option to update the worker node to the same major and minor version of the master and the latest patch.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker replace
command
ibmcloud ks worker replace --cluster my_cluster --worker kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w1
ibmcloud ks worker rm
Virtual Private Cloud Classic infrastructure
Remove one or more worker nodes from a cluster. If you remove a worker node, your cluster becomes unbalanced, and replacing a worker node no longer creates a replacement worker node. You can automatically
rebalance your worker pool by running the ibmcloud ks worker-pool rebalance
command after you remove a worker node.
ibmcloud ks worker rm --cluster CLUSTER --worker WORKER [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-w, --worker WORKER
- Specify a worker node ID. To reload multiple worker nodes, use multiple options, such as
-w worker1_id -w worker2_id
. -f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker rm
command
ibmcloud ks worker rm --cluster my_cluster -w kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w1 -w kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w2
ibmcloud ks worker update
Classic infrastructure
Update worker nodes to apply the latest security updates and patches to the operating system, and to update the Kubernetes version to match the version of the Kubernetes master. You can update the master Kubernetes version with the ibmcloud ks cluster master update
command. Remember that your worker nodes can be only up to two versions behind the master version (n-2
). The worker node IP address remains the same after the update operation.
To update a worker node in a VPC cluster, use the ibmcloud ks worker replace
command instead.
Running ibmcloud ks worker update
can cause downtime for your apps and services. During the update, all pods are rescheduled onto other worker nodes, the worker node is reimaged, and data is deleted if not stored outside the pod.
To avoid downtime, ensure that you have enough worker nodes to handle your workload while the selected worker nodes are updating.
To update Satellite worker nodes, see Updating hosts that are assigned as worker nodes to Satellite-enabled services.
You might need to change your YAML files for deployments before you update. Review this release note for details.
ibmcloud ks worker update --cluster CLUSTER --worker WORKER_ID [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where you list available worker nodes.
-w, --worker WORKER
- Specify a worker node ID. To reload multiple worker nodes, use multiple options, such as
-w worker1_id -w worker2_id
. -f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker update
command
ibmcloud ks worker update --cluster my_cluster -w kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w1 -w kube-dal10-cr18a61a63a6a94b658596aa93d087aaa9-w2
worker-pool
commands
View and modify worker pools for a cluster.
ibmcloud ks worker-pool create classic
Classic infrastructure
You can create a worker pool in your cluster. When you add a worker pool, it is not assigned a zone by default. You specify the number of workers that you want in each zone and the flavors for the workers. The worker pool is given the default Kubernetes versions. To finish creating the workers, add a zone or zones to your pool.
To create a worker pool in a VPC cluster, use the ibmcloud ks worker-pool create vpc-gen2
command.
ibmcloud ks worker-pool create classic --name POOL_NAME --cluster CLUSTER --flavor FLAVOR --size-per-zone WORKERS_PER_ZONE --hardware ISOLATION [--disable-disk-encrypt] [--label KEY1=VALUE1] [--operating-system SYSTEM] [-q] [--output json]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--name POOL_NAME
- The name that you want to give your worker pool.
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--flavor FLAVOR
- Choose a machine type, or flavor. You can deploy your worker nodes as virtual machines on shared or dedicated hardware, or as physical machines on bare metal. Available physical and virtual machines types vary by the zone in which you deploy
the cluster. For more information, see the documentation for the
ibmcloud ks flavors (machine-types)
command. --size-per-zone WORKERS_PER_ZONE
- The number of workers to create in each zone.
--hardware ISOLATION
- Required: The level of hardware isolation for your worker node. Use
dedicated
if you want to have available physical resources that are dedicated to you only, orshared
to allow physical resources to be shared with other IBM customers. The default isshared
. For bare metal flavors, specifydedicated
. --disable-disk-encrypt
- Specifies that the disk is not encrypted. The default value is
false
. -l, --label KEY1=VALUE1
- Optional: Apply key-value labels to each worker node in the worker pool. To specify multiple labels, use multiple options, such as
-l key1=value1 -l key2=value2
. --operating-system UBUNTU_20_64
- Optional. The operating system of the worker nodes in your cluster. For a list of available operating sysems by cluster version, see the Kubernetes version information. If no option is specified, the default operating system that corresponds to the cluster version is used.
-q
- Optional: Do not show the message of the day or update reminders.
--output json
- Optional: Prints the command output in JSON format.
Example worker-pool create classic
command
ibmcloud ks worker-pool create classic --name my_pool --cluster my_cluster --flavor b3c.4x16 --size-per-zone 6
ibmcloud ks worker-pool create vpc-gen2
Virtual Private Cloud
Add a worker pool to a VPC cluster. No worker nodes are created until you add zones to the worker pool.
ibmcloud ks worker-pool create vpc-gen2 --name <worker_pool_name> --cluster <cluster_name_or_ID> --flavor <flavor> --size-per-zone <number_of_workers_per_zone> [--operating-system SYSTEM][--dedicated-host-pool POOL][--vpc-id <VPC ID>] [--label KEY1=VALUE1] [--kms-account-id ID] [--kms-instance KMS_INSTANCE_ID] [--crk ROOT_KEY_ID] [--operating-system SYSTEM] [-q] [--secondary-storage STORAGE] [--security-group GROUP ...] [--output json]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
--name NAME
- Required: Set the name for the worker pool.
-c
,--cluster CLUSTER
- Required: Specify the name or ID of the cluster. To list VPC clusters, run
ibmcloud ks cluster ls --provider vpc-gen2
. --size-per-zone NUMBER_WORKERS_PER_ZONE
- Specify the number of worker nodes to create per zone in this worker pool. No worker nodes are created until you add zones to the worker pool.
--operating-system UBUNTU_20_64
- Optional. The operating system of the worker nodes in your cluster. For a list of available operating sysems by cluster version, see the Kubernetes version information. If no option is specified, the default operating system that corresponds to the cluster version is used.
--flavor FLAVOR
- Choose a flavor for your worker nodes. You can deploy your worker nodes as virtual machines on shared or dedicated hardware. To see flavors that are available in a VPC zone, run
ibmcloud ks flavors --zone <vpc_zone> --provider vpc-gen2
. --dedicated-host-pool POOL
- Optional. The ID of the dedicated host pool where you want to run your workers.
--vpc-id VPC_ID
- Optional: Specify the ID of the VPC in which to create the worker pool's worker nodes. The value must match the VPC ID that the cluster is in. To list the cluster's VPC ID, run
ibmcloud ks cluster get -c <cluster_name_or_ID>
. If this option is not provided, then the worker pool defaults to the VPC ID of existing worker pools in the cluster. -l, --label KEY1=VALUE1
- Optional: Apply key-value labels to each worker node in the worker pool. To specify multiple labels, use multiple options, such as
-l key1=value1 -l key2=value2
. --kms-account-id ID
- Optional: The ID of the account that contains the KMS instance you want to use for local disk or secret encryption.
--kms-instance KMS_INSTANCE_ID
- Optional: Include the ID of a key management service (KMS) instance to use to encrypt the local disk on the worker nodes in the
default
worker pool. To list available KMS instances, runibmcloud ks kms instance ls
. If you include this option, you must also include the--crk
option. For more information including steps to create, see Managing encryption for the worker nodes in your cluster. --crk ROOT_KEY
- Optional: Include the ID of the root key in the KMS instance to use to encrypt the local disk on the worker nodes in this worker pool. To list available root keys, run
ibmcloud ks kms crk ls --instance-id
. If you include this option, you must also include the--kms-instance
option. Before you can use KMS encryption, you must create a KMS instance and set up the required service authorization in IAM. See Managing encryption for the worker nodes in your cluster. -q
- Optional: Do not show the message of the day or update reminders.
--secondary-storage STORAGE
- Optional: The storage option for the flavor. For example,
900gb.5iops-tier
. When you add a secondary disk, that disk is used for the container runtime, while the primary disk is used for the operating system. To view the storage options for a flavor, run the**ibmcloud ks flavor get --flavor FLAVOR --zone ZONE --provider vpc-gen2
command. --security-group GROUP
- Optional. Specify one or more security group IDs to apply to all workers on the cluster. For OpenShift version 4.15 and Kubernetes version 1.30 and later, these security groups are applied in addition to the IBM-managed
kube-clusterID
security group. For earlier cluster versions, specify the--cluster-security-group cluster
option to apply thekube-clusterID
security group. If no value is specified, a default set of security groups includingkube-clusterID
are applied. --output json
- Optional: Prints the command output in JSON format.
Example worker-pool create vpc-gen2
command
ibmcloud ks worker-pool create vpc-gen2 --name my_pool --cluster my_cluster --flavor bx2.4x16 --size-per-zone 3
ibmcloud ks worker-pool get
Virtual Private Cloud Classic infrastructure
View the details of a worker pool.
ibmcloud ks worker-pool get --worker-pool WORKER_POOL --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-p, --worker-pool WORKER_POOL
- Required: The name of the worker node pool that you want to view the details of. To list available worker pools, run
ibmcloud ks worker-pool ls --cluster <cluster_name_or_ID>
. -c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the worker pool is located.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker-pool get
command
ibmcloud ks worker-pool get --worker-pool pool1 --cluster my_cluster
ibmcloud ks worker-pool label rm
Virtual Private Cloud Classic infrastructure
Remove all custom Kubernetes labels from all worker nodes in a worker pool.
An individual taint cannot be removed from a working pool. Instead use kubectl taint node <worker_privateIP> key:effect-
command to remove a taint from an individual worker node.
ibmcloud ks worker-pool label rm --cluster CLUSTER --worker-pool POOL [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the worker pool is located.
-p, --worker-pool WORKER_POOL
- Required: The name of the worker node pool that you want to view the details of. To list available worker pools, run
ibmcloud ks worker-pool ls --cluster <cluster_name_or_ID>
. -f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker-pool label rm
command
ibmcloud ks worker-pool label rm --worker-pool pool1 --cluster my_cluster
ibmcloud ks worker-pool label set
Virtual Private Cloud Classic infrastructure
Set custom Kubernetes labels in the format key=value
for all the worker nodes in the worker pool. To keep any existing custom labels on the worker pool, you must include those labels in this command.
ibmcloud ks worker-pool label set --cluster CLUSTER --label LABEL [--label LABEL ...] --worker-pool POOL [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the worker pool is located.
--label LABEL
- Required: A custom label in the format
key=value
to set for all the worker nodes in the worker pool. For multiple labels, repeat this option. To keep any existing custom labels on the worker pool, include those labels with this option. You can list the existing custom labels on worker nodes in the worker pool by runningibmcloud ks worker-pool get -c <cluster_name_or_ID> --worker-pool <pool>
. -p, --worker-pool WORKER_POOL
- Required: The name of the worker node pool that you want to view the details of. To list available worker pools, run
ibmcloud ks worker-pool ls --cluster <cluster_name_or_ID>
. -f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker-pool label set
command
ibmcloud ks worker-pool label set --worker-pool pool1 --cluster my_cluster --label app=dev
ibmcloud ks worker-pool ls
Virtual Private Cloud Classic infrastructure
List all worker pools in a cluster.
ibmcloud ks worker-pool ls --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c, --cluster CLUSTER_NAME_OR_ID
- Required: The name or ID of the cluster for which you want to list worker pools.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker-pool ls
command
ibmcloud ks worker-pool ls --cluster my_cluster
ibmcloud ks worker-pool operating-system set
Set the operating system. After you set the operating system, you must update your workers by running either ibmcloud ks worker update
or ibmcloud ks worker replace
.
ibmcloud ks worker-pool operating-system set --cluster CLUSTER --operating-system SYSTEM --worker-pool POOL [-q]
Command options
--cluster CLUSTER
,-c CLUSTER
- Specify the cluster name or ID.
--operating-system SYSTEM
- Specify the name of the operating system.
-q
- Do not show the message of the day or update reminders.
--worker-pool POOL
,-p POOL
- Specify a worker pool.
ibmcloud ks worker-pool rebalance
Virtual Private Cloud Classic infrastructure
Rebalance a worker pool in a cluster after you delete a worker node. When you run this command, a new worker or workers are added to your worker pool so that the worker pool has the same number of nodes per zone that you specified.
ibmcloud ks worker-pool rebalance --cluster CLUSTER --worker-pool WORKER_POOL [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-p, --worker-pool WORKER_POOL
- Required: The worker pool that you want to rebalance.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker-pool rebalance
command
ibmcloud ks worker-pool rebalance --cluster my_cluster --worker-pool my_pool
ibmcloud ks worker-pool resize
Virtual Private Cloud Classic infrastructure
Resize your worker pool to increase or decrease the number of worker nodes that are in each zone of your cluster.
ibmcloud ks worker-pool resize --cluster CLUSTER --worker-pool WORKER_POOL --size-per-zone WORKERS_PER_ZONE [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster for which you want to resize worker pools.
--worker-pool WORKER_POOL
- Required: The name of the worker node pool that you want to update.
--size-per-zone WORKERS_PER_ZONE
- The number of workers that you want to have in each zone.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker-pool resize
command
ibmcloud ks worker-pool resize --cluster my_cluster --worker-pool my_pool --size-per-zone 3
ibmcloud ks worker-pool rm
Virtual Private Cloud Classic infrastructure
Remove a worker pool from your cluster. All worker nodes in the pool are deleted. Your pods are rescheduled when you delete. To avoid downtime, be sure that you have enough workers to run your workload.
ibmcloud ks worker-pool rm --worker-pool WORKER_POOL --cluster CLUSTER [-q] [-f]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-p, --worker-pool WORKER_POOL
- Required: The name of the worker node pool that you want to remove.
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster that you want to remove the worker pool from.
-q
- Optional: Do not show the message of the day or update reminders.
-f
- Optional: Force the command to run with no user prompts.
Example worker-pool rm
command
ibmcloud ks worker-pool rm --cluster my_cluster --worker-pool pool1
ibmcloud ks worker-pool taint
Set or remove Kubernetes taints for all the worker nodes in a worker pool. After you set up taints, pods without a matching toleration can't run on the worker pool. You might use taints to dedicate your worker pool exclusively for a certain type of workload, such as for networking edge nodes or the cluster autoscaler. For more information about how taints and tolerations work, see the Kubernetes documentation.
ibmcloud ks worker-pool taint set
Virtual Private Cloud Classic infrastructure
Set Kubernetes taints for all the worker nodes in a worker pool. Taints prevent pods without matching tolerations from running on the worker nodes. After you set your custom taint for the worker pool, confirm that the taints are set on the
worker nodes by getting the private IP address of the worker node (ibmcloud ks worker ls -c <cluster_name_or_ID>
) and running kubectl describe node <worker_private_IP>
.
When you set taints for the worker pool, any custom taints that you previously set with this command are overwritten. To keep your existing custom taints and set new taints, check the worker pool's existing taints and include them when you rerun this command.
ibmcloud ks worker-pool taint set --worker-pool WORKER_POOL --cluster CLUSTER --taint KEY=VALUE:EFFECT [--taint KEY=VALUE2:EFFECT] [-f]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-p, --worker-pool WORKER_POOL
- Required: The name of the worker node pool that you want to add the taint to. To list available worker pools, run
ibmcloud ks worker-pool ls -c <cluster_name_or_ID>
. -c
,--cluster CLUSTER
- Required: The name or ID of the cluster with the worker pool that you want to taint.
--taint KEY=VALUE:EFFECT
- Required: The label and effect for the Kubernetes taint that you want to set for the worker pool. Specify the taint in the format
key=value:effect
. Thekey=value
is a label pair such asenv=prod
that you use to manage the worker node taint and matching pod tolerations. Theeffect
is a Kubernetes taint effect such asNoSchedule
,PreferNoSchedule
, orNoExecute
that describes how the taint works. Depending on the effect of the taint that you set, pods that are running on your worker nodes might be evicted. -f
- Optional: Force the command to run with no user prompts.
Example worker-pool taint set
command
ibmcloud ks worker-pool taint set --cluster my_cluster --worker-pool pool1 --taint env=prod:NoSchedule
ibmcloud ks worker-pool taint rm
Virtual Private Cloud Classic infrastructure
Remove all Kubernetes taints for all the worker nodes in a worker pool. To check the taints before you remove them, run ibmcloud ks worker-pool get -c <cluster_name_or_ID> --worker-pool <worker_pool_name_or_ID>
.
When you remove taints for the worker pool, all Kubernetes taints are removed from the worker pool and its worker nodes. To remove an individual taint from all worker nodes, rerun the ibmcloud ks worker-pool taint set
command
and include only the taints that you want to keep. Or, use kubectl taint node <worker_privateIP> key:effect-
command to remove a taint from an individual worker node.
ibmcloud ks worker-pool taint rm --worker-pool WORKER_POOL --cluster CLUSTER [-f]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-p, --worker-pool WORKER_POOL
- Required: The name of the worker node pool that you want to add the taint to. To list available worker pools, run
ibmcloud ks worker-pool ls -c <cluster_name_or_ID>
. -c
,--cluster CLUSTER
- Required: The name or ID of the cluster with the worker pool that you want to taint.
-f
- Optional: Force the command to run with no user prompts.
Example worker-pool taint rm
command
ibmcloud ks worker-pool taint rm --cluster my_cluster --worker-pool pool1
ibmcloud ks worker-pool zones
Virtual Private Cloud Classic infrastructure
View the zones that are attached to a worker pool.
ibmcloud ks worker-pool zones --worker-pool WORKER_POOL --cluster CLUSTER [-q] [-f]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the worker pool exists.
-p, --worker-pool WORKER_POOL
- Required: The name of the worker node pool that you want to see zones for.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example worker-pool zones
command
ibmcloud ks worker-pool zones --cluster my_cluster --worker-pool pool1
zone
commands
ibmcloud ks zone add classic
Classic infrastructure
After you create a classic cluster or worker pool, you can add a zone. When you add a zone, worker nodes are added to the new zone to match the number of workers per zone that you specified for the worker pool. You can add more than one zone only if your cluster is in a multizone metro.
To add a zone to worker pools in a VPC cluster, use the ibmcloud ks zone add vpc-gen2
command.
ibmcloud ks zone add classic --zone ZONE --cluster CLUSTER --worker-pool WORKER_POOL [--private-vlan PRIVATE_VLAN] [--public-vlan PUBLIC_VLAN] [--private-only] [--output json] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--zone ZONE
- Required: The zone that you want to add. The zone must be a multizone-capable zone within the cluster's region.
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-p, --worker-pool WORKER_POOL
- The name of the worker pool to add the zone to. To specify multiple worker pools, use multiple options, such as
-p pool1 -p pool2
. --private-vlan PRIVATE_VLAN
- The ID of the private VLAN. This value is conditional. If you have a private VLAN in the zone, this value must match the private VLAN ID of one or more of the worker nodes in the cluster. To see the VLANs that you have available, run
ibmcloud ks cluster get --cluster <cluster> --show-resources
. New worker nodes are added to the VLAN that you specify, but the VLANs for any existing worker nodes are not changed. If you don't have a private or public VLAN in that zone, don't specify this option. A private and a public VLAN are automatically created for you when you initially add a zone to your worker pool. In classic clusters, if you have multiple VLANs for your cluster, multiple subnets on the same VLAN, or a multizone classic cluster, you must enable a Virtual Router Function (VRF) for your IBM Cloud infrastructure account so your worker nodes can communicate with each other on the private network. To enable VRF, see Enabling VRF. To check whether a VRF is already enabled, use theibmcloud account show
command. If you can't or don't want to enable VRF, enable VLAN spanning. To perform this action, you need the Network > Manage Network VLAN Spanning infrastructure permission, or you can request the account owner to enable it. To check whether VLAN spanning is already enabled, use theibmcloud ks vlan spanning get --region <region>
command. --public-vlan PUBLIC_VLAN
- The ID of the public VLAN. This value is required if you want to expose workloads on the nodes to the public after you create the cluster. It must match the public VLAN ID of one or more of the worker nodes in the cluster for the zone. To
see the VLANs that you have available, run
ibmcloud ks cluster get --cluster <cluster> --show-resources
. New worker nodes are added to the VLAN that you specify, but the VLANs for any existing worker nodes are not changed. If you don't have a private or public VLAN in that zone, don't specify this option. A private and a public VLAN are automatically created for you when you initially add a zone to your worker pool. In classic clusters, if you have multiple VLANs for your cluster, multiple subnets on the same VLAN, or a multizone classic cluster, you must enable a Virtual Router Function (VRF) for your IBM Cloud infrastructure account so your worker nodes can communicate with each other on the private network. To enable VRF, see Enabling VRF. To check whether a VRF is already enabled, use theibmcloud account show
command. If you can't or don't want to enable VRF, enable VLAN spanning. To perform this action, you need the Network > Manage Network VLAN Spanning infrastructure permission, or you can request the account owner to enable it. To check whether VLAN spanning is already enabled, use theibmcloud ks vlan spanning get --region <region>
command. --private-only
- Use this option to prevent a public VLAN from being created. Required only when you specify the
--private-vlan
option and don't include the--public-vlan
option. If worker nodes are set up with a private VLAN only, you must enable the private cloud service endpoint or configure a gateway appliance. For more information, see Planning your private cluster and worker node setup. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example zone add classic
command
ibmcloud ks zone add classic --zone dal10 --cluster my_cluster -p pool1 -w pool2 --private-vlan 2294021
ibmcloud ks zone add vpc-gen2
Virtual Private Cloud
After you create a Generation 2 VPC cluster or worker pool, you can add a zone. When you add a zone, worker nodes are added to the new zone to match the number of workers per zone that you specified for the worker pool. You can add more than one zone only if your cluster is in a multizone metro.
ibmcloud ks zone add vpc-gen2 --zone ZONE --subnet-id VPC_SUBNET_ID --cluster CLUSTER --worker-pool WORKER_POOL [--output json] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--zone ZONE
- Required: The zone that you want to add. It must be a VPC zone within the cluster's region. To see available VPC zones, run
ibmcloud ks zone ls --provider vpc-gen2
. --subnet-id SUBNET_ID
- Required: The ID of the subnet that you want to add. The VPC subnet must be within the
zone
that you specify. To see available VPC subnets, runibmcloud ks subnets --provider vpc-gen2 --vpc-id <vpc> --zone <vpc_zone>
. VPC subnets provide IP addresses for your worker nodes and load balancer services in the cluster, so use a VPC subnet with enough IP addresses, such as 256. -c
,--cluster CLUSTER
- Required: The name or ID of the cluster. To list VPC clusters, run
ibmcloud ks cluster ls --provider vpc-gen2
. -p, --worker-pool WORKER_POOL
- The name of the worker pool to add the zone to. To specify multiple worker pools, use multiple options, such as
-p pool1 -p pool2
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example zone add vpc-gen2
command
ibmcloud ks zone add vpc-gen2 --zone us-south-3 --cluster my_cluster -p pool1 -w pool2
ibmcloud ks zone ls
Virtual Private Cloud Classic infrastructure Satellite
View a list of available zones that you can create a cluster in.
The locations
alias for this command is deprecated.
ibmcloud ks zone ls --provider (classic | satellite | vpc-gen2) [--location LOCATION] [--region-only] [--output json] [-q]
Minimum permissions: None
Command options:
--provider (classic | satellite | vpc-gen2)
- The infrastructure provider type to list zones for. This option is required.
-l, --location LOCATION
- Filter output by a specific location. To see supported locations, run
ibmcloud ks locations
. To specify multiple locations, use one option for each location, such as-l dal -l seo
. --region-only
- Optional: List multizones only within the region that you are logged in to.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks zone ls -l ap
ibmcloud ks zone network-set
Classic infrastructure
Multizone classic clusters only: Set the network metadata for a worker pool to use a different public or private VLAN for the zone than it previously used. Worker nodes that were already created in the pool continue to use the previous public or private VLAN, but new worker nodes in the pool use the new network data.
ibmcloud ks zone network-set --zone ZONE --cluster CLUSTER --private-vlan PRIVATE_VLAN --worker-pool WORKER_POOL [--public-vlan PUBLIC_VLAN] [--private-only] [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--zone ZONE
- Required: The zone that you want to add. The zone must be a multizone-capable zone within the cluster's region.
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-p, --worker-pool WORKER_POOL
- The name of the worker pool to add the zone to. To specify multiple worker pools, use multiple options, such as
-p pool1 -p pool2
. --private-vlan PRIVATE_VLAN
- The ID of the private VLAN. This value is required, whether you want to use the same or a different private VLAN than the one that you used for your other worker nodes. New worker nodes are added to the VLAN that you specify, but the VLANs for any existing worker nodes are not changed. The private and public VLANs must be compatible, which you can determine from the Router ID prefix.
--public-vlan PUBLIC_VLAN
- The ID of the public VLAN. This value is required only if you want to change the public VLAN for the zone. To change the public VLAN, you must always provide a compatible private VLAN. New worker nodes are added to the VLAN that you specify, but the VLANs for any existing worker nodes are not changed. The private and public VLANs must be compatible, which you can determine from the Router ID prefix.
--private-only
- Optional: Unset the public VLAN so that the workers in this zone are connected to a private VLAN only.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Usage:
-
Check the VLANs that are available in your cluster.
ibmcloud ks cluster get --cluster <cluster_name_or_ID> --show-resources
Example output
Subnet VLANs VLAN ID Subnet CIDR Public User-managed 229xxxx 169.xx.xxx.xxx/29 true false 229xxxx 10.xxx.xx.x/29 false false
-
Check that the public and private VLAN IDs that you want to use are compatible. To be compatible, the Router must have the same pod ID. Private VLAN routers always begin with
bcr
(back-end router) and public VLAN routers always begin withfcr
(front-end router). When you create a cluster and specify the public and private VLANs, the number and letter combination after those prefixes must match.ibmcloud ks vlan ls --zone <zone>
In the example output, note that Router pod IDs match:
01a
and01a
. If one pod ID was01a
and the other was02a
, you can't set these public and private VLAN IDs for your worker pool.ID Name Number Type Router Supports Virtual Workers 229xxxx 1234 private bcr01a.dal12 true 229xxxx 5678 public fcr01a.dal12 true
-
If you don't have any VLANs available, you can order new VLANs.
Example zone network-set
command
ibmcloud ks zone network-set --zone dal10 -c my_cluster -p pool1 -p pool2 --private-vlan 2294021
ibmcloud ks zone rm
Virtual Private Cloud Classic infrastructure
Multizone clusters only: Remove a zone from one or more worker pools in your cluster. All worker nodes in the worker pool for this zone are deleted.
Before you remove a zone, make sure that you have enough worker nodes in other zones in the cluster so that your pods can reschedule. Rescheduling your pods can avoid a downtime for your app or data corruption on your worker node.
ibmcloud ks zone rm --cluster CLUSTER --zone ZONE --worker-pool WORKER_POOL [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--zone ZONE
- Required: The zone that you want to remove.
-p, --worker-pool WORKER_POOL
- The name of the worker pool to remove the zone from. To specify multiple worker pools, use multiple options, such as
-p pool1 -p pool2
. To remove the zone from all worker pools in the cluster, don't include this option. -f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example zone rm
command
ibmcloud ks zone rm --zone dal10 --cluster my_cluster
ingress
commands
View and configure Ingress application load balancers (ALBs).
In CLI version 1.0.157 and later, the ibmcloud ks alb
category is deprecated, and these commands are now listed in the ibmcloud ks ingress alb
subcategory. For more information, see the CLI change log.
ibmcloud ks ingress alb autoscale get
Virtual Private Cloud Classic infrastructure
Get the details and status of an Ingress ALB autoscaling configuration.
ibmcloud ks ingress alb autoscale get --alb ALB --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--alb ALB
- Required: The name or ID of the ALB to configure autoscaling on.
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
--output json
- Optional: Prints the command output in JSON format.
Example ingress alb autoscale get
command
ibmcloud ks ingress alb autoscale get --alb myalb123 --cluster mycluster
ibmcloud ks ingress alb autoscale set
Virtual Private Cloud Classic infrastructure
Configure autoscaling to automatically increase or decrease the number of Ingress ALB pods based on the current load. You can choose to scale pods based on CPU utilization, or you can use custom metrics that you specify. If you base autoscaling configuration on CPU utilization, you specify an average CPU utilization rate as well as a maximum and minimum number of pods to be deployed at any given time. If you choose to specify custom metrics for autoscaling, you pass in a path to a custom metric file.
ibmcloud ks ingress alb autoscale set --alb ALB --cluster CLUSTER --max-replicas REPLICAS --min-replicas REPLICAS [--output OUTPUT] [-q] (--cpu-average-utilization PERCENT | --custom-metrics-file FILE)
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--alb ALB
- Required: The name or ID of the ALB to configure autoscaling on.
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--max-replicas REPLICAS
- The maximum number of replicas to deployed at any time. This value is required if you include the
---cpu-average-utilization
option. --min-replicas REPLICAS
- The minimum number of replicas to deploy at any time. This value is required if you include the
---cpu-average-utilization
option. --cpu-average-utilization PERCENTAGE
- The average utilization threshold used to dynamically calculate the number of replicas.
--custom-metrics-file
- The path to the custom metrics file.
-q
- Optional: Do not show the message of the day or update reminders.
--output json
- Optional: Prints the command output in JSON format.
Example ingress alb autoscale set
command
ibmcloud ks ingress alb autoscale set --alb myalb123 --cluster mycluster --max-replicas 5 --min-replicas 2 --cpu-average-utilization 5
ibmcloud ks ingress alb autoscale unset
Virtual Private Cloud Classic infrastructure
Remove autoscaling from your Ingress ALBs by deleting the autoscaling configuration.
ibmcloud ks ingress alb autoscale unset --alb ALB --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--alb ALB
- Required: The name or ID of the ALB to configure autoscaling on.
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb autoscale unset
command
ibmcloud ks ingress alb autoscale unset --alb myalb123 --cluster mycluster
ibmcloud ks ingress alb autoupdate disable
Virtual Private Cloud Classic infrastructure
Disable automatic updates of all Ingress ALB pods in a cluster.
By default, automatic updates to Ingress application load balancers (ALBs) are enabled. ALB pods are automatically updated when a new image version is available. To instead update the add-on manually, use this command to disable automatic
updates. You can then update ALB pods by running the ibmcloud ks ingress alb update
command.
When you update the major or minor Kubernetes version of your cluster, IBM automatically makes necessary changes to the Ingress deployment, but does not change the image version of your Ingress ALB add-on. You are responsible for checking the compatibility of the latest Kubernetes versions and your Ingress ALB add-on images.
ibmcloud ks ingress alb autoupdate disable --cluster CLUSTER [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb autoupdate disable
command
ibmcloud ks ingress alb autoupdate disable --cluster mycluster
ibmcloud ks ingress alb autoupdate enable
Virtual Private Cloud Classic infrastructure
Enable automatic updates of all Ingress ALB pods in a cluster.
If automatic updates for the Ingress ALB add-on are disabled, you can re-enable automatic updates. Whenever the next image version becomes available, the ALBs are automatically updated to the latest build.
ibmcloud ks ingress alb autoupdate enable --cluster CLUSTER [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks ingress alb autoupdate get
Virtual Private Cloud Classic infrastructure
Check whether automatic updates for the Ingress ALB add-on are enabled and whether your ALBs are updated to the latest image version.
ibmcloud ks ingress alb autoupdate get --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks ingress alb create classic
Classic infrastructure
Create a public or private ALB in a classic cluster. The ALB that you create is enabled by default.
ibmcloud ks ingress alb create classic --cluster CLUSTER --type (PUBLIC|PRIVATE) --vlan VLAN_ID --zone ZONE [--ip IP] [--version IMAGE_VERSION] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- The name or ID of the cluster.
--type (PUBLIC|PRIVATE)
- The type of ALB:
public
orprivate
. This type must match thevlan
. --vlan VLAN_ID
- The ID of the VLAN to create the ALB on. This VLAN must match the ALB
type
and must be in the samezone
as the ALB that you want to create. --zone ZONE
- The zone to create the ALB in.
--ip IP
- Optional: An IP address to assign to the ALB. This IP must be on the
vlan
that you specified and must be in the samezone
as the ALB that you want to create. This IP address must not be in use by another load balancer or ALB in the cluster. To see the IP addresses that are currently in use, runkubectl get svc --all-namespaces
. --version IMAGE_VERSION
- Optional: The version of the image that you want the ALB to run. To list available versions, run
ibmcloud ks ingress alb versions
. To specify a version other than the default, you must first disable automatic updates by running theibmcloud ks ingress alb autoupdate disable
command. If you omit this option, the ALB runs the default version of the Kubernetes Ingress image type. -q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb create classic
command
ibmcloud ks ingress alb create classic --cluster mycluster --type public --vlan 2234945 --zone dal10 --ip 1.1.1.1 --version 1.1.2_2507_iks
ibmcloud ks ingress alb create vpc-gen2
Virtual Private Cloud
Create a public or private ALB in a VPC cluster. The ALB that you create is enabled by default.
ibmcloud ks ingress alb create vpc-gen2 --cluster CLUSTER --type PUBLIC|PRIVATE --zone ZONE [--version IMAGE_VERSION] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- The name or ID of the cluster. To view VPC clusters, run
ibmcloud ks cluster ls --provider vpc-gen2
. --type PUBLIC|PRIVATE
- The type of ALB:
public
orprivate
. --zone ZONE
- The VPC zone to deploy the ALB to.
--version IMAGE_VERSION
- Optional: The version of the image that you want the ALB to run. To list available versions, run
ibmcloud ks ingress alb versions
. To specify a version other than the default, you must first disable automatic updates by running theibmcloud ks ingress alb autoupdate disable
command. If you omit this option, the ALB runs the default version of the Kubernetes Ingress image type. -q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb create vpc-gen2
command
ibmcloud ks ingress alb create vpc-gen2 --cluster mycluster --type public --zone us-south-1 --version 1.1.2_2507_iks
ibmcloud ks ingress alb disable
Virtual Private Cloud Classic infrastructure
Disable an ALB in your cluster. The ALB and its pods still exist, but stop routing traffic to your apps.
The previous alias for this command, ibmcloud ks ingress alb configure
, is deprecated.
ibmcloud ks ingress alb disable --alb ALB_ID --cluster CLUSTER [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--alb ALB_ID
- Required: The ID for an ALB. To view the IDs for the ALBs in a cluster, run
ibmcloud ks ingress alb ls --cluster CLUSTER
. -c
,--cluster CLUSTER
- The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb disable
command
ibmcloud ks ingress alb disable --alb public-cr18a61a63a6a94b658596aa93a087aaa9-alb1 --cluster mycluster
ibmcloud ks ingress alb enable classic
Classic infrastructure
Enable an ALB in your classic cluster.
The previous alias for this command, ibmcloud ks ingress alb configure classic
, is deprecated.
You can use this command to:
- Enable a default private ALB. When you create a cluster, a default private ALB is created for you in each zone where you have workers and an available private subnet, but the default private ALBs are not enabled. However, all default public
ALBs are automatically enabled, and any public or private ALBs that you create with the
ibmcloud ks ingress alb create classic
command are enabled by default too. - Enable an ALB that you previously disabled.
ibmcloud ks ingress alb enable classic --alb ALB_ID --cluster CLUSTER [--ip IP_ADDRESS] [--version IMAGE_VERSION] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--alb ALB_ID
- Required: The ID for an ALB. To view the IDs for the ALBs in a cluster, run
ibmcloud ks ingress alb ls --cluster CLUSTER
. -c
,--cluster CLUSTER
- The name or ID of the cluster.
--ip IP_ADDRESS
- Optional: Specify an IP address that is on a VLAN in the zone that the ALB was created in. The ALB is enabled with and uses this public or private IP address. This IP address must not be in use by another load balancer or ALB in the cluster. If no IP address is provided, the ALB is deployed with a public or private IP address from the portable public or private subnet that was provisioned automatically when you created the cluster, or if you re-enable an ALB that was previously enabled, the public or private IP address that was previously assigned to the ALB.
--version IMAGE_VERSION
- Optional: The version of the image that you want the ALB to run. To list available versions, run
ibmcloud ks ingress alb versions
. To specify a version other than the default, you must first disable automatic updates by running theibmcloud ks ingress alb autoupdate disable
command. If you omit this option, the ALB runs the default version of the same image that the ALB previously ran: either the Kubernetes Ingress image or the IBM Cloud Kubernetes Service Ingress image. -q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb enable classic
command
ibmcloud ks ingress alb enable classic --alb private-cr18a61a63a6a94b658596aa93a087aaa9-alb1 --cluster mycluster --ip 169.XX.XXX.XX --version 1.1.2_2507_iks
ibmcloud ks ingress alb enable vpc-gen2
Virtual Private Cloud
Enable an ALB in a VPC cluster.
The previous alias for this command, ibmcloud ks ingress alb configure vpc-gen2
, is deprecated.
You can use this command to:
- Enable a default private ALB. When you create a cluster, a default private ALB is created for you in each zone where you have worker nodes, but the default private ALBs are not enabled. However, all default public ALBs are automatically
enabled, and any public or private ALBs that you create with the
ibmcloud ks ingress alb create vpc-gen2
command are enabled by default too. - Enable an ALB that you previously disabled.
ibmcloud ks ingress alb enable vpc-gen2 --alb ALB_ID --cluster CLUSTER [--version IMAGE_VERSION] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--alb ALB_ID
- Required: The ID for an ALB. To view the IDs for the ALBs in a cluster, run
ibmcloud ks ingress alb ls --cluster CLUSTER
. -c
,--cluster CLUSTER
- The name or ID of the cluster.
--version IMAGE_VERSION
- Optional: The version of the image that you want the ALB to run. To list available versions, run
ibmcloud ks ingress alb versions
. To specify a version other than the default, you must first disable automatic updates by running theibmcloud ks ingress alb autoupdate disable
command. If you omit this option, the ALB runs the default version of the same image that the ALB previously ran: either the Kubernetes Ingress image or the IBM Cloud Kubernetes Service Ingress image. -q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb enable vpc-gen2
command
ibmcloud ks ingress alb enable vpc-gen2 --alb private-cr18a61a63a6a94b658596aa93a087aaa9-alb1 --cluster mycluster --version 1.1.2_2507_iks
ibmcloud ks ingress alb get
Virtual Private Cloud Classic infrastructure
View the details of an Ingress ALB in a cluster.
ibmcloud ks ingress alb get --alb ALB_ID --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--alb ALB_ID
- Required: The ID for an ALB. To view the IDs for the ALBs in a cluster, run
ibmcloud ks ingress alb ls --cluster CLUSTER
. -c
,--cluster CLUSTER
- The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb get
command
ibmcloud ks ingress alb get --alb public-cr18a61a63a6a94b658596aa93a087aaa9-alb1 --cluster mycluster
ibmcloud ks ingress alb health-checker disable
Virtual Private Cloud Classic infrastructure
Disable the health checker for an Ingress ALB in a cluster.
ibmcloud ks ingress alb health-checker disable --cluster CLUSTER [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb health-checker disable
command
ibmcloud ks ingress alb health-checker disable --cluster mycluster
ibmcloud ks ingress alb health-checker enable
Virtual Private Cloud Classic infrastructure
Enable the health checker for an Ingress ALB in a cluster.
ibmcloud ks ingress alb health-checker enable --cluster CLUSTER [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- The name or ID of the cluster.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb health-checker enable
command
ibmcloud ks ingress alb health-checker enable --cluster mycluster
ibmcloud ks ingress alb health-checker get
Virtual Private Cloud Classic infrastructure
View the details of the health checker for an Ingress ALB in a cluster.
ibmcloud ks ingress alb health-checker get --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb health-checker get
command
ibmcloud ks ingress alb health-checker get --cluster mycluster
ibmcloud ks ingress alb ls
Virtual Private Cloud Classic infrastructure
List all Ingress ALB IDs in a cluster and view whether an update for the ALB pods is available.
If no ALB IDs are returned, then the cluster does not have a portable subnet. You can create or add subnets to a cluster. Afterward, ALBs are automatically created for you.
ibmcloud ks ingress alb ls --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
*-c, --cluster *CLUSTER
- Required: The name or ID of the cluster where you list available ALBs.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress alb ls
command
ibmcloud ks ingress alb ls --cluster my_cluster
ibmcloud ks ingress alb update
Virtual Private Cloud Classic infrastructure
Force an update of the pods for individual or all Ingress ALBs in the cluster to the latest or a specific version.
If automatic updates for the Ingress ALB add-on are disabled and you want to update the add-on, you can force a one-time update of your ALB pods. If your ALB pods were recently updated, but a custom configuration for your ALBs is affected
by the latest build, you can also use this command to roll back ALB pods to an earlier, supported version. Note that you can use this command to update your ALB image to a different version, but you can't use this command to change your
ALB from one type of image to another. After you force a one-time update, automatic updates remain disabled, but can be re-enabled with the ibmcloud ks ingress alb autoupdate enable
command.
ibmcloud ks ingress alb update --cluster CLUSTER [--alb ALB1_ID --alb ALB2_ID ...] [--version IMAGE_VERSION] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where you want to update the ALBs.
--alb CLUSTER
- Optional: The ID of the individual ALB to update. To list ALB IDs, run
ibmcloud ks ingress alb ls -c <cluster>
. To update multiple ALBs, use multiple options, such as--alb ALB1_ID --alb ALB2_ID
. If you omit this option, all ALBs in the cluster are updated. --version IMAGE_VERSION
- Optional: The version of the image that you want to update ALBs to.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
- To update all ALB pods in the cluster:
ibmcloud ks ingress alb update -c mycluster --version 1.1.2_2507_iks
- To update the ALB pods for one or more specific ALBs:
ibmcloud ks ingress alb update -c mycluster --version 1.1.2_2507_iks --alb public-crdf253b6025d64944ab99ed63bb4567b6-alb1
ibmcloud ks ingress alb versions
Virtual Private Cloud Classic infrastructure
View the available Ingress ALB versions.
ibmcloud ks ingress alb versions [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for IBM Cloud Kubernetes Service
Command options:
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks ingress domain create
Create an Ingress domain for a cluster.
ibmcloud ks ingress domain create --cluster CLUSTER [--crn CRN] [--default] [--domain DOMAIN] [--hostname HOSTNAME] [--ip IP] [--output OUTPUT] [--domain-provider PROVIDER] [-q] [--secret-namespace NAMESPACE] [--domain-zone ZONE]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where you want to create the domain.
--crn CRN
- Required for IBM Cloud Internet Services domains. The CRN for the IBM Cloud Internet Services instance.
--is-default
- Optional. Include this option to set the relevant domain as the default domain for the cluster.
--domain DOMAIN
- The Ingress domain. You can specify an existing domain, or create a new one. For provider specific information on specifying domains, see Creating your own Ingress domain.
--hostname HOSTNAME
- Optional. For VPC clusters. The hostname to register for the domain.
--ip IP
- Optional. The IP addresses to register for the domain.
--output OUTPUT
- Optional: Prints the command output in JSON format.
--domain-provider PROVIDER
- Optional. The external DNS provider type. Available options are
akamai-ext
,cloudflare-ext
, orcis-ext
. If no provider is specified, a domain is created with the IBM-managed internal provider. --secret-namespace NAMESPACE
- Optional. The namespace that the TLS secret is created in. If no namespace is specified, the secret is created in the
default
namespace. --domain-zone ZONE
- Optional. The Domain ID for your IBM Cloud Internet Services instance. This is a GUID value.
Example ingress domain create
command
This example command creates a domain registered with the IBM Cloud internal provider. For examples to create domains with different providers, see Creating your own Ingress domain.
ibmcloud ks ingress domain create --cluster my-cluster --domain exampledomain
ibmcloud ks ingress domain credential get
View the details of the external domain provider credentials that have been added to your cluster.
ibmcloud ks ingress domain credential get --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the credential is applied.
--output OUPUT
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain credential
command
ibmcloud ks ingress domain credential get --cluster mycluster
ibmcloud ks ingress domain credential rm
Remove external domain provider credentials from the cluster.
ibmcloud ks ingress domain credential rm --cluster CLUSTER [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the credential is applied.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain credential rm
command
ibmcloud ks ingress domain credential rm --cluster mycluster
ibmcloud ks ingress domain credential set akamai
Add external Akamai domain credentials to your cluster.
ibmcloud ks ingress domain credential set akamai --cluster CLUSTER [--access-token TOKEN] [--client-secret SECRET] [--client-token TOKEN] [--host HOST] [-q] [--domain-zone ZONE]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where you want to add the credentials.
--access-token TOKEN
- The access token for the Akamai API Client credentials. This token is provided by Akamai.
--client-secret SECRET
- The client secret for the Akamai API Client credentials. This secret is provided by Akamai.
--client-token TOKEN
- The client token for the Akamai API Client credentials. This token is provided by Akamai.
--host HOST
- The host for the Akamai API Client credentials.
-q
- Optional: Do not show the message of the day or update reminders.
--domain-zone ZONE
- The DNS zone that exists in your external account and is specified in the Akamai credentials. Specify the full zone name, such as
example.external.adppdomain.cloud
.
Example ingress domain credential set akamai
command
ibmcloud ks ingress domain credential set akamai --cluster mycluster [--access-token TOKEN] [--client-secret SECRET] [--client-token TOKEN] [--host HOST] [-q] [--domain-zone ZONE]
ibmcloud ks ingress domain credential set cloudflare
Add external Cloudflare domain credentials to your cluster.
ibmcloud ks ingress domain credential set cloudflare --cluster CLUSTER [-q] [--token TOKEN] [--domain-zone ZONE]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where you want to add the credentials.
-q
- Optional: Do not show the message of the day or update reminders.
--token TOKEN
- The access token for Cloudflare credentials. This token is provided by Cloudflare.
--domain-zone ZONE
- The DNS zone that exists in your external account and is specified in your Cloudflare credentials. This value is a GUID.
Example ingress domain credential set cloudflare
command
ibmcloud ks ingress domain credential set akamai --cluster mycluster [--access-token TOKEN] [--client-secret SECRET] [--client-token TOKEN] [--host HOST] [-q] [--domain-zone ZONE]
ibmcloud ks ingress domain default replace
Change a cluster's default Ingress domain.
ibmcloud ks ingress domain default replace --cluster CLUSTER --domain DOMAIN [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service.
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the domain is applied.
--domain DOMAIN
- Required. The domain that you want to specify as the new default domain for the cluster. You must specify an existing domain.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain default replace
command
ibmcloud ks ingress domain default replace --cluster CLUSTER --domain DOMAIN [-q]
ibmcloud ks ingress domain get
View the details of an Ingress domain.
ibmcloud ks ingress domain get --cluster CLUSTER --domain DOMAIN [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the domain is applied.
--domain DOMAIN
- Required. The domain that you want to view details for.
--output OUTPUT
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain get
command
ibmcloud ks ingress domain get --cluster CLUSTER --domain DOMAIN [--output OUTPUT] [-q]
ibmcloud ks ingress domain ls
List all Ingress domains for a cluster.
ibmcloud ks ingress domain ls --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output OUTPUT
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain ls
command
ibmcloud ks ingress domain ls --cluster CLUSTER [--output OUTPUT] [-q]
ibmcloud ks ingress domain rm
Remove an Ingress domain from a cluster.
ibmcloud ks ingress domain rm --cluster CLUSTER --domain DOMAIN [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the domain is applied.
--domain DOMAIN
- Required. The domain that you want to remove from the cluster. You cannot specify the default domain. If you want to remove the domain that is currently set as the default for your cluster, you must first replace the default with another domain.
-f
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain rm
command
ibmcloud ks ingress domain rm --cluster CLUSTER --domain DOMAIN [-f] [-q]
ibmcloud ks ingress domain secret regenerate
Regenerate the certificate for an Ingress domain. Run this command to generate a new token in your DNS provider and apply it to your cluster
ibmcloud ks ingress domain secret regenerate --cluster CLUSTER --domain DOMAIN [--output OUTPUT] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the domain is applied.
--domain DOMAIN
- Required. The domain you want to regenerate.
--output OUTPUT
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain secret regenerate
command
ibmcloud ks ingress domain secret regenerate --cluster mycluster --domain exampledomain [--output OUTPUT] [-q]
ibmcloud ks ingress domain secret rm
Delete the secret for an Ingress domain and prevent future renewal of the certificate.
ibmcloud ks ingress domain secret rm --cluster CLUSTER --domain DOMAIN [-f] [--output OUTPUT] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the domain is applied.
--domain DOMAIN
- Required. The domain you want to remove the secret from.
-f
--output OUTPUT
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain secret rm
command
ibmcloud ks ingress domain secret rm --cluster CLUSTER --domain DOMAIN [-f] [--output OUTPUT] [-q]
ibmcloud ks ingress domain update
Update an Ingress domain for a cluster to change the hostnames or IP addresses associated with the domain. This command updates all the resources in your cluster with the specified IP addresses or hostnames and changes your app URLs.
ibmcloud ks ingress domain update --cluster CLUSTER --domain DOMAIN [--hostname HOSTNAME] [--ip IP] [--ip IP] [-q]
Note that when you add IP addresses or hostnames, you must include any IPs or hostnames that are currently registered to the domain. The domain updates with the exact values specified, so any current IP addresses or hostnames are overwritten
if they are not included. For example, if 52.137.182.166
is currently registered to your domain and you want to add 52.137.182.270
, you must specify --ip 52.137.182.166 --ip 52.137.182.270
in the command.
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where the domain is applied.
--domain DOMAIN
- Required. The domain you want to update.
--hostname HOSTNAME
- For VPC clusters. The hostname to register for the domain.
--ip IP
- The IP addresses to register for the domain. The IP addresses passed in fully replace those that are currently associated with the domain. If you want to keep the current IP addresses, you must include them. Specifying this flag with no values unregisters the current IP addresses from the domain.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress domain update
command
ibmcloud ks ingress domain update --cluster CLUSTER --domain DOMAIN [--hostname HOSTNAME] [--ip IP] [-q]
ibmcloud ks ingress instance default set
Virtual Private Cloud Classic infrastructure
Set a registered an IBM Cloud Secrets Manager instance to default. If an existing default instance exists, it will be unset from default.
When you set a new default Secrets Manager instance, any existing secrets that are not managed by IBM Cloud must have their certificate CRN manually updated to match the CRN of the new default instance. To update the CRN, use the ibmcloud ks ingress secret update
command. If you do not update the CRN, these secrets do not update at the next scheduled certificate renewal.
ibmcloud ks ingress instance default set --cluster CLUSTER --crn CRN --name NAME [-q] [--secret-group GROUP]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--crn
- Required. The CRN of the IBM Cloud Secret Manager instance.
--name NAME
- Required. The name of the Secret Manager instance.
-q
- Optional: Do not show the message of the day or update reminders.
--secret-group GROUP
- Secret group ID of the IBM Cloud Secret Manager instance where the secrets are persisted. To get a secret group ID, see the Secrets Manager CLI reference.
Example:
ibmcloud ks ingress instance default set --cluster --cluster a111aaa11a1aaaaaaa1 --crn crn:v1:staging:public:secrets-manager:eu-gb:a/1a11a1a111aa11aa111aa1a1111aa1a1:1aaa1a1a-aaaa-11aa-1a11-a11aaa1a11a1:secret:a1a11a11-111a-11a1-aa11-11aaa1a11a11 --name my-secret-manager --namespace default --secret-group 90e059dd-d04e-a32b-010f-4d303b9050b8
ibmcloud ks ingress instance default unset
Virtual Private Cloud Classic infrastructure
Remove a Secrets Manager instance as the default instance.
If no default instance is set, your secrets are only written directly to the cluster and are not written to any Secrets Manager instance.
ibmcloud ks ingress instance default unset --cluster CLUSTER --crn CRN --name NAME [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--crn
- Required. The CRN of the IBM Cloud Secret Manager instance.
--name NAME
- Required. The name of the Secret Manager instance.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks ingress instance default unset --cluster --cluster a111aaa11a1aaaaaaa1 --crn crn:v1:staging:public:secrets-manager:eu-gb:a/1a11a1a111aa11aa111aa1a1111aa1a1:1aaa1a1a-aaaa-11aa-1a11-a11aaa1a11a1:secret:a1a11a11-111a-11a1-aa11-11aaa1a11a11 --name my-secret-manager --namespace default
ibmcloud ks ingress instance get
Virtual Private Cloud Classic infrastructure
View the details of a Secrets Manager instance.
ibmcloud ks ingress instance get --cluster CLUSTER --name NAME [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--name NAME
- Required. The name of the Secret Manager instance.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks ingress instance get --cluster my-cluster --name my-secrets-manager
ibmcloud ks ingress instance ls
Virtual Private Cloud Classic infrastructure
List all Secrets Manager instances registered to a cluster.
ibmcloud ks ingress instance ls --cluster CLUSTER [--output OUTPUT] [-q] [--show-deleted]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
--show-deleted
- Optional. Add this option to include instances that were unregistered from the cluster.
Example:
ibmcloud ks ingress instance ls --cluster my-cluster --show-deleted
ibmcloud ks ingress instance register
Virtual Private Cloud Classic infrastructure
Register a Secrets Manager instance to a cluster.
ibmcloud ks ingress instance register --cluster CLUSTER --crn CRN [--is-default] [--secret-group GROUP] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--crn
- Required. The CRN of the IBM Cloud Secret Manager instance.
--is-default
- Optional. Include this option to also set the registered instance as the default Secrets Manager instance where all Ingress subdomain certificates are stored. If another instance is already set as default, it is removed. Note that you must manually update any certificates or secrets to upload them to the new default instance. Otherwise, they are uploaded at the next scheduled update time for the secret.
-q
- Optional: Do not show the message of the day or update reminders.
--secret-group GROUP
- Secret group ID of the IBM Cloud Secret Manager instance where the secrets are persisted. To get a secret group ID, see the Secrets Manager CLI reference.
Example:
ibmcloud ks ingress instance register --cluster my-cluster --crn crn:v1:staging:public:secrets-manager:eu-gb:a/1a11a1a111aa11aa111aa1a1111aa1a1:1aaa1a1a-aaaa-11aa-1a11-a11aaa1a11a1:secret:a1a11a11-111a-11a1-aa11-11aaa1a11a11 --secret-group 90e059dd-d04e-a32b-010f-4d303b9050b8
ibmcloud ks ingress instance unregister
Virtual Private Cloud Classic infrastructure
Remove a Secrets Manager instance from a cluster.
ibmcloud ks ingress instance unregister --cluster CLUSTER --name NAME [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--name
- Required. The name of the Secrets Manager instance to remove.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks ingress instance unregister --cluster my-cluster --name my-secrets-manager-instance
ibmcloud ks ingress lb get
Virtual Private Cloud Classic infrastructure
Get the configuration of load balancers that expose Ingress ALBs in your cluster.
For example, if you previously ran commands such as ibmcloud ks ingress lb proxy-protocol enable
, you can use this command to view your configuration changes.
ibmcloud ks ingress lb get --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress lb get
command
ibmcloud ks ingress lb get --cluster mycluster
ibmcloud ks ingress lb proxy-protocol disable
Virtual Private Cloud
Disable the NGINX PROXY protocol for the load balancers in front of all Ingress ALBs in your cluster so that client connection information is no longer passed in request headers to ALBs.
After you run this command, the existing load balancers are deleted and re-created, which can cause service disruptions. Two unused IP addresses must be available in each subnet during the load balancer recreation.
ibmcloud ks ingress lb proxy-protocol disable --cluster CLUSTER [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress lb proxy-protocol disable
command
ibmcloud ks ingress lb proxy-protocol disable --cluster mycluster
ibmcloud ks ingress lb proxy-protocol enable
Virtual Private Cloud
Enable the NGINX PROXY protocol for all load balancers that expose Ingress ALBs in your cluster so that client connection information is passed in request headers to ALBs.
The PROXY protocol enables load balancers to pass client connection information that is contained in headers on the client request to the ALBs. This client information can include the client IP address, the proxy server IP address, and both port numbers.
After you run this command, the existing load balancers are deleted and re-created, which can cause service disruptions. Two unused IP addresses must be available in each subnet during the load balancer recreation.
ibmcloud ks ingress lb proxy-protocol enable --cluster CLUSTER [--cidr CIDR ...] [--header-timeout TIMEOUT] [-f] [-q]
- Minimum required permissions
- Operator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--cidr CIDR
- Optional: Load balancer CIDRs from which ALBs process information in PROXY protocol headers. If requests that contain PROXY headers originate from load balancers in other IP ranges, the information in the headers is not process by the ALB.
This option is supported only for ALBs that run the community Kubernetes Ingress image. Default:
0.0.0.0/0
--header-timeout TIMEOUT
- Optional: The timeout value, in seconds, for the load balancer to receive the PROXY protocol headers that contain the client connection information. This option is supported only for ALBs that run the community Kubernetes Ingress image.
Default:
5
-f
- Optional: Force the command to run with no user prompts.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress lb proxy-protocol enable
command
ibmcloud ks ingress lb proxy-protocol enable --cluster mycluster --cidr 1.1.1.1/16
ibmcloud ks ingress secret create
Virtual Private Cloud Classic infrastructure
Create an Ingress secret in a cluster for a certificate that is stored in IBM Cloud® Secrets Manager. This command can be used to create TLS or non-TLS secrets.
The previous alias for this command, ibmcloud ks ingress alb cert deploy
, is deprecated. In CLI version 1.0.157 and later, the ibmcloud ks ingress alb cert
category is deprecated, and these commands are now listed
in the ibmcloud ks ingress secret
subcategory. For more information, see the CLI change log.
To use the ibmcloud ks ingress secret create
command, you must have a default Secrets Manager instance registered to your cluster. If you do not have a Secrets Manager
instance and your secrets are instead written directly to your cluster, your secrets do not have the required CRN value and you must manage them with kubectl
commands.
ibmcloud ks ingress secret create --cert-crn CERTIFICATE_CRN --cluster CLUSTER --name SECRET_NAME [--namespace NAMESPACE] [--field CRN] [--persist] [--type] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--cert-crn CERTIFICATE_CRN
- Required: The certificate CRN.
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--name SECRET_NAME
- Required: Specify a name for the secret. Make sure that you don't create the secret with the same name as the IBM-provided Ingress secret, which you can find by running
ibmcloud ks cluster get --cluster <cluster_name_or_ID> | grep Ingress
. --field CRN
- Required for non-TLS secrets. Add a field to the secret. You can specify more than one field at a time. For more information, see Managing non-TLS secret fields. This
option is not supported for TLS secrets.
- To pull in the secret with the default field name for the secret type, use the default field option:
--field <crn>
. This option is available for all non-TLS secret types. - To specify the field name, use the named field option:
--field name=<crn>
. This option is available for arbitrary and IAM credential secret types. - To use the IBM Cloud Secrets Manager secret as the prefix, use the prefixed field option:
--field prefix=<crn>
. This option is available for IAM credential, username and password, and key value secret types.
- To pull in the secret with the default field name for the secret type, use the default field option:
--namespace NAMESPACE
- Optional: Specify the namespace that your Ingress resource is deployed to. If your ALB runs the Kubernetes Ingress image, this value is required, because the ALB can identify secrets only in the same namespace as your Ingress resource. If
your ALB runs the IBM Cloud Kubernetes Service Ingress image, and you don't specify a namespace, the certificate secret is created in a namespace called
ibm-cert-store
. A reference to this secret is then created in thedefault
namespace, which any Ingress resource in any namespace can access. While processing requests, the ALB follows the reference to pick up and use the certificate secret from theibm-cert-store
namespace. --persist
- Optional: Persist the secret data in your cluster. If the secret is later deleted from the CLI or Red Hat OpenShift web console, the secret is automatically re-created in your cluster. To permanently delete the secret, you must use the
/ingress/v2/secret/deleteSecret
API. --type
- Optional. The type of secret. Choose from
tls
for certificate CRNs oropaque
for non-certificate CRNs. Fortls
, specify up to one CRN. Foropaque
, you can specify multiple CRNs. If no secret type is specified,tls
is applied by default. -q
- Optional: Do not show the message of the day or update reminders.
Example ingress secret create
command
ibmcloud ks ingress secret create --cert-crn crn:v1:staging:public:cloudcerts:us-south:a/06580c923e40314421d3b6cb40c01c68:0db4351b-0ee1-479d-af37-56a4da9ef30f:certificate:4bc35b7e0badb304e60aef00947ae7ff --cluster my_cluster --type tls --name my_alb_secret --namespace demo_ns
ibmcloud ks ingress secret field add
Virtual Private Cloud Classic infrastructure
Add a non-TLS CRN field to an Opaque secret. There are three ways to specify the field type. The one you choose depends on the secret type and how you want to name the field in the non-TLS secret. For more information, see Managing non-TLS secret fields.
ibmcloud ks ingress secret field add --cluster CLUSTER --name SECRET_NAME --field CRN --namespace NAMESPACE [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--name NAME
- Required. The name of the secret to add the field to.
--field CRN
- Required. The secret CRN to add to the field. You can specify more than one field at a time. For more information, see Managing non-TLS secret fields.
- To pull in the secret with the default field name for the secret type, use the default field option:
--field <crn>
. This option is available for all non-TLS secret types. - To specify the field name, use the named field option:
--field name=<crn>
. This option is available for arbitrary and IAM credential secret types. - To use the IBM Cloud Secrets Manager secret as the prefix, use the prefixed field option:
--field prefix=<crn>
. This option is available for IAM credential, username and password, and key value secret types.
- To pull in the secret with the default field name for the secret type, use the default field option:
--namespace NAMESPACE
- Required. The namespace that the secret is deployed to.
-q
- Optional: Do not show the message of the day or update reminders.
Example to add default, named, and prefixed fields to a set of IAM credentials:
ibmcloud ks ingress secret field add --cluster example-cluster --name example-iam-secret --namespace default --field crn:v1:bluemix:public:secrets-manager:us-south:a/1aa111aa1a11111aaa1a1111aa1aa111:111a1111-11a1 --field unique_iam_name=crn:v1:bluemix:public:secrets-manager:us-south:a/1aa111aa1a11111aaa1a1111aa1aa111:111a1111-11a1 --field prefix=crn:v1:bluemix:public:secrets-manager:us-south:a/1aa111aa1a11111aaa1a1111aa1aa111:111a1111-11a1
ibmcloud ks ingress secret field ls
Virtual Private Cloud Classic infrastructure
View the CRN fields of an Ingress secret. This command applies only to Opaque secrets.
ibmcloud ks ingress secret field ls --cluster CLUSTER --name SECRET_NAME --namespace NAMESPACE [--output OUTPUT] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--name NAME
- Required. The name of the secret to add the field to.
--namespace NAMESPACE
- Required. The namespace that the secret is deployed to.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress secret field ls
command
ibmcloud ks ingress secret field ls --cluster a11a11a11a111a1a111a --name my-secret --namespace default
ibmcloud ks ingress secret field rm
Virtual Private Cloud Classic infrastructure
ibmcloud ks ingress secret field rm --cluster CLUSTER --name NAME --namespace NAMESPACE [--field-name NAME]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--c, --cluster CLUSTER
- Required. The name or ID of the cluster.
--name NAME
- Required. The name of the secret to remove the field from.
--namespace NAMESPACE
- Required. The namespace that the secret is deployed to.
--field-name NAME
- The name of the field to remove. To see a list of fields, run
ibmcloud ks ingress secret field ls
.
Example ingress secret field rm
command
ibmcloud ks ingress secret field rm --cluster a11a11a11a111a1a111a --name my-secret --namespace default --field-name test-field-name
ibmcloud ks ingress secret get
Virtual Private Cloud Classic infrastructure
View information about Ingress secrets in your cluster, including secrets stored in IBM Cloud® Secrets Manager.
The previous alias for this command, ibmcloud ks ingress alb cert get
, is deprecated. In CLI version 1.0.157 and later, the ibmcloud ks ingress alb cert
category is deprecated, and these commands are now listed in
the ibmcloud ks ingress secret
subcategory. For more information, see the CLI change log.
ibmcloud ks ingress secret get --cluster CLUSTER --name SECRET_NAME --namespace NAMESPACE [--output json] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--name SECRET_NAME
- Required: The name of the secret.
--namespace NAMESPACE
- Required: The namespace that the secret is deployed to.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress secret get
command
ibmcloud ks ingress secret get --cluster my_cluster --name my_alb_secret --namespace demo_ns
ibmcloud ks ingress secret ls
Virtual Private Cloud Classic infrastructure
List Ingress secrets in your cluster, including secrets stored in IBM Cloud® Secrets Manager.
The previous alias for this command, ibmcloud ks ingress alb cert ls
, is deprecated.
ibmcloud ks ingress secret ls --cluster CLUSTER [--show-deleted] [--output json] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--show-deleted
- Optional: View secrets that were deleted from the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress secret ls
command
ibmcloud ks ingress secret ls --cluster my_cluster
ibmcloud ks ingress secret rm
Virtual Private Cloud Classic infrastructure
Delete an Ingress secret from your cluster. If you created a secret for a certificate from Secrets Manager, only the secret in the cluster is deleted and the certificate remains in your Secrets Manager instance.
The previous alias for this command, ibmcloud ks ingress alb cert rm
, is deprecated. In CLI version 1.0.157 and later, the ibmcloud ks ingress alb cert
category is deprecated, and these commands are now listed in
the ibmcloud ks ingress secret
subcategory. For more information, see the CLI change log.
ibmcloud ks ingress secret rm --cluster CLUSTER --name SECRET_NAME --namespace NAMESPACE [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--name SECRET_NAME
- Required: The name of the secret.
--namespace NAMESPACE
- Required: The namespace that the secret is deployed to.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress secret rm
command
ibmcloud ks ingress secret rm --cluster my_cluster --name my_alb_secret --namespace demo_ns
ibmcloud ks ingress secret update
Virtual Private Cloud Classic infrastructure
Update an Ingress secret for a certificate that is not hosted in the default Secrets Manager instance that was created for your cluster.
Any changes that you make to a certificate in the default Secrets Manager instance in your cluster are automatically reflected in the secret in your cluster. If you make changes to a certificate that is not hosted in your cluster Secrets Manager instance, you must use this command to update the secret in your cluster the pick up the certificate changes.
ibmcloud ks ingress secret update --cluster CLUSTER --name SECRET_NAME --namespace NAMESPACE [--cert-crn CRN] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--name SECRET_NAME
- Required: The name of the secret. To see available secrets, run
ibmcloud ks ingress secret ls
. --namespace NAMESPACE
- Required: The namespace that the secret is deployed to. To see the secret namespace, run
ibmcloud ks ingress secret get --cluster cluster_name_or_ID <--name secret_name> --namespace <namespace>
. --cert-crn CERTIFICATE_CRN
- Optional: The certificate CRN. To see the secret CRN, run
ibmcloud ks ingress secret get --cluster <cluster_name_or_ID> --name secret_name> --namespace <namespace>
. This option requires a default Secrets Manager instance in your cluster. -q
- Optional: Do not show the message of the day or update reminders.
Example ingress secret update
command
Virtual Private Cloud Classic infrastructure
ibmcloud ks ingress secret update --cluster my_cluster --name my_alb_secret --namespace demo_ns
ibmcloud ks ingress status-report disable
Virtual Private Cloud Classic infrastructure
Disable status reporting for Ingress components in a cluster.
ibmcloud ks ingress status-report disable --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress status-report disable
command
ibmcloud ks ingress status-report disable --cluster mycluster
ibmcloud ks ingress status-report enable
Virtual Private Cloud Classic infrastructure
Enable the status reporting of the Ingress components in a cluster.
ibmcloud ks ingress status-report enable --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress status-report enable
command
ibmcloud ks ingress status-report enable --cluster mycluster
ibmcloud ks ingress status-report get
Virtual Private Cloud Classic infrastructure
Get the status report for Ingress components in a cluster.
ibmcloud ks ingress status-report get --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress status-report get
command
ibmcloud ks ingress status-report get --cluster mycluster
ibmcloud ks ingress status-report ignored-errors add
Virtual Private Cloud Classic infrastructure
Add warnings to be ignored by Ingress status for a cluster.
ibmcloud ks ingress status-report ignored-errors add --cluster CLUSTER --code CODE [--code CODE ...] [--output OUTPUT] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-code, --code CODE
- Required: Code of the warning to be ignored.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress status-report ignored-errors add
command
ibmcloud ks ingress status-report ignored-errors add --cluster mycluster --code CODE
ibmcloud ks ingress status-report ignored-errors ls
Virtual Private Cloud Classic infrastructure
List warnings that are currently ignored by Ingress status for a cluster.
ibmcloud ks ingress status-report ignored-errors ls --cluster CLUSTER [--output OUTPUT] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress status-report ignored-errors ls
command
ibmcloud ks ingress status-report ignored-errors ls --cluster mycluster
ibmcloud ks ingress status-report ignored-errors rm
Virtual Private Cloud Classic infrastructure
Remove warnings that are currently ignored by Ingress status for a cluster. Once removed, these warnings are no longer ignored.
ibmcloud ks ingress status-report ignored-errors rm --cluster CLUSTER --code CODE [--code CODE ...] [--output OUTPUT] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-code, --code CODE
- Required: Code of the warning to be removed from the ignored list.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example ingress status-report ignored-errors rm
command
ibmcloud ks ingress status-report ignored-errors rm --cluster mycluster
logging
commands
Forward logs from your cluster to an external server.
ibmcloud ks logging autoupdate disable
Virtual Private Cloud Classic infrastructure
Disable automatic updates of all Fluentd pods in a cluster.
Disable automatic updates of your Fluentd pods in a specific cluster. When you update the major or minor Kubernetes version of your cluster, IBM automatically makes necessary changes to the Fluentd ConfigMap, but does not change the image version of your Fluentd for logging add-on. You are responsible for checking the compatibility of the latest Kubernetes versions and your add-on images.
ibmcloud ks logging autoupdate disable --cluster CLUSTER [-q]
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where you want to disable automatic updates for the Fluentd add-on.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks logging autoupdate enable
Virtual Private Cloud Classic infrastructure
Enable automatic updates for your Fluentd pods in a specific cluster. Fluentd pods are automatically updated when a new image version is available.
ibmcloud ks logging autoupdate enable --cluster CLUSTER [-q]
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where you want to enable automatic updates for the Fluentd add-on.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks logging autoupdate get
Virtual Private Cloud Classic infrastructure
View whether your Fluentd pods are set to automatically update in a cluster.
ibmcloud ks logging autoupdate get --cluster CLUSTER [--output json] [-q]
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster where you want to check whether automatic updates for the Fluentd add-on are enabled.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
ibmcloud ks logging config create
Virtual Private Cloud Classic infrastructure
Create a logging configuration. You can use this command to forward logs for containers, applications, worker nodes, Kubernetes clusters, and Ingress application load balancers to an external syslog server.
ibmcloud ks logging config create --cluster CLUSTER --logsource LOG_SOURCE --type syslog [--namespace KUBERNETES_NAMESPACE] [--hostname LOG_SERVER_HOSTNAME_OR_IP] [--port LOG_SERVER_PORT] [--app-containers CONTAINERS] [--app-paths PATHS_TO_LOGS] [--syslog-protocol PROTOCOL] [--skip-validation] [--force-update] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster
Command options:
-c
,--cluster CLUSTER
- The name or ID of the cluster.
--logsource LOG_SOURCE
- The log source to enable log forwarding for. This option supports a comma-separated list of log sources to apply for the configuration. Accepted values are
container
,application
,worker
,kubernetes
,storage
, andingress
. If you don't provide a log source, configurations are created forcontainer
andingress
. --type syslog
- Enter
syslog
to forward logs to an external server. -n, --namespace KUBERNETES_NAMESPACE
- The Kubernetes namespace that you want to forward logs from. Log forwarding is not supported for the
ibm-system
andkube-system
Kubernetes namespaces. This value is valid only for the container log source and is optional. If you don't specify a namespace, then all namespaces in the cluster use this configuration. --hostname LOG_SERVER_HOSTNAME
- The hostname or IP address of the log collector server.
--port LOG_SERVER_PORT
- Optional: The port of the log collector server. If you don't specify a port, then the standard port
514
is used forsyslog
and the standard port9091
is used foribm
. -p, --app-path
- The path on the container that the apps are logging to. To forward logs with source type
application
, you must provide a path. Wildcards, such as/var/log/*.log
, can be used, but recursive globs, such as/var/log/**/test.log
, can't be used. To specify more than one path, use multiple options, such as-p /var/log/myApp1/* -p /var/log/myApp2/*
. This value is required for log sourceapplication
. --syslog-protocol
- The transfer layer protocol that is used when the logging type is
syslog
. Supported values aretcp
,tls
, and the defaultudp
. When forwarding to a rsyslog server with theudp
protocol, logs that are over 1 KB are truncated. -C, --app-container
- To forward logs from apps, you can specify the name of the container that contains your app. To specify more than one container, use multiple options, such as
-C /var/log/myApp1/* -C /var/log/myApp2/*
. If no containers are specified, logs are forwarded from all the containers that contain the paths that you provided. This option is only valid for log sourceapplication
. --skip-validation
- Optional: Skip validation of the org and space names when they are specified. Skipping validation decreases processing time, but an invalid logging configuration does not correctly forward logs.
--force-update
- Force your Fluentd pods to update to the latest version. Fluentd must be at the latest version to change your logging configurations.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Examples:
Example for log type syslog
that forwards from a container
log source on default port 514:
ibmcloud ks logging config create my_cluster --logsource container --namespace my_namespace --hostname 169.xx.xxx.xxx --type syslog
Example for log type syslog
that forwards logs from an ingress
source on a port different than the default:
ibmcloud ks logging config create --cluster my_cluster --logsource container --hostname 169.xx.xxx.xxx --port 5514 --type syslog
ibmcloud ks logging config get
Virtual Private Cloud Classic infrastructure
View all log forwarding configurations for a cluster, or filter logging configurations based on log source.
ibmcloud ks logging config get --cluster CLUSTER [--logsource LOG_SOURCE] [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--logsource LOG_SOURCE
- Optional: The kind of log source for which you want to filter. Logging configurations of only this log source in the cluster are returned. Accepted values are
container
,storage
,application
,worker
,kubernetes
, andingress
. --show-covering-filters
- Shows the logging filters that render previous filters obsolete.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example logging config get
command
ibmcloud ks logging config get --cluster my_cluster --logsource worker
ibmcloud ks logging config rm
Virtual Private Cloud Classic infrastructure
Delete one log forwarding configuration or all logging configurations for a cluster. Deleting the log configuration stops log forwarding to a remote syslog server.
ibmcloud ks logging config rm --cluster CLUSTER (--namespace NAMESPACE --id LOG_CONFIG_ID] [--all] [--force-update] [-q]
- Minimum required permissions
- Editor platform access role for the cluster
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
-n, --namespace NAMESPACE
- The namespace you want to remove the log forwarding configuration from. If there is more than one config for the same namespace, use the
--id <logging_configuration_ID>
option instead. --id LOG_CONFIG_ID
- If you want to remove a single logging configuration, the logging configuration ID.
--all
- The option to remove all logging configurations in a cluster.
--force-update
- Force your Fluentd pods to update to the latest version. Fluentd must be at the latest version to change your logging configurations.
-q
- Optional: Do not show the message of the day or update reminders.
Example logging config rm
command
ibmcloud ks logging config rm --cluster my_cluster --id f4bc77c0-ee7d-422d-aabf-a4e6b977264e
ibmcloud ks logging config update
Virtual Private Cloud Classic infrastructure
Update the details of a log forwarding configuration.
ibmcloud ks logging config update --cluster CLUSTER --id LOG_CONFIG_ID --type LOG_TYPE [--namespace NAMESPACE] [--hostname LOG_SERVER_HOSTNAME_OR_IP] [--port LOG_SERVER_PORT] [--app-paths PATH] [--app-containers PATH] [--output json] [--skipValidation] [--force-update] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--id LOG_CONFIG_ID
- Required: The logging configuration ID that you want to update.
--type LOG_TYPE
- Required: The log forwarding protocol that you want to use. Currently,
syslog
andibm
are supported. -n, --namespace NAMESPACE
- The Kubernetes namespace that you want to forward logs from. Log forwarding is not supported for the
ibm-system
andkube-system
Kubernetes namespaces. This value is valid only for thecontainer
log source. If you don't specify a namespace, then all namespaces in the cluster use this configuration. --hostname LOG_SERVER_HOSTNAME
- The hostname or IP address of the log collector server.
--port LOG_SERVER_PORT
- The port of the log collector server. This value is optional when the logging type is
syslog
. If you don't specify a port, then the standard port514
is used forsyslog
and9091
is used foribm
. -p, --app-path
- The path on the container that the apps are logging to. To forward logs with source type
application
, you must provide a path. Wildcards, such as/var/log/*.log
, can be used, but recursive globs, such as/var/log/**/test.log
, can't be used. To specify more than one path, use multiple options, such as-p /var/log/myApp1/* -p /var/log/myApp2/*
. This value is required for log sourceapplication
. -C, --app-container
- To forward logs from apps, you can specify the name of the container that contains your app. To specify more than one container, use multiple options, such as
-C /var/log/myApp1/* -C /var/log/myApp2/*
. If no containers are specified, logs are forwarded from all the containers that contain the paths that you provided. This option is only valid for log sourceapplication
. --output json
- Optional: Prints the command output in JSON format.
--skipValidation
- Optional: Skip validation of the org and space names when they are specified. Skipping validation decreases processing time, but an invalid logging configuration does not correctly forward logs.
--force-update
- Force your Fluentd pods to update to the latest version. Fluentd must be at the latest version to change your logging configurations.
-q
- Optional: Do not show the message of the day or update reminders.
Example for log type ibm
:
ibmcloud ks logging config update --cluster my_cluster --id f4bc77c0-ee7d-422d-aabf-a4e6b977264e --type ibm
Example for log type syslog
:
ibmcloud ks logging config update --cluster my_cluster --id f4bc77c0-ee7d-422d-aabf-a4e6b977264e --hostname localhost --port 5514 --type syslog
ibmcloud ks logging filter create
Virtual Private Cloud Classic infrastructure
Filter out logs that are forwarded by your logging configuration.
ibmcloud ks logging filter create --cluster CLUSTER --type LOG_TYPE [--logging-config CONFIG] [--namespace KUBERNETES_NAMESPACE] [--container CONTAINER_NAME] [--level LOGGING_LEVEL] [--message MESSAGE] [--regex-message MESSAGE] [--force-update] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster to create a logging filter for.
--type LOG_TYPE
- The type of logs that you want to apply the filter to. Currently
all
,container
, andhost
are supported. -lc, --logging-config CONFIG
- Optional: The logging configuration ID. If not provided, the filter is applied to all the cluster logging configurations that are passed to the filter. You can view log configurations that match the filter by using the
--show-matching-configs
option with the command. To specify multiple IDs, use multiple options, such as-lc id1 -lc id2
. -n, --namespace KUBERNETES_NAMESPACE
- Optional: The Kubernetes namespace from which you want to filter logs.
--container CONTAINER_NAME
- Optional: The name of the container from which you want to filter out logs. This option applies only when you are using log type
container
. --level LOGGING_LEVEL
- Optional: Filters out logs that are at the specified level and less. Acceptable values in their canonical order are
fatal
,error
,warn/warning
,info
,debug
, andtrace
. As an example, if you filtered logs at theinfo
level,debug
, andtrace
are also filtered. Note: You can use this option only when log messages are in JSON format and contain a level field. Example output{"log": "hello", "level": "info"}
--message MESSAGE
- Optional: Filters out any logs that contain a specified message anywhere in the log. Example: The messages "Hello", "!", and "Hello, World!", would apply to the log "Hello, World!".
--regex-message MESSAGE
- Optional: Filters out any logs that contain a specified message that is written as a regular expression anywhere in the log. Example: The pattern "hello [0-9]" would apply to "hello 1", "hello 2", and "hello 9".
--force-update
- Force your Fluentd pods to update to the latest version. Fluentd must be at the latest version to change your logging configurations.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Examples:
This example filters out all logs that are forwarded from containers with the name test-container
in the default namespace that are at the debug level or less, and have a log message that contains "GET request".
ibmcloud ks logging filter create --cluster example-cluster --type container --namespace default --container test-container --level debug --message "GET request"
This example filters out all the logs that are forwarded, at an info
level or less, from a specific cluster. The output is returned as JSON.
ibmcloud ks logging filter create --cluster example-cluster --type all --level info --output json
ibmcloud ks logging filter get
Virtual Private Cloud Classic infrastructure
View a logging filter configuration.
ibmcloud ks logging filter get --cluster CLUSTER [--id FILTER_ID] [--show-matching-configs] [--show-covering-filters] [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster that you want to view filters from.
--id FILTER_ID
- The ID of the log filter that you want to view.
--show-matching-configs
- Optional: Show the logging configurations that match the configuration that you're viewing.
--show-covering-filters
- Optional: Show the logging filters that render previous filters obsolete.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example logging filter get
command
ibmcloud ks logging filter get --cluster mycluster --id 885732 --show-matching-configs
ibmcloud ks logging filter rm
Virtual Private Cloud Classic infrastructure
Delete a logging filter.
ibmcloud ks logging filter rm --cluster CLUSTER [--id FILTER_ID] [--all] [--force-update] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- The name or ID of the cluster that you want to delete a filter from.
--id FILTER_ID
- The ID of the log filter to delete.
--all
- Optional: Delete all your log forwarding filters.
--force-update
- Force your Fluentd pods to update to the latest version. Fluentd must be at the latest version to change your logging configurations.
-q
- Optional: Do not show the message of the day or update reminders.
Example logging filter rm
command
ibmcloud ks logging filter rm --cluster mycluster --id 885732
ibmcloud ks logging filter update
Virtual Private Cloud Classic infrastructure
Update a logging filter.
ibmcloud ks logging filter update --cluster CLUSTER --id FILTER_ID --type LOG_TYPE [--logging-config CONFIG] [--namespace KUBERNETES_NAMESPACE] [--container CONTAINER_NAME] [--level LOGGING_LEVEL] [--message MESSAGE] [--regex-message MESSAGE] [--force-update] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster that you want to update a logging filter for.
--id FILTER_ID
- The ID of the log filter to update.
--type LOG_TYPE
- The type of logs that you want to apply the filter to. Currently
all
,container
, andhost
are supported. -lc, --logging-config CONFIG
- Optional: The logging configuration ID. If not provided, the filter is applied to all the cluster logging configurations that are passed to the filter. You can view log configurations that match the filter by using the
--show-matching-configs
option with the command. To specify multiple IDs, use multiple options, such as-lc id1 -lc id2
. -n, --namespace KUBERNETES_NAMESPACE
- Optional: The Kubernetes namespace from which you want to filter logs.
--container CONTAINER_NAME
- Optional: The name of the container from which you want to filter out logs. This option applies only when you are using log type
container
. --level LOGGING_LEVEL
- Optional: Filters out logs that are at the specified level and less. Acceptable values in their canonical order are
fatal
,error
,warn/warning
,info
,debug
, andtrace
. As an example, if you filtered logs at theinfo
level,debug
, andtrace
are also filtered. Note: You can use this option only when log messages are in JSON format and contain a level field. Example output{"log": "hello", "level": "info"}
--message MESSAGE
- Optional: Filters out any logs that contain a specified message anywhere in the log. Example: The messages "Hello", "!", and "Hello, World!", would apply to the log "Hello, World!".
--regex-message MESSAGE
- Optional: Filters out any logs that contain a specified message that is written as a regular expression anywhere in the log. Example: The pattern "hello [0-9]" would apply to "hello 1", "hello 2", and "hello 9"
--force-update
- Force your Fluentd pods to update to the latest version. Fluentd must be at the latest version to change your logging configurations.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Examples:
This example filters out all logs that are forwarded from containers with the name test-container
in the default namespace that are at the debug level or less, and have a log message that contains "GET request".
ibmcloud ks logging filter update --cluster example-cluster --id 885274 --type container --namespace default --container test-container --level debug --message "GET request"
This example filters out all the logs that are forwarded, at an info
level or less, from a specific cluster. The output is returned as JSON.
ibmcloud ks logging filter update --cluster example-cluster --id 274885 --type all --level info --output json
ibmcloud ks logging refresh
Virtual Private Cloud Classic infrastructure
Refresh the logging configuration for the cluster. This action refreshes the logging token for any logging configuration that is forwarding to the space level in your cluster.
The logging config refresh
alias for this command is deprecated.
ibmcloud ks logging refresh --cluster CLUSTER [--force-update] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--force-update
- Force your Fluentd pods to update to the latest version. Fluentd must be at the latest version to change your logging configurations.
-q
- Optional: Do not show the message of the day or update reminders.
Example logging refresh
command
ibmcloud ks logging refresh --cluster my_cluster
nlb-dns
commands
Create and manage subdomains for network load balancer (NLB) IP addresses and health check monitors for subdomains. For more information, see Registering a load balancer subdomain.
DNS microservice updates are asynchronous and might take several minutes to apply. Note that if you run an ibmcloud ks nlb-dns
command and receive a 200 confirmation message, you might still have to wait for your changes to be implemented.
To check the status of your subdomain, run ibmcloud ks nlb-dns ls
and find the Status
column in the output.
ibmcloud ks nlb-dns add
Classic infrastructure
Add one or more network load balancer (NLB) IP addresses to an existing subdomain that you created with the ibmcloud ks nlb-dns create
command.
For example, in a multizone classic cluster, you might create an NLB in each zone to expose an app. You register the NLB IPs with a subdomain by running ibmcloud ks nlb-dns create classic
. Later, you add another zone to your cluster
and another NLB for that zone. You can use this command to add the new NLB IP to this existing subdomain. When a user accesses your app subdomain, the client accesses one of these IPs at random, and the request is sent to that NLB.
ibmcloud ks nlb-dns add --cluster CLUSTER --ip NLB_IP [--ip NLB2_IP2 --ip NLB3_IP ...] --nlb-host SUBDOMAIN [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--ip NLB_IP
- The NLB IP address(es) that you want to add to the subdomain. To see your NLB IPs, run
kubectl get svc
. To specify multiple IP addresses, use multiple--ip
options. --nlb-host SUBDOMAIN
- The subdomain that you want to add IPs to. To see existing subdomains, run
ibmcloud ks nlb-dns ls
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns add
command
ibmcloud ks nlb-dns add --cluster mycluster --ip 1.1.1.1 --nlb-host mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
ibmcloud ks nlb-dns create classic
Classic infrastructure
Publicly expose your app by creating a DNS subdomain to register a network load balancer (NLB) IP.
ibmcloud ks nlb-dns create classic --cluster CLUSTER --ip NLB_IP [--ip NLB2_IP --ip NLB3_IP ...] [--secret-namespace NAMESPACE] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--ip IP
- The network load balancer IP address that you want to register. To see your NLB IP addresses, run
kubectl get svc
. To specify multiple IP addresses, use multiple--ip
options. --secret-namespace NAMESPACE
- The Kubernetes namespace where you want to create the Kubernetes secret that holds the SSL certificate information for the NLB. If you don't specify a namespace, the secret is automatically created in the
default
namespace. --type public
- The subdomain type. Currently, only
public
is supported. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns create classic
command
ibmcloud ks nlb-dns create classic --cluster mycluster --ip 1.1.1.1
ibmcloud ks nlb-dns create vpc-gen2
Virtual Private Cloud
Create a DNS record for a Network Load Balancer for VPC or Application Load Balancer for VPC.
When you create a Network Load Balancer for VPC, the load balancer is assigned external IP addresses for each zone in your cluster. When you create an Application Load Balancer for VPC, the load balancer is assigned a hostname. If you want
an app subdomain with TLS termination, you can use the ibmcloud ks nlb-dns create vpc-gen2
command to create a DNS record for the IP addresses or hostname. IBM Cloud takes care of generating and maintaining the wildcard SSL
certificate for the subdomain for you. You can create subdomains for both public and private VPC load balancers.
ibmcloud ks nlb-dns create vpc-gen2 --cluster CLUSTER (--lb-host VPC_ALB_HOSTNAME | --ip VPC_NLB_IP) [--secret-namespace NAMESPACE] [--type (public|private)] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--lb-host VPC_ALB_HOSTNAME
|--ip VPC_NLB_IP
- For VPC application load balancers, the load balancer hostname. To see load balancer hostnames, run
kubectl get svc -o wide
. For VPC network load balancers, the external IP addresses. To specify multiple IP addresses, use multiple--ip
options. To see load balancer IP addresses, runkubectl get svc -o wide
. --secret-namespace NAMESPACE
- The Kubernetes namespace where you want to create the Kubernetes secret that holds the SSL certificate information for the NLB. If you don't specify a namespace, the secret is automatically created in the
default
namespace. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns create vpc-gen2
command
ibmcloud ks nlb-dns create vpc-gen2 --cluster mycluster --lb-host 1234abcd-us-south.lb.appdomain.cloud --type public
ibmcloud ks nlb-dns get
Virtual Private Cloud Classic infrastructure
View the details of a registered NLB host name in a cluster.
ibmcloud ks nlb-dns get --cluster CLUSTER --nlb-subdomain SUBDOMAIN [--output OUTPUT] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--nlb-subdomain SUBDOMAIN
- The DNS subdomain where your network load balancer (NLB) IP address is registered. To list NLBs, run
ibmcloud ks nlb-dns ls --cluster mycluster
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns get
command
Virtual Private Cloud Classic infrastructure
ibmcloud ks nlb-dns get --cluster mycluster --nlb-subdomain subDomain1
ibmcloud ks nlb-dns ls
In a classic cluster, list the network load balancer (NLB) IP addresses that are registered to DNS subdomains. In a VPC cluster, list the VPC load balancer hostnames that are registered to DNS subdomains.
ibmcloud ks nlb-dns ls --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns ls
command
ibmcloud ks nlb-dns ls --cluster mycluster
ibmcloud ks nlb-dns monitor configure
Classic infrastructure
Configure and optionally enable a health check monitor for an existing NLB subdomain in a cluster. When you enable a monitor for your subdomain, the monitor health checks the NLB IP in each zone and keeps the DNS lookup results updated based on these health checks.
You can use this command to create and enable a health check monitor, or to update the settings for an existing health check monitor. To create a new monitor, include the --enable
option and the options for all settings that you
want to configure.
To update an existing monitor, you must include all the options for the settings that you want, including existing settings.
ibmcloud ks nlb-dns monitor configure --cluster CLUSTER --nlb-host SUBDOMAIN [--enable] [--description DESCRIPTION] [--type TYPE] [--method METHOD] [--path PATH] [--timeout TIMEOUT] [--retries RETRIES] [--interval INTERVAL] [--port PORT] [--header HEADER] [--expected-body BODY STRING] [--expected-codes HTTP CODES] [--follows-redirects TRUE] [--allows-insecure TRUE] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- The name or ID of the cluster where the subdomain is registered.
--nlb-host SUBDOMAIN
- The subdomain to configure a health check monitor for. To list subdomains, run
ibmcloud ks nlb-dns ls --cluster CLUSTER
. --enable
- Include this option to enable a new health check monitor for a subdomain.
--description DESCRIPTION
- A description of the health monitor.
--type TYPE
- The protocol to use for the health check:
HTTP
,HTTPS
, orTCP
. Default:HTTP
--method METHOD
- The method to use for the health check. Default for
type
HTTP
andHTTPS
:GET
. Default fortype
TCP
:connection_established
. --path PATH
- When
type
isHTTPS
: The endpoint path to health check against. Default:/
--timeout TIMEOUT
- The timeout, in seconds, before the IP is considered unreachable. The health check waits the number of seconds specified in the
interval
parameter before trying to reach the IP again. The value must be an integer in the range 1 - 15. Default:5
--retries RETRIES
- When a timeout occurs, the number of retries to attempt before the unreachable IP is considered unhealthy. Retries are attempted immediately. The value must be an integer in the range 1 - 5. Default:
2
--interval INTERVAL
- The interval, in seconds, between each health check. Short intervals might improve failover time, but increase load on the IPs. The value must be an integer in the range 10 - 3600 and must be greater than
(RETRIES + 1) * TIMEOUT
. Default:60
--port PORT
- The port number to connect to for the health check. When
type
isTCP
, this parameter is required. Whentype
isHTTP
orHTTPS
, define the port only if you use a port other than 80 for HTTP or 443 for HTTPS. Default for TCP:0
. Default for HTTP:80
. Default for HTTPS:443
. --header HEADER
- Required when
type
isHTTP
orHTTPS
: HTTP request headers to send in the health check, such as a Host header. The User-Agent header can't be overridden. This option is valid only for type 'HTTP' or 'HTTPS'. To add more than one header to the requests, specify this option multiple times. This option accepts values in the following format:--header Header-Name=value
. When updating a monitor, the existing headers are replaced by the ones you specify. To delete all existing headers specify the option with an empty value--header ""
. --expected-body BODY STRING
- When
type
isHTTP
orHTTPS
: A case-insensitive substring that the health check looks for in the response body. If this string is not found, the IP is considered unhealthy. --expected-codes HTTP CODES
- When
type
isHTTP
orHTTPS
: HTTP codes that the health check looks for in the response. If the HTTP code is not found, the IP is considered unhealthy. Default:2xx
--allows-insecure TRUE
- When
type
isHTTP
orHTTPS
: Set totrue
to not validate the certificate. --follows-redirects TRUE
- When
type
isHTTP
orHTTPS
: Set totrue
to follow any redirects that are returned by the IP. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns monitor configure
command
ibmcloud ks nlb-dns monitor configure --cluster mycluster --nlb-host mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud --enable --description "Login page monitor" --type HTTPS --method GET --path / --timeout 5 --retries 2 --interval 60 --expected-body "healthy" --expected-codes 2xx --follows-redirects true
ibmcloud ks nlb-dns monitor disable
Classic infrastructure
Disable an existing health check monitor for a subdomain in a cluster.
ibmcloud ks nlb-dns monitor disable --cluster CLUSTER --nlb-host SUBDOMAIN [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--nlb-host SUBDOMAIN
- The subdomain that the monitor health checks. To list subdomains, run
ibmcloud ks nlb-dns ls --cluster CLUSTER
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns monitor disable
command
ibmcloud ks nlb-dns monitor disable --cluster mycluster --nlb-host mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
ibmcloud ks nlb-dns monitor enable
Classic infrastructure
Enable a health check monitor that you configured.
The first time that you create a health check monitor, you must configure and enable it with the ibmcloud ks nlb-dns monitor configure
command. Use the ibmcloud ks nlb-dns monitor enable
command only to enable a monitor
that you configured but did not yet enable, or to re-enable a monitor that you previously disabled.
ibmcloud ks nlb-dns monitor enable --cluster CLUSTER --nlb-host SUBDOMAIN [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--nlb-host SUBDOMAIN
- The subdomain that the monitor health checks. To list subdomains, run
ibmcloud ks nlb-dns ls --cluster CLUSTER
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns monitor enable
command
ibmcloud ks nlb-dns monitor enable --cluster mycluster --nlb-host mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
ibmcloud ks nlb-dns monitor get
Classic infrastructure
View the settings for an existing health check monitor.
ibmcloud ks nlb-dns monitor get --cluster CLUSTER --nlb-host SUBDOMAIN [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--nlb-host SUBDOMAIN
- The subdomain that the monitor health checks. To list subdomains, run
ibmcloud ks nlb-dns ls --cluster CLUSTER
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns monitor get
command
ibmcloud ks nlb-dns monitor get --cluster mycluster --nlb-host mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
ibmcloud ks nlb-dns monitor ls
Classic infrastructure
List the health check monitor settings for each NLB subdomain in a cluster.
ibmcloud ks nlb-dns monitor ls --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns monitor ls
command
ibmcloud ks nlb-dns monitor ls --cluster mycluster
ibmcloud ks nlb-dns replace
Virtual Private Cloud
Replace the load balancer hostname that is registered with a DNS subdomain. For example, if you create a new VPC load balancer for your app, but you don't want to create a new DNS subdomain through which users can access your app, you can replace the hostname of the old load balancer with the hostname of the new load balancer.
ibmcloud ks nlb-dns replace --cluster CLUSTER --lb-host NEW_LB_HOSTNAME --nlb-subdomain SUBDOMAIN [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--lb-host NEW_LB_HOSTNAME
- The hostname of the new VPC load balancer to update the subdomain with. To see VPC load balancer hostnames, run
kubectl get svc -o wide
. nlb-subdomain SUBDOMAIN
- The DNS subdomain that you want to replace the load balancer hostname for. To see existing subdomains, run
ibmcloud ks nlb-dns ls --cluster <cluster>
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns replace
command
ibmcloud ks nlb-dns replace --cluster mycluster --lb-host 1234abcd-us-south.lb.appdomain.cloud nlb-subdomain mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
ibmcloud ks nlb-dns rm classic
Classic infrastructure
Remove a network load balancer (NLB) IP address from a subdomain. If you remove all IPs from a subdomain, the subdomain still exists but no IPs are associated with it. Note: You must run this command for each IP address that you want to remove.
ibmcloud ks nlb-dns rm classic --cluster CLUSTER --ip IP --nlb-host SUBDOMAIN [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--ip IP
- The NLB IP that you want to remove. To see the IPs registered with each subdomain, run
ibmcloud ks nlb-dns ls --cluster <cluster>
. --nlb-host SUBDOMAIN
- The subdomain that you want to remove an IP from. To see existing subdomains, run
ibmcloud ks nlb-dns ls
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns rm classic
command
ibmcloud ks nlb-dns rm classic --cluster mycluster --ip 1.1.1.1 --nlb-host mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
ibmcloud ks nlb-dns rm vpc-gen2
Virtual Private Cloud
Remove the load balancer hostname (VPC application load balancers) or IP addresses (VPC network load balancers) from the DNS record for that load balancer.
After you remove the hostname or IP addresses, the DNS subdomain still exists, but no load balancer is registered with it.
ibmcloud ks nlb-dns rm vpc-gen2 --cluster CLUSTER --nlb-subdomain SUBDOMAIN [ --ip IP] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--nlb-subdomain SUBDOMAIN
- The subdomain that you want to disassociate from the VPC load balancer hostname. To see existing subdomains, run
ibmcloud ks nlb-dns ls --cluster <cluster>
. --ip IP
- For VPC network load balancers, the IP address that you want to remove. To see the IPs registered with each subdomain, run
ibmcloud ks nlb-dns ls --cluster <cluster>
. Note that you must repeat this command for each IP address that you want to remove. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns rm vpc-gen2
command
ibmcloud ks nlb-dns rm vpc-gen2 --cluster mycluster --nlb-subdomain mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
Experimental: ibmcloud ks nlb-dns secret regenerate
Virtual Private Cloud Classic infrastructure
Regenerate the certificate and secret for an NLB subdomain. Secret regeneration is not disruptive, and traffic continues to flow while the secret regenerates.
If the Let’s Encrypt certificate creation fails during secret regeneration, a 10 minute wait period must pass before the regeneration is automatically attempted again. The regeneration of the secret takes another 5 minutes to complete, making it a total of 15 minutes before the process is completed.
To avoid the Let’s Encrypt rate limit, don't regenerate a secret more than 5 times per day.
ibmcloud ks nlb-dns secret regenerate --cluster CLUSTER --nlb-subdomain SUBDOMAIN [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--nlb-subdomain SUBDOMAIN
- The subdomain to regenerate the secret for. To list subdomains, run
ibmcloud ks nlb-dns ls --cluster CLUSTER
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns secret regenerate
command
ibmcloud ks nlb-dns secret regenerate --cluster mycluster --nlb-subdomain mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
Experimental: ibmcloud ks nlb-dns secret rm
Virtual Private Cloud Classic infrastructure
Delete a secret from an NLB subdomain and prevent future renewal of the certificate.
You might delete the secret for an NLB subdomain if you no longer use the subdomain, or if the owner of the secret leaves your organization.
ibmcloud ks nlb-dns secret rm --cluster CLUSTER --nlb-subdomain SUBDOMAIN [-f] [--output json] [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--nlb-subdomain SUBDOMAIN
- The subdomain to delete the secret for. To list subdomains, run
ibmcloud ks nlb-dns ls --cluster CLUSTER
. -f
- Optional: Force the command to run with no user prompts.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example nlb-dns secret rm
command
ibmcloud ks nlb-dns secret rm --cluster mycluster --nlb-subdomain mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud
ibmcloud ks vpc secure-by-default enable
Enable Secure By Default VPC Networking for a VPC cluster using legacy Security Groups.
ibmcloud ks vpc secure-by-default enable --cluster CLUSTER [--disable-outbound-traffic-protection] [-f] [-q]
Command options
--cluster CLUSTER
,-c CLUSTER
- Specify the cluster name or ID.
--disable-outbound-traffic-protection
- Include this option to allow public outbound access from the cluster workers. By default, public outbound access is blocked.
-f
- Force the command to run without user prompts.
-q
- Do not show the message of the day or update reminders.
webhook-create
command
Virtual Private Cloud Classic infrastructure
Register a webhook.
ibmcloud ks webhook-create --cluster CLUSTER --level LEVEL --type slack --url URL [-q]
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--level LEVEL
- Optional: The notification level, such as
Normal
orWarning
.Warning
is the default value. --type slack
- Required: The webhook type. Currently, Slack is supported.
--url URL
- Required: The URL for the webhook.
-q
- Optional: Do not show the message of the day or update reminders.
Example webhook-create
command
ibmcloud ks webhook-create --cluster my_cluster --level Normal --type slack --url http://github.com/mywebhook
api-key
commands
View information about the API key for a cluster or reset it to a new key.
ibmcloud ks api-key info
Virtual Private Cloud Classic infrastructure
View the name and email address for the owner of the IBM Cloud Identity and Access Management (IAM) API key that IBM Cloud Kubernetes Service uses to authenticate certain requests like infrastructure in the region and resource group.
To create a different API key for the resource group and region, use the ibmcloud ks api-key reset
command.
If you manually set IBM Cloud infrastructure credentials by using the ibmcloud ks credential set
command, the API key that is returned in this command is not used for infrastructure permissions.
ibmcloud ks api-key info --cluster CLUSTER [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
-c
,--cluster CLUSTER
- Required: The name or ID of the cluster.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example api-key info
command
ibmcloud ks api-key info --cluster my_cluster
ibmcloud ks api-key reset
Virtual Private Cloud Classic infrastructure
Create an IBM Cloud IAM API key that impersonates the user's permissions to authenticate requests for all clusters in the current resource group and region.
If you use the Block Storage for VPC or cluster autoscaler add-ons in your cluster, you must re-create the add-on controller pods after you reset your API key. For more information, see Block Storage for VPC PVC creation fails after API key reset and Autoscaling fails after API key reset.
Before you use this command, make sure that the user who runs this command has the required IBM Cloud Kubernetes Service and IBM Cloud infrastructure permissions. Target the resource group and region that you want to set the API key for. When the API key is reset, the previous API key that was used, if any, for the region and resource group is now obsolete. You can then delete the old API key from your list of API keys. Before you reset the API key, check whether you have other services that use the existing API key, such as a key management service (KMS) provider or Secrets Manager.
ibmcloud ks api-key reset --region REGION [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--region REGION
- Specify a region in IBM Cloud Kubernetes Service:
jp-osa
,jp-tok
,au-syd
,eu-de
,eu-gb
,us-east
, orus-south
. -q
- Optional: Do not show the message of the day or update reminders.
Example api-key reset
command
ibmcloud ks api-key reset --region us-south
credential
commands
Set and unset credentials that allow you to access the classic IBM Cloud infrastructure portfolio through your IBM Cloud account.
You can manually set infrastructure credentials to a different account only for classic clusters, not for VPC clusters.
ibmcloud ks credential get
Classic infrastructure
If you set up your IBM Cloud account to use different credentials to access the IBM Cloud infrastructure portfolio, get the infrastructure username for the region and resource group that you are currently targeted to.
ibmcloud ks credential get --region REGION [-q] [--output json]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--region REGION
- Specify a region in IBM Cloud Kubernetes Service:
jp-osa
,jp-tok
,au-syd
,eu-de
,eu-gb
,us-east
, orus-south
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example credential get
command
ibmcloud ks credential get --region us-south
ibmcloud ks credential set classic
Classic infrastructure
Set credentials for a resource group and region so that you can access the IBM Cloud infrastructure portfolio through your IBM Cloud account.
If you have an IBM Cloud Pay-As-You-Go account, you have access to the IBM Cloud infrastructure portfolio by default. However, you might want to use a different, existing IBM Cloud infrastructure account to order infrastructure. You can link this infrastructure account to your IBM Cloud account by using this command.
If IBM Cloud infrastructure credentials are manually set for a region and a resource group, these credentials are used to order infrastructure for all clusters within that region in the resource group. These credentials are used to determine infrastructure permissions, even if an IBM Cloud IAM API key exists for the resource group and region. If the user whose credentials are stored does not have the required permissions to order infrastructure, then infrastructure-related actions, such as creating a cluster or reloading a worker node can fail.
You can't set multiple credentials for the same IBM Cloud Kubernetes Service resource group and region.
Before you use this command, make sure that the user whose credentials are used has the required IBM Cloud Kubernetes Service and IBM Cloud infrastructure permissions.
ibmcloud ks credential set classic --infrastructure-api-key API_KEY --infrastructure-username USERNAME --region REGION [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--infrastructure-username USERNAME
- Required: IBM Cloud infrastructure account API username. The infrastructure API username is not the same as the IBMid. To view the infrastructure API username, see Managing classic infrastructure API keys.
--infrastructure-api-key API_KEY
- Required: IBM Cloud infrastructure account API key. To view or generate an infrastructure API key, see Managing classic infrastructure API keys.
--region REGION
- Specify a region in IBM Cloud Kubernetes Service:
jp-osa
,jp-tok
,au-syd
,eu-de
,eu-gb
,us-east
, orus-south
. -q
- Optional: Do not show the message of the day or update reminders.
Example credential set classic
command
ibmcloud ks credential set classic --infrastructure-api-key <api_key> --infrastructure-username dbmanager --region us-south
ibmcloud ks credential unset
Classic infrastructure
Remove the credentials for a resource group and region to remove access to the IBM Cloud infrastructure portfolio through your IBM Cloud account.
After you remove the credentials, the IBM Cloud IAM API key is used to order resources in IBM Cloud infrastructure.
ibmcloud ks credential unset --region REGION [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--region REGION
- Specify a region in IBM Cloud Kubernetes Service:
jp-osa
,jp-tok
,au-syd
,eu-de
,eu-gb
,us-east
, orus-south
. -q
- Optional: Do not show the message of the day or update reminders.
Example credential unset
command
ibmcloud ks credential unset --region us-south
infra-permissions
commands
Check classic IBM Cloud infrastructure permissions that are used in IBM Cloud Kubernetes Service.
The ibmcloud ks infra-permissions
commands check only classic IBM Cloud infrastructure, not VPC permissions.
ibmcloud ks infra-permissions get
Classic infrastructure
Check whether the credentials that allow access to the IBM Cloud infrastructure portfolio for the targeted resource group and region are missing suggested or required infrastructure permissions.
If the infrastructure credentials for the region and resource group are missing any permissions, the output of this command returns a list of required
and suggested
permissions.
- Required: These permissions are needed to successfully order and manage infrastructure resources such as worker nodes. If the infrastructure credentials are missing one of these permissions, common actions such as
worker reload
can fail for all clusters in the region and resource group. - Suggested: These permissions are helpful to include in your infrastructure permissions, and might be necessary in certain use cases. For example, the
Add Compute with Public Network Port
infrastructure permission is suggested because if you want public networking, you need this permission. However, if your use case is a cluster on the private VLAN only, the permission is not needed so it is not consideredrequired
.
For a list of common use cases by permission, see Infrastructure roles.
- What if I see an infrastructure permission that I can't find in the console or Infrastructure roles table?
Support Case
permissions are managed in a different part of the console than infrastructure permissions. See Customizing infrastructure permissions.- Which infrastructure permissions do I assign?
- If your company's policies for permissions are strict, you might need to limit the
suggested
permissions for your cluster's use case. Otherwise, make sure that your infrastructure credentials for the region and resource group include all therequired
andsuggested
permissions.
For most use cases, set up the API key for the region and resource group with the appropriate infrastructure permissions. If you need to use another infrastructure account that differs from your current account, set up manual credentials.
- How do I control what actions the users can perform?
- After infrastructure credentials are set up, you can control what actions your users can perform by assigning them IBM Cloud IAM platform access roles.
ibmcloud ks infra-permissions get --region REGION [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--region REGION
- Required: Specify a region in IBM Cloud Kubernetes Service:
jp-osa
,jp-tok
,au-syd
,eu-de
,eu-gb
,us-east
, orus-south
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example infra-permissions get
command
ibmcloud ks infra-permissions get --region us-south
Example output
Missing Virtual Worker Permissions
Add Server suggested
Cancel Server suggested
View Virtual Server Details required
Missing Physical Worker Permissions
No changes are suggested or required.
Missing Network Permissions
No changes are suggested or required.
Missing Storage Permissions
Add Storage required
Manage Storage required
kms
commands
Enable a key management service (KMS) provider in your cluster to encrypt the etcd component and Kubernetes secrets with a root key that you control.
ibmcloud ks kms crk ls
Virtual Private Cloud Classic infrastructure
List available customer root keys (CRKs) in a key management service instance. Root keys wrap and unwrap the local data encryption keys (DEKs) that the cluster uses to encrypt its secrets. For more information, see Understanding Key Management Service (KMS) providers.
Do not delete root keys in your KMS instance, even if you rotate to use a new key. If you delete a root key that a cluster uses, the cluster becomes unusable, loses all its data, and can't be recovered.
ibmcloud ks kms crk ls --instance-id KMS_INSTANCE_ID [--output json] [-q]
- Minimum required permissions
- Viewer platform access role in IBM Cloud Kubernetes Service
Command options:
--instance-id KMS_INSTANCE_ID
- The ID of the key management service instance that you want to list root keys for. To list available KMS instances, run
ibmcloud ks kms instance ls
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example kms crk ls
command
ibmcloud ks kms crk ls --instance-id 1aa1a111-1111-1111-a111-a1aaaa1a1a1a
ibmcloud ks kms enable
Virtual Private Cloud Classic infrastructure
Encrypt your Kubernetes secrets by enabling a key management service (KMS) provider in your cluster. To rotate a key in a cluster with existing key encryption, rerun this command with a new root key ID.
Do not delete root keys in your KMS instance, even if you rotate to use a new key. If you delete a root key that a cluster uses, the cluster becomes unusable, loses all its data, and can't be recovered. When you rotate a root key, you can't reuse a previous root key for the same cluster.
ibmcloud ks kms enable --cluster CLUSTER_NAME_OR_ID --instance-id KMS_INSTANCE_ID --crk ROOT_KEY_ID [--kms-account-id ID] [--public-endpoint] [-q]
- Minimum required permissions
- Administrator platform access role for the cluster in IBM Cloud Kubernetes Service
Command options:
--container, -c CLUSTER_NAME_OR_ID
- The name or ID of the cluster.
--instance-id KMS_INSTANCE_ID
- The ID of the KMS instance that you want to use to encrypt the secrets in your cluster. To list available KMS instances, run
ibmcloud ks kms instance ls
. --crk ROOT_KEY_ID
- The ID of the customer root key (CRK) in your KMS instance that you want to use to wrap the data encryption keys (DEK) that are stored locally in your cluster. To list available root keys, run
ibmcloud ks kms crk ls --instance-id <kms_instance_id>
. --kms-account-id ID
- Optional: The ID of the account that contains the KMS instance you want to use for local disk or secret encryption.
--public-endpoint
- Optional: Specify this option to use the KMS public cloud service endpoint. If you don't include this option, the private cloud service endpoint is used by default.
-q
- Optional: Do not show the message of the day or update reminders.
Example kms enable
command
ibmcloud ks kms enable -c mycluster --instance-id a11aa11a-bbb2-3333-d444-e5e555e5ee5 --crk 1a111a1a-bb22-3c3c-4d44-55e555e55e55
ibmcloud ks kms instance ls
Virtual Private Cloud Classic infrastructure
List available key management service (KMS) instances in your IBM Cloud account that you can choose to enable in your cluster.
ibmcloud ks kms instance ls [--output json] [-q]
- Minimum required permissions
- Viewer platform access role in IBM Cloud Kubernetes Service
Command options:
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks kms instance ls
quota
commands
ibmcloud ks quota ls
Virtual Private Cloud Classic infrastructure
List all quota and limits for cluster-related resources in your IBM Cloud account.
ibmcloud ks quota ls [--provider PROVIDER] [--output json]
- Minimum required permissions
- Viewer platform access role for IBM Cloud Kubernetes Service
Command options:
--provider (classic | vpc-gen2)
- The infrastructure provider type to list quota and limits for.
--output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks quota ls
subnets
command
Virtual Private Cloud Classic infrastructure
List available subnets in all resource groups in your IBM Cloud infrastructure account.
ibmcloud ks subnets [--provider (classic | vpc-gen2)] [--vpc-id <VPC_ID> --zone <VPC_ZONE>] [--location LOCATION] [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for IBM Cloud Kubernetes Service
Command options:
--provider (classic | vpc-gen2)
- The infrastructure provider type to list subnets for. This option is required to list VPC subnets.
--vpc-id VPC_ID
- The ID of the VPC to list subnets for. This option is required when you specify the
vpc-gen2
provider type. To list VPC IDs, runibmcloud ks vpcs
. --zone VPC_ZONE
- The zone to list VPC subnets for. This option is required when you specify a VPC provider type.
-l, --location LOCATION
- Filter output by a specific location. To see supported locations, run
ibmcloud ks locations
. To specify multiple locations, use one option for each location, such as-l dal -l seo
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks subnets -l ams03 -l wdc -l ap
vlan
commands
Classic infrastructure
List public and private VLANs for a zone and view the VLAN spanning status.
ibmcloud ks vlan ls
Classic infrastructure
List the public and private VLANs that are available for a zone in your classic IBM Cloud infrastructure account. To list available VLANs, you must have a paid account.
ibmcloud ks vlan ls --zone ZONE [--all] [--output json] [-q]
Minimum required permissions:
- To view the VLANs that the cluster is connected to in a zone: Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
- To list all available VLANs in a zone: Viewer platform access role for the region in IBM Cloud Kubernetes Service
Command options:
--zone ZONE
- Required: Enter the zone where you want to list your private and public VLANs. To see available zones, run
ibmcloud ks zone ls
. --all
- Lists all available VLANs. By default VLANs are filtered to show only those VLANs that are valid. To be valid, a VLAN must be associated with infrastructure that can host a worker with local disk storage.
--output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example vlan ls
command
ibmcloud ks vlan ls --zone dal10
ibmcloud ks vlan spanning get
Classic infrastructure
View the VLAN spanning status for an IBM Cloud infrastructure account. VLAN spanning enables all devices on an account to communicate with each other through the private network, regardless of its assigned VLAN.
The VLAN spanning option is disabled for clusters that are created in a VRF-enabled account. When VRF is enabled, all VLANs in the account can automatically communicate with each other over the private network. To check whether a VRF is enabled,
use the ibmcloud account show
command. For more information, see Planning your cluster network setup: Worker-to-worker communication.
ibmcloud ks vlan spanning get --region REGION [--output json] [-q]
- Minimum required permissions
- Viewer platform access role for IBM Cloud Kubernetes Service
Command options:
--region REGION
- Specify a region in IBM Cloud Kubernetes Service:
jp-osa
,jp-tok
,au-syd
,eu-de
,eu-gb
,us-east
, orus-south
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example vlan spanning get
command
ibmcloud ks vlan spanning get --region us-south
ibmcloud ks vpc ls
List all VPCs in the targeted resource group. If no resource group is targeted, all VPCs in the account are listed.
ibmcloud ks vpc ls [--output OUTPUT] [--provider PROVIDER] [-q]
Command options
--output OUTPUT
- Prints the command output in the provided format. Accepted values:
json
--provider PROVIDER
- The VPC infrastructure provider type. Supported values are
vpc-classic
andvpc-gen2
. By default, VPCs of all provider types are returned. -q
- Do not show the message of the day or update reminders.
ibmcloud ks vpc outbound-traffic-protection disable
Disable outbound traffic protection for a Secure By Default VPC cluster.
ibmcloud ks vpc outbound-traffic-protection disable --cluster CLUSTER [-f] [-q]
Command options
--cluster CLUSTER
,-c CLUSTER
- Specify the cluster name or ID.
-f
- Force the command to run without user prompts.
-q
- Do not show the message of the day or update reminders.
ibmcloud ks vpc outbound-traffic-protection enable
Enable outbound traffic protection for a Secure By Default VPC cluster.
ibmcloud ks vpc outbound-traffic-protection enable --cluster CLUSTER [-f] [-q]
Command options
--cluster CLUSTER
,-c CLUSTER
- Specify the cluster name or ID.
-f
- Force the command to run without user prompts.
-q
- Do not show the message of the day or update reminders.
flavor
command
Each flavor includes the amount of virtual CPU, memory, and disk space for each worker node in the cluster.
By default, the secondary storage disk directory where all container data is stored, is encrypted with LUKS encryption. If the disable-disk-encrypt
option is included during cluster creation, then the host's container runtime data
is not encrypted. Learn more about the encryption.
You can provision your worker node as a virtual machine on shared or dedicated hardware, or for classic clusters only, as a physical machine on bare metal.
flavor get
command
Virtual Private Cloud Classic infrastructure
Get the information of a flavor for a zone and provider.
ibmcloud ks flavor get --flavor FLAVOR --provider PROVIDER --zone ZONE [--output OUTPUT] [-q]
- Minimum required permissions
- None
Command options:
--flavor FLAVOR
- The flavor you want to get information for. Flavors determine how much virtual CPU, memory, and disk space is available to each worker node.
--provider PROVIDER
- The infrastructure provider for which you want to get flavor information for. Available options are
classic
,vpc-classic
andvpc-gen2
. --zone ZONE
- The zone where you want to get flavor information for. To see available zones for classic clusters, run
ibmcloud ks zone ls
. To see available zones for VPC clusters, runibmcloud ks zone ls --provider vpc-gen2
for Generation 2 compute. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example flavor get
command
Virtual Private Cloud Classic infrastructure
ibmcloud ks flavor get --zone us-south-1 --provider vpc-gen2 --flavor bx2d.48x192.900gb
flavor ls
command
Virtual Private Cloud Classic infrastructure
List available flavors for a zone.
ibmcloud ks flavor ls --zone ZONE [--output OUTPUT] [--provider PROVIDER] [-q] [--show-storage]
- Minimum required permissions
- None
Command options:
--zone ZONE
- The zone where you want to get flavor information for. To see available zones for classic clusters, run
ibmcloud ks zone ls
. To see available zones for VPC clusters, runibmcloud ks zone ls --provider vpc-gen2
for Generation 2 compute. --provider PROVIDER
- Optional: The infrastructure provider for which you want to get flavor information for. Available options are
classic
,vpc-classic
andvpc-gen2
. --show-storage
- Optional: Show additional raw disks that are available for SDS worker node flavors. For more information, see Software-defined storage (SDS) machines. In the tables for each
metro area section, SDS flavors are in the Bare Metal tabs and end with
.ssd
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example flavor ls
command
ibmcloud ks flavor ls --zone us-south-1 --provider vpc-gen2 --show-storage
messages
command
Virtual Private Cloud Classic infrastructure
View current messages from the IBM Cloud Kubernetes Service CLI plug-in for the IBMid user.
ibmcloud ks messages
- Minimum required permissions
- None
Command options: None
locations command
Virtual Private Cloud Classic infrastructure
List the locations that are supported by IBM Cloud Kubernetes Service. For more information about the locations that are returned, see IBM Cloud Kubernetes Service locations.
ibmcloud ks locations [--output json]
- Minimum required permissions
- None
Command options:
--output json
- Optional: Prints the command output in JSON format.
versions
command
Virtual Private Cloud Classic infrastructure
List all the container platform versions that are available for IBM Cloud Kubernetes Service clusters. Update your cluster master and worker nodes to the default version for the latest, stable capabilities.
The kube-versions
alias for this command is deprecated.
ibmcloud ks versions [--show-version (KUBERNETES|OPENSHIFT)] [--output json] [-q]
- Minimum required permissions
- None
Command options:
--show-version (KUBERNETES|OPENSHIFT)
- Show only the versions for the specified container platform. Supported values are
kubernetes
oropenshift
. --output json
- Optional: Prints the command output in JSON format.
-q
- Optional: Do not show the message of the day or update reminders.
Example:
ibmcloud ks versions
api
command
Virtual Private Cloud Classic infrastructure
Target the API endpoint for IBM Cloud Kubernetes Service. If you don't specify an endpoint, you can view information about the current endpoint that is targeted.
Region-specific endpoints are deprecated. Use the global endpoint instead.
If you need to list and work with resources from one region only, you can use the ibmcloud ks api
command to target a regional endpoint instead of the global endpoint.
- Dallas (US South, us-south):
https://us-south.containers.cloud.ibm.com
- Frankfurt (EU Central, eu-de):
https://eu-de.containers.cloud.ibm.com
- London (UK South, eu-gb):
https://eu-gb.containers.cloud.ibm.com
- Osaka (jp-osa):
https://jp-osa.containers.cloud.ibm.com
- São Paulo (br-sao):
https://br-sao.containers.cloud.ibm.com
- Sydney (AP South, au-syd):
https://au-syd.containers.cloud.ibm.com
- Tokyo (AP North, jp-tok):
https://jp-tok.containers.cloud.ibm.com
- Toronto (ca-tor):
https://ca-tor.containers.cloud.ibm.com
- Washington, D.C. (US East, us-east):
https://us-east.containers.cloud.ibm.com
To use the global functionality, you can use the ibmcloud ks api
command again to target the global endpoint: https://containers.cloud.ibm.com
ibmcloud ks api --endpoint ENDPOINT [--insecure] [--skip-ssl-validation] [--api-version VALUE] [-q]
- Minimum required permissions
- None
Command options:
--endpoint ENDPOINT
- The IBM Cloud Kubernetes Service API endpoint. Note: This endpoint is different than the IBM Cloud endpoints. This value is required to set the API endpoint.
--insecure
- Allow an insecure HTTP connection. This option is optional.
--skip-ssl-validation
- Allow insecure SSL certificates. This option is optional.
--api-version VALUE
- Optional: Specify the API version of the service that you want to use.
-q
- Optional: Do not show the message of the day or update reminders.
Example: View information about the current API endpoint that is targeted.
ibmcloud ks api
API Endpoint: https://containers.cloud.ibm.com
API Version: v1
Skip SSL Validation: false
Region: us-south
init
command
Virtual Private Cloud Classic infrastructure
Initialize the IBM Cloud Kubernetes Service plug-in or specify the region where you want to create or access Kubernetes clusters.
Region-specific endpoints are deprecated. Use the global endpoint instead.
If you need to list and work with resources from one region only, you can use the ibmcloud ks init
command to target a regional endpoint instead of the global endpoint.
- Dallas (US South, us-south):
https://us-south.containers.cloud.ibm.com
- Frankfurt (EU Central, eu-de):
https://eu-de.containers.cloud.ibm.com
- London (UK South, eu-gb):
https://eu-gb.containers.cloud.ibm.com
- Osaka (jp-osa):
https://jp-osa.containers.cloud.ibm.com
- São Paulo (br-sao):
https://br-sao.containers.cloud.ibm.com
- Sydney (AP South, au-syd):
https://au-syd.containers.cloud.ibm.com
- Tokyo (AP North, jp-tok):
https://jp-tok.containers.cloud.ibm.com
- Toronto (ca-tor):
https://ca-tor.containers.cloud.ibm.com
- Washington, D.C. (US East, us-east):
https://us-east.containers.cloud.ibm.com
To use the global functionality, you can use the ibmcloud ks init
command again to target the global endpoint: https://containers.cloud.ibm.com
ibmcloud ks init [--host HOST] [--insecure] [-p] [-u] [-q]
- Minimum required permissions
- None
Command options:
--host HOST
- Optional: The IBM Cloud Kubernetes Service API endpoint to use.
--insecure
- Allow an insecure HTTP connection.
-p
- Your IBM Cloud password.
-u
- Your IBM Cloud username.
-q
- Optional: Do not show the message of the day or update reminders.
Examples:
- Example to target the US South regional endpoint:
ibmcloud ks init --host https://us-south.containers.cloud.ibm.com
- Example to target the global endpoint again:
ibmcloud ks init --host https://containers.cloud.ibm.com
script
commands
ibmcloud ks script update
Virtual Private Cloud Classic infrastructure
Rewrite scripts that call kubernetes-service
commands. Legacy-structured commands are replaced with beta-structured commands.
Most command behavior and syntax changes in version 1.0. These changes are not compatible with earlier versions. After you update your scripts, you must continue to use version 1.0
of the plug-in within the script or the environment
where the script is run. Do not change the IKS_BETA_VERSION
environment variable to a different version.
ibmcloud ks script update [--in-place] FILE [FILE ...]
- Minimum required permissions
- None
Command options:
--in-place
- Optional: Rewrite the source file with the updated command structure. If this option is not specified, you can see a summary of the changes to the script file in STDOUT.
FILE [FILE ...]
- The file that contains the scripts that you want to update.
To use this command to prepare your automation scripts for the release of version 1.0 of the IBM Cloud Kubernetes Service plug-in:
- Run the command on a test script without the
--in-place
option.ibmcloud ks script update ./mytestscript.sh
- Review the proposed changes to the script in the difference that is shown in the command line STDOUT. Example output
--- a/script-test-2 +++ b/script-test-2 @@ -1,5 +1,5 @@ -ibmcloud ks logging-config-get --cluster mycluster -ibmcloud ks logging-config-update --cluster mycluster --id myconfig --logsource application --type ibm --app-containers app1,app2,app3 --app-paths /var/log/path/ -ibmcloud ks logging-config-update --cluster mycluster --id myconfig --logsource application --type ibm --app-paths=/var/log/path/,/var/log/other/path/ -ibmcloud ks clusters -s --locations dal09,dal12 --output json -ibmcloud ks subnets --locations sao01 +ibmcloud ks logging config get --cluster mycluster +ibmcloud ks logging config update --cluster mycluster --id myconfig --logsource application --type ibm -C app1 -C app2 -C app3 -p /var/log/path/ +ibmcloud ks logging config update --cluster mycluster --id myconfig --logsource application --type ibm -p /var/log/path/ -p /var/log/other/path/ +ibmcloud ks clusters -s -l dal09 -l dal12 --output json +ibmcloud ks subnets -l sao01
- To rewrite the script with the proposed updates, run the command again with the
--in-place
option.ibmcloud ks script update ./mytestscript.sh --in-place
- Search for and address any commands that are flagged in the script with
# WARNING
messages. For example, some commands are deprecated and don't have a replacement command. - Within the script or the environment where the script is run, set the
IKS_BETA_VERSION
environment variable to1.0
.export IKS_BETA_VERSION=1.0
- Test your automation with the updated script. Note that you might incur charges if your automation includes creating clusters.
- Update all your scripts.
- Update your CLI plug-in to version 1.0.
ibmcloud plugin update kubernetes-service
security-group
commands
Virtual Private Cloud Classic infrastructure
Reset or sync a security group to the default traffic rules.
ibmcloud ks security-group ls
List all security groups associated with a cluster.
ibmcloud ks security-group ls --cluster CLUSTER [--attached-to ATTACHED] [--managed-by MANAGER] [--output OUTPUT] [-q] [--scope SCOPE]
Command options
--attached-to ATTACHED
- Filter the security groups by the components they are attached to. Accepted values:
cluster
,load-balancer
,vpc
,vpe-gateway
,worker-pool
--cluster CLUSTER
,-c CLUSTER
- Specify the cluster name or ID.
--managed-by MANAGER
- Specify
user
to return the security groups created by user. Specifyibm
to return only the security groups managed by IBM. Accepted values:ibm
,user
--output OUTPUT
- Prints the command output in the provided format. Accepted values:
json
-q
- Do not show the message of the day or update reminders.
--scope SCOPE
- Specify
cluster
to return security groups scoped to the cluster. Specifyvpc
to return security groups scoped to the entire VPC. Accepted values:cluster
,vpc
ibmcloud ks security-group reset
Virtual Private Cloud Classic infrastructure
Deletes all existing security group rules and reapplies the default rules.
ibmcloud ks security-group reset --cluster CLUSTER --security-group GROUP [-f] [-q]
- Minimum required permissions
- None
Command options:
--cluster CLUSTER
- Required: Specify the cluster name or ID. To list available clusters, run
ibmcloud ks cluster ls
. --security-group GROUP_ID
- Required: Specify the security group ID.
Example:
ibmcloud ks security-group reset --cluster mycluster --security-group mygroup
ibmcloud ks security-group sync
Virtual Private Cloud Classic infrastructure
Reapplies the default security group rules to add any missing rules. Does not delete preexisting rules.
ibmcloud ks security-group sync --cluster CLUSTER --security-group GROUP [-q]
- Minimum required permissions
- None
Command options:
--cluster CLUSTER
- Required: Specify the cluster name or ID. To list available clusters, run
ibmcloud ks cluster ls
. --security-group GROUP_ID
- Required: Specify the security group ID.
Example:
ibmcloud ks security-group sync --cluster mycluster --security-group mygroup
Beta: storage
commands
Virtual Private Cloud Classic infrastructure
Create, get, list, or remove storage volume attachments.
The storage
commands are available in beta.
ibmcloud ks storage attachment create
Virtual Private Cloud
Attach a storage volume to a worker node in your cluster.
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
ibmcloud ks storage attachment create --cluster CLUSTER_ID --volume VOLUME --worker WORKER [--output json]
Command options:
--cluster CLUSTER_ID
- Required: Specify the cluster ID. To list available clusters, run
ibmcloud ks cluster ls
. --volume VOLUME
- Required: Specify the volume ID. To list available workers, run
ibmcloud ks storage volume ls
. --worker WORKER
- Required: Specify the worker ID. To list available workers, run
ibmcloud ks worker ls
. --output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks storage attachment create --cluster aa1111aa11aaaaa11aa1 --volume 111111111 --worker kube-aa1111aa11aaaaa11aa1-my_cluster-default-00000110 [--output json]
ibmcloud ks storage attachment get
Virtual Private Cloud
Get the details of a storage volume attachment in your cluster.
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
ibmcloud ks storage attachment get --cluster CLUSTER_ID --attachment ATTACHMENT --worker WORKER [--output json]
--cluster CLUSTER_ID
- Required: Specify the cluster ID. To list available clusters, run
ibmcloud ks cluster ls
. --attachment ATTACHMENT
- Required: Specify the volume attachment ID. To list available attachments, run
ibmcloud ks storage attachment ls
. --worker WORKER
- Required: Specify the worker ID. To list available workers, run
ibmcloud ks worker ls
. --output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks storage attachment get --cluster aa1111aa11aaaaa11aa1 --attachment 0111-1a111aaa-1111-1111-111a-aaa1a1a11a11 --worker kube-aa1111aa11aaaaa11aa1-my_cluster-default-00000110 [--output json]
ibmcloud ks storage attachment ls
Virtual Private Cloud
List the storage volume attachments for a worker node in your cluster.
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
ibmcloud ks storage attachment ls --cluster CLUSTER_ID --worker WORKER [--output json]
--cluster CLUSTER_ID
- Required: Specify the cluster ID. To list available clusters, run
ibmcloud ks cluster ls
. --worker WORKER
- Required: Specify the worker ID. To list available workers, run
ibmcloud ks worker ls
. --output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks storage attachment ls --cluster aa1111aa11aaaaa11aa1 --worker kube-aa1111aa11aaaaa11aa1-my_cluster-default-00000110 [--output json]
ibmcloud ks storage attachment rm
Virtual Private Cloud
Remove a storage volume from a worker node in your cluster.
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
ibmcloud ks storage attachment rm --cluster CLUSTER_ID --attachment ATTACHMENT --worker WORKER [--output json]
Command options:
--cluster CLUSTER_ID
- Required: Specify the cluster ID. To list available clusters, run
ibmcloud ks cluster ls
. --attachment ATTACHMENT
- Required: Specify the volume attachment ID. To list available attachments, run
ibmcloud ks storage attachment ls
. --worker WORKER
- Required: Specify the worker ID. To list available workers, run
ibmcloud ks worker ls
. --output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks storage attachment rm --cluster aa1111aa11aaaaa11aa1 --attachment 0111-1a111aaa-1111-1111-111a-aaa1a1a11a11 --worker kube-aa1111aa11aaaaa11aa1-my_cluster-default-00000110 [--output json]
ibmcloud ks storage volume get
Virtual Private Cloud Classic infrastructure
List storage volumes for your classic clusters.
- Minimum required permissions
- Viewer platform access role for the cluster in IBM Cloud Kubernetes Service
ibmcloud ks storage volume get --volume VOLUME
Command options:
--volume VOLUME
- Required: Specify the volume ID. To list available volumes, run
ibmcloud ks storage volume ls
. --output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks storage volume get --volume 111111111
ibmcloud ks storage volume ls
Virtual Private Cloud Classic infrastructure
Get a list of storage volumes.
- Minimum required permissions
- Editor platform access role for the cluster in IBM Cloud Kubernetes Service
ibmcloud ks storage volume ls [--cluster CLUSTER_ID] [--provider PROVIDER] [--zone ZONE] [--output json]
Command options:
--cluster CLUSTER_ID
- Optional: Specify the cluster ID. To list available clusters, run
ibmcloud ks cluster ls
. --provider PROVIDER
- Optional: Specify the provider. Supported values are
classic
andvpc-gen2
. --zone ZONE
- Optional: Specify the zone. To list available zones, run
ibmcloud ks locations
. --output json
- Optional: Prints the command output in JSON format.
Example:
ibmcloud ks storage volume ls --cluster aa1111aa11aaaaa11aa1