Learning path for administrators

Plan your environment

Start by designing a cluster for maximum availability and capacity for your workloads.

1. Environment strategy:

   1. Define your Kubernetes strategy for the cluster, such as deciding how many clusters to create for your environments.
   2. Plan your security strategy, such as ensuring network segmentation and workload isolation.

2. Cluster setup: After you plan your environment, plan the setup for a specific cluster.

   1. Choose a supported infrastructure provider.
   2. Plan your cluster network setup.
      • Understanding VPC cluster network basics.
      • Understanding Classic cluster network basics.
   3. Plan your cluster for high availability.
   4. Plan your worker node setup.

Looking for serverless? Try Code Engine.

Create a cluster

Create a cluster with infrastructure, network, and availability setups that are customized to your use case and cloud environment.

1. Firewall: If you have corporate firewalls, make sure that you open the required ports and IP addresses to work with IBM Cloud Kubernetes Service.
2. CLI and API:
   1. Set up the CLIs that are necessary to create and work with clusters. As you work with your cluster, refer to the command reference and keep track of CLI version updates with the CLI change log.
   2. Optionally set up automated deployments with the API. As you work with your cluster, refer to the IBM Cloud Kubernetes Service API reference and Community Kubernetes API reference.
3. Cluster deployment:
   1. Create the cluster.
   2. After the cluster is ready, access your cluster.
   3. Spread your cluster across availability zones adding worker nodes to Classic clusters or adding worker nodes to VPC clusters.
4. User access:
   1. Make sure that your authorized cluster users can now also access the cluster by planning your user access strategy.
   2. Pick the correct access policy and role for your users.
   3. Understand access roles for individual or groups of users in IBM Cloud IAM.
   4. Choose the scope of user access to cluster instances, Kubernetes namespace, or resource groups.
   5. Allow users to create apps or audit your cluster activity by assigning cluster access. To see specific permissions and actions that you can grant users, see the user access permissions reference.

Need help? Check out Troubleshooting clusters and masters and Troubleshooting worker nodes.

Manage the network

Review the following optional topics to manage the network connectivity of your cluster components and connections to other networks. For example, you might need to connect the workloads in your cluster to workloads in another private network. Or, you might return to this section later if you need to make more portable IP addresses available for load balancer services that expose apps in your cluster.

• Connections to other networks and workloads:
  • Set up VPN connectivity between your classic cluster or VPC cluster and remote network environments, other VPCs, and more.
  • To route responses from your cluster back to your on-premises network in VPN solutions that preserve the request source IP address, add custom static routes to worker nodes for on-premises subnets.
• Subnets, service endpoints, and VLANs:
  • Add or change the available subnets and IP addresses for your classic cluster or VPC cluster.
  • Change the service endpoints that your Kubernetes master is accessible through.
  • Classic clusters: Change the VLAN connections for your worker nodes.

Secure your cluster

Use built-in security features to protect your cluster infrastructure and network communication, isolate your compute resources, and ensure security compliance across your infrastructure components and container deployments.

1. Security strategy: Start by reviewing all security options that are available for your cluster.
2. Network security:
   • Classic clusters:
     1. To isolate networking workloads, you can restrict network traffic to edge worker nodes.
     2. Set up a firewall by using a gateway appliance or Calico network policies.
   • VPC clusters: Control traffic to and from your cluster with VPC security groups.
3. Workload security:
   1. Encrypt sensitive information in the cluster, such as the master's local disk and secrets.
   2. Set up a private image registry for your developers, such as the one provided by Container Registry, to control access to the registry and the image content that can be pushed.
   3. Set pod priority to indicate the relative priority of the pods that make up your cluster's workload.
   4. Authorize who can create and update pods by configuring pod security policies (PSPs).

Logging and monitoring

Set up logging and monitoring to help you troubleshoot issues and improve the health and performance of your Kubernetes clusters and apps.

1. Cluster and app logging: Choose a logging solution, such as IBM® Log Analysis, to monitor container logs as well as user-initiated administrative activities.
2. Audit logging: Forwarding Kubernetes API audit logs to IBM Log Analysis
3. Monitoring: Choose a monitoring solution, such as IBM Cloud® Monitoring, to gain operational visibility into the performance and health of your apps.

Need help? Check out Troubleshooting logging and monitoring.

Add a registry and CI/CD

Set up an image registry and a continuous integration and delivery (CI/CD) pipeline for your cluster.

1. Registry: Choose and set up an image registry so that developers can pull images from the registry in their app deployment YAML files.
2. CI/CD:
   • Review available options for automating app deployment.
   • Set up toolchains with IBM® Continuous Delivery Pipeline for IBM Cloud®.

Add storage

Plan and add highly available persistent storage based on your app requirements, the type of data that you want to store, and how often you want to access this data.

1. Requirements: Determine your requirements for a storage solution.
2. Choose a solution: Using your storage requirements, choose a storage solution by comparing non-persistent, single-zone persistent, or multizone persistent storage.

Need help? Check out the troubleshooting page for your persistent storage solution.

Add integrations

Enhance cluster capabilities by integrating various external services and catalog services with your Kubernetes cluster.

1. Review supported integrations:

   • All supported integrations

   • IBM Cloud Kubernetes Service partners

   • IBM Cloud services and third-party integrations

2. Add services to your cluster:
   • Adding services by using managed add-ons
   • Adding services by using Helm
   • Adding services by using IBM Cloud service binding

Need help? Check out Troubleshooting apps and integrations.

Manage the lifecycle

Manage your cluster and worker nodes through each phase of the cluster lifecycle.

• Autoscaling: Automatically increase or decrease the number of worker nodes based on the sizing needs of your scheduled workloads.
• Updating: Keep your environment up-to-date by frequently updating clusters, worker nodes, and cluster components. While you update, refer to these version reference pages:
  • Kubernetes version information
  • Fluentd and Ingress ALB change log
• Removing: Remove clusters and clean up related resources.

Need help? Check out troubleshooting clusters and masters, worker nodes, or the cluster autoscaler.