Your responsibilities with using IBM Cloud Kubernetes Service

Learn about cluster management responsibilities that you have when you use IBM Cloud® Kubernetes Service. For overall terms of use, see Cloud Services terms.

Overview of shared responsibilities

IBM Cloud Kubernetes Service is a managed service in the IBM Cloud shared responsibility model. Review the following table to see who is responsible for each cloud resource when you use IBM Cloud Kubernetes Service. Then, see Tasks for shared responsibilities by area for the more granular tasks behind each shared responsibility.

If you use other IBM Cloud products such as Object Storage, responsibilities that are marked as yours in the following table, such as disaster recovery for Data, might be IBM's or shared. Consult those products' documentation for your responsibilities.

Table 1. Responsibilities by resource.
Resource                      Incident and operations management  Change management  Identity and access management  Security and regulation compliance  Disaster recovery
Data                          You                                 You                You                             You                                 You
Applications                  You                                 You                You                             You                                 You
Observability                 Shared                              IBM                Shared                          IBM                                 IBM
App networking                Shared                              IBM                IBM                             IBM                                 IBM
Cluster networking            Shared                              IBM                IBM                             IBM                                 IBM
Cluster version               IBM                                 Shared             IBM                             IBM                                 IBM
Worker nodes                  Shared                              Shared             IBM                             Shared                              IBM
Master                        IBM                                 IBM                IBM                             IBM                                 IBM
Service                       IBM                                 IBM                IBM                             IBM                                 IBM
Virtual storage               IBM                                 IBM                IBM                             IBM                                 IBM
Virtual network               IBM                                 IBM                IBM                             IBM                                 IBM
Hypervisor                    IBM                                 IBM                IBM                             IBM                                 IBM
Physical servers and memory   IBM                                 IBM                IBM                             IBM                                 IBM
Physical storage              IBM                                 IBM                IBM                             IBM                                 IBM
Physical network and devices  IBM                                 IBM                IBM                             IBM                                 IBM
Facilities and Data Centers   IBM                                 IBM                IBM                             IBM                                 IBM

Tasks for shared responsibilities by area

After reviewing the overview, see which tasks you and IBM are each responsible for, by area and resource, when you use IBM Cloud Kubernetes Service.

Incident and operations management

You and IBM share responsibilities for the setup and maintenance of your IBM Cloud Kubernetes Service cluster environment for your application workloads. You are responsible for incident and operations management of your application data.

Table 2. Responsibilities for incident and operations management
Worker nodes
  IBM responsibilities:
  • Deploy a fully managed, highly available dedicated master in a secured, IBM-owned infrastructure account for each cluster.
  • Provision worker nodes in your IBM Cloud infrastructure account.
  • Ensure that worker nodes successfully provision when the user account and permissions are correctly set up, and sufficient quota exists.
  • Fulfill requests for more infrastructure, such as adding, reloading, updating, and removing worker nodes.
  • Provide tools, such as the cluster autoscaler, to extend your cluster infrastructure.
  • Integrate ordered infrastructure resources to work automatically with your cluster architecture and become available to your deployed apps and workloads.
  • Fulfill automation requests to help recover worker nodes.
  Your responsibilities:
  • Use the provided API, CLI, or console tools to adjust compute and storage capacity to meet the needs of your workload.
  • Use the provided API, CLI, or console tools to request that worker nodes are rebooted, reloaded, or replaced, and troubleshoot issues such as worker nodes that are in an unhealthy state.
Cluster networking
  IBM responsibilities:
  • Set up cluster management components, such as public or private cloud service endpoints, VLANs, and load balancers.
  • Fulfill requests for more infrastructure, such as attaching worker nodes to existing VLANs or subnets upon resizing a worker pool.
  • Create clusters with subnet IP addresses reserved for exposing apps externally.
  • Set up a Konnectivity connection between the master and worker nodes when the cluster is created.
  • Provide the ability to set up a VPN connection with on-premises resources, such as through the strongSwan IPSec VPN service or the IBM Cloud VPC VPN.
  • Provide the ability to isolate network traffic with edge nodes.
  Your responsibilities:
  • Use the provided API, CLI, or console tools to adjust the cluster networking configuration to meet the needs of your workload, such as configuring service endpoints, adding VLANs to provide IP addresses for more worker nodes, setting up a VPN connection, or creating edge node worker pools.
App networking
  IBM responsibilities:
  • Set up a public application load balancer (ALB) that is multizone, if applicable. Provide the ability to set up private ALBs and public or private network load balancers (NLBs).
  • Support native Kubernetes public and private load balancers and Ingress routes for exposing services externally.
  • Install Calico as the container networking interface, and set up default Calico network policies to control basic cluster traffic.
  Your responsibilities:
  • Set up any additional app networking capabilities that are needed, such as private ALBs, public or private NLBs, or additional Calico network policies.
Observability
  IBM responsibilities:
  • Provide Log Analysis and Monitoring as managed add-ons to enable observability of your cluster and container environments. Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons.
  • Provide cluster integration with Activity Tracker and send IBM Cloud Kubernetes Service API events for auditability.

Change management

You and IBM share responsibilities for keeping your clusters at the latest container platform and operating system versions, along with recovering infrastructure resources that might require changes. You are responsible for change management of your application data.

Table 3. Responsibilities for change management
Worker nodes
  IBM responsibilities:
  • Provide worker node patch operating system (OS), version, and security updates.
  • Fulfill automation requests to update and recover worker nodes.
  Your responsibilities:
  • Use the API, CLI, or console tools to apply the provided worker node updates that include operating system patches, or to request that worker nodes are rebooted, reloaded, or replaced.
Cluster version
  IBM responsibilities:
  • Provide a suite of tools to automate cluster management, such as the IBM Cloud Kubernetes Service API, CLI plug-in, and console.
  • Automatically apply Kubernetes master patch OS, version, and security updates.
  • Make major and minor updates for master nodes available for you to apply.
  • Provide worker node major, minor, and patch OS, version, and security updates.
  • Fulfill automation requests to update cluster master and worker nodes.
  Your responsibilities:
  • Use the API, CLI, or console tools to apply the provided major and minor Kubernetes master updates and major, minor, and patch worker node updates.

Identity and access management

You and IBM share responsibilities for controlling access to your IBM Cloud Kubernetes Service instances. For IBM Cloud® Identity and Access Management responsibilities, consult that product's documentation. You are responsible for identity and access management to your application data.

Table 4. Responsibilities for identity and access management
Observability
  IBM responsibilities:
  • Provide the ability to integrate IBM Cloud Activity Tracker with your cluster to audit the actions that users take in the cluster.
  Your responsibilities:
  • Set up IBM Cloud Activity Tracker or other capabilities to track user activity in the cluster.

Security and regulation compliance

IBM is responsible for the security and compliance of IBM Cloud Kubernetes Service. Compliance with industry standards varies depending on the infrastructure provider that you use for the cluster, such as classic or VPC. You are responsible for the security and compliance of any workloads that run in the cluster and of your application data. For more information, see What standards does the service comply to?.

Table 5. Responsibilities for security and regulation compliance
General
  IBM responsibilities:
  • Maintain controls commensurate with various industry compliance standards, such as PCI DSS. Compliance with industry standards varies depending on the infrastructure provider of the cluster, such as classic or VPC.
  • Monitor, isolate, and recover the cluster master.
  • Provide highly available replicas of the Kubernetes master API server, etcd, scheduler, and controller manager components to protect against a master outage.
  • Provide options for cluster network connectivity, such as public and private cloud service endpoints.
  • Provide options for compute isolation, such as dedicated virtual machines or bare metal.
  • Integrate Kubernetes role-based access control (RBAC) with IBM Cloud Identity and Access Management (IAM).
Worker nodes
  IBM responsibilities:
  • Monitor and report the health of the master and worker nodes in the various interfaces.
  • Automatically apply master security patch updates, and provide worker node security patch updates.
  • Enable certain security settings, such as encrypted disks on worker nodes.
  • Disable certain insecure actions for worker nodes, such as not permitting users to SSH into the host.
  • Encrypt communication between the master and worker nodes with TLS.
  • Provide CIS-compliant Linux images for worker node operating systems.
  • Continuously monitor master and worker node images to detect vulnerability and security compliance issues.
  • Enable provider-managed encryption by default on all volumes.
  Your responsibilities:
  • As part of your incident and operations management responsibilities for the worker nodes, apply the provided security patch updates.
  • Optionally configure bring your own key encryption for worker node volumes.

Disaster recovery

IBM is responsible for the recovery of IBM Cloud Kubernetes Service components in case of disaster. You are responsible for the recovery of the workloads that run in the cluster and of your application data. If you integrate with other IBM Cloud services such as file, block, object, cloud database, logging, or audit event services, consult those services' disaster recovery information.

Table 6. Responsibilities for disaster recovery
General
  IBM responsibilities:
  • Maintain service availability across worldwide locations so that customers can deploy clusters across zones and regions for higher DR tolerance.
  • Provision clusters with three replicas of master components for high availability.
  • In multizone regions, automatically spread the master replicas across zones.
  • Continuously monitor the service environment through site reliability engineers to ensure its reliability and availability.
  • Update and recover operational IBM Cloud Kubernetes Service and Kubernetes components within the cluster, such as the Ingress application load balancer and file storage plug-in.
  • Back up and recover data in etcd, such as your Kubernetes workload configuration files.
  • Provide the optional worker node Autorecovery.
  • Provide the ability to integrate with other IBM Cloud services such as storage providers so that data can be backed up and restored.
  Your responsibilities:
  • Set up and maintain disaster recovery capabilities for your apps and data. For example, to prepare your cluster for HA/DR scenarios, follow the guidance in High availability for IBM Cloud Kubernetes Service. Note that persistent storage of data such as application logs and cluster metrics is not set up by default.

Applications and data

You are completely responsible for the applications, workloads, and data that you deploy to IBM Cloud. However, IBM provides various tools to help you set up, manage, secure, integrate, and optimize your apps, as described in the following table.

Table 7. Applications and data
Applications
  How IBM helps:
  • Provision clusters with Kubernetes components installed so that you can access the Kubernetes API to deploy and manage your containerized apps.
  • Provide a number of managed add-ons to extend your app's capabilities, such as Istio or the Diagnostics and Debug Tool. Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons.
  • Provide cluster integration with select third-party partnership technologies, such as Log Analysis, Monitoring, and Portworx.
  • Provide automation to enable service binding to other IBM Cloud services.
  • Create clusters with image pull secrets so that your deployments in the default Kubernetes namespace can pull images from IBM Cloud Container Registry.
  • Provide access to Kubernetes APIs that you can use to set up Operators to add community, third-party, and your own services to your cluster. Note that Operators might not work without manual adjustments such as changes in cluster security policies.
  • Provide storage classes and plug-ins to support persistent volumes for use with your apps.
  • Automatically configure security settings to prevent insecure access, such as disabling SSH into the worker node compute hosts.
  • Automatically integrate IBM Cloud IAM service access roles with Kubernetes RBAC roles in the cluster.
  • Generate an API key that is used to access infrastructure permissions for each resource group and region.
Data
  How IBM helps:
  • Maintain platform-level standards so that your data can be stored with controls commensurate with leading international security compliance standards.
  • Provision clusters with Kubernetes components installed so that you can access the Kubernetes API to help manage your app data, such as with secrets and configmaps.
  • Integrate with IBM Cloud services that you can use to store and manage your data, such as IBM Cloud Databases or Object Storage.
  • Integrate with IBM Watson services that you can use to maximize the insights and use of your data with the latest artificial intelligence technology.
  What you can do:
  • Maintain responsibility for your data and how your apps consume the data.