Following on from the recent announcement of IBM Cloud Container Service (Kubernetes) support in IBM Cloud Dedicated, we describe here the details of the integration between Kubernetes and Cloud Foundry in IBM Cloud Dedicated. As announced there, IBM Cloud Dedicated customers can now use the Kubernetes runtime in their secure Dedicated environment along with their Cloud Foundry application workload and services. We will describe how you can request it and highlight the main features and specifics of the IBM Cloud Container Service in the Dedicated environment.
As an IBM Cloud Dedicated client, you can request the IBM Cloud Container Service (Kubernetes offering) by contacting IBM Support via your administrator. IBM will enable the Kubernetes service in your environment within a few days; once it is enabled, the full set of ever-expanding capabilities is described here. Enablement ensures that the Kubernetes worker nodes you create are deployed in the same single-tenant environment as the rest of your IBM Cloud Dedicated apps and services. Additionally, the worker nodes are deployed on hypervisors dedicated to your account and are secured behind the firewall.
All dedicated deployments of IBM Cloud include the following benefits and features at no additional cost: VPN, private virtual local area network (VLAN), firewall, ability to leverage existing on-premises databases and apps, 24/7 on-site security, dedicated hardware, and standard support.
IBM will configure the following as part of the enablement process:
- Create dedicated VLANs for the Kubernetes worker nodes.
- Configure routing and firewall rules based on your corporate connectivity requirements.
- Enable integration between Kubernetes worker nodes and Cloud Foundry workloads in your IBM Cloud Dedicated.
- Configure your public corporate account for the Dedicated environment so that you can self-serve the Kubernetes clusters in your IBM Cloud Dedicated environment. This enables you to deploy and manage clusters as well as configure access-control for them using the IBM Cloud Identity and Access Management (IAM) features.
Working with Kubernetes Clusters
First, you'll need your IBMid to access IBM Cloud Container Service in IBM Cloud Dedicated. Your administrator will need to invite your IBMid to the public corporate account for the IBM Cloud Dedicated environment, which is described here in detail. This gives you the Editor role by default, which can be changed as described here.
IBM Cloud Dedicated Console
Now you can log in to the IBM Cloud Dedicated Console via your browser, as you do for your Cloud Foundry access, and reach your IBM Cloud Container Service from the Dedicated console.
There is a new dual-login option to select on the login page, as shown in the screenshot below, so that you can access IBM Cloud Container Service from your Dedicated console. Log in using your IBMid; detailed login steps are explained here.
On login, you see the dashboard with your Cloud Foundry applications, services and (new!) Kubernetes clusters, as shown in the screenshot below.
Now you can go to Catalog, select Containers and you’ll see Containers in Kubernetes Clusters and Containers Registry items.
Clicking the Containers in Kubernetes Clusters item will allow you to create the cluster in your IBM Cloud Dedicated environment, as shown in the screenshot below.
Here we should highlight a few specific features of the Create new cluster page which have been customised for your Dedicated environment:
- Free is disabled. Only a Standard cluster can be deployed.
- Location is disabled, and is preset to your Dedicated environment already.
- Private VLAN and Public VLAN are disabled, and are preset to the VLANs that were created during the enablement.
- Hardware Isolation is disabled, and is set to Dedicated by default as only Dedicated hosts are permitted in a Dedicated environment.
Also from the Catalog page, it is possible to view and manage your Container Registry images, as shown here.
The Vulnerability Advisor feature of the Container Registry is also available in the console. It automatically scans customer images and containers for best practice violations and package vulnerabilities. Vulnerability Advisor generates a security status report, suggests fixes and best practices, and provides management to restrict non-secure images from running.
IBM Cloud Command-Line Interface
With this update, for the first time you can use the IBM Cloud command-line interface (CLI), bx, with the Dedicated environment API endpoint and access Kubernetes clusters as well as Cloud Foundry apps and services.
First, log in to your Dedicated environment endpoint using bx. Note that you will log in using your IBMid, and will also be asked to authenticate using your Dedicated user-id and password during the process. If the Dedicated environment already uses IBMid, then you will not be asked to enter your IBMid and password again.
$ bx login -a api.dedicated.bluemix.net -u firstname.lastname@example.org -p password
API endpoint: api.dedicated.bluemix.net
Public IAM token service is available in the dedicated environment. Login with your public IBMid, or use '--no-iam' to login as a dedicated user only.
Authenticating...
OK
Connected to dedicated user email@example.com
Select an account (or press enter to skip):
1. My Dedicated Account (e97a8c01ac694e308ef3ad7795e20d7e)
Enter a number> 1
Targeted account My Dedicated Account (e97a8c01ac694e308ef3ad7795e20d7e)
API endpoint:   https://api.dedicated.bluemix.net (API version: 2.54.0)
Region:         dedicated:prod:us-south
User:           firstname.lastname@example.org (public IBMid) <-> email@example.com (dedicated)
Account:        My Dedicated Account (e97a8c01ac694e308ef3ad7795e20d7e)
Org:
Space:
Tip: If you are managing Cloud Foundry applications and services
- Use 'bx target --cf' to target Cloud Foundry org/space interactively, or use 'bx target -o ORG -s SPACE' to target the org/space.
- Use 'bx cf' if you want to run the Cloud Foundry CLI with current Bluemix CLI context.
Note that you are given the option to select only your Dedicated account, and since the above example is for a Dedicated environment that uses IBMid authentication itself, the public user id is linked to the dedicated user id automatically since both are IBMids. See Connecting a Dedicated ID to your public IBMid for more information.
Next, install the container-service plugin using these instructions, and log in to the region in which your Dedicated environment's datacenter is located.
$ bx plugin install container-service -r Bluemix
$ bx cs region-set us-south
Now you should be able to see the Kubernetes clusters in your Dedicated environment, as follows:
$ bx cs clusters
OK
Name                     ID                                 State     Created        Workers   Location   Version
Mobile@IBM-kube-test-d   a3a0b93c1d5943e3b2ed325d0860e4af   normal    6 months ago   4         dal12      1.7.4_1509*
Ops-cluster              70b1038c766648eba410d00069f27538   normal    5 months ago   3         dal12      1.5.6_1507*
audio-analytics          b7eb58aacb5d4f31a6d20db58797dd76   normal    4 months ago   3         dal12      1.7.4_1509*
cedp-bi-zone-d           bfdb054f4dfc4c19bc73057744dd622a   warning   6 months ago   3         dal12      1.5.6_1507*
dedicated-demo           e45cf53ff43b4074b62d97c8e64ba599   warning   1 month ago    3         dal12      1.7.4_1509*
first-team               840c05b57c0f420a9ea79e7166baf1e3   normal    1 month ago    3         dal12      1.8.8_1507
ibm-monitoring           bf780cfceac14a32bbdc7013183e44c5   normal    2 weeks ago    1         dal12      1.8.8_1507
mobile-ibm-d2            3d9c3ae2169c482babc13b027c6a65b5   normal    5 months ago   3         dal12      1.7.4_1509*
state-test               165052b9085348248e6f3563f14fc7ff   normal    2 weeks ago    1         dal12      1.8.8_1507
tamercluster             54d8dd968d9546319f97313d2f137b00   normal    6 months ago   2         dal12      1.5.6_1507*
Note that you can also review your datacenter location and Kubernetes worker VLANs using the following commands:
$ bx cs locations
OK
Location
dal12
$ bx cs vlans
OK
ID        Name                Number   Type      Router         Supports Virtual Workers
2079349   421436 DAL12 KB01   995      private   bcr01a.dal12   true
2079345   421436 DAL09 KF01   934      public    fcr01a.dal12   true
To create a cluster, check the list of machine-types as follows:
$ bx cs machine-types
OK
Name         Cores   Memory   Network Speed   OS             Server Type   Storage   Secondary Storage
u2c.2x4      2       4GB      1000Mbps        UBUNTU_16_64   virtual       25GB      100GB
b2c.4x16     4       16GB     1000Mbps        UBUNTU_16_64   virtual       25GB      100GB
b2c.16x64    16      64GB     1000Mbps        UBUNTU_16_64   virtual       25GB      100GB
b2c.32x128   32      128GB    1000Mbps        UBUNTU_16_64   virtual       25GB      100GB
b2c.56x242   56      242GB    1000Mbps        UBUNTU_16_64   virtual       25GB      100GB
You can create a cluster of any machine-type as follows:
$ bx cs cluster-create --name demo --workers 3 --machine-type u2c.2x4
This will create a cluster with worker-nodes which are Dedicated VSIs. Note that you don’t need to specify the location or VLAN parameters to the cluster-create command.
You can also see your Cloud Foundry apps and services by targeting an org and space, and using bx cf commands.
$ bx target -o my-org -s dev
Targeted org my-org
Targeted space dev
API endpoint:   https://api.dedicated.bluemix.net (API version: 2.54.0)
Region:         dedicated:prod:us-south
User:           firstname.lastname@example.org (public IBMid) <-> email@example.com (dedicated)
Account:        My Dedicated Account (e97a8c01ac694e308ef3ad7795e20d7e)
Org:            my-org
Space:          dev
$ bx cf apps
Invoking 'cf apps'...
Getting apps in org my-org / space dev as firstname.lastname@example.org...
OK
name               requested state   instances   memory   disk   urls
epms-account-dev   stopped           0/1         1G       1G     epms-account-dev.w3ibm.mybluemix.net
$ bx cf services
Invoking 'cf services'...
Getting services in org my-org / space dev as email@example.com...
OK
name                   service                   plan                            bound apps         last operation
Db2 on Cloud-uq        dashDB For Transactions   EnterpriseForTransactionsFlex                      create failed
mydb                   dashDB                    SMP Small                                          create failed
Retrieve and Rank-3m   retrieve_and_rank         standard                                           create succeeded
testService            user-provided                                             epms-account-dev
K8S apps with Dedicated Cloud Foundry Services
As mentioned in the Getting Started section above, the Kubernetes cluster worker nodes in the Dedicated environment will have connectivity to all your Dedicated Cloud Foundry applications and services. So you can bind your Cloud Foundry service to your Kubernetes cluster by using the following command:
$ bx cs cluster-service-bind mycluster mynamespace cleardb
Binding service instance to namespace...
Secret name: binding-
IBM Cloud Container Registry
You can also access IBM Cloud Container Registry using the bx command-line while targeting your Dedicated environment.
$ bx plugin install container-registry -r Bluemix
$ bx cr login
Logging in to 'registry.ng.bluemix.net'...
Logged in to 'registry.ng.bluemix.net'.
OK
$ bx cr namespace-list
Listing namespaces...
Namespace
audio_analytics
OK
$ bx cr images --restrict audio_analytics
Listing images...
REPOSITORY                                                       NAMESPACE         TAG    DIGEST         CREATED       SIZE     VULNERABILITY STATUS
registry.ng.bluemix.net/audio_analytics/language-characterizer   audio_analytics   0.10   de312abbe643   1 day ago     699 MB   OK
registry.ng.bluemix.net/audio_analytics/language-characterizer   audio_analytics   0.7    b0d88d0f9d1c   1 month ago   501 MB   OK
registry.ng.bluemix.net/audio_analytics/speaker-characterizer    audio_analytics   0.10   b5ca8acc4de2   1 day ago     937 MB   OK
registry.ng.bluemix.net/audio_analytics/speaker-characterizer    audio_analytics   0.6    d7b32dcf2788   1 month ago   739 MB   OK
registry.ng.bluemix.net/audio_analytics/speaker-characterizer    audio_analytics   0.9    79f4dce82998   2 days ago    937 MB   OK
OK
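The VULNERABILITY STATUS column in the bx cr images listing carries the Vulnerability Advisor result for each image, so a deployment script can check it before using an image. The shell function below is an added example, not part of the original article or of IBM's tooling: it reads the table on standard input, finds the status column from the header row, and flags every image whose status is not OK. It assumes the CLI pads its columns to a fixed width; the sample rows, the registry.example host and the non-OK status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail a pipeline step when `bx cr images` lists an image
# whose VULNERABILITY STATUS is anything other than OK.

# Constructed sample in the CLI's fixed-width table layout. Hosts, names and
# the non-OK status text are made up for illustration.
row() { printf '%-40s %-10s %-5s %-13s %-12s %-7s %s\n' "$@"; }
sample_images() {
  echo 'Listing images...'
  echo
  row REPOSITORY NAMESPACE TAG DIGEST CREATED SIZE 'VULNERABILITY STATUS'
  row registry.example/team_a/api    team_a 1.2 000000000001 '1 day ago'   '699 MB' OK
  row registry.example/team_a/worker team_a 0.9 000000000002 '1 month ago' '501 MB' 'Constructed non-OK status'
  row registry.example/team_a/batch  team_a 0.3 000000000003 '2 days ago'  '937 MB' ''
  echo
  echo OK
}

# Reads the table on stdin and prints "repository:tag<TAB>status" for every
# image that is not OK. Exit status: 0 all OK, 1 flagged images, 2 no header.
flag_unsafe_images() {
  awk '
    !col {                                  # still looking for the header row
      col = index($0, "VULNERABILITY STATUS")
      next
    }
    NF < 4 { next }                         # blank lines and the trailing "OK"
    {
      status = substr($0, col)              # status may contain spaces, so
      sub(/[ \t]+$/, "", status)            # slice by offset, not by field
      if (status == "OK") next
      if (status == "") status = "(missing)"   # fail closed on an empty cell
      printf "%s:%s\t%s\n", $1, $3, status
      bad = 1
    }
    END { if (!col) exit 2; exit bad + 0 }
  '
}

# Against the real CLI:  bx cr images --restrict <namespace> | flag_unsafe_images
sample_images | flag_unsafe_images || echo "gate failed with exit status $?" >&2
```

Exit status 2 (no header found) is kept distinct from 1 so that a failed login or an empty listing is not mistaken for a clean result.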
We hope that our IBM Cloud Dedicated customers find this information exciting and useful. Look out for more articles that take a deep dive into other aspects of Kubernetes in IBM Cloud Dedicated. We will update this article with links to subsequent articles as they are published.