copyright | lastupdated | ||
---|---|---|---|
|
2018-04-11 |
{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:download: .download}
{: #dedicated}
If you have an {{site.data.keyword.Bluemix_dedicated}} account to use {{site.data.keyword.containerlong}}, you can deploy Kubernetes clusters in a dedicated cloud environment (https://<my-dedicated-cloud-instance>.bluemix.net
) and connect with the preselected {{site.data.keyword.Bluemix}} services that are also running there.
{:shortdesc}
If you do not have an {{site.data.keyword.Bluemix_dedicated_notm}} account, you can get started with {{site.data.keyword.containershort_notm}} in a public {{site.data.keyword.Bluemix_notm}} account.
{: #dedicated_environment}
With an {{site.data.keyword.Bluemix_dedicated_notm}} account, available physical resources are dedicated to your cluster only and are not shared with clusters from other {{site.data.keyword.IBM_notm}} customers. You might choose to set up an {{site.data.keyword.Bluemix_dedicated_notm}} environment when you want isolation for your cluster and you also require such isolation for the other {{site.data.keyword.Bluemix_notm}} services that you use. If you do not have a Dedicated account, you can create clusters with dedicated hardware in {{site.data.keyword.Bluemix_notm}} public.
With {{site.data.keyword.Bluemix_dedicated_notm}}, you can create clusters from the catalog in the Dedicated console or by using the {{site.data.keyword.containershort_notm}} CLI. When you use the Dedicated console, you log in to both your Dedicated and public accounts simultaneously using your IBMid. This dual login lets you access your public clusters using your Dedicated console. When you use the CLI, you log in using your Dedicated endpoint (api.<my-dedicated-cloud-instance>.bluemix.net.
) and target the {{site.data.keyword.containershort_notm}} API endpoint of the public region that is associated with the Dedicated environment.
The most significant differences between {{site.data.keyword.Bluemix_notm}} public and Dedicated are as follows.
- In {{site.data.keyword.Bluemix_dedicated_notm}}, {{site.data.keyword.IBM_notm}} owns and manages the IBM Cloud infrastructure (SoftLayer) account that the worker nodes, VLANs, and subnets are deployed into. In {{site.data.keyword.Bluemix_notm}} public, you own the IBM Cloud infrastructure (SoftLayer) account.
- In {{site.data.keyword.Bluemix_dedicated_notm}}, specifications for the VLANs and subnets in the {{site.data.keyword.IBM_notm}}-managed IBM Cloud infrastructure (SoftLayer) account are determined when the Dedicated environment is enabled. In {{site.data.keyword.Bluemix_notm}} public, specifications for VLANs and subnets are determined when the cluster is created.
{: #dedicated_env_differences}
Area | {{site.data.keyword.Bluemix_notm}} public | {{site.data.keyword.Bluemix_dedicated_notm}} |
---|---|---|
Cluster creation | Create a free cluster or a standard cluster. | Create a standard cluster. |
Cluster hardware and ownership | In standard clusters, the hardware can be shared by other {{site.data.keyword.IBM_notm}} customers or dedicated to you only. The public and private VLANs are owned and managed by you in your IBM Cloud infrastructure (SoftLayer) account. | In clusters on {{site.data.keyword.Bluemix_dedicated_notm}}, the hardware is always dedicated. The public and private VLANs that are available for cluster creation are pre-defined when the {{site.data.keyword.Bluemix_dedicated_notm}} environment is set up, and are owned and managed by IBM for you. The location that is available during cluster creation is also pre-defined for the {{site.data.keyword.Bluemix_notm}} environment. |
Load balancer and Ingress networking | During the provisioning of standard clusters, the following actions occur automatically.
|
When you create your Dedicated account, you make a connectivity decision on how you want to expose and access your cluster services. If you want to use your own enterprise IP ranges (user-manged IPs), you must provide them when you [set up an {{site.data.keyword.Bluemix_dedicated_notm}} environment](/docs/dedicated/index.html#setupdedicated).
|
NodePort networking | Expose a public port on your worker node and use the public IP address of the worker node to publicly access your service in the cluster. | All public IP addresses of the workers nodes are blocked by a firewall. However, for {{site.data.keyword.Bluemix_notm}} services that are added to the cluster, the node port can be accessed via a public IP address or a private IP address. |
Persistent storage | Use [dynamic provisioning](cs_storage.html#create) or [static provisioning](cs_storage.html#existing) of volumes. | Use [dynamic provisioning](cs_storage.html#create) of volumes. [Open a support ticket](cs_troubleshoot_storage.html#ts_getting_help) to request a backup for your volumes, request a restoration from your volumes, and perform other storage functions. |
Image registry URL in {{site.data.keyword.registryshort_notm}} |
|
|
Accessing the registry | See the options in [Using private and public image registries with {{site.data.keyword.containershort_notm}}](cs_images.html). |
|
{: #dedicated_ov_architecture}
Each worker node is set up with an {{site.data.keyword.IBM_notm}}-managed Docker Engine, separate compute resources, networking, and volume service. {:shortdesc}
Built-in security features provide isolation, resource management capabilities, and worker node security compliance. The worker node communicates with the master by using secure TLS certificates and openVPN connection.
Kubernetes architecture and networking in the {{site.data.keyword.Bluemix_dedicated_notm}}
{: #dedicated_setup}
Each {{site.data.keyword.Bluemix_dedicated_notm}} environment has a public, client-owned, corporate account in {{site.data.keyword.Bluemix_notm}}. For users in the Dedicated environment to create clusters, the administrator must add the users to a public corporate account. {:shortdesc}
Before you begin:
- Set up an {{site.data.keyword.Bluemix_dedicated_notm}} environment.
- If your local system or your corporate network controls public internet endpoints by using proxies or firewalls, you must open required ports and IP addresses in your firewall.
- Download the Cloud Foundy CLI and Add the IBM Cloud Admin CLI plug-in.
To allow {{site.data.keyword.Bluemix_dedicated_notm}} users to access clusters:
-
The owner of your public {{site.data.keyword.Bluemix_notm}} account must generate an API key.
-
Log in to the endpoint for your {{site.data.keyword.Bluemix_dedicated_notm}} instance. Enter the {{site.data.keyword.Bluemix_notm}} credentials for the public account owner and select your account when prompted.
bx login -a api.<my-dedicated-cloud-instance>.<region>.bluemix.net
{: pre}
Note: If you have a federated ID, use
bx login -a api.<my-dedicated-cloud-instance>.<region>.bluemix.net --sso
to log in to the {{site.data.keyword.Bluemix_notm}} CLI. Enter your user name and use the provided URL in your CLI output to retrieve your one-time passcode. You know that you have a federated ID when the login fails without the--sso
and succeeds with the--sso
option. -
Generate an API key for inviting users to the public account. Note the API key value, which the Dedicated account administrator will use in the next step.
bx iam api-key-create <key_name> -d "Key to invite users to <dedicated_account_name>"
{: pre}
-
Note the GUID of the public account organization that you want to invite users to, which the Dedicated account administrator will use in the next step.
bx account orgs
{: pre}
-
-
The owner of your {{site.data.keyword.Bluemix_dedicated_notm}} account can invite single or multiple users to your Public account.
-
Log in to the endpoint for your {{site.data.keyword.Bluemix_dedicated_notm}} instance. Enter the {{site.data.keyword.Bluemix_notm}} credentials for the Dedicated account owner and select your account when prompted.
bx login -a api.<my-dedicated-cloud-instance>.<region>.bluemix.net
{: pre}
Note: If you have a federated ID, use
bx login -a api.<my-dedicated-cloud-instance>.<region>.bluemix.net --sso
to log in to the {{site.data.keyword.Bluemix_notm}} CLI. Enter your user name and use the provided URL in your CLI output to retrieve your one-time passcode. You know that you have a federated ID when the login fails without the--sso
and succeeds with the--sso
option. -
Invite the users to the public account.
-
To invite a single user:
bx cf bluemix-admin invite-users-to-public -userid=<user_email> -apikey=<public_api_key> -public_org_id=<public_org_id>
{: pre}
Replace <user_IBMid> with the email of the user you want to invite, <public_api_key> with the API key generated in the previous step, and <public_org_id> with the GUID of the public account organization. See Inviting a user from IBM Cloud Dedicated for more information on this command.
-
To invite all users currently in a Dedicated account organization:
bx cf bluemix-admin invite-users-to-public -organization=<dedicated_org_id> -apikey=<public_api_key> -public_org_id=<public_org_id>
Replace <dedicated_org_id> with the Dedicated account organization ID, <public_api_key> with the API key generated in the previous step, and <public_org_id> with the public account organization GUID. See Inviting a user from IBM Cloud Dedicated for more information on this command.
-
-
If an IBMid exists for a user, the user is automatically added to the specified organization in the public account. If an IBMid does not already exist for a user, then an invitation is sent to the user's email address. Once the user accepts the invitation, an IBMid is created for the user, and the user is added to the specified organization in the public account.
-
Verify that the users were added to the account.
bx cf bluemix-admin invite-users-status -apikey=<public_api_key>
{: pre}
Invited users that have an existing IBMid will have a status of
ACTIVE
. Invited users that did not have an existing IBMid will have a status of eitherPENDING
orACTIVE
depending on whether or not they have accepted the invitation to the account yet.
-
-
If any user needs cluster create privileges, you must grant the Administrator role to that user.
-
From the menu bar in the public console, click Manage > Security > Identity and Access, and then click Users.
-
From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.
-
Select Assign access to resources.
-
From the Services list, select IBM Cloud Container Service.
-
From the Region list, select All current regions or a specific region, if you are prompted.
-
Under Select roles, select Administrator.
-
Click Assign.
-
-
Users can now log in to the Dedicated account endpoint to start creating clusters.
-
Log in to the endpoint for your {{site.data.keyword.Bluemix_dedicated_notm}} instance. Enter your IBMid when prompted.
bx login -a api.<my-dedicated-cloud-instance>.<region>.bluemix.net
{: pre}
Note: If you have a federated ID, use
bx login -a api.<my-dedicated-cloud-instance>.<region>.bluemix.net --sso
to log in to the {{site.data.keyword.Bluemix_notm}} CLI. Enter your user name and use the provided URL in your CLI output to retrieve your one-time passcode. You know that you have a federated ID when the login fails without the--sso
and succeeds with the--sso
option. -
If you are logging in for the first time, provide your Dedicated user ID and password when prompted. This authenticates the Dedicated account and links the Dedicated and public accounts together. Every time you log in after this first time, you only use your IBMid to log in. For more information, see Connecting a dedicated ID to your public IBMid.
Note: You must log in to both your Dedicated account and your public account in order to create clusters. If you only want to log in to your Dedicated account, use the
--no-iam
flag when logging in to the Dedicated endpoint. -
To create or access clusters in the dedicated environment, you must set the region associated with that environment.
bx cs region-set
{: pre}
-
-
If you want to unlink your accounts, you can disconnect your IBMid from your Dedicated user ID. For more information, see Disconnect your dedicated ID from the public IBMid.
bx iam dedicated-id-disconnect
{: pre}
{: #dedicated_administering}
Design your {{site.data.keyword.Bluemix_dedicated_notm}} cluster setup for maximum availability and capacity. {:shortdesc}
{: #dedicated_creating_ui}
-
Open your Dedicated console:
https://<my-dedicated-cloud-instance>.bluemix.net
. -
Select the Also log in to {{site.data.keyword.Bluemix_notm}} Public check box and click Log in.
-
Follow the prompts to log in with your IBMid. If this is your first time to log in to your Dedicated account, then follow the prompts to log in to {{site.data.keyword.Bluemix_dedicated_notm}}.
-
From the catalog, select Containers and click Kubernetes cluster.
-
Configure your cluster details.
-
Enter a Cluster Name. The name must start with a letter, can contain letters, numbers, and hyphen (-), and must be 35 characters or fewer. Note that the cluster name and the region in which the cluster is deployed form the fully qualified domain name for the Ingress subdomain. To ensure that the Ingress subdomain is unique within a region, the cluster name might be truncated and appended with a random value within the Ingress domain name.
-
Select the Location in which to deploy your cluster. The available location was pre-defined when the {{site.data.keyword.Bluemix_dedicated_notm}} environment was set up.
-
Choose the Kubernetes API server version for the cluster master node.
-
Select a type of hardware isolation. Virtual is billed hourly and bare metal is billed monthly.
-
Virtual - Dedicated: Your worker nodes are hosted on infrastructure that is devoted to your account. Your physical resources are completely isolated.
-
Bare Metal: Billed monthly, bare metal servers are provisioned by manual interaction with IBM Cloud infrastructure (SoftLayer), and can take more than one business day to complete. Bare metal is best suited for high-performance applications that need more resources and host control. For clusters that run Kubernetes version 1.9 or later, you can also choose to enable Trusted Compute to verify your worker nodes against tampering. If you don't enable trust during cluster creation but want to later, you can use the
bx cs feature-enable
command. After you enable trust, you cannot disable it later.
Be sure that you want to provision a bare metal machine. Because it is billed monthly, if you cancel it immediately after an order by mistake, you are still charged the full month. {:tip}
-
-
Select a Machine type. The machine type defines the amount of virtual CPU, memory, and disk space that is set up in each worker node and made available to the containers. Available bare metal and virtual machines types vary by the location in which you deploy the cluster. For more information, see the documentation for the
bx cs machine-type
command. After you create your cluster, you can add different machine types by adding a new worker node to the cluster. -
Choose the Number of worker nodes that you need. Select
3
to ensure high availability of your cluster. -
Select a Public VLAN (optional) and Private VLAN (required). The available public and private VLANs are pre-defined when the {{site.data.keyword.Bluemix_dedicated_notm}} environment is set up. Both VLANs communicate between worker nodes but the public VLAN also communicates with the IBM-managed Kubernetes master. You can use the same VLAN for multiple clusters. Note: If worker nodes are set up with a private VLAN only, you must configure an alternative solution for network connectivity. For more information, see VLAN connection for worker nodes.
-
By default, Encrypt local disk is selected. If you choose to clear the check box, then the host's Docker data is not encrypted. Learn more about the encryption.
-
-
Click Create cluster. You can see the progress of the worker node deployment in the Worker nodes tab. When the deploy is done, you can see that your cluster is ready in the Overview tab. Note: Every worker node is assigned a unique worker node ID and domain name that must not be manually changed after the cluster is created. Changing the ID or domain name prevents the Kubernetes master from managing your cluster.
{: #dedicated_creating_cli}
-
Install the {{site.data.keyword.Bluemix_notm}} CLI and the {{site.data.keyword.containershort_notm}} plug-in.
-
Log in to the endpoint for your {{site.data.keyword.Bluemix_dedicated_notm}} instance. Enter your {{site.data.keyword.Bluemix_notm}} credentials and select your account when prompted.
bx login -a api.<my-dedicated-cloud-instance>.<region>.bluemix.net
{: pre}
Note: If you have a federated ID, use
bx login -a api.<my-dedicated-cloud-instance>.<region>.bluemix.net --sso
to log in to the {{site.data.keyword.Bluemix_notm}} CLI. Enter your user name and use the provided URL in your CLI output to retrieve your one-time passcode. You know that you have a federated ID when the login fails without the--sso
and succeeds with the--sso
option. -
To target a region, run
bx cs region-set
. -
Create a cluster with the
cluster-create
command. When you create a standard cluster, the hardware of the worker node is billed by hours of usage.Example:
bx cs cluster-create --location <location> --machine-type <machine-type> --name <cluster_name> --workers <number>
{: pre}
Understanding this command's components -
Verify that the creation of the cluster was requested.
bx cs clusters
{: pre}
Note: For virtual machines, it can take a few minutes for the worker node machines to be ordered, and for the cluster to be set up and provisioned in your account. Bare metal physical machines are provisioned by manual interaction with IBM Cloud infrastructure (SoftLayer), and can take more than one business day to complete.
When the provisioning of your cluster is completed, the status of your cluster changes to deployed.
Name ID State Created Workers Location Version my_cluster paf97e8843e29941b49c598f516de72101 deployed 20170201162433 1 mil01 1.8.8
{: screen}
-
Check the status of the worker nodes.
bx cs workers <cluster>
{: pre}
When the worker nodes are ready, the state changes to normal and the status is Ready. When the node status is Ready, you can then access the cluster.
Note: Every worker node is assigned a unique worker node ID and domain name that must not be changed manually after the cluster is created. Changing the ID or domain name prevents the Kubernetes master from managing your cluster.
ID Public IP Private IP Machine Type State Status Location Version kube-mil01-paf97e8843e29941b49c598f516de72101-w1 169.47.223.113 10.171.42.93 free normal Ready mil01 1.8.8
{: screen}
-
Set the cluster that you created as the context for this session. Complete these configuration steps every time that you work with your cluster.
-
Get the command to set the environment variable and download the Kubernetes configuration files.
bx cs cluster-config <cluster_name_or_id>
{: pre}
When the download of the configuration files is finished, a command is displayed that you can use to set the path to the local Kubernetes configuration file as an environment variable.
Example for OS X:
export KUBECONFIG=/Users/<user_name>/.bluemix/plugins/container-service/clusters/<cluster_name>/kube-config-prod-dal10-<cluster_name>.yml
{: screen}
-
Copy and paste the command that is displayed in your terminal to set the
KUBECONFIG
environment variable. -
Verify that the
KUBECONFIG
environment variable is set properly.Example for OS X:
echo $KUBECONFIG
{: pre}
Output:
/Users/<user_name>/.bluemix/plugins/container-service/clusters/<cluster_name>/kube-config-prod-dal10-<cluster_name>.yml
{: screen}
-
-
Access your Kubernetes dashboard with the default port 8001.
-
Set the proxy with the default port number.
kubectl proxy
{: pre}
Starting to serve on 127.0.0.1:8001
{: screen}
-
Open the following URL in a web browser to see the Kubernetes dashboard.
http://localhost:8001/ui
{: codeblock}
-
{: #dedicated_images}
For new namespaces, see the options in Using private and public image registries with {{site.data.keyword.containershort_notm}}. For namespaces that were set up for single and scalable groups, use a token and create a Kubernetes secret for authentication.
{: #dedicated_cluster_subnet}
Change the pool of available portable public IP addresses by adding subnets to your cluster. For more information, see Adding subnets to clusters. Review the following differences for adding subnets to Dedicated clusters.
{: #dedicated_byoip_subnets}
Provide more of your own subnets from an on-premises network that you want to use to access {{site.data.keyword.containershort_notm}}. You can add private IP addresses from those subnets to Ingress and load balancer services in your Kubernetes cluster. User-managed subnets are configured in one of two ways depending on the format of the subnet that you want to use.
Requirements:
- User-managed subnets can be added to private VLANs only.
- The subnet prefix length limit is /24 to /30. For example,
203.0.113.0/24
specifies 253 usable private IP addresses, while203.0.113.0/30
specifies 1 usable private IP address. - The first IP address in the subnet must be used as the gateway for the subnet.
Before you begin: Configure the routing of network traffic into and out of your enterprise network to the {{site.data.keyword.Bluemix_dedicated_notm}} network that will use the user-managed subnet.
-
To use your own subnet, open a support ticket and provide the list of subnet CIDRs that you want to use. Note: The way that the ALB and load balancers are managed for on-premises and internal account connectivity differs depending on the format of the subnet CIDR. See the final step for configuration differences.
-
After {{site.data.keyword.IBM_notm}} provisions the user-managed subnets, make the subnet available to your Kubernetes cluster.
bx cs cluster-user-subnet-add <cluster_name> <subnet_CIDR> <private_VLAN>
{: pre} Replace <cluster_name> with the name or ID of your cluster, <subnet_CIDR> with one of the subnet CIDRs that you provided in the support ticket, and <private_VLAN> with an available private VLAN ID. You can find the ID of an available private VLAN by running
bx cs vlans
. -
Verify that the subnets were added to your cluster. The field User-managed for user-provided subnets is true.
bx cs cluster-get --showResources <cluster_name>
{: pre}
VLANs VLAN ID Subnet CIDR Public User-managed 1555503 192.0.2.0/24 true false 1555505 198.51.100.0/24 false false 1555505 203.0.113.0/24 false true
{: screen}
-
To configure on-premises and internal account connectivity, choose between these options:
- If you used a 10.x.x.x private IP address range for the subnet, use valid IPs from that range to configure on-premises and internal account connectivity with Ingress and a load balancer. For more information, see Planning networking with NodePort, LoadBalancer, or Ingress services.
- If you did not use a 10.x.x.x private IP address range for the subnet, use valid IPs from that range to configure on-premises connectivity with Ingress and a load balancer. For more information, see Planning networking with NodePort, LoadBalancer, or Ingress services. However, you must use an IBM Cloud infrastructure (SoftLayer) portable private subnet to configure internal account connectivity between your cluster and other Cloud Foundry-based services. You can create a portable private subnet with the
bx cs cluster-subnet-add
command. For this scenario, your cluster has both a user-managed subnet for on-premises connectivity and an IBM Cloud infrastructure (SoftLayer) portable private subnet for internal account connectivity.
{: #dedicated_other}
Review the following options for other cluster configurations:
- Managing cluster access
- Updating the Kubernetes master
- Updating worker nodes
- Configuring cluster logging
- Note: Log enablement is not supported from the Dedicated endpoint. You must log in to the public {{site.data.keyword.cloud_notm}} endpoint and target your public org and space in order to enable log forwarding.
- Configuring cluster monitoring
- Note: An
ibm-monitoring
cluster exists within each {{site.data.keyword.Bluemix_dedicated_notm}} account. This cluster continuously monitors the health of the {{site.data.keyword.containerlong_notm}} in the Dedicated environment, checking the stability and connectivity of the environment. Do not remove this cluster from the environment.
- Note: An
- Visualizing Kubernetes cluster resources
- Removing clusters
{: #dedicated_apps}
You can use Kubernetes techniques to deploy apps in {{site.data.keyword.Bluemix_dedicated_notm}} clusters and to ensure that your apps are always up and running. {:shortdesc}
To deploy apps in clusters, you can follow the instructions for deploying apps in {{site.data.keyword.Bluemix_notm}} public clusters. Review the following differences for {{site.data.keyword.Bluemix_dedicated_notm}} clusters.
{: #dedicated_apps_public}
For {{site.data.keyword.Bluemix_dedicated_notm}} environments, public primary IP addresses are blocked by a firewall. To make an app publicly available, use a LoadBalancer service or Ingress instead of a NodePort service. If you require access to a LoadBalancer service or Ingress that portable public IP addresses, supply an enterprise firewall whitelist to IBM at service onboarding time.
{: #dedicated_apps_public_load_balancer}
If you want to use public IP addresses for the load balancer, ensure that an enterprise firewall whitelist was provided to IBM or open a support ticket to configure the firewall whitelist. Then follow the steps in Exposing apps with LoadBalancers.
{: #dedicated_apps_public_ingress}
If you want to use public IP addresses for the application load balancer, ensure that an enterprise firewall whitelist was provided to IBM or open a support ticket to configure the firewall whitelist. Then follow the steps in Exposing apps to the public.
{: #dedicated_apps_volume_claim}
To review options for creating persistent storage, see Persistent data storage. To request a backup for your volumes, a restoration from your volumes, and other storage functions, you must open a support ticket.
-