---
copyright:
  years: 2014, 2021
lastupdated: "2021-03-22"
keywords: kubernetes, iks, responsibilities, incident, operations, change, security, regulation, disaster recovery, management
subcollection: containers
---


# Your responsibilities with using {{site.data.keyword.containerlong_notm}}
{: #responsibilities_iks}
{: help}
{: support}

Learn about cluster management responsibilities that you have when you use {{site.data.keyword.containerlong}}. For overall terms of use, see Cloud Services terms. {: shortdesc}

## Overview of shared responsibilities
{: #overview-by-resource}

{{site.data.keyword.containerlong_notm}} is a managed service in the {{site.data.keyword.cloud_notm}} shared responsibility model. Review the following table of who is responsible for particular cloud resources when using {{site.data.keyword.containerlong_notm}}. Then, you can view more granular tasks for shared responsibilities in Tasks for shared responsibilities by area. {: shortdesc}

If you use other {{site.data.keyword.cloud_notm}} products such as {{site.data.keyword.cos_short}}, responsibilities that are marked as yours in the following table, such as disaster recovery for Data, might be IBM's or shared. Consult those products' documentation for your responsibilities. {: note}

| Resource | Incident and operations management | Change management | Identity and access management | Security and regulation compliance | Disaster recovery |
| -------- | ---------------------------------- | ----------------- | ------------------------------ | ---------------------------------- | ----------------- |
| Data | You | You | You | You | You |
| Applications | You | You | You | You | You |
| Observability | Shared | IBM | Shared | IBM | IBM |
| App networking | Shared | IBM | IBM | IBM | IBM |
| Cluster networking | Shared | IBM | IBM | IBM | IBM |
| Cluster version | IBM | Shared | IBM | IBM | IBM |
| Worker nodes | Shared | Shared | IBM | IBM | IBM |
| Master | IBM | IBM | IBM | IBM | IBM |
| Service | IBM | IBM | IBM | IBM | IBM |
| Virtual storage | IBM | IBM | IBM | IBM | IBM |
| Virtual network | IBM | IBM | IBM | IBM | IBM |
| Hypervisor | IBM | IBM | IBM | IBM | IBM |
| Physical servers and memory | IBM | IBM | IBM | IBM | IBM |
| Physical storage | IBM | IBM | IBM | IBM | IBM |
| Physical network and devices | IBM | IBM | IBM | IBM | IBM |
| Facilities and data centers | IBM | IBM | IBM | IBM | IBM |
{: summary="The rows are read from left to right. The resource area of comparing responsibilities is in the first column. The next five columns describe whether you, IBM, or both have shared responsibilities for a particular area."}
{: caption="Table 1. Responsibilities by resource." caption-side="top"}

## Tasks for shared responsibilities by area
{: #task-responsibilities}

After reviewing the overview, see which tasks you and IBM share responsibility for in each area and resource when you use {{site.data.keyword.containerlong_notm}}. {: shortdesc}

### Incident and operations management
{: #incident-and-ops}

You and IBM share responsibilities for the setup and maintenance of your {{site.data.keyword.containerlong_notm}} cluster environment for your application workloads. You are responsible for incident and operations management of your application data. {: shortdesc}

| Resource | IBM responsibilities | Your responsibilities |
| -------- | -------------------- | --------------------- |
| Worker nodes | <ul><li>Deploy a fully managed, highly available dedicated master in a secured, IBM-owned infrastructure account for each cluster.</li><li>Provision worker nodes in your IBM Cloud infrastructure account.</li><li>Ensure that worker nodes successfully provision when the user account and permissions are correctly set up and sufficient quota exists.</li><li>Fulfill requests for more infrastructure, such as adding, reloading, updating, and removing worker nodes.</li><li>Provide tools, such as the cluster autoscaler, to extend your cluster infrastructure.</li><li>Integrate ordered infrastructure resources to work automatically with your cluster architecture and become available to your deployed apps and workloads.</li><li>Fulfill automation requests to help recover worker nodes.</li></ul> | <ul><li>Use the provided API, CLI, or console tools to adjust compute and storage capacity to meet the needs of your workload.</li><li>Request that worker nodes are rebooted, reloaded, or replaced, and troubleshoot issues such as worker nodes that are in an unhealthy state.</li></ul> |
| Cluster networking | <ul><li>Set up cluster management components, such as public or private cloud service endpoints, VLANs, and load balancers.</li><li>Fulfill requests for more infrastructure, such as attaching worker nodes to existing VLANs or subnets upon resizing a worker pool.</li><li>Create clusters with subnet IP addresses reserved for exposing apps externally.</li><li>Set up an OpenVPN connection between the master and worker nodes when the cluster is created.</li><li>Provide the ability to set up a VPN connection with on-premises resources, such as through the strongSwan IPSec VPN service or the {{site.data.keyword.vpc_short}} VPN.</li><li>Provide the ability to isolate network traffic with edge nodes.</li></ul> | <ul><li>Use the provided API, CLI, or console tools to adjust the cluster networking configuration to meet the needs of your workload, such as configuring service endpoints, adding VLANs to provide IP addresses for more worker nodes, setting up a VPN connection, or creating edge node worker pools.</li></ul> |
| App networking | <ul><li>Set up a public application load balancer (ALB) that is multizone, if applicable. Provide the ability to set up private ALBs and public or private network load balancers (NLBs).</li><li>Support native Kubernetes public and private load balancers and Ingress routes for exposing services externally.</li><li>Install Calico as the container networking interface, and set up default Calico network policies to control basic cluster traffic.</li></ul> | <ul><li>Set up any additional app networking capabilities that are needed, such as private ALBs, public or private NLBs, or additional Calico network policies.</li></ul> |
| Observability | <ul><li>Provide {{site.data.keyword.la_short}} and {{site.data.keyword.mon_short}} as managed add-ons to enable observability of your cluster and container environments. Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons.</li><li>Provide cluster integration with {{site.data.keyword.at_short}} and send {{site.data.keyword.containerlong_notm}} API events for auditability.</li></ul> | |
{: summary="The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column."}
{: caption="Table 2. Responsibilities for incident and operations management" caption-side="top"}

### Change management
{: #change-management}

You and IBM share responsibilities for keeping your clusters at the latest container platform and operating system versions, along with recovering infrastructure resources that might require changes. You are responsible for change management of your application data. {: shortdesc}

| Resource | IBM responsibilities | Your responsibilities |
| -------- | -------------------- | --------------------- |
| Worker nodes | <ul><li>Provide worker node patch operating system (OS), version, and security updates.</li><li>Fulfill automation requests to update and recover worker nodes.</li></ul> | <ul><li>Use the API, CLI, or console tools to apply the provided worker node updates that include operating system patches, or to request that worker nodes are rebooted, reloaded, or replaced.</li></ul> |
| Cluster version | <ul><li>Provide a suite of tools to automate cluster management, such as the {{site.data.keyword.containerlong_notm}} API, CLI plug-in, and console.</li><li>Automatically apply Kubernetes master patch OS, version, and security updates.</li><li>Make major and minor updates for master nodes available for you to apply.</li><li>Provide worker node major, minor, and patch OS, version, and security updates.</li><li>Fulfill automation requests to update cluster master and worker nodes.</li></ul> | <ul><li>Use the API, CLI, or console tools to apply the provided major and minor Kubernetes master updates and the major, minor, and patch worker node updates.</li></ul> |
{: summary="The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column."}
{: caption="Table 3. Responsibilities for change management" caption-side="top"}

### Identity and access management
{: #iam-responsibilities}

You and IBM share responsibilities for controlling access to your {{site.data.keyword.containerlong_notm}} instances. For {{site.data.keyword.iamlong}} responsibilities, consult that product's documentation. You are responsible for identity and access management to your application data. {: shortdesc}

| Resource | IBM responsibilities | Your responsibilities |
| -------- | -------------------- | --------------------- |
| Observability | <ul><li>Provide the ability to integrate {{site.data.keyword.at_full_notm}} with your cluster to audit the actions that users take in the cluster.</li></ul> | <ul><li>Set up {{site.data.keyword.at_full_notm}} or other capabilities to track user activity in the cluster.</li></ul> |
{: summary="The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column."}
{: caption="Table 4. Responsibilities for identity and access management" caption-side="top"}

### Security and regulation compliance
{: #security-compliance}

IBM is responsible for the security and compliance of {{site.data.keyword.containerlong_notm}}. Compliance with industry standards varies depending on the infrastructure provider that you use for the cluster, such as classic or VPC. You are responsible for the security and compliance of any workloads that run in the cluster and of your application data. For more information, see What standards does the service comply to?. {: shortdesc}

| Resource | IBM responsibilities | Your responsibilities |
| -------- | -------------------- | --------------------- |
| General | <ul><li>Maintain controls commensurate to various industry compliance standards, such as PCI DSS. Compliance with industry standards varies depending on the infrastructure provider of the cluster, such as classic or VPC.</li><li>Monitor, isolate, and recover the cluster master.</li><li>Provide highly available replicas of the Kubernetes master API server, etcd, scheduler, and controller manager components to protect against a master outage.</li><li>Monitor and report the health of the master and worker nodes in the various interfaces.</li><li>Automatically apply master security patch updates, and provide worker node security patch updates.</li><li>Enable certain security settings, such as encrypted disks on worker nodes.</li><li>Disable certain insecure actions for worker nodes, such as not permitting users to SSH into the host.</li><li>Encrypt communication between the master and worker nodes with TLS.</li><li>Provide CIS-compliant Linux images for worker node operating systems.</li><li>Continuously monitor master and worker node images to detect vulnerability and security compliance issues.</li><li>Provision worker nodes with two local SSD data partitions that are AES 256-bit encrypted.</li><li>Provide options for cluster network connectivity, such as public and private cloud service endpoints.</li><li>Provide options for compute isolation, such as dedicated virtual machines or bare metal.</li><li>Integrate Kubernetes role-based access control (RBAC) with {{site.data.keyword.cloud_notm}} Identity and Access Management (IAM).</li></ul> | <ul><li>Set up and maintain security and regulation compliance for your apps and data. For example, choose how to set up your cluster network, protect sensitive information such as with {{site.data.keyword.keymanagementservicelong_notm}} encryption, and configure further security settings to meet your workload's security and compliance needs. If applicable, configure your firewall.</li><li>As part of your incident and operations management responsibilities for the worker nodes, apply the provided security patch updates.</li></ul> |
{: summary="The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column."}
{: caption="Table 5. Responsibilities for security and regulation compliance" caption-side="top"}

### Disaster recovery
{: #disaster-recovery}

IBM is responsible for the recovery of {{site.data.keyword.containerlong_notm}} components in case of disaster. You are responsible for the recovery of the workloads that run in the cluster and of your application data. If you integrate with other {{site.data.keyword.cloud_notm}} services such as file, block, object, cloud database, logging, or audit event services, consult those services' disaster recovery information. {: shortdesc}

| Resource | IBM responsibilities | Your responsibilities |
| -------- | -------------------- | --------------------- |
| General | <ul><li>Maintain service availability across worldwide locations so that customers can deploy clusters across zones and regions for higher DR tolerance.</li><li>Provision clusters with three replicas of master components for high availability.</li><li>In multizone regions, automatically spread the master replicas across zones.</li><li>Continuously monitor the reliability and availability of the service environment through site reliability engineers.</li><li>Update and recover operational {{site.data.keyword.containerlong_notm}} and Kubernetes components within the cluster, such as the Ingress application load balancer and file storage plug-in.</li><li>Back up and recover data in etcd, such as your Kubernetes workload configuration files.</li><li>Provide the optional worker node Autorecovery.</li><li>Provide the ability to integrate with other {{site.data.keyword.cloud_notm}} services such as storage providers so that data can be backed up and restored.</li></ul> | <ul><li>Set up and maintain disaster recovery capabilities for your apps and data. For example, to prepare your cluster for HA/DR scenarios, follow the guidance in High availability for {{site.data.keyword.containerlong_notm}}. Note that persistent storage of data such as application logs and cluster metrics is not set up by default.</li></ul> |
{: summary="The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column."}
{: caption="Table 6. Responsibilities for disaster recovery" caption-side="top"}

### Applications and data
{: #applications-and-data}

You are completely responsible for the applications, workloads, and data that you deploy to {{site.data.keyword.cloud_notm}}. However, IBM provides various tools to help you set up, manage, secure, integrate, and optimize your apps, as described in the following table. {: shortdesc}

| Resource | How IBM helps | What you can do |
| -------- | ------------- | --------------- |
| Applications | <ul><li>Provision clusters with Kubernetes components installed so that you can access the Kubernetes API to deploy and manage your containerized apps.</li><li>Provide a number of managed add-ons to extend your app's capabilities, such as Istio or the Diagnostics and Debug Tool. Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons.</li><li>Provide cluster integration with select third-party partnership technologies, such as {{site.data.keyword.la_short}}, {{site.data.keyword.mon_short}}, and Portworx.</li><li>Provide automation to enable service binding to other {{site.data.keyword.cloud_notm}} services.</li><li>Create clusters with image pull secrets so that your deployments in the default Kubernetes namespace can pull images from {{site.data.keyword.registrylong_notm}}.</li><li>Provide access to Kubernetes APIs that you can use to set up Operators to add community, third-party, and your own services to your cluster. Note that Operators might not work without manual adjustments such as changes in cluster security policies.</li><li>Provide storage classes and plug-ins to support persistent volumes for use with your apps.</li><li>Automatically configure security settings to prevent insecure access, such as disabling SSH into the worker node compute hosts.</li><li>Automatically integrate {{site.data.keyword.cloud_notm}} IAM service access roles with Kubernetes RBAC roles in the cluster.</li><li>Generate an API key that is used to access infrastructure permissions for each resource group and region.</li></ul> | |
| Data | <ul><li>Maintain platform-level standards so that your data can be stored with controls commensurate to leading international security compliance standards.</li><li>Provision clusters with Kubernetes components installed so that you can access the Kubernetes API to help manage your app data, such as with secrets and configmaps.</li><li>Integrate with {{site.data.keyword.cloud_notm}} services that you can use to store and manage your data, such as {{site.data.keyword.cloud_notm}} Databases or {{site.data.keyword.cos_short}}.</li><li>Integrate with {{site.data.keyword.ibmwatson_notm}} services that you can use to maximize the insights and use of your data with the latest artificial intelligence technology.</li></ul> | <ul><li>Maintain responsibility for your data and how your apps consume the data.</li></ul> |
{: summary="The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column."}
{: caption="Table 7. Applications and data" caption-side="top"}