On the main diagram the numbering is out of sync

(1) the simple option is not described in the numbered list below the diagram and the descriptions map to 2,3,4,5

When looking at the details to determine what firewall rules needed IKS, there is no reference on the required configuration for the storage options provided by IBM Cloud.

This includes options under Persistent Storage including

• IBM File Storage for IBM Cloud
• IBM File Storage for IBM Cloud
• IBM Cloud Object Storage

Without the details, its possible someone might see an error like

mount.nfs: Connection timed out

This would likely meaning providing details about the subnet range to add into a Calico policy.

In this link:
https://cloud.ibm.com/docs/containers?topic=containers-helm

helm search commands are missing "repo" flag

This is 3rd issue I'm creating for this doc:
https://cloud.ibm.com/docs/containers?topic=containers-vpn#vpn_configure

Incorrect syntax:
helm install -f config.yaml --name=vpn iks-charts/strongswan

Correct syntax is:
helm install vpn -f config.yaml iks-charts/strongswan

This is turning to a waste of time.....can somebody go through the doc and make sure steps and commands are correct????

https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_secure.md

In this document, and in the picture under section cluster trust, the cloud certificate manager spelling is incorrect. ( manageger)

Hi,
In the StatefulSet description the line that reads: "However, some apps, such as databases, must be stateless." should probably be changed to read "However, some apps, such as databases, maintain state" or something like that.

Concerning: https://console.bluemix.net/docs/containers/cs_tutorials_apps.html#cs_apps_tutorial

I would like to suggest to add the use of the following command to observe what happens to the pods from the command line.
In Lesson 2, point 8 and 9, one could run the following command to observe the evolution of state of the pods:

kubectl get pods -o wide -w

After one or two minutes this is what I see:

kgp -o wide -w
NAME                                     READY     STATUS    RESTARTS   AGE       IP               NODE            NOMINATED NODE
hello-world-deployment-57f758d7d-s59jq   1/1       Running   0          10m       172.30.162.76    10.74.70.5      <none>
hw-demo-deployment-86c64b84cb-f86xp      1/1       Running   1          1m        172.30.162.83    10.74.70.5      <none>
hw-demo-deployment-86c64b84cb-hjrl9      1/1       Running   1          1m        172.30.195.244   10.186.105.70   <none>
hw-demo-deployment-86c64b84cb-xm2vw      1/1       Running   1          1m        172.30.192.21    10.94.95.85     <none>
hw-demo-deployment-86c64b84cb-f86xp   1/1       Running   2         1m        172.30.162.83   10.74.70.5   <none>
hw-demo-deployment-86c64b84cb-hjrl9   1/1       Running   2         1m        172.30.195.244   10.186.105.70   <none>
hw-demo-deployment-86c64b84cb-xm2vw   1/1       Running   2         2m        172.30.192.21   10.94.95.85   <none>
hw-demo-deployment-86c64b84cb-f86xp   1/1       Running   3         2m        172.30.162.83   10.74.70.5   <none>
hw-demo-deployment-86c64b84cb-hjrl9   1/1       Running   3         2m        172.30.195.244   10.186.105.70   <none>
hw-demo-deployment-86c64b84cb-xm2vw   1/1       Running   3         3m        172.30.192.21   10.94.95.85   <none>
hw-demo-deployment-86c64b84cb-f86xp   1/1       Running   4         3m        172.30.162.83   10.74.70.5   <none>

I could be doing something wrong, but it appears the instructions for how to create container registry tokens are outdated. They can be found here.

Assuming you've setup bx and the cr plugin, It appears that steps 1-4 can be reduced to:
bx cr token-add --description "description text" --non-expiring -q

In

https://cloud.ibm.com/docs/containers?topic=containers-getting-started

in
https://cloud.ibm.com/docs/containers?topic=containers-getting-started#classic-cluster-create

it reads:

Make sure that you are assigned the following permissions in IBM Cloud Identity and Access Management. If you are the IBM Cloud account owner, you already have all permissions by default.
Administrator platform role for IBM Cloud Kubernetes Service at the account level.
Writer or Manager service role for IBM Cloud Kubernetes Service.
Administrator platform role for Container Registry at the account level.
Super User role or the minimum required permissions for classic infrastructure.

In the sentence:

Administrator platform role for IBM Cloud Kubernetes Service at the account level.

• what does at the account level mean exactly?

A second question:
Can I assign all the above rights (with the exception of Classic Infrastructure) via an Access Group?

I have been told that the Classic Infrastructure permissions can only be applied to individual users, but what about the other permissions? Can I assign them via an Access group?
Thanks

I wasted over an hour trying to try out a simple tutorial???

UNABLE TO CREATE FREE CLUSTER

keeps indicating about an upgrade

Following the instructions here

https://cloud.ibm.com/docs/containers?topic=containers-object_storage

The helm chart comes with values as below:

# ICP Configuration
provider: icp

# Datacenter name where cluster is deployed (required only for IKS)
dcname: ""

There should be a mention in the docs that this needs to be changed for IKS.

The link to the blog in the short description is broken. https://cloud.ibm.com/docs/containers/cs_hybrid.html#hybrid_iks_icp

The volumeMounts are wrong in the "Example stateful set with anti-affinity rule and delayed block storage creation:". www and wwww should be myvol1 and myvol2 respectively.

Thanks for the example btw. Still debugging why my statefulset isn't working, but this is helping debug it at least. :)

https://docs.newrelic.com/docs/integrations/host-integrations/host-integrations-list/kubernetes-monitoring-integration

Shows that we can integrate to COSCALE which is no longer a service. It was purchased by NewRelic. The old COSCALE links are all dead.

Lastly,

The logging and monitoring section of this page:
https://console.bluemix.net/docs/containers/cs_integrations.html#integrations

Will also need changed. Either COSCALE needs removed or NewRelic needs added.

The installation steps describe below,

https://cloud.ibm.com/docs/containers?topic=containers-ingress_health&locale=en#ingress_monitoring

In the case of Multizone Cluster, 1st attempt is successful but 2nd attempts(another zone's ALB) is resulted in failure
because of conflict of manifest names.

Under "Privately expose apps using a custom domain with TLS", step 6, looks like the formatting is off around "network traffic cannot be forwarded"

https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_annotations.md

I am trying to do something similar to:

myhost.com/app1/foo => app1-service:80/foo
myhost.com/app2/bar => app2-service:80/bar

But this setup gives me 404s:

 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: myingress
 spec:
   rules:
   - host: myhost.com
     http:
       paths:
       - path: /app1
         backend:
           serviceName: app1-service
           servicePort: 80
       - path: /app2
         backend:
           serviceName: app2-service
           servicePort: 80

Some tutorials will suggest I need to add an annotation:

annotations:
  nginx.ingress.kubernetes.io/rewrite-target: /
  // or ingress.kubernetes.io/rewrite-target: / (I don't know)

But how do I add this using IBM Cloud Kubernetes Ingress? ingress.bluemix.net/rewrite-path does not appear to do the same thing as ingress.kubernetes.io/rewrite-target.

Also, do I need to manually deploy an Ingress Controller or does IBM Cloud Kubernetes do it for me? The Kubernetes docs https://kubernetes.io/docs/concepts/services-networking/ingress/ mention :

Before you start using the Ingress resource, You need an Ingress controller to satisfy an Ingress, simply creating the resource will have no effect.

But the IBM Kubernetes docs https://console.bluemix.net/docs/containers/cs_ingress.html#ingress have no mention of this or how to create the Ingress Controller.

The commands to access a cluster of IKS using the command seem to be out of date.

On the front page of your cluster - https://cloud.ibm.com/kubernetes/clusters/

The first command is: curl -sL https://ibm.biz/idt-installer | bash

However, this command downloads and outdated CLI that does not allow you to login to your instance on IBM Cloud. The command needs to be updated for the next command
ibmcloud login -a cloud.ibm.com -r us-south -g default to work.

The command to get your cluster information ibmcloud ks cluster-config --cluster niks-cluster returns 'ks' is not a registered command. See 'ibmcloud help'.

Instead, the command ibmcloud cs cluster-config --cluster niks-cluster is what is needed to retrieve the necessary config.

Hello
We have a need to restrict access to our public ingress in IBM Cloud and are looking too maintain those restrictions withiin the ingress via whitelist-source-range which is available in nginx.ingress.kubernetes.io

See: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range

On the page https://cloud.ibm.com/docs/containers?topic=containers-plan_clusters#shared_dedicated_node

the schema Available hardware for worker nodes mentioned Worker Node 1 twice. It should be Worker Node 1 and Worker Node 2.

Lab 0 instructions in this link is wrong:
https://cloud.ibm.com/docs/tutorials?topic=containers-vpc_ks_tutorial

Please update content from git site:
https://github.com/IBM/container-service-getting-started-wt/tree/master/Lab%201

In the Knative tutorial at https://cloud.ibm.com/docs/containers?topic=containers-knative_tutorial#knative_tutorial , step 4 of lesson 2 shows kubectl get svc/kn-helloworld, but the resulting output is not useful.

The example output shows the right output from kubectl get ksvc. Should step 4 be showing kubectl get ksvc?

Pictures at page https://cloud.ibm.com/docs/containers?topic=containers-cs_network_ov#cs_network_ov all get 404.

I have tried the instructions in this page: https://console.bluemix.net/docs/containers/cs_dedicated_tokens.html
but it's not working for me. This is the error I get in the POD - the image pull is failing:

Events:
  Type     Reason                 Age               From                   Message
  ----     ------                 ----              ----                   -------
  Normal   SuccessfulMountVolume  8m                kubelet, xxxxx  MountVolume.SetUp succeeded for volume "test-volume"
  Normal   SuccessfulMountVolume  8m                kubelet, xxxx  MountVolume.SetUp succeeded for volume "default-token-58cxf"
  Normal   Pulling                7m (x4 over 8m)   kubelet, xxxx  pulling image "registry.ng.bluemix.net/<my space>/privileged-image:0.0"
  Warning  Failed                 7m (x4 over 8m)   kubelet, xxxx  Failed to pull image "registry.ng.bluemix.net/<my space>/privileged-image:0.0": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.ng.bluemix.net/v2/<my space>/privileged-image/manifests/0.0: unsupported: The requested authentication method is not supported. Run the `bx cr login` command. To use registry tokens, use `docker login -u token` and your registry token as the password.
  Warning  Failed                 7m (x4 over 8m)   kubelet, xxxxx  Error: ErrImagePull
  Warning  Failed                 6m (x6 over 8m)   kubelet, xxxx  Error: ImagePullBackOff
  Normal   BackOff                3m (x20 over 8m)  kubelet, xxxx  Back-off pulling image "registry.ng.bluemix.net/<my space>/privileged-image:0.0"

This is how I created the secret:

        --docker-server=registry.ng.bluemix.net \
        --docker-username=<here I tried both my email used in the ibmcloud account and the token id> \
        --docker-password=<the token> \
        --docker-email=<an email>

This is the daemonset

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    name: privileged-image
  name: privileged-image
spec:
  template:
    metadata:
      labels:
        name: privileged-image
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - image: registry.ng.bluemix.net/<my space>/privileged-image:0.0
        securityContext:
          privileged: true
        name: privileged-image
        volumeMounts:
        - mountPath: /host
          name: test-volume
      imagePullSecrets:
      - name: <secret name>
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /

I created the token:

ibmcloud cr token-add --description "<some descr>" --non-expiring -q
<token>

In this link:
https://cloud.ibm.com/docs/containers?topic=containers-helm

For the following step and error:
helm repo add entitled https://raw.githubusercontent.com/IBM/charts/master/repo/entitled
Error: looks like "https://raw.githubusercontent.com/IBM/charts/master/repo/entitled" is not a valid chart repository or cannot be reached: Get https://raw.githubusercontent.com/IBM/charts/master/repo/entitled/index.yaml: dial tcp: lookup raw.githubusercontent.com: no such host

Please add the following step:
IBM/deploy-ibm-cloud-private#80

The commands to set an audit-webhook reference an option of --remoteServer on https://cloud.ibm.com/docs/containers?topic=containers-health#webhook_logdna.

ibmcloud ks cluster master audit-webhook set --cluster <cluster_name_or_ID> --remoteServer <http://172.21.xxx.xxx>

This must have changed because the help for the command shows the option as --remote-server. When I used --remote-server the command did work.

Incorrect Usage: flag provided but not defined: -remoteServer

NAME:
        set - Set the audit webhook configuration for a cluster's Kubernetes API server. The webhook backend forwards API server audit logs to a remote server.

USAGE:
        ibmcloud ks cluster master audit-webhook set --cluster CLUSTER [--ca-cert CERT] [--client-cert CERT] [--client-key KEY] [--remote-server SERVER] [-s]
    
PARAMETERS:
    --cluster value, -c value  Specify the cluster name or ID.
    --remote-server value      The URL or IP address for the remote logging service.
    --ca-cert value            The filepath of the CA cert used to verify the remote logging service.
    --client-cert value        The filepath for the client cert that is used to authenticate against the remote logging service.
    --client-key value         The filepath for the corresponding client key that is used to connect to the remote logging service.
    -s                         Optional: Do not show the message of the day or update reminders.

FAILED
flag provided but not defined: -remoteServer

Looking at docs here: https://cloud.ibm.com/docs/containers?topic=containers-ingress_annotation

I'm trying to figure out what annotation (if any) will enable nginx http2 protocol support on the IKS ALB ingress.

Basically I want the alb nginx config to have:

server {
    listen 443 ssl http2;
    ...

instead of the default:

server {
    listen 443 ssl;
    ...

Background reading: https://www.nginx.com/blog/http2-module-nginx/

In this page, https://console.bluemix.net/docs/containers/cs_dedicated_tokens.html, I think the last command kubectl apply -f mypod.yaml is missing the namespace, which must be the same entered in the previous step where the secret is created:

kubectl --namespace <kubernetes_namespace> create secret docker-registry <secret_name> --docker-server=<registry_url> --docker-username=token --docker-password=<token_value> --docker-email=<docker_email>

https://console.bluemix.net/docs/containers/cs_integrations.html#adding_resource_cluster

Change ic to ibmcloud

The documentation in both annotations gives the impression that Service name is optional

"The configuration is applied to all of the services in the Ingress host unless a service is specified. For example, if a configuration such as serviceName=SERVICE number=2 size=1k is specified, 1k is applied to the service."

In reality the ingress annotation produces the following event:

Failed to apply ingress.bluemix.net/proxy-buffers annotation. Error annotation format error : One of the mandatory fields not valid/missing for annotation ingress.bluemix.net/proxy-buffers

This goes away of the service name is specified

with Helm < 2.10 the instructions work, otherwise if using the latest Helm (2.10) step (b) will cause an error once you execute step (c) uner lesson 1 (e.g. "gateways.networking.istio.io" already exists)

reference issue istio/istio#7688

I was reading through the following piece of documentation:

https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_ingress.md#enabling-the-default-private-application-load-balancer

when I realised there are a couple of commands where bx cs is duplicate. That is, the command appears as bx cs bx cs .... is that correct?

Thanks

In this section To create a mutual authentication secret:, it is unclear what are example.org.csr and example.org.crt

In https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_annotations.md#tcp-ports-for-application-load-balancers-tcp-ports under point 6 of the instructions it reads Update your ALB configuration. but the operation actually creates the Ingress service.

it seems bx cs webhook-create --URL needs to be --url at least on windows. Copying the example as is would not work

We just released a new tutorial using your service. You may want to link to it from the service documentation.

Here is the markdown for the toc:
[Apply end to end security to a cloud application](https://console.bluemix.net/docs/tutorials/cloud-e2e-security.html#apply-end-to-end-security-to-a-cloud-application)

Can you please document when the free tier cluster will be deleted automatically?

In instructions in this link:
https://cloud.ibm.com/docs/containers?topic=containers-helm#public_helm_install
helm init --service-account tiller
is generating the following error
Error: unknown flag: --service-account

This seems not required step in helm v3:
helm/helm#7052

Dead link:

https://cloud.ibm.com/docs/services/Monitoring-with-Sysdig/tutorials?topic=Sysdig-kubernetes_cluster#kubernetes_cluster

A nice best practice from the https://istio.io/docs/concepts/traffic-management/ site - at the top of each page it tells you how long it would take to READ or perform the steps. Can we consider this for the future? (I'm also pinging the platform team to see if this could be a platform wide update).

Hello,
I read https://cloud.ibm.com/docs/containers?topic=containers-cs_ov#differentiation
But, I'm confused about the desciption of IBM Cloud Public as follows.

With IBM Cloud Public on shared or dedicated hardware or on bare metal machines, you can host your apps in clusters on the cloud by using IBM Cloud Kubernetes Service.

I can't differ between "IBM Cloud Public on dedicated hardware or bare metal machines" and " IBM Cloud Dedicated". Let me understand what's different point.

Thanks in advance,
EunKyung.

This tutorial:

https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_tutorials_apps.md

requires login from the command line to Docker hub.

docker build -t registry.us-south.bluemix.net/sysdig-test/hello-world:1 .
Sending build context to Docker daemon  15.36kB
Step 1/6 : FROM node:9.4.0-alpine
Get https://registry-1.docker.io/v2/library/node/manifests/9.4.0-alpine: unauthorized: incorrect username or password

It's implicit but it's probably worth mentioning it especially for beginners.

The command line arguments at Setting up the API key to enable access to the infrastructure portfolio are no longer valid for the current release (as of today) of ibmcloud CLI (version 0.15.1+d1a593d-2019-04-11T08:00:31+00:00).

Looks like the latest version of Istio is 0.8.0 and the install file is istio-demo.yaml instead of istio.yaml.

In https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_annotations.md#tcp-ports-for-application-load-balancers-tcp-ports

Point nr 7 reads:

Open your preferred web browser to access your app. Example: https://<ibmdomain>:<ingressPort>/

If this case the service it's probably not HTTP or HTTPS, so maybe it would be fitting to use an example without HTTP/HTTPS.

One could suggest using curl or telnet to test.

In step 2 of the 'Automatically provisioning unformatted block storage and authorizing your worker nodes to access the storage` section, you mention cloning a specific repo without mention of how to get access to that repo. Running the command yielded the following for me

Cloning into 'ibmcloud-storage-utilities'...
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
oliver-delgado:pw oliver.delgadoibm.com$ 

Alternatively, if I clone through https (git clone https://github.com/IBM/ibmcloud-storage-utilities.git) then it works fine.

All the images on the page below are hyperlink to open the image, but if you click on any image you get the error message: "Sorry, this content isn’t available."
https://console.bluemix.net/docs/containers/cs_planning.html#cs_planning_apps_storage

Two options to resolve this issue:

1. We remove the hyperlink on each image
2. We fix the link on each image to open the image in a new page

@kKronstainBrown