ibm-cloud-docs / containers
IBM Bluemix Container Service documentation
Home Page: https://console.bluemix.net/docs/containers/container_index.html
When looking at the details to determine what firewall rules IKS needs, there is no reference to the required configuration for the storage options provided by IBM Cloud.
This includes options under Persistent Storage including
Without the details, it's possible someone might see an error like
mount.nfs: Connection timed out
This would likely mean providing details about the subnet range to add into a Calico policy.
In this link:
https://cloud.ibm.com/docs/containers?topic=containers-helm
helm search commands are missing "repo" flag
This is the 3rd issue I'm creating for this doc:
https://cloud.ibm.com/docs/containers?topic=containers-vpn#vpn_configure
Incorrect syntax:
helm install -f config.yaml --name=vpn iks-charts/strongswan
Correct syntax is:
helm install vpn -f config.yaml iks-charts/strongswan
This is turning into a waste of time... can somebody go through the doc and make sure the steps and commands are correct?
https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_secure.md
In this document, and in the picture under section cluster trust, the cloud certificate manager spelling is incorrect (manageger).
Hi,
In the StatefulSet description the line that reads: "However, some apps, such as databases, must be stateless." should probably be changed to read "However, some apps, such as databases, maintain state" or something like that.
Concerning: https://console.bluemix.net/docs/containers/cs_tutorials_apps.html#cs_apps_tutorial
I would like to suggest adding the use of the following command to observe what happens to the pods from the command line.
In Lesson 2, point 8 and 9, one could run the following command to observe the evolution of state of the pods:
kubectl get pods -o wide -w
After one or two minutes this is what I see:
kgp -o wide -w
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
hello-world-deployment-57f758d7d-s59jq 1/1 Running 0 10m 172.30.162.76 10.74.70.5 <none>
hw-demo-deployment-86c64b84cb-f86xp 1/1 Running 1 1m 172.30.162.83 10.74.70.5 <none>
hw-demo-deployment-86c64b84cb-hjrl9 1/1 Running 1 1m 172.30.195.244 10.186.105.70 <none>
hw-demo-deployment-86c64b84cb-xm2vw 1/1 Running 1 1m 172.30.192.21 10.94.95.85 <none>
hw-demo-deployment-86c64b84cb-f86xp 1/1 Running 2 1m 172.30.162.83 10.74.70.5 <none>
hw-demo-deployment-86c64b84cb-hjrl9 1/1 Running 2 1m 172.30.195.244 10.186.105.70 <none>
hw-demo-deployment-86c64b84cb-xm2vw 1/1 Running 2 2m 172.30.192.21 10.94.95.85 <none>
hw-demo-deployment-86c64b84cb-f86xp 1/1 Running 3 2m 172.30.162.83 10.74.70.5 <none>
hw-demo-deployment-86c64b84cb-hjrl9 1/1 Running 3 2m 172.30.195.244 10.186.105.70 <none>
hw-demo-deployment-86c64b84cb-xm2vw 1/1 Running 3 3m 172.30.192.21 10.94.95.85 <none>
hw-demo-deployment-86c64b84cb-f86xp 1/1 Running 4 3m 172.30.162.83 10.74.70.5 <none>
I could be doing something wrong, but it appears the instructions for how to create container registry tokens are outdated. They can be found here.
Assuming you've set up bx and the cr plugin, it appears that steps 1-4 can be reduced to:
bx cr token-add --description "description text" --non-expiring -q
In
https://cloud.ibm.com/docs/containers?topic=containers-getting-started
in
https://cloud.ibm.com/docs/containers?topic=containers-getting-started#classic-cluster-create
it reads:
Make sure that you are assigned the following permissions in IBM Cloud Identity and Access Management. If you are the IBM Cloud account owner, you already have all permissions by default.
Administrator platform role for IBM Cloud Kubernetes Service at the account level.
Writer or Manager service role for IBM Cloud Kubernetes Service.
Administrator platform role for Container Registry at the account level.
Super User role or the minimum required permissions for classic infrastructure.
In the sentence:
Administrator platform role for IBM Cloud Kubernetes Service at the account level.
at the account level mean exactly?
A second question:
Can I assign all the above rights (with the exception of Classic Infrastructure) via an Access Group?
I have been told that the Classic Infrastructure permissions can only be applied to individual users, but what about the other permissions? Can I assign them via an Access group?
Thanks
I wasted over an hour trying to try out a simple tutorial???
UNABLE TO CREATE FREE CLUSTER
keeps indicating about an upgrade
Following the instructions here
https://cloud.ibm.com/docs/containers?topic=containers-object_storage
The helm chart comes with values as below:
# ICP Configuration
provider: icp
# Datacenter name where cluster is deployed (required only for IKS)
dcname: ""
There should be a mention in the docs that this needs to be changed for IKS.
The link to the blog in the short description is broken. https://cloud.ibm.com/docs/containers/cs_hybrid.html#hybrid_iks_icp
The volumeMounts are wrong in the "Example stateful set with anti-affinity rule and delayed block storage creation:". www and wwww should be myvol1 and myvol2 respectively.
Thanks for the example btw. Still debugging why my statefulset isn't working, but this is helping debug it at least. :)
Shows that we can integrate to COSCALE which is no longer a service. It was purchased by NewRelic. The old COSCALE links are all dead.
Lastly,
The logging and monitoring section of this page:
https://console.bluemix.net/docs/containers/cs_integrations.html#integrations
will also need to be changed. Either COSCALE needs to be removed or NewRelic needs to be added.
The installation steps are described below:
https://cloud.ibm.com/docs/containers?topic=containers-ingress_health&locale=en#ingress_monitoring
In the case of a multizone cluster, the 1st attempt is successful but the 2nd attempt (another zone's ALB) results in failure because of a conflict of manifest names.
Under "Privately expose apps using a custom domain with TLS", step 6, looks like the formatting is off around "network traffic cannot be forwarded"
https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_annotations.md
I am trying to do something similar to:
myhost.com/app1/foo => app1-service:80/foo
myhost.com/app2/bar => app2-service:80/bar
But this setup gives me 404s:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myingress
spec:
  rules:
  - host: myhost.com
    http:
      paths:
      - path: /app1
        backend:
          serviceName: app1-service
          servicePort: 80
      - path: /app2
        backend:
          serviceName: app2-service
          servicePort: 80
Some tutorials will suggest I need to add an annotation:
annotations:
  nginx.ingress.kubernetes.io/rewrite-target: /
  # or ingress.kubernetes.io/rewrite-target: / (I don't know)
But how do I add this using IBM Cloud Kubernetes Ingress? ingress.bluemix.net/rewrite-path does not appear to do the same thing as ingress.kubernetes.io/rewrite-target.
Also, do I need to manually deploy an Ingress Controller or does IBM Cloud Kubernetes do it for me? The Kubernetes docs https://kubernetes.io/docs/concepts/services-networking/ingress/ mention:
Before you start using the Ingress resource, You need an Ingress controller to satisfy an Ingress, simply creating the resource will have no effect.
But the IBM Kubernetes docs https://console.bluemix.net/docs/containers/cs_ingress.html#ingress have no mention of this or how to create the Ingress Controller.
The commands to access a cluster of IKS using the command seem to be out of date.
On the front page of your cluster - https://cloud.ibm.com/kubernetes/clusters/
The first command is: curl -sL https://ibm.biz/idt-installer | bash
However, this command downloads an outdated CLI that does not allow you to log in to your instance on IBM Cloud. The command needs to be updated for the next command
ibmcloud login -a cloud.ibm.com -r us-south -g default
to work.
The command to get your cluster information, ibmcloud ks cluster-config --cluster niks-cluster, returns 'ks' is not a registered command. See 'ibmcloud help'.
Instead, the command ibmcloud cs cluster-config --cluster niks-cluster is what is needed to retrieve the necessary config.
Hello
We have a need to restrict access to our public ingress in IBM Cloud and are looking to maintain those restrictions within the ingress via whitelist-source-range, which is available in nginx.ingress.kubernetes.io
On the page https://cloud.ibm.com/docs/containers?topic=containers-plan_clusters#shared_dedicated_node the schema Available hardware for worker nodes mentioned Worker Node 1 twice. It should be Worker Node 1 and Worker Node 2.
Lab 0 instructions in this link are wrong:
https://cloud.ibm.com/docs/tutorials?topic=containers-vpc_ks_tutorial
Please update content from git site:
https://github.com/IBM/container-service-getting-started-wt/tree/master/Lab%201
In the Knative tutorial at https://cloud.ibm.com/docs/containers?topic=containers-knative_tutorial#knative_tutorial , step 4 of lesson 2 shows kubectl get svc/kn-helloworld, but the resulting output is not useful.
The example output shows the right output from kubectl get ksvc. Should step 4 be showing kubectl get ksvc?
Pictures at page https://cloud.ibm.com/docs/containers?topic=containers-cs_network_ov#cs_network_ov all get 404.
I have tried the instructions in this page: https://console.bluemix.net/docs/containers/cs_dedicated_tokens.html
but it's not working for me. This is the error I get in the POD - the image pull is failing:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal SuccessfulMountVolume 8m kubelet, xxxxx MountVolume.SetUp succeeded for volume "test-volume"
Normal SuccessfulMountVolume 8m kubelet, xxxx MountVolume.SetUp succeeded for volume "default-token-58cxf"
Normal Pulling 7m (x4 over 8m) kubelet, xxxx pulling image "registry.ng.bluemix.net/<my space>/privileged-image:0.0"
Warning Failed 7m (x4 over 8m) kubelet, xxxx Failed to pull image "registry.ng.bluemix.net/<my space>/privileged-image:0.0": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.ng.bluemix.net/v2/<my space>/privileged-image/manifests/0.0: unsupported: The requested authentication method is not supported. Run the `bx cr login` command. To use registry tokens, use `docker login -u token` and your registry token as the password.
Warning Failed 7m (x4 over 8m) kubelet, xxxxx Error: ErrImagePull
Warning Failed 6m (x6 over 8m) kubelet, xxxx Error: ImagePullBackOff
Normal BackOff 3m (x20 over 8m) kubelet, xxxx Back-off pulling image "registry.ng.bluemix.net/<my space>/privileged-image:0.0"
This is how I created the secret:
--docker-server=registry.ng.bluemix.net \
--docker-username=<here I tried both my email used in the ibmcloud account and the token id> \
--docker-password=<the token> \
--docker-email=<an email>
This is the daemonset
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    name: privileged-image
  name: privileged-image
spec:
  template:
    metadata:
      labels:
        name: privileged-image
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - image: registry.ng.bluemix.net/<my space>/privileged-image:0.0
        securityContext:
          privileged: true
        name: privileged-image
        volumeMounts:
        - mountPath: /host
          name: test-volume
      imagePullSecrets:
      - name: <secret name>
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /
I created the token:
ibmcloud cr token-add --description "<some descr>" --non-expiring -q
<token>
In this link:
https://cloud.ibm.com/docs/containers?topic=containers-helm
For the following step and error:
helm repo add entitled https://raw.githubusercontent.com/IBM/charts/master/repo/entitled
Error: looks like "https://raw.githubusercontent.com/IBM/charts/master/repo/entitled" is not a valid chart repository or cannot be reached: Get https://raw.githubusercontent.com/IBM/charts/master/repo/entitled/index.yaml: dial tcp: lookup raw.githubusercontent.com: no such host
Please add the following step:
IBM/deploy-ibm-cloud-private#80
The commands to set an audit-webhook reference an option of --remoteServer on https://cloud.ibm.com/docs/containers?topic=containers-health#webhook_logdna.
ibmcloud ks cluster master audit-webhook set --cluster <cluster_name_or_ID> --remoteServer <http://172.21.xxx.xxx>
This must have changed because the help for the command shows the option as --remote-server. When I used --remote-server the command did work.
Incorrect Usage: flag provided but not defined: -remoteServer
NAME:
set - Set the audit webhook configuration for a cluster's Kubernetes API server. The webhook backend forwards API server audit logs to a remote server.
USAGE:
ibmcloud ks cluster master audit-webhook set --cluster CLUSTER [--ca-cert CERT] [--client-cert CERT] [--client-key KEY] [--remote-server SERVER] [-s]
PARAMETERS:
--cluster value, -c value Specify the cluster name or ID.
--remote-server value The URL or IP address for the remote logging service.
--ca-cert value The filepath of the CA cert used to verify the remote logging service.
--client-cert value The filepath for the client cert that is used to authenticate against the remote logging service.
--client-key value The filepath for the corresponding client key that is used to connect to the remote logging service.
-s Optional: Do not show the message of the day or update reminders.
FAILED
flag provided but not defined: -remoteServer
Looking at docs here: https://cloud.ibm.com/docs/containers?topic=containers-ingress_annotation
I'm trying to figure out what annotation (if any) will enable nginx http2 protocol support on the IKS ALB ingress.
Basically I want the alb nginx config to have:
server {
    listen 443 ssl http2;
    ...
instead of the default:
server {
    listen 443 ssl;
    ...
Background reading: https://www.nginx.com/blog/http2-module-nginx/
In this page, https://console.bluemix.net/docs/containers/cs_dedicated_tokens.html, I think the last command kubectl apply -f mypod.yaml is missing the namespace, which must be the same entered in the previous step where the secret is created:
kubectl --namespace <kubernetes_namespace> create secret docker-registry <secret_name> --docker-server=<registry_url> --docker-username=token --docker-password=<token_value> --docker-email=<docker_email>
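The two registry-token reports above (the ImagePullBackOff with a token secret, and the missing namespace on kubectl apply) both turn on properties of the pull secret that can be checked directly. The following is an added example, not code from the IBM docs or from either reporter: a Python check over a secret shaped like `kubectl get secret <name> -o json` output. It assumes the secret stores its credentials under the `.dockerconfigjson` key; the function names and all sample values are constructed.

```python
import base64
import json

# Taken from the registry error text quoted above: `docker login -u token`.
REQUIRED_USERNAME = "token"


def build_secret(name, namespace, server, username, password):
    """Constructed sample shaped like `kubectl get secret <name> -o json` output."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    encoded = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": encoded},
    }


def check_pull_secret(secret, workload_namespace, image, pull_secret_names):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    name = secret["metadata"]["name"]
    namespace = secret["metadata"].get("namespace", "default")
    # imagePullSecrets are looked up in the pod's own namespace.
    if namespace != workload_namespace:
        findings.append(f"namespace: secret is in {namespace!r}, workload is in {workload_namespace!r}")
    if name not in pull_secret_names:
        findings.append(f"reference: {name!r} is not listed under imagePullSecrets")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        findings.append("format: secret has no .dockerconfigjson key")
        return findings
    auths = json.loads(base64.b64decode(raw)).get("auths", {})
    # Assumption: the image reference starts with the registry host.
    registry = image.split("/", 1)[0]
    entry = auths.get(registry) or auths.get("https://" + registry)
    if entry is None:
        findings.append(f"registry: no credentials stored for {registry!r}")
        return findings
    username = entry.get("username")
    if username is None and "auth" in entry:
        # Fall back to the user part of the base64 "user:password" field.
        username = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
    if username != REQUIRED_USERNAME:
        findings.append(f"username: stored {username!r}, registry expects {REQUIRED_USERNAME!r}")
    return findings


if __name__ == "__main__":
    # Constructed values; the image path mirrors the shape used in the report above.
    image = "registry.ng.bluemix.net/my-space/privileged-image:0.0"
    secret = build_secret("regsecret", "default", "registry.ng.bluemix.net",
                          "user@example.com", "constructed-token-value")
    for finding in check_pull_secret(secret, "kube-system", image, ["regsecret"]):
        print(finding)
```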
https://console.bluemix.net/docs/containers/cs_integrations.html#adding_resource_cluster
Change ic to ibmcloud
The documentation in both annotations gives the impression that Service name is optional
"The configuration is applied to all of the services in the Ingress host unless a service is specified. For example, if a configuration such as serviceName=SERVICE number=2 size=1k is specified, 1k is applied to the service."
In reality the ingress annotation produces the following event:
Failed to apply ingress.bluemix.net/proxy-buffers annotation. Error annotation format error : One of the mandatory fields not valid/missing for annotation ingress.bluemix.net/proxy-buffers
This goes away if the service name is specified
With Helm < 2.10 the instructions work, otherwise if using the latest Helm (2.10) step (b) will cause an error once you execute step (c) under lesson 1 (e.g. "gateways.networking.istio.io" already exists)
reference issue istio/istio#7688
I was reading through the following piece of documentation:
when I realised there are a couple of commands where bx cs is duplicated. That is, the command appears as bx cs bx cs ....
Is that correct?
Thanks
In this section, To create a mutual authentication secret:, it is unclear what example.org.csr and example.org.crt are.
In https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_annotations.md#tcp-ports-for-application-load-balancers-tcp-ports under point 6 of the instructions it reads Update your ALB configuration. but the operation actually creates the Ingress service.
It seems bx cs webhook-create --URL needs to be --url, at least on Windows. Copying the example as is would not work.
We just released a new tutorial using your service. You may want to link to it from the service documentation.
Here is the markdown for the toc:
[Apply end to end security to a cloud application](https://console.bluemix.net/docs/tutorials/cloud-e2e-security.html#apply-end-to-end-security-to-a-cloud-application)
Can you please document when the free tier cluster will be deleted automatically?
In instructions in this link:
https://cloud.ibm.com/docs/containers?topic=containers-helm#public_helm_install
helm init --service-account tiller
is generating the following error
Error: unknown flag: --service-account
This seems not to be a required step in helm v3:
helm/helm#7052
A nice best practice from the https://istio.io/docs/concepts/traffic-management/ site - at the top of each page it tells you how long it would take to READ or perform the steps. Can we consider this for the future? (I'm also pinging the platform team to see if this could be a platform wide update).
Hello,
I read https://cloud.ibm.com/docs/containers?topic=containers-cs_ov#differentiation
But I'm confused about the description of IBM Cloud Public as follows.
With IBM Cloud Public on shared or dedicated hardware or on bare metal machines, you can host your apps in clusters on the cloud by using IBM Cloud Kubernetes Service.
I can't differentiate between "IBM Cloud Public on dedicated hardware or bare metal machines" and "IBM Cloud Dedicated". Let me understand what the difference is.
Thanks in advance,
EunKyung.
This tutorial:
https://github.com/IBM-Bluemix-Docs/containers/blob/master/cs_tutorials_apps.md
requires login from the command line to Docker hub.
docker build -t registry.us-south.bluemix.net/sysdig-test/hello-world:1 .
Sending build context to Docker daemon 15.36kB
Step 1/6 : FROM node:9.4.0-alpine
Get https://registry-1.docker.io/v2/library/node/manifests/9.4.0-alpine: unauthorized: incorrect username or password
It's implicit but it's probably worth mentioning it especially for beginners.
The command line arguments at Setting up the API key to enable access to the infrastructure portfolio are no longer valid for the current release (as of today) of ibmcloud CLI (version 0.15.1+d1a593d-2019-04-11T08:00:31+00:00).
Looks like the latest version of Istio is 0.8.0 and the install file is istio-demo.yaml instead of istio.yaml.
Point nr 7 reads:
Open your preferred web browser to access your app. Example: https://<ibmdomain>:<ingressPort>/
In this case the service is probably not HTTP or HTTPS, so maybe it would be fitting to use an example without HTTP/HTTPS.
One could suggest using curl or telnet to test.
In step 2 of the 'Automatically provisioning unformatted block storage and authorizing your worker nodes to access the storage' section, you mention cloning a specific repo without mention of how to get access to that repo. Running the command yielded the following for me
Cloning into 'ibmcloud-storage-utilities'...
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
oliver-delgado:pw oliver.delgadoibm.com$
Alternatively, if I clone through https (git clone https://github.com/IBM/ibmcloud-storage-utilities.git) then it works fine.
All the images on the page below are hyperlink to open the image, but if you click on any image you get the error message: "Sorry, this content isn’t available."
https://console.bluemix.net/docs/containers/cs_planning.html#cs_planning_apps_storage
Two options to resolve this issue: