Kubernetes as a Service (KUB)

Kubernetes as a Service is an open-source container management platform delivered by Google. it is used to manage, schedule and run containerized applications created by various container engines, such as Docker or rkt.

In a containerized infrastructure, applications are deployed as isolated, independent entities, the so-called containers. Containerization has multiple benefits over the traditional deployment - faster and more efficient installation, environment consistency, portability, security.

One or more containers to be managed as a single application are grouped into 'pods' which will be running on clusters of virtual machines.

Within a cluster, one virtual machine functions as a master node consisting of a stateless API server, scheduler and controller manager. Additionally, the master node includes an etcd key-value store for data storing in the cluster. The master node manages the workload and provides communication within the cluster through the API server. Other virtual machines are worker nodes subordinate to the master.

Kubernetes supports RBAC (Role-Based Access Control) authorization allowing dynamic permission policies configuration using the Kubernetes API. This authorization approach allows achieving higher security and differentiated access for users. Users can be added to groups with access to different functions or to different workspaces. Access can be revoked or modified for a single user without changing the certificate. For more details on RBAC authorization for Kubernetes, refer to the Kubernetes documentation.

Have a Question?

The current page gives the general information on the service and the main workflows. However, while working with the services, our users encounter new questions they need assistance with. The most frequently asked questions on EPAM Cloud Services are gathered on the Cloud Services FAQ page.
Visit the page to check whether we have a ready answer for your question.

General Concepts

The basic concepts used in Kubernetes are as follows:

  • Master - the main VM from which the Kubernetes environment is managed.
  • Node - VM on which containers are deployed and running
  • Cluster - a set of virtual or physical machines on which applications are running
  • Pod - one or several containers to be run as a single application and the related container options
  • Service - the functionality within the Kubernetes environment balancing the load between the pods and providing DNS names
  • Replication Controller - the entity setting the number of pods to be running
  • Networking - the service allowing to configure IP address ranges and the related settings
  • Namespace - a virtual cluster within a physical cluster

EPAM Cloud supports Kubernetes 1.9 version.

For more details on Kubernetes, please visit the Official Kubernetes Website.

Related CLI Commands

The table below provides the list of service-related commands and their descriptions:

Command Short Command Description
or2-manage-service...-s kubernetes -a or2ms...-s kubernetes -a Activates the Kubernetes service in the specified project and region
or2-kubernetes-pods...-cn cluster_name or2kp...-cn cluster_name Lists the Kubernetes pods in the specified cluster
or2-kubernetes-namespaces...-cn cluster_name or2kns...-cn cluster_name Lists the Kubernetes namespaces in the specified cluster
or2-kubernetes-services...-cn cluster_name or2ks...-cn cluster_name Lists the Kubernetes services in the specified cluster
or2-kubernetes-replication-controllers...-cn cluster_name or2krc...-cn cluster_name Lists the Kubernetes replication controllers in the specified cluster
or2-kubernetes-nodes...-cn cluster_name or2kn...-cn cluster_name Lists the Kubernetes nodes in the specified cluster

Further on this page, you can find more details on the Kubernetes service manipulation.

Service Activation and Manipulation

Kubernetes as a Service can only be activated in the OpenStack private regions. For a cluster proper configuration, you need to activate Kubernetes Master and at least one worker (UI Dashboard, Proxy, Addons for DNS).

To activate Kubernetes as a Service, use the or2-manage-service (or2ms) command with the -a/--activate flag and the -s/--service-name parameter with kubernetes value:

or2ms -p project -r region -a -s kubernetes -c cluster_name -k key_name

To start the service as a Kubernetes master, run the command with the -s (--service-name) parameter containing 'kubernetes' or 'kubernetes-master'. To start the service as a Kubernetes worker, run the command with the -s (--service-name) parameter containing 'kubernetes-worker'.

or2ms -p project -r region -a -s kubernetes-worker -c cluster_name -k key_name

You can activate a worker node only if a master node has already been activated in the same cluster.

If you need a new node to be added to your Kubernetes cluster, just repeat the or2-manage-service command.

By default, Kubernetes nodes are LARGE-shaped VMs with CoreOS_1632_64-bit operating system.

To stop the service, use --deactivate and -i instance_id parameters to deactivate nodes one by one, with the Kubernetes Master being deactivated the last.

You can start more than one Kubernetes cluster for the same project and region.

You can find the details on the VMs created during the service activation by calling the or2-describe-instances (or2din) with -S kubernetes parameter. To view the list of the existing Kubernetes nodes and their parameters, use the or2-describe-services (or2dser) command with the -s kubernetes parameter:

or2dser -p project -r region -s kubernetes

Kubernetes Pods Management

To view the list of pods within a particular Kubernetes cluster, use the or2-kubernetes-pods (or2kp) command:

or2kp -p project -r region -cn cluster_name

The command will return the list of all Kubernetes pods within the cluster specified in the command, together with their state and start date.

Kubernetes Namespaces Management

To view the list of all namespaces (virtual clusters) within the particular physical cluster, use the or2-kubernetes-namespaces (or2kns) command:

or2kns -p project -r region -cn cluster_name

The response will contain the list of namespaces and their state.

Kubernetes Services Management

To view the list of services in the particular Kubernetes cluster, run the or2-kubernetes-services (or2ks) command:

or2ks -p project -r region -cn cluster_name

The command returns the list of Kubernetes services in the specified cluster and their types.

Kubernetes Replication Controllers Management

Replication controllers are used to run Kubernetes pods from the so-called pod templates, thus creating the specified number of identical pods. To view the list of replication controllers in the particular Kubernetes cluster, use the or2-kubernetes-replication-controllers (or2krc) command:

or2krc -p project -r region -cn cluster_name

The command returns the list of all replication controllers used in the cluster, the pod template used for replication, the target number of replicas, the number of currently existing replicas and the number of completed replicas.

Kubernetes Nodes Management

To view the list of nodes within the specified Kubernetes cluster, use the or2-kubernetes-nodes (or2kn) command:

or2kn -p project -r region -cn cluster_name

The command response contains the list of nodes, their state, number of pods in each node, the CPU count and the memory size.

Using the Service

When the Kubernetes service is activated, you can use it via the native command line interface, kubectl, which is automatically available on the master virtual machine on which Kubernetes is activated.

For other machines, download the kubectl executable and install it.

For more details on using kubectl, on the available commands, syntax and parameters, refer to the kubectl Overview page of the official Kubernetes website.

kubectl Configuration

Before using Kubernetes via the local kubectl, configure kubectl to work with the cluster using the following kubectl commands:

kubectl config set-cluster default-cluster --server=https://MASTER_PUBLIC_IP --certificate-authority=/etc/kubernetes/ssl/ca.pem

where MASTER_PUBLIC_IP is the public IP of the master node which you are accessing.

kubectl config set-credentials default-admin --certificate-authority=/etc/kubernetes/ssl/ca.pem --client-key=/etc/kubernetes/ssl/admin-key.pem --client-certificate=/etc/kubernetes/ssl/admin.pem kubectl config set-context default-system --cluster=default-cluster --user=default-admin kubectl config use-context default-system

The commands use the SSL credentials stored in the following files:

/etc/kubernetes/ssl/ca.pem /etc/kubernetes/ssl/admin-key.pem /etc/kubernetes/ssl/admin.pem

These files can be obtained from the master node.

Web UI

The Kubernetes service has a web UI which is automatically available as soon as the service is activated in the cluster. The web UI has most of the functionality supported by the CLI in an intuitive format.

Clicking 'Deploy an App' opens the application deployment wizard helping you to set up your application either by specifying its parameters manually or by uploading a YAML or JSON file containing the application configuration.

When the application is running, you can use the Kubernetes Dashboard to monitor its performance, debug errors and delete applications.

Heapster, a cluster-wide aggregator of monitoring and event data, enables Container Cluster Monitoring and Performance Analysis for Kubernetes. With Heapster gathering and interpreting various signals like compute resource usage, lifecycle events etc., you can monitor the respective information on the Kubernetes Dashboard.

Kubernetes supports basic authentication using login and password. With service activation, a login and password are generated to be used for accessing the Web UI.

The login and password for each Kubernetes node can be retrieved by means of the or2-describe-services (or2dser) command:

Container Images

During Docker container management Kubernetes refers to the Docker repository where Docker container images are stored. In the current implementation, Kubernetes supports image retrieval from the public Docker registry available at Docker Image Library as well as from the private Docker registry.

To use an image from the private Docker registry to create a Kubernetes pod, perform the following actions:


  • 1. Docker service activated in one of the OpenStack private regions.
  • 2. Docker private registry activated in one of the OpenStack private regions.
  • 3. Kubernetes Master activated in one of the OpenStack private regions.

In the example below, a Kubernetes pod will be created on the basis of a Jenkins image from the Docker private registry. Use the same sequence with other images.

1. On the Docker VM, pull the latest Jenkins image and push it to your private Docker registry:

$ docker pull jenkins $ docker login -e Name_Surname@epam.com -u eo -p 12345 ecs000******.epam.com:5000
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

where ecs000******.epam.com:5000 is the URL of the Docker private registry

$ docker images
jenkins latest 5cd2a48c61ac 3 days ago 714.5 MB
$ docker tag 5cd2a48c61ac ecs000******.epam.com:5000/myjenkins:1.1 $ docker push ecs000******.epam.com:5000/myjenkins:1.1

2. On the Kubernetes VM, run the following commands:

$ docker login -e Name_Surname@epam.com -u eo -p 12345 ecs000******.epam.com:5000
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
$ echo $(cat ~/.docker/config.json)
{ "auths": { "ecs000******.epam.com:5000": { "auth": "ZW86UGw4aWhXa3BpYW8w", "email": "Name_Surname@epam.com" } } }
$ cat ~/.docker/config.json | base64
ewoJImF1dGhzIjogewoJCSJlY3MwMDBiMzAwOTV0Ni5lcGFtLmNvbTo1MDAwIjogewoJCQkiYXV0 aCI6ICJaVzg2VUd3NGFXaFhhM0JwWVc4dyIsCgkJCSJlbWFpbCI6ICJSb21hbl9SYXN0aWVoYWll dkBlcGFtLmNvbSIKCQl9Cgl9Cn0=

3. Create a Kubernetes secret containing credentials of your private Docker registry:

$ cat > /tmp/docker-registry-secret.yaml <<EOF
apiVersion: v1
kind: Secret
name: ecs000******-key
type: kubernetes.io/dockerconfigjson
$ kubectl create -f /tmp/docker-registry-secret.yaml secret "ecs000******-key" created

4. Create a Kubernetes pod using the image from your private Docker registry and specifying the secret you have just created:

$ cat > /tmp/myjenkins-pod.yaml <<EOF
apiVersion: v1
kind: Pod
name: myjenkins
- name: myjenkins
image: ecs000******.epam.com:5000/myjenkins:1.1
imagePullPolicy: Always
command: [ "echo", "SUCCESS" ]
- name: ecs000******-key
$ kubectl create -f /tmp/myjenkins-pod.yaml pod "myjenkins" created


If the Kubernetes service is not performing as expected, you can try to identify the root cause of the issue and, in certain cases, debug it yourself. The first step is to determine whether the issue concerns your application or your cluster.

If the application is not performing correctly, run the following kubectl commands on your master VM to diagnose the application:

Command Description
kubectl get pods Lists the pods included in your application with their statuses
kubectl get services Lists the services running in your Kubernetes environment
kubectl get replicationControllers Lists the replication controllers and the containers they have started
kubectl describe pods $ {pod_name} Displays the status of a particular pod

If pods or replication controllers are not performing properly, the cause may be insufficient resources. This can be resolved by adding more nodes to the cluster or terminating the pods which are no longer needed.

If the issue occurred in the Kubernetes services, check whether the service exists and if it is correctly configured.

Otherwise, contact the Level 3 Support Team.

If the issue is within the cluster, run the following kubectl commands on your master VM to diagnose the nodes:

Command Description
kubectl get nodes Lists the nodes in the cluster with their statuses

Contact the Level 3 Support Team for assistance with node issues.


The Kubernetes service is available in the OpenStack private regions, and is billed according to the VM billing in those regions. The default parameters of a Kubernetes VM are:

  • - Image: The last stable version of CoreOs_64-bit
  • - Shape: Large

You can find the information about the last stable version of CoreOS_64-bit on the CoreOS official website.

Therefore, the approximate monthly cost in case of 100% and 24/7 load is about $61.28 in EPAM-BY2 region (as of August 7, 2018). The price can vary depending on the region and the usage pattern.
To get more detailed estimations, please, use our Cost Estimator tool.


More information on the Kubernetes Service can be found in the EPAM Cloud Services Guide. For detailed description of the Maestro CLI commands used to manage the Kubernetes Service, refer to the Maestro CLI User Guide.