IBM Cloud Docs
Your responsibilities

Your responsibilities

Learn about the management responsibilities and terms and conditions that you have when you use IBM Cloud Satellite®. For a high-level view of the service types in IBM Cloud and the breakdown of responsibilities between you as the customer and IBM for each type, see Shared responsibilities for IBM Cloud offerings.

Review the following sections for the specific responsibilities for you and for IBM when you use IBM Cloud Satellite. For the overall terms of use, see IBM Cloud Terms and Notices. For responsibilities that you have for other IBM Cloud services that you use with Satellite, refer to the documentation of those services, such as Red Hat OpenShift on IBM Cloud responsibilities.

Overview of shared responsibilities

IBM Cloud Satellite is a managed service in the IBM Cloud shared responsibility model. Review the following table of who is responsible for particular cloud resources when using IBM Cloud Satellite.

Table 1. Overview of shared responsibilities.
Resource Incident and operations management Change management Identity and access management Security and regulation compliance Disaster Recovery
Data You You You You You
Application You You You You You
Satellite Location Shared Shared Shared Shared Shared
Satellite Host Shared Shared Shared Shared Shared
Satellite Config Shared Shared Shared Shared Shared
Satellite Link Shared Shared Shared Shared You
Satellite Connector Shared Shared Shared Shared Shared
Satellite Connector Agent Container Platform You You You You You
Satellite Connector Agent Image Shared You Shared Shared You
Satellite Connector Agent Windows Platform You You You You You
Satellite Connector Agent for Windows Service Shared You Shared Shared You
Satellite Storage Shared Shared You Shared Shared
Satellite-enabled services Shared Shared Shared Shared Shared
Operating System You Shared You Shared You
Virtual and bare metal servers You You You You You
Virtual storage You You You You You
Virtual network You You You You You
Hypervisor You You You You You
Physical servers and memory You You You You You
Physical storage You You You You You
Physical network and devices You You You You You
Facilities and data centers You You You You You

Tasks for shared responsibilities by area

After reviewing the overview, see what tasks you and IBM share responsibility for each area and resource when you use IBM Cloud Satellite.

Incident and operations management

Incident and operations management includes tasks such as monitoring, event management, high availability, problem determination, recovery, and full state backup and recovery.

Table 2. Responsibilities for incident and operations
Task IBM responsibilities Your responsibilities
General
  • Provide 24x7 customer support for Satellite locations.
  • Provide customer support plans to help resolve problems that you might encounter.
  • Procure the underlying compute, network, and storage infrastructure in your own environments that Satellite uses to extend IBM Cloud to these environments.
Satellite Location
  • Provide an interface to initiate operational activities, such as to create and delete locations.
  • Set up a highly available location control plane that is fully managed for you in an IBM Cloud multizone metro.
  • Monitor the health of the location, automatically resolve issues when possible, and alert IBM site reliability engineers when manual intervention is required.
  • Automatically forward location events to your IBM Cloud Activity Tracker instance.
  • Use the provided tools to create a location, add hosts to the location, assign hosts with sufficient compute resources for the control plane worker components, and debug any issues that might happen in the location.
Satellite Host
  • Provide an interface to initiate operational activities, such as to attach and remove hosts to a location.
  • Set up a location-specific control plane that runs on your user-provided hosts with three replicas for high availability.
  • Generate a script that users can run on select hosts to attach them to a Satellite location.
  • Assign hosts as worker nodes to Red Hat OpenShift clusters that you designate.
  • Monitor the health of hosts that are attached to a location, automatically resolve issues when possible, and alert IBM site reliability engineers when manual intervention is required.
  • Automatically forward host events to your IBM Cloud Activity Tracker instance.
  • Add and assign hosts that meet the host and provider-specific requirements to Satellite locations as needed to support your application workloads.
  • Assign hosts with enough compute resources to support the location control plane. When you need more capacity, you must increase the control plane evenly across zones and in multiples of 3, such as 6, 9, or 12 hosts.
  • Establish initial network configuration so that hosts can connect to Satellite locations, such as allowing connectivity through firewalls or virtual private networks (VPNs).
  • In the on-prem or other user-provided environment, set up hosts in a highly available architecture, such as in three separate zones.
  • Use the provided tools to manage hosts and debug any issues that might happen in the hosts.
Satellite Config
  • Provide a highly available configuration management service that you can use to manage the deployment of Kubernetes resources across clusters that are registered with the location.
  • Provide an interface to initiate operational activities, such as to create and delete configurations.
  • Provide a kubectl command that users can run in a Red Hat OpenShift cluster to register the cluster to Satellite Config.
  • Provide the ability to create Kubernetes resource configurations, upload new versions, and subscribe a subset of cluster to a version, including to a previous version.
  • Store app configuration files in a highly available, back-end data store (etcd).
  • Automatically forward configuration events to your IBM Cloud Activity Tracker instance.
  • Use the provided tools to set up clusters, upload your Kubernetes configuration file content as versions in the configuration, and subscribe your clusters to the configuration. Keep in mind that you are responsible for the apps that run in your clusters, but you can use Satellite Config to help you consistently deploy and update your apps.
Satellite Link
  • Set up the Satellite Link tunnel client in the Satellite location to connect the control plane nodes to the management plane.
  • Provide an interface to allow connections between your Satellite location and IBM Cloud or any publicly accessible endpoint.
  • Provide the ability to enable and disable connections between your location and an endpoint.
  • Automatically collect incoming and outgoing network traffic for an endpoint.
  • Provide a dashboard to review endpoint metrics, and automatically send endpoint logs to your IBM Log Analysis instance.
  • Automatically forward link events to your IBM Cloud Activity Tracker instance.
  • Use the provided tools to create and manage Satellite location endpoints.
  • Ensure that the Satellite Link tunnel client in the Satellite control plane is enabled to allow network traffic between your location and endpoints outside your location.
  • Enable any connections that you need to successfully run the apps in your location and debug any connection issues for your endpoints.
Satellite Storage
  • Provide an interface to initiate operational activities, such as creating storage configurations and assign configurations to clusters that are attached to a location.
  • Provide a set of storage templates to automatically install storage driver components in an attached cluster and provide storage classes to manage app storage.
  • Select the storage type that best meets your app requirements for data types, data access frequency, performance, durability, resiliency, availability, scalability, and encryption.
  • Procure any physical or virtual storage instances in your on-premises data center or in public cloud providers that cannot be automatically provisioned by using the installed storage driver.
  • Use the provided tools to create storage configurations and to assign configurations to an attached cluster.
  • Use the Red Hat OpenShift CLI to provision persistent volumes and persistent volume claims to fulfill storage requirements for your apps.
  • Debug any issues that occur when using storage for your apps.
Satellite-enabled IBM Cloud service
  • Provide the ability to deploy a select group of IBM Cloud services such as Red Hat OpenShift clusters to a Satellite location.
  • Review each service's documentation for additional responsibilities that IBM maintains.
  • Use the provided tools to set up additional services as needed.
  • Provide enough hosts for the services to use as compute capacity, per the service documentation.
  • Review each service's documentation for additional responsibilities that you fulfill when you use these services.
Satellite Connector
  • Provide an interface to initiate operational activities, such as to create and delete connectors.
  • Automatically forward connector events to your IBM Cloud Activity Tracker instance.
 Use the provided tools to create a connector.
Satellite Connector Agent Image
  • Test and publish updates to the Satellite Connector Agent Image in the IBM Cloud Container Registry.
  • Monitor and update the software inside the container image for CVE.
 You are responsible for updating the Satellite Connector Agent Image to new versions published to the IBM Cloud Container Registry.
Satellite Connector Agent for Windows Service
  • Test and publish updates to the Satellite Connector Agent for Windows Service as .zip file in the IBM Cloud.
  • Monitor and update the software inside the .zip file.
 You are responsible for updating the Satellite Connector Agent for Windows Service to new versions published to the IBM Cloud, retrieved by using the CLI. For more information, see Running the agent on Windows.

Change management

Change management includes tasks such as deployment, configuration, operating system upgrades, security patching, configuration changes, deletion, and version updates.

Table 3. Responsibilities for change management
Task IBM responsibilities Your responsibilities
Satellite Location
  • Provide an interface to initiate change management activities, such as to delete locations.
  • Update the hosts that are assigned to the location control plane, and ensure the control plane has enough compute resources to run.
  • Before you delete any locations, remove all associated hosts and clusters. Save any backup information that you want to keep about the location before you delete the location.
Satellite Host
  • Provide an interface to initiate change management activities.
  • Monitor the health of hosts and report back status with actions that you must complete, such as reloading a host operating system.
  • Disable the ability to SSH into hosts after you attach the hosts to a location, to enhance security.
  • Make major, minor, and fix pack version updates of the container platform available for you to apply.
  • Make minor, and fix pack version updates of the operating system software available for you to apply.
  • Review the status of your hosts and take any actions required to resolve host infrastructure issues, such as operating system reloads or updates.
  • Before you update or delete any hosts, make sure that you have enough additional hosts in the cluster or location control plane to continue running any components that you must run. Save any backup information that you want to keep about the hosts before you update or delete.
  • To reuse a host after removal from a cluster, you must remove the host from the location. Then, perform a complete operating system reload in your infrastructure provider, reattach the host to your location, and reassign the host to a cluster.
  • Apply available updates to your worker node or control plane hosts. If the version update fails, you must remove your host, reload and troubleshoot any issues with the host, and reattach the host until the update is applied.
Satellite Config
  • Provide an interface to initiate change management activities, such as to update configurations or subscriptions.
  • Automatically initiate the roll out of changes to a configuration to subscribed clusters.
  • Automatically delete Kubernetes resources that run in subscribed clusters when you delete a configuration.
  • Use the provided Satellite Config and Red Hat OpenShift tools to manage all changes to your apps. You are completely responsible for your app lifecycle, including any downtime that might occur when you update an app version, depending on your update rollout strategy.
Satellite Link
  • Maintain Satellite Link tunnel client versions.
Satellite Storage
  • Provide an interface to initiate a change management operation, such as deleting storage configurations or removing a cluster from a storage configuration.
  • Provide version updates for IBM-provided storage templates.
  • Use the tools to delete storage configurations and cluster assignments. Note that if you remove these configurations, the storage drivers are uninstalled in the assigned clusters. Your PVCs, PVs, and data are not deleted. However, you might not be able to access your data until storage drivers are re-installed and storage configurations are restored in your cluster.
  • Apply IBM-provided storage template version updates to ensure compliance and support for installed storage drivers.
Satellite-enabled services
  • Review each service's documentation for additional responsibilities that IBM maintains. For example, with Red Hat OpenShift on IBM Cloud clusters, IBM provides patch version updates for the masters automatically and for the worker nodes that you initiate.
  • Review each service's documentation for additional responsibilities that you fulfill when you use these services.
Satellite Connector Provide an interface to initiate change management activities, such as to delete connectors. Before you delete any connectors, save and back up all the endpoints you have created for the connector.
Satellite Connector Agent for Windows Service Provide an interface for the Satellite Connector Agent for Windows Service to connect to a Satellite Connector by leveraging IBM IAM credentials. Maintain and rotate the IAM credentials needed by the agent image.

Identity and access management

Identity and access management includes tasks such as authentication, authorization, access control policies, and approving, granting, and revoking access. For more information, see Managing access for Satellite.

Table 4. Responsibilities for identity and access management.
Task IBM responsibilities Your responsibilities
Satellite Location
  • Provide an interface to assign access control to locations via IAM.
Satellite Host
  • Disable the ability to SSH into hosts after you assign the hosts to a location control plane or cluster, to enhance security.
  • Add and assign hosts to a cluster. After assigning the host, SSH access is disabled and access to the host is controlled via IBM Cloud IAM access.
Satellite Config
  • Provide an interface to assign access control to configurations via IAM.
  • Use the provided tools to manage authentication, authorization, and access control policies to use Satellite configurations and subscriptions to create, update, and delete Kubernetes resources. Note that access in IAM to Satellite Config does not give users access to the clusters, nor the ability to log in and manage the Kubernetes resources from the cluster. Users with access to a cluster might log in and manually change the Kubernetes resources.
Satellite Link
  • Provide an interface to assign access control to endpoints via IAM.
Satellite Storage N/A
  • Decide and configure read and write access to storage for your apps by using persistent volumes and persistent volume claims.
Satellite-enabled services
  • Review each service's documentation for additional responsibilities that IBM maintains.
  • Review each service's documentation for additional responsibilities that you fulfill when you use these services.
Satellite Connector Provide an interface to assign access control to connectors through IAM. Use the provided tools to manage authentication, authorization, and access control policies.
Satellite Connector Agent Image Provide an interface for the Satellite Connector Agent image to connect to a Satellite Connector by leveraging IBM IAM credentials. Maintain and rotate the IAM credentials needed by the agent image.

Security and regulation compliance

Security and regulation compliance includes tasks such as security controls implementation and compliance certification.

Table 5. Responsibilities for security and regulation compliance.
Task IBM responsibilities Your responsibilities
General
  • Provide platform-level compliance to certain standards. For more information, see IBM Cloud compliance.
  • Provide tools to manage billing, usage, and identity and access control (IAM).
  • Set default security settings for Satellite components. These settings do not guarantee security, and might be modified by the user.
  • Identify government, industry, and proprietary corporate standards that are required for the environment.
  • Review the physical premises that host the underlying infrastructure for security controls to protect the data center.
Satellite Location
  • Maintain security and regulation compliance for the IBM Cloud-managed location control plane.
  • Update the managed master components.
  • Provide patch updates for the control plane components that run in the location worker nodes.
  • Provide the ability to control access to locations through IBM Cloud IAM.
  • You are responsible for keeping your host infrastructure secure and compliant, including applying worker node patch updates to the hosts that run the location control plane.
Satellite Host
  • Provide patch updates for the hosts that run as worker nodes in Satellite clusters.
  • Disable the ability to SSH into hosts after you assign the hosts to a location control plane or clusters, to enhance security.
  • You are responsible for keeping your host infrastructure secure and compliant, including applying worker node patch updates.
  • You are responsible to encrypt the boot disk and any additional disks that you add to your hosts to keep data secure and meet regulatory requirements.
Satellite Config
  • Deploy apps consistently across clusters and locations.
  • Provide the ability to control access to configurations through IBM Cloud IAM.
  • Create your Kubernetes configuration files by following the security standards that you want to comply to, such as by using security context constraints. You are responsible for the security and compliance of your apps.
Satellite Link
  • Establish a secure connection between IBM Cloud and Satellite locations by using the Satellite Link tunnel client.
  • Provide the ability to control access to endpoints through IBM Cloud IAM.
  • Provide the ability to monitor network traffic between your location and endpoints outside of your location.
Satellite Storage
  • Provide security updates and patches for IBM-provided storage templates.
  • Apply provided security and version updates for IBM-provided storage templates to keep your installed storage drivers compliant and supported.
  • Implement mechanisms to back up your data to meet data retention requirements.
  • Maintain responsibility for your data and how your apps consume the data.
  • Ensure that your data is stored highly available by using snapshots, data replication, data synchronization, or other high availability mechanisms.
Satellite-enabled services
  • Review each service's documentation for additional responsibilities that IBM maintains.
  • Review each service's documentation for additional responsibilities that you fulfill when you use these services.
Satellite Connector
  • Update the managed master components.
  • Provide the ability to control access to connectors through IBM IAM.
 You are responsible for keeping your container platform infrastructure secure and compliant.
Satellite Connector Agent Image
  • Test and publish updates to the Satellite Connector Agent Image in the IBM Container Registry.
  • Monitor and update the software inside the container image for CVE.
 You are responsible for updating the Satellite Connector Agent Image to new versions published to the IBM Container Registry.
Satellite Connector Agent for Windows Service
  • Test and publish updates to the Satellite Connector Agent for Windows Service as a .zip file in the IBM.
  • Monitor and update the software inside the .zip file.
 You are responsible for updating the Satellite Connector Agent for Windows Service to new versions published to the IBM Cloud, retrieved using the CLI. For more information, see Running the agent on Windows.

Disaster recovery

Disaster recovery includes tasks such as providing dependencies on disaster recovery sites, provision disaster recovery environments, data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events.

Table 6. Responsibilities for disaster recovery.
Task IBM responsibilities Your responsibilities
Satellite Location
  • Back up location information to recover Satellite location control plane components to an IBM-managed bucket in your IBM Cloud Object Storage instance.
  • Monitor the health of the location, automatically resolve issues when possible, and alert IBM site reliability engineers when manual intervention is required.
  • Define the disaster recovery requirements for the environment.
  • Provide access to the backup in your IBM Cloud Object Storage instance if you need to recover a location.
Satellite Host
  • Back up information for hosts that are assigned to the location control plane to an IBM-managed IBM Cloud Object Storage instance.
  • Back up information for hosts that are assigned to Satellite clusters to an IBM Cloud Object Storage instance in your account.
  • Maintain, repair, or replace hardware as needed.
Satellite Config
  • Back up information about saved Satellite configurations in etcd.
  • When service is restored, automatically deploy configuration files to available clusters.
Satellite Link N/A
  • Reinstate any necessary endpoints to your resources after recovering from a disaster.
Satellite Storage
  • Back up information about storage configurations and assigned clusters.
  • Ensure that your data is stored highly available by using snapshots, data replication, data synchronization, or other high availability mechanisms.
  • Back up your data to meet compliance and regulatory requirements for data retention.
  • Use the provided tools from your storage provider or in your on-prem data center to monitor physical storage instances and replace defective instances as necessary.
Satellite-enabled services
  • Review each service's documentation for additional responsibilities that IBM maintains.
  • Review each service's documentation for additional responsibilities that you fulfill when you use these services.