OKE Administrator Tasks
Learn about the set of tasks you perform to enable the OKE service on Compute Cloud@Customer.
Perform the one-time administrative tasks on this page to configure OKE on Compute Cloud@Customer.
After you complete these tasks, it can take up to 15 minutes for the IAM changes to synchronize on the Compute Cloud@Customer infrastructure.
Ensure Platform Images with OKE are Available
Compute Cloud@Customer includes platform images that have OKE installed on them. Ensure that you have access to them. See Listing Images and Viewing Details. OKE-enabled images have OKE in the image name. Examples:
- uln-pca-Oracle-Linux8-OKE-1.26.6-20240210.oci
- uln-pca-Oracle-Linux8-OKE-1.27.7-20240209.oci
- uln-pca-Oracle-Linux8-OKE-1.28.3-20240210.oci
Next Step: Create a Users Group and Policies that Authorize Members to use OKE
Create a Users Group and Policies that Authorize Members to use OKE
- Create a user group that contains the users who will manage OKE resources. See the following topics based on the type of IAM you have in your tenancy:
- Create the policies that authorize group members to use OKE.
  Include the manage cluster-family authorization in the policy. The following shows example policies for the OKE user group. Depending on your organization, for example if you have a separate team that manages network resources, some of the following manage authorizations could be read or use authorizations. Or, you might need to add authorizations. You might need to create more than one user group to authorize OKE work in different compartments. Note that the first statement grants read access to every resource in the tenancy; if the group works in only one compartment, you can scope that statement to the compartment instead.
  allow group <group-name> to read all-resources in tenancy
  allow group <group-name> to manage cluster-family in compartment <compartment-name>
  allow group <group-name> to manage instance-family in compartment <compartment-name>
  allow group <group-name> to manage virtual-network-family in compartment <compartment-name>
  allow group <group-name> to manage volume-family in compartment <compartment-name>
For more information about policies, see these resources:
Next Step: Create an OraclePCA-OKE.cluster_id Defined Tag
This defined tag is required to create and update an OKE cluster or node pool. See Creating the OraclePCA-OKE.cluster_id Tag.
Create a Dynamic Group
Create a dynamic group to authorize member instances to manage OKE resources.
If your tenancy uses IAM with Identity Domains, use the following steps.
If your tenancy uses IAM without Identity Domains, instead, see Managing Dynamic Groups, and follow the steps under Using the Console, To create a dynamic group.
- In the OCI Oracle Cloud Console, open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Select the identity domain you want to work in.
- In the left panel, click Dynamic groups.
- Click Create Dynamic Group.
- Enter the following information:
  - Name: Enter a unique name for the group. The name must be unique across all groups in your tenancy (dynamic groups and user groups). You can't change this later. Avoid entering confidential information.
  - Description: Enter a description.
  - Matching Rule: Enter the following rule, exactly as shown, to define the group:
    tag.OraclePCA-OKE.cluster_id.value
    All nodes that have this tag are members of the dynamic group.
- Click Create Dynamic Group.
Next Step: Create a Policy for the Dynamic Group
Create a Policy for the Dynamic Group
- Open the navigation menu, and click Identity & Security. Under Identity, click Policies.
- Click Create Policy.
  For a full description of the ways you can enter policies, see Creating a Policy.
- In the Create Policy panel, enter the following information:
  - Name: Enter a name for the policy.
  - Description: Enter a description.
  - Compartment: Select the compartment for the policy.
  - Policy Builder: Define the policies for the dynamic group:
    - Click the slider to Show manual editor.
    - Specify the following policy rules (replace <dynamic-group-name> with the name you created):
      allow dynamic-group <dynamic-group-name> to use instance-family in tenancy
      allow dynamic-group <dynamic-group-name> to use virtual-network-family in tenancy
      allow dynamic-group <dynamic-group-name> to manage load-balancers in tenancy
      allow dynamic-group <dynamic-group-name> to manage volume-family in tenancy
      allow dynamic-group <dynamic-group-name> to manage file-family in tenancy
- Click Create.
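The following Python script is an added example, not code from the Oracle documentation or from the OKE service. It parses policy statements in the shape used for the OKE user group (Create a Users Group and Policies that Authorize Members to use OKE) and for the dynamic group in this section, checks that the required manage cluster-family grant is present, reports tenancy-wide grants for review, and shows the narrowing the user-group text describes (manage virtual-network-family becomes use when another team owns the network). The group name oke-admins, the dynamic group name oke-nodes, the compartment oke-prod and the policy text are constructed sample input, and the checks are this script's own, not an Oracle policy validator.

```python
"""Added example: parse and sanity-check OCI IAM policy statements of the shape used on this page.

Group name oke-admins, dynamic group oke-nodes and compartment oke-prod are assumed sample values;
the checks are this script's own, not an Oracle policy validator.
"""
import re
from dataclasses import dataclass

# OCI policy verbs from least to most privilege; each verb includes the ones before it.
VERBS = ("inspect", "read", "use", "manage")

STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>[\w.\-]+)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)\s+"
    r"in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>[\w.\-:]+))\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    subject_type: str  # "group" or "dynamic-group"
    subject: str
    verb: str
    resource: str      # e.g. "cluster-family", "all-resources"
    scope: str         # "tenancy" or "compartment:<name>"

    def render(self):
        where = "tenancy" if self.scope == "tenancy" else "compartment " + self.scope.split(":", 1)[1]
        return f"allow {self.subject_type} {self.subject} to {self.verb} {self.resource} in {where}"


def parse_statement(line):
    """Parse one 'allow <subject> to <verb> <resource> in <scope>' statement (case-insensitive)."""
    m = STATEMENT_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised policy statement: {line!r}")
    scope = "tenancy" if m.group("tenancy") else "compartment:" + m.group("compartment")
    return Statement(m.group("subject_type").lower(), m.group("subject"),
                     m.group("verb").lower(), m.group("resource").lower(), scope)


def parse_policy(text):
    """One statement per non-blank line, the same layout the Console's manual editor accepts."""
    return [parse_statement(line) for line in text.splitlines() if line.strip()]


def lint(statements, subject, required=(("manage", "cluster-family"),)):
    """Return (severity, message) findings for the statements that name `subject`.

    error: a required grant is missing, or present only with a weaker verb.
    info:  a use/manage grant (or any all-resources grant) is tenancy-wide; confirm that is intended.
    """
    findings = []
    mine = [s for s in statements if s.subject == subject]
    if not mine:
        return [("error", f"{subject}: no statements")]
    for verb, resource in required:
        have = [s for s in mine if s.resource in (resource, "all-resources")]
        if not have:
            findings.append(("error", f"{subject}: missing '{verb} {resource}'"))
        elif max(VERBS.index(s.verb) for s in have) < VERBS.index(verb):
            findings.append(("error", f"{subject}: '{resource}' is granted with a weaker verb than '{verb}'"))
    for s in mine:
        if s.scope == "tenancy" and (s.verb in ("use", "manage") or s.resource == "all-resources"):
            findings.append(("info", f"{subject}: '{s.verb} {s.resource}' is tenancy-wide"))
    return findings


def narrow(statements, subject, resource, verb):
    """Lower `subject`'s verb on `resource` to `verb` (never raises it), e.g. manage -> use for networking."""
    out = []
    for s in statements:
        if s.subject == subject and s.resource == resource and VERBS.index(verb) < VERBS.index(s.verb):
            s = Statement(s.subject_type, s.subject, verb, s.resource, s.scope)
        out.append(s)
    return out


# Constructed sample policies, following the statements shown on this page.
OKE_USER_POLICY = """
allow group oke-admins to read all-resources in tenancy
allow group oke-admins to manage cluster-family in compartment oke-prod
allow group oke-admins to manage instance-family in compartment oke-prod
allow group oke-admins to manage virtual-network-family in compartment oke-prod
allow group oke-admins to manage volume-family in compartment oke-prod
"""

OKE_NODE_POLICY = """
allow dynamic-group oke-nodes to use instance-family in tenancy
allow dynamic-group oke-nodes to use virtual-network-family in tenancy
allow dynamic-group oke-nodes to manage load-balancers in tenancy
allow dynamic-group oke-nodes to manage volume-family in tenancy
Allow dynamic-group oke-nodes to manage file-family in tenancy
"""

if __name__ == "__main__":
    users = parse_policy(OKE_USER_POLICY)
    for sev, msg in lint(users, "oke-admins"):
        print(sev, msg)
    # A separate team owns the VCN: the OKE group only needs to attach to it.
    for s in narrow(users, "oke-admins", "virtual-network-family", "use"):
        print(s.render())
    for sev, msg in lint(parse_policy(OKE_NODE_POLICY), "oke-nodes", required=()):
        print(sev, msg)
```

Run it against the statements you intend to paste into the manual editor: an error means the OKE group cannot create or update clusters, and each info line is a tenancy-wide grant to confirm against the compartment layout you actually use.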
The OKE service is now ready for OKE users to manage OKE resources. To get started, see Cluster Administrator Tasks.
Next Step: Create the OraclePCA Tag Namespace and Key Definitions
The OraclePCA tag namespace and keys are used when creating a cluster. See Creating OraclePCA Tags For OKE.
Certificate Authority Bundle Administration
After upgrade, patching, or any other outage, or if the automated Certificate Authority bundle update fails, you might need to update the CA bundle manually on the management node. See Certificate Authority Bundles.