OKE Administrator Tasks

Learn about the set of tasks you perform to enable the OKE service on Compute Cloud@Customer.

Perform the one-time administrative tasks on this page to configure OKE on Compute Cloud@Customer.

Note

After you complete these tasks, it can take up to 15 minutes for the IAM changes to synchronize on the Compute Cloud@Customer infrastructure.

Ensure Platform Images with OKE are Available

Compute Cloud@Customer includes platform images that have OKE installed on them. Ensure that you have access to them. See Listing Images and Viewing Details. OKE-enabled images have OKE in the image name. Examples:

  • uln-pca-Oracle-Linux8-OKE-1.26.6-20240210.oci
  • uln-pca-Oracle-Linux8-OKE-1.27.7-20240209.oci
  • uln-pca-Oracle-Linux8-OKE-1.28.3-20240210.oci

Next Step: Create a Users Group and Policies that Authorize Members to use OKE

Create a Users Group and Policies that Authorize Members to use OKE

  1. Create a user group that contains the users who will manage OKE resources. See the following topics based on the type of IAM you have in your tenancy:

  2. Create the policies that authorize group members to use OKE.

    Include the manage cluster-family authorization in the policy. The following example policies are for the OKE user group. Depending on your organization (for example, if a separate team manages network resources), some of the following manage authorizations could instead be read or use authorizations, or you might need to add authorizations. You might also need to create more than one user group to authorize OKE work in different compartments.

    allow group <group-name> to read all-resources in tenancy
    allow group <group-name> to manage cluster-family in compartment <compartment-name>
    allow group <group-name> to manage instance-family in compartment <compartment-name>
    allow group <group-name> to manage virtual-network-family in compartment <compartment-name>
    allow group <group-name> to manage volume-family in compartment <compartment-name>

For more information about policies, see these resources:

Next Step: Create an OraclePCA-OKE.cluster_id Defined Tag

Create an OraclePCA-OKE.cluster_id Defined Tag

This defined tag is required to create and update an OKE cluster or node pool. See Creating the OraclePCA-OKE.cluster_id Tag.

Create a Dynamic Group

Create a dynamic group to authorize member instances to manage OKE resources.

If your tenancy uses IAM with Identity Domains, use the following steps.

If your tenancy uses IAM without Identity Domains, see Managing Dynamic Groups instead, and follow the steps under Using the Console, To create a dynamic group.

  1. In the OCI Oracle Cloud Console, open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in.
  3. In the left panel, click Dynamic groups.
  4. Click Create Dynamic Group.
  5. Enter the following information:
    • Name: Enter a unique name for the group. The name must be unique across all groups in your tenancy (dynamic groups and user groups). You can't change this later. Avoid entering confidential information.
    • Description: Enter a description.

    • Matching Rule: Enter the following matching rule, exactly as shown, to define the group:

      tag.OraclePCA-OKE.cluster_id.value

      All nodes that have this tag are members of the dynamic group.
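Membership of the dynamic group is decided by that matching rule. The following added example (not code from the Oracle documentation) evaluates a rule of the tag.namespace.key.value form, plus the OCI value-comparison variant tag.namespace.key.value='v', against a constructed node inventory shaped like the definedTags field of the OCI API; the instance names and cluster OCIDs are placeholders.

```python
import re

# Matching-rule forms handled (assumption: only the single tag predicate used on this page,
# plus the OCI value-comparison form tag.<ns>.<key>.value='<v>'; Any{}/All{} groupings are not).
RULE_RE = re.compile(r"^tag\.(?P<ns>[^.]+)\.(?P<key>[^.=\s]+)\.value(?:\s*=\s*'(?P<val>[^']*)')?$")


def parse_rule(rule):
    """Return (namespace, key, value); value is None for the 'has this tag, any value' form."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported matching rule: {rule!r}")
    return m["ns"], m["key"], m["val"]


def is_member(rule, instance):
    """instance: dict with 'definedTags' shaped like the OCI API, {namespace: {key: value}}."""
    ns, key, val = parse_rule(rule)
    tags = instance.get("definedTags", {}).get(ns, {})
    if key not in tags:
        return False            # untagged nodes never match
    return val is None or tags[key] == val


def members(rule, instances):
    """Display names of the instances the dynamic group would contain under this rule."""
    return [i["displayName"] for i in instances if is_member(rule, i)]


# Constructed node inventory: two OKE worker nodes carrying the cluster_id tag, one unrelated VM.
INSTANCES = [
    {"displayName": "oke-node-1",
     "definedTags": {"OraclePCA-OKE": {"cluster_id": "ocid1.cluster.EXAMPLE-a"}}},
    {"displayName": "oke-node-2",
     "definedTags": {"OraclePCA-OKE": {"cluster_id": "ocid1.cluster.EXAMPLE-b"}}},
    {"displayName": "bastion-vm",
     "definedTags": {"Oracle-Tags": {"CreatedBy": "admin"}}},
]
PAGE_RULE = "tag.OraclePCA-OKE.cluster_id.value"   # the rule from this page

if __name__ == "__main__":
    print(members(PAGE_RULE, INSTANCES))
```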

Next Step: Create a Policy for the Dynamic Group

Create a Policy for the Dynamic Group

  1. Click Create Dynamic Group.
  2. Open the navigation menu, and click Identity & Security. Under Identity, click Policies.
  3. Click Create Policy.

    For a full description of the ways you can enter policies, see Creating a Policy.

  4. In the Create Policy panel, enter the following information:

    • Name: Enter a name for the policy.
    • Description: Enter a description.
    • Compartment: Select the compartment for the policy.
    • Policy Builder: Define the policies for the dynamic group:
      1. Click the slider to Show manual editor.
      2. Specify the following policy rules (replace dynamic-group-name with the name you created):

        allow dynamic-group <dynamic-group-name> to use instance-family in tenancy
        allow dynamic-group <dynamic-group-name> to use virtual-network-family in tenancy
        allow dynamic-group <dynamic-group-name> to manage load-balancers in tenancy
        allow dynamic-group <dynamic-group-name> to manage volume-family in tenancy
        allow dynamic-group <dynamic-group-name> to manage file-family in tenancy
      3. Click Create.

The OKE service is now ready for OKE users to manage OKE resources. To get started, see Cluster Administrator Tasks.
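The user-group and dynamic-group policies above grant broad manage verbs, and the text notes that some of them can be narrowed to read or use. The following added example (not code from the Oracle documentation) parses statements in the form shown on this page and reports grants that fall below a required level or exceed a chosen ceiling; group, compartment and verb-ceiling choices are constructed.

```python
import re
from collections import namedtuple

# Subset of the OCI IAM policy grammar used on this page (assumption: no "where" conditions).
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)$",
    re.IGNORECASE,
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # OCI verbs, least to most powerful
# resource is the family (e.g. "cluster-family"); scope is "tenancy" or "compartment <name>"
Statement = namedtuple("Statement", "subject_type subject verb resource scope")

def parse_statements(text):
    """Parse one statement per non-empty line; anything outside the subset is an error."""
    stmts = []
    for line in text.splitlines():
        line = " ".join(line.split())  # normalise whitespace
        if not line:
            continue
        m = STATEMENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised policy statement: {line!r}")
        stmts.append(Statement(m["subject_type"].lower(), m["subject"], m["verb"].lower(),
                               m["resource"].lower(), m["scope"].lower()))
    return stmts

def review_policy(text, required, ceilings):
    """required: {resource: minimum verb}; ceilings: {resource: maximum verb}.
    Returns (missing grants, over-privileged statements) for the policy text."""
    stmts = parse_statements(text)
    missing = [f"{res}: needs at least {verb}" for res, verb in required.items()
               if not any(s.resource == res and VERB_RANK[s.verb] >= VERB_RANK[verb] for s in stmts)]
    over = [f"{s.resource}: {s.verb} exceeds ceiling {ceilings[s.resource]}" for s in stmts
            if s.resource in ceilings and VERB_RANK[s.verb] > VERB_RANK[ceilings[s.resource]]]
    return missing, over

# The OKE user-group policy from this page, placeholders filled with constructed names.
OKE_GROUP_POLICY = """
allow group oke-admins to read all-resources in tenancy
allow group oke-admins to manage cluster-family in compartment oke-compartment
allow group oke-admins to manage instance-family in compartment oke-compartment
allow group oke-admins to manage virtual-network-family in compartment oke-compartment
allow group oke-admins to manage volume-family in compartment oke-compartment
"""
# Constructed organisational choice: a separate network team owns the VCNs, so OKE users
# should only "use" virtual-network-family, while "manage cluster-family" stays mandatory.
REQUIRED = {"cluster-family": "manage"}
CEILINGS = {"virtual-network-family": "use"}
```

The same parser accepts the dynamic-group statements, including the one written with a capital Allow, since the policy language is matched case-insensitively.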

Next Step: Create the OraclePCA Tag Namespace and Key Definitions

Create the OraclePCA Tag Namespace and Key Definitions

Create the OraclePCA tag namespace and keys that are used when creating a cluster. See Creating OraclePCA Tags For OKE.

Certificate Authority Bundle Administration

After upgrade, patching, or any other outage, or if the automated Certificate Authority bundle update fails, you might want to update the CA bundle manually on the management node. See Certificate Authority Bundles.