Oracle Cloud Infrastructure Documentation

Creating a Control Plane Subnet (VCN-Native Pod)

Create the following resources in the order listed:

  1. Control plane security list

  2. Control plane subnet

Create a Control Plane Security List

Create a security list. See Creating a Security List. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input for the control plane subnet security list. The kubernetes_api_port is the port used to access the Kubernetes API: port 6443. See also Workload Cluster Network Ports (VCN-Native Pod).

Console property

CLI property

  • Name: kmi-seclist

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: kmi-seclist

One egress security rule:

  • Stateless: uncheck the box

  • Egress CIDR: 0.0.0.0/0

  • IP Protocol: All protocols

  • Description: "Allow all outgoing traffic."

One egress security rule:

--egress-security-rules

  • isStateless: false

  • destination: 0.0.0.0/0

  • destinationType: CIDR_BLOCK

  • protocol: all

  • description: "Allow all outgoing traffic."

Eleven ingress security rules:

Eleven ingress security rules:

--ingress-security-rules

Ingress Rule 1

  • Stateless: clear the box

  • Ingress CIDR: kube_client_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow clients to communicate with Kubernetes API."

 Ingress Rule 1

  • isStateless: false

  • source: kube_client_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow clients to communicate with Kubernetes API."
Ingress Rule 2

  • Stateless: clear the box

  • Ingress CIDR: kmilb_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow the load balancer to communicate with Kubernetes control plane APIs."

 Ingress Rule 2

  • isStateless: false

  • source: kmilb_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow the load balancer to communicate with Kubernetes control plane APIs."
Ingress Rule 3

  • Stateless: clear the box

  • Ingress CIDR: kmilb_cidr

  • IP Protocol: TCP

    • Destination Port Range: 12250

  • Description: "Allow Kubernetes worker to Kubernetes API endpoint communication via the control plane load balancer."

 Ingress Rule 3

  • isStateless: false

  • source: kmilb_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 12250

    • min: 12250

  • description: "Allow Kubernetes worker to Kubernetes API endpoint communication via the control plane load balancer."
Ingress Rule 4

  • Stateless: clear the box

  • Ingress CIDR: worker_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow worker nodes to access the Kubernetes API."

 Ingress Rule 4

  • isStateless: false

  • source: worker_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow worker nodes to access the Kubernetes API."
Ingress Rule 5

  • Stateless: clear the box

  • Ingress CIDR: worker_cidr

  • IP Protocol: TCP

    • Destination Port Range: 12250

  • Description: "Allow Kubernetes worker to Kubernetes API endpoint communication."

 Ingress Rule 5

  • isStateless: false

  • source: worker_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 12250

    • min: 12250

  • description: "Allow Kubernetes worker to Kubernetes API endpoint communication."
Ingress Rule 6

  • Stateless: clear the box

  • Ingress CIDR: kmi_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow the control plane to reach itself."

 Ingress Rule 6

  • isStateless: false

  • source: kmi_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow the control plane to reach itself."
Ingress Rule 7

  • Stateless: clear the box

  • Ingress CIDR: kmi_cidr

  • IP Protocol: TCP

    • Destination Port Range: 2379-2381

  • Description: "Allow the control plane to reach etcd services and metrics. Ports 2379 and 2380 are used by Kubernetes to communicate with the etcd server. Port 2381 is used by Kubernetes to collect metrics from etcd."

 Ingress Rule 7

  • isStateless: false

  • source: kmi_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 2381

    • min: 2379

  • description: "Allow the control plane to reach etcd services and metrics. Ports 2379 and 2380 are used by Kubernetes to communicate with the etcd server. Port 2381 is used by Kubernetes to collect metrics from etcd."
Ingress Rule 8

  • Stateless: clear the box

  • Ingress CIDR: kmi_cidr

  • IP Protocol: TCP

    • Destination Port Range: 10250

  • Description: "Allow Kubernetes API endpoint to control plane node communication."

 Ingress Rule 8

  • isStateless: false

  • source: kmi_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 10250

    • min: 10250

  • description: "Allow Kubernetes API endpoint to control plane node communication."
Ingress Rule 9

  • Stateless: clear the box

  • Ingress CIDR: kmi_cidr

  • IP Protocol: TCP

    • Destination Port Range: 10257-10260

  • Description: "Allow inbound connection for Kubernetes components."

 Ingress Rule 9

  • isStateless: false

  • source: kmi_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 10260

    • min: 10257

  • description: "Allow inbound connection for Kubernetes components."
Ingress Rule 10

  • Stateless: clear the box

  • Ingress CIDR: pod_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow pods to communicate with Kubernetes APIs."

 Ingress Rule 10

  • isStateless: false

  • source: pod_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow pods to communicate with Kubernetes APIs."
Ingress Rule 11

  • Stateless: clear the box

  • Ingress CIDR: pod_cidr

  • IP Protocol: TCP

    • Destination Port Range: 12250

  • Description: "Allow Kubernetes pods to Kubernetes API endpoint communication."

 Ingress Rule 11

  • isStateless: false

  • source: pod_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 12250

    • min: 12250

  • description: "Allow Kubernetes pods to Kubernetes API endpoint communication."

Create the Control Plane Subnet

Create a subnet. See Creating a Subnet. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

Use the following input to create the control plane subnet. Use the OCID of the VCN that was created in Creating a VCN (VCN-Native Pod). Create the control plane subnet in the same compartment where you created the VCN.

Create either a NAT private control plane subnet or a VCN private control plane subnet. Create a NAT private control plane subnet to communicate outside the VCN.

Important

The name of this subnet must be exactly "control-plane".

Create a Data Center Private Control Plane Subnet

Console property

CLI property

  • Name: control-plane

  • CIDR Block: kmi_cidr

  • Route Table: Select "nat_private" from the list

  • Private Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: kmi

  • Security Lists: Select "kmi-seclist" and "Default Security List for oketest-vcn" from the list

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: control-plane

  • --cidr-block: kmi_cidr

  • --dns-label: kmi

  • --prohibit-public-ip-on-vnic: true

  • --route-table-id: OCID of the "nat_private" route table

  • --security-list-ids: OCIDs of the "kmi-seclist" security list and the "Default Security List for oketest-vcn" security list

The difference in the following private subnet is the VCN private route table is used instead of the NAT private route table.

Create a VCN Private Control Plane Subnet

Console property

CLI property

  • Name: control-plane

  • CIDR Block: kmi_cidr

  • Route Table: Select "vcn_private" from the list

  • Private Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: kmi

  • Security Lists: Select "kmi-seclist" and "Default Security List for oketest-vcn" from the list

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: control-plane

  • --cidr-block: kmi_cidr

  • --dns-label: kmi

  • --prohibit-public-ip-on-vnic: true

  • --route-table-id: OCID of the "vcn_private" route table

  • --security-list-ids: OCIDs of the "kmi-seclist" security list and the "Default Security List for oketest-vcn" security list