Support for security rule management in NSGs

You can now include an annotation to specify that network security groups (NSGs) are used to manage some or all of the security rules that control access to the load balancers and network load balancers provisioned for Kubernetes services of type LoadBalancer. Oracle recommends that security rules be managed in NSGs rather than in security lists.

The oci-cloud-controller-manager can manage all required security rules for ingress to the load balancer or network load balancer service, in an NSG that it creates for the purpose. This NSG is known as the frontend NSG.

If you also want the oci-cloud-controller-manager to manage security rules for ingress traffic to the worker nodes in the backend set, along with egress traffic from the load balancer or network load balancer service, you must specify the OCID of an existing NSG to use for this purpose. This NSG is known as the backend NSG. The oci-cloud-controller-manager only adds egress rules to the frontend NSG if you specify a backend NSG.

The following new annotations enable you to specify the use of NSGs to manage security rules, and the OCID of an existing NSG to use as the backend NSG, respectively:

  • oci.oraclecloud.com/security-rule-management-mode: "NSG"
  • oci.oraclecloud.com/oci-backend-network-security-group: "<nsg-ocid>"
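As an added illustration (not part of the release note), the following Service manifest places both annotations where the oci-cloud-controller-manager reads them; the service name, selector label, ports and the backend NSG OCID are placeholders to be replaced with your own values.

```yaml
# Added example: a Service of type LoadBalancer whose security rules are
# managed in NSGs by the oci-cloud-controller-manager.
# The backend NSG OCID is a placeholder; use the OCID of an existing NSG
# that the worker nodes in the backend set are members of.
apiVersion: v1
kind: Service
metadata:
  name: my-app-lb                 # assumed service name
  annotations:
    # Ingress rules to the load balancer are managed in a frontend NSG
    # that the controller manager creates for this service.
    oci.oraclecloud.com/security-rule-management-mode: "NSG"
    # Optional backend NSG: rules for ingress to the worker nodes in the
    # backend set are managed here, and only when this is set does the
    # controller manager also add egress rules to the frontend NSG.
    oci.oraclecloud.com/oci-backend-network-security-group: "ocid1.networksecuritygroup.oc1..<placeholder>"
spec:
  type: LoadBalancer
  selector:
    app: my-app                   # assumed pod label
  ports:
    - name: http
      port: 80
      targetPort: 8080
```

Omitting the second annotation leaves the frontend NSG with ingress rules only, so backend and egress rules must then be handled outside the controller manager.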

For more information, see Using the oci.oraclecloud.com/security-rule-management-mode annotation to manage security rules in NSGs and security lists.