Oracle Cloud Infrastructure Documentation

Creating an OKE Control Plane Load Balancer Subnet (Flannel Overlay)

On Compute Cloud@Customer, part of configuring OKE requires creating a control plane security list and a control plane load balancer subnet.

Create the following resources in the order listed:

  1. Create a Control Plane Load Balancer Security List.
  2. Create the Control Plane Load Balancer Subnet.

Create a Control Plane Load Balancer Security List

To create a security list, use the instructions in Creating a Security List. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

The control plane load balancer accepts traffic on port 6443, which is also called kubernetes_api_port in these instructions. Adjust this security list to only accept connections from where you expect the network to run. Port 6443 must accept connections from the cluster control plane instances and worker instances.

For this example, use the following input for the control plane load balancer subnet security list.

Compute Cloud@Customer Console property

CLI property

  • Name: kmilb-seclist

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: kmilb-seclist

Three ingress security rules:

Three ingress security rules:

--ingress-security-rules

Ingress Rule 1:

  • Stateless: clear the check box

  • Ingress CIDR: 253.255.0.0/16

    This value is required. Do not change this CIDR value.

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 1:

  • isStateless: false

  • source: 253.255.0.0/16

    This value is required. Do not change this CIDR value.

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 2:

  • Stateless: clear the check box

  • Ingress CIDR: kube_client_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 2:

  • isStateless: false

  • source: kube_client_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 3:

  • Stateless: clear the check box

  • Ingress CIDR: vcn_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 3:

  • isStateless: false

  • source: vcn_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow inbound connections to the control plane load balancer."

Create the Control Plane Load Balancer Subnet

To create a subnet, use the instructions in Creating a Subnet. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

For this example, use the following input to create the control plane load balancer subnet. Use the OCID of the VCN that was created in Creating a VCN (Flannel Overlay). Create the control plane load balancer subnet in the same compartment where you created the VCN.

Create either a private or a public control plane load balancer subnet. Create a public control plane load balancer subnet to use with a public cluster. Create a private control plane load balancer subnet to use with a private cluster.

See Private Clusters for information about using Local Peering Gateways to connect a private cluster to other instances on the Compute Cloud@Customer and using Dynamic Routing Gateways to connect a private cluster to the on-premises IP address space. To create a private control plane load balancer subnet, specify one of the following route tables (see Creating a VCN (Flannel Overlay)):

  • vcn_private

  • lpg_rt

  • drg_rt

Create a Public Control Plane Load Balancer Subnet

Compute Cloud@Customer Console property

CLI property

  • Name: control-plane-endpoint

  • CIDR Block: kmilb_cidr

  • Route Table: Select "public" from the list

  • Public Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: kmilb

  • Security Lists: Select "kmilb-seclist" and "Default Security List for oketest-vcn" from the list

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: control-plane-endpoint

  • --cidr-block: kmilb_cidr

  • --dns-label: kmilb

  • --prohibit-public-ip-on-vnic: false

  • --route-table-id: OCID of the "public" route table

  • --security-list-ids: OCIDs of the "kmilb-seclist" security list and the "Default Security List for oketest-vcn" security list

The difference in the following private subnet is the VCN private route table is used instead of the public route table. Depending on your needs, you could specify the LPG route table or the DRG route table instead.

Create a Private Control Plane Load Balancer Subnet

Compute Cloud@Customer Console property

CLI property

  • Name: control-plane-endpoint

  • CIDR Block: kmilb_cidr

  • Route Table: Select "vcn_private" from the list

  • Private Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: kmilb

  • Security Lists: Select "kmilb-seclist" and "Default Security List for oketest-vcn" from the list

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: control-plane-endpoint

  • --cidr-block: kmilb_cidr

  • --dns-label: kmilb

  • --prohibit-public-ip-on-vnic: true

  • --route-table-id: OCID of the "vcn_private" route table

  • --security-list-ids: OCIDs of the "kmilb-seclist" security list and the "Default Security List for oketest-vcn" security list

What's Next:

Creating an OKE Cluster