Oracle Cloud Infrastructure Documentation

Creating an OKE Control Plane Subnet (Flannel Overlay)

On Compute Cloud@Customer, part of configuring OKE requires creating external and internal access security lists and a control plane subnet.

Create the following resources in the order listed:

  1. Create a Control Plane Security List
  2. Create the Control Plane Subnet

Create a Control Plane Security List

To create a security list, use the instructions in Creating a Security List. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

For this example, use the following input for the control plane subnet security list. Use this configuration as a guide when you create these resources. You can change the values of properties such as CIDR blocks and IP addresses. You should not change the values of properties such as the network protocol, the stateful setting, or the private/public setting.

Compute Cloud@Customer Console property

CLI property

  • Name: kmi-seclist

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: kmi-seclist

Six ingress security rules:

Six ingress security rules:

--ingress-security-rules

Ingress Rule 1

  • Stateless: clear the check box

  • Ingress CIDR: kube_client_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow inbound connections to the Kubernetes API server."

 Ingress Rule 1

  • isStateless: false

  • source: kube_client_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow inbound connections to the Kubernetes API server."
Ingress Rule 2

  • Stateless: clear the check box

  • Ingress CIDR: kmilb_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow inbound connections from the control plane load balancer."

 Ingress Rule 2

  • isStateless: false

  • source: kmilb_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow inbound connections from the control plane load balancer."
Ingress Rule 3

  • Stateless: clear the check box

  • Ingress CIDR: worker_cidr

  • IP Protocol: TCP

    • Destination Port Range: 1024-65535

  • Description: "Allow inbound connections from worker nodes to the control plane."

 Ingress Rule 3

  • isStateless: false

  • source: worker_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 65535

    • min: 1024

  • description: "Allow inbound connections from worker nodes to the control plane."
Ingress Rule 4

  • Stateless: clear the check box

  • Ingress CIDR: kmi_cidr

  • IP Protocol: TCP

    • Destination Port Range: 1024-65535

  • Description: "Allow inbound connections within the control plane."

 Ingress Rule 4

  • isStateless: false

  • source: kmi_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 65535

    • min: 1024

  • description: "Allow inbound connections within the control plane."

Create the Control Plane Subnet

To create a subnet, use the instructions in Creating a Subnet. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

Use the following input to create the control plane subnet. Use the OCID of the VCN that was created in Creating a VCN (Flannel Overlay). Create the control plane subnet in the same compartment where you created the VCN.

Create either a NAT private control plane subnet or a VCN private control plane subnet. Create a NAT private control plane subnet to communicate outside the VCN.

Important

The name of this subnet must be exactly control-plane.

Create a NAT Private Control Plane Subnet

Compute Cloud@Customer Console property

CLI property

  • Name: control-plane

  • CIDR Block: kmi_cidr

  • Route Table: Select "nat_private" from the list

  • Private Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: kmi

  • Security Lists: Select "kmi-seclist" and "Default Security List for oketest-vcn" from the list

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: control-plane

  • --cidr-block: kmi_cidr

  • --dns-label: kmi

  • --prohibit-public-ip-on-vnic: true

  • --route-table-id: OCID of the "nat_private" route table

  • --security-list-ids: OCIDs of the "kmi-seclist" security list and the "Default Security List for oketest-vcn" security list
Create a VCN Private Control Plane Subnet

Compute Cloud@Customer Console property

CLI property

  • Name: control-plane

  • CIDR Block: kmi_cidr

  • Route Table: Select "vcn_private" from the list

  • Private Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: kmi

  • Security Lists: Select "kmi-seclist" and "Default Security List for oketest-vcn" from the list

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: control-plane

  • --cidr-block: kmi_cidr

  • --dns-label: kmi

  • --prohibit-public-ip-on-vnic: true

  • --route-table-id: OCID of the "vcn_private" route table

  • --security-list-ids: OCIDs of the "kmi-seclist" security list and the "Default Security List for oketest-vcn" security list

What's Next:

Creating an OKE Control Plane Load Balancer Subnet (Flannel Overlay)