Creating a Worker Subnet (VCN-Native Pod)

On Compute Cloud@Customer,

Create the following resources in the order listed:

Worker security list
Worker subnet

Create a Worker Security List

Create a security list. See Creating a Security List.. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

This security list defines traffic that is allowed to contact worker nodes directly.

For this example, use the following input for the worker subnet security list.


Console property	CLI property
Name: worker-seclist	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `worker-seclist`
One egress security rule: Stateless: uncheck the box Egress CIDR: 0.0.0.0/0 IP Protocol: All protocols Description: "Allow all outgoing traffic."	One egress security rule: `--egress-security-rules` `isStateless`: `false` `destination`: `0.0.0.0/0` `destinationType`: `CIDR_BLOCK` `protocol`: `all` `description`: "Allow all outgoing traffic."
Ten ingress security rules:	Ten ingress security rules: `--ingress-security-rules`
Ingress Rule 1 Stateless: uncheck the box Ingress CIDR: `kmi_cidr` IP Protocol: TCP Destination Port Range: 22 Description: "Allow SSH connection from the control plane subnet."	Ingress Rule 1 `isStateless`: `false` `source`: `kmi_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `22` `min`: `22` `description`: "Allow SSH connection from the control plane subnet."
Ingress Rule 2 Stateless: uncheck the box Ingress CIDR: `worker_cidr` IP Protocol: TCP Destination Port Range: 22 Description: "Allow SSH connection from the worker subnet."	Ingress Rule 2 `isStateless`: `false` `source`: `worker_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `22` `min`: `22` `description`: "Allow SSH connection from the worker subnet."
Ingress Rule 3 Stateless: uncheck the box Ingress CIDR: `worker_cidr` IP Protocol: TCP Destination Port Range: 10250 Description: "Allow Kubernetes API endpoint to worker node communication."	Ingress Rule 3 `isStateless`: `false` `source`: `worker_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10250` `min`: `10250` `description`: "Allow Kubernetes API endpoint to worker node communication."
Ingress Rule 4 Stateless: uncheck the box Ingress CIDR: `worker_cidr` IP Protocol: TCP Destination Port Range: 10256 Description: "Allow Load Balancer or Network Load Balancer to communicate with `kube-proxy` on worker nodes."	Ingress Rule 4 `isStateless`: `false` `source`: `worker_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10256` `min`: `10256` `description`: "Allow Load Balancer or Network Load Balancer to communicate with `kube-proxy` on worker nodes."
Ingress Rule 5 Stateless: uncheck the box Ingress CIDR: `worker_cidr` IP Protocol: TCP Destination Port Range: 30000-32767 Description: "Allow traffic to worker nodes."	Ingress Rule 5 `isStateless`: `false` `source`: `worker_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `32767` `min`: `30000` `description`: "Allow traffic to worker nodes."
Ingress Rule 6 Stateless: uncheck the box Ingress CIDR: `workerlb_cidr` IP Protocol: TCP Destination Port Range: 10256 Description: "Allow Load Balancer or Network Load Balancer to communicate with `kube-proxy` on worker nodes."	Ingress Rule 6 `isStateless`: `false` `source`: `workerlb_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10256` `min`: `10256` `description`: "Allow Load Balancer or Network Load Balancer to communicate with `kube-proxy` on worker nodes."
Ingress Rule 7 Stateless: uncheck the box Ingress CIDR: `workerlb_cidr` IP Protocol: TCP Destination Port Range: 30000-32767 Description: "Allow worker nodes to receive connections through Network Load Balancer."	Ingress Rule 7 `isStateless`: `false` `source`: `workerlb_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `32767` `min`: `30000` `description`: "Allow worker nodes to receive connections through Network Load Balancer."
Ingress Rule 8 Stateless: uncheck the box Ingress CIDR: `kmi_cidr` IP Protocol: TCP Destination Port Range: 10250 Description: "Allow Kubernetes API endpoint to worker node communication."	Ingress Rule 8 `isStateless`: `false` `source`: `kmi_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10250` `min`: `10250` `description`: "Allow Kubernetes API endpoint to worker node communication."
Ingress Rule 9 Stateless: uncheck the box Ingress CIDR: `kmi_cidr` IP Protocol: TCP Destination Port Range: 10256 Description: "Allow Load Balancer or Network Load Balancer to communicate with `kube-proxy` on worker nodes."	Ingress Rule9 `isStateless`: `false` `source`: `kmi_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10256` `min`: `10256` `description`: "Allow Load Balancer or Network Load Balancer to communicate with `kube-proxy` on worker nodes."
Ingress Rule 10 Stateless: uncheck the box Ingress CIDR: `pod_cidr` IP Protocol: TCP Destination Port Range: 30000-32767 Description: "Allow worker nodes to receive connections through the pod subnet."	Ingress Rule 10 `isStateless`: `false` `source`: `pod_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `32767` `min`: `30000` `description`: "Allow worker nodes to receive connections through the pod subnet."

Create the Worker Subnet

Create a subnet. See Creating a Subnet. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input to create the worker subnet. Use the OCID of the VCN that was created in Creating a VCN (VCN-Native Pod). Create the worker subnet in the same compartment where you created the VCN.

Create either a NAT private worker subnet or a VCN private worker subnet. Create a NAT private worker subnet to communicate outside the VCN.

Create a NAT Private Worker Subnet
Console property	CLI property
Name: worker CIDR Block: `worker_cidr` Route Table: Select "nat_private" from the list Private Subnet: check the box DNS Hostnames: Use DNS Hostnames in this Subnet: check the box DNS Label: worker Security Lists: Select "worker-seclist" and "Default Security List for oketest-vcn" from the list	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `worker` `--cidr-block`: `worker_cidr` `--dns-label`: `worker` `--prohibit-public-ip-on-vnic`: `true` `--route-table-id`: OCID of the "nat_private" route table `--security-list-ids`: OCIDs of the "worker-seclist" security list and the "Default Security List for oketest-vcn" security list

The difference in the following private subnet is the VCN private route table is used instead of the NAT private route table.

Create a VCN Private Worker Subnet
Console property	CLI property
Name: worker CIDR Block: `worker_cidr` Route Table: Select "vcn_private" from the list Private Subnet: check the box DNS Hostnames: Use DNS Hostnames in this Subnet: check the box DNS Label: worker Security Lists: Select "worker-seclist" and "Default Security List for oketest-vcn" from the list	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `worker` `--cidr-block`: `worker_cidr` `--dns-label`: `worker` `--prohibit-public-ip-on-vnic`: `true` `--route-table-id`: OCID of the "vcn_private" route table `--security-list-ids`: OCIDs of the "worker-seclist" security list and the "Default Security List for oketest-vcn" security list

Oracle Cloud Infrastructure Documentation

Creating a Worker Subnet (VCN-Native Pod)

Create a Worker Security List

Create the Worker Subnet