Policies for Kubernetes Engine (OKE)
Shows how to allow Full Stack Disaster Recovery (DR) to manage a Kubernetes Engine (OKE) cluster that is part of the application stack.
Policy for Object Storage bucket access from OKE:
This policy lets the Full Stack DR service access the Object Storage bucket to upload the configuration backup. The policy that grants an OKE cluster access to the Object Storage bucket depends on the cluster type.
Managed Nodepool:
Create a dynamic group <cluster1_dg> with the matching rule:
All {instance.compartment.id = '<compartment_ocid>'}
Create a policy:
Allow dynamic-group cluster1_dg to manage object-family in compartment <compartment>
Allow dynamic-group cluster1_dg to manage cluster-family in compartment <compartment>
Virtual Nodepool:
Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<Cluster_OCID>'}
Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<Cluster_OCID>'}
These policies allow pods running in the brie namespace with the service account brie-reader or brie-creator to read from and write to the Object Storage bucket.
Policy for container instance:
This policy lets the runtime container instances created by the Full Stack DR service access the OKE cluster and the Object Storage bucket.
Create a dynamic group <bastion1_dg> with the matching rule:
All {resource.type='computecontainerinstance'}
Create a policy:
Allow dynamic-group bastion1_dg to manage object-family in compartment <compartment>
Allow dynamic-group bastion1_dg to manage cluster-family in compartment <compartment>
Policy for jump host:
If you are using a jump host, this policy lets Full Stack DR access the OKE cluster and the Object Storage buckets.
If the jump host and the cluster are in the same compartment, you can skip creating a new dynamic group and policy for Object Storage bucket access.
Create a dynamic group <bastion1_dg> with the matching rule:
All {instance.compartment.id = '<compartment_ocid>'}
Create a policy:
Allow dynamic-group bastion1_dg to manage cluster-family in compartment <compartment>
Allow dynamic-group bastion1_dg to manage cluster in compartment <compartment>
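As an added example that is not part of the Oracle documentation, the following Python script generates the Object Storage access statements for either cluster type described in the Managed Nodepool and Virtual Nodepool sections above, and lints any statement from this page (including the container instance and jump host ones) for the two mistakes that most often leave a DR policy broken or over-broad: an unreplaced <placeholder> pasted verbatim, and an any-user or tenancy-wide grant that carries no where clause pinning it to a cluster. The grammar the parser accepts is a simplified subset of OCI IAM policy syntax, the compartment name dr-app and the cluster OCID ocid1.cluster.oc1..example are constructed sample values, and the function names are this example's own.

```python
import re

# Simplified grammar for one OCI IAM policy statement:
#   Allow <subject> to <verb> <resource-type> in <scope> [where <conditions>]
# Subjects and scopes are limited to the forms used on this page.
STATEMENT = re.compile(
    r"^Allow\s+(?P<subject>any-user|dynamic-group\s+\S+|group\s+\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
# Anything still wrapped in angle brackets is a documentation placeholder.
PLACEHOLDER = re.compile(r"<[^<>]+>")


def oke_bucket_statements(cluster_type, compartment, dynamic_group="cluster1_dg",
                          cluster_ocid=None, namespace="brie",
                          service_accounts=("brie-reader", "brie-creator")):
    """Return the Object Storage access statements for one OKE cluster type."""
    if cluster_type == "managed":
        # Managed node pools authenticate as the worker instances (dynamic group).
        return [
            f"Allow dynamic-group {dynamic_group} to manage object-family in compartment {compartment}",
            f"Allow dynamic-group {dynamic_group} to manage cluster-family in compartment {compartment}",
        ]
    if cluster_type == "virtual":
        # Virtual node pools authenticate as workload identities, so the grant must
        # be pinned to the namespace, service account and cluster OCID.
        if not cluster_ocid:
            raise ValueError("virtual node pools need the cluster OCID to pin the workload identity")
        return [
            "Allow any-user to manage objects in tenancy where all { "
            f"request.principal.type = 'workload', request.principal.namespace = '{namespace}', "
            f"request.principal.service_account = '{sa}', request.principal.cluster_id = '{cluster_ocid}' }}"
            for sa in service_accounts
        ]
    raise ValueError(f"unknown cluster type: {cluster_type}")


def parse_statement(statement):
    """Split a statement into subject/verb/resource/scope/cond, or None if it does not parse."""
    m = STATEMENT.match(statement.strip())
    return m.groupdict() if m else None


def lint_statement(statement):
    """Return a list of findings for one statement; an empty list means it passed."""
    findings = [f"unfilled placeholder {p}" for p in PLACEHOLDER.findall(statement)]
    parts = parse_statement(statement)
    if parts is None:
        findings.append("does not match 'Allow <subject> to <verb> <resource> in <scope> [where ...]'")
        return findings
    cond = (parts["cond"] or "").lower()
    if parts["subject"].lower() == "any-user":
        if not cond:
            findings.append("any-user grant has no where clause")
        elif "request.principal.cluster_id" not in cond:
            findings.append("any-user grant is not pinned to a cluster_id")
    if parts["scope"].lower() == "tenancy" and not cond:
        findings.append("tenancy-wide grant with no where clause")
    return findings


def lint_policy(statements):
    """Map each failing statement to its findings; an empty dict means the policy is clean."""
    report = {}
    for s in statements:
        findings = lint_statement(s)
        if findings:
            report[s] = findings
    return report


if __name__ == "__main__":
    # Constructed sample values; replace with your own compartment and cluster OCID.
    managed = oke_bucket_statements("managed", "dr-app")
    virtual = oke_bucket_statements("virtual", "dr-app", cluster_ocid="ocid1.cluster.oc1..example")
    for s in managed + virtual:
        print(s)
    # A statement pasted from the page without replacing the placeholder is caught:
    print(lint_policy(["Allow dynamic-group bastion1_dg to manage object-family in compartment <compartment>"]))
```

Run the lint over every statement before creating the policy in the console or CLI: the unfilled-placeholder finding is the one that silently produces a policy that never matches, and the any-user findings flag a workload-identity grant that would apply to every cluster in the tenancy instead of the one running the DR pods.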