Oracle Cloud Infrastructure Documentation

Example Network Resource Configuration

Before you can use Container Engine for Kubernetes to create and deploy clusters in the regions in a tenancy:

  • The tenancy's root compartment must include a policy to allow Container Engine for Kubernetes to perform operations in the tenancy. See Create Policy for Container Engine for Kubernetes (Required).
  • Within the tenancy, there must already be a compartment to contain the necessary network resources (VCN, subnets, internet gateway, route table, security lists). If such a compartment does not exist already, you will have to create it. Note that the network resources can reside in the root compartment. However, if you expect multiple teams to create clusters, best practice is to create a separate compartment for each team.
  • Within the compartment, network resources (VCN, subnets, internet gateway, route table, security lists) must be appropriately configured in each region in which you want to create and deploy clusters. When creating a new cluster, you can have Container Engine for Kubernetes automatically create and configure new network resources for the new cluster, or you can specify existing network resources. If you specify existing network resources, you or somebody else must have already configured those resources appropriately. See Network Resource Configuration for Cluster Creation and Deployment.

This topic gives an example of how you might configure network resources for cluster creation and deployment.

For an introductory tutorial, see Creating a Cluster with Oracle Cloud Infrastructure Container Engine for Kubernetes and Deploying a Sample App.

Example Network Resource Configuration

VCN

Created manually, and defined as follows:

  • Name: acme-dev-vcn
  • CIDR Block: 10.0.0.0/16
  • DNS Resolution: Selected

Internet Gateway

Created manually, and defined as follows:

  • Name: gateway-0

Route Table

Created manually, and defined as follows:

  • Name: routetable-0

with a single route rule defined as follows:

  • Destination CIDR block: 0.0.0.0/0
  • Target Type: Internet Gateway
  • Target Internet Gateway: gateway-0

DHCP Options

Created automatically, and defined as follows:

  • DNS Type: Internet and VCN Resolver

Security Lists

Two security lists (in addition to the default security list) created manually and named as follows:

  • Security List Name: workers
  • Security List Name: loadbalancers

For details of the ingress rules and egress rules defined for the workers security list and the loadbalancers security list, see Example Security List Configurations.

Subnets

Three worker subnets created manually, named, and defined as follows:

  • Name: workers-1 with the following properties:
    • Availability Domain: AD1
    • CIDR Block: 10.0.10.0/24
    • Route Table: routetable-0
    • Subnet access: Public
    • DNS Resolution: Selected
    • DHCP Options: Default
    • Security List: workers
  • Name: workers-2 with the following properties:
    • Availability Domain: AD2
    • CIDR Block: 10.0.11.0/24
    • Route Table: routetable-0
    • Subnet access: Public
    • DNS Resolution: Selected
    • DHCP Options: Default
    • Security List: workers
  • Name: workers-3 with the following properties:
    • Availability Domain: AD3
    • CIDR Block: 10.0.12.0/24
    • Route Table: routetable-0
    • Subnet access: Public
    • DNS Resolution: Selected
    • DHCP Options: Default
    • Security List: workers

Two load balancer subnets created manually, named, and defined as follows:

  • Name: loadbalancers-1 with the following properties:
    • Availability Domain: AD1
    • CIDR Block: 10.0.20.0/24
    • Route Table: routetable-0
    • Subnet access: Public
    • DNS Resolution: Selected
    • DHCP Options: Default
    • Security List: loadbalancers
  • Name: loadbalancers-2 with the following properties:
    • Availability Domain: AD2
    • CIDR Block: 10.0.21.0/24
    • Route Table: routetable-0
    • Subnet access: Public
    • DNS Resolution: Selected
    • DHCP Options: Default
    • Security List: loadbalancers
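The same network resources expressed as Terraform for the OCI provider, as an added example that is not configuration from the Oracle documentation. It assumes the oracle/oci provider is already configured, that `var.compartment_ocid` is the compartment holding the network resources, that `var.availability_domains` lists the region's AD names in the order AD1, AD2, AD3, and that the `dns_label` value is made up; the workers and loadbalancers security lists are created without rules because their ingress and egress rules are given in Example Security List Configurations, not in this table.

```hcl
resource "oci_core_vcn" "acme_dev" {
  compartment_id = var.compartment_ocid
  display_name   = "acme-dev-vcn"
  cidr_block     = "10.0.0.0/16"
  dns_label      = "acmedev" # assumed label; setting one is what enables VCN DNS resolution
}

resource "oci_core_internet_gateway" "gateway_0" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.acme_dev.id
  display_name   = "gateway-0"
}

resource "oci_core_route_table" "routetable_0" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.acme_dev.id
  display_name   = "routetable-0"
  route_rules { # the single default route from the table above
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.gateway_0.id
  }
}

resource "oci_core_security_list" "lists" { # rules omitted: see Example Security List Configurations
  for_each       = toset(["workers", "loadbalancers"])
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.acme_dev.id
  display_name   = each.key
}

resource "oci_core_subnet" "subnets" {
  for_each = { # subnet name => AD index, CIDR block, security list, as listed in the table above
    "workers-1"       = { ad = 0, cidr = "10.0.10.0/24", list = "workers" }
    "workers-2"       = { ad = 1, cidr = "10.0.11.0/24", list = "workers" }
    "workers-3"       = { ad = 2, cidr = "10.0.12.0/24", list = "workers" }
    "loadbalancers-1" = { ad = 0, cidr = "10.0.20.0/24", list = "loadbalancers" }
    "loadbalancers-2" = { ad = 1, cidr = "10.0.21.0/24", list = "loadbalancers" }
  }
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.acme_dev.id
  display_name               = each.key
  cidr_block                 = each.value.cidr
  availability_domain        = var.availability_domains[each.value.ad] # assumed variable, AD1..AD3
  route_table_id             = oci_core_route_table.routetable_0.id
  security_list_ids          = [oci_core_security_list.lists[each.value.list].id]
  dhcp_options_id            = oci_core_vcn.acme_dev.default_dhcp_options_id # the automatically created options
  prohibit_public_ip_on_vnic = false # Subnet access: Public
}
```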

Example Security List Configurations

In the example VCN, two security lists have been created (in addition to the default security list) to control access to and from the worker node subnets and load balancer subnets. The two security lists are named 'workers' and 'loadbalancers' respectively.

The workers security list has the following ingress and egress rules for worker node subnets:

Example Ingress Rules in a Security List for a Worker Node Subnet:
Example Egress Rules in a Security List for a Worker Node Subnet:

The loadbalancers security list has the following ingress and egress rules for load balancer subnets:

Example Ingress Rules in a Security List for a Load Balancer Subnet:
Example Egress Rules in a Security List for a Load Balancer Subnet: