Before you can use Container Engine for Kubernetes to create a Kubernetes cluster, you need to take care of the prerequisites, and there are quite a few of them:
Within the root compartment of your tenancy, a policy statement (allow service OKE to manage all-resources in tenancy) must be defined to give Container Engine for Kubernetes access to resources in the tenancy.
The VCN must have five subnets defined:
- Three subnets in which to deploy worker nodes. Each worker node subnet must be in a different availability domain, and the worker node subnets must use different security lists from the load balancer subnets.
- Two subnets to host load balancers. Each load balancer subnet must be in a different availability domain, and the load balancer subnets must use different security lists from the worker node subnets.
Security List Requirements
The VCN must have security lists defined for the worker node subnets and the load balancer subnets. The security list for the worker node subnets must have:
- Stateless ingress and egress rules that allow all traffic between the different worker node subnets. Stateless rules are not connection-tracked, so both directions must be listed explicitly.
- Stateless ingress and egress rules that allow all traffic between the worker node subnets and the load balancer subnets.
- An egress rule that allows all outbound traffic to the internet.
- Ingress rules that allow the Container Engine for Kubernetes service to access worker nodes on port 22 from 130.35.0.0/16 and 138.1.0.0/17 (the service source ranges published in the Container Engine for Kubernetes documentation).
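The rules above are easy to get subtly wrong (a stateful rule where a stateless one is required, one of the two service source ranges left out, a CIDR typed with host bits set), and the console does not flag any of that. The following audit script is an added example, not code from the original page or from Oracle: it takes a security list in the JSON shape that `oci network security-list get` returns (kebab-case keys such as `ingress-security-rules`, `is-stateless`, `tcp-options`) and reports every required rule that is missing or weaker than required. The worker and load balancer subnet CIDRs are constructed sample values; `required_worker_rules` generates a compliant rule set in the same shape, which doubles as a template for creating the list.

```python
"""Audit an OKE worker-node security list against the prerequisites above.

Added example, not code from the original page or from Oracle. Rules are in the
JSON shape `oci network security-list get` returns (kebab-case keys). The subnet
CIDRs are constructed sample values; the two OKE source ranges are the ones the
prerequisites list for port-22 access.
"""
import ipaddress

WORKER_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]  # constructed sample values
LB_SUBNETS = ["10.0.20.0/24", "10.0.21.0/24"]                      # constructed sample values
OKE_SSH_SOURCES = ["130.35.0.0/16", "138.1.0.0/17"]


def strict_network(cidr):
    """Parse a CIDR as a network prefix; return None if it has host bits set or is malformed."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None


def _covers(rule_cidr, wanted_cidr):
    """True if the rule's CIDR contains wanted_cidr (a 0.0.0.0/0 rule covers everything)."""
    try:
        rule_net = ipaddress.ip_network(rule_cidr, strict=False)
        wanted_net = ipaddress.ip_network(wanted_cidr, strict=False)
    except ValueError:
        return False
    return rule_net.version == wanted_net.version and wanted_net.subnet_of(rule_net)


def _tcp_port_allowed(rule, port):
    """True if the rule permits TCP `port`: protocol 'all', or '6' with a covering port range."""
    proto = str(rule.get("protocol", ""))
    if proto == "all":
        return True
    if proto != "6":
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    return rng is None or rng["min"] <= port <= rng["max"]  # no range means every TCP port


def _matching(rules, key, cidr, port=None):
    """Rules whose `key` CIDR covers `cidr` and that allow all protocols (or TCP `port` if given)."""
    out = []
    for r in rules:
        if not _covers(r.get(key, ""), cidr):
            continue
        if port is not None:
            if _tcp_port_allowed(r, port):
                out.append(r)
        elif str(r.get("protocol")) == "all":
            out.append(r)
    return out


def audit_worker_seclist(seclist, worker_subnets=WORKER_SUBNETS, lb_subnets=LB_SUBNETS):
    """Return a list of findings (strings); an empty list means every required rule is present."""
    ingress = seclist.get("ingress-security-rules", [])
    egress = seclist.get("egress-security-rules", [])
    findings = []

    # Reject CIDRs with host bits set before matching anything against them.
    for key, rules in (("source", ingress), ("destination", egress)):
        for r in rules:
            if strict_network(r.get(key, "")) is None:
                findings.append(f"malformed {key} CIDR {r.get(key)!r}: expected a network prefix")

    # Stateless all-traffic rules in both directions to every worker and load balancer subnet.
    for cidr in worker_subnets + lb_subnets:
        for rules, key, direction in ((ingress, "source", "ingress from"),
                                      (egress, "destination", "egress to")):
            matches = _matching(rules, key, cidr)
            if not matches:
                findings.append(f"missing all-protocol {direction} {cidr}")
            elif not any(m.get("is-stateless") for m in matches):
                findings.append(f"{direction} {cidr} has only stateful rules; a stateless rule is required")

    # Egress to the internet (stateful or stateless is acceptable here).
    if not _matching(egress, "destination", "0.0.0.0/0"):
        findings.append("missing all-protocol egress to 0.0.0.0/0")

    # The OKE service must reach worker nodes on TCP 22 from both published ranges.
    for cidr in OKE_SSH_SOURCES:
        if not _matching(ingress, "source", cidr, port=22):
            findings.append(f"missing ingress TCP/22 from OKE service range {cidr}")
    return findings


def required_worker_rules(worker_subnets=WORKER_SUBNETS, lb_subnets=LB_SUBNETS):
    """Build a rule set that satisfies the audit, in the same JSON shape (usable as a template)."""
    ingress, egress = [], []
    for cidr in worker_subnets + lb_subnets:
        ingress.append({"protocol": "all", "source": cidr, "is-stateless": True})
        egress.append({"protocol": "all", "destination": cidr, "is-stateless": True})
    egress.append({"protocol": "all", "destination": "0.0.0.0/0", "is-stateless": False})
    for cidr in OKE_SSH_SOURCES:
        ingress.append({"protocol": "6", "source": cidr, "is-stateless": False,
                        "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}})
    return {"ingress-security-rules": ingress, "egress-security-rules": egress}


if __name__ == "__main__":
    broken = required_worker_rules()
    broken["egress-security-rules"][0]["is-stateless"] = False   # worker-to-worker egress made stateful
    broken["ingress-security-rules"].pop()                       # second OKE source range dropped
    for finding in audit_worker_seclist(broken):
        print(finding)
```

Run it against the output of `oci network security-list get --security-list-id <ocid>` (pass the `data` object) after replacing the constructed subnet CIDRs with your own. The port-22 check deliberately accepts a stateful rule, since only the OKE service initiates those connections; the inter-subnet checks insist on stateless rules because that is what the prerequisites require and because stateful rules consume connection-tracking capacity on every node.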
Create Policy for Container Engine for Kubernetes
- Sign in to the console. On the Home page, click Identity, then select Policies.
- Select the tenancy's root compartment from the list on the left (shown as tenancy-name (root)).
- Click Create Policy and enter the following:
- Name: Enter a unique name for your policy such as “oke-service”
- Description: Enter a description (for example, “oke-service-policy”)
- Policy Versioning: Select Keep Policy Current
- Statement: Enter the following policy statement:
allow service OKE to manage all-resources in tenancy
- Click Create.
Example Security Rules Configuration
Example Ingress Rules in a Security List for a Worker Node Subnet: