@@ -27,23 +27,301 @@ spec:
2727 compartmentId : " ${OCI_COMPARTMENT_ID}"
2828 networkSpec :
2929 vcn :
30+ cidr : 10.0.0.0/16
3031 subnets :
31- - cidr : 10.0.0.0/30
32+ - cidr : 10.0.0.8/29
3233 name : control-plane-endpoint
3334 role : control-plane-endpoint
3435 type : private
35- - cidr : 10.0.2.0/24
36+ - cidr : 10.0.0.32/27
3637 name : service-lb
3738 role : service-lb
3839 type : public
39- - cidr : 10.0.1 .0/24
40+ - cidr : 10.0.64 .0/20
4041 name : worker
4142 role : worker
4243 type : private
43- - cidr : 10.0.4 .0/24
44+ - cidr : 10.0.128 .0/18
4445 name : pod
4546 role : pod
4647 type : private
48+ networkSecurityGroups :
49+ - egressRules :
50+ - egressRule :
51+ description : Allow Kubernetes API endpoint to communicate with OKE.
52+ destinationType : SERVICE_CIDR_BLOCK
53+ isStateless : false
54+ protocol : " 6"
55+ - egressRule :
56+ description : Path Discovery.
57+ destinationType : SERVICE_CIDR_BLOCK
58+ icmpOptions :
59+ code : 4
60+ type : 3
61+ isStateless : false
62+ protocol : " 1"
63+ - egressRule :
64+ description : Allow Kubernetes API endpoint to communicate with worker
65+ nodes.
66+ destination : 10.0.64.0/20
67+ destinationType : CIDR_BLOCK
68+ isStateless : false
69+ protocol : " 6"
70+ tcpOptions :
71+ destinationPortRange :
72+ max : 10250
73+ min : 10250
74+ - egressRule :
75+ description : Path Discovery.
76+ destination : 10.0.64.0/20
77+ destinationType : CIDR_BLOCK
78+ icmpOptions :
79+ code : 4
80+ type : 3
81+ isStateless : false
82+ protocol : " 1"
83+ - egressRule :
84+ description : Allow Kubernetes API endpoint to communicate with pods (when
85+ using VCN-native pod networking).
86+ destination : 10.0.128.0/18
87+ destinationType : CIDR_BLOCK
88+ isStateless : false
89+ protocol : all
90+ ingressRules :
91+ - ingressRule :
92+ description : Kubernetes worker to Kubernetes API endpoint communication.
93+ isStateless : false
94+ protocol : " 6"
95+ source : 10.0.64.0/20
96+ sourceType : CIDR_BLOCK
97+ tcpOptions :
98+ destinationPortRange :
99+ max : 6443
100+ min : 6443
101+ - ingressRule :
102+ description : Kubernetes worker to Kubernetes API endpoint communication.
103+ isStateless : false
104+ protocol : " 6"
105+ source : 10.0.64.0/20
106+ sourceType : CIDR_BLOCK
107+ tcpOptions :
108+ destinationPortRange :
109+ max : 12250
110+ min : 12250
111+ - ingressRule :
112+ description : Path Discovery.
113+ icmpOptions :
114+ code : 4
115+ type : 3
116+ isStateless : false
117+ protocol : " 1"
118+ source : 10.0.64.0/20
119+ sourceType : CIDR_BLOCK
120+ - ingressRule :
121+ description : Pod to Kubernetes API endpoint communication (when using
122+ VCN-native pod networking).
123+ isStateless : false
124+ protocol : " 6"
125+ source : 10.0.128.0/18
126+ sourceType : CIDR_BLOCK
127+ tcpOptions :
128+ destinationPortRange :
129+ max : 6443
130+ min : 6443
131+ - ingressRule :
132+ description : Pod to Kubernetes API endpoint communication (when using
133+ VCN-native pod networking).
134+ isStateless : false
135+ protocol : " 6"
136+ source : 10.0.128.0/18
137+ sourceType : CIDR_BLOCK
138+ tcpOptions :
139+ destinationPortRange :
140+ max : 12250
141+ min : 12250
142+ - ingressRule :
143+ description : External access to Kubernetes API endpoint.
144+ isStateless : false
145+ protocol : " 6"
146+ source : 0.0.0.0/0
147+ sourceType : CIDR_BLOCK
148+ tcpOptions :
149+ destinationPortRange :
150+ max : 6443
151+ min : 6443
152+ name : control-plane-endpoint
153+ role : control-plane-endpoint
154+ - egressRules :
155+ - egressRule :
156+ description : Allow worker nodes to communicate with OKE.
157+ destinationType : SERVICE_CIDR_BLOCK
158+ isStateless : false
159+ protocol : " 6"
160+ - egressRule :
161+ description : Allow worker nodes to access pods.
162+ destination : 10.0.128.0/18
163+ destinationType : CIDR_BLOCK
164+ isStateless : false
165+ protocol : all
166+ - egressRule :
167+ description : Path Discovery.
168+ destination : 0.0.0.0/0
169+ destinationType : CIDR_BLOCK
170+ icmpOptions :
171+ code : 4
172+ type : 3
173+ isStateless : false
174+ protocol : " 1"
175+ - egressRule :
176+ description : Kubernetes worker to Kubernetes API endpoint communication.
177+ destination : 10.0.0.8/29
178+ destinationType : CIDR_BLOCK
179+ isStateless : false
180+ protocol : " 6"
181+ tcpOptions :
182+ destinationPortRange :
183+ max : 6443
184+ min : 6443
185+ - egressRule :
186+ description : Kubernetes worker to Kubernetes API endpoint communication.
187+ destination : 10.0.0.8/29
188+ destinationType : CIDR_BLOCK
189+ isStateless : false
190+ protocol : " 6"
191+ tcpOptions :
192+ destinationPortRange :
193+ max : 12250
194+ min : 12250
195+ ingressRules :
196+ - ingressRule :
197+ description : Allow Kubernetes API endpoint to communicate with worker
198+ nodes.
199+ isStateless : false
200+ protocol : " 6"
201+ source : 10.0.0.8/29
202+ sourceType : CIDR_BLOCK
203+ tcpOptions :
204+ destinationPortRange :
205+ max : 10250
206+ min : 10250
207+ - ingressRule :
208+ description : Path Discovery.
209+ icmpOptions :
210+ code : 4
211+ type : 3
212+ isStateless : false
213+ protocol : " 1"
214+ source : 0.0.0.0/0
215+ sourceType : CIDR_BLOCK
216+ - ingressRule :
217+ description : Load Balancer to Worker nodes node ports.
218+ isStateless : false
219+ protocol : " 6"
220+ source : 10.0.0.32/27
221+ sourceType : CIDR_BLOCK
222+ tcpOptions :
223+ destinationPortRange :
224+ max : 32767
225+ min : 30000
226+ name : worker
227+ role : worker
228+ - egressRules :
229+ - egressRule :
230+ description : Load Balancer to Worker nodes node ports.
231+ destination : 10.0.64.0/20
232+ destinationType : CIDR_BLOCK
233+ isStateless : false
234+ protocol : " 6"
235+ tcpOptions :
236+ destinationPortRange :
237+ max : 32767
238+ min : 30000
239+ ingressRules :
240+ - ingressRule :
241+ description : Accept http traffic on port 80
242+ isStateless : false
243+ protocol : " 6"
244+ source : 0.0.0.0/0
245+ sourceType : CIDR_BLOCK
246+ tcpOptions :
247+ destinationPortRange :
248+ max : 80
249+ min : 80
250+ - ingressRule :
251+ description : Accept https traffic on port 443
252+ isStateless : false
253+ protocol : " 6"
254+ source : 0.0.0.0/0
255+ sourceType : CIDR_BLOCK
256+ tcpOptions :
257+ destinationPortRange :
258+ max : 443
259+ min : 443
260+ name : service-lb
261+ role : service-lb
262+ - egressRules :
263+ - egressRule :
264+ description : Allow worker nodes to communicate with OCI Services.
265+ destinationType : SERVICE_CIDR_BLOCK
266+ isStateless : false
267+ protocol : " 6"
268+ - egressRule :
269+ description : Path Discovery.
270+ destinationType : SERVICE_CIDR_BLOCK
271+ icmpOptions :
272+ code : 4
273+ type : 3
274+ isStateless : false
275+ protocol : " 1"
276+ - egressRule :
277+ description : Allow pods to communicate with other pods.
278+ destination : 10.0.128.0/18
279+ destinationType : CIDR_BLOCK
280+ isStateless : false
281+ protocol : all
282+ - egressRule :
283+ description : Pod to Kubernetes API endpoint communication (when using
284+ VCN-native pod networking).
285+ destination : 10.0.0.8/29
286+ destinationType : CIDR_BLOCK
287+ isStateless : false
288+ protocol : " 6"
289+ tcpOptions :
290+ destinationPortRange :
291+ max : 6443
292+ min : 6443
293+ - egressRule :
294+ description : Pod to Kubernetes API endpoint communication (when using
295+ VCN-native pod networking).
296+ destination : 10.0.0.8/29
297+ destinationType : CIDR_BLOCK
298+ isStateless : false
299+ protocol : " 6"
300+ tcpOptions :
301+ destinationPortRange :
302+ max : 12250
303+ min : 12250
304+ ingressRules :
305+ - ingressRule :
306+ description : Allow worker nodes to access pods.
307+ isStateless : false
308+ protocol : all
309+ source : 10.0.64.0/20
310+ sourceType : CIDR_BLOCK
311+ - ingressRule :
312+ description : Allow Kubernetes API endpoint to communicate with pods.
313+ isStateless : false
314+ protocol : all
315+ source : 10.0.0.8/29
316+ sourceType : CIDR_BLOCK
317+ - ingressRule :
318+ description : Allow pods to communicate with other pods.
319+ isStateless : false
320+ protocol : all
321+ source : 10.0.128.0/18
322+ sourceType : CIDR_BLOCK
323+ name : pod
324+ role : pod
47325---
48326kind : OCIManagedControlPlane
49327apiVersion : infrastructure.cluster.x-k8s.io/v1beta1
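Review bot: The `External access to Kubernetes API endpoint` ingress rule on the control-plane-endpoint NSG (source `0.0.0.0/0`, TCP 6443) admits any source the endpoint is routable from, even though the subnet it protects is declared `type: private` earlier in the hunk; for a private endpoint a narrower operator/bastion range, ideally templated the way `compartmentId` uses `${OCI_COMPARTMENT_ID}`, keeps least privilege, e.g. `source: "${API_ENDPOINT_ALLOWED_CIDR}"` (variable name constructed). If the open source is intentional because the endpoint is private, state that in the rule itself, e.g. `description: External access to Kubernetes API endpoint (narrow the source when the endpoint is private).` Separately, the worker, pod and control-plane CIDRs are repeated literally in every rule, so a later edit to a subnet `cidr` leaves the NSG rules silently pointing at the old range; a comment above `networkSecurityGroups` such as `# Rule CIDRs must match the subnets above; update both together.` would make that coupling visible. The enclosing `spec`/`networkSpec` mapping starts before the hunk.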