Creating a Control Plane Load Balancer Subnet (VCN-Native Pod)

Create the following resources in the order listed:

  1. Control plane load balancer security list

  2. Control plane load balancer subnet

Create a Control Plane Load Balancer Security List

Create a security list. See Creating a Security List. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

The control plane load balancer accepts traffic on port 6443, which this guide also refers to as kubernetes_api_port. Adjust this security list so that it accepts connections only from the networks you expect to reach the cluster. Port 6443 must accept connections from the cluster control plane instances and the worker instances.

For this example, use the following input for the control plane load balancer subnet security list.

Console property:

  • Name: kmilb-seclist

CLI property:

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: kmilb-seclist

One egress security rule:

Console property:

  • Stateless: uncheck the box

  • Egress CIDR: 0.0.0.0/0

  • IP Protocol: All protocols

  • Description: "Allow all outgoing traffic."

CLI property (--egress-security-rules):

  • isStateless: false

  • destination: 0.0.0.0/0

  • destinationType: CIDR_BLOCK

  • protocol: all

  • description: "Allow all outgoing traffic."

Six ingress security rules (CLI: --ingress-security-rules):

Ingress Rule 1:

Console property:

  • Stateless: uncheck the box

  • Ingress CIDR: 253.255.0.0/16

    This value is required. Do not change this CIDR value.

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow a Kubernetes container to communicate with Kubernetes APIs."

CLI property:

  • isStateless: false

  • source: 253.255.0.0/16

    This value is required. Do not change this CIDR value.

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow a Kubernetes container to communicate with Kubernetes APIs."

Ingress Rule 2:

Console property:

  • Stateless: uncheck the box

  • Ingress CIDR: kube_client_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow clients to connect with the Kubernetes cluster."

CLI property:

  • isStateless: false

  • source: kube_client_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow clients to connect with the Kubernetes cluster."

Ingress Rule 3:

Console property:

  • Stateless: uncheck the box

  • Ingress CIDR: kmi_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow the control plane to reach itself via the load balancer."

CLI property:

  • isStateless: false

  • source: kmi_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow the control plane to reach itself via the load balancer."

Ingress Rule 4:

Console property:

  • Stateless: uncheck the box

  • Ingress CIDR: worker_cidr

  • IP Protocol: TCP

    • Destination Port Range: kubernetes_api_port

  • Description: "Allow worker nodes to connect with the cluster via the control plane load balancer."

CLI property:

  • isStateless: false

  • source: worker_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: kubernetes_api_port

    • min: kubernetes_api_port

  • description: "Allow worker nodes to connect with the cluster via the control plane load balancer."

Ingress Rule 5:

Console property:

  • Stateless: uncheck the box

  • Ingress CIDR: worker_cidr

  • IP Protocol: TCP

    • Destination Port Range: 12250

  • Description: "Allow Kubernetes worker to Kubernetes API endpoint communication via the load balancer."

CLI property:

  • isStateless: false

  • source: worker_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 12250

    • min: 12250

  • description: "Allow Kubernetes worker to Kubernetes API endpoint communication via the load balancer."

Ingress Rule 6:

Console property:

  • Stateless: uncheck the box

  • Ingress CIDR: pod_cidr

  • IP Protocol: TCP

    • Destination Port Range: 12250

  • Description: "Allow Kubernetes pods to Kubernetes API endpoint communication via the load balancer."

CLI property:

  • isStateless: false

  • source: pod_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 12250

    • min: 12250

  • description: "Allow Kubernetes pods to Kubernetes API endpoint communication via the load balancer."

Create the Control Plane Load Balancer Subnet

Create a subnet. See Creating a Subnet. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input to create the control plane load balancer subnet. Use the OCID of the VCN that was created in Creating a VCN (VCN-Native Pod). Create the control plane load balancer subnet in the same compartment where you created the VCN.

Create either a private or a public control plane load balancer subnet. Create a public control plane load balancer subnet to use with a public cluster. Create a private control plane load balancer subnet to use with a private cluster.

See Private Clusters for information about using Local Peering Gateways to connect a private cluster to other instances on the Compute Cloud@Customer and using Dynamic Routing Gateways to connect a private cluster to the on-premises IP address space. To create a private control plane load balancer subnet, specify one of the following route tables:

  • vcn_private

  • lpg_rt

  • drg_rt

Create a Public Control Plane Load Balancer Subnet

Console property:

  • Name: control-plane-endpoint

  • CIDR Block: kmilb_cidr

  • Route Table: Select "public" from the list

  • Public Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: kmilb

  • Security Lists: Select "kmilb-seclist" and "Default Security List for oketest-vcn" from the list

CLI property:

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: control-plane-endpoint

  • --cidr-block: kmilb_cidr

  • --dns-label: kmilb

  • --prohibit-public-ip-on-vnic: false

  • --route-table-id: OCID of the "public" route table

  • --security-list-ids: OCIDs of the "kmilb-seclist" security list and the "Default Security List for oketest-vcn" security list

The only difference in the following private subnet is that the VCN private route table is used instead of the public route table. Depending on your needs, you can specify the LPG route table or the DRG route table instead.

Create a Private Control Plane Load Balancer Subnet

Console property:

  • Name: control-plane-endpoint

  • CIDR Block: kmilb_cidr

  • Route Table: Select "vcn_private" from the list

  • Private Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: kmilb

  • Security Lists: Select "kmilb-seclist" and "Default Security List for oketest-vcn" from the list

CLI property:

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: control-plane-endpoint

  • --cidr-block: kmilb_cidr

  • --dns-label: kmilb

  • --prohibit-public-ip-on-vnic: true

  • --route-table-id: OCID of the "vcn_private" route table

  • --security-list-ids: OCIDs of the "kmilb-seclist" security list and the "Default Security List for oketest-vcn" security list
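As an added example (not from the Oracle guide), the following POSIX shell script assembles the kmilb-seclist rules from this section's variables, refuses to continue if kubernetes_api_port would be opened to 0.0.0.0/0, and then creates the security list and the private control plane load balancer subnet with the OCI CLI. The COMPARTMENT_ID, VCN_ID, VCN_PRIVATE_RT_ID and DEFAULT_SECLIST_ID environment variables, the DRY_RUN switch and the default CIDR values are assumptions; the CLI parameter names are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: build kmilb-seclist from the
# guide's variables and create it plus a private control plane load balancer
# subnet with the OCI CLI. CIDR defaults and all OCIDs here are placeholders.
set -eu
KUBERNETES_API_PORT=6443
KUBE_CLIENT_CIDR="${KUBE_CLIENT_CIDR:-192.0.2.0/24}"   # placeholder
KMI_CIDR="${KMI_CIDR:-10.0.1.0/24}"                    # placeholder
WORKER_CIDR="${WORKER_CIDR:-10.0.2.0/24}"              # placeholder
POD_CIDR="${POD_CIDR:-10.0.64.0/18}"                   # placeholder
KMILB_CIDR="${KMILB_CIDR:-10.0.3.0/28}"                # placeholder
# One stateful TCP ingress rule, in the JSON shape --ingress-security-rules expects.
ingress_rule() { # $1 source CIDR, $2 destination port, $3 description
  printf '{"isStateless": false, "source": "%s", "sourceType": "CIDR_BLOCK", "protocol": "6", "tcpOptions": {"destinationPortRange": {"min": %s, "max": %s}}, "description": "%s"}' "$1" "$2" "$2" "$3"
}

# The guide's six ingress rules as a JSON array, one rule per line.
build_ingress_rules() {
  printf '[%s,\n%s,\n%s,\n%s,\n%s,\n%s]\n' \
    "$(ingress_rule 253.255.0.0/16 "$KUBERNETES_API_PORT" 'Allow a Kubernetes container to communicate with Kubernetes APIs.')" \
    "$(ingress_rule "$KUBE_CLIENT_CIDR" "$KUBERNETES_API_PORT" 'Allow clients to connect with the Kubernetes cluster.')" \
    "$(ingress_rule "$KMI_CIDR" "$KUBERNETES_API_PORT" 'Allow the control plane to reach itself via the load balancer.')" \
    "$(ingress_rule "$WORKER_CIDR" "$KUBERNETES_API_PORT" 'Allow worker nodes to connect with the cluster via the control plane load balancer.')" \
    "$(ingress_rule "$WORKER_CIDR" 12250 'Allow Kubernetes worker to Kubernetes API endpoint communication via the load balancer.')" \
    "$(ingress_rule "$POD_CIDR" 12250 'Allow Kubernetes pods to Kubernetes API endpoint communication via the load balancer.')"
}
EGRESS_RULES='[{"isStateless": false, "destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK", "protocol": "all", "description": "Allow all outgoing traffic."}]'

# Guard for the guide's warning that the API port must only be reachable from expected
# networks: reads the rule array on stdin, fails if any rule opens it to 0.0.0.0/0.
api_port_not_world_open() {
  if grep -q "\"source\": \"0.0.0.0/0\".*\"min\": $KUBERNETES_API_PORT,"; then return 1; fi
}

if [ "${DRY_RUN:-1}" = 0 ]; then   # DRY_RUN=0 performs the real OCI calls
  build_ingress_rules | api_port_not_world_open
  build_ingress_rules > ingress.json
  printf '%s\n' "$EGRESS_RULES" > egress.json
  SECLIST_ID=$(oci network security-list create --compartment-id "$COMPARTMENT_ID" \
    --vcn-id "$VCN_ID" --display-name kmilb-seclist \
    --egress-security-rules file://egress.json --ingress-security-rules file://ingress.json \
    --query 'data.id' --raw-output)
  oci network subnet create --compartment-id "$COMPARTMENT_ID" --vcn-id "$VCN_ID" \
    --display-name control-plane-endpoint --cidr-block "$KMILB_CIDR" --dns-label kmilb \
    --prohibit-public-ip-on-vnic true --route-table-id "$VCN_PRIVATE_RT_ID" \
    --security-list-ids "[\"$SECLIST_ID\", \"$DEFAULT_SECLIST_ID\"]"
else
  build_ingress_rules   # dry run: show the ingress payload that would be sent
fi
```

For a public subnet, swap the route table OCID for the "public" one and set --prohibit-public-ip-on-vnic to false, as in the table above.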