Creating a Pod Subnet (VCN-Native Pod)

The instructions in this topic create a pod subnet named "pod" in the VCN that provides the private IP addresses for pods running on the control plane nodes. The number of IP addresses in this subnet should be equal to or greater than the number of IP addresses in the control plane subnet. The pod subnet must be a private subnet.

The pod subnet supports communication between pods and direct access to individual pods using private pod IP addresses. The pod subnet must be private. The pod subnet enables pods to communicate with other pods on the same worker node, with pods on other worker nodes, with OCI services (through a service gateway) and with the internet (through a NAT gateway).

Create the following resources in the order listed:

Pod security list
Pod subnet

Create a Pod Security List

Create a security list. See Creating a Security List. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

The security rules shown in the following table define traffic that is allowed to contact pods directly. Use these security rules as part of network security groups (NSGs) or in security lists. We recommend using NSGs.

The security rules apply to all pods in all the worker nodes connected to the pod subnet specified for a node pool.

Route incoming requests to pods based on routing policies specified by routing rules and route tables. See the route tables defined in Creating a VCN (VCN-Native Pod).

For this example, use the following input for the pod subnet security list.


Console property	CLI property
Name: pod-seclist	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `pod-seclist`
One egress security rule: Stateless: uncheck the box Egress CIDR: 0.0.0.0/0 IP Protocol: All protocols Description: "Allow all outgoing traffic."	One egress security rule: `--egress-security-rules` `isStateless`: `false` `destination`: `0.0.0.0/0` `destinationType`: `CIDR_BLOCK` `protocol`: `all` `description`: "Allow all outgoing traffic."
Six ingress security rules:	Six ingress security rules: `--ingress-security-rules`
Ingress Rule 1 Stateless: uncheck the box Ingress CIDR: `vcn_cidr` IP Protocol: TCP Destination Port Range: 22 Description: "Allow SSH connection to the pod subnet from all subnets in the VCN."	Ingress Rule 1 `isStateless`: `false` `source`: `vcn_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `22` `min`: `22` `description`: "Allow SSH connection to the pod subnet from all subnets in the VCN."
Ingress Rule 2 Stateless: uncheck the box Ingress CIDR: `workerlb_cidr` IP Protocol: TCP Destination Port Range: 10256 Description: "Allow the worker load balancer to contact the pods."	Ingress Rule 2 `isStateless`: `false` `source`: `workerlb_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10256` `min`: `10256` `description`: "Allow the worker load balancer to contact the pods."
Ingress Rule 3 Stateless: uncheck the box Ingress CIDR: `worker_cidr` IP Protocol: TCP Destination Port Range: 10250 Description: "Allow Kubernetes API endpoint to pod (via worker node) communication."	Ingress Rule 3 `isStateless`: `false` `source`: `worker_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10250` `min`: `10250` `description`: "Allow Kubernetes API endpoint to pod (via worker node) communication."
Ingress Rule 4 Stateless: uncheck the box Ingress CIDR: `worker_cidr` IP Protocol: TCP Destination Port Range: 10256 Description: "Allow Load Balancer or Network Load Balancer to communicate with the `kube-proxy` pod (via the worker subnet)."	Ingress Rule 4 `isStateless`: `false` `source`: `worker_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10256` `min`: `10256` `description`: "Allow Load Balancer or Network Load Balancer to communicate with the `kube-proxy` pod (via the worker subnet)."
Ingress Rule 5 Stateless: clear the box Ingress CIDR: `worker_cidr` IP Protocol: TCP Destination Port Range: 80 Description: "Allow the worker node to contact the pods." This ingress is optional. This port is open for an end user application. This rule could be different based on what applications are deployed.	Ingress Rule 5 `isStateless`: `false` `source`: `worker_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `80` `min`: `80` `description`: "Allow the worker node to contact the pods." This ingress is optional. This port is open for an end user application. This rule could be different based on what applications are deployed.
Ingress Rule 6 Stateless: clear the box Ingress CIDR: `pod_cidr` IP Protocol: All protocols Description: "Allow the pod CIDR to communicate with itself."	Ingress Rule 6 `isStateless`: `false` `source`: `pod_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `all` `description`: "Allow the pod CIDR to communicate with itself."

Create the Pod Subnet

Create a subnet. See Creating a Subnet. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input to create the pod subnet. Use the OCID of the VCN that was created in Creating a VCN (VCN-Native Pod). Create the pod subnet in the same compartment where you created the VCN.

Important

The name of this subnet must be exactly "pod".


Console property	CLI property
Name: pod CIDR Block: `pod_cidr` Route Table: Select "nat_private" from the list Private Subnet: check the box DNS Hostnames: Use DNS Hostnames in this Subnet: check the box DNS Label: pod Security Lists: Select "pod-seclist" and "Default Security List for oketest-vcn" from the list	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `pod` `--cidr-block`: `pod_cidr` `--dns-label`: `pod` `--prohibit-public-ip-on-vnic`: `true` `--route-table-id`: OCID of the "nat_private" route table `--security-list-ids`: OCIDs of the "pod-seclist" security list and the "Default Security List for oketest-vcn" security list

Oracle Cloud Infrastructure Documentation

Creating a Pod Subnet (VCN-Native Pod)

Create a Pod Security List

Create the Pod Subnet