Oracle Cloud Infrastructure Documentation

Creating a Worker Subnet (Flannel Overlay)

On Compute Cloud@Customer, part of configuring OKE requires external and internal access security lists and a worker subnet.

Create the following resources in the order listed:

  1. Create a Worker Security List.
  2. Create the Worker Subnet.

Create a Worker Security List

To create a security list, use the instructions in Creating a Security List. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

This security list defines traffic that's allowed to contact worker nodes directly.

For this example, use the following input for the worker subnet security list.

Compute Cloud@Customer Console

CLI property

  • Name: worker-seclist

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: worker-seclist

Seven ingress security rules:

Seven ingress security rules:

--ingress-security-rules

Ingress Rule 1

  • Stateless: clear the check box

  • Ingress CIDR: vcn_cidr

  • IP Protocol: TCP

    • Destination Port Range: 22

  • Description: "Allow intra-VCN ssh."

Ingress Rule 1

  • isStateless: false

  • source: vcn_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 22

    • min: 22

  • description: "Allow intra-VCN ssh."

Ingress Rule 2

  • Stateless: clear the check box

  • Ingress CIDR: kube_client_cidr

  • IP Protocol: TCP

    • Destination Port Range: 30000-32767

  • Description: "Allow clients to contact the node port range."

Ingress Rule 2

  • isStateless: false

  • source: kube_client_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 32767

    • min: 30000

  • description: "Allow clients to contact the node port range."

Ingress Rule 3

  • Stateless: clear the check box

  • Ingress CIDR: workerlb_cidr

  • IP Protocol: TCP

    • Destination Port Range: 30000-32767

  • Description: "Allow the worker load balancer to contact the worker nodes."

Ingress Rule 3

  • isStateless: false

  • source: workerlb_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 32767

    • min: 30000

  • description: "Allow the worker load balancer to contact the worker nodes."

Ingress Rule 4

  • Stateless: clear the check box

  • Ingress CIDR: workerlb_cidr

  • IP Protocol: TCP

    • Destination Port Range: 10256

  • Description: "Allow the worker load balancer to contact the worker nodes."

Ingress Rule 4

  • isStateless: false

  • source: workerlb_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 10256

    • min: 10256

  • description: "Allow the worker load balancer to contact the worker nodes."

Ingress Rule 5

  • Stateless: clear the check box

  • Ingress CIDR: kmi_cidr

  • IP Protocol: TCP

    • Destination Port Range: 22-65535

  • Description: "Allow the control plane to contact the worker nodes."

Ingress Rule 5

  • isStateless: false

  • source: kmi_cidr

  • sourceType: CIDR_BLOCK

  • protocol: 6

  • tcpOptions

    destinationPortRange

    • max: 65535

    • min: 22

  • description: "Allow the control plane to contact the worker nodes."

Create the Worker Subnet

To create a subnet, use the instructions in Creating a Subnet. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

For this example, use the following input for the worker subnet security list. Use the OCID of the VCN that was created in Creating a VCN (Flannel Overlay). Create the worker subnet in the same compartment where you created the VCN.

Create either a NAT private worker subnet or a VCN private worker subnet. Create a NAT private worker subnet to communicate outside the VCN.

Create a NAT Private Worker Subnet

Compute Cloud@Customer Console property

CLI property

  • Name: worker

  • CIDR Block: worker_cidr

  • Route Table: Select "nat_private" from the list

  • Private Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: worker

  • Security Lists: Select "worker-seclist" and "Default Security List for oketest-vcn" from the list

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: worker

  • --cidr-block: worker_cidr

  • --dns-label: worker

  • --prohibit-public-ip-on-vnic: true

  • --route-table-id: OCID of the "nat_private" route table

  • --security-list-ids: OCIDs of the "worker-seclist" security list and the "Default Security List for oketest-vcn" security list

The difference in the following private subnet is the VCN private route table is used instead of the NAT private route table.

Create a VCN Private Worker Subnet

Compute Cloud@Customer Console property

CLI property

  • Name: worker

  • CIDR Block: worker_cidr

  • Route Table: Select "vcn_private" from the list

  • Private Subnet: check the box

  • DNS Hostnames:

    Use DNS Hostnames in this Subnet: check the box

    • DNS Label: worker

  • Security Lists: Select "worker-seclist" and "Default Security List for oketest-vcn" from the list

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • --display-name: worker

  • --cidr-block: worker_cidr

  • --dns-label: worker

  • --prohibit-public-ip-on-vnic: true

  • --route-table-id: OCID of the "vcn_private" route table

  • --security-list-ids: OCIDs of the "worker-seclist" security list and the "Default Security List for oketest-vcn" security list

What's Next:

Creating a Worker Load Balancer Subnet (Flannel Overlay)