From 68ad6af20193caee39e73cdfc466102864b3f750 Mon Sep 17 00:00:00 2001 From: Shyam Radhakrishnan Date: Fri, 3 Mar 2023 09:51:11 +0530 Subject: [PATCH] Fix private managed template to have correct seclist and Subnet CIDR --- .../cluster-template-managed-private.yaml | 284 +++++++++++++++++- 1 file changed, 281 insertions(+), 3 deletions(-) diff --git a/templates/cluster-template-managed-private.yaml b/templates/cluster-template-managed-private.yaml index 6639c065..7ad03f19 100644 --- a/templates/cluster-template-managed-private.yaml +++ b/templates/cluster-template-managed-private.yaml @@ -27,16 +27,17 @@ spec: compartmentId: "${OCI_COMPARTMENT_ID}" networkSpec: vcn: + cidr: 10.0.0.0/16 subnets: - - cidr: 10.0.0.0/30 + - cidr: 10.0.0.8/29 name: control-plane-endpoint role: control-plane-endpoint type: private - - cidr: 10.0.2.0/24 + - cidr: 10.0.0.32/27 name: service-lb role: service-lb type: public - - cidr: 10.0.1.0/24 + - cidr: 10.0.64.0/20 name: worker role: worker type: private 
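Review bot: The subnet CIDRs set here (10.0.0.8/29, 10.0.0.32/27, 10.0.64.0/20) are repeated as literal `source`/`destination` values in the networkSecurityGroups rules added further down the same file, so a later edit to one subnet leaves those rules pointing at the old range with no parser or controller error to catch it. A comment on the `subnets:` key such as `# NOTE: these CIDRs are referenced verbatim by the networkSecurityGroups rules below; change both together` would make the coupling visible. The pod subnet's cidr line is not in this hunk, so whether it still matches the 10.0.4.0/24 the NSG rules use cannot be confirmed from here.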
@@ -44,6 +45,283 @@ spec: name: pod role: pod type: private + networkSecurityGroups: + - egressRules: + - egressRule: + description: Allow Kubernetes API endpoint to communicate with OKE. + destinationType: SERVICE_CIDR_BLOCK + isStateless: false + protocol: "6" + - egressRule: + description: Path Discovery. + destinationType: SERVICE_CIDR_BLOCK + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + - egressRule: + description: Allow Kubernetes API endpoint to communicate with worker + nodes. + destination: 10.0.64.0/20 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 10250 + min: 10250 + - egressRule: + description: Path Discovery. + destination: 10.0.64.0/20 + destinationType: CIDR_BLOCK + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + - egressRule: + description: Allow Kubernetes API endpoint to communicate with pods (when + using VCN-native pod networking). + destination: 10.0.4.0/24 + destinationType: CIDR_BLOCK + isStateless: false + protocol: all + ingressRules: + - ingressRule: + description: Kubernetes worker to Kubernetes API endpoint communication. + isStateless: false + protocol: "6" + source: 10.0.64.0/20 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + - ingressRule: + description: Kubernetes worker to Kubernetes API endpoint communication. + isStateless: false + protocol: "6" + source: 10.0.64.0/20 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 12250 + min: 12250 + - ingressRule: + description: Path Discovery. + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + source: 10.0.64.0/20 + sourceType: CIDR_BLOCK + - ingressRule: + description: Pod to Kubernetes API endpoint communication (when using + VCN-native pod networking). 
+ isStateless: false + protocol: "6" + source: 10.0.4.0/24 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + - ingressRule: + description: Pod to Kubernetes API endpoint communication (when using + VCN-native pod networking). + isStateless: false + protocol: "6" + source: 10.0.4.0/24 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 12250 + min: 12250 + - ingressRule: + description: External access to Kubernetes API endpoint. + isStateless: false + protocol: "6" + source: 0.0.0.0/0 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + name: control-plane-endpoint + role: control-plane-endpoint + - egressRules: + - egressRule: + description: Allow worker nodes to communicate with OKE. + destinationType: SERVICE_CIDR_BLOCK + isStateless: false + protocol: "6" + - egressRule: + description: Allow worker nodes to access pods. + destination: 10.0.4.0/24 + destinationType: CIDR_BLOCK + isStateless: false + protocol: all + - egressRule: + description: Path Discovery. + destination: 0.0.0.0/0 + destinationType: CIDR_BLOCK + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + - egressRule: + description: Kubernetes worker to Kubernetes API endpoint communication. + destination: 10.0.0.8/29 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + - egressRule: + description: Kubernetes worker to Kubernetes API endpoint communication. + destination: 10.0.0.8/29 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 12250 + min: 12250 + ingressRules: + - ingressRule: + description: Allow Kubernetes API endpoint to communicate with worker + nodes. 
+ isStateless: false + protocol: "6" + source: 10.0.0.8/29 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 10250 + min: 10250 + - ingressRule: + description: Path Discovery. + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + source: 0.0.0.0/0 + sourceType: CIDR_BLOCK + - ingressRule: + description: Load Balancer to Worker nodes node ports. + isStateless: false + protocol: "6" + source: 10.0.0.32/27 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 32767 + min: 30000 + name: worker + role: worker + - egressRules: + - egressRule: + description: Load Balancer to Worker nodes node ports. + destination: 10.0.64.0/20 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 32767 + min: 30000 + ingressRules: + - ingressRule: + description: Accept http traffic on port 80 + isStateless: false + protocol: "6" + source: 0.0.0.0/0 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 80 + min: 80 + - ingressRule: + description: Accept https traffic on port 443 + isStateless: false + protocol: "6" + source: 0.0.0.0/0 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 443 + min: 443 + name: service-lb + role: service-lb + - egressRules: + - egressRule: + description: Allow worker nodes to communicate with OCI Services. + destinationType: SERVICE_CIDR_BLOCK + isStateless: false + protocol: "6" + - egressRule: + description: Path Discovery. + destinationType: SERVICE_CIDR_BLOCK + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + - egressRule: + description: Allow pods to communicate with other pods. + destination: 10.0.4.0/24 + destinationType: CIDR_BLOCK + isStateless: false + protocol: all + - egressRule: + description: Pod to Kubernetes API endpoint communication (when using + VCN-native pod networking). 
+ destination: 10.0.0.8/29 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + - egressRule: + description: Pod to Kubernetes API endpoint communication (when using + VCN-native pod networking). + destination: 10.0.0.8/29 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 12250 + min: 12250 + ingressRules: + - ingressRule: + description: Allow worker nodes to access pods. + isStateless: false + protocol: all + source: 10.0.64.0/20 + sourceType: CIDR_BLOCK + - ingressRule: + description: Allow Kubernetes API endpoint to communicate with pods. + isStateless: false + protocol: all + source: 10.0.0.8/29 + sourceType: CIDR_BLOCK + - ingressRule: + description: Allow pods to communicate with other pods. + isStateless: false + protocol: all + source: 10.0.4.0/24 + sourceType: CIDR_BLOCK + name: pod + role: pod --- kind: OCIManagedControlPlane apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
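Review bot: The control-plane-endpoint NSG's `External access to Kubernetes API endpoint` ingress rule admits `source: 0.0.0.0/0` on TCP 6443, although this template keeps the control-plane-endpoint subnet at `type: private`. A private endpoint is not reachable from the internet, but 0.0.0.0/0 still admits every peered VCN, any DRG-attached on-prem range and the whole VCN, which is broader than the worker and pod rules beside it that are scoped to their own subnets. Narrowing it to the VCN CIDR this commit introduces, `source: 10.0.0.0/16`, or to a templated operator CIDR would keep the rule at least privilege; if the wide source is deliberate, a `description` saying why would help the next reader. The 0.0.0.0/0 Path Discovery ingress on the worker NSG is ICMP type 3 code 4 only, which is the customary allowance and fine as written.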