Fix private managed template to have correct seclist and Subnect CIDR #221

Merged
2 changes: 1 addition & 1 deletion exp/api/v1beta1/constants.go
Expand Up @@ -18,5 +18,5 @@ package v1beta1

const (
PodDefaultName = "pod"
PodDefaultCIDR = "10.0.4.0/24"
PodDefaultCIDR = "10.0.128.0/18"
)
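Review bot: Nothing in this const block documents that PodDefaultCIDR has to agree with the pod subnet cidr in templates/cluster-template-managed-private.yaml, even though the same value 10.0.128.0/18 is now hard-coded both as that template's pod subnet and inside several of its NSG rules, so a later change to either side will diverge silently. A comment on the constant would make the coupling visible: `// PodDefaultCIDR must match the pod subnet cidr (and the NSG rules that reference it) in templates/cluster-template-managed-private.yaml.` If the constant also serves as the default for clusters that declare no pod subnet, that is worth stating in the same comment; I cannot tell from this hunk how it is consumed.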
286 changes: 282 additions & 4 deletions templates/cluster-template-managed-private.yaml
Expand Up @@ -27,23 +27,301 @@ spec:
compartmentId: "${OCI_COMPARTMENT_ID}"
networkSpec:
vcn:
cidr: 10.0.0.0/16
subnets:
- cidr: 10.0.0.0/30
- cidr: 10.0.0.8/29
name: control-plane-endpoint
role: control-plane-endpoint
type: private
- cidr: 10.0.2.0/24
- cidr: 10.0.0.32/27
name: service-lb
role: service-lb
type: public
- cidr: 10.0.1.0/24
- cidr: 10.0.64.0/20
name: worker
role: worker
type: private
- cidr: 10.0.4.0/24
- cidr: 10.0.128.0/18
name: pod
role: pod
type: private
networkSecurityGroups:
- egressRules:
- egressRule:
description: Allow Kubernetes API endpoint to communicate with OKE.
destinationType: SERVICE_CIDR_BLOCK
isStateless: false
protocol: "6"
- egressRule:
description: Path Discovery.
destinationType: SERVICE_CIDR_BLOCK
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
- egressRule:
description: Allow Kubernetes API endpoint to communicate with worker
nodes.
destination: 10.0.64.0/20
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 10250
min: 10250
- egressRule:
description: Path Discovery.
destination: 10.0.64.0/20
destinationType: CIDR_BLOCK
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
- egressRule:
description: Allow Kubernetes API endpoint to communicate with pods (when
using VCN-native pod networking).
destination: 10.0.128.0/18
destinationType: CIDR_BLOCK
isStateless: false
protocol: all
ingressRules:
- ingressRule:
description: Kubernetes worker to Kubernetes API endpoint communication.
isStateless: false
protocol: "6"
source: 10.0.64.0/20
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
- ingressRule:
description: Kubernetes worker to Kubernetes API endpoint communication.
isStateless: false
protocol: "6"
source: 10.0.64.0/20
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 12250
min: 12250
- ingressRule:
description: Path Discovery.
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
source: 10.0.64.0/20
sourceType: CIDR_BLOCK
- ingressRule:
description: Pod to Kubernetes API endpoint communication (when using
VCN-native pod networking).
isStateless: false
protocol: "6"
source: 10.0.128.0/18
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
- ingressRule:
description: Pod to Kubernetes API endpoint communication (when using
VCN-native pod networking).
isStateless: false
protocol: "6"
source: 10.0.128.0/18
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 12250
min: 12250
- ingressRule:
description: External access to Kubernetes API endpoint.
isStateless: false
protocol: "6"
source: 0.0.0.0/0
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
name: control-plane-endpoint
role: control-plane-endpoint
- egressRules:
- egressRule:
description: Allow worker nodes to communicate with OKE.
destinationType: SERVICE_CIDR_BLOCK
isStateless: false
protocol: "6"
- egressRule:
description: Allow worker nodes to access pods.
destination: 10.0.128.0/18
destinationType: CIDR_BLOCK
isStateless: false
protocol: all
- egressRule:
description: Path Discovery.
destination: 0.0.0.0/0
destinationType: CIDR_BLOCK
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
- egressRule:
description: Kubernetes worker to Kubernetes API endpoint communication.
destination: 10.0.0.8/29
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
- egressRule:
description: Kubernetes worker to Kubernetes API endpoint communication.
destination: 10.0.0.8/29
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 12250
min: 12250
ingressRules:
- ingressRule:
description: Allow Kubernetes API endpoint to communicate with worker
nodes.
isStateless: false
protocol: "6"
source: 10.0.0.8/29
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 10250
min: 10250
- ingressRule:
description: Path Discovery.
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
source: 0.0.0.0/0
sourceType: CIDR_BLOCK
- ingressRule:
description: Load Balancer to Worker nodes node ports.
isStateless: false
protocol: "6"
source: 10.0.0.32/27
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 32767
min: 30000
name: worker
role: worker
- egressRules:
- egressRule:
description: Load Balancer to Worker nodes node ports.
destination: 10.0.64.0/20
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 32767
min: 30000
ingressRules:
- ingressRule:
description: Accept http traffic on port 80
isStateless: false
protocol: "6"
source: 0.0.0.0/0
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 80
min: 80
- ingressRule:
description: Accept https traffic on port 443
isStateless: false
protocol: "6"
source: 0.0.0.0/0
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 443
min: 443
name: service-lb
role: service-lb
- egressRules:
- egressRule:
description: Allow worker nodes to communicate with OCI Services.
destinationType: SERVICE_CIDR_BLOCK
isStateless: false
protocol: "6"
- egressRule:
description: Path Discovery.
destinationType: SERVICE_CIDR_BLOCK
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
- egressRule:
description: Allow pods to communicate with other pods.
destination: 10.0.128.0/18
destinationType: CIDR_BLOCK
isStateless: false
protocol: all
- egressRule:
description: Pod to Kubernetes API endpoint communication (when using
VCN-native pod networking).
destination: 10.0.0.8/29
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
- egressRule:
description: Pod to Kubernetes API endpoint communication (when using
VCN-native pod networking).
destination: 10.0.0.8/29
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 12250
min: 12250
ingressRules:
- ingressRule:
description: Allow worker nodes to access pods.
isStateless: false
protocol: all
source: 10.0.64.0/20
sourceType: CIDR_BLOCK
- ingressRule:
description: Allow Kubernetes API endpoint to communicate with pods.
isStateless: false
protocol: all
source: 10.0.0.8/29
sourceType: CIDR_BLOCK
- ingressRule:
description: Allow pods to communicate with other pods.
isStateless: false
protocol: all
source: 10.0.128.0/18
sourceType: CIDR_BLOCK
name: pod
role: pod
---
kind: OCIManagedControlPlane
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
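Review bot: The control-plane-endpoint NSG ingress rule described as "External access to Kubernetes API endpoint" admits `source: 0.0.0.0/0` on TCP 6443, yet this template creates the control-plane-endpoint subnet as `type: private`, so the rule is wider than anything that can reach a private endpoint and wider than the worker (10.0.64.0/20) and pod (10.0.128.0/18) rules that already cover in-cluster callers. For a private template the least-privilege default is the VCN range, `source: 10.0.0.0/16`, with the description changed to say the access is from inside the VCN; operators who reach the endpoint over a DRG/VPN or a peered VCN would then widen it deliberately to their own range instead of inheriting any-source. If 0.0.0.0/0 is intentional because a bastion or VPN path is assumed, a comment above the rule saying so would stop it from being read as an open API endpoint when the template is copied for other clusters. The OCIManagedCluster document this belongs to starts before this hunk and the file continues past it.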