Fix private managed template to have correct seclist and Subnet CIDR (
shyamradhakrishnan authored Mar 6, 2023
1 parent 101cf16 commit c38f63e
Showing 2 changed files with 283 additions and 5 deletions.
2 changes: 1 addition & 1 deletion exp/api/v1beta1/constants.go
Expand Up @@ -18,5 +18,5 @@ package v1beta1

const (
PodDefaultName = "pod"
PodDefaultCIDR = "10.0.4.0/24"
PodDefaultCIDR = "10.0.128.0/18"
)
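Review bot: PodDefaultCIDR is changed to `"10.0.128.0/18"` with no comment recording where else that value has to agree; the same literal is hard-coded as the pod subnet cidr and as the source/destination of several NSG rules in templates/cluster-template-managed-private.yaml in this commit, so the constant and the template can drift apart silently the next time either is edited. Consider a comment above the constant such as `// PodDefaultCIDR is the default pod subnet CIDR; it is expected to match the pod subnet used by the managed cluster templates.` (the coupling is inferred from the two changes landing together, so confirm before asserting it). If the other subnet defaults (control-plane endpoint, service-lb, worker) also live as constants outside this hunk, the same comment belongs on them.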
286 changes: 282 additions & 4 deletions templates/cluster-template-managed-private.yaml
Expand Up @@ -27,23 +27,301 @@ spec:
compartmentId: "${OCI_COMPARTMENT_ID}"
networkSpec:
vcn:
cidr: 10.0.0.0/16
subnets:
- cidr: 10.0.0.0/30
- cidr: 10.0.0.8/29
name: control-plane-endpoint
role: control-plane-endpoint
type: private
- cidr: 10.0.2.0/24
- cidr: 10.0.0.32/27
name: service-lb
role: service-lb
type: public
- cidr: 10.0.1.0/24
- cidr: 10.0.64.0/20
name: worker
role: worker
type: private
- cidr: 10.0.4.0/24
- cidr: 10.0.128.0/18
name: pod
role: pod
type: private
networkSecurityGroups:
- egressRules:
- egressRule:
description: Allow Kubernetes API endpoint to communicate with OKE.
destinationType: SERVICE_CIDR_BLOCK
isStateless: false
protocol: "6"
- egressRule:
description: Path Discovery.
destinationType: SERVICE_CIDR_BLOCK
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
- egressRule:
description: Allow Kubernetes API endpoint to communicate with worker
nodes.
destination: 10.0.64.0/20
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 10250
min: 10250
- egressRule:
description: Path Discovery.
destination: 10.0.64.0/20
destinationType: CIDR_BLOCK
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
- egressRule:
description: Allow Kubernetes API endpoint to communicate with pods (when
using VCN-native pod networking).
destination: 10.0.128.0/18
destinationType: CIDR_BLOCK
isStateless: false
protocol: all
ingressRules:
- ingressRule:
description: Kubernetes worker to Kubernetes API endpoint communication.
isStateless: false
protocol: "6"
source: 10.0.64.0/20
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
- ingressRule:
description: Kubernetes worker to Kubernetes API endpoint communication.
isStateless: false
protocol: "6"
source: 10.0.64.0/20
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 12250
min: 12250
- ingressRule:
description: Path Discovery.
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
source: 10.0.64.0/20
sourceType: CIDR_BLOCK
- ingressRule:
description: Pod to Kubernetes API endpoint communication (when using
VCN-native pod networking).
isStateless: false
protocol: "6"
source: 10.0.128.0/18
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
- ingressRule:
description: Pod to Kubernetes API endpoint communication (when using
VCN-native pod networking).
isStateless: false
protocol: "6"
source: 10.0.128.0/18
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 12250
min: 12250
- ingressRule:
description: External access to Kubernetes API endpoint.
isStateless: false
protocol: "6"
source: 0.0.0.0/0
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
name: control-plane-endpoint
role: control-plane-endpoint
- egressRules:
- egressRule:
description: Allow worker nodes to communicate with OKE.
destinationType: SERVICE_CIDR_BLOCK
isStateless: false
protocol: "6"
- egressRule:
description: Allow worker nodes to access pods.
destination: 10.0.128.0/18
destinationType: CIDR_BLOCK
isStateless: false
protocol: all
- egressRule:
description: Path Discovery.
destination: 0.0.0.0/0
destinationType: CIDR_BLOCK
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
- egressRule:
description: Kubernetes worker to Kubernetes API endpoint communication.
destination: 10.0.0.8/29
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
- egressRule:
description: Kubernetes worker to Kubernetes API endpoint communication.
destination: 10.0.0.8/29
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 12250
min: 12250
ingressRules:
- ingressRule:
description: Allow Kubernetes API endpoint to communicate with worker
nodes.
isStateless: false
protocol: "6"
source: 10.0.0.8/29
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 10250
min: 10250
- ingressRule:
description: Path Discovery.
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
source: 0.0.0.0/0
sourceType: CIDR_BLOCK
- ingressRule:
description: Load Balancer to Worker nodes node ports.
isStateless: false
protocol: "6"
source: 10.0.0.32/27
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 32767
min: 30000
name: worker
role: worker
- egressRules:
- egressRule:
description: Load Balancer to Worker nodes node ports.
destination: 10.0.64.0/20
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 32767
min: 30000
ingressRules:
- ingressRule:
description: Accept http traffic on port 80
isStateless: false
protocol: "6"
source: 0.0.0.0/0
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 80
min: 80
- ingressRule:
description: Accept https traffic on port 443
isStateless: false
protocol: "6"
source: 0.0.0.0/0
sourceType: CIDR_BLOCK
tcpOptions:
destinationPortRange:
max: 443
min: 443
name: service-lb
role: service-lb
- egressRules:
- egressRule:
description: Allow worker nodes to communicate with OCI Services.
destinationType: SERVICE_CIDR_BLOCK
isStateless: false
protocol: "6"
- egressRule:
description: Path Discovery.
destinationType: SERVICE_CIDR_BLOCK
icmpOptions:
code: 4
type: 3
isStateless: false
protocol: "1"
- egressRule:
description: Allow pods to communicate with other pods.
destination: 10.0.128.0/18
destinationType: CIDR_BLOCK
isStateless: false
protocol: all
- egressRule:
description: Pod to Kubernetes API endpoint communication (when using
VCN-native pod networking).
destination: 10.0.0.8/29
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 6443
min: 6443
- egressRule:
description: Pod to Kubernetes API endpoint communication (when using
VCN-native pod networking).
destination: 10.0.0.8/29
destinationType: CIDR_BLOCK
isStateless: false
protocol: "6"
tcpOptions:
destinationPortRange:
max: 12250
min: 12250
ingressRules:
- ingressRule:
description: Allow worker nodes to access pods.
isStateless: false
protocol: all
source: 10.0.64.0/20
sourceType: CIDR_BLOCK
- ingressRule:
description: Allow Kubernetes API endpoint to communicate with pods.
isStateless: false
protocol: all
source: 10.0.0.8/29
sourceType: CIDR_BLOCK
- ingressRule:
description: Allow pods to communicate with other pods.
isStateless: false
protocol: all
source: 10.0.128.0/18
sourceType: CIDR_BLOCK
name: pod
role: pod
---
kind: OCIManagedControlPlane
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
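Review bot: The control-plane-endpoint NSG still admits TCP 6443 from `source: 0.0.0.0/0` under "External access to Kubernetes API endpoint", even though this template is the private variant and the endpoint subnet is declared `type: private`; the endpoint is not internet-reachable, so in practice the rule opens the API to anything routed into the VCN (peering, DRG, bastion hosts), which is wider than least privilege needs and inconsistent with the other rules here that are scoped to specific subnets. Unless an unrestricted source is deliberate for the private template, narrow it to the VCN (`source: 10.0.0.0/16`, matching the vcn cidr above) or to the operator's actual access range, and reword the description accordingly. Separately, the subnet CIDRs (`10.0.0.8/29`, `10.0.0.32/27`, `10.0.64.0/20`, `10.0.128.0/18`) are repeated verbatim across dozens of ingress/egress rules with nothing tying them back to the subnet definitions; a short comment at the top of `networkSecurityGroups:` noting that the rule sources/destinations must be kept in step with the `subnets:` list would save the next editor from silently leaving stale rules behind. The OCIManagedControlPlane document that follows is cut off at the end of this section.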