diff --git a/exp/api/v1beta1/constants.go b/exp/api/v1beta1/constants.go index 9232a32c..93830eae 100644 --- a/exp/api/v1beta1/constants.go +++ b/exp/api/v1beta1/constants.go @@ -18,5 +18,5 @@ package v1beta1 const ( PodDefaultName = "pod" - PodDefaultCIDR = "10.0.4.0/24" + PodDefaultCIDR = "10.0.128.0/18" ) diff --git a/templates/cluster-template-managed-private.yaml b/templates/cluster-template-managed-private.yaml index 6639c065..605baa53 100644 --- a/templates/cluster-template-managed-private.yaml +++ b/templates/cluster-template-managed-private.yaml @@ -27,23 +27,301 @@ spec: compartmentId: "${OCI_COMPARTMENT_ID}" networkSpec: vcn: + cidr: 10.0.0.0/16 subnets: - - cidr: 10.0.0.0/30 + - cidr: 10.0.0.8/29 name: control-plane-endpoint role: control-plane-endpoint type: private - - cidr: 10.0.2.0/24 + - cidr: 10.0.0.32/27 name: service-lb role: service-lb type: public - - cidr: 10.0.1.0/24 + - cidr: 10.0.64.0/20 name: worker role: worker type: private - - cidr: 10.0.4.0/24 + - cidr: 10.0.128.0/18 name: pod role: pod type: private + networkSecurityGroups: + - egressRules: + - egressRule: + description: Allow Kubernetes API endpoint to communicate with OKE. + destinationType: SERVICE_CIDR_BLOCK + isStateless: false + protocol: "6" + - egressRule: + description: Path Discovery. + destinationType: SERVICE_CIDR_BLOCK + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + - egressRule: + description: Allow Kubernetes API endpoint to communicate with worker + nodes. + destination: 10.0.64.0/20 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 10250 + min: 10250 + - egressRule: + description: Path Discovery. + destination: 10.0.64.0/20 + destinationType: CIDR_BLOCK + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + - egressRule: + description: Allow Kubernetes API endpoint to communicate with pods (when + using VCN-native pod networking). + destination: 10.0.128.0/18 + destinationType: CIDR_BLOCK + isStateless: false + protocol: all + ingressRules: + - ingressRule: + description: Kubernetes worker to Kubernetes API endpoint communication. + isStateless: false + protocol: "6" + source: 10.0.64.0/20 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + - ingressRule: + description: Kubernetes worker to Kubernetes API endpoint communication. + isStateless: false + protocol: "6" + source: 10.0.64.0/20 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 12250 + min: 12250 + - ingressRule: + description: Path Discovery. + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + source: 10.0.64.0/20 + sourceType: CIDR_BLOCK + - ingressRule: + description: Pod to Kubernetes API endpoint communication (when using + VCN-native pod networking). + isStateless: false + protocol: "6" + source: 10.0.128.0/18 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + - ingressRule: + description: Pod to Kubernetes API endpoint communication (when using + VCN-native pod networking). + isStateless: false + protocol: "6" + source: 10.0.128.0/18 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 12250 + min: 12250 + - ingressRule: + description: External access to Kubernetes API endpoint. + isStateless: false + protocol: "6" + source: 0.0.0.0/0 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + name: control-plane-endpoint + role: control-plane-endpoint + - egressRules: + - egressRule: + description: Allow worker nodes to communicate with OKE. + destinationType: SERVICE_CIDR_BLOCK + isStateless: false + protocol: "6" + - egressRule: + description: Allow worker nodes to access pods. + destination: 10.0.128.0/18 + destinationType: CIDR_BLOCK + isStateless: false + protocol: all + - egressRule: + description: Path Discovery. + destination: 0.0.0.0/0 + destinationType: CIDR_BLOCK + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + - egressRule: + description: Kubernetes worker to Kubernetes API endpoint communication. + destination: 10.0.0.8/29 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + - egressRule: + description: Kubernetes worker to Kubernetes API endpoint communication. + destination: 10.0.0.8/29 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 12250 + min: 12250 + ingressRules: + - ingressRule: + description: Allow Kubernetes API endpoint to communicate with worker + nodes. + isStateless: false + protocol: "6" + source: 10.0.0.8/29 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 10250 + min: 10250 + - ingressRule: + description: Path Discovery. + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + source: 0.0.0.0/0 + sourceType: CIDR_BLOCK + - ingressRule: + description: Load Balancer to Worker nodes node ports. + isStateless: false + protocol: "6" + source: 10.0.0.32/27 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 32767 + min: 30000 + name: worker + role: worker + - egressRules: + - egressRule: + description: Load Balancer to Worker nodes node ports. + destination: 10.0.64.0/20 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 32767 + min: 30000 + ingressRules: + - ingressRule: + description: Accept http traffic on port 80 + isStateless: false + protocol: "6" + source: 0.0.0.0/0 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 80 + min: 80 + - ingressRule: + description: Accept https traffic on port 443 + isStateless: false + protocol: "6" + source: 0.0.0.0/0 + sourceType: CIDR_BLOCK + tcpOptions: + destinationPortRange: + max: 443 + min: 443 + name: service-lb + role: service-lb + - egressRules: + - egressRule: + description: Allow worker nodes to communicate with OCI Services. + destinationType: SERVICE_CIDR_BLOCK + isStateless: false + protocol: "6" + - egressRule: + description: Path Discovery. + destinationType: SERVICE_CIDR_BLOCK + icmpOptions: + code: 4 + type: 3 + isStateless: false + protocol: "1" + - egressRule: + description: Allow pods to communicate with other pods. + destination: 10.0.128.0/18 + destinationType: CIDR_BLOCK + isStateless: false + protocol: all + - egressRule: + description: Pod to Kubernetes API endpoint communication (when using + VCN-native pod networking). + destination: 10.0.0.8/29 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 6443 + min: 6443 + - egressRule: + description: Pod to Kubernetes API endpoint communication (when using + VCN-native pod networking). + destination: 10.0.0.8/29 + destinationType: CIDR_BLOCK + isStateless: false + protocol: "6" + tcpOptions: + destinationPortRange: + max: 12250 + min: 12250 + ingressRules: + - ingressRule: + description: Allow worker nodes to access pods. + isStateless: false + protocol: all + source: 10.0.64.0/20 + sourceType: CIDR_BLOCK + - ingressRule: + description: Allow Kubernetes API endpoint to communicate with pods. + isStateless: false + protocol: all + source: 10.0.0.8/29 + sourceType: CIDR_BLOCK + - ingressRule: + description: Allow pods to communicate with other pods. + isStateless: false + protocol: all + source: 10.0.128.0/18 + sourceType: CIDR_BLOCK + name: pod + role: pod --- kind: OCIManagedControlPlane apiVersion: infrastructure.cluster.x-k8s.io/v1beta1