From d0888533ee7275d3922510ee49b2ded839ab0fc1 Mon Sep 17 00:00:00 2001
From: Joe Kratzat
Date: Tue, 7 Feb 2023 14:01:24 -0500
Subject: [PATCH] Add NSG rules for VXLAN to windows template
---
.../cluster-template-windows-calico.yaml | 286 ++++++++++++++++++
1 file changed, 286 insertions(+)
diff --git a/templates/cluster-template-windows-calico.yaml b/templates/cluster-template-windows-calico.yaml
index a036fd61..b7b5e24b 100644
--- a/templates/cluster-template-windows-calico.yaml
+++ b/templates/cluster-template-windows-calico.yaml
@@ -36,6 +36,292 @@ metadata:
 name: "${CLUSTER_NAME}"
 spec:
 compartmentId: "${OCI_COMPARTMENT_ID}"
+ networkSpec:
+ vcn:
+ name: ${CLUSTER_NAME}
+ cidr: "10.0.0.0/16"
+ networkSecurityGroups:
+ - name: control-plane-endpoint
+ role: control-plane-endpoint
+ egressRules:
+ - egressRule:
+ isStateless: false
+ destination: "10.0.0.0/29"
+ protocol: "6"
+ destinationType: "CIDR_BLOCK"
+ description: "Kubernetes API traffic to Control Plane"
+ tcpOptions:
+ destinationPortRange:
+ max: 6443
+ min: 6443
+ ingressRules:
+ - ingressRule:
+ isStateless: false
+ source: "0.0.0.0/0"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "External access to Kubernetes API endpoint"
+ tcpOptions:
+ destinationPortRange:
+ max: 6443
+ min: 6443
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/16"
+ protocol: "1"
+ sourceType: "CIDR_BLOCK"
+ description: "Path discovery"
+ icmpOptions:
+ code: 4
+ type: 3
+ - name: control-plane
+ role: control-plane
+ egressRules:
+ - egressRule:
+ isStateless: false
+ destination: "0.0.0.0/0"
+ protocol: "all"
+ destinationType: "CIDR_BLOCK"
+ description: "Control Plane access to Internet"
+ ingressRules:
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.8/29"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Kubernetes API endpoint to Control Plane(apiserver port)"
+ tcpOptions:
+ destinationPortRange:
+ max: 6443
+ min: 6443
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/29"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Control plane node to Control Plane(apiserver port) communication"
+ tcpOptions:
+ destinationPortRange:
+ max: 6443
+ min: 6443
+ - ingressRule:
+ isStateless: false
+ source: "10.0.64.0/20"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Worker Node to Control Plane(apiserver port) communication"
+ tcpOptions:
+ destinationPortRange:
+ max: 6443
+ min: 6443
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/29"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "etcd client communication"
+ tcpOptions:
+ destinationPortRange:
+ max: 2379
+ min: 2379
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/29"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "etcd peer"
+ tcpOptions:
+ destinationPortRange:
+ max: 2380
+ min: 2380
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/16"
+ protocol: "1"
+ sourceType: "CIDR_BLOCK"
+ description: "Path discovery"
+ icmpOptions:
+ code: 4
+ type: 3
+ - ingressRule:
+ isStateless: false
+ source: "0.0.0.0/0"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Inbound SSH traffic to Control Plane"
+ tcpOptions:
+ destinationPortRange:
+ max: 22
+ min: 22
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/29"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Control Plane to Control Plane Kubelet Communication"
+ tcpOptions:
+ destinationPortRange:
+ max: 10250
+ min: 10250
+ - ingressRule:
+ isStateless: false
+ source: "10.0.64.0/20"
+ protocol: "17"
+ sourceType: "CIDR_BLOCK"
+ description: "Calico VXLAN"
+ udpOptions:
+ destinationPortRange:
+ max: 4789
+ min: 4789
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/29"
+ protocol: "17"
+ sourceType: "CIDR_BLOCK"
+ description: "Calico VXLAN"
+ udpOptions:
+ destinationPortRange:
+ max: 4789
+ min: 4789
+ - name: worker
+ role: worker
+ egressRules:
+ - egressRule:
+ isStateless: false
+ destination: "0.0.0.0/0"
+ protocol: "all"
+ destinationType: "CIDR_BLOCK"
+ description: "Worker node access to Internet"
+ ingressRules:
+ - ingressRule:
+ isStateless: false
+ source: "0.0.0.0/0"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Inbound SSH traffic to worker node"
+ tcpOptions:
+ destinationPortRange:
+ max: 22
+ min: 22
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/16"
+ protocol: "1"
+ sourceType: "CIDR_BLOCK"
+ description: "Path discovery"
+ icmpOptions:
+ code: 4
+ type: 3
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/29"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Control Plane to worker node Kubelet Communication"
+ tcpOptions:
+ destinationPortRange:
+ max: 10250
+ min: 10250
+ - ingressRule:
+ isStateless: false
+ source: "10.0.64.0/20"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Worker node to worker node Kubelet Communication"
+ tcpOptions:
+ destinationPortRange:
+ max: 10250
+ min: 10250
+ - ingressRule:
+ isStateless: false
+ source: "10.0.64.0/20"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Worker node to default NodePort ingress communication"
+ tcpOptions:
+ destinationPortRange:
+ max: 32767
+ min: 30000
+ - ingressRule:
+ isStateless: false
+ source: "10.0.64.0/20"
+ protocol: "17"
+ sourceType: "CIDR_BLOCK"
+ description: "Calico VXLAN"
+ udpOptions:
+ destinationPortRange:
+ max: 4789
+ min: 4789
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/29"
+ protocol: "17"
+ sourceType: "CIDR_BLOCK"
+ description: "Calico VXLAN"
+ udpOptions:
+ destinationPortRange:
+ max: 4789
+ min: 4789
+ - name: service-lb
+ role: service-lb
+ egressRules:
+ - egressRule:
+ isStateless: false
+ destination: "10.0.64.0/20"
+ protocol: "6"
+ destinationType: "CIDR_BLOCK"
+ description: "Service LoadBalancer to default NodePort egress communication"
+ tcpOptions:
+ destinationPortRange:
+ max: 32767
+ min: 30000
+ ingressRules:
+ - ingressRule:
+ isStateless: false
+ source: "10.0.0.0/16"
+ protocol: "1"
+ sourceType: "CIDR_BLOCK"
+ description: "Path discovery"
+ icmpOptions:
+ code: 4
+ type: 3
+ - ingressRule:
+ isStateless: false
+ source: "0.0.0.0/0"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Accept http traffic on port 80"
+ tcpOptions:
+ destinationPortRange:
+ max: 80
+ min: 80
+ - ingressRule:
+ isStateless: false
+ source: "0.0.0.0/0"
+ protocol: "6"
+ sourceType: "CIDR_BLOCK"
+ description: "Accept http traffic on port 443"
+ tcpOptions:
+ destinationPortRange:
+ max: 443
+ min: 443
+ subnets:
+ - name: control-plane-endpoint
+ role: control-plane-endpoint
+ cidr: "10.0.0.8/29"
+ type: public
+ - name: control-plane
+ role: control-plane
+ cidr: "10.0.0.0/29"
+ type: private
+ - name: service-lb
+ role: service-lb
+ cidr: "10.0.0.32/27"
+ type: public
+ - name: worker
+ role: worker
+ cidr: "10.0.64.0/20"
+ type: private
 ---
 kind: KubeadmControlPlane
 apiVersion: controlplane.cluster.x-k8s.io/v1beta1
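Review bot: Both the `control-plane` and `worker` NSGs admit inbound TCP 22 from `source: "0.0.0.0/0"` (the two "Inbound SSH traffic ..." ingress rules), which is the broadest ingress in this block; the subnets bound to those roles are declared `type: private` at the end of the hunk, so the rule is probably unreachable from the internet today, but it silently becomes an internet-exposed SSH port the moment a subnet is flipped to public or a node gets a public IP, so I would scope both to the VCN (`source: "10.0.0.0/16"`) or to a bastion CIDR. Separately, the `service-lb` NSG gets an egress rule to `10.0.64.0/20` ports 30000-32767, but the `worker` NSG's NodePort ingress rule only accepts `source: "10.0.64.0/20"`; unless a rule is added elsewhere, LoadBalancer-to-NodePort traffic originating from the `10.0.0.32/27` LB subnet appears to have no matching worker ingress rule, and the addition below would close that gap. The VXLAN additions themselves look consistent: UDP 4789 is accepted from both the worker and control-plane CIDRs on both node NSGs, and the rules are stateful (`isStateless: false`), so no return-path rule is needed. The enclosing resource (its `kind` is above the hunk) starts outside this hunk, and the `KubeadmControlPlane` document begins in the trailing context.

```yaml
# … unchanged: worker NSG egress rules and earlier ingress rules …
          - ingressRule:
              isStateless: false
              source: "10.0.0.32/27"
              protocol: "6"
              sourceType: "CIDR_BLOCK"
              description: "Service LoadBalancer to worker node NodePort communication"
              tcpOptions:
                destinationPortRange:
                  max: 32767
                  min: 30000
# … unchanged: Calico VXLAN ingress rules, service-lb NSG, subnets …
```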