oke-rm-1.1.2 #1841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 20, 2025
4 changes: 2 additions & 2 deletions app-dev/devops-and-containers/oke/oke-rm/README.md
Expand Up @@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
* By default, everything is private, but there is the possibility to create public subnets
* Be careful when modifying the default values, as inputs are not validated

[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.1/infra.zip)
[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/infra.zip)

## Step 2: Create the OKE control plane

This stack is used to create the OKE control plane ONLY.

[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.1/oke.zip)
[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/oke.zip)

Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
you must add these policies:
Binary file modified app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip
Expand Up @@ -3,7 +3,7 @@ resource "oci_core_security_list" "bastion_security_list" {
vcn_id = local.vcn_id
display_name = "bastion-sec-list"
ingress_security_rules {
protocol = "6"
protocol = local.tcp_protocol
source_type = "CIDR_BLOCK"
source = "0.0.0.0/0"
description = "Allow SSH connections to the subnet. Can be deleted if only using OCI Bastion subnet"
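Review bot: The SSH ingress rule in `bastion_security_list` still hard-codes `source = "0.0.0.0/0"`, while the control-plane rule added in this same PR takes its allowed source from `var.cp_allowed_source_cidr`; the bastion rule should be parameterised the same way, e.g. `source = var.bastion_allowed_source_cidr` with a restrictive default. The description says the rule "can be deleted if only using OCI Bastion", which is better expressed as a `count` toggle on the rule than as advice the operator has to act on by hand after apply. The resource header sits before this hunk and the `tcp_options` block is collapsed out of view, so I could not confirm the rule is limited to port 22.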
Expand Up @@ -7,7 +7,7 @@ resource "oci_core_network_security_group" "cp_nsg" {
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -23,7 +23,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1"
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.cp_nsg.id
stateless = false
Expand All @@ -39,7 +39,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2"
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "CIDR_BLOCK"
source = var.bastion_subnet_cidr
stateless = false
Expand All @@ -57,7 +57,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3"
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.pod_nsg.0.id
stateless = false
Expand All @@ -74,7 +74,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4"
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.pod_nsg.0.id
stateless = false
Expand All @@ -91,7 +91,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5"
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -107,7 +107,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6"
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_7" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "1"
protocol = local.icmp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -121,7 +121,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_7"
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "CIDR_BLOCK"
source = var.cp_allowed_source_cidr
stateless = false
Expand All @@ -137,7 +137,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8"
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -153,7 +153,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" {
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.pod_nsg.0.id
stateless = false
Expand All @@ -165,7 +165,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2" {
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "SERVICE_CIDR_BLOCK"
destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
stateless = false
Expand All @@ -176,7 +176,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3" {
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -193,7 +193,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4" {
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.cp_nsg.id
stateless = false
Expand All @@ -209,7 +209,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5" {
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "1"
protocol = local.icmp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -223,7 +223,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6" {
resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_7" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.cp_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "CIDR_BLOCK"
destination = var.cp_egress_cidr
stateless = false
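Review bot: `oke_cp_nsg_ingress_8` feeds `var.cp_allowed_source_cidr` straight into a control-plane ingress rule, and the README in this PR states that inputs are not validated, so a malformed value fails only at apply time and a `0.0.0.0/0` value silently opens whatever ports the rule carries (collapsed out of view here) to the Internet. A `validation` block on that variable, declared outside this file, with the condition `can(cidrnetmask(var.cp_allowed_source_cidr))` would catch the first case at plan time, and a second condition rejecting `0.0.0.0/0` unless an explicit opt-in variable is set would catch the second. The same check applies to `var.cp_egress_cidr` in `oke_cp_nsg_egress_7`.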
Expand Up @@ -7,7 +7,7 @@ resource "oci_core_network_security_group" "fss_nsg" {
resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.fss_nsg.id
protocol = "17" # UDP
protocol = local.udp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -23,7 +23,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" {
resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.fss_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -39,7 +39,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" {
resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.fss_nsg.id
protocol = "17" # UDP
protocol = local.udp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -55,7 +55,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" {
resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.fss_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -71,7 +71,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" {
resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.fss_nsg.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand Up @@ -7,11 +7,11 @@ resource "oci_core_network_security_group" "oke_lb_nsg" {
resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.worker_nsg.id
stateless = true
description = "Allow TCP traffic from load balancer to worker nodes for services of type NodePort - stateless Egress"
stateless = false
description = "Allow TCP traffic from load balancer to worker nodes for services of type NodePort"
tcp_options {
destination_port_range {
max = 32767
Expand All @@ -20,16 +20,17 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
}
}

resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_ingress" {
direction = "INGRESS"

resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_udp" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
protocol = "6"
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.worker_nsg.id
stateless = true
description = "Allow TCP traffic from worker nodes to load balancer for services of type NodePort - stateless Ingress"
tcp_options {
source_port_range {
protocol = local.udp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.worker_nsg.id
stateless = false
description = "Allow UDP traffic from load balancer to worker nodes for services of type NodePort"
udp_options {
destination_port_range {
max = 32767
min = 30000
}
Expand All @@ -39,7 +40,7 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_healthcheck_egress" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.worker_nsg.id
stateless = false
Expand All @@ -52,32 +53,23 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
}
}


# OCI Native Ingress does not support UDP, hence no UDP egress rule
resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_egress" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.pod_nsg.0.id
stateless = true
description = "LB to pods, OCI Native Ingress - stateless egress"
count = local.is_npn ? 1 : 0
}

resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_ingress" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
protocol = "6"
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.pod_nsg.0.id
stateless = true
description = "LB to pods, OCI Native Ingress - stateless ingress"
stateless = false
description = "LB to pods, OCI Native Ingress"
count = local.is_npn ? 1 : 0
}

resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker_discovery_egress" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
protocol = "1"
protocol = local.icmp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.worker_nsg.id
stateless = false
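Review bot: The new `oke_lb_nsg_rule_workers_egress_udp` rule opens only the load-balancer side of the UDP NodePort path; now that the rules are stateful, the worker NSG needs a matching stateful UDP ingress from `oke_lb_nsg` on 30000-32767, and no change to the worker NSG file is part of this PR, so unless that rule already exists the UDP rule has no effect. The same question applies to the TCP rules whose stateless ingress counterparts (`oke_lb_nsg_rule_workers_ingress`, `oke_lb_nsg_rule_pods_ingress`) were deleted: the worker side must hold a stateful or stateless ingress rule from `oke_lb_nsg` for traffic to keep flowing, and that cannot be confirmed from this diff. `oke_lb_nsg_rule_pods_egress` also carries no `tcp_options`, so every TCP port on every pod is reachable from the LB; if that is intentional for Native Ingress, a comment such as `# No port restriction: Native Ingress backends listen on arbitrary container ports` above the rule would make it deliberate rather than an omission.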
Expand Up @@ -10,4 +10,9 @@ locals {
nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : var.nat_gateway_id
cp_nat_mode = local.create_cp_subnet && var.cp_subnet_private && var.cp_external_nat
create_cp_external_traffic_rule = var.allow_external_cp_traffic && (! var.create_cp_subnet || (! var.cp_subnet_private || var.cp_external_nat))


tcp_protocol = "6"
icmp_protocol = "1"
udp_protocol = "17"
}
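Review bot: The three new locals are bare magic numbers with no comment, and the `# UDP` hint that previously sat next to `"17"` in the FSS rules was dropped in favour of these names, so the meaning should be recorded once here, e.g. `# IANA protocol numbers; OCI security rules take the protocol as a string` above `tcp_protocol`. The `locals` block starts before this hunk.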
Expand Up @@ -41,7 +41,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_3"
resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
protocol = "1"
protocol = local.icmp_protocol
source_type = "CIDR_BLOCK"
source = "0.0.0.0/0"
stateless = false
Expand All @@ -56,11 +56,11 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4"
resource "oci_core_network_security_group_security_rule" "pods_nsg_rule_lb_ingress" {
direction = "INGRESS"
network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
protocol = "6"
protocol = local.tcp_protocol
source_type = "NETWORK_SECURITY_GROUP"
source = oci_core_network_security_group.oke_lb_nsg.id
stateless = true
description = "LBs to pods, - stateless ingress"
stateless = false
description = "LBs to pods"
count = local.is_npn ? 1 : 0
}

Expand Down Expand Up @@ -101,7 +101,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_3"
resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.cp_nsg.id
stateless = false
Expand All @@ -118,7 +118,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4"
resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
protocol = "6"
protocol = local.tcp_protocol
destination_type = "SERVICE_CIDR_BLOCK"
destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
stateless = false
Expand All @@ -129,7 +129,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5"
resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
protocol = "1"
protocol = local.icmp_protocol
destination_type = "CIDR_BLOCK"
destination = "0.0.0.0/0"
stateless = false
Expand All @@ -139,15 +139,4 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6"
code = 4
}
count = local.is_npn ? 1 : 0
}

resource "oci_core_network_security_group_security_rule" "pods_nsg_rule_lb_egress" {
direction = "EGRESS"
network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
protocol = "6"
destination_type = "NETWORK_SECURITY_GROUP"
destination = oci_core_network_security_group.oke_lb_nsg.id
stateless = true
description = "Pods to LBs, - stateless egress"
count = local.is_npn ? 1 : 0
}
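Review bot: `pods_nsg_rule_lb_ingress` is now a stateful rule with no `tcp_options`, so the load balancer can reach any TCP port on any pod, and the deleted `pods_nsg_rule_lb_egress` was the only pod-to-LB rule in this file; the deletion is correct for the return traffic of LB-initiated connections, but a pod that opens a connection towards the LB NSG (for example hairpinning to its own ingress address) loses that path with no replacement, and nothing in the diff says so. A comment above `pods_nsg_rule_lb_ingress` such as `# Stateful: return traffic is tracked, so no pod->LB egress rule is needed; pods that must initiate connections to the LB need their own egress rule` would make the trade-off explicit. `oke_pod_nsg_ingress_4` also admits ICMP from `0.0.0.0/0`; its type/code restriction is collapsed out of view here, so I could not confirm it is limited the way `oke_pod_nsg_egress_6` is with `code = 4`.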