Terraform example scripts for network resources (Flannel overlay)
On Compute Cloud@Customer you can use Terraform scripts to automate the creation of OKE network resources for Flannel overlay networking.
The following Terraform scripts create the network resources that Kubernetes Engine (OKE) needs when you use Flannel overlay networking. Later sections of this topic show other ways of defining the same network resources.
Most values shown in these scripts, such as resource display names and CIDRs, are examples. Some ports must be specified exactly as shown (see Workload Cluster Network Ports (Flannel Overlay)), and the OKE control plane subnet must be named control-plane. For notes on the CIDR values, see Workload Cluster Network CIDR Ranges (Flannel Overlay).
Example Terraform scripts
- variables.tf
- terraform.tfvars
- provider.tf
- main.tf
- oke_vcn.tf
- oke_worker_seclist.tf
- oke_worker_subnet.tf
- oke_kmi_seclist.tf
- oke_kmi_subnet.tf
variables.tf
This file declares several variables used to configure OKE network resources when you use Flannel overlay networking. Many of these variables are not assigned values in this file; one port and five CIDRs are. kubernetes_api_port, port 6443, is the port used to reach the Kubernetes API. See also Workload Cluster Network Ports (Flannel Overlay). The five CIDRs defined in this file are for the OKE VCN, the worker subnet, the worker load balancer subnet, the control plane subnet, and the control plane load balancer subnet.
variable "oci_config_file_profile" {
  type    = string
  default = "DEFAULT"
}

variable "tenancy_ocid" {
  description = "tenancy OCID"
  type        = string
  nullable    = false
}

variable "compartment_id" {
  description = "compartment OCID"
  type        = string
  nullable    = false
}

variable "vcn_name" {
  description = "VCN name"
  nullable    = false
}

variable "kube_client_cidr" {
  description = "CIDR of Kubernetes API clients"
  type        = string
  nullable    = false
}

variable "public_ip_cidr" {
  description = "Public IP CIDR"
  type        = string
  nullable    = false
}

variable "kubernetes_api_port" {
  description = "Port used for Kubernetes API"
  type        = string
  default     = "6443"
}

variable "vcn_cidr" {
  default = "172.31.252.0/23"
}

# Subnet for KMIs where kube-apiserver and other control
# plane applications run, max 9 nodes
variable "kmi_cidr" {
  description = "Kubernetes control plane subnet CIDR"
  default     = "172.31.252.224/28"
}

# Subnet for KMI load balancer
variable "kmilb_cidr" {
  description = "Kubernetes control plane LB subnet CIDR"
  default     = "172.31.252.240/28"
}

# Subnet for worker nodes, max 128 nodes
variable "worker_cidr" {
  description = "Kubernetes worker subnet CIDR"
  default     = "172.31.253.0/24"
}

# Subnet for worker load balancer (for use by CCM)
variable "workerlb_cidr" {
  description = "Kubernetes worker LB subnet CIDR"
  default     = "172.31.252.0/25"
}

# Flag to enable private endpoint
variable "enable_private_endpoint" {
  description = "Flag to create private control plane endpoint/service-lb"
  type        = bool
  default     = false
  nullable    = false
}
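The Terraform files accept any string for the five CIDR variables; nothing checks that the four subnets fit inside the VCN CIDR and do not overlap until OCI rejects the plan at apply time. The following script is an added example (not part of the Oracle documentation) that validates the CIDR plan offline using the default values from variables.tf above. The count of three reserved addresses per subnet is an assumption about OCI subnets, stated in the code.

```python
"""Validate the OKE Flannel-overlay CIDR plan from variables.tf.

Added example, not part of the Oracle documentation. It checks that every
subnet CIDR is a proper network (no host bits set), lies inside the VCN
CIDR, and does not overlap another subnet.
"""
import ipaddress

# Default values copied from variables.tf.
VCN_CIDR = "172.31.252.0/23"
SUBNET_CIDRS = {
    "control-plane (kmi_cidr)": "172.31.252.224/28",
    "control-plane-endpoint (kmilb_cidr)": "172.31.252.240/28",
    "worker (worker_cidr)": "172.31.253.0/24",
    "service-lb (workerlb_cidr)": "172.31.252.0/25",
}


def validate_plan(vcn_cidr, subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    nets = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 172.31.252.1/28,
            # which Terraform would pass through as a plain string.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if not net.subnet_of(vcn):
            problems.append(f"{name}: {cidr} is outside the VCN {vcn_cidr}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def usable_hosts(cidr, reserved=3):
    """Addresses left for instances. Assumption: OCI reserves three addresses
    per subnet (the first two and the last), so a /28 yields 13 and a /24 253."""
    return ipaddress.ip_network(cidr).num_addresses - reserved


if __name__ == "__main__":
    for problem in validate_plan(VCN_CIDR, SUBNET_CIDRS) or ["CIDR plan is consistent"]:
        print(problem)
    for name, cidr in SUBNET_CIDRS.items():
        print(f"{name}: {usable_hosts(cidr)} usable addresses")
```

Run it after editing terraform.tfvars and before terraform plan; any line it prints other than the success message corresponds to a plan that OCI would reject or to subnets that would silently share address space.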
terraform.tfvars
This file assigns values to some of the variables declared in variables.tf.
# name of the profile to use from $HOME/.oci/config
oci_config_file_profile = "DEFAULT"

# tenancy OCID from the above profile
tenancy_ocid = "tenancy_OCID"

# compartment in which to build the OKE cluster
compartment_id = "compartment_OCID"

# display name for the OKE VCN
vcn_name = "oketest"
provider.tf
This file is required in order to use the OCI provider. It initializes the OCI provider with the profile from the OCI configuration file.
provider "oci" {
  config_file_profile = var.oci_config_file_profile
  tenancy_ocid        = var.tenancy_ocid
}
main.tf
This file specifies the provider to use (oracle/oci), defines several security list rules, and initializes the required local values.
The version of the OCI provider you use must be at least v4.50.0 and no higher than v6.36.0.
terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = ">= 4.50.0, <= 6.36.0"
      # If necessary, you can pin a specific version here
      #version = "4.71.0"
    }
  }
  required_version = ">= 1.1"
}

locals {
  kube_internal_cidr = "253.255.0.0/16"

  worker_lb_ingress_rules = [
    {
      source   = var.kube_client_cidr
      port_min = 80
      port_max = 80
    },
    {
      source   = var.kube_client_cidr
      port_min = 443
      port_max = 443
    }
  ]

  worker_ingress_rules = [
    {
      source   = var.kube_client_cidr
      port_min = 30000
      port_max = 32767
    },
    {
      source   = var.vcn_cidr
      port_min = 22
      port_max = 22
    },
    {
      source   = var.workerlb_cidr
      port_min = 30000
      port_max = 32767
    },
    {
      source   = var.workerlb_cidr
      port_min = 10256
      port_max = 10256
    },
    {
      source   = var.kmi_cidr
      port_min = 22
      port_max = 65535
    },
  ]

  kmi_lb_ingress_rules = [
    {
      source   = local.kube_internal_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
    },
    {
      source   = var.kube_client_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
    },
    {
      source   = var.vcn_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
    },
  ]

  kmi_ingress_rules = [
    {
      source   = var.kube_client_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
    },
    {
      source   = var.kmilb_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
    },
    {
      source   = var.worker_cidr
      port_min = 1024
      port_max = 65535
    },
    {
      source   = var.kmi_cidr
      port_min = 1024
      port_max = 65535
    },
  ]

  worker_ingress_udp_rules = [
    {
      source   = var.worker_cidr
      port_min = 8285
      port_max = 8472
    },
    {
      source   = var.kmi_cidr
      port_min = 8285
      port_max = 8472
    },
  ]

  kmi_ingress_udp_rules = [
    {
      source   = var.worker_cidr
      port_min = 8285
      port_max = 8472
    },
    {
      source   = var.kmi_cidr
      port_min = 8285
      port_max = 8472
    },
  ]
}
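The rule tables above decide which source ranges can reach the API port, the NodePort range and SSH on each subnet, and the value chosen for kube_client_cidr directly widens or narrows that exposure. The script below is an added example (not part of the Oracle documentation) that rebuilds the TCP rule tables from main.tf, together with the public_ip_cidr rule that oke_kmi_seclist.tf adds only when enable_private_endpoint is false, and answers "who can reach port P on this list" before anything is applied. The values for kube_client_cidr and public_ip_cidr are constructed placeholders, since variables.tf leaves them unset.

```python
"""Audit the TCP ingress rule tables from main.tf and oke_kmi_seclist.tf.

Added example, not from the Oracle documentation. Rules keep the same shape
as the Terraform locals (source, port_min, port_max). OCI security lists are
allow-only, so a port is reachable from a client if any rule admits it.
"""
import ipaddress

# Defaults from variables.tf plus constructed values for the unset variables.
VARS = {
    "vcn_cidr": "172.31.252.0/23",
    "kmi_cidr": "172.31.252.224/28",
    "kmilb_cidr": "172.31.252.240/28",
    "worker_cidr": "172.31.253.0/24",
    "workerlb_cidr": "172.31.252.0/25",
    "kube_client_cidr": "10.20.0.0/16",   # constructed sample value
    "public_ip_cidr": "203.0.113.0/24",   # constructed sample value
    "kubernetes_api_port": 6443,
}
KUBE_INTERNAL_CIDR = "253.255.0.0/16"     # local.kube_internal_cidr in main.tf


def rule(source, port_min, port_max=None):
    return {"source": source, "port_min": port_min, "port_max": port_max or port_min}


def build_rules(v, enable_private_endpoint):
    """TCP ingress rules per security list, mirroring the Terraform locals."""
    api = v["kubernetes_api_port"]
    kmi_lb = [
        rule(KUBE_INTERNAL_CIDR, api),
        rule(v["kube_client_cidr"], api),
        rule(v["vcn_cidr"], api),
    ]
    # oke_kmi_seclist.tf adds the public_ip_cidr rule only for a public endpoint.
    if not enable_private_endpoint:
        kmi_lb.append(rule(v["public_ip_cidr"], api))
    kmi = [
        rule(v["kube_client_cidr"], api),
        rule(v["kmilb_cidr"], api),
        rule(v["worker_cidr"], 1024, 65535),
        rule(v["kmi_cidr"], 1024, 65535),
    ]
    worker = [
        rule(v["kube_client_cidr"], 30000, 32767),
        rule(v["vcn_cidr"], 22),
        rule(v["workerlb_cidr"], 30000, 32767),
        rule(v["workerlb_cidr"], 10256),
        rule(v["kmi_cidr"], 22, 65535),
    ]
    return {"kmilb": kmi_lb, "kmi": kmi, "worker": worker}


def sources_for_port(rules, port):
    """Set of source CIDRs whose rules admit TCP `port`."""
    return {r["source"] for r in rules if r["port_min"] <= port <= r["port_max"]}


def admits(rules, client_ip, port):
    """True if at least one rule admits `client_ip` to TCP `port`."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        ip in ipaddress.ip_network(r["source"])
        for r in rules
        if r["port_min"] <= port <= r["port_max"]
    )


def world_open_ports(rules):
    """Port ranges admitted from 0.0.0.0/0; expected to be empty on every list."""
    return [(r["port_min"], r["port_max"]) for r in rules if r["source"] == "0.0.0.0/0"]


if __name__ == "__main__":
    for private in (True, False):
        lists = build_rules(VARS, private)
        print(f"enable_private_endpoint={private}")
        for name, rules in lists.items():
            print(f"  {name}: API port reachable from {sorted(sources_for_port(rules, 6443))}")
            print(f"  {name}: open to 0.0.0.0/0 on {world_open_ports(rules)}")
```

The audit makes two properties of the published rules visible: with a public endpoint, only the control-plane-endpoint list admits public_ip_cidr, so the control plane nodes themselves are never reachable from that range; and if kube_client_cidr is set to 0.0.0.0/0, world_open_ports reports port 6443 on the control plane list and the NodePort range on the worker list, which is the check to run before widening that variable.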
oke_vcn.tf
This file defines a VCN, a NAT gateway, an internet gateway, a private route table, and a public route table. The private route table is the default route table for the VCN.
resource "oci_core_vcn" "oke_vcn" {
  cidr_block     = var.vcn_cidr
  dns_label      = var.vcn_name
  compartment_id = var.compartment_id
  display_name   = "${var.vcn_name}-vcn"
}

resource "oci_core_nat_gateway" "vcn_ngs" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id
  count          = var.enable_private_endpoint ? 0 : 1
  display_name   = "VCN nat g6s"
}

resource "oci_core_internet_gateway" "vcn_igs" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id
  count          = var.enable_private_endpoint ? 0 : 1
  display_name   = "VCN i6t g6s"
  enabled        = true
}

# Private endpoint: the default route table carries no route to the internet.
resource "oci_core_default_route_table" "default_private" {
  manage_default_resource_id = oci_core_vcn.oke_vcn.default_route_table_id
  display_name               = "Default - private"
  count                      = var.enable_private_endpoint ? 1 : 0
}

# Public endpoint: the default route table sends outbound traffic through the NAT gateway.
resource "oci_core_default_route_table" "private" {
  count                      = var.enable_private_endpoint ? 0 : 1
  manage_default_resource_id = oci_core_vcn.oke_vcn.default_route_table_id
  display_name               = "Default - private"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_nat_gateway.vcn_ngs[0].id
  }
}

resource "oci_core_route_table" "public" {
  count          = var.enable_private_endpoint ? 0 : 1
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id
  display_name   = "public"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.vcn_igs[0].id
  }
}
oke_worker_seclist.tf
This file defines the security lists for the worker subnet and the worker load balancer subnet. The rules for these security lists are defined in main.tf in this set.
resource "oci_core_security_list" "workerlb" {
  display_name   = "${var.vcn_name}-workerlb"
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.worker_lb_ingress_rules
    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = port.value.port_min
        max = port.value.port_max
      }
    }
  }
}

resource "oci_core_security_list" "worker" {
  display_name   = "${var.vcn_name}-worker"
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.worker_ingress_rules
    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = port.value.port_min
        max = port.value.port_max
      }
    }
  }

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.worker_ingress_udp_rules
    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "17"
      udp_options {
        min = port.value.port_min
        max = port.value.port_max
      }
    }
  }
}
oke_worker_subnet.tf
This file defines the worker and worker load balancer subnets. The worker load balancer subnet is named service-lb.
resource "oci_core_subnet" "worker" {
  cidr_block                 = var.worker_cidr
  compartment_id             = var.compartment_id
  vcn_id                     = oci_core_vcn.oke_vcn.id
  display_name               = "worker"
  dns_label                  = "worker"
  prohibit_public_ip_on_vnic = true
  security_list_ids = [
    oci_core_default_security_list.oke_vcn.id,
    oci_core_security_list.worker.id
  ]
}

resource "oci_core_subnet" "worker_lb" {
  cidr_block                 = var.workerlb_cidr
  compartment_id             = var.compartment_id
  vcn_id                     = oci_core_vcn.oke_vcn.id
  display_name               = "service-lb"
  dns_label                  = "servicelb"
  prohibit_public_ip_on_vnic = var.enable_private_endpoint
  route_table_id             = var.enable_private_endpoint == false ? oci_core_route_table.public[0].id : oci_core_vcn.oke_vcn.default_route_table_id
  security_list_ids = [
    oci_core_default_security_list.oke_vcn.id,
    oci_core_security_list.workerlb.id
  ]
}
oke_kmi_seclist.tf
This file defines the security lists for the control plane and control plane load balancer subnets. It also defines updates to the default security list for the VCN.
resource "oci_core_default_security_list" "oke_vcn" {
  manage_default_resource_id = oci_core_vcn.oke_vcn.default_security_list_id

  egress_security_rules {
    destination      = "0.0.0.0/0"
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
  }

  dynamic "ingress_security_rules" {
    iterator = icmp_type
    for_each = [3, 8, 11]
    content {
      # ping (type 8) only from the VCN; destination unreachable (3) and
      # time exceeded (11) from anywhere. The list holds numbers, so the
      # comparison must be against the number 8: in Terraform, 8 == "8"
      # is false, which would open echo requests to 0.0.0.0/0 as well.
      source      = (icmp_type.value == 8 ? var.vcn_cidr : "0.0.0.0/0")
      source_type = "CIDR_BLOCK"
      protocol    = "1"
      icmp_options {
        type = icmp_type.value
      }
    }
  }
}

resource "oci_core_security_list" "kmilb" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id
  display_name   = "${var.vcn_name}-kmilb"

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.kmi_lb_ingress_rules
    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = port.value.port_min
        max = port.value.port_max
      }
    }
  }

  # Only for a public endpoint: admit the public IP CIDR to the API port.
  dynamic "ingress_security_rules" {
    for_each = var.enable_private_endpoint ? [] : [0]
    content {
      source      = var.public_ip_cidr
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = var.kubernetes_api_port
        max = var.kubernetes_api_port
      }
    }
  }
}

resource "oci_core_security_list" "kmi" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id
  display_name   = "${var.vcn_name}-kmi"

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.kmi_ingress_rules
    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = port.value.port_min
        max = port.value.port_max
      }
    }
  }

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.kmi_ingress_udp_rules
    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "17"
      udp_options {
        min = port.value.port_min
        max = port.value.port_max
      }
    }
  }
}
oke_kmi_subnet.tf
This file defines the control plane and control plane load balancer subnets.
The display name of the kmi subnet must be exactly control-plane.
resource "oci_core_subnet" "kmi" {
  cidr_block                 = var.kmi_cidr
  compartment_id             = var.compartment_id
  display_name               = "control-plane"
  dns_label                  = "kmi"
  vcn_id                     = oci_core_vcn.oke_vcn.id
  prohibit_public_ip_on_vnic = true
  security_list_ids = [
    oci_core_default_security_list.oke_vcn.id,
    oci_core_security_list.kmi.id
  ]
}

resource "oci_core_subnet" "kmi_lb" {
  cidr_block                 = var.kmilb_cidr
  compartment_id             = var.compartment_id
  dns_label                  = "kmilb"
  vcn_id                     = oci_core_vcn.oke_vcn.id
  display_name               = "control-plane-endpoint"
  prohibit_public_ip_on_vnic = var.enable_private_endpoint
  route_table_id             = var.enable_private_endpoint == false ? oci_core_route_table.public[0].id : oci_core_default_route_table.default_private[0].id
  security_list_ids = [
    oci_core_default_security_list.oke_vcn.id,
    oci_core_security_list.kmilb.id
  ]
}