Preparing for Container Engine for Kubernetes
Before you can use Container Engine for Kubernetes to create a Kubernetes cluster:
- You must have access to an Oracle Cloud Infrastructure tenancy. The tenancy must be subscribed to one or more of the regions in which Container Engine for Kubernetes is available (see Availability by Region).
Your tenancy must have sufficient quota on different types of resource (see Service Limits). More specifically:
- Compute instance quota: To create a Kubernetes cluster, at least one compute instance (node) must be available in the tenancy. However, you'll probably want more than this minimum. For example, to create a highly available cluster in a region with three availability domains (ADs), at least three compute instances must be available (one in each availability domain).
- Block volume quota: If you intend to create Kubernetes persistent volumes, sufficient block volume quota must be available in each availability domain to meet the persistent volume claim. Persistent volume claims must request a minimum of 50 gigabytes. See Creating a Persistent Volume Claim.
- Load balancer quota: If you intend to create a load balancer to distribute traffic between the nodes running a service in a Kubernetes cluster, sufficient load balancer quota must be available in the region. See Creating Load Balancers to Distribute Traffic Between Cluster Nodes.
- Within your tenancy, there must already be a compartment to contain the necessary network resources (such as a VCN, subnets, internet gateway, route table, security lists). If such a compartment does not exist already, you will have to create it. Note that the network resources can reside in the root compartment. However, if you expect multiple teams to create clusters, best practice is to create a separate compartment for each team.
Within the compartment, network resources (such as a VCN, subnets, internet gateway, route table, security lists) must be appropriately configured in each region in which you want to create and deploy clusters. For example, to create a highly available cluster in a region with three availability domains, the VCN must include:
- For worker nodes: a regional subnet (recommended), or three AD-specific subnets (one in each of the availability domains).
- For load balancers: optionally (but usually) an additional regional subnet (recommended), or an additional two AD-specific subnets (each in a different availability domain).
Best practice is to use regional subnets to make failover across availability domains simpler to implement.
When creating a new cluster, you can have Container Engine for Kubernetes automatically create and configure new network resources for the new cluster, or you can specify existing network resources. If you specify existing network resources, you or somebody else must have already configured those resources appropriately. See Network Resource Configuration for Cluster Creation and Deployment.
To create and/or manage clusters, you must belong to one of the following:
- The tenancy's Administrators group
A group to which a policy grants the appropriate Container Engine for Kubernetes permissions. If you are creating or modifying clusters using the Console, or want Container Engine for Kubernetes to automatically create and configure new network resources for a new cluster, policies must also grant the group the following permissions:
- VCN_READ and VCN_CREATE
- SUBNET_READ and SUBNET_CREATE
If you want to create a service gateway to enable applications deployed on a cluster to pull images from Oracle Cloud Infrastructure Registry (or to use other Oracle Cloud Infrastructure resources) without exposing data to the public internet, a policy must also grant the group the SERVICE_GATEWAY_CREATE permission.
To perform operations on a cluster:
- You must be able to run the Kubernetes command line tool kubectl. You can use the kubectl installation included in Cloud Shell, or you can use a local installation of kubectl (see Accessing a Cluster Using Kubectl).
- You must have set up your own copy of the cluster's kubeconfig configuration file (see Setting Up Cluster Access). Note that you must set up your own kubeconfig file. You cannot access a cluster using a kubeconfig file that a different user set up.
- You must have appropriate permissions to access the cluster (see About Access Control and Container Engine for Kubernetes).
Availability by Region
Container Engine for Kubernetes is available in all the Oracle Cloud Infrastructure regions listed at Regions and Availability Domains. Refer to that topic to see region identifiers, region keys, and availability domain names.
In some cases, you might have to use shortened versions of availability domain names. For
example, when defining a persistent volume claim (PVC), to request storage in a
particular availability domain by specifying the value of the
failure-domain.beta.kubernetes.io/zone Kubernetes label. To find
out how to construct shortened versions of availability domain names, see failure-domain.beta.kubernetes.io/zone.