Creating a Worker Subnet (VCN-Native Pod)

On Compute Cloud@Customer, create the following resources in the order listed:

  1. Worker security list

  2. Worker subnet

Create a Worker Security List

Create a security list. See Creating a Security List. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

This security list defines traffic that is allowed to contact worker nodes directly.

For this example, use the following input for the worker subnet security list.

The Console property and the equivalent CLI property for each item are shown together. Every rule is stateful: leave the Stateless box unchecked in the Console, which is isStateless: false in the CLI. The CLI expresses a Console source or destination CIDR as source or destination with sourceType or destinationType: CIDR_BLOCK, IP Protocol TCP as protocol: 6 and ICMP as protocol: 1, a Destination Port Range as tcpOptions.destinationPortRange with min and max (equal for a single port), and an ICMP Parameter Type as icmpOptions.type.

Security list properties:

  • Name (--display-name): worker-seclist

  • --vcn-id: ocid1.vcn.oke_vcn_id

One egress security rule (--egress-security-rules):

  • Egress CIDR (destination): 0.0.0.0/0, destinationType: CIDR_BLOCK

  • IP Protocol: All protocols (protocol: all)

  • Description: "Allow all outgoing traffic."

Thirteen ingress security rules (--ingress-security-rules), all stateful, all with sourceType: CIDR_BLOCK:

  1. Ingress CIDR: kube_client_cidr; TCP; Destination Port Range: 30000-32767; Description: "Allow worker nodes to receive connections through the pod subnet."

  2. Ingress CIDR: kmi_cidr; TCP; Destination Port Range: 22; Description: "Allow SSH connection from the control plane subnet."

  3. Ingress CIDR: worker_cidr; TCP; Destination Port Range: 22; Description: "Allow SSH connection from the worker subnet."

  4. Ingress CIDR: worker_cidr; TCP; Destination Port Range: 10250; Description: "Allow Kubernetes API endpoint to worker node communication."

  5. Ingress CIDR: worker_cidr; TCP; Destination Port Range: 10256; Description: "Allow Load Balancer or Network Load Balancer to communicate with kube-proxy on worker nodes."

  6. Ingress CIDR: worker_cidr; TCP; Destination Port Range: 30000-32767; Description: "Allow traffic to worker nodes."

  7. Ingress CIDR: workerlb_cidr; TCP; Destination Port Range: 10256; Description: "Allow Load Balancer or Network Load Balancer to communicate with kube-proxy on worker nodes."

  8. Ingress CIDR: workerlb_cidr; TCP; Destination Port Range: 30000-32767; Description: "Allow worker nodes to receive connections through Network Load Balancer."

  9. Ingress CIDR: kmi_cidr; TCP; Destination Port Range: 10250; Description: "Allow Kubernetes API endpoint to worker node communication."

  10. Ingress CIDR: kmi_cidr; TCP; Destination Port Range: 10256; Description: "Allow Load Balancer or Network Load Balancer to communicate with kube-proxy on worker nodes."

  11. Ingress CIDR: pod_cidr; TCP; Destination Port Range: 30000-32767; Description: "Allow worker nodes to receive connections through the pod subnet."

  12. Ingress CIDR: kmi_cidr; ICMP; Parameter Type: 8 (Echo); Description: "Test the reachability of a network pod from kmi_cidr by sending a request."

  13. Ingress CIDR: kmi_cidr; ICMP; Parameter Type: 0 (Echo Reply); Description: "If the destination pod is reachable from kmi_cidr, respond with an ICMP Echo Reply."

No ingress rule uses a 0.0.0.0/0 source. Worker nodes accept connections only from the control plane subnet (kmi_cidr), the worker, load balancer and pod subnets, and the Kubernetes client CIDR on the NodePort range; SSH is accepted only from kmi_cidr and worker_cidr, and the kubelet port 10250 only from kmi_cidr and worker_cidr.
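The thirteen rules are tedious to enter as CLI JSON and easy to get subtly wrong (a stateless flag, a 0.0.0.0/0 source, SSH opened to the client range). The following Python script is an added example, not Oracle's code and not the Terraform referenced in Example Terraform Scripts (VCN-Native Pod): it generates the egress and ingress rule lists in the JSON shape that --egress-security-rules and --ingress-security-rules accept, and audits the ingress rules against the baseline above before they are applied. The CIDR values, the VCN CIDR 10.1.0.0/16 and the compartment placeholder are assumptions; substitute the values from your own VCN plan.

```python
"""Generate the worker-seclist rule JSON for `oci network security-list create` and
audit it first. Added example, not Oracle's code; CIDRs are placeholders (assumption)."""
import ipaddress
import json

# Placeholder CIDRs (assumption). kube_client_cidr may legitimately lie outside
# the VCN: it is where kubectl and other Kubernetes API clients live.
CIDRS = {
    "kube_client_cidr": "10.0.0.0/8",
    "kmi_cidr": "10.1.0.0/24",       # control plane subnet
    "worker_cidr": "10.1.1.0/24",
    "workerlb_cidr": "10.1.2.0/24",
    "pod_cidr": "10.1.64.0/18",
}
NODEPORT = (30000, 32767)
SINGLE_PORTS = {22, 10250, 10256}    # the only single ports the baseline opens


def tcp_rule(source, port_min, port_max, description):
    """Stateful TCP ingress rule in the JSON shape the OCI CLI expects."""
    return {"isStateless": False, "source": source, "sourceType": "CIDR_BLOCK", "protocol": "6",
            "tcpOptions": {"destinationPortRange": {"min": port_min, "max": port_max}},
            "description": description}


def icmp_rule(source, icmp_type, description):
    """Stateful ICMP ingress rule restricted to one ICMP type."""
    return {"isStateless": False, "source": source, "sourceType": "CIDR_BLOCK", "protocol": "1",
            "icmpOptions": {"type": icmp_type}, "description": description}


def egress_rules():
    return [{"isStateless": False, "destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
             "protocol": "all", "description": "Allow all outgoing traffic."}]


def ingress_rules(c=CIDRS):
    """The thirteen ingress rules of the worker security list, in the page's order."""
    lb = "Allow Load Balancer or Network Load Balancer to communicate with kube-proxy on worker nodes."
    api = "Allow Kubernetes API endpoint to worker node communication."
    pod = "Allow worker nodes to receive connections through the pod subnet."
    return [
        tcp_rule(c["kube_client_cidr"], 30000, 32767, pod),
        tcp_rule(c["kmi_cidr"], 22, 22, "Allow SSH connection from the control plane subnet."),
        tcp_rule(c["worker_cidr"], 22, 22, "Allow SSH connection from the worker subnet."),
        tcp_rule(c["worker_cidr"], 10250, 10250, api),
        tcp_rule(c["worker_cidr"], 10256, 10256, lb),
        tcp_rule(c["worker_cidr"], 30000, 32767, "Allow traffic to worker nodes."),
        tcp_rule(c["workerlb_cidr"], 10256, 10256, lb),
        tcp_rule(c["workerlb_cidr"], 30000, 32767,
                 "Allow worker nodes to receive connections through Network Load Balancer."),
        tcp_rule(c["kmi_cidr"], 10250, 10250, api),
        tcp_rule(c["kmi_cidr"], 10256, 10256, lb),
        tcp_rule(c["pod_cidr"], 30000, 32767, pod),
        icmp_rule(c["kmi_cidr"], 8, "Test the reachability of a network pod from kmi_cidr by sending a request."),
        icmp_rule(c["kmi_cidr"], 0,
                  "If the destination pod is reachable from kmi_cidr, respond with an ICMP Echo Reply."),
    ]


def audit(rules, vcn_cidr):
    """Findings for ingress rules that widen the baseline; an empty list means clean."""
    vcn = ipaddress.ip_network(vcn_cidr)
    findings = []
    for i, r in enumerate(rules, 1):
        src = ipaddress.ip_network(r["source"])
        if r["isStateless"]:
            findings.append(f"rule {i}: stateless, replies are not connection-tracked")
        if src.prefixlen == 0:
            findings.append(f"rule {i}: source {src} is the whole internet")
        rng = r.get("tcpOptions", {}).get("destinationPortRange")
        if rng is None:                      # ICMP (or non-TCP) rule: nothing more to check here
            continue
        lo, hi = rng["min"], rng["max"]
        if not ((lo == hi and lo in SINGLE_PORTS) or (lo, hi) == NODEPORT):
            findings.append(f"rule {i}: unexpected port range {lo}-{hi} from {src}")
        if lo <= 22 <= hi and not src.subnet_of(vcn):
            findings.append(f"rule {i}: SSH reachable from outside the VCN ({src})")
    return findings


if __name__ == "__main__":
    problems = audit(ingress_rules(), "10.1.0.0/16")     # VCN CIDR placeholder (assumption)
    if problems:
        raise SystemExit("\n".join(problems))
    for name, rules in (("egress", egress_rules()), ("ingress", ingress_rules())):
        with open(f"{name}.json", "w") as fh:             # pass as --{name}-security-rules file://{name}.json
            json.dump(rules, fh, indent=2)
    print("oci network security-list create --compartment-id <compartment_ocid> "
          "--vcn-id ocid1.vcn.oke_vcn_id --display-name worker-seclist "
          "--egress-security-rules file://egress.json --ingress-security-rules file://ingress.json")
```

The printed oci network security-list create command is the page's CLI input with the two generated files attached through file://. The audit only inspects ingress rules; the single egress rule is the page's allow-all rule and is written unchanged.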

Create the Worker Subnet

Create a subnet. See Creating a Subnet. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input to create the worker subnet. Use the OCID of the VCN that was created in Creating a VCN (VCN-Native Pod). Create the worker subnet in the same compartment where you created the VCN.

Create either a NAT private worker subnet or a VCN private worker subnet. Choose the NAT private worker subnet if the worker nodes must initiate connections to destinations outside the VCN (through the NAT gateway); choose the VCN private worker subnet if their traffic must stay within the VCN. Neither variant assigns public IP addresses to worker nodes.

Create a NAT Private Worker Subnet

The Console property and the equivalent CLI property for each item are shown together.

  • Name (--display-name): worker

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • CIDR Block (--cidr-block): worker_cidr

  • Route Table (--route-table-id): select "nat_private" from the list; in the CLI, the OCID of the "nat_private" route table

  • Private Subnet: check the box (--prohibit-public-ip-on-vnic: true)

  • DNS Hostnames: check "Use DNS Hostnames in this Subnet"; DNS Label (--dns-label): worker

  • Security Lists (--security-list-ids): select "worker-seclist" and "Default Security List for oketest-vcn" from the list; in the CLI, the OCIDs of both security lists

The only difference in the following private subnet is that the "vcn_private" route table is used instead of the "nat_private" route table.

Create a VCN Private Worker Subnet

The Console property and the equivalent CLI property for each item are shown together.

  • Name (--display-name): worker

  • --vcn-id: ocid1.vcn.oke_vcn_id

  • CIDR Block (--cidr-block): worker_cidr

  • Route Table (--route-table-id): select "vcn_private" from the list; in the CLI, the OCID of the "vcn_private" route table

  • Private Subnet: check the box (--prohibit-public-ip-on-vnic: true)

  • DNS Hostnames: check "Use DNS Hostnames in this Subnet"; DNS Label (--dns-label): worker

  • Security Lists (--security-list-ids): select "worker-seclist" and "Default Security List for oketest-vcn" from the list; in the CLI, the OCIDs of both security lists
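Whichever variant is created, two things are worth verifying: that worker_cidr, kmi_cidr, workerlb_cidr and the pod subnet all sit inside the VCN CIDR without overlapping each other, and that the subnet that was actually created is private and carries worker-seclist. The following Python is an added example, not Oracle's code; the VCN CIDR, subnet CIDRs, route table OCIDs and security list OCIDs are placeholders (assumptions). The dictionary keys are the Networking API field names that the --cidr-block, --dns-label, --prohibit-public-ip-on-vnic, --route-table-id and --security-list-ids flags map onto, and the same names appear in the output of oci network subnet get.

```python
"""Address-plan check and post-creation audit for the worker subnet.
Added example, not Oracle's code; every CIDR and OCID below is a placeholder (assumption)."""
import ipaddress

VCN_CIDR = "10.1.0.0/16"
# In VCN-native pod networking the pod subnet is a VCN subnet like the others,
# so it takes part in the overlap check.
SUBNETS = {"kmi": "10.1.0.0/24", "worker": "10.1.1.0/24",
           "workerlb": "10.1.2.0/24", "pod": "10.1.64.0/18"}
ROUTE_TABLES = {"nat_private": "ocid1.routetable.nat_private",
                "vcn_private": "ocid1.routetable.vcn_private"}
WORKER_SECLIST = "ocid1.securitylist.worker_seclist"
DEFAULT_SECLIST = "ocid1.securitylist.default_oketest_vcn"


def validate_plan(vcn_cidr=VCN_CIDR, subnets=SUBNETS):
    """Every subnet must lie inside the VCN and no two subnets may overlap."""
    vcn = ipaddress.ip_network(vcn_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = [f"{n} ({net}) is not inside the VCN {vcn}"
                for n, net in nets.items() if not net.subnet_of(vcn)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def worker_subnet_details(mode, compartment_id, vcn_id):
    """CreateSubnetDetails for the worker subnet; mode is 'nat_private' or 'vcn_private'."""
    return {
        "compartmentId": compartment_id,
        "vcnId": vcn_id,
        "displayName": "worker",
        "cidrBlock": SUBNETS["worker"],
        "dnsLabel": "worker",
        "prohibitPublicIpOnVnic": True,       # private subnet in both variants
        "routeTableId": ROUTE_TABLES[mode],   # the only field that differs between the variants
        "securityListIds": [WORKER_SECLIST, DEFAULT_SECLIST],
    }


def check_worker_subnet(subnet):
    """Findings for a subnet object as returned by `oci network subnet get` (its data field)."""
    findings = []
    if not subnet.get("prohibitPublicIpOnVnic"):
        findings.append("public IPs may be assigned to worker VNICs")
    if subnet.get("routeTableId") not in ROUTE_TABLES.values():
        findings.append("route table is neither nat_private nor vcn_private")
    if WORKER_SECLIST not in subnet.get("securityListIds", []):
        findings.append("worker-seclist is not attached")
    if subnet.get("cidrBlock") != SUBNETS["worker"]:
        findings.append(f"CIDR {subnet.get('cidrBlock')} differs from the plan ({SUBNETS['worker']})")
    return findings


if __name__ == "__main__":
    for p in validate_plan():
        print("plan:", p)
    details = worker_subnet_details("nat_private", "<compartment_ocid>", "ocid1.vcn.oke_vcn_id")
    print("subnet:", check_worker_subnet(details) or "ok")
```

To audit a subnet that already exists, pass check_worker_subnet the data object from oci network subnet get --subnet-id with the subnet's OCID; a non-empty result means the subnet no longer matches the input on this page.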