OKE Cluster Management with Administration Network
When OKE is used on a system that is configured with a separate administration network, the data center firewall must be configured to allow traffic between the OKE service and the OKE clusters deployed by Compute Enclave users.
Figure 4-1 Example of System Configured with a Separate Administration Network

The OKE service runs on the management nodes in the administration network, while the OKE clusters are deployed in the data network. The management interface of an OKE cluster is port 6443 on its load balancer public IP address. This address is assigned from the data center IP range you reserved and configured as public IPs during initial appliance setup.
Because of the network segregation, traffic from the OKE service must exit the appliance through the administration network, and reenter through the data network to reach the OKE cluster. The data center network infrastructure must allow traffic in both directions. Without the necessary firewall and routing rules, users cannot deploy OKE clusters.
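The following check is an added example, not part of the Oracle documentation: it evaluates a firewall rule set for the path described above, from each management node to port 6443 on every load balancer public IP, together with the reply path. The rule format, the first-match and implicit-deny semantics, the stateless handling of replies, and all addresses (documentation ranges) are assumptions made for illustration; substitute your own administration network and reserved public IP range.

```python
import ipaddress
from typing import NamedTuple, Optional

API_PORT = 6443  # OKE cluster management interface on the load balancer public IP

class Rule(NamedTuple):            # hypothetical, vendor-neutral ACL entry
    action: str                    # "allow" or "deny"
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    sport: Optional[int]           # source port, None = any
    dport: Optional[int]           # destination port, None = any

def decide(rules, src, dst, sport, dport):
    """First-match evaluation with an implicit deny at the end (assumed model)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return r.action
    return "deny"

def blocked_paths(rules, mgmt_nodes, public_range, client_port=40000):
    """Return (leg, mgmt_ip, public_ip) for every path the rule set would drop."""
    blocked = []
    for m in mgmt_nodes:
        for addr in ipaddress.ip_network(public_range):
            p = str(addr)
            # Request: OKE service on the management node to the cluster API.
            if decide(rules, m, p, client_port, API_PORT) != "allow":
                blocked.append(("request", m, p))
            # Reply: stateless filters need this leg allowed explicitly.
            if decide(rules, p, m, API_PORT, client_port) != "allow":
                blocked.append(("reply", m, p))
    return blocked

# Constructed sample data (RFC 5737 documentation addresses).
MGMT_NODES = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
PUBLIC_RANGE = "198.51.100.16/29"
FORWARD_ONLY = [Rule("allow", "192.0.2.0/24", PUBLIC_RANGE, None, API_PORT)]
BOTH_DIRECTIONS = FORWARD_ONLY + [
    Rule("allow", PUBLIC_RANGE, "192.0.2.0/24", API_PORT, None)]

if __name__ == "__main__":
    for name, rules in (("forward only", FORWARD_ONLY), ("both", BOTH_DIRECTIONS)):
        gaps = blocked_paths(rules, MGMT_NODES, PUBLIC_RANGE)
        print(f"{name}: {len(gaps)} blocked path(s)", gaps[:2])
```

On a stateful firewall the reply leg is normally covered by connection tracking, so only the request leg needs an explicit rule there.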
See Workload Cluster Network Ports for Flannel Overlay Networking and Workload Cluster Network Ports for VCN-Native Pod Networking for how to configure ports for OKE. If you are using a separate administration network, see also the table Access Configuration With Administration Network in Port Matrix in the Oracle Private Cloud Appliance Security Guide.