Creating an OKE Control Plane Load Balancer Subnet

Create the following resources in the order listed:

Control plane load balancer security list
Control plane load balancer subnet

Create a Control Plane Load Balancer Security List

To create a security list, use the instructions in "Creating a Security List" in Controlling Traffic with Security Lists in the Oracle Private Cloud Appliance User Guide. For Terraform input, see Example Terraform Scripts for Network Resources.

The control plane load balancer accepts traffic on port 6443, which is also called kubernetes_api_port in this guide. Adjust this security list to only accept connections from where you expect the network to run. Port 6443 must accept connections from the cluster control plane instances and worker instances.

For this example, use the following input for the control plane load balancer subnet security list.

Compute Web UI property OCI CLI property

Compute Web UI property	OCI CLI property
Name: kmilb-seclist	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: kmilb-seclist
Three ingress security rules:	Three ingress security rules: `--ingress-security-rules`
Ingress Rule 1: Stateless: uncheck the box Ingress CIDR: `253.255.0.0/16` This value is required. Do not change this CIDR value. IP Protocol: TCP Destination Port Range: `kubernetes_api_port` Description: "Allow inbound connections to the control plane load balancer."	Ingress Rule 1: `isStateless`: `false` `source`: `253.255.0.0/16` This value is required. Do not change this CIDR value. `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `kubernetes_api_port` `min`: `kubernetes_api_port` `description`: "Allow inbound connections to the control plane load balancer."
Ingress Rule 2: Stateless: uncheck the box Ingress CIDR: `kube_client_cidr` IP Protocol: TCP Destination Port Range: `kubernetes_api_port` Description: "Allow inbound connections to the control plane load balancer."	Ingress Rule 2: `isStateless`: `false` `source`: `kube_client_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `kubernetes_api_port` `min`: `kubernetes_api_port` `description`: "Allow inbound connections to the control plane load balancer."
Ingress Rule 3: Stateless: uncheck the box Ingress CIDR: `vcn_cidr` IP Protocol: TCP Destination Port Range: `kubernetes_api_port` Description: "Allow inbound connections to the control plane load balancer."	Ingress Rule 3: `isStateless`: `false` `source`: `vcn_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `kubernetes_api_port` `min`: `kubernetes_api_port` `description`: "Allow inbound connections to the control plane load balancer."

Name: kmilb-seclist

--vcn-id: ocid1.vcn.oke_vcn_id
--display-name: kmilb-seclist

Three ingress security rules:

--ingress-security-rules

Ingress Rule 1:

Stateless: uncheck the box
Ingress CIDR: 253.255.0.0/16

This value is required. Do not change this CIDR value.
IP Protocol: TCP
- Destination Port Range: kubernetes_api_port
Description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 1:

isStateless: false
source: 253.255.0.0/16

This value is required. Do not change this CIDR value.
sourceType: CIDR_BLOCK
protocol: 6
tcpOptions

destinationPortRange
- max: kubernetes_api_port
- min: kubernetes_api_port
description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 2:

Stateless: uncheck the box
Ingress CIDR: kube_client_cidr
IP Protocol: TCP
- Destination Port Range: kubernetes_api_port
Description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 2:

isStateless: false
source: kube_client_cidr
sourceType: CIDR_BLOCK
protocol: 6
tcpOptions

destinationPortRange
- max: kubernetes_api_port
- min: kubernetes_api_port
description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 3:

Stateless: uncheck the box
Ingress CIDR: vcn_cidr
IP Protocol: TCP
- Destination Port Range: kubernetes_api_port
Description: "Allow inbound connections to the control plane load balancer."

Ingress Rule 3:

isStateless: false
source: vcn_cidr
sourceType: CIDR_BLOCK
protocol: 6
tcpOptions

destinationPortRange
- max: kubernetes_api_port
- min: kubernetes_api_port
description: "Allow inbound connections to the control plane load balancer."

Create the Control Plane Load Balancer Subnet

To create a subnet, use the instructions in Creating a Subnet in the Oracle Private Cloud Appliance User Guide. For Terraform input, see Example Terraform Scripts for Network Resources.

For this example, use the following input to create the control plane load balancer subnet. Use the OCID of the VCN that was created in Creating an OKE VCN. Create the control plane load balancer subnet in the same compartment where you created the VCN.

Compute Web UI property	OCI CLI property
Name: control-plane-endpoint CIDR Block: `kmilb_cidr` Route Table: Select "public" from the list Public Subnet: check the box DNS Hostnames: Use DNS Hostnames in this Subnet: check the box DNS Label: kmilb Security Lists: Select "kmilb-seclist" and "Default Security List for oketest-vcn" from the list	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `control-plane-endpoint` `--cidr-block`: `kmilb_cidr` `--dns-label`: `kmilb` `--prohibit-public-ip-on-vnic`: `false` `--route-table-id`: OCID of the "public" route table `--security-list-ids`: OCIDs of the "kmilb-seclist" security list and the "Default Security List for oketest-vcn" security list