The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
This section describes the additional configuration required when you update Oracle Linux Cloud Native Environment from Release 1.1.x to 1.1.10. Although Release 1.1.0 is an errata update, there is functionality that has changed in this release related to the deployment of Kubernetes modules and a new Kubernetes service to validate externalIPs. For information on the changes in the Kubernetes module related to externalIPs, see Getting Started.
Kubernetes clusters that are updated to Release 1.1.10 are able to use the new feature to restrict externalIPs in Kubernetes services. Updated clusters have a new configuration option set, --restrict-service-externalip=false. It is recommended to upgrade existing clusters to turn this feature on.

To enable this feature for an existing updated cluster, you need to modify the Kubernetes module for the cluster with the required information to deploy the externalip-validation-webhook-service service.
Any new Kubernetes modules you create in Release 1.1.10 onwards have the setting of --restrict-service-externalip=true, which means new clusters must be configured with the externalIP feature by default, unless you specify --restrict-service-externalip=false when creating the module.

To deploy the service on an updated cluster:

1. The externalip-validation-webhook-service Kubernetes service requires X.509 certificates to be set up prior to updating the Kubernetes module. You can use certificates generated by Vault, your own certificates, or generate certificates using the gen-certs-helper.sh script. For information on setting up these certificates, see Getting Started.

2. On the operator node, use the olcnectl module update command to update the Kubernetes module to turn on this feature and provide the required certificate information. The --restrict-service-externalip=true option enables this feature. The other options set the location of the certificates. For example:

    $ olcnectl --api-server 127.0.0.1:8091 module update \
        --environment-name myenvironment \
        --name mycluster \
        --restrict-service-externalip=true \
        --restrict-service-externalip-ca-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/ca.cert \
        --restrict-service-externalip-tls-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/node.cert \
        --restrict-service-externalip-tls-key=/etc/olcne/configs/certificates/restrict_external_ip/production/node.key

   The externalip-validation-webhook-service Kubernetes service is deployed to the cluster.
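
A pre-flight check for the three certificate files named in the olcnectl options above, which can be run on the operator node before the module update. This is an added example, not part of the Oracle documentation or tooling; the function name check_webhook_certs, the 24-hour expiry margin and the file-permission check are assumptions, and the openssl command must be installed.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight check for the files passed to
# --restrict-service-externalip-ca-cert, -tls-cert and -tls-key.
# check_webhook_certs is a hypothetical helper name.
# Usage: check_webhook_certs CA_CERT TLS_CERT TLS_KEY
# Returns 0 when every check passes, otherwise 1-5 (one code per check).
check_webhook_certs() {
    ca=$1; cert=$2; key=$3

    # 1. All three files must exist and be readable.
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 2. The TLS certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "$cert does not verify against $ca" >&2; return 2; }

    # 3. The TLS certificate must still be valid 24 hours from now.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "$cert expires within 24 hours" >&2; return 3; }

    # 4. The private key must belong to the certificate: both must yield
    #    the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert" >&2; return 4
    fi

    # 5. Hardening assumption (not from the page): the private key must not
    #    be readable, writable or executable by "other".
    other=$(ls -lnL "$key" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$key is accessible to other users" >&2; return 5; }

    return 0
}

# Run the check when the script is called with the three paths.
if [ "$#" -eq 3 ]; then
    check_webhook_certs "$@"
fi
```

A non-zero return code identifies the first check that failed, and the reason is printed to standard error.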