The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

Chapter 5 Updating to Release 1.2.2 and 1.1.10

This section describes the additional configuration required when you update Oracle Cloud Native Environment from Release 1.2.0 to Release 1.2.2, and from Release 1.1.x to 1.1.10. Although these are errata updates, they change how Kubernetes modules are deployed and add a new Kubernetes service that validates externalIPs. For information on the changes in the Kubernetes module related to externalIPs, see Container Orchestration.

Kubernetes clusters that are updated to Releases 1.2.2 and 1.1.10 can use the new feature to restrict externalIPs in Kubernetes services. On updated clusters, the new configuration option is set to --restrict-service-externalip=false.

Important

It is recommended to upgrade existing clusters to turn this feature on.

To enable this feature for an existing updated cluster, you need to modify the Kubernetes module for the cluster with the information required to deploy the externalip-validation-webhook-service service.

Important

Any new Kubernetes modules you create in Release 1.2.2 and 1.1.10 onwards default to --restrict-service-externalip=true. New clusters must therefore be configured with the externalIP feature, unless you specify --restrict-service-externalip=false when creating the module.

To deploy the service on an updated cluster:
  1. The externalip-validation-webhook-service Kubernetes service requires that X.509 certificates are set up before you update the Kubernetes module. You can use certificates generated by Vault, your own certificates, or generate certificates using the gen-certs-helper.sh script. For information on setting up these certificates, see Getting Started.

  2. On the operator node, use the olcnectl module update command to update the Kubernetes module to turn on this feature and provide the required certificate information. The --restrict-service-externalip=true option enables this feature. The other options set the location of the certificates. For example:

    olcnectl module update \
    --environment-name myenvironment \
    --name mycluster \
    --restrict-service-externalip=true \
    --restrict-service-externalip-ca-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/ca.cert \
    --restrict-service-externalip-tls-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/node.cert \
    --restrict-service-externalip-tls-key=/etc/olcne/configs/certificates/restrict_external_ip/production/node.key

    The externalip-validation-webhook-service Kubernetes service is deployed to the cluster.
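
A pre-flight check for the three certificate files passed to olcnectl module update in step 2, as an added example that is not part of the Oracle documentation. The function names are hypothetical, the sample CA and node certificate are constructed throwaway files, and the script assumes the openssl CLI and GNU stat are available.

```shell
#!/usr/bin/env bash
# Added example: validate the CA cert, TLS cert and TLS key before passing
# them to the --restrict-service-externalip-* options. Names are hypothetical.

# Returns 0 if usable; 1 unreadable file, 2 key mode too open,
# 3 cert does not verify against the CA (or is expired), 4 key/cert mismatch.
check_externalip_certs() {
  local ca="$1" cert="$2" key="$3" f mode
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # The private key must not be accessible to group or others.
  mode=$(stat -c '%a' "$key") || return 1
  case "$mode" in
    *00) ;;
    *) echo "key mode $mode is too permissive" >&2; return 2 ;;
  esac
  # The TLS certificate must chain to the supplied CA and be within validity.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not verify against CA" >&2; return 3; }
  # The certificate's public key must match the private key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "private key does not match certificate" >&2; return 4; }
}

# Constructed sample input: a throwaway CA and node certificate in directory $1.
make_sample_certs() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.cert" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-node" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/node.csr" -CA "$d/ca.cert" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/node.cert" 2>/dev/null &&
  chmod 600 "$d/ca.key" "$d/node.key"
}

demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir" &&
  check_externalip_certs "$demo_dir/ca.cert" "$demo_dir/node.cert" \
    "$demo_dir/node.key" && echo "certificate files look usable"
```

On the operator node, call check_externalip_certs with the same three paths you intend to pass to olcnectl module update and proceed only if it returns 0.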