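# Copyright (c) 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

# Go text/template rendered into the Cluster API objects (Cluster + OCICluster)
# for a quick-create OCI/OCNE cluster. Every templated scalar is quoted so that
# YAML implicit typing cannot retype a value that happens to look like a number,
# boolean or null (a cluster named "123" would otherwise render as an integer).
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: "{{.Name}}"
  name: "{{.Name}}"
  namespace: "{{.Namespace}}"
spec:
  clusterNetwork:
    pods:
      cidrBlocks:
        - "{{.KubernetesBase.ClusterNetwork.PodCIDR}}"
    serviceDomain: cluster.local
    services:
      cidrBlocks:
        - "{{.KubernetesBase.ClusterNetwork.ServiceCIDR}}"
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1alpha1
    kind: OCNEControlPlane
    name: "{{.Name}}-control-plane"
    namespace: "{{.Namespace}}"
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCICluster
    name: "{{.Name}}"
    namespace: "{{.Namespace}}"
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCICluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: "{{.Name}}"
  name: "{{.Name}}"
  namespace: "{{.Namespace}}"
spec:
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCIClusterIdentity
    name: "{{.IdentityRef.Name}}"
    namespace: "{{.IdentityRef.Namespace}}"
  compartmentId: "{{.OCI.Compartment}}"
{{- if .Network.CreateVCN }}
  # New VCN managed by CAPI. Fixed layout:
  #   10.0.0.8/29   control-plane-endpoint (public)
  #   10.0.0.0/29   control-plane          (private)
  #   10.0.0.32/27  service-lb             (public)
  #   10.0.64.0/20  worker                 (private)
  # NSG protocol values are IANA protocol numbers: "6" TCP, "1" ICMP, "4" IP-in-IP.
  # All rules are stateful (isStateless: false), so return traffic is implied.
  networkSpec:
    vcn:
      name: "{{.Name}}"
      cidr: 10.0.0.0/16
      networkSecurityGroup:
        list:
          - egressRules:
              - egressRule:
                  description: Kubernetes API traffic to Control Plane
                  destination: 10.0.0.0/29
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
            ingressRules:
              # Public API endpoint. Narrow the source when the clients that
              # need the API are known (CI runners, admin networks).
              - ingressRule:
                  description: External access to Kubernetes API endpoint
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              # ICMP type 3 / code 4 (fragmentation needed) so PMTU discovery works.
              - ingressRule:
                  description: ICMP Path discovery
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
            name: ocne-control-plane-endpoint
            role: control-plane-endpoint
          - egressRules:
              - egressRule:
                  description: Control Plane access to Internet
                  destination: 0.0.0.0/0
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: all
            ingressRules:
              - ingressRule:
                  description: Inbound East-West traffic
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
                  isStateless: false
                  protocol: all
              - ingressRule:
                  description: Kubernetes API endpoint to Control Plane(apiserver port) communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.8/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              - ingressRule:
                  description: Control plane node to Control Plane(apiserver port) communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              - ingressRule:
                  description: Worker Node to Control Plane(apiserver port) communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              - ingressRule:
                  description: etcd client communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 2379
                      min: 2379
              - ingressRule:
                  description: etcd peer
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 2380
                      min: 2380
              - ingressRule:
                  description: Calico networking (BGP)
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 179
                      min: 179
              - ingressRule:
                  description: Calico networking (BGP)
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 179
                      min: 179
              - ingressRule:
                  description: Calico networking with IP-in-IP enabled
                  isStateless: false
                  protocol: "4"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Calico networking with IP-in-IP enabled
                  isStateless: false
                  protocol: "4"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Path discovery
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
              # Source 0.0.0.0/0 on a private subnet: reachable only through
              # whatever routes into the VCN (bastion, peering, VPN). Narrow the
              # source to the bastion/admin CIDR when it is known.
              - ingressRule:
                  description: Inbound SSH traffic to Control Plane
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 22
                      min: 22
              - ingressRule:
                  description: Control Plane to Control Plane Kubelet Communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 10250
                      min: 10250
            name: ocne-control-plane
            role: control-plane
          - egressRules:
              - egressRule:
                  description: Worker node access to Internet
                  destination: 0.0.0.0/0
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: all
            ingressRules:
              - ingressRule:
                  description: Inbound East-West traffic
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
                  isStateless: false
                  protocol: all
              # Same consideration as the control-plane SSH rule: narrow the
              # source to the bastion/admin CIDR when it is known.
              - ingressRule:
                  description: Inbound SSH traffic to worker node
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 22
                      min: 22
              - ingressRule:
                  description: Path discovery
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Control Plane to worker node Kubelet Communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 10250
                      min: 10250
              - ingressRule:
                  description: Worker node to worker node Kubelet Communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 10250
                      min: 10250
              - ingressRule:
                  description: Calico networking (BGP)
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 179
                      min: 179
              - ingressRule:
                  description: Calico networking (BGP)
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 179
                      min: 179
              - ingressRule:
                  description: Calico networking with IP-in-IP enabled
                  isStateless: false
                  protocol: "4"
                  source: 10.0.0.0/29
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Calico networking with IP-in-IP enabled
                  isStateless: false
                  protocol: "4"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
              - ingressRule:
                  description: Worker node to default NodePort ingress communication
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 32767
                      min: 30000
            name: ocne-worker
            role: worker
          - egressRules:
              - egressRule:
                  description: Service LoadBalancer to default NodePort egress communication
                  destination: 10.0.64.0/20
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
                  tcpOptions:
                    destinationPortRange:
                      max: 32767
                      min: 30000
            ingressRules:
              - ingressRule:
                  description: Path discovery
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.0.0/16
                  sourceType: CIDR_BLOCK
              # Public load-balancer listeners; this is the intended Internet
              # exposure of the cluster's services.
              - ingressRule:
                  description: Accept http traffic on port 80
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 80
                      min: 80
              - ingressRule:
                  description: Accept https traffic on port 443
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 443
                      min: 443
            name: ocne-service-lb
            role: service-lb
      subnets:
        - cidr: 10.0.0.8/29
          name: ocne-control-plane-endpoint
          role: control-plane-endpoint
          type: public
        - cidr: 10.0.0.0/29
          name: ocne-control-plane
          role: control-plane
          type: private
        - cidr: 10.0.0.32/27
          name: ocne-service-lb
          role: service-lb
          type: public
        - cidr: 10.0.64.0/20
          name: ocne-worker
          role: worker
          type: private
{{- else }}
  # Existing VCN: network management is skipped, so none of the NSG rules
  # above are created here. The pre-existing VCN must already carry
  # equivalent security rules for the control-plane, worker and LB subnets.
  networkSpec:
    skipNetworkManagement: true
    vcn:
      id: "{{.Network.VCN}}"
{{- if .Network.Subnets }}
      # NOTE(review): gated on .Network.Subnets but iterates .ExistingSubnets —
      # presumably the controller derives the latter from the former; confirm.
      subnets:
{{- range .ExistingSubnets }}
        - id: "{{.ID}}"
          role: "{{.Role}}"
          name: "{{.Name}}"
          cidr: "{{.CIDR}}"
          type: "{{.Type}}"
{{- end }}
{{- end }}
{{- end }}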