# Copyright (c) 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

# Go template for an OKE quick-create cluster. The cluster-operator renders it
# before the result is parsed as YAML, so the template actions below are not
# YAML. It emits three Cluster API objects in one multi-document stream:
#   1. Cluster                 - the CAPI cluster, pointing at the two OCI objects
#   2. OCIManagedCluster       - OCI infrastructure, including the VCN/subnet/NSG
#                                layout when a VCN is created for the cluster
#   3. OCIManagedControlPlane  - the OKE control plane (version, cluster type, CNI)
# Template actions use the leading trim marker so untaken branches leave no
# blank lines in the rendered output.

apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: {{.Name}}
  name: {{.Name}}
  namespace: {{.Namespace}}
spec:
  clusterNetwork:
    # Pod and service CIDRs come from the quick-create request; they are
    # independent of the VCN CIDRs hard-coded further down.
    pods:
      cidrBlocks:
        - {{.Kubernetes.ClusterNetwork.PodCIDR}}
    serviceDomain: cluster.local
    services:
      cidrBlocks:
        - {{.Kubernetes.ClusterNetwork.ServiceCIDR}}
  # Both references use the same name/namespace as this Cluster; the referenced
  # objects are the second and third documents of this template.
  controlPlaneRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCIManagedControlPlane
    name: {{.Name}}
    namespace: {{.Namespace}}
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCIManagedCluster
    name: {{.Name}}
    namespace: {{.Namespace}}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: OCIManagedCluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: {{.Name}}
  name: {{.Name}}
  namespace: {{.Namespace}}
spec:
  # OCIClusterIdentity referenced here is presumably the OCI credential object
  # CAPOCI authenticates with; it may live in a different namespace than the
  # cluster (IdentityRef.Namespace), so RBAC on that namespace matters.
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: OCIClusterIdentity
    name: {{.IdentityRef.Name}}
    namespace: {{.IdentityRef.Namespace}}
  compartmentId: {{.OKE.Compartment}}
  # networkSpec is emitted by exactly one of the three branches below:
  #   - CreateVCN and CNIType FLANNEL_OVERLAY    -> new VCN with explicit NSG rules
  #   - CreateVCN and CNIType OCI_VCN_IP_NATIVE  -> new VCN with an extra pod subnet
  #   - not CreateVCN                            -> existing VCN, no network management
  # If CreateVCN is true and CNIType is neither of the two values, no networkSpec
  # is rendered at all.
{{- if and .Network.CreateVCN (eq .OKE.Network.CNIType "FLANNEL_OVERLAY") }}
  # VCN layout (all CIDRs are fixed in this template, not taken from the request):
  #   10.0.0.0/16    VCN
  #   10.0.0.8/29    control-plane-endpoint (public)
  #   10.0.0.32/27   service-lb             (public)
  #   10.0.64.0/20   worker                 (private)
  # NOTE(review): because the ranges are hard-coded, a peered or on-prem network
  # using 10.0.0.0/16 would overlap - confirm callers cannot need a different range.
  networkSpec:
    vcn:
      name: {{.Name}}
      cidr: 10.0.0.0/16
      subnets:
        - cidr: 10.0.0.8/29
          name: control-plane-endpoint
          role: control-plane-endpoint
          type: public
        - cidr: 10.0.0.32/27
          name: service-lb
          role: service-lb
          type: public
          # Subnet-level security list for the load balancer subnet. The same
          # flows are repeated as an NSG (service-lb) further down.
          securityList:
            name: service-lb-security-list
            egressRules:
              # protocol "6" is TCP; 30000-32767 is the Kubernetes NodePort range.
              - description: Load Balancer to Worker nodes node ports.
                destination: 10.0.64.0/20
                destinationType: CIDR_BLOCK
                isStateless: false
                protocol: "6"
                tcpOptions:
                  destinationPortRange:
                    max: 32767
                    min: 30000
            ingressRules:
              # Internet-facing LB: 80 and 443 are open to any IPv4 source.
              - description: Accept http traffic on port 80
                isStateless: false
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 80
                    min: 80
              - description: Accept https traffic on port 443
                isStateless: false
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 443
                    min: 443
        - cidr: 10.0.64.0/20
          name: worker
          role: worker
          type: private
      # Network security groups, one per role. All rules are stateful
      # (isStateless: false), so return traffic for an allowed flow does not
      # need its own rule.
      networkSecurityGroup:
        list:
          # --- control-plane-endpoint NSG ---
          - egressRules:
              # NOTE(review): the Oracle Services Network label below carries the
              # "iad" region key; confirm CAPOCI rewrites it for the target region,
              # otherwise these SERVICE_CIDR_BLOCK rules only match in that region.
              - egressRule:
                  description: Allow Kubernetes API endpoint to communicate with OKE.
                  destination: all-iad-services-in-oracle-services-network
                  destinationType: SERVICE_CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
              # protocol "1" is ICMP; type 3 / code 4 is "destination unreachable,
              # fragmentation needed", required for path MTU discovery.
              - egressRule:
                  description: Path Discovery.
                  destination: all-iad-services-in-oracle-services-network
                  destinationType: SERVICE_CIDR_BLOCK
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
              # 10250/tcp is the kubelet port on the workers.
              - egressRule:
                  description: Allow Kubernetes API endpoint to communicate with worker
                    nodes.
                  destination: 10.0.64.0/20
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
                  tcpOptions:
                    destinationPortRange:
                      max: 10250
                      min: 10250
              - egressRule:
                  description: Path Discovery.
                  destination: 10.0.64.0/20
                  destinationType: CIDR_BLOCK
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
            ingressRules:
              # Workers reach the API server on 6443 and 12250 (the second port is
              # presumably the OKE control-plane side channel - confirm).
              - ingressRule:
                  description: Kubernetes worker to Kubernetes API endpoint communication.
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              - ingressRule:
                  description: Kubernetes worker to Kubernetes API endpoint communication.
                  isStateless: false
                  protocol: "6"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 12250
                      min: 12250
              - ingressRule:
                  description: Path Discovery.
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
              # Exposes the Kubernetes API (6443/tcp) to any IPv4 source; the
              # endpoint subnet is public. The source CIDR is not templated, so
              # restricting API access to administrative ranges means editing this
              # rule - NOTE(review): confirm a world-reachable endpoint is the
              # intended quick-create default.
              - ingressRule:
                  description: External access to Kubernetes API endpoint.
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
            name: control-plane-endpoint
            role: control-plane-endpoint
          # --- worker NSG ---
          - egressRules:
              # Flannel overlay traffic between workers: every protocol within the
              # worker subnet.
              - egressRule:
                  description: Allow pods on one worker node to communicate with pods on other worker nodes.
                  destination: "10.0.64.0/20"
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "all"
              - egressRule:
                  description: Allow worker nodes to communicate with OKE.
                  destination: all-iad-services-in-oracle-services-network
                  destinationType: SERVICE_CIDR_BLOCK
                  isStateless: false
                  protocol: "1"
                  # (see region-key note on the control-plane-endpoint NSG above)
              - egressRule:
                  description: Path Discovery.
                  destination: 0.0.0.0/0
                  destinationType: CIDR_BLOCK
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
              - egressRule:
                  description: Kubernetes worker to Kubernetes API endpoint communication.
                  destination: 10.0.0.8/29
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
                  tcpOptions:
                    destinationPortRange:
                      max: 6443
                      min: 6443
              - egressRule:
                  description: Kubernetes worker to Kubernetes API endpoint communication.
                  destination: 10.0.0.8/29
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
                  tcpOptions:
                    destinationPortRange:
                      max: 12250
                      min: 12250
            ingressRules:
              - ingressRule:
                  description: Allow pods on one worker node to communicate with pods on other worker nodes.
                  isStateless: false
                  protocol: "all"
                  source: 10.0.64.0/20
                  sourceType: CIDR_BLOCK
              # No tcpOptions here, so every TCP port on the workers is reachable
              # from the endpoint subnet (10.0.0.8/29), not only the kubelet port
              # the endpoint NSG egresses to.
              - ingressRule:
                  description: Allow Kubernetes API endpoint to communicate with worker nodes.
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.8/29
                  sourceType: CIDR_BLOCK
              # ICMP only (PMTU discovery); the workers sit in a private subnet.
              - ingressRule:
                  description: Path Discovery.
                  icmpOptions:
                    code: 4
                    type: 3
                  isStateless: false
                  protocol: "1"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
              # NodePort range from the load balancer subnet only.
              - ingressRule:
                  description: Load Balancer to Worker nodes node ports.
                  isStateless: false
                  protocol: "6"
                  source: 10.0.0.32/27
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 32767
                      min: 30000
            name: worker
            role: worker
          # --- service-lb NSG (same flows as service-lb-security-list above) ---
          - egressRules:
              - egressRule:
                  description: Load Balancer to Worker nodes node ports.
                  destination: 10.0.64.0/20
                  destinationType: CIDR_BLOCK
                  isStateless: false
                  protocol: "6"
                  tcpOptions:
                    destinationPortRange:
                      max: 32767
                      min: 30000
            ingressRules:
              - ingressRule:
                  description: Accept http traffic on port 80
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 80
                      min: 80
              - ingressRule:
                  description: Accept https traffic on port 443
                  isStateless: false
                  protocol: "6"
                  source: 0.0.0.0/0
                  sourceType: CIDR_BLOCK
                  tcpOptions:
                    destinationPortRange:
                      max: 443
                      min: 443
            name: service-lb
            role: service-lb
{{- end }}
{{- if and .Network.CreateVCN (eq .OKE.Network.CNIType "OCI_VCN_IP_NATIVE") }}
  # Same VCN and subnets as the Flannel branch plus a dedicated pod subnet
  # (10.0.128.0/18, private) for VCN-native pod networking. Unlike the Flannel
  # branch, no networkSecurityGroup block is given here; only the service-lb
  # subnet carries an explicit security list. NOTE(review): confirm CAPOCI
  # supplies the default NSG rules for the other roles in this case.
  networkSpec:
    vcn:
      name: {{.Name}}
      cidr: 10.0.0.0/16
      subnets:
        - cidr: 10.0.0.8/29
          name: control-plane-endpoint
          role: control-plane-endpoint
          type: public
        - cidr: 10.0.0.32/27
          name: service-lb
          role: service-lb
          type: public
          securityList:
            name: service-lb-security-list
            egressRules:
              - description: Load Balancer to Worker nodes node ports.
                destination: 10.0.64.0/20
                destinationType: CIDR_BLOCK
                isStateless: false
                protocol: "6"
                tcpOptions:
                  destinationPortRange:
                    max: 32767
                    min: 30000
            ingressRules:
              - description: Accept http traffic on port 80
                isStateless: false
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 80
                    min: 80
              - description: Accept https traffic on port 443
                isStateless: false
                protocol: "6"
                source: 0.0.0.0/0
                sourceType: CIDR_BLOCK
                tcpOptions:
                  destinationPortRange:
                    max: 443
                    min: 443
        - cidr: 10.0.64.0/20
          name: worker
          role: worker
          type: private
        - cidr: 10.0.128.0/18
          name: pod
          role: pod
          type: private
{{- end }}
{{- if not .Network.CreateVCN }} # Existing VCN
  # Bring-your-own VCN: skipNetworkManagement stops CAPOCI from creating or
  # reconciling network resources, so none of the security rules above are
  # applied. The existing VCN must already permit the equivalent flows
  # (API endpoint <-> workers, workers -> Oracle Services Network, LB -> NodePorts).
  networkSpec:
    skipNetworkManagement: true
    vcn:
      id: {{.Network.VCN}}
{{- if .Network.Subnets }}
      # NOTE(review): the guard tests Network.Subnets but the loop ranges over
      # ExistingSubnets - presumably the operator derives the latter from the
      # former; if ExistingSubnets can be empty while the guard holds, "subnets"
      # renders as a bare key (null), not an empty list.
      subnets:
{{- range .ExistingSubnets }}
        - id: {{.ID}}
          role: {{.Role}}
          name: {{.Name}}
          cidr: {{.CIDR}}
          type: {{.Type}}
{{- end }}
{{- end }}
{{- end }}
---
kind: OCIManagedControlPlane
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
metadata:
  name: {{.Name}}
  namespace: {{.Namespace}}
spec:
  # NOTE(review): rendered unquoted - if Kubernetes.Version can be numeric-looking
  # (e.g. 1.30 without a "v" prefix) the YAML parser would read it as a float;
  # confirm the format the request supplies.
  version: {{.Kubernetes.Version}}
  clusterType: "ENHANCED_CLUSTER"
  # CNIType is the same value that selects the networkSpec branch in the
  # OCIManagedCluster document above.
  clusterPodNetworkOptions:
    - cniType: {{.OKE.Network.CNIType}}