Creating a Worker Subnet (Flannel Overlay)

Learn how to create a worker subnet for Flannel Overlay networking on Private Cloud Appliance.

Create the following resources in the order listed:

Create a Worker Security List

To create a security list, use the instructions in Creating a Security List. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

This security list defines traffic that's allowed to contact worker nodes directly.

For this example, use the following input for the worker subnet security list.


Compute Web UI	OCI CLI property
Name: worker-seclist	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `worker-seclist`
Seven ingress security rules:	Seven ingress security rules: `--ingress-security-rules`
Ingress Rule 1 Stateless: clear the box Ingress CIDR: `vcn_cidr` IP Protocol: TCP Destination Port Range: 22 Description: "Allow intra-VCN `ssh`."	Ingress Rule 1 `isStateless`: `false` `source`: `vcn_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `22` `min`: `22` `description`: "Allow intra-VCN `ssh`."
Ingress Rule 2 Stateless: clear the check box Ingress CIDR: `kube_client_cidr` IP Protocol: TCP Destination Port Range: 30000-32767 Description: "Allow clients to contact the node port range."	Ingress Rule 2 `isStateless`: `false` `source`: `kube_client_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `32767` `min`: `30000` `description`: "Allow clients to contact the node port range."
Ingress Rule 3 Stateless: clear the box Ingress CIDR: `workerlb_cidr` IP Protocol: TCP Destination Port Range: 30000-32767 Description: "Allow the worker load balancer to contact the worker nodes."	Ingress Rule 3 `isStateless`: `false` `source`: `workerlb_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `32767` `min`: `30000` `description`: "Allow the worker load balancer to contact the worker nodes."
Ingress Rule 4 Stateless: clear the box Ingress CIDR: `workerlb_cidr` IP Protocol: TCP Destination Port Range: 10256 Description: "Allow the worker load balancer to contact the worker nodes."	Ingress Rule 4 `isStateless`: `false` `source`: `workerlb_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `10256` `min`: `10256` `description`: "Allow the worker load balancer to contact the worker nodes."
Ingress Rule 5 Stateless: clear the box Ingress CIDR: `kmi_cidr` IP Protocol: TCP Destination Port Range: 22-65535 Description: "Allow the control plane to contact the worker nodes."	Ingress Rule 5 `isStateless`: `false` `source`: `kmi_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `6` `tcpOptions` `destinationPortRange` `max`: `65535` `min`: `22` `description`: "Allow the control plane to contact the worker nodes."
Ingress Rule 6 Stateless: clear the box Ingress CIDR: `worker_cidr` IP Protocol: UDP Destination Port Range: 8285-8472 Description: "Allow flannel traffic."	Ingress Rule 6 `isStateless`: `false` `source`: `worker_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `17` `udpOptions` `destinationPortRange` `max`: `8472` `min`: `8285` `description`: "Allow flannel traffic."
Ingress Rule 7 Stateless: clear the box Ingress CIDR: `kmi_cidr` IP Protocol: UDP Destination Port Range: 8285-8472 Description: "Allow flannel traffic."	Ingress Rule 7 `isStateless`: `false` `source`: `kmi_cidr` `sourceType`: `CIDR_BLOCK` `protocol`: `17` `udpOptions` `destinationPortRange` `max`: `8472` `min`: `8285` `description`: "Allow flannel traffic."

Create the Worker Subnet

To create a subnet, use the instructions in Creating a Subnet. For Terraform input, see Example Terraform Scripts for Network Resources (Flannel Overlay).

For this example, use the following input for the worker subnet security list. Use the OCID of the VCN that was created in Example Terraform Scripts for Network Resources (Flannel Overlay). Create the worker subnet in the same compartment where you created the VCN.

Create either a NAT private worker subnet or a VCN private worker subnet. Create a NAT private worker subnet to communicate outside the VCN.

Create a NAT Private Worker Subnet
Compute Web UI property	OCI CLI property
Name: worker CIDR Block: `worker_cidr` Route Table: Select "nat_private" from the list Private Subnet: check the box DNS Hostnames: Use DNS Hostnames in this Subnet: check the box DNS Label: worker Security Lists: Select "worker-seclist" and "Default Security List for oketest-vcn" from the list	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `worker` `--cidr-block`: `worker_cidr` `--dns-label`: `worker` `--prohibit-public-ip-on-vnic`: `true` `--route-table-id`: OCID of the "nat_private" route table `--security-list-ids`: OCIDs of the "worker-seclist" security list and the "Default Security List for oketest-vcn" security list

The difference in the following private subnet is the VCN private route table is used instead of the NAT private route table.

Create a VCN Private Worker Subnet
Compute Web UI property	OCI CLI property
Name: worker CIDR Block: `worker_cidr` Route Table: Select "vcn_private" from the list Private Subnet: check the box DNS Hostnames: Use DNS Hostnames in this Subnet: check the box DNS Label: worker Security Lists: Select "worker-seclist" and "Default Security List for oketest-vcn" from the list	`--vcn-id`: `ocid1.vcn.oke_vcn_id` `--display-name`: `worker` `--cidr-block`: `worker_cidr` `--dns-label`: `worker` `--prohibit-public-ip-on-vnic`: `true` `--route-table-id`: OCID of the "vcn_private" route table `--security-list-ids`: OCIDs of the "worker-seclist" security list and the "Default Security List for oketest-vcn" security list

What's Next:

Creating a Worker Load Balancer Subnet (Flannel Overlay)

Oracle Cloud Infrastructure Documentation

Creating a Worker Subnet (Flannel Overlay)

Create a Worker Security List

Create the Worker Subnet