This repository was archived by the owner on Jun 6, 2025. It is now read-only.
ingress.md
+46 -1 (46 additions & 1 deletion)
@@ -13,6 +13,7 @@ ALLOW any-user to manage vcns in compartment <network-compartment-name> where re
13
13
ALLOW any-user to manage virtual-network-family in compartment <network-compartment-name> where request.principal.type = 'cluster'
14
14
```
15
15
Note that these policies are necessary even if the network compartment and the cluster compartment are the same!
16
+
16
17
These policies can also be further restricted by specifying the OKE cluster id.
17
18
18
19
## Configuring the Service of type LoadBalancer
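Review bot: The context sentence "These policies can also be further restricted by specifying the OKE cluster id." directly after the added blank line says a tighter policy exists but never shows it, while the statement above it grants `manage virtual-network-family` to `any-user` with only `request.principal.type = 'cluster'` as a condition, which matches any cluster principal. Since this commit already touches the paragraph, add the restricted form of the statement with a placeholder cluster OCID next to the broad one and say which of the two is recommended. The only change in this hunk is a blank line, so if no text change is intended it could be dropped from the commit.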
@@ -219,7 +220,33 @@ ports:
219
220
```
220
221
Where 10.0.0.0/16 is the CIDR block of the VCN where the OKE cluster has been provisioned and where the Load Balancer is located.
221
222
222
-
## Change the default Load Balancer policy
223
+
## Select only the necessary worker nodes to be included in the Load Balancer
224
+
225
+
By default, OKE will include all the worker nodes in a cluster as backend set of the Load Balancer. If nodes increase a lot, having many nodes in the backend set
226
+
may slow down the Load Balancer.
227
+
We can restrict the nodes to be included in the backend set by using labels and the annotation **oci.oraclecloud.com/node-label-selector**:
See the [documentation](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer_topic-Selecting_worker_nodes_to_include_in_backend_sets) for more examples.
248
+
249
+
## Change the default Load Balancer policy if needed
223
250
224
251
The default Load Balancer policy is ROUND_ROBIN. If your applications require long connection times, better change the policy to LEAST_CONNECTIONS:
If you expect to have multiple environments in the same OKE cluster, it's better to create multiple IngressClasses for every environment, each with its own ingress controller and Load Balancer.
370
+
371
+
To better manage costs, do not forget to add cost-tracking tags to the Load Balancer! See [here](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengtaggingclusterresources_tagging-oke-resources_load-balancer-tags.htm#contengtaggingclusterresources_tagging_oke_resources_load_balancer_tags) for more information.
372
+
373
+
NOTE: Remember that to apply tags additional policies may be needed, see [here](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengtaggingclusterresources_iam-tag-namespace-policy.htm#contengtaggingclusterresources_iam-tag-namespace-policy).
374
+
375
+
This guide shows how to configure an ingress controller with a Load Balancer configured with TLS passthrough. SSL/TLS termination will happen at the Ingress level.
376
+
377
+
Usually, this is preferable as the Ingress controller is directly integrated with cert-manager and is capable to handle multiple certificates.
378
+
379
+
If you only have one certificate, you can also terminate TLS at the Load Balancer level and there are some additional [annotations](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancers-subtopic.htm#creatinglbhttps).
380
+
336
381
## Enable API Gateway features (requires an enterprise license)
337
382
338
383
Generally speaking, all the major Ingress controllers (Nginx, Traefik, Kong) are open source, but many useful features require an enterprise license.
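Review bot: The added paragraph near the end of this hunk ("If you only have one certificate, you can also terminate TLS at the Load Balancer level ...") does not say what happens to traffic between the Load Balancer and the ingress controller once TLS ends at the Load Balancer. State whether that leg is re-encrypted or sent in clear, so a reader does not move away from the passthrough setup described a few lines earlier without noticing that the place where cleartext exists has changed. Smaller points: in the node-selector section the first sentence is split across two lines mid-sentence and should read "as the backend set", and "may slow down the Load Balancer" would be more useful if it named what degrades; "is capable to handle" should be "is capable of handling"; the two "See [here]" links for tags and tag policies would read better with descriptive link text.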