allow traffic between pods and lbs

robo-cap · hyder · commit bdd121274da9 · 2026-02-12T17:52:14.000+11:00
diff --git a/examples/cluster/vars-cluster-basic.auto.tfvars b/examples/cluster/vars-cluster-basic.auto.tfvars
@@ -2,4 +2,4 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 cluster_name       = "oke-example"
-kubernetes_version = "v1.32.1"
+kubernetes_version = "v1.34.1"
diff --git a/examples/cluster/vars-cluster-enhanced.auto.tfvars b/examples/cluster/vars-cluster-enhanced.auto.tfvars
@@ -9,7 +9,7 @@ cluster_type                      = "enhanced" // *basic/enhanced
 cni_type                          = "flannel"  // *flannel/npn
 assign_public_ip_to_control_plane = true       // true/*false
 image_signing_keys                = []
-kubernetes_version                = "v1.32.1"
+kubernetes_version                = "v1.34.1"
 pods_cidr                         = "10.244.0.0/16"
 services_cidr                     = "10.96.0.0/16"
 use_signed_images                 = false // true/*false
diff --git a/examples/cluster/vars-cluster-oidc-auth-multiple.auto.tfvars b/examples/cluster/vars-cluster-oidc-auth-multiple.auto.tfvars
@@ -9,7 +9,7 @@ cluster_type                      = "enhanced" // *basic/enhanced
 cni_type                          = "flannel"  // *flannel/npn
 assign_public_ip_to_control_plane = true       // true/*false
 image_signing_keys                = []
-kubernetes_version                = "v1.32.1"
+kubernetes_version                = "v1.34.1"
 pods_cidr                         = "10.244.0.0/16"
 services_cidr                     = "10.96.0.0/16"
 use_signed_images                 = false // true/*false
diff --git a/examples/cluster/vars-cluster-oidc-auth-single.auto.tfvars b/examples/cluster/vars-cluster-oidc-auth-single.auto.tfvars
@@ -9,7 +9,7 @@ cluster_type                      = "enhanced" // *basic/enhanced
 cni_type                          = "flannel"  // *flannel/npn
 assign_public_ip_to_control_plane = true       // true/*false
 image_signing_keys                = []
-kubernetes_version                = "v1.32.1"
+kubernetes_version                = "v1.34.2"
 pods_cidr                         = "10.244.0.0/16"
 services_cidr                     = "10.96.0.0/16"
 use_signed_images                 = false // true/*false
diff --git a/examples/cluster/vars-cluster-oidc-discovery.auto.tfvars b/examples/cluster/vars-cluster-oidc-discovery.auto.tfvars
@@ -9,7 +9,7 @@ cluster_type                      = "enhanced" // *basic/enhanced
 cni_type                          = "flannel"  // *flannel/npn
 assign_public_ip_to_control_plane = true       // true/*false
 image_signing_keys                = []
-kubernetes_version                = "v1.32.1"
+kubernetes_version                = "v1.34.2"
 pods_cidr                         = "10.244.0.0/16"
 services_cidr                     = "10.96.0.0/16"
 use_signed_images                 = false // true/*false
diff --git a/modules/cluster/cluster.tf b/modules/cluster/cluster.tf
@@ -103,7 +103,7 @@ resource "oci_containerengine_cluster" "k8s_cluster" {
   }
 
   lifecycle {
-    ignore_changes = [defined_tags]
+    ignore_changes = [defined_tags, options["kubernetes_network_config"]]
 
     precondition {
       condition     = !var.use_signed_images || length(var.image_signing_keys) > 0
diff --git a/modules/network/nsg-loadbalancers-int.tf b/modules/network/nsg-loadbalancers-int.tf
@@ -30,6 +30,13 @@ locals {
         protocol = local.tcp_protocol, port = local.health_check_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
       },
     },
+    
+    local.pod_nsg_enabled ? {
+      "Allow all egress from internal load balancers to pods" : {
+        protocol = local.all_protocols, port = local.all_ports, destination = local.pod_nsg_id, destination_type = local.rule_type_nsg,
+      },
+    } : {},
+    
     var.enable_ipv6 ? {
       "Allow ICMPv6 egress from internal load balancers to worker nodes for path discovery" : {
         protocol = local.icmpv6_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
@@ -55,17 +62,27 @@ locals {
         protocol = local.udp_protocol, source_port_min = local.node_port_min, source_port_max = local.node_port_max, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
       },
 
-      "Allow TCP egress from internal load balancers to workers for health checks" : {
-        protocol = local.tcp_protocol, destination_port_min = local.health_check_port, destination_port_max = local.health_check_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg, stateless = true
+      "Allow TCP egress from internal load balancers to pods for health checks" : {
+        protocol = local.tcp_protocol, destination_port_min = local.health_check_port, destination_port_max = local.health_check_port, destination = local.pod_nsg_id, destination_type = local.rule_type_nsg, stateless = true
       },
-      "Allow TCP egress to internal load balancers from workers for health checks" : {
-        protocol = local.tcp_protocol, source_port_min = local.health_check_port, source_port_max = local.health_check_port, source = local.worker_nsg_id, source_type = local.rule_type_nsg, stateless = true
+      "Allow TCP egress to internal load balancers from pods for health checks" : {
+        protocol = local.tcp_protocol, source_port_min = local.health_check_port, source_port_max = local.health_check_port, source = local.pod_nsg_id, source_type = local.rule_type_nsg, stateless = true
       },
 
       "Allow ICMP egress from internal load balancers to worker nodes for path discovery" : {
         protocol = local.icmp_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
       },
     },
+
+    local.pod_nsg_enabled ? {
+      "Allow all egress from internal load balancers to pods" : {
+        protocol = local.all_protocols, port = local.all_ports, destination = local.pod_nsg_id, destination_type = local.rule_type_nsg, stateless = true
+      },
+      "Allow all ingress from pods to internal load balancers" : {
+        protocol = local.all_protocols, port = local.all_ports, source = local.pod_nsg_id, source_type = local.rule_type_nsg, stateless = true
+      },
+    } : {},
+
     var.enable_ipv6 ? {
       "Allow ICMPv6 egress from internal load balancers to worker nodes for path discovery" : {
         protocol = local.icmpv6_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
diff --git a/modules/network/nsg-loadbalancers-pub.tf b/modules/network/nsg-loadbalancers-pub.tf
@@ -31,6 +31,13 @@ locals {
         protocol = local.icmp_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
       },
     },
+
+    local.pod_nsg_enabled ? {
+      "Allow all egress from public load balancers to pods" : {
+        protocol = local.all_protocols, port = local.all_ports, destination = local.pod_nsg_id, destination_type = local.rule_type_nsg,
+      },
+    } : {},
+
     var.enable_ipv6 ? {
       "Allow ICMPv6 egress from public load balancers to worker nodes for path discovery" : {
         protocol = local.icmpv6_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
@@ -67,6 +74,16 @@ locals {
         protocol = local.icmp_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
       },
     },
+
+    local.pod_nsg_enabled ? {
+      "Allow all egress from public load balancers to pods" : {
+        protocol = local.all_protocols, port = local.all_ports, destination = local.pod_nsg_id, destination_type = local.rule_type_nsg, stateless = true
+      },
+      "Allow all ingress from pods to public load balancers" : {
+        protocol = local.all_protocols, port = local.all_ports, source = local.pod_nsg_id, source_type = local.rule_type_nsg, stateless = true
+      },
+    } : {},
+
     var.enable_ipv6 ? {
       "Allow ICMPv6 egress from public load balancers to worker nodes for path discovery" : {
         protocol = local.icmpv6_protocol, port = local.all_ports, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
diff --git a/modules/network/nsg-pods.tf b/modules/network/nsg-pods.tf
@@ -48,9 +48,27 @@ locals {
       }
       "Allow ICMP ingress to pods for path discovery" = {
         protocol = local.icmp_protocol, port = local.all_ports, source = local.anywhere, source_type = local.rule_type_cidr,
-      }
+      },
     },
 
+    local.int_lb_nsg_enabled ? {
+      "Allow ALL egress from pods to internal_lb" = {
+        protocol = local.all_protocols, port = local.all_ports, destination = local.int_lb_nsg_id, destination_type = local.rule_type_nsg,
+      }
+      "Allow ALL ingress from internal_lb to pods" = {
+        protocol = local.all_protocols, port = local.all_ports, source = local.int_lb_nsg_id, source_type = local.rule_type_nsg,
+      }
+    } : {},
+
+    local.pub_lb_nsg_enabled ? {
+      "Allow ALL egress from pods to pub_lb" = {
+        protocol = local.all_protocols, port = local.all_ports, destination = local.pub_lb_nsg_id, destination_type = local.rule_type_nsg,
+      }
+      "Allow ALL ingress from pub_lb to pods" = {
+        protocol = local.all_protocols, port = local.all_ports, source = local.pub_lb_nsg_id, source_type = local.rule_type_nsg,
+      }
+    }: {},
+
     var.enable_ipv6 ? {
       "Allow ICMPv6 ingress to pods for path discovery" : {
         protocol = local.icmpv6_protocol, port = local.all_ports, source = local.anywhere_ipv6, source_type = local.rule_type_cidr,
@@ -114,6 +132,24 @@ locals {
       }
     },
 
+    local.int_lb_nsg_enabled ? {
+      "Allow ALL egress from pods to internal_lb" = {
+        protocol = local.all_protocols, port = local.all_ports, destination = local.int_lb_nsg_id, destination_type = local.rule_type_nsg, stateless = true
+      }
+      "Allow ALL egress from pods to internal_lb" = {
+        protocol = local.all_protocols, port = local.all_ports, source = local.int_lb_nsg_id, source_type = local.rule_type_nsg, stateless = true
+      }
+    } : {},
+
+    local.pub_lb_nsg_enabled ? {
+      "Allow ALL egress from pods to pub_lb" = {
+        protocol = local.all_protocols, port = local.all_ports, destination = local.pub_lb_nsg_id, destination_type = local.rule_type_nsg, stateless = true
+      }
+      "Allow ALL egress from pods to pub_lb" = {
+        protocol = local.all_protocols, port = local.all_ports, source = local.pub_lb_nsg_id, source_type = local.rule_type_nsg, stateless = true
+      }
+    }: {},
+    
     var.enable_ipv6 ? {
       "Allow ICMPv6 ingress to pods for path discovery" : {
         protocol = local.icmpv6_protocol, port = local.all_ports, source = local.anywhere_ipv6, source_type = local.rule_type_cidr,
diff --git a/variables-cluster.tf b/variables-cluster.tf
@@ -82,7 +82,7 @@ variable "services_cidr" {
 }
 
 variable "kubernetes_version" {
-  default     = "v1.26.2"
+  default     = "v1.34.2"
   description = "The version of kubernetes to use when provisioning OKE or to upgrade an existing OKE cluster to."
   type        = string
 }

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ resource "oci_containerengine_cluster" "k8s_cluster" {`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`lifecycle {`
`106`		`- ignore_changes = [defined_tags]`
	`106`	`+ ignore_changes = [defined_tags, options["kubernetes_network_config"]]`
`107`	`107`
`108`	`108`	`precondition {`
`109`	`109`	`condition = !var.use_signed_images \|\| length(var.image_signing_keys) > 0`
Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ variable "services_cidr" {`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`variable "kubernetes_version" {`
`85`		`- default = "v1.26.2"`
	`85`	`+ default = "v1.34.2"`
`86`	`86`	`description = "The version of kubernetes to use when provisioning OKE or to upgrade an existing OKE cluster to."`
`87`	`87`	`type = string`
`88`	`88`	`}`