IaC Bazaar
Oracle Cloud · Plan-validated

OKE Managed Kubernetes Cluster

Enhanced OKE cluster with managed + virtual node pools, private API endpoint, NSGs, addons and OIDC — flagship OCI workload platform.

terraform · Oracle Cloud · #oci


oci-oke · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan: findings disclosed (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

oci-oke

Enhanced OKE cluster with managed + virtual node pools, private API endpoint, NSGs, addons and OIDC — flagship OCI workload platform. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults:

  • Kubernetes API endpoint is private (endpoint_public_ip_enabled = false); reach it from inside the VCN or over a bastion/VPN
  • Kubernetes dashboard, Tiller and the PodSecurityPolicy admission controller are all disabled (all three are legacy; PSP was removed from Kubernetes in 1.25)
  • In-transit encryption for persistent volumes is enabled by default on every managed node pool
  • Optional Vault (KMS) keys: kms_key_id encrypts Kubernetes secrets at rest in etcd; image_signing_key_ids turns on the image-verification policy so only container images signed with those keys are admitted
  • On scale-down, nodes are cordoned and drained within an eviction grace period and are never force-deleted
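
The provider attributes behind each of those defaults, as an added illustration written for this page (a reconstruction, not the oci-oke module's own source): attribute names follow the oracle/oci provider schema for oci_containerengine_cluster and oci_containerengine_node_pool as the editor knows it, so verify them against your provider version; the resource label `this`, the `PT1H` grace period and the node-pool object fields (taken from the Inputs table) are assumptions.

```hcl
# Illustrative reconstruction, not the oci-oke module's own source.
# Resource label "this" and the grace period are assumptions.

resource "oci_containerengine_cluster" "this" {
  compartment_id     = var.compartment_id
  name               = var.name
  kubernetes_version = var.kubernetes_version
  vcn_id             = var.vcn_id
  type               = var.cluster_type # BASIC_CLUSTER | ENHANCED_CLUSTER
  kms_key_id         = var.kms_key_id   # null => Oracle-managed etcd encryption

  endpoint_config {
    subnet_id            = var.endpoint_subnet_id
    is_public_ip_enabled = var.endpoint_public_ip_enabled # default false: private API
    nsg_ids              = var.endpoint_nsg_ids
  }

  cluster_pod_network_options {
    cni_type = var.cni_type
  }

  # Signed-image enforcement is only switched on when keys are supplied.
  image_policy_config {
    is_policy_enabled = length(var.image_signing_key_ids) > 0
    dynamic "key_details" {
      for_each = var.image_signing_key_ids
      content {
        kms_key_id = key_details.value
      }
    }
  }

  options {
    service_lb_subnet_ids = var.service_lb_subnet_ids

    # Legacy components stay off; PodSecurityPolicy no longer exists in k8s >= 1.25.
    add_ons {
      is_kubernetes_dashboard_enabled = false
      is_tiller_enabled               = false
    }
    admission_controller_options {
      is_pod_security_policy_enabled = false
    }

    kubernetes_network_config {
      pods_cidr     = var.pods_cidr
      services_cidr = var.services_cidr
    }

    # OIDC discovery is an enhanced-cluster feature, so it is gated on cluster_type.
    open_id_connect_discovery {
      is_open_id_connect_discovery_enabled = var.cluster_type == "ENHANCED_CLUSTER" && var.oidc_discovery_enabled
    }
  }
}

resource "oci_containerengine_node_pool" "this" {
  for_each = var.node_pools

  cluster_id         = oci_containerengine_cluster.this.id
  compartment_id     = var.compartment_id
  name               = each.key
  kubernetes_version = var.kubernetes_version
  node_shape         = each.value.shape

  node_source_details {
    source_type = "IMAGE"
    image_id    = each.value.image_id # must match kubernetes_version (see Notes)
  }

  node_config_details {
    size                                = each.value.size
    nsg_ids                             = each.value.nsg_ids
    is_pv_encryption_in_transit_enabled = true # secure default

    dynamic "placement_configs" {
      for_each = each.value.placements
      content {
        availability_domain = placement_configs.value.availability_domain
        subnet_id           = placement_configs.value.subnet_id
      }
    }

    # Pod subnets only apply to the VCN-native CNI; flannel ignores them.
    node_pool_pod_network_option_details {
      cni_type       = var.cni_type
      pod_subnet_ids = var.cni_type == "OCI_VCN_IP_NATIVE" ? each.value.pod_subnet_ids : null
    }
  }

  # Scale-down cordons and drains; a node is never force-deleted mid-eviction.
  node_eviction_node_pool_settings {
    eviction_grace_duration              = "PT1H" # assumed value
    is_force_delete_after_grace_duration = false
  }
}
```

Reading the two resources side by side shows where a reviewer or a Checkov custom policy should look: the private endpoint and NSGs live on the cluster's endpoint_config, the legacy add-ons and PSP flag under options, and the in-transit encryption and eviction behaviour on each node pool rather than on the cluster.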

Usage

module "oke" {
  source = "./oci-oke"

  compartment_id     = "ocid1.compartment.oc1..xxxx"
  name               = "prod"
  kubernetes_version = "v1.33.1"
  vcn_id             = module.vcn.vcn_id
  endpoint_subnet_id = module.vcn.subnet_ids["cp"]

  service_lb_subnet_ids = [module.vcn.subnet_ids["lb"]]

  node_pools = {
    default = {
      size           = 3
      image_id       = "ocid1.image.oc1.iad.xxxx" # OKE worker image for your k8s version
      pod_subnet_ids = [module.vcn.subnet_ids["pods"]]
      placements = [
        { availability_domain = "Uocm:US-ASHBURN-AD-1", subnet_id = module.vcn.subnet_ids["workers"] },
      ]
    }
  }

  addons = {
    CertManager = {}
  }
}

Inputs

Name | Type | Default | Description
compartment_id | string | (required) | Compartment OCID
name | string | (required) | Cluster display name
kubernetes_version | string | (required) | Control-plane version, e.g. v1.33.1
vcn_id | string | (required) | VCN OCID
cluster_type | string | ENHANCED_CLUSTER | BASIC_CLUSTER or ENHANCED_CLUSTER
cni_type | string | OCI_VCN_IP_NATIVE | Pod networking; FLANNEL_OVERLAY for overlay
endpoint_subnet_id | string | (required) | API endpoint subnet
endpoint_nsg_ids | list(string) | [] | NSGs on the API endpoint
endpoint_public_ip_enabled | bool | false | Public IP on the API endpoint
service_lb_subnet_ids | list(string) | [] | Subnets for LoadBalancer services
pods_cidr | string | 10.244.0.0/16 | Pod CIDR (flannel)
services_cidr | string | 10.96.0.0/16 | ClusterIP service CIDR
kms_key_id | string | null | Vault key for etcd secret encryption
image_signing_key_ids | list(string) | [] | Vault keys enabling image-signature policy
oidc_discovery_enabled | bool | true | OIDC discovery endpoint (enhanced only)
node_pools | map(object) | {} | Managed pools: size, shape, ocpus, memory_gb, image_id, placements, pod_subnet_ids, nsg_ids, labels, eviction settings…
virtual_node_pools | map(object) | {} | Serverless pools: size, pod_shape, pod_subnet_id, placements, taints, labels
addons | map(object) | {} | Addons keyed by name: version, configurations
freeform_tags | map(string) | {} | Freeform tags on all resources

Outputs

cluster_id, cluster_endpoints, kubeconfig (sensitive), node_pool_ids, virtual_node_pool_ids, addon_ids.

Notes

  • CNI choice: OCI_VCN_IP_NATIVE (default) gives pods routable VCN IPs — every node pool then needs pod_subnet_ids. FLANNEL_OVERLAY needs no pod subnets and is the simpler starting point.
  • Virtual node pools, addons and OIDC discovery require cluster_type = ENHANCED_CLUSTER (preconditions enforce this); enhanced clusters carry a per-cluster hourly fee.
  • image_id must be an OKE worker image matching your Kubernetes version (look it up per region/version — it is deliberately not guessed here).
  • Worker subnets are usually private; pair with oci-vcn for NAT/service gateway egress and reach the private API via bastion/VPN.
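
How a cross-variable guard of that kind and the mocked plan test that exercises it fit together, as an added example written for this page (not the module's own guard or test files): the `terraform_data.enhanced_only` resource, both file names and the virtual-node-pool object shape are assumptions, and `mock_provider` needs Terraform or OpenTofu >= 1.7. The guard below covers virtual node pools and addons only; oidc_discovery_enabled defaults to true, so a module that also enforces it for OIDC (as the Notes state) must gate that attribute on cluster_type rather than fail every BASIC_CLUSTER plan with default inputs.

```hcl
# --- guards.tf (assumed file name; illustrative, not the module's source) ---
# Terraform 1.6 cannot reference other variables inside a variable
# "validation" block, so the cross-variable rule lives in a lifecycle
# precondition on a no-op built-in terraform_data resource. A false
# precondition aborts the whole plan, so nothing gets created.
resource "terraform_data" "enhanced_only" {
  lifecycle {
    precondition {
      condition = var.cluster_type == "ENHANCED_CLUSTER" || (
        length(var.virtual_node_pools) == 0 && length(var.addons) == 0
      )
      error_message = "virtual_node_pools and addons require cluster_type = \"ENHANCED_CLUSTER\"."
    }
  }
}

# --- tests/enhanced_only.tftest.hcl (assumed path; Terraform/OpenTofu >= 1.7) ---
# No OCI credentials and no API calls: every oci_* resource and data source
# is mocked, so the run checks only the module's own logic, which is what
# the catalog's "plan-validated" badge means.
mock_provider "oci" {}

# Constructed placeholder OCIDs; never resolved because the provider is mocked.
variables {
  compartment_id     = "ocid1.compartment.oc1..example"
  name               = "plan-test"
  kubernetes_version = "v1.33.1"
  vcn_id             = "ocid1.vcn.oc1.iad.example"
  endpoint_subnet_id = "ocid1.subnet.oc1.iad.example"

  # Object shape assumed from the Inputs table (size, pod_shape, pod_subnet_id, placements).
  virtual_node_pools = {
    serverless = {
      size          = 1
      pod_shape     = "Pod.Standard.E4.Flex"
      pod_subnet_id = "ocid1.subnet.oc1.iad.example"
      placements = [
        { availability_domain = "Uocm:US-ASHBURN-AD-1", subnet_id = "ocid1.subnet.oc1.iad.example" },
      ]
    }
  }
}

run "basic_cluster_rejects_virtual_pools" {
  command = plan
  variables {
    cluster_type = "BASIC_CLUSTER"
  }
  # The plan must fail, and only this precondition may be the cause;
  # any other error still fails the test.
  expect_failures = [terraform_data.enhanced_only]
}

run "enhanced_cluster_accepts_virtual_pools" {
  command = plan
  variables {
    cluster_type = "ENHANCED_CLUSTER"
  }
  # Passes as long as the plan succeeds; the assert also pins the
  # private-endpoint default so a changed default fails CI.
  assert {
    condition     = var.endpoint_public_ip_enabled == false
    error_message = "endpoint_public_ip_enabled must default to false"
  }
}
```

Run it with `terraform test` (or `tofu test`) from the module root; the first run proves the guard fires for a BASIC_CLUSTER, the second that the same inputs plan cleanly once cluster_type is ENHANCED_CLUSTER. Assertions stay on input variables and the precondition because, with a mocked provider, computed attributes such as the cluster OCID are still unknown at plan time.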

Requirements

  • Terraform or OpenTofu >= 1.6
  • Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint) and plan-tested against a mocked provider (validation rules, outputs); Checkov findings are disclosed in the catalog entry above. Live apply/destroy testing is pending cloud sandbox availability (see catalog status).

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).