OKE Managed Kubernetes Cluster

oci-oke

Enhanced OKE cluster with managed + virtual node pools, private API endpoint, NSGs, addons and OIDC — flagship OCI workload platform. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults:

• Kubernetes API endpoint is private (endpoint_public_ip_enabled = false)
• Kubernetes dashboard, Tiller and PodSecurityPolicy admission all disabled
• In-transit encryption for persistent volumes on by default per node pool
• Optional KMS key for etcd secret encryption and image-signature enforcement
• Nodes are cordoned & drained on scale-down (eviction grace, no force-delete)

Usage

module "oke" {
  source = "./oci-oke"

  compartment_id     = "ocid1.compartment.oc1..xxxx"
  name               = "prod"
  kubernetes_version = "v1.33.1"
  vcn_id             = module.vcn.vcn_id
  endpoint_subnet_id = module.vcn.subnet_ids["cp"]

  service_lb_subnet_ids = [module.vcn.subnet_ids["lb"]]

  node_pools = {
    default = {
      size           = 3
      image_id       = "ocid1.image.oc1.iad.xxxx" # OKE worker image for your k8s version
      pod_subnet_ids = [module.vcn.subnet_ids["pods"]]
      placements = [
        { availability_domain = "Uocm:US-ASHBURN-AD-1", subnet_id = module.vcn.subnet_ids["workers"] },
      ]
    }
  }

  addons = {
    CertManager = {}
  }
}

Inputs

Name	Type	Default	Description
compartment_id	string	—	Compartment OCID (required)
name	string	—	Cluster display name (required)
kubernetes_version	string	—	Control-plane version, e.g. v1.33.1 (required)
vcn_id	string	—	VCN OCID (required)
cluster_type	string	ENHANCED_CLUSTER	BASIC_CLUSTER or ENHANCED_CLUSTER
cni_type	string	OCI_VCN_IP_NATIVE	Pod networking; FLANNEL_OVERLAY for overlay
endpoint_subnet_id	string	—	API endpoint subnet (required)
endpoint_nsg_ids	list(string)	[]	NSGs on the API endpoint
endpoint_public_ip_enabled	bool	false	Public IP on the API endpoint
service_lb_subnet_ids	list(string)	[]	Subnets for LoadBalancer services
pods_cidr	string	10.244.0.0/16	Pod CIDR (flannel)
services_cidr	string	10.96.0.0/16	ClusterIP service CIDR
kms_key_id	string	null	Vault key for etcd secret encryption
image_signing_key_ids	list(string)	[]	Vault keys enabling image-signature policy
oidc_discovery_enabled	bool	true	OIDC discovery endpoint (enhanced only)
node_pools	map(object)	{}	Managed pools: size, shape, ocpus, memory_gb, image_id, placements, pod_subnet_ids, nsg_ids, labels, eviction settings…
virtual_node_pools	map(object)	{}	Serverless pools: size, pod_shape, pod_subnet_id, placements, taints, labels
addons	map(object)	{}	Addons keyed by name: version, configurations
freeform_tags	map(string)	{}	Freeform tags on all resources

Outputs

cluster_id, cluster_endpoints, kubeconfig (sensitive), node_pool_ids, virtual_node_pool_ids, addon_ids.

Notes

• CNI choice: OCI_VCN_IP_NATIVE (default) gives pods routable VCN IPs — every node pool then needs pod_subnet_ids. FLANNEL_OVERLAY needs no pod subnets and is the simpler starting point.
• Virtual node pools, addons and OIDC discovery require cluster_type = ENHANCED_CLUSTER (preconditions enforce this); enhanced clusters carry a per-cluster hourly fee.
• image_id must be an OKE worker image matching your Kubernetes version (look it up per region/version — it is deliberately not guessed here).
• Worker subnets are usually private; pair with oci-vcn for NAT/service gateway egress and reach the private API via bastion/VPN.

Requirements

• Terraform or OpenTofu >= 1.6
• Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).