Only authorized individuals and systems should be able to reach your clusters, and controlling network access is the first line of defense against unauthorized actors. Kubernetes clusters managed by OKE have the following components that you interact with directly:
- The Kubernetes API endpoint, the main entry point to deploy applications, check state, or perform other cluster operations
- The worker nodes that run your containerized applications
- The load balancers exposing your containerized applications
Each component requires specific network flows, and each flow must be enabled by a security rule. Consider a typical Kubernetes cluster. Developers, administrators, and continuous integration and delivery (CI/CD) systems reach the Kubernetes API endpoint over HTTPS. Administrators reach the worker nodes over Secure Shell (SSH) for troubleshooting. Finally, a broader audience, possibly the whole internet, reaches the applications running in the cluster through the load balancers on an application-specific port and protocol. Each of these flows should be restricted to the narrowest source range the use case allows; in particular, the API endpoint and SSH on the worker nodes should not be reachable from 0.0.0.0/0 when a CI/CD range or a bastion range will do.
A common approach is to create a subnet for each type of cluster component and attach to each subnet a security list containing the rules that component requires. However, carving out several subnets for every cluster and maintaining a security list for each is considerable work for network administrators, who would rather manage fewer subnets and let cluster administrators harden their own clusters.
OKE supports network security groups (NSGs) for all cluster components. An NSG is a set of ingress and egress security rules that applies to the virtual network interface cards (VNICs) placed in the group rather than to a whole subnet, so VNICs in the same subnet can carry different rules. This separates your VCN’s subnet architecture from your cluster components’ security requirements. One caveat to keep in mind: when a VNIC belongs to NSGs and its subnet also has a security list, the rules that apply are the union of both, so a permissive subnet security list is not tightened by a stricter NSG. Keep the subnet security list minimal and put the component-specific rules in the NSGs.
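The following is an added example, not code from OKE or OCI, that models the per-component rule sets described above (HTTPS to the API endpoint, SSH to the workers, the application port on the load balancer) as NSG rules in the shape the OCI API uses, and then evaluates constructed flows against them, including ones that must be denied. The NSG names, CIDRs, IP addresses, and the NSG-to-NSG rules between the API endpoint, load balancer and workers are assumptions chosen for illustration; check the OKE documentation for the exact ports your cluster version needs.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not OKE's or OCI's own code. It models OCI network security
# group (NSG) rules (direction, IANA protocol number, a peer given as a CIDR
# block or as another NSG, a TCP port range) and evaluates whether a flow is
# permitted. NSG names, CIDRs, IPs and NSG-to-NSG rules are assumptions.

TCP = "6"
ANY = "all"


@dataclass(frozen=True)
class Rule:
    direction: str       # "INGRESS" or "EGRESS"
    protocol: str        # "6" (TCP), "17" (UDP), "all"
    peer: str            # CIDR block or NSG name; OCI calls this `source`
                         # on ingress rules and `destination` on egress rules
    peer_type: str       # "CIDR_BLOCK" or "NETWORK_SECURITY_GROUP"
    port_min: int = 1    # destination port range (ignored when protocol is "all")
    port_max: int = 65535


@dataclass(frozen=True)
class Vnic:
    name: str
    ip: str
    nsgs: tuple          # names of the NSGs attached to this VNIC


# One NSG per cluster component instead of one security list per subnet.
NSGS = {
    "nsg-api-endpoint": [
        # Developers, admins and CI/CD reach the Kubernetes API over HTTPS
        Rule("INGRESS", TCP, "203.0.113.0/24", "CIDR_BLOCK", 443, 443),
        # (assumption) control plane to kubelet on the workers
        Rule("EGRESS", TCP, "nsg-workers", "NETWORK_SECURITY_GROUP", 10250, 10250),
    ],
    "nsg-workers": [
        # Admin SSH only from the bastion range
        Rule("INGRESS", TCP, "10.0.0.0/29", "CIDR_BLOCK", 22, 22),
        # (assumption) kubelet from the API endpoint NSG, not from a CIDR
        Rule("INGRESS", TCP, "nsg-api-endpoint", "NETWORK_SECURITY_GROUP", 10250, 10250),
        # (assumption) application traffic only via the load balancer NSG
        Rule("INGRESS", TCP, "nsg-lb", "NETWORK_SECURITY_GROUP", 30000, 32767),
        Rule("EGRESS", ANY, "0.0.0.0/0", "CIDR_BLOCK"),
    ],
    "nsg-lb": [
        # The internet reaches the application on HTTPS
        Rule("INGRESS", TCP, "0.0.0.0/0", "CIDR_BLOCK", 443, 443),
        Rule("EGRESS", TCP, "nsg-workers", "NETWORK_SECURITY_GROUP", 30000, 32767),
    ],
}

# Constructed inventory of VNICs and their NSG memberships
VNICS = [
    Vnic("api-endpoint", "10.0.1.10", ("nsg-api-endpoint",)),
    Vnic("worker-0", "10.0.2.20", ("nsg-workers",)),
    Vnic("worker-1", "10.0.2.21", ("nsg-workers",)),
    Vnic("lb", "10.0.3.30", ("nsg-lb",)),
]


def vnic_for(ip):
    return next((v for v in VNICS if v.ip == ip), None)


def peer_matches(rule, ip):
    if rule.peer_type == "CIDR_BLOCK":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.peer)
    # NSG peer: the other end must be a VNIC that is a member of that NSG
    v = vnic_for(ip)
    return v is not None and rule.peer in v.nsgs


def rule_matches(rule, direction, peer_ip, protocol, port):
    if rule.direction != direction:
        return False
    if rule.protocol != ANY and rule.protocol != protocol:
        return False
    if rule.protocol != ANY and not (rule.port_min <= port <= rule.port_max):
        return False
    return peer_matches(rule, peer_ip)


def permitted_by(vnic, direction, peer_ip, protocol, port):
    """Return the (nsg, rule) permitting this direction on the VNIC, or None.
    Rules are additive: any match across the attached NSGs allows."""
    for nsg in vnic.nsgs:
        for rule in NSGS[nsg]:
            if rule_matches(rule, direction, peer_ip, protocol, port):
                return nsg, rule
    return None


def flow_allowed(src_ip, dst_ip, protocol, port):
    """A flow needs an INGRESS match on the destination VNIC and, when the
    source is also a VNIC in the VCN, an EGRESS match on the source VNIC.
    Rules are modelled as stateful, so the reply path is not checked."""
    dst = vnic_for(dst_ip)
    if dst is None or permitted_by(dst, "INGRESS", src_ip, protocol, port) is None:
        return False
    src = vnic_for(src_ip)
    if src is not None and permitted_by(src, "EGRESS", dst_ip, protocol, port) is None:
        return False
    return True


def audit():
    """Constructed flows: the intended paths plus ones that must be denied."""
    checks = {
        "ci/cd -> api https": ("203.0.113.7", "10.0.1.10", TCP, 443),
        "bastion -> worker ssh": ("10.0.0.5", "10.0.2.20", TCP, 22),
        "internet -> lb https": ("198.51.100.9", "10.0.3.30", TCP, 443),
        "lb -> worker nodeport": ("10.0.3.30", "10.0.2.21", TCP, 31000),
        "api -> worker kubelet": ("10.0.1.10", "10.0.2.20", TCP, 10250),
        "internet -> worker ssh": ("198.51.100.9", "10.0.2.20", TCP, 22),
        "internet -> api https": ("198.51.100.9", "10.0.1.10", TCP, 443),
        "internet -> worker nodeport": ("198.51.100.9", "10.0.2.20", TCP, 31000),
    }
    return {name: flow_allowed(*flow) for name, flow in checks.items()}


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

The last three flows show why NSG-to-NSG peers are preferable to CIDR peers for east-west traffic: the worker NodePort range is open only to VNICs that are members of the load balancer NSG, so a client on the internet that can reach the same port number is still denied. The model deliberately ignores subnet security lists; in a real VCN their rules are added to the NSG rules, so this evaluation is only accurate when the subnet security list is kept minimal.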