Support and Shared Responsibilities

Kubernetes Components

Kubernetes Engine manages the following Kubernetes components of the data plane:

• kubelet
• kube-proxy
• CNI plugin (kube-flannel or VCN Native pod networking)
• CSI volume plugin
• CoreDNS
• Additional add-ons running in the kube-system namespace (more specifically, just those add-ons installed by Kubernetes Engine, and those add-ons for which installation instructions have been included in the Kubernetes Engine documentation).

These components run in the Kubernetes data plane, and you therefore have access to them. You and Oracle share responsibility for ensuring that the components are functioning properly. Oracle hardens the above components to comply with Center for Internet Security (CIS) and Security Technical Implementation Guide (STIG) benchmarks. However, if you modify or remove any of the components, Oracle will consider the cluster unsupported.

Worker Nodes

Worker nodes in user tenancies (managed nodes and self-managed nodes) are part of the data plane, and you and Oracle share responsibility for them. Furthermore, worker nodes execute private code, and store sensitive data. As a result, Kubernetes Engine and Oracle Support do not have access to worker nodes. Therefore, you have a responsibility to assist in the maintenance of worker nodes. For example, without your assistance, Oracle Support cannot sign in to worker nodes, execute commands on worker nodes, or view logs for worker nodes.

It is Oracle's responsibility to:

• Provide Oracle-supported OS images for worker nodes, and to promptly provide patches to those images as necessary. Note that Oracle does not does not automatically patch worker nodes, and does not provide patches for custom images.
• Enhance Kubernetes Engine to support new Kubernetes versions.
• Enable you to upgrade existing worker nodes from older (but still supported) Kubernetes versions to more recent versions.
• Support the upgrade of worker nodes from non-supported Kubernetes versions of Kubernetes to supported versions (even though Oracle does not provide support for clusters running non-supported versions).

It is your responsibility to:

• Regularly update the OS image running on worker nodes by changing their node pool's Image property, and removing worker nodes running older images (see Creating Worker Nodes with Updated Properties). Note this applies to the host-level operating system running on the nodes beneath containers, rather than the operating system running in containers themselves.
• Regularly upgrade worker nodes to Kubernetes versions supported by Kubernetes Engine (see Upgrading Clusters to Newer Kubernetes Versions).
• Harden the host operating system and any non-Kubernetes data plane software to meet compliance and security requirements (for example, CIS or STIG benchmarks).
• Maintain workloads, including application code, build files, container images, data, Role-based access control (RBAC)/IAM policies, and containers and pods.
• Setup and maintain required cluster networking , including VCNs, subnets, gateways, and so on (see Network Resource Configuration for Cluster Creation and Deployment).
• Monitor the cluster and applications, and respond to any alerts and incidents.
• Provide Oracle with environment details when requested for troubleshooting purposes.

Areas covered by Oracle Support

Oracle provides support via My Oracle Support (MOS) for the following areas:

• Connectivity to the Kubernetes API server.
• Management, uptime, quality of service, and operations of all Kubernetes components that Kubernetes Engine provides and supports.
• Any integration points in the OCI cloud-controller-manager provider for Kubernetes. These integration points include integration with other OCI services (such as load balancers, persistent volumes, and networking).
• Issues related to networking (such as kube-proxy, CoreDNS, or other network access and functionality issues). Note that changes to the Kubernetes data plane components are not supported.

• Failures associated with other OCI services that are outside Kubernetes Engine (for these cases, raise a MOS support ticket for the service that is failing). Examples include, but are not limited to:

  • Block volumes failing to attach to a worker node.
  • Load balancers dropping network packets.
• Configuration of OCI resources other than those used by Kubernetes Engine.
• Limits and Quota for services beyond Kubernetes Engine, such as compute, load balancers, and block volumes.

Areas not covered by Oracle Support

Oracle does not provide support for the following areas:

• Questions about how to use Kubernetes. For example, advice on how to create manifest files, how to deploy images, how to structure applications for Kubernetes.
• Third-party open-source projects that are not provided as part of the Kubernetes control plane, or not deployed with clusters created by Kubernetes Engine. These projects might include Istio, Helm, Envoy, and others. If Oracle provides documentation on how to install such a project, Oracle will provide best effort support.
• Third-party closed-source software. This software can include security scanning tools and networking devices or software.
• Versions of Kubernetes beyond those listed in Supported Versions of Kubernetes. If you request support for a cluster running an unsupported version of Kubernetes, you will be asked to upgrade the cluster to a supported version of Kubernetes. To learn more about which versions of Kubernetes are currently supported, refer to Supported Versions of Kubernetes.
• Upstream Kubernetes bugs.
• Kubernetes Alpha features.