Required IAM Policies for Using Virtual Nodes

Find out about the IAM policies to create to use virtual nodes with Kubernetes Engine (OKE).

Before you can use virtual nodes, you must set up at least one IAM policy, which is required in all circumstances for both tenancy administrators and non-administrator users. To enable non-administrator users to use virtual nodes, you must also set up an additional policy:

  • Required in all circumstances, for both tenancy administrators and non-administrator users: To create and use clusters with virtual nodes and virtual node pools, you must endorse the Kubernetes Engine service to allow virtual nodes to create container instances in the Kubernetes Engine service tenancy with a VNIC connected to a subnet of a VCN in your tenancy. Create a policy in the root compartment with the following policy statements, exactly as shown:

    define tenancy ske as ocid1.tenancy.oc1..aaaaaaaacrvwsphodcje6wfbc3xsixhzcan5zihki6bvc7xkwqds4tqhzbaq

    define compartment ske_compartment as ocid1.compartment.oc1..aaaaaaaa2bou6r766wmrh5zt3vhu2rwdya7ahn4dfdtwzowb662cmtdc5fea

    endorse any-user to associate compute-container-instances in compartment ske_compartment of tenancy ske with subnets in tenancy where ALL {request.principal.type='virtualnode',request.operation='CreateContainerInstance',request.principal.subnet=2.subnet.id}

    endorse any-user to associate compute-container-instances in compartment ske_compartment of tenancy ske with vnics in tenancy where ALL {request.principal.type='virtualnode',request.operation='CreateContainerInstance',request.principal.subnet=2.subnet.id}

    endorse any-user to associate compute-container-instances in compartment ske_compartment of tenancy ske with network-security-group in tenancy where ALL {request.principal.type='virtualnode',request.operation='CreateContainerInstance'}
  • Also required for non-administrator users: To create and use clusters with virtual nodes and virtual node pools, you must give users the required permissions. To grant these permissions, create an IAM policy with the following policy statements:

    allow group <group-name> to manage cluster-virtualnode-pools in compartment <compartment-name>
    allow group <group-name> to read virtual-network-family in compartment <compartment-name>
    allow group <group-name> to manage vnics in compartment <compartment-name>

    Note that if a group is not in the default identity domain, prefix the group name with the identity domain name, in the format group '<identity-domain-name>'/'<group-name>'. You can also specify a group using its OCID, in the format group id <group-ocid>.
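The endorse statements in the first policy above are only safe because of their where-clauses: the conditions restrict the cross-tenancy grant to virtual-node principals performing CreateContainerInstance against the subnet they were given. The following audit script is an added example, not Oracle's code or part of this page's policy text; it checks a list of policy statements against the exact statements shown above and flags an endorse that has lost its conditions or its subnet pin. The sample statements are constructed from the page.

```python
import re

# Conditions every endorse statement on the page carries; without them any principal in the
# Kubernetes Engine tenancy could associate container instances with your network resources.
REQUIRED_CONDITIONS = {"request.principal.type='virtualnode'", "request.operation='CreateContainerInstance'"}
SUBNET_PIN = "request.principal.subnet=2.subnet.id"

def parse_conditions(statement):
    """Set of conditions in a 'where ALL {...}' (or single 'where') clause; empty if none."""
    m = re.search(r"\bwhere\s+ALL\s*\{([^}]*)\}", statement, re.IGNORECASE)
    if m:
        return {c.strip() for c in m.group(1).split(",") if c.strip()}
    m = re.search(r"\bwhere\s+([^{]+)$", statement, re.IGNORECASE)
    return {m.group(1).strip()} if m else set()

def audit_endorse_statement(statement):
    """Findings for one endorse statement; an empty list means it matches the page's form."""
    findings = []
    if not re.match(r"\s*endorse\s+any-user\s+to\s+associate\s+compute-container-instances\b", statement, re.IGNORECASE):
        findings.append("not an endorse of compute-container-instances")
    if "in compartment ske_compartment of tenancy ske" not in statement:
        findings.append("must target compartment ske_compartment of tenancy ske")
    conds = parse_conditions(statement)
    missing = REQUIRED_CONDITIONS - conds
    if missing:
        findings.append("missing conditions: " + ", ".join(sorted(missing)))
    if re.search(r"with (subnets|vnics) in tenancy", statement) and SUBNET_PIN not in conds:
        findings.append("subnet/vnic association is not pinned to " + SUBNET_PIN)
    return findings

def audit_policy(statements):
    """Map each endorse statement to its findings; also check that both define lines exist."""
    results = {}
    defines = " ".join(s for s in statements if s.lstrip().lower().startswith("define "))
    if "tenancy ske as" not in defines or "compartment ske_compartment as" not in defines:
        results["_defines"] = ["missing 'define tenancy ske' or 'define compartment ske_compartment'"]
    for s in statements:
        if s.lstrip().lower().startswith("endorse "):
            results[s] = audit_endorse_statement(s)
    return results

# Constructed samples: the page's policy as given, plus a weakened copy whose first endorse lost its where-clause.
GOOD_POLICY = [
    "define tenancy ske as ocid1.tenancy.oc1..aaaaaaaacrvwsphodcje6wfbc3xsixhzcan5zihki6bvc7xkwqds4tqhzbaq",
    "define compartment ske_compartment as ocid1.compartment.oc1..aaaaaaaa2bou6r766wmrh5zt3vhu2rwdya7ahn4dfdtwzowb662cmtdc5fea",
    "endorse any-user to associate compute-container-instances in compartment ske_compartment of tenancy ske with subnets in tenancy where ALL {request.principal.type='virtualnode',request.operation='CreateContainerInstance',request.principal.subnet=2.subnet.id}",
    "endorse any-user to associate compute-container-instances in compartment ske_compartment of tenancy ske with vnics in tenancy where ALL {request.principal.type='virtualnode',request.operation='CreateContainerInstance',request.principal.subnet=2.subnet.id}",
    "endorse any-user to associate compute-container-instances in compartment ske_compartment of tenancy ske with network-security-group in tenancy where ALL {request.principal.type='virtualnode',request.operation='CreateContainerInstance'}",
]
WEAK_POLICY = GOOD_POLICY[:2] + [GOOD_POLICY[2].split(" where ")[0]]
```

Run `audit_policy` over the statements of the root-compartment policy as returned by your tenancy (for example, the `statements` field of the policy resource) to confirm nothing was altered when it was pasted in.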