Oracle Container Engine for Kubernetes (OKE) officially supports the use of network security groups (NSGs) for node pools and service load balancers. With NSGs, you can define security rules for your node pools and service load balancers independent of subnet placement. Prior to OKE support for NSG, defining such security rules would require security lists, which are tightly linked to the subnets in your VCN.

For more information on network security groups and security lists, see Network Security Groups and Security Lists.

This blog explores the benefits of using NSGs over security lists to control traffic for your cluster, and how to assign network security groups when creating node pools and service load balancers.

NSGs versus security lists

Network security groups allow you to define security rules that apply to a group of virtual network interface cards (VNICs) of your choosing. Security lists allow you to define a set of security rules that apply to all the VNICs in a subnet.

With the help of NSGs, you can now create an entire OKE cluster within a single subnet, simplifying subnet management altogether. When using security lists, you typically have three separate subnets with different security lists to control inbound and outbound traffic for your K8s API endpoint, worker nodes, and load balancers because these resources have varying security requirements.

To transition from security lists to NSGs, simply create network security groups with identical security rules to your existing security lists. For example network resource configurations, see Example Network Resource Configurations.

Creating and updating node pools with NSGs

You can create or update a node pool with network security groups through the Oracle Cloud Console. Under Developer Services, select Containers & Artifacts and Kubernetes Cluster (OKE). You can “use network security groups to control traffic.” Turn on this option and select up to five network security groups.

To assign NSGs to your node pool, your NSGs must have been created under your node pool’s VCN.

A screenshot of the NSG control configuration.

You can specify up to five NSG OCIDs when creating or updating a node pool through the OCI CLI by using the following commands:

oci ce node-pool create [OPTIONS] --nsg-ids ’["ocid1.network...","ocid1.network...","ocid1.network..."]’
oci ce node-pool update [OPTIONS] --nsg-ids ’["ocid1.network...","ocid1.network...","ocid1.network..."]’

To inspect a node pool’s NSGs using the OCI CLI, you can perform a get request on your node pool. The response includes the OCIDs of the NSGs associated with your node pool.

Creating service load balancers with NSGs

To create a service load balancer with NSGs, specify the NSG OCIDs with the “oci.oraclecloud.com/oci-network-security-groups” annotation in the load balancer manifest file, as shown in the following example:

kind: Service
apiVersion: v1
metadata:
    name: nginx-service
    annotations:
      oci.oraclecloud.com/oci-network-security-groups: "ocid1.networksecuritygroup.oc1.iad...1,ocid1.networksecuritygroup.oc1.iad...2,ocid1.networksecuritygroup.oc1.iad...3"
spec:
    selector:
      app: nginx
    type: LoadBalancer
    ports:
    - name: https
      port: 443
      targetPort: 80

After successfully creating your service load balancer, you can “kubectl describe” it to validate the NSG annotation.

kubectl describe svc nginx-service
Name:             nginx-service
Namespace:        default
Labels:           <none>
Annotations:      kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"oci.oraclecloud.com/oci-network-security-groups":"ocid1.networksecuritygro...

For more information about NSG support for service load balancers, see Specifying Load Balancer Network Security Groups.

Conclusion

OKE support for NSG can help you simplify subnet architecture and facilitate the management of your cluster’s network traffic. Depending on your needs, you can use the following configurations:

  • Multiple subnets with dedicated security lists

  • A single subnet in which resources are members of a dedicated network security group

  • A combination of security lists and NSGs with separate subnets

The security rules that apply to a given VNIC are the union of the security rules in the security lists associated with the VNIC’s subnet and the security rules in all NSGs that the VNIC is in. For more information, see Comparison of Security Lists and Network Security Groups.

If you are interested in learning more about recently released security features for OKE, please see nine features to secure your workloads.