add oke
Co-authored-by: Paola Juárez Gómez  <[email protected]>
hrvolapeter and paolajuarezgomez committed Nov 11, 2024
1 parent 8b1ab65 commit 9266907
Showing 17 changed files with 2,302 additions and 1 deletion.
1 change: 1 addition & 0 deletions CODEOWNERS
@@ -1,4 +1,5 @@
/workload-extensions/ocvs/ @hrvolapeter
/workload-extensions/ebs/ @rphibbert
/workload-extensions/oke/ @paolajuarezgomez
/addons/oci-hub-models/ @vavardan
/addons/oci-sovereign-controls/ @vavardan @hrvolapeter @paolajuarezgomez
Binary file added commons/images/icon_oke.jpg
334 changes: 334 additions & 0 deletions workload-extensions/oke/1_foundation/README.md


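--- a/workload-extensions/oke/1_foundation/identity.auto.tfvars.json
+++ b/workload-extensions/oke/1_foundation/identity.auto.tfvars.json
@@ -0,0 +1,196 @@
+{
+"compartments_configuration": {
+"enable_delete": "true",
+"compartments": {
+"CMP-LZP-PLATFORM-PROD-KEY": {
+"name": "cmp-lzp-p-platform-oke",
+"description": "Platform compartment for oke Prod related resources",
+"parent_id": "CMP-LZP-P-PLATFORM-KEY",
+"defined_tags": null,
+"freeform_tags": null
+},
+"CMP-LZP-PLATFORM-PP-KEY": {
+"name": "cmp-lzp-pp-platform-oke",
+"description": "Platform compartment for oke Dev related resources",
+"parent_id": "CMP-LZP-PP-PLATFORM-KEY",
+"defined_tags": null,
+"freeform_tags": null
+},
+"CMP-LZP-PLATFORM-MGT-KEY": {
+"name": "cmp-lzp-m-platform-oke",
+"description": "Platform compartment for shared oke mgt related resources",
+"parent_id": "CMP-LZP-PLATFORM-KEY",
+"defined_tags": null,
+"freeform_tags": null
+}
+}
+},
+"groups_configuration": {
+"default_defined_tags": null,
+"default_freeform_tags": null,
+"groups": {
+"grp-lzp-p-platform-oke-admins": {
+"name": "grp-lzp-p-platform-oke-admins",
+"description": "Group responsible for administrating oke dev cluster"
+},
+"grp-lzp-p-platform-oke-viewer-role": {
+"name": "grp-lzp-p-platform-oke-viewer-role",
+"description": "OKE viewer role group"
+},
+"grp-lzp-p-platform-oke-admin-role": {
+"name": "grp-lzp-p-platform-oke-admin-role",
+"description": "OKE admin role group"
+},
+"grp-lzp-pp-platform-oke-admins": {
+"name": "grp-lzn-pp-platform-oke-admins",
+"description": "Group responsible for administrating oke dev cluster"
+},
+"grp-lzp-p-platform-oke-viewer-role": {
+"name": "grp-lzp-p-platform-oke-viewer-role",
+"description": "Group for prod rbal viewer role"
+},
+"grp-lzp-p-platform-oke-admin-role": {
+"name": "grp-lzp-p-platform-oke-admin-role",
+"description": "Group for prod rbal admin role"
+},
+"grp-lzp-pp-platform-oke-viewer-role": {
+"name": "grp-lzp-pp-platform-oke-viewer-role",
+"description": "Group for dev rbal viewer role"
+},
+"grp-lzp-pp-platform-oke-admin-role": {
+"name": "grp-lzp-pp-platform-oke-admin-role",
+"description": "Group for dev rbal admin role"
+},
+"grp-lzp-m-platform-oke-admins": {
+"name": "grp-lzp-m-platform-oke-admins",
+"description": "Group responsible for administrating oke mgt cluster"
+}
+}
+},
+"dynamic_groups_configuration": {
+"default_defined_tags": null,
+"default_freeform_tags": null,
+"dynamic_groups": {
+"DG-LZP-SEC-FUN": {
+"name": "dg-lzp-sec-fun-dynamic-group",
+"description": "dynamic group for security functions execution.",
+"matching_rule": "ALL {resource.type = 'fnfun', resource.compartment.id = 'CMP-LZP-SECURITY-KEY'}"
+},
+"DG-LZP-PLATFORM-OKE-PROD": {
+"name": "dg-lzp-p-platform-oke",
+"description": "dynamic group authenticated all instance in Prod OKE cluster with OCI through InstancePrincipal.",
+"matching_rule": "ALL {instance.compartment.id = 'CMP-LZP-PLATFORM-PROD-KEY'}"
+}
+}
+},
+"policies_configuration": {
+"supplied_policies": {
+"PCY-ROOT-OKE-ADMINS": {
+"name": "pcy-root-oke-hybrid",
+"description": "policy needed to use the OCI VCN-Native Pod Networking CNI plugin on top a LZ deployment, where a cluster's related resources are in a different compartment to the cluster itself",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"allow any-user to manage instances in tenancy where all { request.principal.type = 'cluster'}",
+"allow any-user to use private-ips in tenancy where all { request.principal.type = 'cluster'}",
+"allow any-user to use network-security-groups in tenancy where all { request.principal.type = 'cluster'}"
+]
+},
+"PCY-P-OKE-SECRETS": {
+"name": "pcy-root-oke-secrets",
+"description": "policy to allow applications running on the cluster to be authenticated with OCI through InstancePrincipal ",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"allow dynamic-group dg-lzp-prod-platform-oke to use secret-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security"
+]
+},
+"PCY-P-PLATFORM-OKE-ADMINS": {
+"name": "pcy-p-platform-oke-admins",
+"description": "policy for grp-p-platform-oke-admins",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"Allow group grp-lzp-p-platform-oke-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+"Allow group grp-lzp-p-platform-oke-admins to manage cluster-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+"Allow group grp-lzp-p-platform-oke-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+"Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+"Allow group grp-lzp-p-platform-oke-admins to inspect compartments in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+"Allow group grp-lzp-p-platform-oke-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+"Allow group grp-lzp-p-platform-oke-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+"Allow group grp-lzp-p-platform-oke-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+"Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+"Allow group grp-lzp-p-platform-oke-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+"Allow group grp-lzp-p-platform-oke-admins to read metrics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke"
+
+]
+},
+"PCY-PP-PLATFORM-OKE-ADMINS": {
+"name": "pcy-pp-platform-oke-admins",
+"description": "policy for grp-pp-platform-oke-admins",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"Allow group grp-lzp-pp-platform-oke-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+"Allow group grp-lzp-pp-platform-oke-admins to manage cluster-family in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+"Allow group grp-lzp-pp-platform-oke-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+"Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+"Allow group grp-lzp-pp-platform-oke-admins to inspect compartments in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+"Allow group grp-lzp-pp-platform-oke-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+"Allow group grp-lzp-pp-platform-oke-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+"Allow group grp-lzp-pp-platform-oke-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+"Allow group grp-lzp-pp-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+"Allow group grp-lzp-pp-platform-oke-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+"Allow group grp-lzp-pp-platform-oke-admins to read metrics in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke"
+
+]
+},
+"PCY-M-PLATFORM-OKE-ADMINS": {
+"name": "pcy-m-platform-oke-admins",
+"description": "policy for grp-m-platform-oke-admins",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"Allow group grp-lzp-m-platform-oke-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+"Allow group grp-lzp-m-platform-oke-admins to manage cluster-family in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+"Allow group grp-lzp-m-platform-oke-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+"Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+"Allow group grp-lzp-m-platform-oke-admins to inspect compartments in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+"Allow group grp-lzp-m-platform-oke-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-network",
+"Allow group grp-lzp-m-platform-oke-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-network",
+"Allow group grp-lzp-m-platform-oke-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-network",
+"Allow group grp-lzp-m-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-network",
+"Allow group grp-lzp-m-platform-oke-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-network",
+"Allow group grp-lzp-m-platform-oke-admins to read metrics in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke"
+]
+},
+"PCY-P-PLATFORM-OKE-RBAC-ADMIN-ROLE": {
+"name": "pcy-p-platform-oke-rbac-admin-roles",
+"description": "policy for grp-lzp-p-platform-oke-admin-role",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"Allow group grp-lzp-p-platform-oke-admin-role to use cluster in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke"
+]
+},
+"PCY-P-PLATFORM-OKE-RBAC-VIEWER-ROLE": {
+"name": "pcy-p-platform-oke-rbac-viewer-roles",
+"description": "policy for grp-lzp-p-platform-oke-viewer-role",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"Allow group grp-lzp-p-platform-oke-viewer-role to use cluster in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke"
+]
+},
+"PCY-PP-PLATFORM-OKE-RBAC-ADMIN-ROLE": {
+"name": "pcy-pp-platform-oke-rbac-admin-roles",
+"description": "policy for grp-lzp-pp-platform-oke-admin-role",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"Allow group grp-lzp-p-platform-oke-admin-role to use cluster in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke"
+]
+},
+"PCY-PP-PLATFORM-OKE-RBAC-VIEWER-ROLE": {
+"name": "pcy-pp-platform-oke-rbac-viewer-roles",
+"description": "policy for grp-lzp-pp-platform-oke-viewer-role",
+"compartment_id": "TENANCY-ROOT",
+"statements": [
+"Allow group grp-lzp-p-platform-oke-viewer-role to use cluster in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke"
+]
+}
+}
+}
+}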
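Review bot: Several policy statements bind prod groups to non-prod compartments, which breaks the environment separation the rest of the file sets up: the `use vnics` line in `PCY-PP-PLATFORM-OKE-ADMINS` and in `PCY-M-PLATFORM-OKE-ADMINS` names `grp-lzp-p-platform-oke-admins` instead of the `pp`/`m` admins group, and both `PCY-PP-PLATFORM-OKE-RBAC-*` policies grant `grp-lzp-p-platform-oke-admin-role` / `grp-lzp-p-platform-oke-viewer-role` on the dev OKE compartment, so the `grp-lzp-pp-platform-oke-*-role` groups defined above receive no policy while the prod role groups gain dev access; each of those lines should read `Allow group grp-lzp-pp-platform-oke-...` (or `-m-`) for its own environment. The `groups` object also defines the keys `grp-lzp-p-platform-oke-viewer-role` and `grp-lzp-p-platform-oke-admin-role` twice; JSON parsers typically keep only the last occurrence and Terraform's JSON loader may reject the duplicate, and given the "prod rbal" descriptions on the second pair it is unclear which entries were intended. Two referenced names resolve to nothing defined here: the dev admins group is created with `"name": "grp-lzn-pp-platform-oke-admins"` (its key and its policy use `grp-lzp-pp-...`), and `PCY-P-OKE-SECRETS` grants `dynamic-group dg-lzp-prod-platform-oke` although the dynamic group is named `dg-lzp-p-platform-oke`, so that secret-family grant would fail or point at the wrong principal. The three `allow any-user ... in tenancy where all { request.principal.type = 'cluster'}` statements apply to every cluster principal in the tenancy rather than only the three OKE compartments created here; if the module supports it, scoping those to the platform compartments would keep the manage-instances grant narrower, and `"enable_delete": "true"` should be a boolean unless the module documents a string.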
