diff --git a/CODEOWNERS b/CODEOWNERS
index cb3be78f..b1fe1ec9 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,4 +1,5 @@
/workload-extensions/ocvs/ @hrvolapeter
/workload-extensions/ebs/ @rphibbert
+/workload-extensions/oke/ @paolajuarezgomez
/addons/oci-hub-models/ @vavardan
/addons/oci-sovereign-controls/ @vavardan @hrvolapeter @paolajuarezgomez
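Review bot: the new `/workload-extensions/oke/` entry lists a single owner, while the `/addons/oci-sovereign-controls/` entry two lines below carries three; with one owner, every change under `oke/` blocks on that one person's review and availability, so consider adding a second owner (for example one of the existing extension owners) for review coverage.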
diff --git a/commons/images/icon_oke.jpg b/commons/images/icon_oke.jpg
new file mode 100644
index 00000000..59c50075
Binary files /dev/null and b/commons/images/icon_oke.jpg differ
diff --git a/workload-extensions/oke/1_foundation/README.md b/workload-extensions/oke/1_foundation/README.md
new file mode 100644
index 00000000..c7ad8255
--- /dev/null
+++ b/workload-extensions/oke/1_foundation/README.md
@@ -0,0 +1,334 @@
+# Foundations set-up
+
+## **Table of Contents**
+
+- [**1. Summary**](#1-summary)
+- [**2. Setup IAM Configuration**](#2-setup-iam-configuration)
+ - [**2.1. Compartments**](#21-compartments)
+ - [**2.2 Groups**](#22-groups)
+ - [**3.4 Dynamic groups**](#34-dynamic-groups)
+ - [**2.3 Policies**](#23-policies)
+- [**3. Setup Network Configuration**](#3-setup-network-configuration)
+ - [**3.1 VCNs**](#31-vcns)
+ - [**3.2 Subnets**](#32-subnets)
+ - [**3.3 Route Tables (RTs)**](#33-route-tables-rts)
+ - [**3.4 Security Lists (SLs)**](#34-security-lists-sls)
+ - [**3.5 Gateways**](#35-gateways)
+ - [**3.5.1 Dynamic Routing Gateway (DRGs) Attachments**](#351-dynamic-routing-gateway-drgs-attachments)
+ - [**3.5.2 Service Gateway (SGs)**](#352-service-gateway-sgs)
+- [**4. Deploy**](#4-deploy)
+
+
+## **1. Summary**
+
+| | |
+| ----------------------- | -------------------------------------------------------------------------------------------------------------------------- |
+| **NAME** | OKE Landing Zone Extension set-up |
+| **OBJECTIVE** | Provision Identity and Network |
+| **TARGET RESOURCES** | - **Security**: Compartments, Groups, Policies- **Network**: Spoke VCNs, Route tables, Security Lists |
+| **PREREQUISITES** | The [One-OE](../../../blueprints/one-oe/) Blueprint deployed as a foundation. We recommend saving the stack outputs in the same bucket or GitHub repository where the one-off JSON files are stored. The saved file can then be used as a reference for future operations. |
+| **CONFIGURATION FILES** | - [identity.auto.tfvars.json](./identity.auto.tfvars.json) - [network.auto.tfvars.json](./network.auto.tfvars.json) |
+| **DEPLOYMENT** | Use [Oracle Resource Manager (ORM)](/commons/content/orm.md) or [Terraform CLI](/commons/content/terraform.md). |
+
+
+
+## **2. Setup IAM Configuration**
+
+For configuring and running the One-OE Landing Zone OKE extension Identity Layer use the following JSON file: [identity.auto.tfvars.json](./identity.auto.tfvars.json) You can customize this configuration to fit your exact OCI IAM topology.
+
+This configuration file covers three categories of resources described in the next sections.
+
+### **2.1. Compartments**
+
+
+The OKE LZ extension provisions three **compartments**: two dedicated to managing environments, such as PROD and PRE-PROD, and a third compartment for management purposes.
+
+New OKE compartments will be added as platform in each One-OE LZ environment, following the example shown in the next diagram:
+
+
+
+The following diagram covers deployment with 2 Landing zone environments.
+
+
+
+For simplicity, we will use single landing zone environment option in this template.
+
+> [!NOTE]
+> For extended documentation regarding compartment definition please refer to the [Identity & Access Management CIS Terraform module compartment example](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/blob/main/compartments/examples/vision/input.auto.tfvars.template).
+
+
+
+**JSON FILE REQUIRED CHANGES**
+If ONE-OE is used as the baseline Landing Zone with output saving enabled, running this OKE extension with the added dependencies will automatically match the keys with the correct OCIDs. No changes to the JSON file are needed. Therefore, you can skip this section.
+
+If you are using the CIS Landing Zone or another OCI Landing Zone option, this configuration file requires modification to reference the OCIDs of the existing deployed resources. Locate the values indicated below and replace them with the correct OCIDs.
+
+| Resource | Section | Replace with OCIDs | Description |
+| ------------------------- | ------| --------------------------------- | ---------------------------------- |
+| cmp-lzp-p-platform | compartments| CMP-LZP-P-PLATFORM-KEY | The Prod platforms compartment OCID in Prod Env |
+| cmp-lzp-d-platform | compartments| CMP-LZP-PP-PLATFORM-KEY| The Pre-prod platforms compartment OCID in Preprod Env |
+| cmp-lzp-platform |compartments | CMP-LZP-PLATFORM-KEY| The Shared platforms compartment OCID |
+
+
+
+### **2.2 Groups**
+
+The OKE extension will deploy IAM groups to manage resources in OKE compartments and provide fine-grained access to specific OKE resources.
+
+As part of the deployment the following groups are created in the [Default Identity Domain](https://docs.oracle.com/en-us/iaas/Content/Identity/domains/overview.htm):
+
+
+| ID | NAME | TYPE | OBJECTIVES |
+| ------ | -------------------------- | ------------------------------------------- |---|
+| GRP.00 | grp-lzp-m-platform-oke-admins | IAM |Group for managing mgt OKE-related resources |
+| GRP.01 | grp-lzp-p-platform-oke-admins | IAM| Group for managing Prod OKE-related resources |
+| GRP.02 | grp-lznp-pp-platform-oke-admins | IAM | Group for managing Pre-prod OKE-related resources |
+| GRP.03 | grp-lzp-p-platform-oke-viewer-role | IAM + OKE RBAC |Group for managing Prod OKE-related resources |
+| GRP.04 | grp-lzp-p-platform-oke-admin-role | IAM + OKE RBAC |Group for managing Prod OKE-related resources |
+| GRP.05 | grp-lzp-pp-platform-oke-viewer-role | IAM + OKE RBAC |Group for managing Pre-prod OKE-related resources |
+| GRP.06 | grp-lzp-pp-platform-oke-admin-role | IAM + OKE RBAC |Group for managing Pre-prod OKE-related resources |
+
+
+
+In our pattern we define two different types of groups:
+
+1. **IAM groups** to manage resources in OKE compartments.
+2. **IAM groups with OKE RBAC** to grant fine-grained access control to OKE specific resources. In addition to IAM, the Kubernetes RBAC Authorizer can enforce additional fine-grained access controls via Kubernetes RBAC roles and clusterroles. A Kubernetes RBAC role is a collection of permissions. For example, a role might include read permission on pods and list permission for pods. A Kubernetes RBAC clusterrole is just like a role, applies across the whole cluster. A Kubernetes RBAC rolebinding maps a role to a user or group, granting that role's permissions to the user or group for resources in a namespace. Similarly, a Kubernetes RBAC clusterrolebinding maps a clusterrole to a user or group, granting that clusterrole's permissions across the entire cluster. IAM and the Kubernetes RBAC Authorizer work together to enable users who have been successfully authorized by at least one of them to complete the requested Kubernetes operation.
+
+In our case as an example we have created the recommended groups for the prod oke cluster and pre-prod oke cluster. These are the steps for prod :
+
+1. Create a new group in OCI IAM (e.g grp-lzp-p-platform-oke-viewer-role, which is already included in the blueprint)
+2. Configure an OCI policy to grant access to the group to access the OKE clusters. (e.g pcy-p-platform-oke-rbal-viewer-role, which is already included in the blueprint)
+3. Create Roles and Role Bindings in OKE RBAC to authorize our user to access OKE resources. In a text editor, create the following manifest (for example, called pod-reader-group.yaml) to define the role and a role binding to enable the new IAM group to list pods in the kube-system namespace:
+
+```
+cat > pod-reader-group.yaml << EOF
+ kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: pod-reader-ks
+ namespace: kube-system
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "watch", "list"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: pod-reader-ks-role-binding
+ namespace: kube-system
+subjects:
+- kind: group
+ name:
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: pod-reader-ks
+ apiGroup: rbac.authorization.k8s.io
+
+EOF
+```
+4. Create the new role and rolebinding by applying configuration file to the Kubernetes.
+ ```kubectl apply -f pod-reader-group.yml```
+
+To check all the steps for managing RBAC visit [documentation](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengaboutaccesscontrol.htm#About_Access_Control_and_Container_Engine_for_Kubernetes). There are blogs further covering the steps [Kubernetes RBAC Explained — With Examples](https://medium.com/system-weakness/kubernetes-rbac-explained-with-examples-40e1c5e44c32) or [Demystifying Kubernetes RBAC](https://medium.com/@extio/demystifying-kubernetes-rbac-a-deep-dive-into-role-based-access-control-b3fc5969794a)
+
+> [!NOTE]
+> For extended documentation regarding group definition please refer to the [Identity & Access Management CIS Terraform module groups example](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/blob/main/groups/examples/vision/input.auto.tfvars.template).
+
+### **3.4 Dynamic groups**
+
+The OKE LZ Extension includes the following dynamic groups as examples:
+
+* **dg-lzp-prod-platform-oke** for authenticating all instances of the Prod OKE cluster against OCI. See [OCI documentation](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm) for details.
+* **dg-lzp-sec-fun-dynamic-group** to enable a function to access another Oracle Cloud Infrastructure resource. To read more about this go [here](https://docs.oracle.com/en-us/iaas/Content/Functions/Tasks/functionsaccessingociresources.htm).
+
+TODO:
+- why is there Oracle Function as example in OKE?
+
+> [!NOTE]
+> For extended documentation regarding dynamic groups please refer to the [Identity & Access Management CIS Terraform module dynamic groups example](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/blob/main/dynamic-groups/examples/vision/input.auto.tfvars.template).
+
+>**_JSON FILE REQUIRED Dynamic Groups CHANGES_**
+>**NOTE:**
+>Run the dynamic groups as defined. The matching rules have associated OCIDs that cannot be referenced using the dependencies feature. After the first apply job, you need to update the CMP-LZP-SECURITY-KEY and CMP-LZP-PLATFORM-KEY attributes with the correct OCIDs, and then run a second apply job.
+
+
+### **2.3 Policies**
+
+As part of the deployment the following policies are created:
+| Policy | Description | Manage resources | Use resources | Inspect resources |
+| -------------------------- | ------------------------------------------------------- | ---------------------------- | ------------------------------- | ----------------- |
+| pcy-p-platform-oke-admins | Grants group **grp-lzp-p-platform-oke-admins** permissions. | OKE, Computes, VCN | NSG, Subnets, VNICs, IPs | compartments |
+| pcy-pp-platform-oke-admins | Grants group **grp-lzp-pp-platform-oke-admins** permissions. | OKE, Computes, VCN | NSG, Subnets, VNICs, IPs | compartments |
+| pcy-m-platform-oke-admins | Grants group **grp-lzp-m-platform-oke-admins** permissions. | OKE, Computes, VCN | NSG, Subnets, VNICs, IPs | compartments |
+| pcy-p-platform-oke-rbac-admin-role | Grants group **pcy-p-platform-oke-rbac-admin-role** permissions. | - | OKE | - |
+| pcy-p-platform-oke-rbac-view-role | Grants group **pcy-p-platform-oke-rbac-view-role** permissions. | - | OKE | - |
+| pcy-pp-platform-oke-rbac-admin-role | Grants group **pcy-pp-platform-oke-rbac-admin-role** permissions. | - | OKE | - |
+| pcy-pp-platform-oke-rbac-view-role | Grants group **pcy-pp-platform-oke-rbac-view-role** permissions. | - | OKE | - |
+| pcy-root-oke-hybrid | The **pcy-p-platform-oke-hybrid** policy is an example of an additional IAM policy required when a cluster and its related resources reside in separate compartments.To use the OCI VCN-Native Pod Networking CNI plugin on top a LZ deployment, where a cluster's related resources (such as node pools, VCN, and VCN resources) are in a different compartment to the cluster itself, you must include this [policy](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking_topic-OCI_CNI_plugin.htm). If you are deploying the flannel option this specific policy is not needed.| instances | private-ips ,network-security-groups | - |
+| pcy-p-oke-secrets| The **pcy-p-oke-secrets** is an example of a recommended policy to allow applications running on the cluster to be authenticated with OCI through InstancePrincipal, for example to grant access to secrets. To read more about his check this [article](https://vaibhav-sonavane.medium.com/use-instance-principal-to-access-secrets-6c4aee1bfea4) or the [official documentation](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm?source=post_page-----6c4aee1bfea4--------------------------------)| - | - | - |
+
+
+For a detailed review of OKE policies, please refer to the official OKE documentation [here](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#Policy_Configuration_for_Cluster_Creation_and_Deployment).
+
+Additional policies may be required for using [Capacity Reservations](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengmakingcapacityreservations.htm) or if you choose to [manage the master encryption key yourself](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengencryptingdata.htm). These policies are not included in this example, make sure to add them if they apply to your use case.
+
+> [!NOTE]
+>For extended documentation regarding policies refer to the [Identity & Access Management CIS Terraform module policies examples](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/policies/examples) and [policy resource documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/policies)
+
+
+>**_JSON FILE REQUIRED Policies CHANGES_**
+>**NOTE:**
+>Policies contain compartment paths. The paths can change based on the modification in the previous [Compartments](#21-compartments) section. The paths need to be updated following the OCI [Policies and Compartment hierarchy](https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policies.htm#hierarchy).
+
+
+## **3. Setup Network Configuration**
+
+The OKE Cluster requires specific subnets. You can review all these requirements in the [OKE documentation](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfig.htm)
+
+
+
+For configuring and running the One-OELZ OKE extension Network layer use the following JSON file: [network.auto.tfvars.json](./network.auto.tfvars.json)
+
+>**_JSON FILE REQUIRED CHANGES_**
+>If ONE-OE is used as the baseline Landing Zone with output saving enabled, running this OKE extension with the added dependencies will automatically match the keys with the correct OCIDs. Therefore, you can skip this section. If you are using the CIS Landing Zone or another core Landing Zone, this configuration file requires modification to reference the OCIDs of the existing deployed resources. Locate the values indicated below and replace them with the correct OCIDs.
+
+>| Resource | Replace with OCIDs | Description |
+>| ------------------------ | -------------------------------- | -------------------------------------------------------------- |
+>| Prod Network Compartment | CMP-LZP-P-NETWORK-KEY | The OCID of the Prod Network Compartment |
+>| Pre-prod Network Compartment | CMP-LZP-PP-NETWORK-KEY | The OCID of the Pre-prod Network Compartment |
+>| Mgt Network Compartment | CMP-LZP-NETWORK-KEY | The OCID of the Network Compartment |
+>| Hub DRG | DRG-FRA-LZP-HUB-KEY | The OCID of the DRG in Hub deployed by One-OE LZ |
+>| Hub DRG Route Table | OCID-DRG-HUB-ROUTE-TABLE | The OCID of Route table in DRG |
+
+
+Our OKE LZ extension will deploy the necessary core resources for both the Production and Pre-production environments included in the ONE-OE blueprint. This example is based on the OCI VCN-Native Pod Networking CNI scenario. Some adjustments would be required for a Flannel setup.
+
+
+
+The network layer covers the following resources:
+1. Spoke management VCN for OKE management purposes.
+2. Spokes VNCs for each environment - one Spoke Pre-prod OKE VCN and one Spoke Prod OKE VCN
+3. Subnets - OKE required subnets; like cp,workers,pods,lb,database,fss and bastion subnet.
+4. Service Gateway - Service Gateway for access OCI services
+5. Nat Gateway
+6. Security List - allowing all ingress/egress
+7. Route Tables.
+8. DRG Attachments - Connect spokes with the central Hub
+9. Route tables ONE-OE Hub VCN updates (Covered in OP 3)
+
+
+For customization of the pre-defined setup please refer to the [Networking documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking) for documentation and examples.
+
+
+### **3.1 VCNs**
+
+The following table describes the deployed VCNs.
+
+| ID | NAME | OBJECTIVES |
+| ------ | -------------- | ---------------------------------- |
+| VCN.01 | vcn-fra-lzp-m-platform-oke | Spoke VCN dedicated to Mgt OKE set-up |
+| VCN.02 | vcn-fra-lzp-p-platform-oke | Spoke VCN dedicated to Prod OKE set-up |
+| VCN.03 | vcn-fra-lzp-pp-platform-oke | Spoke VCN dedicated to Preprod OKE set-up |
+
+
+### **3.2 Subnets**
+
+The following table describes the deployed Subnets added for each environment OKE platform:
+
+| ID | NAME | OBJECTIVES |
+| ----- | ---------------- | ------------------------- |
+| SN.00 | sn-fra-lzp-p-platform-oke-lb | OKE private Prod lb subnet |
+| SN.01 | sn-fra-lzp-p-platform-oke-cp | OKE Prod control plane subnet |
+| SN.02 | sn-fra-lzp-p-platform-oke-workers | OKE Prod workers subnet |
+| SN.03 | sn-fra-lzp-p-platform-oke-pods| OKE Prod pods subnet |
+| SN.04 | sn-fra-lzp-p-platform-oke-db| db Prod subnet |
+| SN.05 | sn-fra-lzp-p-platform-oke-bastion| Prod bastion subnet |
+| SN.06 | sn-fra-lzp-p-platform-oke-fss| Prod fss subnet |
+| SN.07 | sn-fra-lzp-pp-platform-oke-lb | OKE PreProd private lb subnet |
+| SN.08 | sn-fra-lzp-pp-platform-oke-cp | OKE PreProd control plane subnet |
+| SN.09 | sn-fra-lzp-pp-platform-oke-workers | OKE PreProd workers subnet |
+| SN.10 | sn-fra-lzp-pp-platform-oke-pods| OKE PreProd pods subnet |
+| SN.11 | sn-fra-lzp-pp-platform-oke-db| db PreProd subnet |
+| SN.12 | sn-fra-lzp-pp-platform-oke-bastion| PreProd bastion subnet |
+| SN.13 | sn-fra-lzp-pp-platform-oke-fss| fss PreProd subnet |
+
+### **3.3 Route Tables (RTs)**
+
+The following table describes the deployed Route Tables:
+
+| ID | NAME | OBJECTIVES |
+| ----- | ------------------ | ------------------------------------- |
+| RT.00 | rt-fra-lzp-p-lb | OKE Load Balancer Prod subnet route table |
+| RT.01 | rt-fra-lzp-p-cp | OKE Control Plane Prod subnet route table |
+| RT.02 | rt-fra-lzp-p-pods | OKE Pods Prod subnet route table |
+| RT.03 | rt-fra-lzp-p-workers | OKE Workers Prod subnet route table |
+| RT.04 | rt-fra-lzp-p-generic | OKE Generic Prod subnet route table |
+| RT.00 | rt-fra-lzp-pp-lb | OKE Load Balancer PreProd subnet route table |
+| RT.01 | rt-fra-lzp-pp-cp | OKE Control Plane PreProd subnet route table |
+| RT.02 | rt-fra-lzp-pp-pods | OKE Pods PreProd subnet route table |
+| RT.03 | rt-fra-lzp-pp-workers | OKE Workers PreProd subnet route table |
+| RT.04 | rt-fra-lzp-pp-generic | OKE Generic PreProd subnet route table |
+
+
+### **3.4 Security Lists (SLs)**
+The following table describes the deployed Security Lists (SLs):
+
+| ID | NAME | OBJECTIVES |
+| ----- | ------------------- | --------------------------------------- |
+| SL.00 | sl-lzp-p-platform-pods | OKE Prod pods subnet security list |
+| SL.01 | sl-lzp-p-platform-workers| OKE Prod Workers subnet security list |
+| SL.02 | sl-lzp-d-platform-lb | OKE Prod Load Balancer subnet security list |
+| SL.03 | sl-lzp-p-platform-cp | OKE Prod Control Plane subnet security list |
+| SL.04 | sl-lzp-pp-platform-pods | OKE Pre-prod pods subnet security list |
+| SL.05 | sl-lzp-pp-platform-workers| OKE Pre-prod Workers subnet security list |
+| SL.06 | sl-lzp-pp-platform-lb | OKE Pre-prod Load Balancer subnet security list |
+| SL.07 | sl-lzp-pp-platform-cp | OKE Pre-prod Control Plane subnet security list |
+
+
+### **3.5 Gateways**
+
+
+#### **3.5.1 Dynamic Routing Gateway (DRGs) Attachments**
+
+The following tables describe the deployed DRG Attachments.
+
+| ID | NAME | OBJECTIVES |
+| ------- | ------------------------- | -------------------------------------------- |
+| DRGA.00 | drgatt-vcn-fra-lzp-p-platform-oke | DRG Attachment for the OKE Prod spoke to the hub |
+| DRGA.00 | drgatt-vcn-fra-lzp-pp-platform-oke | DRG Attachment for the OKE Preprod spoke to the hub
+| DRGA.00 | drgatt-vcn-fra-lzp-m-platform-oke | DRG Attachment for the OKE Mgt spoke to the hub
+
+
+#### **3.5.2 Service Gateway (SGs)**
+
+
+The following table describes the proposed Service Gateways added for each environment OKE platform:
+
+| ID | NAME | OBJECTIVES |
+| ----- | ------------- | -------------------- |
+| SG.00 | sg-fra-p-ocvs | SG in OKE Prod VCN. |
+| SG.00 | sg-fra-pp-ocvs | SG in OKE Pre-prod VCN. |
+| SG.00 | sg-fra-m-ocvs | SG in OKE Mgt VCN. |
+
+
+
+## **4. Deploy**
+
+
+Use the link above to deploy using [Oracle Resource Manager (ORM)](/../../../commons/content/orm.md) or use [Terraform CLI](../../../commons/content/terraform.md)
+
+You can now proceed with [Step 2](../2_oke/).
+
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.
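Review bot: the RBAC manifest in section 2.2 (the `pod-reader-group.yaml` heredoc) will not bind the IAM group as written: the subject uses `kind: group` where Kubernetes RBAC subject kinds are case-sensitive (`Group`), the `name:` field is left empty where the IAM group OCID belongs, and step 4 applies `pod-reader-group.yml` while step 3 creates `pod-reader-group.yaml`; the stray leading space before `kind: Role` should also go. Suggested subject entry: `- kind: Group` / `name: <group-ocid>` / `apiGroup: rbac.authorization.k8s.io`. Names should also be reconciled with the identity JSON in this PR: step 2 cites `pcy-p-platform-oke-rbal-viewer-role` (rbal), the policies table lists `pcy-p-platform-oke-rbac-view-role`, and the JSON names it `pcy-p-platform-oke-rbac-viewer-roles`; GRP.02 reads `grp-lznp-pp-...`; the secrets policy is `pcy-p-oke-secrets` here and `pcy-root-oke-secrets` in the JSON; GRP.03 to GRP.06 all carry the admins' objective text instead of describing viewer versus admin scope. Structural nits: the dynamic groups heading is numbered `3.4` under section 2 (and collides with `3.4 Security Lists` in the TOC), so it should be 2.3 and policies 2.4; the RT, DRGA and SG tables reuse IDs (RT.00 to RT.04 twice, DRGA.00 and SG.00 three times) and the SG names `sg-fra-*-ocvs` look carried over from the OCVS extension; SL.02 is `sl-lzp-d-platform-lb` while its siblings use `p`/`pp`; the `TODO:` about the Functions dynamic group should be resolved before merge; and the Deploy section's ORM link `/../../../commons/content/orm.md` is not a valid path. Finally, section 3 item 6 ships security lists "allowing all ingress/egress" for a landing-zone extension; it would help to state that these are placeholders to be tightened to the ports the linked OKE network documentation requires.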
diff --git a/workload-extensions/oke/1_foundation/identity.auto.tfvars.json b/workload-extensions/oke/1_foundation/identity.auto.tfvars.json
new file mode 100644
index 00000000..76ffe963
--- /dev/null
+++ b/workload-extensions/oke/1_foundation/identity.auto.tfvars.json
@@ -0,0 +1,196 @@
+{
+ "compartments_configuration": {
+ "enable_delete": "true",
+ "compartments": {
+ "CMP-LZP-PLATFORM-PROD-KEY": {
+ "name": "cmp-lzp-p-platform-oke",
+ "description": "Platform compartment for oke Prod related resources",
+ "parent_id": "CMP-LZP-P-PLATFORM-KEY",
+ "defined_tags": null,
+ "freeform_tags": null
+ },
+ "CMP-LZP-PLATFORM-PP-KEY": {
+ "name": "cmp-lzp-pp-platform-oke",
+ "description": "Platform compartment for oke Dev related resources",
+ "parent_id": "CMP-LZP-PP-PLATFORM-KEY",
+ "defined_tags": null,
+ "freeform_tags": null
+ },
+ "CMP-LZP-PLATFORM-MGT-KEY": {
+ "name": "cmp-lzp-m-platform-oke",
+ "description": "Platform compartment for shared oke mgt related resources",
+ "parent_id": "CMP-LZP-PLATFORM-KEY",
+ "defined_tags": null,
+ "freeform_tags": null
+ }
+ }
+ },
+ "groups_configuration": {
+ "default_defined_tags": null,
+ "default_freeform_tags": null,
+ "groups": {
+ "grp-lzp-p-platform-oke-admins": {
+ "name": "grp-lzp-p-platform-oke-admins",
+ "description": "Group responsible for administrating oke dev cluster"
+ },
+ "grp-lzp-p-platform-oke-viewer-role": {
+ "name": "grp-lzp-p-platform-oke-viewer-role",
+ "description": "OKE viewer role group"
+ },
+ "grp-lzp-p-platform-oke-admin-role": {
+ "name": "grp-lzp-p-platform-oke-admin-role",
+ "description": "OKE admin role group"
+ },
+ "grp-lzp-pp-platform-oke-admins": {
+ "name": "grp-lzn-pp-platform-oke-admins",
+ "description": "Group responsible for administrating oke dev cluster"
+ },
+ "grp-lzp-p-platform-oke-viewer-role": {
+ "name": "grp-lzp-p-platform-oke-viewer-role",
+ "description": "Group for prod rbal viewer role"
+ },
+ "grp-lzp-p-platform-oke-admin-role": {
+ "name": "grp-lzp-p-platform-oke-admin-role",
+ "description": "Group for prod rbal admin role"
+ },
+ "grp-lzp-pp-platform-oke-viewer-role": {
+ "name": "grp-lzp-pp-platform-oke-viewer-role",
+ "description": "Group for dev rbal viewer role"
+ },
+ "grp-lzp-pp-platform-oke-admin-role": {
+ "name": "grp-lzp-pp-platform-oke-admin-role",
+ "description": "Group for dev rbal admin role"
+ },
+ "grp-lzp-m-platform-oke-admins": {
+ "name": "grp-lzp-m-platform-oke-admins",
+ "description": "Group responsible for administrating oke mgt cluster"
+ }
+ }
+ },
+ "dynamic_groups_configuration": {
+ "default_defined_tags": null,
+ "default_freeform_tags": null,
+ "dynamic_groups": {
+ "DG-LZP-SEC-FUN": {
+ "name": "dg-lzp-sec-fun-dynamic-group",
+ "description": "dynamic group for security functions execution.",
+ "matching_rule": "ALL {resource.type = 'fnfun', resource.compartment.id = 'CMP-LZP-SECURITY-KEY'}"
+ },
+ "DG-LZP-PLATFORM-OKE-PROD": {
+ "name": "dg-lzp-p-platform-oke",
+ "description": "dynamic group authenticated all instance in Prod OKE cluster with OCI through InstancePrincipal.",
+ "matching_rule": "ALL {instance.compartment.id = 'CMP-LZP-PLATFORM-PROD-KEY'}"
+ }
+ }
+ },
+ "policies_configuration": {
+ "supplied_policies": {
+ "PCY-ROOT-OKE-ADMINS": {
+ "name": "pcy-root-oke-hybrid",
+ "description": "policy needed to use the OCI VCN-Native Pod Networking CNI plugin on top a LZ deployment, where a cluster's related resources are in a different compartment to the cluster itself",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow any-user to manage instances in tenancy where all { request.principal.type = 'cluster'}",
+ "allow any-user to use private-ips in tenancy where all { request.principal.type = 'cluster'}",
+ "allow any-user to use network-security-groups in tenancy where all { request.principal.type = 'cluster'}"
+ ]
+ },
+ "PCY-P-OKE-SECRETS": {
+ "name": "pcy-root-oke-secrets",
+ "description": "policy to allow applications running on the cluster to be authenticated with OCI through InstancePrincipal ",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow dynamic-group dg-lzp-prod-platform-oke to use secret-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security"
+ ]
+ },
+ "PCY-P-PLATFORM-OKE-ADMINS": {
+ "name": "pcy-p-platform-oke-admins",
+ "description": "policy for grp-p-platform-oke-admins",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "Allow group grp-lzp-p-platform-oke-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+ "Allow group grp-lzp-p-platform-oke-admins to manage cluster-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+ "Allow group grp-lzp-p-platform-oke-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+ "Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+ "Allow group grp-lzp-p-platform-oke-admins to inspect compartments in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke",
+ "Allow group grp-lzp-p-platform-oke-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "Allow group grp-lzp-p-platform-oke-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "Allow group grp-lzp-p-platform-oke-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "Allow group grp-lzp-p-platform-oke-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "Allow group grp-lzp-p-platform-oke-admins to read metrics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke"
+
+ ]
+ },
+ "PCY-PP-PLATFORM-OKE-ADMINS": {
+ "name": "pcy-pp-platform-oke-admins",
+ "description": "policy for grp-pp-platform-oke-admins",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "Allow group grp-lzp-pp-platform-oke-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+ "Allow group grp-lzp-pp-platform-oke-admins to manage cluster-family in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+ "Allow group grp-lzp-pp-platform-oke-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+ "Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+ "Allow group grp-lzp-pp-platform-oke-admins to inspect compartments in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke",
+ "Allow group grp-lzp-pp-platform-oke-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+ "Allow group grp-lzp-pp-platform-oke-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+ "Allow group grp-lzp-pp-platform-oke-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+ "Allow group grp-lzp-pp-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+ "Allow group grp-lzp-pp-platform-oke-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-network",
+ "Allow group grp-lzp-pp-platform-oke-admins to read metrics in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke"
+
+ ]
+ },
+ "PCY-M-PLATFORM-OKE-ADMINS": {
+ "name": "pcy-m-platform-oke-admins",
+ "description": "policy for grp-m-platform-oke-admins",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "Allow group grp-lzp-m-platform-oke-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+ "Allow group grp-lzp-m-platform-oke-admins to manage cluster-family in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+ "Allow group grp-lzp-m-platform-oke-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+ "Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+ "Allow group grp-lzp-m-platform-oke-admins to inspect compartments in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke",
+ "Allow group grp-lzp-m-platform-oke-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-network",
+ "Allow group grp-lzp-m-platform-oke-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-network",
+ "Allow group grp-lzp-m-platform-oke-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-network",
+ "Allow group grp-lzp-m-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-network",
+ "Allow group grp-lzp-m-platform-oke-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-network",
+ "Allow group grp-lzp-m-platform-oke-admins to read metrics in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke"
+ ]
+ },
+ "PCY-P-PLATFORM-OKE-RBAC-ADMIN-ROLE": {
+ "name": "pcy-p-platform-oke-rbac-admin-roles",
+ "description": "policy for grp-lzp-p-platform-oke-admin-role",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "Allow group grp-lzp-p-platform-oke-admin-role to use cluster in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke"
+ ]
+ },
+ "PCY-P-PLATFORM-OKE-RBAC-VIEWER-ROLE": {
+ "name": "pcy-p-platform-oke-rbac-viewer-roles",
+ "description": "policy for grp-lzp-p-platform-oke-viewer-role",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "Allow group grp-lzp-p-platform-oke-viewer-role to use cluster in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-platform:cmp-lzp-p-platform-oke"
+ ]
+ },
+ "PCY-PP-PLATFORM-OKE-RBAC-ADMIN-ROLE": {
+ "name": "pcy-pp-platform-oke-rbac-admin-roles",
+ "description": "policy for grp-lzp-pp-platform-oke-admin-role",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "Allow group grp-lzp-p-platform-oke-admin-role to use cluster in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke"
+ ]
+ },
+ "PCY-PP-PLATFORM-OKE-RBAC-VIEWER-ROLE": {
+ "name": "pcy-pp-platform-oke-rbac-viewer-roles",
+ "description": "policy for grp-lzp-pp-platform-oke-viewer-role",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "Allow group grp-lzp-p-platform-oke-viewer-role to use cluster in compartment cmp-landingzone-p:cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke"
+ ]
+ }
+ }
+ }
+}
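Review bot: three statements in this hunk grant to a different group than the one the enclosing policy is documented for. In the `grp-lzp-m-platform-oke-admins` policy the statement `Allow group grp-lzp-p-platform-oke-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-platform:cmp-lzp-m-platform-oke` names a `-p-` group while every other statement names `-m-`, so the `-m-` admins lose `use vnics` and a prod group gains it in a compartment it should not touch; it should read `grp-lzp-m-platform-oke-admins`. In `PCY-PP-PLATFORM-OKE-RBAC-ADMIN-ROLE` and `PCY-PP-PLATFORM-OKE-RBAC-VIEWER-ROLE` the descriptions name `grp-lzp-pp-platform-oke-admin-role` and `grp-lzp-pp-platform-oke-viewer-role`, but both statements grant `use cluster` on `cmp-lzp-dev:cmp-lzp-pp-platform:cmp-lzp-pp-platform-oke` to the prod groups `grp-lzp-p-platform-oke-admin-role` and `grp-lzp-p-platform-oke-viewer-role`; as written the pp groups get no access and the prod role groups silently gain access to the dev clusters. Suggest changing the group in those two statements to the `-pp-` names. Minor: the `name` values end in `-roles` while the keys and descriptions use the singular `-role`.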
diff --git a/workload-extensions/oke/1_foundation/network.auto.tfvars.json b/workload-extensions/oke/1_foundation/network.auto.tfvars.json
new file mode 100644
index 00000000..ff9cddce
--- /dev/null
+++ b/workload-extensions/oke/1_foundation/network.auto.tfvars.json
@@ -0,0 +1,1543 @@
+{
+ "network_configuration": {
+ "default_enable_cis_checks": false,
+ "network_configuration_categories": {
+ "spokes": {
+ "vcns": {
+ "VCN-PROD-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "block_nat_traffic": false,
+ "cidr_blocks": [
+ "10.0.40.0/21"
+ ],
+ "display_name": "vcn-fra-lzp-p-platform-oke",
+ "dns_label": "vcnfralzppoke",
+ "is_attach_drg": false,
+ "is_create_igw": false,
+ "is_ipv6enabled": false,
+ "is_oracle_gua_allocation_enabled": false,
+ "security_lists": {
+ "SECLIST-PROD-PODS-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "sl-01-lzp-p-platform-pods",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ },
+ "SECLIST-PROD-WORKERS-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "sl-02-lzp-p-platform-workers",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ },
+ "SECLIST-PROD-PRIV-LB-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "sl-03-lzp-d-platform-lb",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ },
+ "SECLIST-PROD-CP-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "sl-04-lzp-p-platform-cp",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ }
+ },
+ "network_security_groups": {
+ "NSG-PROD-CP": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name" : "nsg-prod-cp",
+ "egress_rules": {
+ "nsg_pods": {
+ "description": "Allow TCP egress from OKE control plane to pods",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-PODS",
+ "protocol": "TCP",
+ "stateless": false
+ },
+ "nsg_workers_12250": {
+ "description": "Allow TCP egress for path discovery to worker nodes",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-WORKERS",
+ "dst_port_min": "12250",
+ "dst_port_max": "12250",
+ "protocol": "TCP",
+ "stateless": false
+ },
+ "nsg_workers_10250": {
+ "description": "Allow TCP egress for path discovery to worker nodes",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-WORKERS",
+ "dst_port_min": "10250",
+ "dst_port_max": "10250",
+ "protocol": "TCP",
+ "stateless": false
+ },
+ "nsg_workers_icmp": {
+ "description": "Allow ICMP egress from OKE control plane to worker nodes",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-WORKERS",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "protocol": "ICMP",
+ "stateless": false
+ },
+ "nsg_cp_6443": {
+ "description": "Allow TCP egress for Kubernetes control plane inter-communication",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-CP",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_service": {
+ "description": "Allow TCP egress from OKE control plane to OCI services",
+ "dst": "all-services",
+ "dst_type": "SERVICE_CIDR_BLOCK",
+ "protocol": "TCP",
+ "stateless": false
+ }
+ },
+ "ingress_rules": {
+ "nsg_pods_12250": {
+ "description": "Allow TCP ingress from pods to kube-apiserver",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-PODS",
+ "protocol": "TCP",
+ "dst_port_min": "12250",
+ "dst_port_max": "12250",
+ "stateless": false
+ },
+ "nsg_pods_6443": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-PODS",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_workers_6443": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-WORKERS",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_workers_12250": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-WORKERS",
+ "protocol": "TCP",
+ "dst_port_min": "12250",
+ "dst_port_max": "12250",
+ "stateless": false
+ },
+ "nsg_cp_6443": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-CP",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_workers_icmp": {
+ "description": "Allow ICMP ingress for path discovery from worker nodes",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-WORKERS",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow TCP ingress to kube-apiserver from 0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "src": "0.0.0.0/0",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ }
+
+ }
+ },
+ "NSG-PROD-PRIV-LB": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "nsg-prod-lb",
+ "egress_rules": {
+ "nsg_workers": {
+ "description": "Allow TCP egress from public load balancers to workers nodes for NodePort traffic",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-WORKERS",
+ "protocol": "TCP",
+ "dst_port_min": "30000",
+ "dst_port_max": "32767",
+ "stateless": false
+ },
+ "nsg_workers_30000_32767": {
+ "description": "Allow TCP egress from public load balancers to worker nodes for health checks",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-WORKERS",
+ "protocol": "TCP",
+ "dst_port_min": "10256",
+ "dst_port_max": "10256",
+ "stateless": false
+ },
+ "nsg_workers_ICMP": {
+ "description": "Allow ICMP egress from public load balancers to worker nodes for path discovery",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-WORKERS",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "stateless": false
+ }
+ },
+ "ingress_rules": {
+ }
+ },
+ "NSG-PROD-WORKERS": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "nsg-prod-workers",
+ "egress_rules": {
+ "anywhere": {
+ "description": "Allow ALL egress from workers to internet",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_pods": {
+ "description": "Allow ALL egress from workers to other pods",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-PODS",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_workers": {
+ "description": "Allow ALL egress from workers for cross-node pod communication when using NodePorts or hostNetwork: true",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-WORKERS",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_cp_6443": {
+ "description": "Allow TCP egress from workers to Kubernetes API server",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-CP",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_cp_10250": {
+ "description": "Allow TCP egress from workers to OKE control plane",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-CP",
+ "protocol": "TCP",
+ "dst_port_min": "10250",
+ "dst_port_max": "10250",
+ "stateless": false
+ },
+ "nsg_cp_12250": {
+ "description": "Allow TCP ingress to workers for health check from OKE control plane",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-CP",
+ "protocol": "TCP",
+ "dst_port_min": "12250",
+ "dst_port_max": "12250",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow ICMP egress from workers for path discovery",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "stateless": false
+ },
+ "nsg_service": {
+ "description": "Allow TCP egress from workers to OCI Services",
+ "dst": "all-services",
+ "dst_type": "SERVICE_CIDR_BLOCK",
+ "protocol": "TCP",
+ "stateless": false
+ }
+ },
+ "ingress_rules": {
+ "nsg_pods": {
+ "description": "Allow ALL ingress to workers from other pods",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-PODS",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_workers": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-WORKERS",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_cp": {
+ "description": "Allow ALL ingress to workers from Kubernetes control plane for webhooks served by workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-CP",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_cp_10256": {
+ "description": "Allow TCP ingress to workers for a health check from OKE control plane",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-PRIV-LB",
+ "protocol": "TCP",
+ "dst_port_min": "10256",
+ "dst_port_max": "10256",
+ "stateless": false
+ },
+ "nsg_pub_lb_30000_30000": {
+ "description": "Allow TCP ingress to workers from public load balancers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-PRIV-LB",
+ "protocol": "TCP",
+ "dst_port_min": "30000",
+ "dst_port_max": "32767",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow ICMP ingress to pods for path discovery",
+ "src_type": "CIDR_BLOCK",
+ "src": "0.0.0.0/0",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ }
+ }
+ },
+ "NSG-PROD-PODS": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "nsg-prod-pods",
+ "egress_rules": {
+ "anywhere": {
+ "description": "Allow ALL egress from pods to internet",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "TCP",
+ "stateless": false
+ },
+ "nsg_pods": {
+ "description": "Allow ALL egress from pods to other pods",
+ "dst_type":"NETWORK_SECURITY_GROUP",
+ "dst":"NSG-PROD-PODS",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_workers": {
+ "description": "Allow ALL egress from pods for cross-node pod communication when using NodePorts or hostNetwork: true",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-WORKERS",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_cp_6443": {
+ "description": "Allow TCP egress from pods to Kubernetes API server",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-PROD-CP",
+ "protocol": "TCP",
+ "dst_port_min" : "6443",
+ "dst_port_max" : "6443",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow ICMP egress from pods for path discovery",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code":"4",
+ "stateless": false
+ },
+ "nsg_service": {
+ "description": "Allow TCP egress from pods to OCI Services",
+ "dst": "all-services",
+ "dst_type": "SERVICE_CIDR_BLOCK",
+ "protocol": "TCP",
+ "stateless": false
+ }
+ },
+ "ingress_rules": {
+ "nsg_pods": {
+ "description": "Allow ALL ingress to pods from other pods",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-PODS",
+ "protocol": "ALL",
+ "dst_port_min" :"80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_workers": {
+ "description": "Allow ALL ingress to pods for cross-node pod communication when using NodePorts or hostNetwork: true",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-WORKERS",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_cp": {
+ "description": "Allow ALL ingress to pods from Kubernetes control plane for webhooks served by pods",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-PROD-CP",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow ICMP ingress to pods for path discovery",
+ "src_type": "CIDR_BLOCK",
+ "src": "0.0.0.0/0",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ }
+
+ }
+ }
+ },
+ "route_tables": {
+ "RT-PROD-WORKERS-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": " rt-fra-fdz-p-workers",
+ "route_rules": {
+ "sgw_route": {
+ "network_entity_key": "SGW-PROD-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ },
+ "ngw_route": {
+ "network_entity_key": "NAT-PROD-KEY",
+ "description": "Route to ngw",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK"
+ }
+ }
+ },
+ "RT-PROD-PODS-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": " rt-fra-fdz-p-pods",
+ "route_rules": {
+ "sgw_route": {
+ "network_entity_key": "SGW-PROD-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ },
+ "ngw_route": {
+ "network_entity_key": "NAT-PROD-KEY",
+ "description": "Route to ngw",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK"
+ }
+ }
+ },
+ "RT-PROD-CP-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": " rt-fra-fdz-p-cp",
+ "route_rules": {
+ "sgw_route": {
+ "network_entity_key": "SGW-PROD-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ },
+ "ngw_route": {
+ "network_entity_key": "NAT-PROD-KEY",
+ "description": "Route to ngw",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK"
+ }
+ }
+ },
+ "RT-PROD-PRIV-LB-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "rt-fra-fdz-p-lb",
+ "route_rules": {
+ "drg": {
+ "description": "Route to Hub Dynamic Routing Gateway",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK",
+ "network_entity_key": "DRG-FRA-LZP-HUB-KEY"
+ }
+ }
+ },
+ "RT-PROD-GENERIC-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "rt-fra-fdz-p-generic",
+ "route_rules": {
+ "nat_route": {
+ "description": "Route for IPSec VPN",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK",
+ "network_entity_key": "NAT-PROD-KEY"
+ },
+ "sgw_route": {
+ "network_entity_key": "SGW-PROD-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ }
+ }
+ }
+ },
+ "subnets": {
+ "SN-PROD-PODS-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.40.0/23",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-p-platform-oke-pods",
+ "dns_label": "snpplatokepods",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-PROD-PODS-KEY",
+ "security_list_keys": [
+ "SECLIST-PROD-PODS-KEY"
+ ]
+ },
+ "SN-PROD-WORKERS-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.42.0/23",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-p-platform-oke-workers",
+ "dns_label": "snpplatokework",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-PROD-WORKERS-KEY",
+ "security_list_keys": [
+ "SECLIST-PROD-WORKERS-KEY"
+ ]
+ },
+ "SN-PROD-PRIV-LB-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.45.0/24",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-p-platform-oke-lb",
+ "dns_label": "snpplatmokelb",
+ "prohibit_internet_ingress": false,
+ "prohibit_public_ip_on_vnic": false,
+ "route_table_key": "RT-PROD-PRIV-LB-KEY",
+ "security_list_keys": [
+ "SECLIST-PROD-PRIV-LB-KEY"
+ ]
+ },
+ "SN-PROD-DATABASE-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.44.0/24",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-p-platform-oke-db",
+ "dns_label": "snpplatokedb",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-PROD-GENERIC-KEY",
+ "security_list_keys": [
+ "SECLIST-PROD-CP-KEY"
+ ]
+ },
+ "SN-PROD-BASTION-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.46.128/25",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": " sn-fra-lzp-p-platform-oke-bastion",
+ "dns_label": "snpplatfokebast",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-PROD-GENERIC-KEY",
+ "security_list_keys": [
+ "SECLIST-PROD-CP-KEY"
+ ]
+ },
+ "SN-PROD-FSS-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.47.0/25",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-p-platform-oke-fss",
+ "dns_label": "snpplatfokefss",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-PROD-GENERIC-KEY",
+ "security_list_keys": [
+ "SECLIST-PROD-CP-KEY"
+ ]
+ },
+ "SN-PROD-CP-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.46.0/25",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-p-platform-oke-cp",
+ "dns_label": "snpplatokecp",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-PROD-CP-KEY",
+ "security_list_keys": [
+ "SECLIST-PROD-CP-KEY"
+ ]
+ }
+ },
+ "vcn_specific_gateways": {
+ "service_gateways": {
+ "SGW-PROD-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "sg-fra-lzp-prod",
+ "services": "all-services"
+ }
+ },
+ "nat_gateways": {
+ "NAT-PROD-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "display_name": "nt-fra-lzp-prod",
+ "services": "nt-fra-lzp-prod"
+ }
+ }
+ }
+ },
+ "VCN-DEV-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "block_nat_traffic": false,
+ "cidr_blocks": [
+ "10.0.56.0/21"
+ ],
+ "display_name": "vcn-fra-lzp-d-platform-oke",
+ "dns_label": "vcnfralzpdoke",
+ "is_attach_drg": false,
+ "is_create_igw": false,
+ "is_ipv6enabled": false,
+ "is_oracle_gua_allocation_enabled": false,
+ "security_lists": {
+ "SECLIST-DEV-PODS-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "sl-01-lzp-d-platform-pods",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ },
+ "SECLIST-DEV-WORKERS-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "sl-02-lzp-d-platform-workers",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ },
+ "SECLIST-DEV-PRIV-LB-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "sl-03-lzp-d-platform-lb",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ },
+ "SECLIST-DEV-CP-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "sl-04-lzp-d-platform-cp",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ }
+ },
+ "network_security_groups": {
+ "NSG-DEV-CP": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "nsg-dev-cp",
+ "egress_rules": {
+ "nsg_pods": {
+ "description": "Allow TCP egress from OKE control plane to pods",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-PODS",
+ "protocol": "TCP",
+ "stateless": false
+ },
+ "nsg_workers_12250": {
+ "description": "Allow TCP egress for path discovery to worker nodes",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-WORKERS",
+ "dst_port_min": "12250",
+ "dst_port_max": "12250",
+ "protocol": "TCP",
+ "stateless": false
+ },
+ "nsg_workers_10250": {
+ "description": "Allow TCP egress for path discovery to worker nodes",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-WORKERS",
+ "dst_port_min": "10250",
+ "dst_port_max": "10250",
+ "protocol": "TCP",
+ "stateless": false
+ },
+ "nsg_workers_icmp": {
+ "description": "Allow ICMP egress from OKE control plane to worker nodes",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-WORKERS",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "protocol": "ICMP",
+ "stateless": false
+ },
+ "nsg_cp_6443": {
+ "description": "Allow TCP egress for Kubernetes control plane inter-communication",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-CP",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_service": {
+ "description": "Allow TCP egress from OKE control plane to OCI services",
+ "dst": "all-services",
+ "dst_type": "SERVICE_CIDR_BLOCK",
+ "protocol": "TCP",
+ "stateless": false
+ }
+ },
+ "ingress_rules": {
+ "nsg_pods_12250": {
+ "description": "Allow TCP ingress from pods to kube-apiserver",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-PODS",
+ "protocol": "TCP",
+ "dst_port_min": "12250",
+ "dst_port_max": "12250",
+ "stateless": false
+ },
+ "nsg_pods_6443": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-PODS",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_workers_6443": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-WORKERS",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_workers_12250": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-WORKERS",
+ "protocol": "TCP",
+ "dst_port_min": "12250",
+ "dst_port_max": "12250",
+ "stateless": false
+ },
+ "nsg_cp_6443": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-CP",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_workers_icmp": {
+ "description": "Allow ICMP ingress for path discovery from worker nodes",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-WORKERS",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow TCP ingress to kube-apiserver from 0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "src": "0.0.0.0/0",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ }
+ }
+ },
+ "NSG-DEV-PRIV-LB": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "nsg-dev-lb",
+ "egress_rules": {
+ "nsg_workers": {
+ "description": "Allow TCP egress from public load balancers to workers nodes for NodePort traffic",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-WORKERS",
+ "protocol": "TCP",
+ "dst_port_min": "30000",
+ "dst_port_max": "32767",
+ "stateless": false
+ },
+ "nsg_workers_30000_32767": {
+ "description": "Allow TCP egress from public load balancers to worker nodes for health checks",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-WORKERS",
+ "protocol": "TCP",
+ "dst_port_min": "10256",
+ "dst_port_max": "10256",
+ "stateless": false
+ },
+ "nsg_workers_ICMP": {
+ "description": "Allow ICMP egress from public load balancers to worker nodes for path discovery",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-WORKERS",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "stateless": false
+ }
+ },
+ "ingress_rules": {}
+ },
+ "NSG-DEV-WORKERS": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "nsg-dev-workers",
+ "egress_rules": {
+ "anywhere": {
+ "description": "Allow ALL egress from workers to internet",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_pods": {
+ "description": "Allow ALL egress from workers to other pods",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-PODS",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_workers": {
+ "description": "Allow ALL egress from workers for cross-node pod communication when using NodePorts or hostNetwork: true",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-WORKERS",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_cp_6443": {
+ "description": "Allow TCP egress from workers to Kubernetes API server",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-CP",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_cp_10250": {
+ "description": "Allow TCP egress from workers to OKE control plane",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-CP",
+ "protocol": "TCP",
+ "dst_port_min": "10250",
+ "dst_port_max": "10250",
+ "stateless": false
+ },
+ "nsg_cp_12250": {
+ "description": "Allow TCP ingress to workers for health check from OKE control plane",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-CP",
+ "protocol": "TCP",
+ "dst_port_min": "12250",
+ "dst_port_max": "12250",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow ICMP egress from workers for path discovery",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "stateless": false
+ },
+ "nsg_service": {
+ "description": "Allow TCP egress from workers to OCI Services",
+ "dst": "all-services",
+ "dst_type": "SERVICE_CIDR_BLOCK",
+ "protocol": "TCP",
+ "stateless": false
+ }
+ },
+ "ingress_rules": {
+ "nsg_pods": {
+ "description": "Allow ALL ingress to workers from other pods",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-PODS",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_workers": {
+ "description": "Allow ALL ingress to workers from other workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-WORKERS",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_cp": {
+ "description": "Allow ALL ingress to workers from Kubernetes control plane for webhooks served by workers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-CP",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_cp_10256": {
+ "description": "Allow TCP ingress to workers for health check from OKE control plane",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-PRIV-LB",
+ "protocol": "TCP",
+ "dst_port_min": "10256",
+ "dst_port_max": "10256",
+ "stateless": false
+ },
+ "nsg_pub_lb_30000_30000": {
+ "description": "Allow TCP ingress to workers from public load balancers",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-PRIV-LB",
+ "protocol": "TCP",
+ "dst_port_min": "30000",
+ "dst_port_max": "32767",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow ICMP ingress to pods for path discovery",
+ "src_type": "CIDR_BLOCK",
+ "src": "0.0.0.0/0",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ }
+ }
+ },
+ "NSG-DEV-PODS": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "nsg-dev-pods",
+ "egress_rules": {
+ "anywhere": {
+ "description": "Allow ALL egress from pods to internet",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "TCP",
+ "stateless": false
+ },
+ "nsg_pods": {
+ "description": "Allow ALL egress from pods to other pods",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-PODS",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_workers": {
+ "description": "Allow ALL egress from pods for cross-node pod communication when using NodePorts or hostNetwork: true",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-WORKERS",
+ "protocol": "ALL",
+ "stateless": false
+ },
+ "nsg_cp_6443": {
+ "description": "Allow TCP egress from pods to Kubernetes API server",
+ "dst_type": "NETWORK_SECURITY_GROUP",
+ "dst": "NSG-DEV-CP",
+ "protocol": "TCP",
+ "dst_port_min": "6443",
+ "dst_port_max": "6443",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow ICMP egress from pods for path discovery",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "stateless": false
+ },
+ "nsg_service": {
+ "description": "Allow TCP egress from pods to OCI Services",
+ "dst": "all-services",
+ "dst_type": "SERVICE_CIDR_BLOCK",
+ "protocol": "TCP",
+ "stateless": false
+ }
+ },
+ "ingress_rules": {
+ "nsg_pods": {
+ "description": "Allow ALL ingress to pods from other pods",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-PODS",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_workers": {
+ "description": "Allow ALL ingress to pods for cross-node pod communication when using NodePorts or hostNetwork: true",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-WORKERS",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_cp": {
+ "description": "Allow ALL ingress to pods from Kubernetes control plane for webhooks served by pods",
+ "src_type": "NETWORK_SECURITY_GROUP",
+ "src": "NSG-DEV-CP",
+ "protocol": "ALL",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ },
+ "nsg_icmp": {
+ "description": "Allow ICMP ingress to pods for path discovery",
+ "src_type": "CIDR_BLOCK",
+ "src": "0.0.0.0/0",
+ "protocol": "ICMP",
+ "icmp_type": "3",
+ "icmp_code": "4",
+ "dst_port_min": "80",
+ "dst_port_max": "80",
+ "stateless": false
+ }
+ }
+ }
+ },
+ "route_tables": {
+ "RT-DEV-WORKERS-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": " rt-fra-fdz-d-workers",
+ "route_rules": {
+ "sgw_route": {
+ "network_entity_key": "SGW-DEV-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ },
+ "ngw_route": {
+ "network_entity_key": "NAT-DEV-KEY",
+ "description": "Route to ngw",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK"
+ }
+ }
+ },
+ "RT-DEV-PODS-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": " rt-fra-fdz-d-pods",
+ "route_rules": {
+ "sgw_route": {
+ "network_entity_key": "SGW-DEV-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ },
+ "ngw_route": {
+ "network_entity_key": "NAT-DEV-KEY",
+ "description": "Route to ngw",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK"
+ }
+ }
+ },
+ "RT-DEV-CP-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": " rt-fra-fdz-d-cp",
+ "route_rules": {
+ "sgw_route": {
+ "network_entity_key": "SGW-DEV-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ },
+ "ngw_route": {
+ "network_entity_key": "NAT-DEV-KEY",
+ "description": "Route to ngw",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK"
+ }
+ }
+ },
+ "RT-DEV-PRIV-LB-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "rt-fra-fdz-d-lb",
+ "route_rules": {
+ "drg": {
+ "description": "Route to Hub Dynamic Routing Gateway",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK",
+ "network_entity_key": "DRG-FRA-LZP-HUB-KEY"
+ }
+ }
+ },
+ "RT-DEV-GENERIC-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "rt-fra-fdz-d-generic",
+ "route_rules": {
+ "nat_route": {
+ "description": "Route for IPSec VPN",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK",
+ "network_entity_key": "NAT-DEV-KEY"
+ },
+ "sgw_route": {
+ "network_entity_key": "SGW-DEV-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ }
+ }
+ }
+ },
+ "subnets": {
+ "SN-DEV-PODS-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.56.0/23",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-d-platform-oke-pods",
+ "dns_label": "sndplatokepods",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-DEV-PODS-KEY",
+ "security_list_keys": [
+ "SECLIST-DEV-PODS-KEY"
+ ]
+ },
+ "SN-DEV-WORKERS-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.58.0/23",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-d-platform-oke-workers",
+ "dns_label": "sndplatokework",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-DEV-WORKERS-KEY",
+ "security_list_keys": [
+ "SECLIST-DEV-WORKERS-KEY"
+ ]
+ },
+ "SN-DEV-PRIV-LB-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.61.0/24",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-d-platform-oke-PRIV-lb",
+ "dns_label": "sndplatokepublb",
+ "prohibit_internet_ingress": false,
+ "prohibit_public_ip_on_vnic": false,
+ "route_table_key": "RT-DEV-PRIV-LB-KEY",
+ "security_list_keys": [
+ "SECLIST-DEV-PRIV-LB-KEY"
+ ]
+ },
+ "SN-DEV-CP-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.62.0/25",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-d-platform-oke-cp",
+ "dns_label": "sndplatokecp",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-DEV-CP-KEY",
+ "security_list_keys": [
+ "SECLIST-DEV-CP-KEY"
+ ]
+ },
+ "SN-DEV-DATABASE-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.60.0/24",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-d-platform-oke-db",
+ "dns_label": "sndplatokedb",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-DEV-GENERIC-KEY",
+ "security_list_keys": [
+ "SECLIST-DEV-CP-KEY"
+ ]
+ },
+ "SN-DEV-BASTION-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.62.128/25",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": " sn-fra-lzp-d-platform-oke-bastion",
+ "dns_label": "sndplatfokebast",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-DEV-GENERIC-KEY",
+ "security_list_keys": [
+ "SECLIST-DEV-CP-KEY"
+ ]
+ },
+ "SN-DEV-FSS-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.63.0/25",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-d-platform-oke-fss",
+ "dns_label": "sndplatfokefss",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-DEV-GENERIC-KEY",
+ "security_list_keys": [
+ "SECLIST-DEV-CP-KEY"
+ ]
+ }
+ },
+ "vcn_specific_gateways": {
+ "service_gateways": {
+ "SGW-DEV-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "sg-fra-lzp-dev",
+ "services": "all-services"
+ }
+ },
+ "nat_gateways": {
+ "NAT-DEV-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "display_name": "nt-fra-lzp-dev",
+ "services": "nt-fra-lzp-dev"
+ }
+ }
+ }
+ },
+ "VCN-MGT-KEY": {
+ "compartment_id": "CMP-LZP-NETWORK-KEY",
+ "block_nat_traffic": false,
+ "cidr_blocks": [
+ "10.0.32.0/21"
+ ],
+ "display_name": "vcn-fra-lzp-m-platform-oke",
+ "dns_label": "vcnfralzpmoke",
+ "is_attach_drg": false,
+ "is_create_igw": false,
+ "is_ipv6enabled": false,
+ "is_oracle_gua_allocation_enabled": false,
+ "security_lists": {
+ "SECLIST-MGT-KEY": {
+ "compartment_id": "CMP-LZP-NETWORK-KEY",
+ "display_name": "mgt",
+ "defined_tags": null,
+ "freeform_tags": null,
+ "egress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ICMP",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ICMP traffic for: All",
+ "protocol": "ICMP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+ }
+ },
+ "network_security_groups": {},
+ "route_tables": {
+ "RT-MGT-KEY": {
+ "compartment_id": "CMP-LZP-NETWORK-KEY",
+ "display_name": "rt-fra-fdz-m-workers",
+ "route_rules": {
+ "sgw_route": {
+ "network_entity_key": "SGW-MGT-KEY",
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK"
+ },
+ "ngw_route": {
+ "network_entity_key": "NAT-MGT-KEY",
+ "description": "Route to ngw",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK"
+ }
+ }
+ }
+ },
+ "subnets": {
+ "SN-MGT-PODS-KEY": {
+ "compartment_id": "CMP-LZP-NETWORK-KEY",
+ "availability_domain": null,
+ "cidr_block": "10.0.32.0/23",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-lzp-m-platform-oke-mgt",
+ "dns_label": "snmplatokemgt",
+ "prohibit_internet_ingress": false,
+ "prohibit_public_ip_on_vnic": false,
+ "route_table_key": "RT-MGT-KEY",
+ "security_list_keys": [
+ "SECLIST-MGT-KEY"
+ ]
+ }
+ },
+ "vcn_specific_gateways": {
+ "service_gateways": {
+ "SGW-MGT-KEY": {
+ "compartment_id": "CMP-LZP-NETWORK-KEY",
+ "display_name": "sg-fra-lzp-mgt",
+ "services": "all-services"
+ }
+ },
+ "nat_gateways": {
+ "NAT-MGT-KEY": {
+ "compartment_id": "CMP-LZP-NETWORK-KEY",
+ "display_name": "nt-fra-lzp-mgt",
+ "services": "nt-fra-lzp-mgt"
+ }
+ }
+ }
+ }
+ }
+ },
+ "drgattach": {
+ "non_vcn_specific_gateways": {
+ "inject_into_existing_drgs": {
+ "DRG-KEY": {
+ "drg_id": "DRG-FRA-LZP-HUB-KEY",
+ "drg_attachments": {
+ "DRG-VCN-OKE-MGT-KEY": {
+ "compartment_id": "CMP-LZP-NETWORK-KEY",
+ "defined_tags": null,
+ "display_name": "drgatt-vcn-fra-lzp-m-platform-oke",
+ "drg_route_table_id": "ocid1.drgroutetable.oc1.eu-frankfurt-1.aaaaaaaacylvkqat2zn2k5kbinakmwkdv74i3ut3u53eoqgdagu2bzdqhg4a",
+ "network_details": {
+ "attached_resource_id": null,
+ "attached_resource_key": "VCN-MGT-KEY",
+ "type": "VCN",
+ "route_table_id": null,
+ "route_table_name": null,
+ "vcn_route_type": null
+ }
+ },
+ "DRG-VCN-OKE-PROD-KEY": {
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "defined_tags": null,
+ "display_name": "drgatt-vcn-fra-lzp-p-platform-oke",
+ "drg_route_table_id": "ocid1.drgroutetable.oc1.eu-frankfurt-1.aaaaaaaacylvkqat2zn2k5kbinakmwkdv74i3ut3u53eoqgdagu2bzdqhg4a",
+ "network_details": {
+ "attached_resource_id": null,
+ "attached_resource_key": "VCN-PROD-KEY",
+ "type": "VCN",
+ "route_table_id": null,
+ "route_table_name": null,
+ "vcn_route_type": null
+ }
+ },
+ "DRG-VCN-OKE-DEV-KEY": {
+ "compartment_id": "CMP-LZP-D-NETWORK-KEY",
+ "defined_tags": null,
+ "display_name": "drgatt-vcn-fra-lzp-d-platform-oke",
+ "drg_route_table_id": "ocid1.drgroutetable.oc1.eu-frankfurt-1.aaaaaaaacylvkqat2zn2k5kbinakmwkdv74i3ut3u53eoqgdagu2bzdqhg4a",
+ "network_details": {
+ "attached_resource_id": null,
+ "attached_resource_key": "VCN-DEV-KEY",
+ "type": "VCN",
+ "route_table_id": null,
+ "route_table_name": null,
+ "vcn_route_type": null
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
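Review bot: the three non-OKE subnets in the dev VCN (`SN-DEV-DATABASE-KEY`, `SN-DEV-BASTION-KEY`, `SN-DEV-FSS-KEY`) are placed in `CMP-LZP-P-NETWORK-KEY`, the prod network compartment, while every other dev resource uses `CMP-LZP-D-NETWORK-KEY`; that looks like a copy-paste slip that would land dev subnets in the prod compartment, so please switch them to the dev key. In the same block, `SN-DEV-PRIV-LB-KEY` is named `...PRIV-lb` yet has `prohibit_internet_ingress: false`, `prohibit_public_ip_on_vnic: false` and the dns label `sndplatokepublb`; for a private load-balancer subnet both flags should be `true`. Those same three subnets also reuse `SECLIST-DEV-CP-KEY`, the control-plane security list; each should carry its own list so the rules reflect what actually runs there. Rule-level inconsistencies worth cleaning up: `nsg_pub_lb_30000_30000` is described as "from public load balancers" but its source is `NSG-DEV-PRIV-LB` and the range is 30000-32767; the `anywhere` egress rule on `NSG-DEV-PODS` says "Allow ALL" but restricts `protocol` to `TCP`; the `protocol: ALL` and `ICMP` ingress rules carry `dst_port_min`/`dst_port_max` of `80`, which has no meaning for those protocols and should be dropped; the `nat_route` on `RT-DEV-GENERIC-KEY` is described as "Route for IPSec VPN" but targets the NAT gateway; the NAT gateways carry a `services` attribute copied from the service gateway; and several display names have a leading space (`" rt-fra-fdz-d-workers"`, `" rt-fra-fdz-d-pods"`, `" sn-fra-lzp-d-platform-oke-bastion"`). Finally, the three `drg_route_table_id` values are a single tenancy-specific OCID hard-coded into a reference configuration; replace them with a placeholder key the user fills in, like the other `*-KEY` references, so the file is not silently wrong in any other tenancy.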
diff --git a/workload-extensions/oke/2_oke/README.md b/workload-extensions/oke/2_oke/README.md
new file mode 100644
index 00000000..230483e4
--- /dev/null
+++ b/workload-extensions/oke/2_oke/README.md
@@ -0,0 +1,63 @@
+# OKE foundations Set-up
+
+
+## **1. Summary**
+
+| | |
+| -------------------- | ----------------------------------------------------- |
+| **NAME** | OKE cluster set-up |
+| **OBJECTIVE** | Provision OCI OKE cluster as a new platform on top of the OKE Landing Zone Extensions. |
+| **TARGET RESOURCES** | OKE |
+
+
+
+## **2. OKE Deployment**
+
+We recommend automating the OKE Cluster deployment using Terraform.
+
+To deploy a new OKE Cluster ( VCN-native pod networking for OKE CNI ) as a new Platform (on top of ONE-OE LZ), follow next steps.
+
+For this Demo we are going to use Cloud Shell. See the full module documentation [here](https://github.com/oracle-terraform-modules/terraform-oci-oke/tree/main/examples) if required.
+
+1. Click the 'Next' button, cloud shell will be open
+
+[![Open in Code Editor](https://raw.githubusercontent.com/oracle-devrel/oci-code-editor-samples/main/images/open-in-code-editor.png)](https://cloud.oracle.com/?region=home&cs_repo_url=https://github.com/oci-landing-zones/oci-landing-zone-operating-entities.git&cs_branch=master&cs_readme_path=workload-extensions/oke/2_oke/README.md&cs_open_ce=false)
+
+2. `$ git clone git@github.com:oci-landing-zones/oci-landing-zone-operating-entities.git`
+3. `$ cd oci-landing-zone-operating-entities/workload-extensions/oke/2_oke/oke_lz_tf`
+4. Change the **KEYS values** for the respective **OCIDs** in the oke.tf file
+
+| Placeholder | Description |
+| --- | --- |
+| CMP-PLATFORM-OKE-KEY | OCID of OKE Platform Compartment where we want to deploy OKE. Created in step 1_foundation |
+| VCN-OKE-KEY | OCID of OKE VCN deployed in Network Compartment in respective environment. Created in step 1_foundation |
+| SN-CP-KEY | OCID of Control plane subnet in OKE VCN. Created in step 1_foundation. |
+| SN-PRIV-LB-KEY | OCID of private Load Balancer subnet in OKE VCN. Created in step 1_foundation. |
+| SN-WORKERS-KEY | OCID of workers subnet in OKE VCN. Created in step 1_foundation. |
+| SN-PODS-KEY | OCID of pods subnet in OKE VCN. Created in step 1_foundation. |
+| NSG-CP-KEY | OCID of Control plane NSG in OKE VCN. Created in step 1_foundation. |
+| NSG-INT-LB-KEY | OCID of private Load Balancer NSG in OKE VCN. Created in step 1_foundation. |
+| NSG-WORKERS-KEY | OCID of workers NSG in OKE VCN. Created in step 1_foundation. |
+| NSG-PODS-KEY | OCID of pods NSG in OKE VCN. Created in step 1_foundation. |
+| CMP-NETWORK-KEY | OCID of Network compartment in respective environment.
+
+> [!NOTE]
+> Make any additional changes needed to customize your cluster. If you have any questions, please refer to the documentation.
+
+5. Run `$ terraform init`
+6. Run `$ terraform apply -var="tenancy_ocid=$OCI_TENANCY" -var="region=$OCI_REGION" `
+
+> [!WARNING]
+> Be careful to store your `terraform.tfstate` file. This files holds information about Terraform Managed resources. Without it, you won't be able to modify or destroy your Terraform configured infrastructure. Local storage in Cloud Shell is deleted after a period of inactivity.
+>
+> To destroy created OKE cluster run `$ terraform destroy -var="tenancy_ocid=$OCI_TENANCY" -var="region=$OCI_REGION" `
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.
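Review bot: step 4 tells the reader to replace the `*-KEY` placeholders listed in the table, but the `oke.tf` added in this PR uses empty strings for `compartment_id`, `vcn_id`, `network_compartment_id` and every subnet/NSG `id`, so none of `CMP-PLATFORM-OKE-KEY`, `SN-CP-KEY`, `NSG-INT-LB-KEY` and friends actually appear in that file; either put those placeholder keys into `oke.tf` or rewrite the table to say which attribute each OCID goes into. Smaller points: step 2 clones over SSH (`git@github.com:...`), which fails in a fresh Cloud Shell without a registered key, so prefer the `https://github.com/...` URL the step 1 link already uses; the last table row (`CMP-NETWORK-KEY`) is missing its closing `|`; "This files holds" should be "This file holds"; the trailing space inside the backticks of the `terraform apply` and `terraform destroy` commands should go; and the page title "OKE foundations Set-up" duplicates the 1_foundation title, where "OKE cluster set-up" would match the summary table.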
diff --git a/workload-extensions/oke/2_oke/oke_lz_tf/oke.tf b/workload-extensions/oke/2_oke/oke_lz_tf/oke.tf
new file mode 100644
index 00000000..aacdb9de
--- /dev/null
+++ b/workload-extensions/oke/2_oke/oke_lz_tf/oke.tf
@@ -0,0 +1,104 @@
+module "oke" {
+ source = "oracle-terraform-modules/oke/oci"
+ version = "5.1.8"
+ compartment_id = ""
+ # IAM - Policies
+ create_iam_autoscaler_policy = "never"
+ create_iam_kms_policy = "never"
+ create_iam_operator_policy = "never"
+ create_iam_worker_policy = "never"
+ # Network module - VCN
+ vcn_id = ""
+ subnets = {
+ cp = { id = "" }
+ int_lb = { id = "" }
+ workers = { id = "" }
+ pods = { id = "" }
+ }
+ nsgs = {
+ cp = { id = "" }
+ int_lb = { id = "" }
+ workers = { id = "" }
+ pods = { id = "" }
+ }
+ network_compartment_id = ""
+ assign_public_ip_to_control_plane = false
+ assign_dns = true
+ create_vcn = false
+ vcn_dns_label = "oke"
+ lockdown_default_seclist = true
+ # Network module - security
+ allow_node_port_access = true
+ allow_pod_internet_access = true
+ allow_worker_internet_access = true
+ allow_worker_ssh_access = true
+ control_plane_allowed_cidrs = ["0.0.0.0/0"]
+ control_plane_is_public = false
+ enable_waf = false
+ load_balancers = "internal"
+ preferred_load_balancer = "internal"
+ worker_is_public = false
+ # Network module - routing
+ ig_route_table_id = null # Only include it if create_vcn = false
+ nat_route_table_id = null # Only include it if create_vcn = false
+ # Cluster module
+ create_cluster = true
+ cluster_kms_key_id = null
+ cluster_name = "oke-quickstart"
+ cluster_type = "enhanced"
+ cni_type = "npn"
+ image_signing_keys = []
+ kubernetes_version = "v1.29.1"
+ pods_cidr = "10.244.0.0/16"
+ services_cidr = "10.96.0.0/16"
+ use_signed_images = false
+ use_defined_tags = false
+ # Workers
+ worker_pool_mode = "node-pool"
+ worker_pool_size = 1
+ worker_image_type = "custom"
+ worker_image_id = "Oracle-Linux-8.9-2024.05.29-0-OKE-1.29.1-707"
+ worker_cloud_init = [
+ {
+ content = <<-EOT
+ runcmd:
+ - sudo /usr/libexec/oci-growfs -y
+ EOT
+ content_type = "text/cloud-config",
+ }]
+ freeform_tags = {
+ workers = {
+ "cluster" = "oke-pp-quickstart"
+ }
+ }
+ worker_pools = {
+ np1 = {
+ shape = "VM.Standard.E4.Flex",
+ ocpus = 1,
+ memory = 8,
+ boot_volume_size = 50,
+ node_cycling_enabled = false,
+ create = true
+ }
+ }
+
+ # Bastion
+ create_bastion = false
+
+ # Operator
+ create_operator = false
+}
+
+resource "oci_containerengine_addon" "oke_cert_manager" {
+ addon_name = "CertManager"
+ cluster_id = module.oke.cluster_id
+ remove_addon_resources_on_delete = false
+ depends_on = [module.oke]
+}
+
+resource "oci_containerengine_addon" "oke_metrics_server" {
+ addon_name = "KubernetesMetricsServer"
+ cluster_id = module.oke.cluster_id
+ remove_addon_resources_on_delete = false
+ depends_on = [module.oke, oci_containerengine_addon.oke_cert_manager]
+}
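Review bot: `control_plane_allowed_cidrs = ["0.0.0.0/0"]` lets the module open the API endpoint NSG to any source; with `control_plane_is_public = false` the endpoint is reachable only via the VCN/DRG, but a landing zone should still narrow this to the bastion, operator or on-premises CIDRs. Likewise `allow_worker_ssh_access = true` adds SSH ingress rules to the worker NSG while `create_bastion = false` and `create_operator = false`, so nothing in this stack uses them; set it to `false` unless the bastion subnet from step 1 is wired in. `worker_image_type = "custom"` with `worker_image_id = "Oracle-Linux-8.9-2024.05.29-0-OKE-1.29.1-707"` passes what looks like an image display name where a custom image needs an image OCID; either use one of the module's non-custom image types and let it resolve the image, or supply an OCID. The empty-string placeholders (`compartment_id = ""`, `vcn_id = ""`, the `subnets`/`nsgs` ids) should be the named `*-KEY` placeholders the README table refers to, or be promoted to variables. Minor: `cluster_name = "oke-quickstart"` does not match the `"cluster" = "oke-pp-quickstart"` tag; `cluster_kms_key_id = null` leaves cluster secrets without a customer-managed key and deserves a comment saying so; and `depends_on = [module.oke]` on both addons is redundant because `cluster_id = module.oke.cluster_id` already creates that dependency.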
diff --git a/workload-extensions/oke/2_oke/oke_lz_tf/provider.tf b/workload-extensions/oke/2_oke/oke_lz_tf/provider.tf
new file mode 100644
index 00000000..b3e88c31
--- /dev/null
+++ b/workload-extensions/oke/2_oke/oke_lz_tf/provider.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">=1.5.7"
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = "6.2.0"
+ }
+ }
+}
+
+provider "oci" {
+ region = var.region
+}
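Review bot: `var.tenancy_ocid` is declared in `variables.tf` and required on the command line by the README, but it is not referenced here or in `oke.tf`; either pass it to the provider (`tenancy_ocid = var.tenancy_ocid`) or drop the variable and the matching `-var` from the README. The provider block also sets no `auth` method, so the README should state which Cloud Shell authentication the run relies on. Pinning `oci` to exactly `6.2.0` while accepting any Terraform `>=1.5.7` is inconsistent; a `~>` constraint on the provider would let patch releases through.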
diff --git a/workload-extensions/oke/2_oke/oke_lz_tf/variables.tf b/workload-extensions/oke/2_oke/oke_lz_tf/variables.tf
new file mode 100644
index 00000000..38092d48
--- /dev/null
+++ b/workload-extensions/oke/2_oke/oke_lz_tf/variables.tf
@@ -0,0 +1,9 @@
+variable "tenancy_ocid" {
+ type = string
+ description = "Tenancy OCID"
+}
+
+variable "region" {
+ type = string
+ description = "Renion Identifier from https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm"
+}
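Review bot: typo in the `region` description, "Renion Identifier" should read "Region Identifier". Since no file in this PR reads `var.tenancy_ocid`, either remove the variable or wire it into the provider configuration.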
diff --git a/workload-extensions/oke/content/Network.png b/workload-extensions/oke/content/Network.png
new file mode 100644
index 00000000..7e7ab282
Binary files /dev/null and b/workload-extensions/oke/content/Network.png differ
diff --git a/workload-extensions/oke/content/One-OE-LZP.png b/workload-extensions/oke/content/One-OE-LZP.png
new file mode 100644
index 00000000..f82595c6
Binary files /dev/null and b/workload-extensions/oke/content/One-OE-LZP.png differ
diff --git a/workload-extensions/oke/content/One-OE-LZPLZNP.png b/workload-extensions/oke/content/One-OE-LZPLZNP.png
new file mode 100644
index 00000000..e3516cda
Binary files /dev/null and b/workload-extensions/oke/content/One-OE-LZPLZNP.png differ
diff --git a/workload-extensions/oke/content/ProdNetwork.png b/workload-extensions/oke/content/ProdNetwork.png
new file mode 100644
index 00000000..1c9d21ef
Binary files /dev/null and b/workload-extensions/oke/content/ProdNetwork.png differ
diff --git a/workload-extensions/oke/content/Routing_OKE-ext.png b/workload-extensions/oke/content/Routing_OKE-ext.png
new file mode 100644
index 00000000..fdbc059f
Binary files /dev/null and b/workload-extensions/oke/content/Routing_OKE-ext.png differ
diff --git a/workload-extensions/oke/content/Routing_ONE-OE.png b/workload-extensions/oke/content/Routing_ONE-OE.png
new file mode 100644
index 00000000..6c2e54ae
Binary files /dev/null and b/workload-extensions/oke/content/Routing_ONE-OE.png differ
diff --git a/workload-extensions/oke/readme.md b/workload-extensions/oke/readme.md
new file mode 100644
index 00000000..fc2e8f17
--- /dev/null
+++ b/workload-extensions/oke/readme.md
@@ -0,0 +1,38 @@
+# **[OKE Landing Zone Extension](#)**
+## **An OCI Open LZ [Workload Extensions](#) to Reduce Your Time-to-Production**
+
+
+
+
+## **1. Introduction**
+Welcome to the **OKE Landing Zone Extension**.
+
+The OKE Landing Zone Extension is a secure cloud environment, designed with best practices to simplify the on-boarding of OKE workloads and enable the continuous operations of their cloud resources. This reference architecture provides an automated landing zone configuration.
+
+
+## **2. Design Overview**
+This workload extension uses the [One-OE](https://github.com/oracle-quickstart/terraform-oci-open-lz/tree/master/blueprints/one-oe) Blueprint as the reference Landing Zone and guides the deployment of OKE on top of it.
+
+
+## **3. Deployment**
+
+There are four deployment steps to provision OKE landing zone extension:
+
+ 1. The [One-OE](https://github.com/oracle-quickstart/terraform-oci-open-lz/tree/master/blueprints/one-oe) LZ is a requirement and needs to be deployed before continuing. Any other OCI landing zone, such as a [CIS landing zone](https://github.com/oci-landing-zones/oci-cis-landingzone-quickstart), [OCI Core Landing Zone](https://github.com/oci-landing-zones/terraform-oci-core-landingzone) [Multi-OE](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/tree/master/blueprints/multi-oe/generic_v1/runtime), can be deployed as a baseline landing zone.
+ 2. Deploy the **foundation infrastructure**. Follow the guide in [Step 1](/1_foundation/)
+ 3. Create **OKE clusters** in [Step 2](2_oke/)
+
+
+
+## Acknowledgments
+* **Authors**: *Paola Juárez* (Landing Zones Specialist) and *Alberto Campagna* ( Application Development DevOps Specialist)
+* **Contributors**: *Peter Hrvola* (Landing Zones Specialist)
+
+
+## License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.
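Review bot: section 3 announces "four deployment steps" but lists three; fix the count. Step 2 links to `/1_foundation/`, an absolute path that resolves to the repository root rather than this directory, while step 3 uses the relative `2_oke/`; make it `1_foundation/`. Step 1 lists three alternative landing zones with no conjunction (`... [OCI Core Landing Zone](...) [Multi-OE](...)`), so insert ", or" before the last one. The two title headings link to `#`, an empty anchor; drop the links or point them at the relevant page. Stray space in "( Application Development DevOps Specialist)".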
diff --git a/workload-extensions/readme.md b/workload-extensions/readme.md
index 56e033dd..24c0f52f 100644
--- a/workload-extensions/readme.md
+++ b/workload-extensions/readme.md
@@ -21,7 +21,7 @@ Find below the list of available workload landing zones and our backlog. Be free
| 1 | [](./ebs/)| A Pluggable **EBS** Landing Zone Workload. | [Available](./ebs/) |
| 2 | [](./ocvs) | A Pluggable **OCVS** Landing Zone Workload. | [Available](./ocvs/) |
| 3 | [](./ai-services) | A Pluggable **AI** Landing Zone Workload. | [Available](./ai-services/) |
-| 4 | **OCI OKE** | A Pluggable **OKE** Landing Zone Extension. | Available On Demand |
+| 4 | | An **OKE** Landing Zone Extension. | [Available](./oke/)|
| 5 | **OCI ExaCS** | A Pluggable **ExaCS** Landing Zone Extension. | Available On Demand |
| 6 | **ExaCC** | A Pluggable **ExaCC** Landing Zone Extension. | Available On Demand |
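Review bot: the replacement row reads "An **OKE** Landing Zone Extension." while rows 5 and 6 keep the "A Pluggable **ExaCS** Landing Zone Extension." wording; align it to "A Pluggable **OKE** Landing Zone Extension." for consistency, and add the space before the closing `|` in `[Available](./oke/)|` to match the other rows.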