Kubernetes Engine FAQ

General questions

What is OCI Kubernetes Engine (OKE)?

Oracle Cloud Infrastructure Kubernetes Engine (OKE) is a managed Kubernetes service that simplifies the development, deployment, and operation of containerized workloads at scale. OKE enables you to quickly create, manage, and consume Kubernetes clusters that leverage underlying OCI compute, networking, and storage services.

When should I use OKE?

You should use OKE when you want to leverage Kubernetes to deploy and manage your Kubernetes-based container applications. It allows you to combine the production-grade container orchestration of standard upstream Kubernetes with the control, security, and high, predictable performance of OCI.

In which regions is OKE available?

OKE is supported in all regions as documented in Regions and Availability Domains.

What standards and regulations does OKE comply with?

OKE supports compliance with numerous industry standards and regulations, including, but not limited to, FedRAMP High, ISO/IEC 27001, PCI DSS, and SOC1/2/3. For more information, please refer to the infrastructure compliance page.

Am I required to manage the control plane of my OKE cluster?

No. Whenever you create a Kubernetes cluster with OKE, the service automatically creates a highly available Kubernetes control plane. The service also handles ongoing management tasks related to the control plane, such as Kubernetes version upgrades, seamlessly and without interruption.

Is OKE certified to be Kubernetes-conformant?

Yes, all Kubernetes versions released by OKE are certified against the Cloud Native Computing Foundation (CNCF) conformance program.

How does OKE provide resiliency?

When you create an OKE cluster, OKE automatically creates and manages multiple Kubernetes control plane nodes spread across fault domains and availability domains (logical data centers). This is done to help ensure that the managed Kubernetes control plane is highly available. Control plane operations, such as upgrading to newer versions of Kubernetes, can be performed without service interruptions. Additionally, when you provision worker nodes, you can use a placement configuration to control the fault domain and availability domain where they are created. Nodes will automatically come online with labels, which you can use to schedule your workloads so they are robust and highly available.
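
The label-based scheduling described above, as an added example (not from Oracle's documentation): a Deployment that spreads its replicas across availability domains and fault domains. The workload name, image, and both label keys are assumptions; confirm the keys with kubectl get nodes --show-labels before relying on them.

```yaml
# Added example (constructed): spread replicas using node topology labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                      # hypothetical workload name
spec:
  replicas: 6
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      topologySpreadConstraints:
        # Availability domain: the Kubernetes well-known zone label,
        # assumed to carry the availability domain on these nodes.
        # Hard constraint: a pod stays Pending rather than unbalance.
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: web
        # Fault domain: assumed label key; verify it on your nodes.
        # Soft constraint: prefer balance, but still schedule if a
        # fault domain has no capacity.
        - maxSkew: 1
          topologyKey: oci.oraclecloud.com/fault-domain
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app: web
      containers:
        - name: web
          image: registry.example.com/web:1.0   # placeholder image
          resources:
            requests:            # requests let the scheduler place pods predictably
              cpu: 100m
              memory: 128Mi
```

The spread only helps if the node pool's placement configuration actually puts worker nodes in more than one fault domain or availability domain.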

Does OKE support Kubernetes role-based access control (RBAC)?

Yes, OKE clusters are enabled with Kubernetes RBAC. Managed Kubernetes is also integrated with Oracle Identity and Access Management (IAM), providing users with powerful controls over access to their clusters.

Can I deploy my Kubernetes cluster into an existing virtual cloud network (VCN)?

Yes, you can deploy a managed Kubernetes cluster into an existing VCN, giving you a greater degree of control over security lists and the use of underlying subnets.

Can I deploy private Kubernetes clusters?

Yes; with OKE, your Kubernetes clusters are integrated in your VCN. Your cluster worker nodes, load balancers, and the Kubernetes API endpoint are part of a private or public subnet of your VCN. Regular VCN routing and firewall rules control access to the Kubernetes API endpoint, making it accessible from a corporate network only, through a bastion host, or by specific platform services.

What are enhanced and basic clusters?

When creating a new cluster with Kubernetes Engine, you must specify the cluster type as one of the following:

  • Enhanced cluster - Enhanced clusters support all available features. See Enhanced Clusters.
  • Basic cluster - Basic clusters support all the core functionality provided by Kubernetes and OKE, but none of the enhanced features that OKE provides. See Basic Clusters.

Basic clusters are suitable if you’re willing to take on more management responsibilities and don't require the advanced capabilities of enhanced OKE clusters. If you need more advanced management capabilities in the future, you can easily switch to enhanced OKE clusters.

How is OKE priced?

OKE charges a $0.10 hourly fee per cluster, backed by an SLA. Additionally, you’ll be charged based on the OCI services created through OKE: compute, storage, networking, and other types of infrastructure resources.

When you choose virtual nodes for worker nodes, there’s an additional hourly fee of $0.015 per node based on their runtime usage.

Worker nodes

Can I deploy my Kubernetes cluster on bare metal nodes?

Yes, you can deploy a managed Kubernetes cluster with bare metal worker nodes. You can also create a cluster with both bare metal and virtual machines, then target your Kubernetes workloads appropriately.

What level of access do I have to my worker nodes?

When setting up an OKE cluster, you can assign a public/private SSH key pair to managed and self-managed nodes. This allows you to use that SSH key pair to access your worker nodes. However, note that OKE virtual nodes cannot be accessed via an SSH key pair, as they are fully managed by OKE.

Can I mix different node types in a single cluster?

It is possible to combine managed and self-managed nodes within a single OKE cluster. However, virtual nodes cannot be mixed with other node types in an OKE cluster.

When should I use virtual nodes, managed nodes, or self-managed nodes?

  • Virtual nodes
    Virtual nodes offer a serverless Kubernetes experience. This option is ideal if you’d rather focus on your application and avoid managing the underlying infrastructure. Virtual nodes relieve you of management-related tasks such as scaling, upgrading, patching, troubleshooting, and provisioning worker nodes.
  • Managed nodes
    Managed nodes are a good choice for general purpose workloads. They offer an extensive list of customizable configuration options that have been tested by the OKE service. Unlike fully managed virtual nodes, you share the management of worker nodes with OCI. OKE simplifies the management process through features such as on-demand cycling to automate worker node updates, cluster self-healing upon failure detection, autoscaling, and more.
  • Self-managed nodes
    Self-managed nodes offer access to the underlying infrastructure, configuration options, and compute shapes that aren’t currently available to managed nodes. This includes access to specialized infrastructure, such as RDMA-enabled bare metal cluster networks or confidential compute shapes. This advanced control makes self-managed nodes ideal for specialized use cases that aren’t supported with managed nodes. Note that with self-managed nodes, you are fully responsible for managing the worker nodes—without the automated features provided by managed or virtual nodes.

What are the storage options for virtual nodes?

OKE virtual nodes do not yet have persistent storage capabilities. However, there are plans to introduce support for attaching persistent volumes backed by OCI Block Storage and OCI File Storage. If your Kubernetes application requires persistent storage, it’s advisable to use OKE managed nodes.

What compute shapes are supported by virtual nodes?

Virtual nodes are compatible with E3, E4, and A1 compute shapes, and new shapes are added regularly. If you need a shape that virtual nodes don't currently offer for your workloads, you can use managed nodes instead.

Add-ons

What are the available software packages with add-ons for lifecycle management?

The following software packages are available with add-ons for lifecycle management. New software packages are added regularly.