terraform-oci-oke
Add IAM resources (tags, dynamic group, policies) for worker nodes that will be running cluster autoscaler
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Running cluster autoscaler requires a dedicated unmanaged node pool that has certain rights, such as:
```
Allow dynamic-group acme-oke-cluster-autoscaler-dyn-grp to manage cluster-node-pools in compartment <compartment-name>
Allow dynamic-group acme-oke-cluster-autoscaler-dyn-grp to manage instance-family in compartment <compartment-name>
Allow dynamic-group acme-oke-cluster-autoscaler-dyn-grp to use subnets in compartment <compartment-name>
Allow dynamic-group acme-oke-cluster-autoscaler-dyn-grp to read virtual-network-family in compartment <compartment-name>
Allow dynamic-group acme-oke-cluster-autoscaler-dyn-grp to use vnics in compartment <compartment-name>
Allow dynamic-group acme-oke-cluster-autoscaler-dyn-grp to inspect compartments in compartment <compartment-name>
```
The rights are defined in a policy. However, instead of using the compartment as the criterion for dynamic group membership, we will use defined tags.
We therefore need to create or reuse (where possible):
- tag namespaces and keys
- dynamic group
- policy
New or Affected Resource(s)
Potential Terraform Configuration
```hcl
# Copy-paste any Terraform configurations for how the requested feature may be used.
```
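One way the three resources described above could fit together, as an added sketch and not code from the issue or from the terraform-oci-oke module: the variable names `tenancy_ocid` and `compartment_id`, the tag namespace `oke`, the tag key `cluster-autoscaler` and the policy name are assumptions; the dynamic group name and policy statements are the ones listed in the issue.

```hcl
variable "tenancy_ocid"   { type = string }  # dynamic groups are always created in the root compartment
variable "compartment_id" { type = string }  # compartment holding the OKE cluster and node pools

# Tag namespace and key whose value marks the node pool that runs cluster autoscaler.
resource "oci_identity_tag_namespace" "oke" {
  compartment_id = var.compartment_id
  name           = "oke"
  description    = "Tags consumed by OKE dynamic group matching rules"
}

resource "oci_identity_tag" "cluster_autoscaler" {
  tag_namespace_id = oci_identity_tag_namespace.oke.id
  name             = "cluster-autoscaler"
  description      = "Set to 'true' on worker nodes that run cluster autoscaler"
}

# Membership is keyed on the defined tag, not on the compartment the instance sits in,
# so only tagged worker nodes receive the autoscaler permissions.
resource "oci_identity_dynamic_group" "cluster_autoscaler" {
  compartment_id = var.tenancy_ocid
  name           = "acme-oke-cluster-autoscaler-dyn-grp"
  description    = "Worker nodes allowed to scale OKE node pools"
  matching_rule  = "tag.${oci_identity_tag_namespace.oke.name}.${oci_identity_tag.cluster_autoscaler.name}.value = 'true'"
}

# Policy scoped to the cluster compartment, granting only the verbs the issue lists.
# Referencing the dynamic group's name makes Terraform create the group first.
resource "oci_identity_policy" "cluster_autoscaler" {
  compartment_id = var.compartment_id
  name           = "acme-oke-cluster-autoscaler-policy"  # assumed name
  description    = "Cluster autoscaler permissions for ${oci_identity_dynamic_group.cluster_autoscaler.name}"
  statements = [
    for grant in [
      "manage cluster-node-pools", "manage instance-family", "use subnets",
      "read virtual-network-family", "use vnics", "inspect compartments",
    ] : "Allow dynamic-group ${oci_identity_dynamic_group.cluster_autoscaler.name} to ${grant} in compartment id ${var.compartment_id}"
  ]
}

# Defined tags to set under node_config_details.defined_tags of the autoscaler
# node pool (oci_containerengine_node_pool) so its instances match the group.
locals {
  autoscaler_node_defined_tags = {
    "${oci_identity_tag_namespace.oke.name}.${oci_identity_tag.cluster_autoscaler.name}" = "true"
  }
}
```

Node pools that do not carry the tag stay outside the dynamic group, so the policy never reaches ordinary workload nodes.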