Welcome back. In this lesson we look at the capability that allows you to leverage network security groups in your OKE cluster. In addition to using security list rules to control access to resources in your OKE cluster, you can also choose to append additional rules defined in one or more network security groups.

Now, as a reminder, when creating a new OKE cluster, you must select a public or private subnet for the API server and for the node pools containing your worker nodes. You also select one or more subnets for load balancers. Although rules for ingress and egress traffic are commonly defined in security list rules that are associated with those subnets, you may wish to add specific access rules that would apply to the API server or worker nodes or to a load balancer.

For the API server, you can assign an NSG if it is already defined in the VCN if you use the custom create wizard as shown here. However, if you've already provisioned your OKE cluster, you can create a new NSG in the VCN, then assign it later using the edit cluster wizard. Likewise, if you've already created one or more NSGs and you're using the custom create wizard, you can assign them as you're defining the node pool, or you can assign one or more NSGs later using the edit cluster wizard.

Let's now take a closer look at those options in the OCI console. Let's start out by looking at an existing OKE cluster. In this case, I have OKE demo. When I click on that cluster, I can see its basic information, including the VCN it's associated with. If I wish to edit and make a change to add a network security group, I need to make sure that those security groups actually already exist. For this particular example, I'm going to go ahead and navigate over, open up a new tab and look at the VCN that's associated with this cluster.

In this VCN, you'll notice down here, I have four network security groups that I've created ahead of time, and what I have in mind is using one for my worker nodes, using one for my API server, and I've got a couple that can be leveraged for load balancer services.

Now that we see that they are there, let's go back to our cluster itself. If I wish to edit the cluster, I can edit the Kubernetes API server endpoint. That's one way. Or I can just work on updating the nodes in the node pool. Let's do that one first. I go to my node pool, and then in the node pool, I click on edit, and there I can see I can change the options like the shape of my nodes and the images and so forth. But in this case, I simply am looking to add a network security group to control traffic, and I'll select that cluster worker nodes that I had earlier and save those changes.

Now that that's done, let's go back and take a look at our cluster and go ahead and edit and make a change to the network security groups to control the API server. Same thing, I click on that, choose the appropriate network security group. Or I can actually add more than one to any of these if I need to, but usually one is sufficient. Then I simply would click on save to make that change. That's going to take a little bit longer because it involves the control plane.

Now let's switch back over to our clusters and show what it looks like when you're creating a brand new cluster. In this case, I'm going to use the custom create wizard, launching that workflow. When I do, I'm just going to be presented with some options as to which VCN that already exists. I'm just going to leverage the same one I had for the other cluster. I need a subnet for my load balancer, I'll choose a public subnet. For my API server, as typical, I'll use a private subnet. Then right below that is the opportunity to go ahead and define the network security group I wish to use.

In this case I'm going to use that Kubernetes API network security group, and when I click on Next, it allows me then to define my node pool. When I define my node pool right there, once I choose a shape of my servers and how many nodes, here's where I would now choose a network security group for them. In this case, I'm going to choose that one. Then I would simply click on Next and configure it to finish the configuration of my cluster.

Now that we've seen how to assign network security groups to the API server and to the worker nodes, how do we specify an NSG for an OCI load balancer that gets automatically created by OKE whenever you deploy a new Kubernetes load balancer service to your cluster? Well, first you need to locate the OCID, or Oracle Cloud identifier, of the network security group you wish to assign. Then in the manifest file, you add this annotation in the metadata section, providing the OCID of the network security group to be used.

That's it for this lesson on leveraging network security groups and OKE. Thanks for watching.
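The load balancer step described above can be checked after deployment. The following is an added example, not part of the lesson: it scans Service objects (in the shape produced by `kubectl get services -A -o json`) and reports LoadBalancer services whose metadata lacks the `oci.oraclecloud.com/oci-network-security-groups` annotation or carries a value that does not look like an NSG OCID. The function name, the sample services, the placeholder OCIDs and the comma-separated handling of the value are assumptions made for illustration.

```python
import re

# Annotation the OCI cloud controller reads for OCI load balancers.
NSG_ANNOTATION = "oci.oraclecloud.com/oci-network-security-groups"
# Loose shape check only: ocid1.networksecuritygroup.<realm>.<region>.<unique id>
NSG_OCID = re.compile(
    r"^ocid1\.networksecuritygroup\.[a-z0-9]+\.[a-z0-9-]*(\.[a-z0-9-]*)?\.[a-z0-9]+$")

def audit_services(service_list):
    """Map namespace/name -> problem for LoadBalancer Services without a usable NSG annotation."""
    findings = {}
    for svc in service_list.get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue  # only LoadBalancer Services get an OCI load balancer
        meta = svc.get("metadata", {})
        key = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        value = (meta.get("annotations") or {}).get(NSG_ANNOTATION)
        if not value:
            findings[key] = "no NSG annotation"
            continue
        # Assumption: the value may list several OCIDs separated by commas.
        bad = [o.strip() for o in value.split(",") if not NSG_OCID.match(o.strip())]
        if bad:
            findings[key] = "malformed OCID: " + ", ".join(bad)
    return findings

# Constructed sample; names and OCIDs are placeholders, not real resources.
SAMPLE = {"items": [
    {"metadata": {"name": "web", "namespace": "prod", "annotations": {
        NSG_ANNOTATION: "ocid1.networksecuritygroup.oc1.phx.exampleuniqueid1"}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "api", "namespace": "prod"},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "admin", "namespace": "ops", "annotations": {
        NSG_ANNOTATION: "cluster-lb-nsg"}},  # display name pasted instead of OCID
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "cache", "namespace": "prod"},
     "spec": {"type": "ClusterIP"}},
]}

if __name__ == "__main__":
    for name, problem in audit_services(SAMPLE).items():
        print(f"{name}: {problem}")
```

The regular expression checks only the shape of the identifier; it does not confirm that the NSG exists in the cluster's VCN.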