Configure policies for a self-provisioned cluster
Although some policies required for Oracle Container Engine for Kubernetes (OKE) and self-provisioned clusters may overlap, we recommend you create another user and group for the principal that will be provisioning the self-provisioned clusters.
- Create a user in OCI, e.g. cluster_api_usr
- Create a group in OCI, e.g. cluster_api_grp, and add the user cluster_api_usr to this group
- Create a policy in OCI and add the following policies:

    Allow group cluster_api_grp to manage virtual-network-family in <compartment>
    Allow group cluster_api_grp to manage load-balancers in <compartment>
    Allow group cluster_api_grp to manage instance-family in <compartment>

  where <compartment> is the name of the OCI compartment of the workload cluster. Your workload compartment may be different from the management compartment. Refer to the OCI documentation if you have not created a compartment yet.
If you are an administrator and you are experimenting with CAPOCI, you can skip creating the policies.
- Repeat the procedure as for the iaas_oke_usr above to obtain the IAM details.
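The user, group and policy steps above as OCI CLI calls, in an added example that is not part of the CAPOCI documentation. The policy name cluster_api_policy and the description strings are assumptions, and <compartment> is written out as OCI's "compartment <name>" location clause so the three grants stay scoped to the workload compartment.

```shell
#!/bin/sh
# Added example: create the provisioning principal for self-provisioned clusters.
# cluster_api_usr / cluster_api_grp come from the steps above; the policy name
# and descriptions are assumptions made for this sketch.

# Reject empty names and names that could break out of the JSON policy document.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the three policy statements as a JSON array for --statements.
# $1 = group name, $2 = workload compartment name
policy_statements() {
  valid_name "$1" && valid_name "$2" || return 1
  printf '['
  sep=''
  for family in virtual-network-family load-balancers instance-family; do
    printf '%s"Allow group %s to manage %s in compartment %s"' \
      "$sep" "$1" "$family" "$2"
    sep=','
  done
  printf ']\n'
}

# $1 = workload compartment OCID (the policy is attached there), $2 = its name
provision() {
  stmts=$(policy_statements cluster_api_grp "$2") || return 1
  user_id=$(oci iam user create --name cluster_api_usr \
    --description "CAPOCI provisioning user" \
    --query 'data.id' --raw-output) || return 1
  group_id=$(oci iam group create --name cluster_api_grp \
    --description "CAPOCI provisioning group" \
    --query 'data.id' --raw-output) || return 1
  oci iam group add-user --user-id "$user_id" --group-id "$group_id" || return 1
  oci iam policy create --compartment-id "$1" --name cluster_api_policy \
    --description "CAPOCI workload cluster provisioning" \
    --statements "$stmts"
}

# Only touch the tenancy when explicitly asked: sh script.sh apply <ocid> <name>
if [ "${1:-}" = "apply" ]; then
  provision "${2:-}" "${3:-}"
fi
```

Calling policy_statements on its own prints the JSON array, which can be reviewed before anything is created in the tenancy.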