Configure policies for a self-provisioned cluster

Although some policies required for Oracle Container Engine for Kubernetes (OKE) and self-provisioned clusters may overlap, we recommend you create another user and group for the principal that will be provisioning the self-provisioned clusters.

  1. Create a user in OCI e.g. cluster_api_usr
  2. Create a group in OCI e.g. cluster_api_grp and add the user cluster_api_usr to this group
  3. Create a policy in OCI and add the following policies:
    • Allow group cluster_api_grp to manage virtual-network-family in <compartment>
    • Allow group cluster_api_grp to manage load-balancers in <compartment>
    • Allow group cluster_api_grp to manage instance-family in <compartment>

where <compartment> is the name of the OCI compartment of the workload cluster. Your workload compartment may be different from the management compartment. Refer to the OCI documentation if you have not created a compartment yet.


If you are an administrator and you are experimenting with CAPOCI, you can skip creating the policies.

  1. Repeat the procedure as for the iaas_oke_usr above to obtain the IAM details.


You should not create your workload cluster in the root compartment.