Migrating existing OCI Kubernetes to VCN-Native Cluster with Terraform

Your OCI Kubernetes cluster might show a small tooltip in the console stating "migration required". The reason, according to the Oracle documentation, is that "in earlier releases (before March 16, 2021), Container Engine for Kubernetes provisioned clusters with Kubernetes API endpoints that were not integrated into your own VCN."

Situation at Hand

While you could already specify custom VCNs, subnets and networking rules for the deployed resources such as the container engine and the node pools, the Kubernetes API endpoint itself was provisioned separately by OCI. This endpoint was publicly reachable and is what clients use to create resources inside Kubernetes (for example kubectl creating pods). By migrating the endpoint into your own VCN you gain control over it: you can configure and restrict access to it, for instance by provisioning it in a private subnet so that only clients connected through a VPN can reach it.

Migrating Kubernetes Cluster using Terraform

This can be done through the web console, but in this post I would like to show how to do it in (already existing) Terraform code. It is as simple as adding an endpoint_config block with the subnet_id to your cluster resource:

resource "oci_containerengine_cluster" "hungsblog_k8scluster" {
  compartment_id     = var.compartment_id
  kubernetes_version = var.cluster_kubernetes_version
  name               = var.cluster_name
  vcn_id             = var.vcn_id

  # https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/containerengine_cluster
  # Adding endpoint_config triggers the migration: the API endpoint is
  # placed in the specified subnet (public or private) of your own VCN.
  endpoint_config {
    subnet_id = var.subnet_id
  }
}

The migration takes about 15 minutes. After it completes you will notice that the cluster now has two API endpoints. The old endpoint managed by OCI is decommissioned after 30 days, but it keeps working during that period so you can switch your clients over gradually.

If you migrate to a private subnet

If you moved the endpoint into a private subnet, remember to define the appropriate security rules and attach them to that subnet, otherwise the clients in your private network will not be able to reach the API (see the OCI documentation on security lists).
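The following is an added example (not code from the original post) of what the private-subnet variant can look like end to end: a private subnet for the endpoint, a security list that only admits the Kubernetes API port from a VPN range and from the worker nodes, and the cluster resource pointing at that subnet with the public IP disabled. All variable names (var.vpn_cidr, var.worker_cidr, var.endpoint_subnet_cidr, var.private_route_table_id, var.oci_services_cidr_label) and the CIDR defaults are assumptions for illustration; replace them with the values of your own VCN.

```hcl
# Added example, not part of the original post. Assumed inputs:
#   var.compartment_id, var.vcn_id, var.cluster_name, var.cluster_kubernetes_version
#   var.vpn_cidr              - network of the VPN/bastion clients (constructed placeholder below)
#   var.worker_cidr           - CIDR of the worker node subnet
#   var.endpoint_subnet_cidr  - CIDR for the new private endpoint subnet
#   var.private_route_table_id - route table with a service gateway / NAT route
#   var.oci_services_cidr_label - service CIDR label of your region's Oracle Services Network

variable "vpn_cidr" {
  description = "Clients allowed to reach the Kubernetes API (assumed placeholder)"
  type        = string
  default     = "10.100.0.0/16" # constructed value, not from the original post
}

# Security list for the API endpoint subnet: least privilege, only port 6443
# from the VPN range, plus the ports the worker nodes need to talk to the control plane.
resource "oci_core_security_list" "k8s_api_endpoint" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "${var.cluster_name}-api-endpoint"

  # kubectl and other clients coming in through the VPN
  ingress_security_rules {
    protocol = "6" # TCP
    source   = var.vpn_cidr
    tcp_options {
      min = 6443
      max = 6443
    }
  }

  # Worker nodes register with the API server (6443) and the OKE control plane (12250)
  ingress_security_rules {
    protocol = "6"
    source   = var.worker_cidr
    tcp_options {
      min = 6443
      max = 6443
    }
  }
  ingress_security_rules {
    protocol = "6"
    source   = var.worker_cidr
    tcp_options {
      min = 12250
      max = 12250
    }
  }

  # Control plane reaching the worker nodes (e.g. kubelet) and Oracle services via the service gateway
  egress_security_rules {
    protocol    = "all"
    destination = var.worker_cidr
  }
  egress_security_rules {
    protocol         = "6"
    destination      = var.oci_services_cidr_label
    destination_type = "SERVICE_CIDR_BLOCK"
  }
}

# Private subnet: no public IPs can be assigned to VNICs in it.
resource "oci_core_subnet" "k8s_api_endpoint" {
  compartment_id             = var.compartment_id
  vcn_id                     = var.vcn_id
  cidr_block                 = var.endpoint_subnet_cidr
  display_name               = "${var.cluster_name}-api-endpoint"
  prohibit_public_ip_on_vnic = true
  route_table_id             = var.private_route_table_id
  security_list_ids          = [oci_core_security_list.k8s_api_endpoint.id]
}

resource "oci_containerengine_cluster" "k8scluster" {
  compartment_id     = var.compartment_id
  kubernetes_version = var.cluster_kubernetes_version
  name               = var.cluster_name
  vcn_id             = var.vcn_id

  endpoint_config {
    subnet_id            = oci_core_subnet.k8s_api_endpoint.id
    is_public_ip_enabled = false # endpoint gets a private IP only
  }
}

# Handy for building the kubeconfig: the private endpoint that VPN clients should use.
output "k8s_private_api_endpoint" {
  value = oci_containerengine_cluster.k8scluster.endpoints[0].private_endpoint
}
```

With is_public_ip_enabled set to false the endpoint is only reachable from inside the VCN or through whatever connects to it (VPN, FastConnect, a bastion). The outputs are useful to verify after the apply that the cluster really reports a private endpoint and that the legacy OCI-managed endpoint is the only public one left until it is decommissioned.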

hungsblog | Nguyen Hung Manh | Dresden