Container Engine for Kubernetes

Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) is a managed Kubernetes service that simplifies the operations of enterprise-grade Kubernetes at scale. It reduces the time, cost, and effort needed to manage the complexities of the Kubernetes infrastructure. Container Engine for Kubernetes lets you deploy Kubernetes clusters and ensure reliable operations for both the control plane and the worker nodes with automatic scaling, upgrades, and security patching. Additionally, OKE provides a fully serverless Kubernetes experience with virtual nodes.


OKE features

Operations

Serverless Kubernetes with virtual nodes

Virtual nodes provide a serverless Kubernetes experience to run containerized applications at scale without spending additional resources on managing, scaling, upgrading, and troubleshooting the infrastructure of your clusters.

Virtual nodes provide the abstraction of regular nodes to Kubernetes, delivering granular pod elasticity with per-pod pricing. You can scale your deployments without taking into consideration the cluster's capacity, simplifying the execution of scalable workloads, such as high-traffic web applications and data-processing jobs.

Managed nodes

Managed nodes are worker nodes created within a customer's tenancy and operated under a shared-responsibility model between OKE and the customer. Customers define the desired specifications for their worker node pools, and OKE streamlines the provisioning of those nodes. OKE automates and simplifies key ongoing operations for these worker nodes: on-demand cycling to update worker nodes, self-healing of worker nodes when a failure is detected, autoscaling, and more. Managed nodes suit customers who need worker node configurations or compute shapes that virtual nodes do not support.

Self-managed nodes

Self-managed nodes offer even more customization and control for running containerized workloads on OKE that require unique compute configurations or advanced setup across the stack that are not supported with managed nodes. Customers can leverage specialized infrastructure options, including RDMA-enabled bare metal HPC/GPU, confidential computing, or other specialized use cases. Customers still benefit from a managed control plane, but must manage the worker nodes themselves, including Kubernetes upgrades and OS patching.

Automatic Kubernetes upgrades

Trigger an upgrade of your Kubernetes version with one click. Virtual nodes automatically deliver seamless, on-the-fly updates and security patches of your worker nodes and underlying infrastructure, while respecting the availability of your applications.

Highly available Kubernetes with autoscaling

Increase the availability of applications using clusters that span multiple availability domains (data centers) in any commercial region or in Oracle Cloud Infrastructure (OCI) Dedicated Region. Scale pods horizontally and vertically and scale clusters too.

On-demand node cycling

On-demand node cycling streamlines the task of updating managed worker nodes in OKE clusters, eliminating the need for time-consuming manual rotation of nodes or the development of custom solutions. It makes updating Kubernetes and host OS versions significantly easier and more efficient. You can also modify node pool properties, including SSH keys, boot volume size, custom cloud-init scripts, and more, and have the change rolled out by cycling the nodes.

Add-ons lifecycle management

You can easily expand and control the functionality of your Kubernetes cluster with a curated collection of configurable add-on software that is fully managed by OCI. This includes a growing portfolio of operational software deployed on your cluster as well as related apps and operators, including CNI, CoreDNS, Kubernetes Dashboard, Oracle Database Operator, WebLogic Operator, and more.

OKE manages the lifecycle for the add-on software—from the initial deployment and configuration through ongoing operations, such as upgrades, patching, scaling, rolling configuration changes, and more.

Users can select add-ons and customize configurations during the cluster creation, including disabling specific add-ons, specifying the add-on version, and opting out of automatic updates or of certain OCI-provided add-ons to use their own software.

Cluster observability

Monitor and secure these applications with tools from Oracle Cloud Infrastructure, Datadog, Aqua Security, and other partners.

Self-healing cluster nodes

When it detects node failures, Container Engine for Kubernetes automatically provisions new worker nodes to maintain cluster availability.

Safe node delete

Safely delete your worker nodes without disrupting your applications with automated cordon and drain options.

Financially backed SLA

The service level agreement (SLA) included with OKE clusters provides financial support for the uptime and availability of the OKE control plane and worker nodes. The coverage for the worker nodes is equivalent to what the OCI Compute SLA provides.

Container Marketplace

Within the OCI ecosystem, you can access Container Marketplace which introduces a wide range of prepackaged containerized solutions finely tuned for optimal performance on the OKE infrastructure. Effortlessly discover, deploy, and manage containerized applications and services, all seamlessly integrated into the OCI environment.

Made for developers

One-click cluster creation

Deploy Kubernetes clusters, including the underlying virtual cloud networks, internet gateways, and NAT gateways, with a single click.

Complete REST API and command line interface (CLI) support

Automate Kubernetes operations with a REST API and a CLI that cover all actions, including Kubernetes cluster creation, scaling, and day-to-day operations.

A comprehensive range of compute options

Optimize cost and performance by choosing the most appropriate compute shapes from a wide range of bare metal, high-performance computing (HPC), and virtual machine options. Manage GPU and Arm-based applications in a Kubernetes environment with OKE. Support multiarchitecture images with Oracle Container Image Registry.

Tight integration with other OCI services

Container Engine for Kubernetes integrates with Oracle Cloud Infrastructure (OCI) services, including OCI Container Registry, DevOps CI/CD, networking, storage, and more. With the OCI Service Operator for Kubernetes, you can manage your OCI services directly from your OKE cluster.

With OCI Service Operator for Kubernetes, you can effortlessly create, manage, and establish connections with OCI resources, such as Autonomous Database and MySQL Database, using the Kubernetes API and tooling. Once you have installed OCI Service Operator for Kubernetes, you can perform actions on OCI resources through the Kubernetes API, eliminating the need for the OCI Console, CLI, or other developer tools.

Built on open source, works with your DevOps toolchain

Container Engine for Kubernetes is built on open standards and is fully conformant with upstream open source Kubernetes. This lets you use ecosystem solutions and integrate easily with your development tools, such as Argo CD, GitLab, Jenkins, and others.


Security

Coming soon: Kubernetes governance with Oracle Cloud Guard

Oracle Cloud Guard offers out-of-the-box Kubernetes governance, delivering automated security and adherence to Kubernetes best practices when deploying resources on OKE. This is accomplished by automatically identifying configuration issues using policies curated by Cloud Guard, enabling you to effortlessly secure and maintain compliance on your OKE clusters.

Encryption

Encrypt Kubernetes secrets at rest using the Key Management service.

Oracle always encrypts block volumes, boot volumes, and volume backups at rest using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption. You can also manage the lifecycle of your own encryption keys using Oracle Cloud Infrastructure Vault.

Compliance

OCI Container Engine for Kubernetes complies with regulatory frameworks, such as HIPAA, PCI, and SOC 2.

Private Kubernetes clusters and Bastion

With private clusters, you can restrict access to the Kubernetes API endpoint to your on-premises network or a Bastion host, improving your security posture. To easily access fully private clusters, you can now use Oracle Cloud Infrastructure (OCI) Bastion.

Strong isolation at the pod level

Virtual nodes provide strong isolation to each Kubernetes pod. Pods do not share any underlying kernel, memory, or CPU resources. This pod-level isolation enables you to run untrusted workloads, multitenant applications, and sensitive data.

Network security groups for your Kubernetes clusters

Container Engine for Kubernetes supports network security groups (NSGs) for all cluster components. An NSG consists of a set of ingress and egress security rules that apply to virtual network interface cards (VNICs) in your virtual cloud network (VCN). With NSGs, you can separate your virtual cloud network architecture from the security requirements of your cluster components.

Authentication and authorization

Control access and permissions using native OCI Identity and Access Management (IAM), Oracle Identity Cloud Service, and Kubernetes role-based access control. You can also configure OCI IAM multifactor authentication.

Workload Identity enables you to establish secure authentication at the pod level for OCI APIs and services. By applying the principle of least privilege to your workloads, you ensure that each workload can access only the resources it needs. This strengthens your security posture by reducing the potential impact of a security breach or unauthorized access.
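The Kubernetes RBAC side of least privilege mentioned above is easiest to see in a manifest. The following is an added illustration, not Oracle's documentation or OKE-specific configuration: it contrasts an over-broad binding that grants a workload's ServiceAccount cluster-admin with a namespace-scoped Role that grants only the reads the workload actually performs. All names (`orders`, `orders-api`, `orders-db-credentials`) are placeholders. The OCI IAM policy that Workload Identity pairs with this is configured on the OCI side and is not shown here.

```yaml
# Added example, not from the OKE product page. Names are placeholders.
---
# Over-broad: the workload's ServiceAccount becomes cluster-admin across
# the whole cluster. A compromised pod would inherit all of that.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: orders-api-admin        # anti-pattern, shown for contrast
subjects:
- kind: ServiceAccount
  name: orders-api
  namespace: orders
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Least privilege: read ConfigMaps in its own namespace and fetch exactly
# one named Secret. No write verbs, no cluster-wide scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-api-reader
  namespace: orders
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["orders-db-credentials"]   # only this Secret, only "get"
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-api-reader
  namespace: orders
subjects:
- kind: ServiceAccount
  name: orders-api
  namespace: orders
roleRef:
  kind: Role
  name: orders-api-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying the Role and RoleBinding (and deleting the ClusterRoleBinding), verify the effective permissions with `kubectl auth can-i --list --as=system:serviceaccount:orders:orders-api -n orders`; a check such as `kubectl auth can-i delete pods --as=system:serviceaccount:orders:orders-api -n orders` should answer `no`. Reviewing `--list` output for each ServiceAccount is a quick way to catch bindings that have drifted back toward cluster-admin.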

Container image scanning, signing, and verification

OKE supports container image scanning, signing, and verification. Scanning helps ensure that your application images are free of serious known vulnerabilities, and enforcing image signing preserves the integrity of container images by allowing only verified images to be deployed.

Audit the Kubernetes activity

All Kubernetes audit events are made available in the OCI Audit service.

Flexibility and performance

Build apps that work across on-premises and other clouds

Container Engine for Kubernetes uses unmodified open source Kubernetes that complies with the Cloud Native Computing Foundation (CNCF) and Open Container Initiative (OCI) standards for application portability.

Flexibility to use any tool for cluster management

Bring your own tools, or take advantage of Oracle's partners for security, federation, observability, and build automation.

End-to-end container lifecycle management

Manage containers’ lifecycle from start to finish. Build and test images with OCI DevOps, deploy from Container Registry, integrate with Autonomous Database, and more.

Better price-performance than other providers

Compared to AWS, Oracle Cloud provides more than 3X better compute price-performance and 20X the IOPS for half the price.

DevOps automation

Highly available Kubernetes with autoscaling

Increase the availability of applications using clusters that span multiple availability domains (data centers) in any commercial region or in Oracle Dedicated Region Cloud@Customer. Scale pods horizontally and vertically, and scale clusters too.

Streamline development and operations of Kubernetes clusters

Automate deployment of cloud native applications with Oracle Visual Builder Studio or any third-party tool. Monitor and secure these applications with tools from Oracle Cloud Infrastructure, Datadog, Aqua Security, and other partners.

Automatic Kubernetes upgrades

Easily and quickly upgrade container clusters, with zero downtime, to keep them up to date with the latest stable version of Kubernetes.

Easy administration of worker nodes

Use the well-known, Docker-based container runtime for worker nodes, with full access via Secure Shell (SSH).


Elastic Kubernetes service for portability and flexibility

Flexibility to use any tool for cluster management

Bring your own tools, OCI cloud services, or take advantage of Oracle's partners for security, federation, observability, and build automation.

End-to-end container lifecycle management

Manage container lifecycles from start to finish. Build and test images with Visual Builder Studio, deploy from Registry, and integrate with Autonomous Database.


Kubernetes security and performance

Tight integration with infrastructure, Autonomous Database, and Oracle WebLogic Server

Container Engine for Kubernetes easily integrates with Oracle Cloud Infrastructure services, Autonomous Database using the Service Broker, and WebLogic Server using the WebLogic Operator.

Encryption and compliance

Encrypt Kubernetes secrets at rest using the Key Management service, and stay in compliance with HIPAA, PCI, and SOC 2.

Private Kubernetes clusters and security

Use private Kubernetes clusters. Control access and permissions using native Identity and Access Management, Identity Cloud Service, and Kubernetes role-based access control (RBAC).

“With OKE, we're able to quickly expand agentless scanning of workloads on OCI, which allows us to focus on delivering value rather than on infrastructure management. This focus has allowed us to grow exponentially in a short period of time, becoming one of the fastest-growing software companies ever.”

Oron Noah
Wiz, Director of Product Management

“We run billions of voice AI queries on OCI, using a mix of Kubernetes infrastructure with OKE, GPUs, HPC, and other services. We've seen a 50-60% performance boost compared to our previous cloud, along with 2x cost reduction – all while doubling our usage.”

Get started with Container Engine for Kubernetes

  • Deploy a simple containerized app using OKE managed nodes

    Deploy simple microservices that are packaged as Docker containers and communicate via a common API.


  • Deploy a cluster with virtual nodes

    OKE virtual nodes provide the easiest way to run your apps on Kubernetes—freeing yourself from the complexities of infrastructure management with a complete, serverless Kubernetes experience. Discover the best practices for effectively using OKE virtual nodes and simplify the deployment of an OKE cluster with a virtual node pool using the provided Terraform automation and reference architecture.


  • Patterns for optimizing your Kubernetes resources

    Discover how Tryg Insurance reduces their Kubernetes cloud costs by 50% by implementing dynamic right-sizing of Kubernetes for their large-scale environment.


March 20, 2023

Kubernetes at scale just got a lot easier with new Container Engine for Kubernetes enhancements

Mickey Boxell, Principal Product Manager, Oracle

Less than a decade old, Kubernetes has gone mainstream, seeing unprecedented growth in adoption, particularly in the last couple of years. Increasingly, customers are standardizing on Kubernetes and using Kubernetes for ETL jobs, pipelines, HPC workloads, and even databases—all running on Oracle Container Engine for Kubernetes (OKE).

Read the complete post

Kubernetes resources

Related Kubernetes products

Registry

Secure, standards-based service for working with container images

Functions

Serverless platform driven by events and APIs

DevOps CI/CD

Automate application delivery across build, test, and deployments

Resource Manager

Terraform-based cloud infrastructure automation

Get started with Oracle Container Engine for Kubernetes


Oracle Cloud Free Tier

Get 30 days of access to CI/CD tools, managed Terraform, telemetry, and more.


Architecture Center

Explore deployable reference architectures and solutions playbooks.


Oracle Cloud Native services

Empower app development with Kubernetes, Docker, serverless, APIs, and more.

