What is OKE?
Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) is a fully managed, scalable, and highly available service for deploying containerized applications to the cloud. It handles the hard parts of running Kubernetes — so your team can focus on building applications, not managing infrastructure.
How OKE is Structured
┌─────────────────────────────────────────────────────────┐
│                    YOUR OCI TENANCY                     │
│                                                         │
│ ┌─────────────────────────┐     ┌─────────────────────┐ │
│ │      CONTROL PLANE      │     │     DATA PLANE      │ │
│ │   (Managed by Oracle)   │     │  (Managed by You)   │ │
│ │                         │     │                     │ │
│ │ • etcd                  │     │ • Worker Node 1     │ │
│ │ • API Server            │     │ • Worker Node 2     │ │
│ │ • Controller Manager    │     │ • Worker Node 3     │ │
│ │ • K8s Dashboard         │     │                     │ │
│ │ • Self-healing          │     │ (Your compute       │ │
│ │                         │     │  shapes & sizes)    │ │
│ └─────────────────────────┘     └─────────────────────┘ │
│                                                         │
│           Spread across Availability Domains            │
└─────────────────────────────────────────────────────────┘
Oracle manages all master/control plane nodes for reliability. You control worker nodes using whatever compute shapes fit your workload.
Two Cluster Types
┌───────────────────────────┬───────────────────────────────┐
│ BASIC CLUSTER             │ ENHANCED CLUSTER              │
├───────────────────────────┼───────────────────────────────┤
│ ✓ Core Kubernetes         │ ✓ Everything in Basic, plus:  │
│ ✓ Managed nodes           │ ✓ Virtual nodes               │
│ ✓ Service Level Objective │ ✓ Fine-grained add-on mgmt    │
│                           │ ✓ Workload identity (IAM)     │
│ ✗ Virtual nodes           │ ✓ More worker nodes           │
│ ✗ Add-on management       │ ✓ Financially backed SLA      │
│ ✗ Workload identity       │                               │
│ ✗ Financially backed SLA  │                               │
└───────────────────────────┴───────────────────────────────┘
Key rules to remember:
- Console default → Enhanced cluster
- CLI/API default → Basic cluster
- You can upgrade Basic → Enhanced anytime
- You cannot downgrade Enhanced → Basic
Node Types: Managed vs Virtual
MANAGED NODES                      VIRTUAL NODES
─────────────────                  ─────────────────────────
You provision &                    Oracle manages all
manage the VMs                     infrastructure for you

Good for:                          Good for:
• Custom OS config                 • Large clusters
• Specific hardware needs          • Frequent scaling
• Full node control                • Minimal ops overhead
Virtual nodes (Enhanced only) remove the burden of manually scaling, upgrading, and troubleshooting worker nodes entirely.
How Applications Run Inside OKE
          Your App Code
                │
                ▼
┌──────────┐   grouped into    ┌──────────────────┐
│Container │ ─────────────────▶ │       Pod        │
└──────────┘                    │  (logical unit)  │
┌──────────┐                    └────────┬─────────┘
│Container │ ─────────────────▶          │
└──────────┘                             │ scheduled onto
                                         ▼
                                  ┌─────────────┐
                                  │ Worker Node │
                                  └─────────────┘
Kubernetes groups containers into pods — the smallest deployable unit. OKE handles scheduling, scaling, and self-healing of these pods across your worker nodes.
Enhanced Cluster: Key Features Explained
1. Virtual Nodes Removes infrastructure management entirely. No manual scaling or OS patching — just deploy your workloads.
2. Add-on Management Full control over cluster add-ons:
Essential add-ons          Optional add-ons
────────────────           ────────────────
• CoreDNS                  • Kubernetes Dashboard
• kube-proxy               • (growing portfolio)
Control: version selection, auto-update opt-in/out, custom config
3. Workload Identity
              Pod (your app)
                    │
                    │ makes API call
                    ▼
OCI IAM Policy ──▶ scoped to K8s Service Account
                    │
                    ▼
OCI Resource (Object Storage, DB, etc.)
                    +
OCI Audit logs every call automatically
Applications inside pods can access OCI resources directly, with IAM policies scoped tightly to specific service accounts.
4. Financially Backed SLA Enhanced clusters tie Kubernetes API server uptime to a real SLA with monetary compensation — not just a best-effort guarantee.
Ways to Access & Manage OKE
CREATE clusters via:         MANAGE clusters via:
───────────────────          ───────────────────
• OCI Console                • kubectl (CLI)
• REST API                   • Kubernetes Dashboard
                             • Kubernetes API
What OKE Integrates With
                   ┌────────┐
                   │  OKE   │
                   └───┬────┘
         ┌─────────────┼─────────────┐
         │             │             │
         ▼             ▼             ▼
    Container        CI/CD       Networking
    Registries     Frameworks    & Storage
         │             │             │
         └─────────────┼─────────────┘
                       │
                       ▼
               OCI IAM & Security
OKE is designed to plug into your entire cloud-native toolchain — not operate in isolation.
Why OKE?
| Need | How OKE helps |
|---|---|
| Fast container deployment | Managed control plane, ready to go |
| Security & access control | IAM, workload identity, audit logs |
| Compliance | ISO/IEC 27001, 27017, 27018 certified |
| Kubernetes conformance | CNCF-certified K8s versions |
| Ops simplicity | Oracle manages master nodes & self-healing |
| Flexibility | You choose node types, shapes, and cluster tier |
Summary
OKE gives you a production-grade Kubernetes environment without the operational overhead of managing control plane infrastructure. Choose Basic for straightforward workloads with core Kubernetes, or Enhanced when you need virtual nodes, tighter security via workload identity, granular add-on control, and a financially backed SLA. Either way, Oracle handles the hard infrastructure — you stay focused on shipping applications.
keep these diagrams but add text to explain that also
11:33 pm
Oracle Container Engine for Kubernetes (OKE): A Deep Dive
Oracle Cloud Infrastructure Container Engine for Kubernetes — OKE for short — is a fully managed, scalable, and highly available service for deploying containerized applications to the cloud. Rather than spending engineering time standing up and maintaining Kubernetes clusters yourself, OKE handles the complex infrastructure underneath, letting your team focus on building and shipping applications.
At its core, OKE runs on Kubernetes, the open-source system from the Cloud Native Computing Foundation (CNCF) that has become the industry standard for container orchestration. All Kubernetes versions used by OKE are CNCF-certified conformant, and the service is ISO/IEC 27001, 27017, and 27018 compliant — giving you a strong security and compliance baseline out of the box.
How OKE is Structured
The most important thing to understand about OKE is the division of responsibility between Oracle and you.
┌─────────────────────────────────────────────────────────┐
│                    YOUR OCI TENANCY                     │
│                                                         │
│ ┌─────────────────────────┐     ┌─────────────────────┐ │
│ │      CONTROL PLANE      │     │     DATA PLANE      │ │
│ │   (Managed by Oracle)   │     │  (Managed by You)   │ │
│ │                         │     │                     │ │
│ │ • etcd                  │     │ • Worker Node 1     │ │
│ │ • API Server            │     │ • Worker Node 2     │ │
│ │ • Controller Manager    │     │ • Worker Node 3     │ │
│ │ • K8s Dashboard         │     │                     │ │
│ │ • Self-healing          │     │ (Your compute       │ │
│ │                         │     │  shapes & sizes)    │ │
│ └─────────────────────────┘     └─────────────────────┘ │
│                                                         │
│           Spread across Availability Domains            │
└─────────────────────────────────────────────────────────┘
Oracle fully manages the control plane — the brain of any Kubernetes cluster. This includes etcd (the distributed key-value store that holds all cluster state), the API server (the gateway for all cluster operations), and the controller manager (which keeps the cluster in its desired state). Multiple copies of these components are distributed across availability domains to ensure resilience. Oracle also handles self-healing, so if a control plane component goes down, it’s automatically recovered without any action on your part.
Your responsibility is the data plane — the worker nodes where your application containers actually run. You choose the compute shapes, sizes, and number of nodes, giving you flexibility to match node capacity to your workload’s needs.
Two Cluster Types
Not every workload needs the same level of capability. OKE offers two cluster tiers to match different requirements and budgets.
┌───────────────────────────┬───────────────────────────────┐
│ BASIC CLUSTER             │ ENHANCED CLUSTER              │
├───────────────────────────┼───────────────────────────────┤
│ ✓ Core Kubernetes         │ ✓ Everything in Basic, plus:  │
│ ✓ Managed nodes           │ ✓ Virtual nodes               │
│ ✓ Service Level Objective │ ✓ Fine-grained add-on mgmt    │
│                           │ ✓ Workload identity (IAM)     │
│ ✗ Virtual nodes           │ ✓ More worker nodes           │
│ ✗ Add-on management       │ ✓ Financially backed SLA      │
│ ✗ Workload identity       │                               │
│ ✗ Financially backed SLA  │                               │
└───────────────────────────┴───────────────────────────────┘
Basic clusters provide all core Kubernetes functionality and are a solid choice for teams getting started or running workloads that don’t require advanced features. They come with a service-level objective — Oracle targets a specific availability level — but there is no monetary compensation if it isn’t met.
Enhanced clusters unlock every feature OKE offers, including virtual nodes, advanced add-on management, workload identity, and a financially backed SLA with compensation if uptime falls below the stated threshold.
One practical detail worth noting: when creating a cluster through the console, the default is Enhanced. When using the CLI or API, the default is Basic. You can upgrade a Basic cluster to Enhanced at any time, but the reverse is not possible — you cannot downgrade an Enhanced cluster to Basic.
Node Types: Managed vs Virtual
MANAGED NODES                      VIRTUAL NODES
─────────────────                  ─────────────────────────
You provision &                    Oracle manages all
manage the VMs                     infrastructure for you

Good for:                          Good for:
• Custom OS config                 • Large clusters
• Specific hardware needs          • Frequent scaling
• Full node control                • Minimal ops overhead
With managed nodes, you provision and control the underlying virtual machines. This is the right choice when you need specific compute shapes, custom OS configurations, or direct access to node-level settings.
Virtual nodes (available on Enhanced clusters only) go a step further in abstracting infrastructure away. Oracle handles all provisioning, scaling, and maintenance of the underlying compute — you never touch a node directly. This is particularly powerful for large clusters that need to scale frequently, or for teams that want to eliminate infrastructure toil entirely and focus purely on application delivery.
How Applications Run Inside OKE
          Your App Code
                │
                ▼
┌──────────┐   grouped into    ┌──────────────────┐
│Container │ ─────────────────▶ │       Pod        │
└──────────┘                    │  (logical unit)  │
┌──────────┐                    └────────┬─────────┘
│Container │ ─────────────────▶          │
└──────────┘                             │ scheduled onto
                                         ▼
                                  ┌─────────────┐
                                  │ Worker Node │
                                  └─────────────┘
Kubernetes — and by extension OKE — organizes containers into pods. A pod is the smallest deployable unit in Kubernetes and typically wraps one or more tightly related containers that share networking and storage. Pods are what Kubernetes schedules, scales, and monitors, rather than individual containers directly.
When you deploy an application, Kubernetes places its pods onto worker nodes based on the available resources, policies, and constraints you define. If a pod or node fails, Kubernetes automatically reschedules affected pods elsewhere — this is the self-healing behavior that makes container orchestration so powerful in production.
Enhanced Cluster: Key Features Explained
Add-on Management
Essential add-ons          Optional add-ons
────────────────           ────────────────
• CoreDNS                  • Kubernetes Dashboard
• kube-proxy               • (growing portfolio)
Control: version selection, auto-update opt-in/out, custom config
Every Kubernetes cluster depends on a set of essential add-ons — CoreDNS for cluster DNS resolution, kube-proxy for network routing — and optionally a growing list of extras like the Kubernetes Dashboard. With a Basic cluster, managing these is largely your responsibility. Enhanced clusters let you manage add-ons directly through OKE, including choosing specific versions, opting in or out of automatic Oracle-managed updates, and applying per-add-on configuration. Oracle handles the lifecycle so you don’t have to deploy or patch them manually.
Workload Identity
              Pod (your app)
                    │
                    │ makes API call
                    ▼
OCI IAM Policy ──▶ scoped to K8s Service Account
                    │
                    ▼
OCI Resource (Object Storage, DB, etc.)
                    +
OCI Audit logs every call automatically
Workload identity solves a common and important security problem: how do applications running inside Kubernetes pods authenticate to OCI services like Object Storage or databases? The traditional approach involves distributing credentials or API keys — which is difficult to manage and creates security risk.
With workload identity on Enhanced clusters, you write IAM policies that are scoped to a specific Kubernetes service account. Any pod running under that service account automatically inherits the permissions defined in the policy — no credentials to distribute or rotate. OCI Audit logs every API call made by those workloads, giving you a complete audit trail of what your applications accessed and when.
Financially Backed SLA
Basic clusters come with a best-effort service level objective. Enhanced clusters elevate this to a financially backed SLA tied specifically to Kubernetes API server uptime. If availability drops below the committed threshold, you receive compensation. For production workloads where downtime has real business impact, this provides meaningful assurance beyond a verbal guarantee.
Ways to Access & Manage OKE
CREATE clusters via:         MANAGE clusters via:
───────────────────          ───────────────────
• OCI Console                • kubectl (CLI)
• REST API                   • Kubernetes Dashboard
                             • Kubernetes API
You create clusters through either the OCI Console (a browser-based UI) or the REST API (for scripted, automated provisioning). Once a cluster is running, day-to-day management uses standard Kubernetes tooling — kubectl for command-line operations, the Kubernetes Dashboard for a visual interface, or direct calls to the Kubernetes API for programmatic control. Because OKE uses CNCF-conformant Kubernetes, any standard Kubernetes tooling works without modification.
What OKE Integrates With
                   ┌────────┐
                   │  OKE   │
                   └───┬────┘
         ┌─────────────┼─────────────┐
         │             │             │
         ▼             ▼             ▼
    Container        CI/CD       Networking
    Registries     Frameworks    & Storage
         │             │             │
         └─────────────┼─────────────┘
                       │
                       ▼
               OCI IAM & Security
OKE is designed to fit into a complete cloud-native toolchain rather than operate in isolation. It integrates with container registries for image storage and distribution, CI/CD frameworks for automated build and deploy pipelines, OCI networking and storage primitives, and OCI IAM for access control across both cluster management and workload identity. This means OKE can slot into an existing DevOps workflow without requiring you to rebuild your tooling around it.
Why OKE?
| Need | How OKE helps |
|---|---|
| Fast container deployment | Managed control plane, ready to go |
| Security & access control | IAM, workload identity, audit logs |
| Compliance | ISO/IEC 27001, 27017, 27018 certified |
| Kubernetes conformance | CNCF-certified K8s versions |
| Ops simplicity | Oracle manages master nodes & self-healing |
| Flexibility | You choose node types, shapes, and cluster tier |
Summary
OKE gives you a production-grade Kubernetes environment without the operational burden of managing control plane infrastructure. Oracle handles the hard parts — master nodes, self-healing, availability — while you retain full control over your worker nodes, workloads, and application architecture.
For most teams, the decision comes down to cluster tier. Choose Basic for straightforward workloads where core Kubernetes is sufficient. Choose Enhanced when you need virtual nodes to eliminate infrastructure ops, workload identity for secure application-to-OCI-service authentication, fine-grained add-on management, or the assurance of a financially backed SLA. Either way, the underlying Kubernetes is standard, conformant, and compatible with the tools your team already uses.
