Summary
OCI Cloud Controller Manager should stop using automatic OCI security-list management as the implicit default for OKE/Kubernetes Service type=LoadBalancer.
For both OCI Load Balancer and OCI Network Load Balancer paths, the default security-list management behavior should be None, meaning CCM should not mutate OCI security lists unless the user explicitly opts in.
Today, users must know and remember annotations such as:
service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: "None"
and, for NLB:
oci-network-load-balancer.oraclecloud.com/security-list-management-mode: "None"
This makes safe behavior something users must opt into, rather than the default.
Problem
Security lists are subnet-scoped network perimeter controls, not resources local to a single Kubernetes Service. When CCM automatically manages security lists, a Kubernetes Service manifest can indirectly mutate OCI network ingress rules.
For classic OCI Load Balancer, the documented default security-list management mode is All. This can result in broad ingress rules being added unless users explicitly set the annotation to None.
This is risky because every application team, Helm chart, Terraform module, and platform owner must remember the annotation. A single missed annotation can unintentionally widen network exposure, including public ingress such as 0.0.0.0/0.
Request
Please change OCI CCM so automatic security-list management is opt-in, not opt-out.
Desired default:
security-list-management-mode = None
for all OCI load balancer types provisioned through CCM, including:
- OCI Load Balancer
- OCI Network Load Balancer
Legacy behavior should remain available only when explicitly configured, for example:
service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: "All"
or
oci-network-load-balancer.oraclecloud.com/security-list-management-mode: "All"
Compatibility / migration options
If changing the default immediately is too disruptive, please consider one of these migration paths:
1. Change the default to None only for new clusters or future CCM versions.
2. Add a cluster-level CCM configuration option to set the default security-list management mode.
3. Allow administrators to set default-security-list-management-mode = None once at the cluster level, without requiring every Service manifest to repeat the annotation.
4. Keep per-Service annotations as explicit overrides.
5. Deprecate implicit All behavior over time with warnings and release notes.
Desired behavior
- CCM does not mutate OCI security lists by default.
- Users who want CCM-managed security-list rules must explicitly opt in.
- Missing annotations should not result in All.
- Invalid annotations should fail closed or warn clearly, rather than silently falling back to a permissive default.
- Documentation should recommend NSGs or explicitly managed security rules as the secure default path.
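As an added example (not part of this issue or of the OCI CCM project), the following audit lets a platform team catch, in today's clusters, the two failure modes described above: a Service of type LoadBalancer with no security-list annotation at all (so the permissive default applies) and one with a value the CCM does not document (which should fail closed rather than silently fall back). It assumes the two annotation keys quoted in this issue and that `Frontend` is an additional documented CCM mode; the Service objects are constructed inline in the shape of `kubectl get svc -A -o json` output.

```python
"""Audit Kubernetes Services for explicit OCI CCM security-list management mode."""
import json

# Annotation keys as quoted in the issue (LB and NLB paths).
LB_ANNOTATION = "service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode"
NLB_ANNOTATION = "oci-network-load-balancer.oraclecloud.com/security-list-management-mode"
# Modes the CCM documents; "Frontend" is assumed here, the issue only names All and None.
# Anything outside this set is treated as invalid so the audit fails closed.
VALID_MODES = {"All", "Frontend", "None"}


def audit_service(svc):
    """Return None if the Service is safe, otherwise a one-line finding."""
    if svc.get("spec", {}).get("type") != "LoadBalancer":
        return None  # only LoadBalancer Services make CCM touch security lists
    meta = svc.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    annotations = meta.get("annotations") or {}
    present = {k: annotations[k] for k in (LB_ANNOTATION, NLB_ANNOTATION) if k in annotations}
    if not present:
        return f"{name}: no security-list annotation; CCM default applies (All for OCI LB)"
    for key, value in present.items():
        if value not in VALID_MODES:
            return f"{name}: invalid value {value!r} for {key}; CCM may fall back to a permissive default"
        if value != "None":
            return f"{name}: explicit permissive mode {value!r} for {key}; CCM will mutate subnet security lists"
    return None


def audit(service_list):
    """Run audit_service over a ServiceList document and return all findings."""
    return [f for f in (audit_service(s) for s in service_list.get("items", [])) if f]


def _svc(name, svc_type, annotations=None):
    """Build a minimal Service object shaped like `kubectl get svc -o json` output."""
    return {"metadata": {"name": name, "namespace": "apps", "annotations": annotations or {}},
            "spec": {"type": svc_type}}


# Constructed sample inventory (not taken from any real cluster).
SAMPLE = {"items": [
    _svc("internal-api", "ClusterIP"),                              # not a LoadBalancer: skipped
    _svc("web", "LoadBalancer"),                                    # missing annotation: permissive default
    _svc("web-safe", "LoadBalancer", {LB_ANNOTATION: "None"}),      # explicit None: safe
    _svc("ingress-nlb", "LoadBalancer", {NLB_ANNOTATION: "none"}),  # not a documented value: invalid
    _svc("legacy", "LoadBalancer", {LB_ANNOTATION: "All"}),         # explicit opt-in to mutation
]}

if __name__ == "__main__":
    for finding in audit(json.loads(json.dumps(SAMPLE))):
        print(finding)
```

Pipe real `kubectl get svc -A -o json` output through `json.load` and call `audit` on it to get the same findings for a live cluster.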
Why this matters
The current default makes network exposure dependent on every workload author remembering an annotation. For platform teams and OCI customers, the safer model is that shared network perimeter controls are not changed automatically unless explicitly requested.
Secure default should be:
Do not manage security lists unless explicitly configured to do so.