Access Modes
OKE clusters can be configured with two different access modes for the Kubernetes API. Choose the one that fits your security requirements:
| Access Mode | provision_bastion | endpoint_public_access | Use Case |
|---|---|---|---|
| Public Endpoint | false | true | Development/testing or when direct access is acceptable |
| Bastion Tunnel | true | false | Production clusters with strict network isolation |

| Feature | Bastion Tunnel | Public Endpoint |
|---|---|---|
| Network exposure | Private only (VCN) | Public internet (IP-restricted) |
| kubernetes_api_host | Required (tunnel URL) | Auto-detected from kubeconfig |
| SSH tunnel required | Yes | No |
| Terraform commands | Need -var="kubernetes_api_host=..." | No extra variables needed |
| Security | Higher (no public exposure) | Medium (IP allowlist via control_plane_allowed_cidrs) |
Important
The kubernetes_api_host variable should only be set when using bastion tunnel mode (provision_bastion=true). When using public endpoint mode (endpoint_public_access=true), do not set this variable; the Kubernetes and Helm providers will automatically discover the cluster's public endpoint from the OCI-generated kubeconfig.
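
The rules in the tables and the note above can be checked at plan time. The following is an added example, not part of the project's own Terraform code: the variable names come from this page, while their types, their defaults and the check block itself are assumptions. In a configuration that already declares these variables, keep only the `check` block.

```hcl
# Stand-in declarations so the example is self-contained (types and defaults assumed).
variable "provision_bastion" {
  type    = bool
  default = false
}

variable "endpoint_public_access" {
  type    = bool
  default = true
}

variable "kubernetes_api_host" {
  type    = string
  default = "" # assumed: empty string means "not set"
}

variable "control_plane_allowed_cidrs" {
  type    = list(string)
  default = []
}

# check blocks need Terraform 1.5 or later. A failed assertion is reported as a
# warning during plan/apply; it does not stop the run.
check "oke_access_mode" {
  # Assumption: the two rows of the access-mode table are the only valid combinations.
  assert {
    condition     = var.provision_bastion != var.endpoint_public_access
    error_message = "Select one access mode: bastion tunnel (provision_bastion=true, endpoint_public_access=false) or public endpoint (false, true)."
  }

  # kubernetes_api_host is required in bastion tunnel mode and must stay unset otherwise.
  assert {
    condition     = var.provision_bastion ? var.kubernetes_api_host != "" : var.kubernetes_api_host == ""
    error_message = "Set kubernetes_api_host only in bastion tunnel mode; in public endpoint mode the providers read the endpoint from the kubeconfig."
  }

  # A public endpoint is only IP-restricted if the allowlist is non-empty
  # and does not contain the match-everything range.
  assert {
    condition = !var.endpoint_public_access || (
      length(var.control_plane_allowed_cidrs) > 0 &&
      !contains(var.control_plane_allowed_cidrs, "0.0.0.0/0")
    )
    error_message = "Public endpoint mode needs control_plane_allowed_cidrs set to specific source ranges, not empty and not 0.0.0.0/0."
  }
}
```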