OCI Bastion Service (module.oci-bastion)

Purpose: Optional. Deploys the OCI Bastion Service to provide secure SSH tunnel access to the OKE cluster when the Kubernetes API endpoint is private (not exposed to the internet).

This module is only needed when provision_bastion = true. When the OKE cluster uses a public API endpoint (endpoint_public_access = true), the bastion is not required and should not be deployed.

Deployed on: Any workspace where provision_bastion = true.

Key resources created:

| Resource | Purpose |
| --- | --- |
| oci_bastion_bastion | OCI-managed Bastion Service (STANDARD type) |
| Dedicated bastion subnet (/24) | Public subnet for the bastion service (created by module.oci-core) |
| Bastion NSG + security rules | Egress rules allowing SSH and traffic to worker nodes and the K8s API endpoint |
| Worker/API NSG ingress rules | Ingress rules allowing traffic from the bastion NSG into worker and API subnets |
| Enhanced route table | VCN routing from the bastion subnet to all worker node subnets |

How it works:

The OCI Bastion Service is a fully managed service, meaning that there is no jump host to maintain. Access is session-based: the operator creates a PORT_FORWARDING session via the OCI CLI, then establishes a local SSH tunnel through the bastion to reach the private Kubernetes API endpoint. Sessions have a configurable TTL (default 3 hours, range 30 minutes to 3 hours).

Configuration (tfvars):

| Variable | Default | Description |
| --- | --- | --- |
| provision_bastion | true | Deploy the bastion service and supporting network resources |
| bastion_client_allow_list | [] | CIDRs allowed to connect to the bastion (required when the bastion is enabled; 0.0.0.0/0 is prohibited) |
| max_session_ttl | 10800 (3h) | Maximum session duration in seconds |
| enable_dns_proxy | false | Enable the bastion DNS proxy feature |
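As an added example of the session-then-tunnel flow described under "How it works" and the constraints in the configuration table (no 0.0.0.0/0 in the client allow list, session TTL between 1800 and 10800 seconds), the script below validates those inputs, creates a PORT_FORWARDING session with the OCI CLI and prints the SSH command for the local tunnel. It is not the module's own scripts/setup-bastion-tunnel.sh; the region, OCIDs, key path and the API port 6443 are assumed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the module's scripts/setup-bastion-tunnel.sh. Region,
# OCIDs, key path and the API port (6443) below are assumed placeholders.
set -euo pipefail

# Reject the allow-list entries the module prohibits (0.0.0.0/0) and
# anything that is not a well-formed IPv4 CIDR.
validate_client_cidr() {
  local cidr="$1"
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
  case "$cidr" in
    0.0.0.0/0|::/0) return 1 ;;
  esac
  [[ "$cidr" =~ $re ]]
}

# Session TTL in seconds must stay in the service range: 30 min to 3 h.
validate_session_ttl() {
  local ttl="$1"
  [[ "$ttl" =~ ^[0-9]+$ ]] && [ "$ttl" -ge 1800 ] && [ "$ttl" -le 10800 ]
}

# Build the SSH command for a PORT_FORWARDING session (documented OCI
# format: <session OCID>@host.bastion.<region>.oci.oraclecloud.com).
# Args: session OCID, region, target private IP, target port, local port, key.
tunnel_ssh_command() {
  local session="$1" region="$2" target_ip="$3" target_port="$4"
  local local_port="$5" key="$6"
  printf 'ssh -i %s -N -L %s:%s:%s -p 22 %s@host.bastion.%s.oci.oraclecloud.com' \
    "$key" "$local_port" "$target_ip" "$target_port" "$session" "$region"
}

# Validate, create the session with the OCI CLI (needs a configured CLI and
# network access), then print the tunnel command for the private API endpoint.
# Args: bastion OCID, region, API private IP, [ttl=10800], [local port=16443].
create_tunnel() {
  local bastion="$1" region="$2" api_ip="$3" ttl="${4:-10800}" lport="${5:-16443}"
  local key="${SSH_KEY:-${HOME:-/root}/.ssh/id_ed25519}" session
  validate_session_ttl "$ttl" || { echo "TTL must be 1800-10800 s" >&2; return 1; }
  session=$(oci bastion session create-port-forwarding \
    --bastion-id "$bastion" --target-private-ip "$api_ip" --target-port 6443 \
    --session-ttl "$ttl" --ssh-public-key-file "${key}.pub" \
    --wait-for-state ACTIVE --query 'data.id' --raw-output)
  tunnel_ssh_command "$session" "$region" "$api_ip" 6443 "$lport" "$key"
}
```

Run `create_tunnel <bastion-ocid> <region> <api-private-ip> [ttl] [local-port]` and execute the printed command in a second terminal; kubectl then targets https://127.0.0.1:16443.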

Tunnel scripts:

Helper scripts are provided in scripts/ to automate session creation and tunnel management:

```shell
# Cluster tunnel (port 16443)
LOCAL_PORT=16443 ./scripts/setup-bastion-tunnel.sh --workspace primary kubectl
```

See Kubernetes Access for full Bastion tunnel setup and access mode details.