Access Modes
OKE clusters can be configured with one of two access modes for the Kubernetes API. Choose the one that matches your security requirements:

| Access Mode | provision_bastion | endpoint_public_access | Use Case |
|---|---|---|---|
| Public Endpoint | false | true | Development/testing or when direct access is acceptable |
| Bastion Tunnel | true | false | Production clusters with strict network isolation |

| Feature | Bastion Tunnel | Public Endpoint |
|---|---|---|
| Network exposure | Private only (VCN) | Public internet (IP-restricted) |
| kubernetes_api_host | Required (tunnel URL) | Auto-detected from kubeconfig |
| SSH tunnel required | Yes | No |
| Terraform commands | Need -var="kubernetes_api_host=..." | No extra variables needed |
| Security | Higher (no public exposure) | Medium (IP allowlist via control_plane_allowed_cidrs) |

Important
The kubernetes_api_host variable should only be set when using bastion tunnel mode (provision_bastion=true). When using public endpoint mode (endpoint_public_access=true), do not set this variable; the Kubernetes and Helm providers will automatically discover the cluster's public endpoint from the OCI-generated kubeconfig.
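
A pre-flight check for the rules above, as an added example (not part of the OKE module or its documentation). It assumes both mode variables are set explicitly as simple assignments in a .tfvars file and that kubernetes_api_host may also arrive through -var; the function names, sample files and tunnel URL are constructed for illustration.

```python
import re

# Matches simple `name = value` assignments (booleans and strings); lists are skipped.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def load_vars(tfvars_text, cli_args=()):
    """Merge .tfvars assignments with -var overrides (command line wins)."""
    merged = {}
    for line in tfvars_text.splitlines():
        m = ASSIGN.match(line)
        if m:
            merged[m.group(1)] = m.group(2)
    for arg in cli_args:
        if arg.startswith("-var="):
            name, _, value = arg[len("-var="):].partition("=")
            merged[name] = value.strip('"')
    return merged

def check_access_mode(v):
    """Return findings; an empty list means the settings match one documented mode."""
    bastion = v.get("provision_bastion", "").lower() == "true"
    public = v.get("endpoint_public_access", "").lower() == "true"
    api_host = v.get("kubernetes_api_host", "")
    findings = []
    if bastion == public:
        findings.append("provision_bastion and endpoint_public_access must differ: "
                        "only bastion tunnel and public endpoint modes are documented")
    if bastion and not public and not api_host:
        findings.append("bastion tunnel mode requires kubernetes_api_host (the tunnel URL)")
    if public and api_host:
        findings.append("kubernetes_api_host must not be set with endpoint_public_access=true")
    return findings

# Constructed sample inputs, not taken from the page.
BASTION_TFVARS = 'provision_bastion = true\nendpoint_public_access = false  # private API\n'
PUBLIC_TFVARS = 'provision_bastion = false\nendpoint_public_access = true\n'
TUNNEL_ARG = "-var=kubernetes_api_host=https://127.0.0.1:6443"  # constructed tunnel URL

if __name__ == "__main__":
    cases = [("bastion + tunnel URL", BASTION_TFVARS, [TUNNEL_ARG]),
             ("bastion, URL missing", BASTION_TFVARS, []),
             ("public + stale URL", PUBLIC_TFVARS, [TUNNEL_ARG])]
    for label, text, args in cases:
        print(label, "->", check_access_mode(load_vars(text, args)) or "ok")
```

Running it before `terraform plan` catches a kubernetes_api_host value left over from a bastion session when the cluster has been switched to public endpoint mode.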