OCI Bastion Service (module.oci-bastion)

Purpose: Optional. Deploys the OCI Bastion Service to provide secure SSH tunnel access to the OKE cluster when the Kubernetes API endpoint is private (not exposed to the internet).

This module is only needed when provision_bastion = true. When the OKE cluster uses a public API endpoint (endpoint_public_access = true), the bastion is not required and should not be deployed.

Deployed on: Any workspace where provision_bastion = true.

Key resources created:

| Resource | Purpose |
|---|---|
| `oci_bastion_bastion` | OCI-managed Bastion Service (STANDARD type) |
| Dedicated bastion subnet (/24) | Public subnet for the bastion service (created by `module.oci-core`) |
| Bastion NSG + security rules | Egress rules allowing SSH and traffic to worker nodes and the K8s API endpoint |
| Worker/API NSG ingress rules | Ingress rules allowing traffic from the bastion NSG into worker and API subnets |
| Enhanced route table | VCN routing from the bastion subnet to all worker node subnets |

How it works:

The OCI Bastion Service is a fully managed service, meaning that there is no jump host to maintain. Access is session-based: the operator creates a PORT_FORWARDING session via the OCI CLI, then establishes a local SSH tunnel through the bastion to reach the private Kubernetes API endpoint. Sessions have a configurable TTL (default 3 hours, range 30 minutes to 3 hours).
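The session-then-tunnel workflow described above, as an added example that is not the project's own `scripts/setup-bastion-tunnel.sh`. It validates the requested TTL against the 30-minute to 3-hour window before any credentials are used, creates the PORT_FORWARDING session with the OCI CLI, waits for it to become ACTIVE, and opens the local SSH tunnel. The input variables (`BASTION_OCID`, `API_PRIVATE_IP`, `REGION`, `LOCAL_PORT`, `SSH_KEY`, `SESSION_TTL`) and the private API port 6443 are assumptions; the OCI CLI subcommands and flags are the ones the real CLI provides. By default it runs in dry-run mode and only prints the tunnel command.

```shell
#!/bin/sh
# Added example, not the project's scripts/setup-bastion-tunnel.sh: the
# session-then-tunnel workflow, with a TTL pre-flight check.
# Assumed (hypothetical) inputs: BASTION_OCID, API_PRIVATE_IP, REGION,
# LOCAL_PORT, SSH_KEY, SESSION_TTL. Target port 6443 is the assumed private
# Kubernetes API port. DRY_RUN=1 (the default) never calls the OCI CLI.
set -eu

# Session TTL window stated in the text: 30 minutes to 3 hours, in seconds.
TTL_MIN=1800
TTL_MAX=10800

# Succeeds only for an integer TTL inside the allowed window.
validate_ttl() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge "$TTL_MIN" ] && [ "$1" -le "$TTL_MAX" ]
}

# Bastion SSH endpoint for a region; the session OCID is used as the SSH user.
bastion_ssh_target() {
  printf 'host.bastion.%s.oci.oraclecloud.com' "$1"
}

# Assemble the ssh command that opens the local tunnel. -N: no remote command,
# -L: forward local_port on this machine to target_ip:target_port via the bastion.
# Arguments: session_ocid region local_port target_ip target_port ssh_key
tunnel_command() {
  printf 'ssh -i %s -N -L %s:%s:%s -p 22 %s@%s' \
    "$6" "$3" "$4" "$5" "$1" "$(bastion_ssh_target "$2")"
}

# Create a PORT_FORWARDING session and print its OCID (needs OCI credentials).
# Arguments: bastion_ocid target_ip target_port ttl_seconds public_key_file
create_session() {
  oci bastion session create-port-forwarding \
    --bastion-id "$1" \
    --target-private-ip "$2" \
    --target-port "$3" \
    --session-ttl "$4" \
    --ssh-public-key-file "$5" \
    --query 'data.id' --raw-output
}

# Poll until the session is ACTIVE; a new session starts in CREATING.
wait_for_session() {
  while [ "$(oci bastion session get --session-id "$1" \
              --query 'data."lifecycle-state"' --raw-output)" != ACTIVE ]; do
    sleep 5
  done
}

main() {
  bastion_id=${BASTION_OCID:-ocid1.bastion.oc1..placeholder}  # placeholder, not a real OCID
  api_ip=${API_PRIVATE_IP:-10.0.0.5}                         # constructed sample address
  region=${REGION:-us-ashburn-1}
  local_port=${LOCAL_PORT:-16443}
  ttl=${SESSION_TTL:-$TTL_MAX}
  ssh_key=${SSH_KEY:-$HOME/.ssh/id_ed25519}
  api_port=6443

  if ! validate_ttl "$ttl"; then
    echo "SESSION_TTL must be an integer between $TTL_MIN and $TTL_MAX seconds" >&2
    return 2
  fi

  if [ "${DRY_RUN:-1}" = 1 ]; then
    # Default mode: show what would run, without touching OCI.
    echo "[dry-run] would create a ${ttl}s PORT_FORWARDING session on $bastion_id, then run:"
    tunnel_command ocid1.bastionsession.oc1..placeholder "$region" "$local_port" "$api_ip" "$api_port" "$ssh_key"
    echo
    return 0
  fi

  session_id=$(create_session "$bastion_id" "$api_ip" "$api_port" "$ttl" "$ssh_key.pub")
  wait_for_session "$session_id"
  # The tunnel stays up until the session TTL expires or the operator stops it;
  # kubectl can then be pointed at https://127.0.0.1:$local_port.
  eval "$(tunnel_command "$session_id" "$region" "$local_port" "$api_ip" "$api_port" "$ssh_key")"
}

main "$@"
```

Run it with `DRY_RUN=0 BASTION_OCID=<bastion ocid> API_PRIVATE_IP=<endpoint ip> REGION=<region> sh tunnel.sh` to actually create a session; the tunnel ends when the session TTL expires, so the script re-creates a session rather than reusing an old one, and the TTL check fails fast instead of letting the CLI reject an out-of-range value after credentials have been loaded.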

Configuration (tfvars):

| Variable | Default | Description |
|---|---|---|
| `provision_bastion` | `true` | Deploy the bastion service and supporting network resources |
| `bastion_client_allow_list` | `[]` | CIDRs allowed to connect to the bastion (required when bastion is enabled; `0.0.0.0/0` is prohibited) |
| `max_session_ttl` | `10800` (3h) | Maximum session duration in seconds |
| `enable_dns_proxy` | `false` | Enable the bastion DNS proxy feature |

Tunnel scripts:

Helper scripts are provided in scripts/ to automate session creation and tunnel management:

```shell
# Cluster tunnel (port 16443)
LOCAL_PORT=16443 ./scripts/setup-bastion-tunnel.sh --workspace primary kubectl
```

See Kubernetes Access for full Bastion tunnel setup and access mode details.