Bastion support for private instances

[arindam-bandyopadhyay]

Problem Description

CAPOCI by default creates Kubernetes master and worker nodes as private, i.e they don't have any public ip, only they have private ip. As a result, the operators manually needs to create bastions hosts(a compute with publci ip) aka jump host or use bastion service(https://www.oracle.com/security/cloud-security/bastion) to connect to those private instances.

Solution

CAPOCI should automatically create bastion service(https://docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm) in the control-plan (kubernetes master) instance subnet and worker node subnet if user opt for it via oci cluster spec. This would be allowed only for control-plan subnet and worker subnet role.
Example:

apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: OCICluster
metadata:
  name: foo
spec:
  networkSpec:
    vcn:
      name: cluster-vcn
      subnets:
        - name: cp-subnet
          role: control-plan
          type: private
          bastion:
            name: control-plan-bastion
            cidr: 11.0.0.0/24
        - name: worker-subnet
          role: worker
          type: private
          bastion:
            name: worker-bastion
            cidr: 10.0.0.0/24

Notes

• This bastion spec is optional. CAPOCI won't create any default bastion if inside subnet, bastian spec is missing
• name is the name of the bastion and cidr is the allowed cidr that would have access to the private instance via bastion service
• CAPOCI would only create the bastion on the subnet. However, it won't create the bastion sessions since bastion sessions are short-lived (TTL 180 minutes). The user(operator) needs to create bastion session manually when they want to connect to the instance
• We would document how to create bastion sessions.

[joekr]

Love this idea! As a part of this can we document how to use the OCI cli? I think we should cover create and delete at least. I know we could just point them to the web console, but since our docs talk about clusterctl I think it would be nice to call out how to use OCI's cli as well.

[arindam-bandyopadhyay]

Yes @joekr. We would document how to create bastion session using OCI cli since we are not automating that using CAPOCI

[joekr]

Since a Bastion is a "nice to have" on a given cluster how will we handle if there is a failure to create the bastion? Will the cluster still be considered "healthy"?

[arindam-bandyopadhyay]

@joekr IMO, we should fail if we can't create bastion since we are not able to reach desired state. bastion itself a optional feature, customer adding that in spec means it's part of desired state. Since we are not able to reach to desired state, we should fail.

[Jenksho]

Afreed

[Jenksho]

This is good and will bring us on par with AWS