Oracle Cloud OCI Bastion and GitHub Actions deploy applications on private OKE clusters

Mondo Culture Updated on 2024-02-01

Learn how to effectively leverage Oracle Cloud Infrastructure Bastion sessions and GitHub Actions to deploy to a private Oracle Container Engine Kubernetes (OKE) cluster when needed for security, compliance, network isolation, and control. OKE is a fully managed, scalable, and highly available service that you can use to deploy containerized applications to the cloud.

GitHub Actions is a powerful workflow automation and continuous integration/continuous delivery (CI/CD) platform provided by GitHub. It lets you define custom workflows in YAML syntax that are triggered by events such as pushes, pull requests, or scheduled tasks. This reference architecture demonstrates the integration of OCI Bastion and GitHub Actions to deploy to a private OKE cluster. A private OKE cluster is not reachable from external networks, so to reach the private Kubernetes API endpoint, an OCI Bastion port forwarding session is established over SSH. This makes it possible to run kubectl commands for the various deployment operations in the cluster. When a change is pushed to the repository, the GitHub Actions workflow is triggered automatically. During the workflow run, an OCI Bastion session is created and used to connect to the private Kubernetes API endpoint and perform the deployment operations; when the workflow completes, the OCI Bastion session is deleted. This approach keeps the deployment process both secure and efficient. The workflow can also serve as a framework for continuous integration tasks and can be customized further to match your own development processes and requirements. The following diagram illustrates this reference architecture.
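As an added example (not the workflow from the project's own repository), the cycle described above as a GitHub Actions workflow: create a short-lived bastion port forwarding session with a per-run SSH key, tunnel to the private Kubernetes API endpoint, run kubectl, and delete the session even if the deploy step fails. The secret names (OCI_CLI_*, OCI_BASTION_OCID, OKE_CLUSTER_OCID, OKE_API_PRIVATE_IP) and the k8s/ manifest path are assumptions, as is that the OKE API server certificate lists the private endpoint IP as a SAN so that TLS verification can be kept instead of skipped.

```yaml
name: deploy-private-oke
on: { push: { branches: [main] } }
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:   # the OCI CLI reads API-key auth from these; all values come from repo secrets (assumed names)
      OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }}
      OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }}
      OCI_CLI_FINGERPRINT: ${{ secrets.OCI_CLI_FINGERPRINT }}
      OCI_CLI_KEY_CONTENT: ${{ secrets.OCI_CLI_KEY_CONTENT }}
      OCI_CLI_REGION: ${{ secrets.OCI_CLI_REGION }}
      OKE_API_IP: ${{ secrets.OKE_API_PRIVATE_IP }}   # private Kubernetes API endpoint IP
    steps:
      - uses: actions/checkout@v4
      - run: pip install --quiet oci-cli
      - name: Create short-lived bastion port forwarding session to the private K8s API
        run: |
          ssh-keygen -t rsa -b 4096 -N '' -q -f "$RUNNER_TEMP/bastion_key"   # fresh key pair per run
          SESSION_ID=$(oci bastion session create-port-forwarding-session \
            --bastion-id "${{ secrets.OCI_BASTION_OCID }}" --display-name "gha-${{ github.run_id }}" \
            --ssh-public-key-file "$RUNNER_TEMP/bastion_key.pub" \
            --target-private-ip "$OKE_API_IP" --target-port 6443 --session-ttl 1800 \
            --query 'data.id' --raw-output)
          echo "SESSION_ID=$SESSION_ID" >> "$GITHUB_ENV"
          for _ in $(seq 1 18); do   # wait until the session is ACTIVE (up to 3 minutes)
            STATE=$(oci bastion session get --session-id "$SESSION_ID" --query 'data."lifecycle-state"' --raw-output)
            [ "$STATE" = "ACTIVE" ] && break; sleep 10
          done
          [ "$STATE" = "ACTIVE" ] || { echo "bastion session not ACTIVE: $STATE"; exit 1; }
          ssh -i "$RUNNER_TEMP/bastion_key" -o StrictHostKeyChecking=accept-new -N \
            -L "6443:${OKE_API_IP}:6443" -p 22 "${SESSION_ID}@host.bastion.${OCI_CLI_REGION}.oci.oraclecloud.com" &
          sleep 5
      - name: Deploy through the tunnel
        run: |
          oci ce cluster create-kubeconfig --cluster-id "${{ secrets.OKE_CLUSTER_OCID }}" \
            --file "$HOME/.kube/config" --region "$OCI_CLI_REGION" --token-version 2.0.0 --kube-endpoint PRIVATE_ENDPOINT
          CLUSTER=$(kubectl config view -o jsonpath='{.clusters[0].name}')
          # send traffic to the local tunnel but keep verifying the API server certificate (assumes IP SAN)
          kubectl config set-cluster "$CLUSTER" --server=https://127.0.0.1:6443 --tls-server-name "$OKE_API_IP"
          kubectl apply -f k8s/   # assumed path to this repository's manifests
      - name: Delete the bastion session (runs even if the deploy step failed)
        if: always()
        run: |
          pkill -f "host.bastion" || true
          [ -z "$SESSION_ID" ] || oci bastion session delete --session-id "$SESSION_ID" --force
```

The session TTL of 1800 seconds bounds how long the tunnel can exist even if the cleanup step never runs.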

Before you begin
Configure an OKE cluster with the Kubernetes API endpoint and the worker nodes in private subnets. Note: The private Kubernetes API endpoint is the target of the OCI Bastion port forwarding session.

Create an OCI Bastion with the cluster's VCN as the target VCN and the OKE node subnet as the target subnet.

Set the required IAM service policies. Note: For more information on setting the required IAM policies, see the "Policy Configuration for Cluster Creation and Deployment" link in More Exploration.

The architecture consists of the following components:

Tenancy
When you sign up for Oracle Cloud Infrastructure, Oracle sets up a secure, isolated partition in Oracle Cloud for you: the tenancy. You can create, organize, and manage resources in Oracle Cloud within your tenancy. A tenancy is usually synonymous with a company or organization; typically, a company has one tenancy within which its organizational structure is reflected. A tenancy is typically associated with a subscription, and a subscription typically has only one tenancy.

Region
An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of each other and can be very far apart (across countries or even continents).

Compartments
A compartment is a logical, cross-region division within an Oracle Cloud Infrastructure tenancy. Use compartments to organize resources in Oracle Cloud, control access to them, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

Availability domains
Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from those in other availability domains, which provides fault tolerance. Availability domains do not share infrastructure such as power, cooling, or the internal availability domain network, so the failure of one availability domain is unlikely to affect the other availability domains in the region.

Fault domains
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your application can tolerate physical server failures, system maintenance, and power failures inside a fault domain.

Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks, which you can change after you create the VCN. You can divide a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that does not overlap with the other subnets in the VCN. You can change the size of a subnet after it is created. Subnets can be public or private.

Load balancer
Oracle Cloud Infrastructure Load Balancing provides automated traffic distribution from a single entry point to multiple servers in the back end.

Security lists
For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

Network address translation (NAT) gateway
A NAT gateway enables private resources in a VCN to access hosts on the internet without exposing those resources to incoming internet connections.

Service gateway
The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. Traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

Cloud Guard
You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists in taking them, based on responder recipes that you can define.

Security zones
Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks. A security zone is associated with a compartment of the same name and includes a security zone policy, or "recipe", that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

Container Engine for Kubernetes
Oracle Cloud Infrastructure Container Engine for Kubernetes is a fully managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your application requires, and Container Engine for Kubernetes provisions them on Oracle Cloud Infrastructure in an existing tenancy. Container Engine for Kubernetes uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.

Bastion
Oracle Cloud Infrastructure Bastion provides restricted and time-limited secure access to resources that don't have public endpoints and that require strict resource access controls, such as bare metal and virtual machines, Oracle MySQL Database Service, Autonomous Transaction Processing (ATP), Oracle Container Engine for Kubernetes (OKE), and any other resource that allows Secure Shell Protocol (SSH) access. With Oracle Cloud Infrastructure Bastion, you can enable access to private hosts without deploying and maintaining a jump host. In addition, you get an improved security posture with identity-based permissions and centralized, audited, time-bound SSH sessions. Oracle Cloud Infrastructure Bastion removes the need for a public IP for bastion access, eliminating the hassle and potential attack surface of providing remote access.
Use the following recommendations as a starting point. Your requirements may differ from the architecture described here.

VCN
When you create a VCN, determine the number of CIDR blocks you need and the size of each block based on the number of resources you plan to attach to the VCN's subnets. Use CIDR blocks within the standard private IP address space.

Select CIDR blocks that don't overlap with any other networks (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) that you intend to have a private connection to. Once you have created a VCN, you can change, add, and remove its CIDR blocks.

When designing your subnets, consider your traffic flow and security requirements. Attaching all resources within a specific tier or role to the same subnet can serve as a security boundary.

Cloud Guard
Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes let you specify which types of security violations generate a warning and which actions are allowed to be taken on them. For example, you might want to detect an Object Storage bucket whose visibility is set to public.

Apply Cloud Guard at the tenant level to cover the widest possible reach and reduce the administrative burden of maintaining multiple configurations.

You can also use the Manage List feature to apply specific configurations to detectors.

Bastion
OCI Bastion lets authorized users connect to a target resource from specific IP addresses through a Secure Shell (SSH) session. Make sure that only authorized users can create bastions and sessions. Access to the bastion should be granted only to authorized users.

Container Engine for Kubernetes (OKE)
Make sure that you have created the necessary IAM policies and that only authorized users can access cluster resources. Enable additional monitoring and logging to improve the security posture.

Considerations
When deploying this reference architecture, consider the following points.

Scalability
You can scale your application by updating the number of worker nodes in the Kubernetes cluster, depending on the load. Similarly, you can scale down by reducing the number of worker nodes in the cluster. When you create a service on the Kubernetes cluster, you can create a load balancer to distribute service traffic among the nodes assigned to that service.

Application availability
Fault domains provide the best resilience within a single availability domain. You can also deploy instances or nodes that perform the same tasks in multiple availability domains. This design removes single points of failure by introducing redundancy.

Security
Use policies that restrict who can access which OCI resources and how. OKE integrates with Oracle Cloud Infrastructure Identity and Access Management (IAM). IAM provides easy authentication with native OCI identity capabilities.

Deploy
The GitHub Actions workflow is available on GitHub. Visit GitHub.

Clone or download the repository to your local computer.

Follow the instructions in the README documentation.

As an Oracle Premier Partner, Agilewing is redefining the way enterprises experience Oracle Cloud Services. With its streamlined account opening process and best-in-class technical support, Agilewing transforms the complex process of opening and operating an account into an easy, intuitive experience. With our one-stop shop, you can quickly get up and running with the full range of Oracle Cloud services and integrate seamlessly into the cloud. Agilewing's AgileCDN service, combined with OCI's cloud-based services, provides a best-in-class global content acceleration solution. A strong network of more than 2,800 global POP nodes and 7,000 direct connection points ensures efficient and stable operation wherever your business expands in the world. Leveraging the advanced technology of Oracle Cloud, Agilewing is committed to simplifying cloud service building, cloud migration, and taking a business global. "Our partnership model provides customers with cost-effective solutions that allow them to focus more on their core business while enjoying the high performance and security of Oracle Cloud." Oracle Cloud Service, as a promising field, opens the door to new opportunities for enterprises with its high performance, security, and globally consistent service standards. Through Agilewing's professional services, both individual users and enterprises can easily enter this new era of technological innovation and high performance. Start exploring Oracle Cloud Services with Agilewing today and open the door to a whole new world.
