Secure deployments to private Kubernetes clusters with OCI DevOps

April 12, 2022 | 2 minute read
Saurabh Shah
Principal Product Manager

Last year, we released Oracle Cloud Infrastructure (OCI) DevOps service with the ability to automate your software deployments to the OCI platform. To read more about this release, see our blog on simplifying software deployments with OCI DevOps.

As customers use our managed and fully automated Continuous Integration (CI) and Continuous Deployment (CD) pipeline to build, test, and deploy software artifacts to the OCI platform, many have asked us how to securely deploy applications to a private Kubernetes cluster. Customers use a private Kubernetes cluster to avoid internet access for internal applications and to satisfy security, compliance, and regulatory requirements. Some use it to restrict access to the cluster API to authorized subnets in their corporate network.

We're excited to announce the General Availability of our support for secure deployments to a private Kubernetes cluster on Oracle Container Engine for Kubernetes (OKE) using OCI DevOps.

DevOps environment with access to private Kubernetes API endpoint

A CI/CD system that deploys applications to a Kubernetes cluster requires access to the cluster's control plane. In a private Kubernetes cluster, the control plane is enabled on a VCN subnet that does not have access to the internet gateway. Customers have to either deploy agents or bridge the networking between the DevOps platform and the Kubernetes cluster via a jump host or bastion host to allow access to a private cluster. While these workarounds can enable access to the private cluster, they come with added compliance and operational overhead.

Using OCI DevOps, you can simplify the operations and enable secure deployments using a managed private endpoint that bridges networking access between the private Kubernetes cluster in the customer compartment and the DevOps service. The private endpoint is seamlessly provisioned along with the DevOps environment. Access to this private endpoint is enabled via the service gateway. With the environment successfully configured, the deployment pipeline is unchanged and can be used to deploy Kubernetes manifest or Helm chart artifacts. You can further secure the private endpoint access by configuring specific security rules that only allow traffic from OCI services.
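As an added illustration (not code from Oracle or from this post), the following Python check audits a list of network security group rules and reports any ingress rule that admits traffic from something other than an OCI service source, which is the restriction described above. It assumes the rules are exported in the OCI security-rule JSON shape (direction, protocol, sourceType, source) and that "traffic from OCI services" is expressed as a SERVICE_CIDR_BLOCK source; the all-protocol check is an extra hardening test beyond what the post states, and the sample rules are constructed.

```python
# Added example: audit NSG ingress rules guarding a private endpoint.
# Assumption: rules use the OCI security-rule JSON fields
# (direction, protocol, sourceType, source). Sample data is constructed.

SERVICE_SOURCE = "SERVICE_CIDR_BLOCK"
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def audit_ingress(rules):
    """Return (index, reason) findings for ingress rules that are wider
    than 'traffic from OCI services only'."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("direction") != "INGRESS":
            continue  # egress rules are out of scope for this check
        src_type = rule.get("sourceType")
        src = rule.get("source", "")
        if src_type != SERVICE_SOURCE:
            reason = f"source {src!r} ({src_type}) is not an OCI service label"
            if src in ANY_ADDRESS:
                reason += "; open to any address"
            findings.append((i, reason))
        elif rule.get("protocol") == "all":
            # Extra hardening check, not taken from the post.
            findings.append((i, "service source but every protocol allowed"))
    return findings


SAMPLE_RULES = [  # constructed sample, not from a real tenancy
    {"direction": "INGRESS", "protocol": "6",
     "sourceType": "SERVICE_CIDR_BLOCK",
     "source": "all-phx-services-in-oracle-services-network"},
    {"direction": "INGRESS", "protocol": "6",
     "sourceType": "CIDR_BLOCK", "source": "0.0.0.0/0"},
    {"direction": "INGRESS", "protocol": "all",
     "sourceType": "SERVICE_CIDR_BLOCK",
     "source": "all-phx-services-in-oracle-services-network"},
    {"direction": "EGRESS", "protocol": "all",
     "destinationType": "CIDR_BLOCK", "destination": "10.0.0.0/16"},
]

if __name__ == "__main__":
    for idx, reason in audit_ingress(SAMPLE_RULES):
        print(f"rule {idx}: {reason}")
```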

Learn More

To configure this feature, see Creating a Kubernetes Cluster Environment for the private OKE cluster. To get started with OCI DevOps in your Oracle Cloud Infrastructure account, use our automated QuickStart reference architecture to deploy and run a DevOps pipeline.
