cluster access via ssh local port forwarding

[RoodeyMental]

Hi everyone, first if all i want to thank you for putting in the time to provide this awesome project. It helped me learn a lot about kubernetes and terraform.

At the moment i am evaluating different ways of connecting to the kubernetes cluster. My understanding is, that out of the box there are two ways to choose from in this project:

1. accessing the API via external IP Address and whitelisting the source IP
   Disadvantage: Needing a static ip address which is not a problem if working from within the company office but problematic if i am working from home office (Need to configure a route in the vpn client to route traffic through vpn interface when accessing external control plane node ip)
2. disable access from external ip addresses and use 127.0.0.1 as the bind adress, so the cluster is only accessible after you ssh into a control plane node
   Disadvantage: All kubernetes manifests must be stored on the control plane node

A possible third way, would be the following:

1. Set up ssh gateway with external ip address and ip whitelist (same problem with office/homeoffice as 1.)
2. use hetzner private network ip adress which is accessible from the ssh gateway as api bind address
3. enable TcpForwarding in sshd on control plane nodes
4. use ssh local port forwarding of port 6443 through ssh gateway to access the kubernetes api
5. set cluster server to https://127.0.0.1:6443 in client kube config

From a security standpoint, i think this has the advantage of needing a valid ssh key in addition to the client certificate, but i am really not sure if its worth the additional effort of setting up a ssh gateway and deviating from the default network configuration as described in "Deploy in a pre-constructed private network (for proxies etc)" in the Examples section.

I would really like to hear your thoughts on this!