I have a deployment layout where there would be various pods (each pod dedicated for each user has a service listens on a particular port). I need to give customer access to their pod directly without revealing the specific port and other secure stuff like cluster certificate details to the user of each pod. Should I go about over vs the other or would it even work?

a) How can I do that over the api server ?
b) Can I create a custom pod access service with a custom certificate to handle all pod access requests.
c) Or do I need a CNI plugin to assign each pod a public ip hosting everything on a cloud vpc?