Set up SSH or reverse SSH tunnel to only one Kubernetes service

I need to allow inbound connections from a remote platform to do some administrative tasks on one of my databases (in my case, allow a reverse-ETL service to feed one of my PostgreSQL databases in a pod in my k8s cluster).

The remote platform lets me configure a PostgreSQL destination through SSH tunnels, reverse SSH tunnels, or direct connections. Of course, I would like traffic to be encrypted, so I'm opting for the SSH or reverse SSH tunnel.

Any idea if/how I can set up this access on my k8s cluster?

I would like to give the remote service ONLY access to one of my PG databases (and not the whole cluster/namespace, for security reasons).

The scenario I was thinking about:

  1. Traefik listens for SSH on a specific port (like 2222).
  2. Route this port to an SSH bastion pod capable of managing incoming SSH connections, and log in as a specific Linux user. Only allow connections from the remote service IPs via an IP whitelist middleware.
  3. Allow connections from this bastion host pod (or ideally, this Linux user) ONLY to my PostgreSQL instance on the default PG port.

If I open a bastion host (2), by default, all my users will have access to all services on the cluster... right? How can I isolate my bastion host instance so it only connects to PG? I haven't used network policies yet, but I believe they may be the answer... however, would it be possible to activate network policies for a single pod only (my bastion host) and leave the rest as it is?
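The egress restriction described in step 3 can be expressed as a single NetworkPolicy whose `podSelector` matches only the bastion pod; pods that no policy selects keep their default allow-all behaviour, so the rest of the namespace is untouched. The manifest below is an added example and is not part of the original question: the namespaces (`tunnel`, `databases`), the pod labels (`app: ssh-bastion`, `app: postgresql`) and the CoreDNS label (`k8s-app: kube-dns`) are assumptions that must be replaced with the cluster's real values.

```yaml
# Added example (not from the original post). Egress-only NetworkPolicy that
# applies solely to the bastion pod. All labels and namespaces are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ssh-bastion-egress-only-postgres
  namespace: tunnel                 # assumed namespace of the bastion pod
spec:
  # Only pods carrying this label are affected; every other pod in the
  # namespace keeps its default (unrestricted) behaviour.
  podSelector:
    matchLabels:
      app: ssh-bastion
  # Ingress to the bastion is deliberately not governed here; Traefik's
  # IP whitelist middleware in front of the entrypoint already gates it.
  policyTypes:
    - Egress
  egress:
    # 1. The PostgreSQL pod only, on the default port. Policies match the
    #    backing pods, so select the DB pod's labels, not the Service name.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: databases   # assumed DB namespace
          podSelector:
            matchLabels:
              app: postgresql
      ports:
        - protocol: TCP
          port: 5432
    # 2. Cluster DNS, so the bastion can resolve the service name that the
    #    SSH port-forward targets. Without this rule name resolution fails
    #    once egress is restricted.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns                        # assumed CoreDNS label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two caveats before relying on this: NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them (Calico, Cilium and similar do; plain flannel does not), so a policy that is accepted by the API server but silently ignored is the failure mode to test for. Verify from inside the bastion pod that a TCP connection to the PostgreSQL pod on 5432 succeeds and that a connection to any other cluster service times out; both outcomes are needed to prove the policy is both present and effective. The SSH daemon on the bastion can add a second, independent layer for the specific Linux user by limiting which host:port that user may forward to, so that even a misconfigured policy does not hand the tunnel cluster-wide reach.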



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
