How do I lock down API access to specific IP addresses in my Amazon EKS cluster?

Last updated: 2020-01-16

I want to lock down API access to specific IP addresses in my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.

Short Description

You can lock down access to two types of Amazon EKS API server endpoints:

  • Public access endpoints. By default, the public endpoint accepts connections from any IP address (callers still have to authenticate). You can restrict it to specific CIDR blocks and IP addresses.
  • Private access endpoints. The API server can be reached only from within the cluster's Amazon Virtual Private Cloud (Amazon VPC). You can further restrict access to specific source CIDR blocks through the cluster security group (or any additional security groups attached to the cluster).

Resolution

Lock down API public access endpoints

  1. Open the Amazon EKS console.
  2. In the navigation pane, choose Clusters, and then select your cluster.
  3. In the Networking section, choose Update.
  4. Expand Advanced Settings.
    Note: The Advanced Settings options appear only when you enable public access.
  5. Enter a CIDR block that you want to allow access from.
    Note: A CIDR block must start on its own block boundary. For example, the IP address range 54.240.193.129 to 54.240.193.190 falls within the block 54.240.193.128/26 (a /26 covers 64 addresses starting at a multiple of 64, so this block also includes .128 and .191). To allow a single IP address, use /32 notation (for example, 54.240.193.130/32). These CIDR blocks can't include reserved addresses.
  6. (Optional) To enter additional blocks, choose Add Source.
  7. Choose Update.

Keep the following in mind:

  • If you don't specify any CIDR blocks, then the public API server endpoint receives requests from all (0.0.0.0/0) IP addresses.
  • It's a best practice to enable private endpoint access so that worker nodes and AWS Fargate pods (if used) can communicate with the cluster through the private endpoint.
  • Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your Amazon VPC. For example, if you have a worker node in a private subnet that communicates with the internet through a NAT gateway, then you must add the outbound IP address of the NAT gateway as part of a CIDR block that's allowed on your public endpoint.

Lock down API private access endpoints

  1. Open the Amazon EKS console.
  2. In the navigation pane, choose Clusters, and then select your cluster.
  3. In the Networking section, note the name of the cluster security group and any additional security groups.
  4. Add ingress rules to any one of the security groups that you noted in step 3.
    Note: For the ingress rule, set the protocol to TCP, the port to 443, and the source to the CIDR block that you want to allow. Keep the existing rules on the cluster security group in place, because the control plane and the worker nodes use them to communicate with each other.
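The two procedures above can be scripted with the AWS CLI. The following is an added example and is not part of the AWS article: it checks each CIDR block before use (rejects blocks that are not on their prefix boundary, such as 54.240.193.129/26, as well as 0.0.0.0/0 and RFC 1918 ranges for the public endpoint, since those can't reach it), then builds the `aws eks update-cluster-config` call that replaces the public allowlist and turns on the private endpoint, and the `aws ec2 authorize-security-group-ingress` call that opens TCP/443 on the cluster security group. The cluster name, security group ID and CIDR blocks are assumptions; commands are only printed unless you run the script with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the AWS article). Assumed values: cluster "my-cluster",
# security group sg-0123456789abcdef0, and the CIDR blocks passed below.

split_ip() {                        # sets o1..o4 from a.b.c.d (empty on short input)
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
}

ip_to_int() {                       # 54.240.193.129 -> 921747841
  split_ip "$1"
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

int_to_ip() {                       # inverse of ip_to_int
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {                     # /26 -> 4294967232 (0xFFFFFFC0)
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Canonical form of a block: 54.240.193.129/26 -> 54.240.193.128/26.
cidr_network() {
  echo "$(int_to_ip $(( $(ip_to_int "${1%/*}") & $(prefix_mask "${1#*/}") )))/${1#*/}"
}

# check_cidr public|private CIDR: returns 0 if usable, prints the reason otherwise.
check_cidr() {
  mode=$1; cidr=$2
  case $cidr in */*) ;; *) echo "$cidr: expected a.b.c.d/prefix (use /32 for one host)"; return 1 ;; esac
  bits=${cidr#*/}
  split_ip "${cidr%/*}"
  for part in "$o1" "$o2" "$o3" "$o4" "$bits"; do
    case $part in ''|*[!0-9]*) echo "$cidr: every field must be numeric"; return 1 ;; esac
  done
  for octet in "$o1" "$o2" "$o3" "$o4"; do
    [ "$octet" -le 255 ] || { echo "$cidr: octet $octet out of range"; return 1; }
  done
  [ "$bits" -le 32 ] || { echo "$cidr: prefix length must be 0-32"; return 1; }
  canon=$(cidr_network "$cidr")
  [ "$canon" = "$cidr" ] || { echo "$cidr: not on a /$bits boundary (did you mean $canon?)"; return 1; }
  if [ "$mode" = public ]; then
    [ "$cidr" != 0.0.0.0/0 ] || { echo "$cidr: allows every address; list specific sources"; return 1; }
    net=$(ip_to_int "${cidr%/*}"); mask=$(prefix_mask "$bits")
    # RFC 1918 space never reaches the public endpoint, so it is an error here.
    for priv in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
      pnet=$(ip_to_int "${priv%/*}"); pmask=$(prefix_mask "${priv#*/}")
      if [ $(( net & pmask )) -eq "$pnet" ] || [ $(( pnet & mask )) -eq "$net" ]; then
        echo "$cidr: overlaps private range $priv"; return 1
      fi
    done
  fi
  return 0
}

# Replace the public allowlist; enabling the private endpoint in the same call
# keeps nodes and Fargate pods off the public path, as the article recommends.
set_public_access_cidrs() {
  cluster=$1; shift; list=""
  for c in "$@"; do
    check_cidr public "$c" || return 1
    list="${list:+$list,}\"$c\""
  done
  cmd="aws eks update-cluster-config --name $cluster --resources-vpc-config '{\"endpointPublicAccess\":true,\"endpointPrivateAccess\":true,\"publicAccessCidrs\":[$list]}'"
  echo "$cmd"
  if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; fi
}

# Allow a source range to reach the private endpoint: TCP/443 ingress on the
# cluster security group (or one of the additional security groups).
allow_private_source() {
  sg=$1; src=$2
  check_cidr private "$src" || return 1
  cmd="aws ec2 authorize-security-group-ingress --group-id $sg --protocol tcp --port 443 --cidr $src"
  echo "$cmd"
  if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; fi
}

# Demo with assumed values. The article's range .129-.190 sits inside
# 54.240.193.128/26; the miswritten 54.240.193.129/26 is rejected with a hint.
set_public_access_cidrs my-cluster 54.240.193.128/26 203.0.113.7/32
check_cidr public 54.240.193.129/26 || true
allow_private_source sg-0123456789abcdef0 10.0.0.0/16
```

Run it once without `APPLY` to review the printed commands, then with `APPLY=1` and the credentials and region of the account that owns the cluster. The public allowlist is replaced, not merged, by `update-cluster-config`, so pass every source you still need (including NAT gateway egress addresses if the private endpoint is disabled).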
