How do I set up public and private access to the API server in Amazon EKS?

Last updated: 2020-01-27

I want to set up public and private access for the Kubernetes API server endpoint of my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.

Short Description

To set up public and private access for the Kubernetes API server endpoint, you must:

  • Understand the default behavior of the Kubernetes API server
  • Understand how private access to the Amazon EKS API endpoint works
  • Modify endpoint access
  • Understand how DNS resolution for the Amazon EKS API endpoint works

If you have issues with your Kubernetes API server endpoint, see How do I troubleshoot issues with the API server endpoint of my Amazon EKS cluster?

Resolution

Understand the default behavior of the Kubernetes API server

When you create a new cluster, the following is true:

  • Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster.
  • The API server endpoint is public to the internet.
  • Access to the API server is secured with AWS Identity and Access Management (IAM) and native Kubernetes role-based access control (RBAC).

Understand how private access to the Amazon EKS API endpoint works

To keep communication between your worker nodes and the API server within your Amazon Virtual Private Cloud (Amazon VPC), enable private access to the Amazon EKS API endpoint.

When you enable private access to the API endpoint for your cluster, the following is true:

  • Amazon EKS creates an Amazon Route 53 private hosted zone on your behalf and associates that private hosted zone only with your cluster's VPC.
  • The private hosted zone is managed by Amazon EKS, and it doesn't appear in your account's Route 53 resources.

A cluster that's configured to allow only private access can be reached only from the following:

  • The VPC where the worker nodes reside
  • Networks that are peered with the Amazon EKS cluster's VPC
  • A network that's connected to the Amazon EKS cluster's VPC through AWS Direct Connect or a virtual private network (VPN)

Understand how DNS resolution for the Amazon EKS API endpoint works

If public = true and private = false, then the Amazon EKS API endpoint is reachable anywhere from the internet. This is also the default behavior of an Amazon EKS cluster. You can also limit access with the AWS Command Line Interface (AWS CLI).

If public = true and private = true, then the Amazon EKS API endpoint is accessible and resolvable over the internet and from within the networks connected to the VPC. The connected networks include those reached through AWS Direct Connect (DX), a VPN, or a VPC peering connection.

If public = false and private = true, then all traffic to the API server of the Amazon EKS cluster must originate from within your VPC or its connected networks. The API server endpoint isn't accessible over the internet. The cluster's API server endpoint is resolved by public DNS servers to a private IP address from the VPC.

Modify endpoint access

To enable private access on a cluster that currently has private API endpoint access disabled (that is, to set endpointPrivateAccess to true), run the following AWS CLI command, replacing region with your cluster's Region and dev with your cluster name:

aws eks update-cluster-config \
    --region region \
    --name dev \
    --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true

To disable public API access to the endpoint, set endpointPublicAccess to false.
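As an added example (not part of this AWS article), the following POSIX shell functions encode the three endpoint access combinations described under "Understand how DNS resolution for the Amazon EKS API endpoint works" and build the update-cluster-config command shown above so it can be reviewed before it is run. The cluster name dev comes from the article; the Region us-east-1 is an assumption. The rule that Amazon EKS rejects a configuration with both public and private access disabled is an EKS constraint the article does not state; the describe-cluster --query expression uses the real cluster.resourcesVpcConfig field names but is otherwise the example's own choice.

```shell
#!/bin/sh
# Added example, not code from the AWS article: classify an Amazon EKS API
# endpoint access configuration and build (without running) the matching
# "aws eks update-cluster-config" command. Nothing here calls AWS unless you
# invoke eks_current_flags yourself with valid credentials.

# eks_access_mode PUBLIC PRIVATE
# Prints a short mode token for the two endpoint flags (lowercase true/false).
# Returns 1 for a bad flag value or for both flags disabled, which EKS rejects
# (constraint not stated in the article; EKS requires at least one enabled).
eks_access_mode() {
  case "$1/$2" in
    true/false)  echo "public-only" ;;
    true/true)   echo "public-and-private" ;;
    false/true)  echo "private-only" ;;
    false/false) echo "error: EKS requires public or private access to be enabled" >&2; return 1 ;;
    *)           echo "error: flags must be true or false, got '$1' and '$2'" >&2; return 1 ;;
  esac
}

# eks_describe_reach MODE
# Explains which networks can reach the API server for a mode token,
# following the three cases in the article.
eks_describe_reach() {
  case "$1" in
    public-only)        echo "reachable from the internet (the EKS default)" ;;
    public-and-private) echo "reachable from the internet and from the VPC plus networks connected by Direct Connect, VPN or VPC peering" ;;
    private-only)       echo "reachable only from the VPC and its connected networks; public DNS resolves the endpoint to a private VPC IP" ;;
    *)                  echo "error: unknown mode '$1'" >&2; return 1 ;;
  esac
}

# eks_update_cmd CLUSTER REGION PUBLIC PRIVATE
# Validates the flag pair and prints the CLI command that would apply it.
# It deliberately does not execute the command, so the change can be reviewed.
eks_update_cmd() {
  eks_access_mode "$3" "$4" >/dev/null || return 1
  printf 'aws eks update-cluster-config --region %s --name %s --resources-vpc-config endpointPublicAccess=%s,endpointPrivateAccess=%s\n' \
    "$2" "$1" "$3" "$4"
}

# eks_current_flags CLUSTER REGION
# Reads the live flags with the AWS CLI (needs credentials; not run in the
# demo below) and prints them lowercase as "PUBLIC PRIVATE" on one line, in
# the form eks_access_mode expects.
eks_current_flags() {
  aws eks describe-cluster --region "$2" --name "$1" \
    --query 'cluster.resourcesVpcConfig.[endpointPublicAccess,endpointPrivateAccess]' \
    --output text | tr 'A-Z\t' 'a-z '
}

# Stand-alone demo over constructed flag pairs (no AWS call is made).
for pair in true:false true:true false:true; do
  pub=${pair%:*}
  priv=${pair#*:}
  mode=$(eks_access_mode "$pub" "$priv")
  echo "public=$pub private=$priv -> $mode: $(eks_describe_reach "$mode")"
done
eks_update_cmd dev us-east-1 true true
```

To act on a real cluster, run `eks_current_flags dev us-east-1`, feed the two values to `eks_access_mode` to confirm the current mode, and then execute the command printed by `eks_update_cmd` once it matches the change you intend; keeping the build and the execution separate avoids locking yourself out of a cluster by disabling public access before private connectivity is in place.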