How do I set up public and private access to the API server in Amazon EKS?
Last updated: 2020-06-12
I want to set up public and private access for the Kubernetes API server endpoint of my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
To set up public and private access for the Kubernetes API server endpoint, you must:
- Understand the default behavior of the Kubernetes API server
- Understand how private access to the Amazon EKS API endpoint works
- Modify endpoint access
- Understand how DNS resolution for the Amazon EKS API endpoint works
If you have issues with your Kubernetes API server endpoint, see How do I troubleshoot issues with the API server endpoint of my Amazon EKS cluster?
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
Understand the default behavior of the Kubernetes API server
When you create a new cluster, the following is true:
- Amazon EKS creates an endpoint for the managed Kubernetes API server that's used to communicate with your cluster.
- The API server endpoint is public to the internet.
- Access to the API server is secured with AWS Identity and Access Management (IAM) and native Kubernetes role-based access control (RBAC) (from the Kubernetes website).
Understand how private access to the Amazon EKS API endpoint works
To keep communication between your worker nodes and the API server within your Amazon Virtual Private Cloud (Amazon VPC), enable private access to the Amazon EKS API endpoint.
When you enable private access to the API endpoint for your cluster, the following is true:
- Amazon EKS creates an Amazon Route 53 private hosted zone on your behalf, and then associates that private hosted zone only with your cluster's VPC.
- The private hosted zone is managed by Amazon EKS, and the zone doesn't appear in your account's Route 53 resources.
A cluster that's configured to allow only private access can be reached only from the following:
- The VPC where the worker nodes reside
- Networks that are peered with the Amazon EKS cluster's VPC
- A network that's connected to the Amazon EKS cluster's VPC through AWS Direct Connect or a virtual private network (VPN)
Understand how DNS resolution for the Amazon EKS API endpoint works
If public = true and private = false, then the Amazon EKS API endpoint is reachable from anywhere on the internet. This is the default behavior of an Amazon EKS cluster. You can also restrict access to the public endpoint by using the AWS CLI.
If public = true and private = true, then the Amazon EKS API endpoint is accessible and resolvable over the internet and from within the networks connected to the VPC. The connected networks include DX, a VPN, or a VPC peering connection. If you access the endpoint from within the same VPC, then the endpoint resolves to an internal IP address. However, if you access the endpoint through a connected network such as DX, a VPN, or a VPC peering connection, then the API endpoint resolves to the public IP address.
If public = false and private = true, then all traffic to the API server of the Amazon EKS cluster must originate from within your VPC or its connected networks. The API server endpoint isn't accessible over the internet. The cluster's API server endpoint is resolved by public DNS servers to a private IP address from the VPC.
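The three cases above can be verified rather than assumed. The following added example (not part of the AWS article) encodes the resolution behavior the article describes for each vantage point and adds the check an operator runs after enabling private access: does the address that the endpoint hostname resolves to fall inside the cluster VPC's CIDR? The IP addresses and VPC CIDR below are constructed placeholders; in practice the address comes from a lookup of the cluster's endpoint hostname run from the vantage point in question.

```shell
#!/bin/sh
# Added example; not part of the AWS article. Models the endpoint access modes
# described in the text and checks a resolved address against the VPC CIDR.
# All IPs and CIDRs below are constructed placeholders.

# access_mode PUBLIC PRIVATE -> public-only | public-private | private-only | invalid
access_mode() {
  case "$1,$2" in
    true,false) echo public-only ;;
    true,true)  echo public-private ;;
    false,true) echo private-only ;;
    *)          echo invalid ;;        # EKS does not accept both flags set to false
  esac
}

# resolves_to MODE VANTAGE -> what the endpoint hostname resolves to from
# VANTAGE (vpc | connected | internet); "connected" is a network reached
# through DX, a VPN, or VPC peering, as described in the article.
resolves_to() {
  case "$1,$2" in
    public-only,*)         echo public ;;
    public-private,vpc)    echo private ;;
    public-private,*)      echo public ;;
    private-only,internet) echo private-unreachable ;;  # private IP returned, not routable
    private-only,*)        echo private ;;
    *)                     echo invalid ;;
  esac
}

# ip_to_int A.B.C.D -> 32-bit integer (subshell keeps the IFS change local)
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# ip_in_cidr IP NETWORK/BITS -> exit status 0 when IP lies inside the block
ip_in_cidr() {
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# verify_resolution PUBLIC PRIVATE VANTAGE IP VPC_CIDR -> ok | WARN ...
# IP is the address the endpoint hostname resolved to from VANTAGE.
verify_resolution() {
  mode=$(access_mode "$1" "$2")
  expected=$(resolves_to "$mode" "$3")
  case "$expected" in
    private|private-unreachable)
      if ip_in_cidr "$4" "$5"; then echo ok
      else echo "WARN: expected an address in $5 but got $4"; fi ;;
    public)
      if ip_in_cidr "$4" "$5"; then echo "WARN: expected a public address but got $4 (inside $5)"
      else echo ok; fi ;;
    *) echo "WARN: invalid endpoint configuration public=$1 private=$2" ;;
  esac
}

# Constructed walk-through: private access enabled, lookup done from a node in the VPC.
verify_resolution true true vpc 10.0.12.7 10.0.0.0/16
# Same cluster looked up from a peered VPC: the article says this returns the public address.
verify_resolution true true connected 203.0.113.10 10.0.0.0/16
```

A WARN from the first call usually means the lookup did not go through the VPC's resolver (for example, a node that points at an external DNS server), so node-to-control-plane traffic is leaving the VPC even though private access is enabled.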
Modify endpoint access
To enable private access on a cluster that currently has private API endpoint access disabled (that is, to set endpointPrivateAccess to true), run the following AWS CLI command:
aws eks update-cluster-config \
    --region region \
    --name dev \
    --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true
To disable public API access to the endpoint, set endpointPublicAccess to false.
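The following added example (not part of the AWS article) wraps the update-cluster-config call shown above so the change is validated before it is sent and confirmed after it completes. The region and cluster name are placeholders. The publicAccessCidrs key, `aws eks wait cluster-active`, and `aws eks describe-cluster` are real AWS CLI features that this page does not show; the CIDR value is a constructed documentation address.

```shell
#!/bin/sh
# Added example; not from the AWS article. Validates an endpoint-access change,
# builds the exact update-cluster-config arguments, and (when asked) applies the
# change and reads back the effective flags. Names below are placeholders.

# validate_access PUBLIC PRIVATE -> exit 0 if EKS accepts the combination
validate_access() {
  case "$1,$2" in
    true,true|true,false|false,true) return 0 ;;
    false,false)
      echo "error: at least one of endpointPublicAccess/endpointPrivateAccess must be true" >&2
      return 1 ;;
    *)
      echo "error: flags must be the literal strings true or false" >&2
      return 1 ;;
  esac
}

# build_vpc_config PUBLIC PRIVATE [CIDR] -> shorthand value for --resources-vpc-config
# CIDR (optional) narrows the public endpoint to one source block and is ignored
# when the public endpoint is disabled. For several blocks, pass the option as a
# JSON document instead of shorthand.
build_vpc_config() {
  validate_access "$1" "$2" || return 1
  cfg="endpointPublicAccess=$1,endpointPrivateAccess=$2"
  if [ "$1" = true ] && [ -n "${3:-}" ]; then
    cfg="$cfg,publicAccessCidrs=$3"
  fi
  echo "$cfg"
}

# build_update_command REGION NAME PUBLIC PRIVATE [CIDR] -> the full CLI command
build_update_command() {
  cfg=$(build_vpc_config "$3" "$4" "${5:-}") || return 1
  printf 'aws eks update-cluster-config --region %s --name %s --resources-vpc-config %s\n' \
    "$1" "$2" "$cfg"
}

# apply_update REGION NAME PUBLIC PRIVATE [CIDR]: run the change, wait for the
# cluster to return to ACTIVE, then print the effective flags. Only runs when
# called explicitly; needs the AWS CLI and credentials for the target account.
apply_update() {
  cfg=$(build_vpc_config "$3" "$4" "${5:-}") || return 1
  aws eks update-cluster-config --region "$1" --name "$2" --resources-vpc-config "$cfg" || return 1
  aws eks wait cluster-active --region "$1" --name "$2"
  aws eks describe-cluster --region "$1" --name "$2" \
    --query 'cluster.resourcesVpcConfig.[endpointPublicAccess,endpointPrivateAccess,publicAccessCidrs]' \
    --output text
}

# Dry run with placeholder values; no AWS call is made here.
build_update_command "${REGION:-us-east-1}" "${CLUSTER:-dev}" true true
build_update_command "${REGION:-us-east-1}" "${CLUSTER:-dev}" true true 203.0.113.0/24
```

The validation step exists because the API rejects a cluster with both endpoints disabled; catching that locally is faster than waiting for the update to fail. The read-back after `wait cluster-active` is what confirms the flags actually took effect, since the update runs asynchronously.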