
How do I securely access the Amazon EKS cluster API server endpoint from within a VPC or peered VPC?

Reading time: 4 minutes

I want to securely access the Amazon Elastic Kubernetes Service (Amazon EKS) cluster API server endpoint from within an Amazon Virtual Private Cloud (Amazon VPC) or peered VPC.

Short description

When you create a new Amazon EKS cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server. By default, the API server endpoint is public to the internet. Amazon EKS uses a combination of AWS Identity and Access Management (IAM) and native Kubernetes role-based access control (RBAC) to secure access to the API server. For more information, see Using RBAC authorization on the Kubernetes website.

To securely access your Amazon EKS cluster from within a VPC or peered VPC, you must configure a private endpoint. For more information about security best practices, see Best practices for security.

Resolution

Turn on private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely turn off internet access to the API server.

When you turn on the endpoint private access, the Amazon EKS cluster behaves as follows:

  • All traffic to your cluster API server comes from within your cluster's VPC or a connected network.
  • Your API server can't be reached from the public internet, so any kubectl commands must run from within the VPC or a connected network. For connectivity options, see Accessing a private only API server.
  • Public DNS servers resolve the cluster's API server endpoint to a private IP address from the VPC.

If your endpoint doesn't resolve to a private IP address within the VPC for an existing cluster, then take one of the following actions:

  • Turn on public access, and then turn it off again. You only need to do this once for a cluster for the endpoint to resolve to a private IP address.
  • Update your cluster.

When you turn off public access for your cluster's Kubernetes API server endpoint, you can only access the API server from within your VPC or a connected network. You can access the Kubernetes API server endpoint in either of the following ways:

  • Connect your network to the VPC with a transit gateway or other connectivity option, and then use a computer in the connected network. Make sure that your Amazon EKS control plane security group contains rules that allow ingress traffic on port 443 from your connected network.
  • Launch an Amazon Elastic Compute Cloud (Amazon EC2) instance into a public subnet in your cluster's VPC. Then, use SSH to sign in to that instance to run kubectl commands. For more information, see Access a bastion host by using Session Manager and Amazon EC2 Instance Connect.

Use the AWS Management Console to modify your cluster API server endpoint access

  1. Open the Amazon EKS console.
  2. Select the name of the cluster to display your cluster information.
  3. Open the Networking tab, and then choose Update.
  4. Choose whether to turn on or off private access for your cluster's Kubernetes API server endpoint. If you turn on private access, then Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint. To turn off public access, you must first turn on private access.
  5. Choose whether to turn on or off public access for your cluster's Kubernetes API server endpoint. If you turn off public access, then your cluster's Kubernetes API server can only receive requests from within the cluster VPC.
  6. Choose Update.

Use the AWS CLI to modify your cluster API server endpoint access

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To turn off endpoint public access and turn on private endpoint access for a cluster, run the following command:

aws eks update-cluster-config --name example \
--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

Note: Replace example with the name of your cluster.

Example output:

{
    "update": {
        "id": "ec883c93-2e9e-407c-a22f-8f6fa6e67d4f",
        "status": "InProgress",
        "type": "EndpointAccessUpdate",
        "params": [
            {
                "type": "EndpointPublicAccess",
                "value": "false"
            },
            {
                "type": "EndpointPrivateAccess",
                "value": "true"
            }
        ],
        "createdAt": 1565806986.506,
        "errors": []
    }
}

If you turn on private access, then Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for the parameter is false, which turns off private access for your Kubernetes API server. For more information, see update-cluster-config.
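The following script is an added example and is not part of this article or of the AWS CLI. It audits the result of the console or CLI procedure above: it reads the JSON that aws eks describe-cluster returns, reports whether the endpoint is still public (and whether public access is unrestricted), checks that the endpoint hostname resolves to addresses inside the VPC CIDR, and checks that the control plane security group admits TCP/443 from a connected network's CIDR. The two describe-cluster documents, the VPC CIDR 10.0.0.0/16, the resolved addresses and the security group rules are all constructed sample data; the field names (resourcesVpcConfig.endpointPublicAccess, endpointPrivateAccess, publicAccessCidrs, and the IpPermissions shape of describe-security-groups) follow the real API response formats.

```python
"""Audit an Amazon EKS API server endpoint from describe-cluster output.

Added example (not AWS code). Sample documents below are constructed;
in practice feed it `aws eks describe-cluster --name example --output json`.
"""
import ipaddress
import json

# Constructed: a cluster before the update, public and unrestricted.
SAMPLE_BEFORE = json.dumps({
    "cluster": {
        "name": "example",
        "endpoint": "https://EXAMPLE0123456789.gr7.us-east-1.eks.amazonaws.com",
        "resourcesVpcConfig": {
            "vpcId": "vpc-0example",
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
})

# Constructed: the same cluster after endpointPublicAccess=false,
# endpointPrivateAccess=true has been applied.
SAMPLE_AFTER = json.dumps({
    "cluster": {
        "name": "example",
        "endpoint": "https://EXAMPLE0123456789.gr7.us-east-1.eks.amazonaws.com",
        "resourcesVpcConfig": {
            "vpcId": "vpc-0example",
            "endpointPublicAccess": False,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": [],
        },
    }
})


def audit_endpoint_access(describe_cluster_json: str) -> list:
    """Return findings about endpoint exposure; empty means private-only."""
    cfg = json.loads(describe_cluster_json)["cluster"]["resourcesVpcConfig"]
    findings = []
    if not cfg.get("endpointPrivateAccess", False):
        findings.append("private access is off: in-VPC API traffic does not stay in the VPC")
    if cfg.get("endpointPublicAccess", True):
        cidrs = cfg.get("publicAccessCidrs", [])
        if "0.0.0.0/0" in cidrs:
            findings.append("public access is on and unrestricted (0.0.0.0/0)")
        else:
            findings.append("public access is on, limited to " + ", ".join(cidrs))
    return findings


def resolves_inside_vpc(resolved_ips: list, vpc_cidr: str) -> bool:
    """True when every address the endpoint name resolved to is in the VPC CIDR.

    Pass the A records you get for the endpoint hostname; with private access
    on, they should all fall inside the cluster VPC."""
    net = ipaddress.ip_network(vpc_cidr)
    return all(ipaddress.ip_address(ip) in net for ip in resolved_ips)


def allows_api_ingress(sg_rules: list, source_cidr: str) -> bool:
    """True when some ingress rule admits TCP/443 from the whole source CIDR.

    `sg_rules` is a list shaped like IpPermissions entries from
    describe-security-groups: IpProtocol, FromPort, ToPort, IpRanges=[{CidrIp}].
    IpProtocol "-1" (all traffic) carries no port fields."""
    wanted = ipaddress.ip_network(source_cidr)
    for rule in sg_rules:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)):
            continue
        for ip_range in rule.get("IpRanges", []):
            if wanted.subnet_of(ipaddress.ip_network(ip_range["CidrIp"])):
                return True
    return False


if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_endpoint_access(doc) or ["private-only, no findings"])
    # Constructed lookup result and VPC CIDR for the DNS check.
    print("resolves in VPC:", resolves_inside_vpc(["10.0.1.10", "10.0.2.20"], "10.0.0.0/16"))
```

Run it after the update finishes (the update status moves from InProgress to Successful); an empty findings list together with in-VPC resolution is the state this article describes. If the hostname still resolves to public addresses on an existing cluster, apply the turn-on, turn-off step from the Resolution section and re-run the lookup.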

AWS OFFICIAL. Updated 2 months ago.