How do I lock down API access to specific IP addresses in my Amazon EKS cluster?


I want to lock down API access to specific IP addresses in my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.

Resolution

You can lock down access to two types of Amazon EKS API server access endpoints:

  • Public access endpoints: Access to the API server is open to the public by default. You can lock down access to specific CIDR blocks and IP addresses.
  • Private access endpoints: The API server can be accessed from within an Amazon Virtual Private Cloud (Amazon VPC) only. To further lock down access to specific Amazon VPC CIDR blocks, use cluster security groups.

Lock down API public access endpoints

Complete the following steps:

  1. Open the Amazon EKS console.
  2. In the navigation pane, choose Clusters, and then select your cluster.
  3. In the Networking section, choose Manage Endpoint Access.
  4. Expand Advanced Settings.
    Note: The Advanced Settings options only show when you activate public access.
  5. Enter a CIDR block that you want to allow access from.
    Note: You can summarize an IP address range from 54.240.193.129 to 54.240.193.190 as 54.240.193.129/26. To allow a single IP address, use /32 notation (for example, 54.240.193.130/32). These CIDR blocks can't include reserved addresses.
  6. (Optional) To enter additional blocks, choose Add Source.
  7. Choose Save changes.

Note: If you don't specify CIDR blocks, then the public API server endpoint receives requests from all (0.0.0.0/0) IP addresses.

It's a best practice to activate private endpoint access so that worker nodes and AWS Fargate pods communicate with the cluster through the private endpoint.

Without the private endpoint activated, the CIDR sources allowed on your public access endpoint must include the egress sources of your Amazon VPC. For example, if a worker node in a private subnet reaches the internet through a NAT gateway, you must add the public IP address of that NAT gateway to a CIDR block that's allowed on your public endpoint.

Lock down API private access endpoints

Complete the following steps:

  1. Open the Amazon EKS console.
  2. In the navigation pane, choose Clusters, and then select your cluster.
  3. In the Networking section, note the name of the cluster security group and any additional security groups.
  4. Add ingress rules to one of the security groups that you noted in step 3.
    Note: For your ingress rule, set the protocol to TCP, set the port to 443, and set the source to the IP address range from which you allow access.
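The two procedures above (allow-listing the public endpoint and adding the TCP 443 ingress rule for the private endpoint) can also be applied with the AWS CLI. The following is an added example, not part of the original article: it checks a candidate allow-list before use (rejects 0.0.0.0/0, normalizes CIDRs with host bits set, warns on non-public ranges), computes the exact block list for an address range, and builds the `aws eks update-cluster-config` and `aws ec2 authorize-security-group-ingress` calls. The cluster name and security group ID are constructed placeholders; the "reserved address" check is an assumption implemented as a warning on non-global ranges.

```python
import ipaddress
import shlex


def range_to_cidrs(first, last):
    """Exact list of CIDR blocks covering first..last inclusive (no over-reach)."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def normalize_public_cidrs(cidrs):
    """Validate a public-endpoint allow-list. Returns (normalized_cidrs, warnings)."""
    normalized, warnings = [], []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)  # tolerate host bits, then report them
        if net.prefixlen == 0:
            raise ValueError(f"{c} would leave the public endpoint open to every address")
        if ipaddress.ip_interface(c).ip != net.network_address:
            warnings.append(f"{c} has host bits set; using network {net}")
        if not net.is_global:  # assumption: reserved/private ranges are not valid public sources
            warnings.append(f"{net} is not a public range; only public egress addresses reach the public endpoint")
        normalized.append(str(net))
    return normalized, warnings


def update_cluster_config_cmd(cluster, public_cidrs, private_access=True):
    """CLI call that applies the allow-list; private access is kept on (the best practice above)."""
    cidrs, _ = normalize_public_cidrs(public_cidrs)
    vpc_cfg = ",".join([
        "endpointPublicAccess=true",
        f"endpointPrivateAccess={'true' if private_access else 'false'}",
        "publicAccessCidrs=" + ",".join(cidrs),
    ])
    return ["aws", "eks", "update-cluster-config", "--name", cluster,
            "--resources-vpc-config", vpc_cfg]


def authorize_private_ingress_cmd(security_group_id, source_cidr):
    """Ingress rule for the private endpoint: TCP 443 from one source CIDR (strict form required)."""
    net = ipaddress.ip_network(source_cidr)  # strict=True rejects host bits in a firewall rule
    return ["aws", "ec2", "authorize-security-group-ingress", "--group-id", security_group_id,
            "--protocol", "tcp", "--port", "443", "--cidr", str(net)]


if __name__ == "__main__":
    # Constructed placeholders: cluster name and security group ID are not from the article.
    print(range_to_cidrs("54.240.193.129", "54.240.193.190"))
    print(normalize_public_cidrs(["54.240.193.129/26", "54.240.193.130/32"]))
    print(shlex.join(update_cluster_config_cmd("my-cluster", ["54.240.193.130/32"])))
    print(shlex.join(authorize_private_ingress_cmd("sg-0123456789abcdef0", "10.0.0.0/16")))
```

Review the warnings before running the printed commands: a normalized /26 covers the whole 64-address network, which is wider than the range the note summarizes.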

Related information

Modifying cluster endpoint access

AWS OFFICIAL
Updated 2 months ago