How does the EKS control plane communicate with worker nodes?
Hello Everyone, I am new to EKS. I was going through the docs; they say that during EKS creation it creates an ENI in the subnet which we mentioned. In the docs I went through the types of cluster endpoint access mentioned, i.e. Public and Private. The docs also mention that we can launch worker nodes in subnets different from the ones mentioned during EKS creation. When the node group is created, I don't see the ENIs that are created being attached to EC2. Then how is the communication taking place? I am not able to understand this. What is the use of the ENI if it is not attached to any EC2? If anyone could please explain, it would be really helpful.
Hello,
When you create a cluster, EKS creates the control plane components in an Amazon-owned VPC, and EKS Managed ENIs in your VPC. The subnets you specify while creating the cluster decide where the EKS Managed ENIs are created.
When you choose to use Public access for your API server endpoint, the EKS service creates a public endpoint for your API server, and therefore your EC2 worker nodes will communicate with your control plane using the public endpoint. However, some of the pods running in your cluster (e.g. pods in the kube-system namespace) will need to talk to the API server. They will do so by connecting to the IP addresses of the above-mentioned EKS Managed ENIs, which are configured as endpoints for the "kubernetes" service in the default namespace (kubectl get endpoints -n default).
When you choose to use Private access for your API server endpoint, EKS creates a Route 53 private hosted zone on your behalf, associates it with your cluster's VPC, and adds the private IP addresses of the EKS Managed ENIs to it. Your EC2 worker nodes will use this private DNS to communicate with the API server.
For more info about control-plane to worker-node communication, please refer to https://aws.amazon.com/blogs/containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes/
Yes, that is correct. The public endpoint will be used by end users for running kubectl commands from outside the VPC, and the private endpoint will be used by EC2 worker nodes from within the VPC when you use Public and Private access.
When Public and Private endpoint access is being used, EKS creates a Route 53 private hosted zone and associates it with your VPC, but this Route 53 entry is not visible to you in your account as it is managed by EKS.
When Public and Private endpoint access is being used, if you log in to your EC2 worker node and run nslookup <APIServerEndpoint>, you can see that it returns the private IP addresses of your EKS Managed ENIs. However, if you do the same nslookup <APIServerEndpoint> from anywhere outside of your VPC, you will see that it returns the public IP addresses of the public endpoint. I hope that clarifies your question. Please let me know if you need more clarification.
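As an added illustration (not part of the original posts, and not AWS code), here is a small POSIX sh script that turns the two checks described in the answers above into something you can run on a worker node: it classifies the addresses that nslookup returns for the API server endpoint as private (EKS managed ENI IPs, i.e. the in-VPC path) or public, and it verifies that every address behind the "kubernetes" service in the default namespace is an RFC 1918 address. The endpoint hostname, resolver and IP addresses in the sample output are constructed placeholders; the only assumption beyond the thread is that nslookup prints its answer section as "Name:" / "Address:" pairs after the resolver header.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from AWS).
# Classifies what the EKS API server endpoint resolves to, so you can tell
# whether a host is on the in-VPC path (EKS managed ENI private IPs) or on
# the public path. Hostnames and addresses below are constructed placeholders.

# is_private_ip A.B.C.D : succeeds if the address lies in an RFC 1918 block
is_private_ip() {
  ip=$1
  o1=${ip%%.*}
  rest=${ip#*.}
  o2=${rest%%.*}
  case "$o1" in
    10)  return 0 ;;
    172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
    192) [ "$o2" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# classify_answers : reads nslookup output on stdin and prints
# "private", "public", "mixed" or "none" for the answer-section addresses.
# The resolver's own "Server:/Address:" header comes before the first
# "Name:" line and is skipped.
classify_answers() {
  priv=0; pub=0; seen_name=0
  while IFS= read -r line; do
    case "$line" in
      Name:*) seen_name=1 ;;
      Address*)
        [ "$seen_name" -eq 1 ] || continue
        set -- $line            # word-split the line: $2 is the address
        addr=${2%%#*}           # drop a "#53" port suffix if present
        if is_private_ip "$addr"; then priv=$((priv + 1)); else pub=$((pub + 1)); fi
        ;;
    esac
  done
  if [ "$priv" -gt 0 ] && [ "$pub" -gt 0 ]; then echo mixed
  elif [ "$priv" -gt 0 ]; then echo private
  elif [ "$pub" -gt 0 ]; then echo public
  else echo none
  fi
}

# endpoints_all_private LIST : LIST is the ENDPOINTS column of
# `kubectl get endpoints kubernetes -n default`, e.g. "10.0.1.2:443,10.0.3.4:443".
# Succeeds only if every address is an RFC 1918 address (an EKS managed ENI
# in your VPC rather than a public address).
endpoints_all_private() {
  old_ifs=$IFS; IFS=,
  set -- $1
  IFS=$old_ifs
  for ep in "$@"; do
    is_private_ip "${ep%%:*}" || return 1
  done
  return 0
}

# Constructed nslookup output as seen from an EC2 worker node inside the VPC
# with Public and Private access: the answers are the managed ENI private IPs.
sample_in_vpc() {
  cat <<'EOF'
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
Name:   EXAMPLE-ENDPOINT.eks.amazonaws.com
Address: 10.0.12.34
Name:   EXAMPLE-ENDPOINT.eks.amazonaws.com
Address: 10.0.45.67
EOF
}

# Constructed nslookup output as seen from outside the VPC: public IPs.
sample_outside() {
  cat <<'EOF'
Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
Name:   EXAMPLE-ENDPOINT.eks.amazonaws.com
Address: 203.0.113.10
Name:   EXAMPLE-ENDPOINT.eks.amazonaws.com
Address: 203.0.113.11
EOF
}

# Live check (needs DNS access): check_endpoint <APIServerEndpoint hostname>
check_endpoint() {
  nslookup "$1" | classify_answers
}

echo "from inside the VPC:  $(sample_in_vpc | classify_answers)"
echo "from outside the VPC: $(sample_outside | classify_answers)"
```

On a real node you would run check_endpoint with the hostname from the cluster's API server endpoint URL (without the https:// prefix) and expect "private"; from a laptop outside the VPC the same call should print "public". A result of "mixed" or "public" on a worker node with Public and Private access enabled is the thing worth investigating, since it means the node is not using the EKS managed private DNS.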
Thank you Venkat for the detailed explanation. I appreciate your efforts. Just one question: do EKS Managed ENIs need to go into public subnets or private? Does it have any effect if placed in either public or private?
EKS Managed ENIs go into the subnets that you choose while creating the cluster. They can be either public subnets or private subnets.
Hello Venkat, thank you for the explanation. I also went through the docs link you shared above. So when we choose Public and Private endpoint access for our API server endpoint, it says Kubernetes API requests from within the VPC communicate to the control plane via the EKS-managed ENIs within your VPC. But when I use the public and private endpoint option, I don't see it create a Route 53 private hosted zone. So does it mean worker nodes would use the private endpoint to communicate with the control plane, i.e. via the ENIs that are created? And the public endpoint can be used by end users to run kubectl commands?