How does the EKS control plane communicate with worker nodes?

0

Hello everyone, I am new to EKS. I was going through the docs; they say that during EKS creation it creates an ENI in the subnets we mentioned. In the docs I went through the types of cluster endpoint access mentioned, i.e. public and private. The docs also mention that we can launch worker nodes in subnets different from the ones mentioned during EKS creation. When the node group is created, I don't see the ENIs that are created attached to any EC2 instance. Then how is the communication taking place? I am not able to understand this. What is the use of an ENI if it is not attached to any EC2 instance? If anyone could please explain, it would be really helpful.

asked 2 years ago · 3691 views
2 Answers
2

Hello,

When you create a cluster, EKS creates the control plane components in an Amazon-owned VPC, and EKS-managed ENIs in your VPC. The subnets you specify while creating the cluster decide where the EKS-managed ENIs are created.

When you choose to use public access for your API server endpoint, the EKS service creates a public endpoint for your API server, and therefore your EC2 worker nodes will communicate with your control plane using the public endpoint. However, some of the pods running in your cluster (e.g. pods in the kube-system namespace) will need to talk to the API server. They will do so by connecting to the IP addresses of the above-mentioned EKS-managed ENIs, which are configured as endpoints for the "kubernetes" service in the default namespace (kubectl get endpoints -n default).

When you choose to use private access for your API server endpoint, EKS creates a Route 53 private hosted zone on your behalf, associates it with your cluster's VPC, and adds the private IP addresses of the EKS-managed ENIs to it. Your EC2 worker nodes will use this private DNS to communicate with the API server.

For more info about control-plane to worker-node communication, please refer to https://aws.amazon.com/blogs/containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes/

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Hello Venkat, thank you for the explanation. I also went through the docs link you shared. So when we choose public and private endpoint access for our API server endpoint, it says Kubernetes API requests from within the VPC communicate to the control plane via the EKS-managed ENIs within your VPC. But when I use the public and private endpoint option, I don't see it create a Route 53 private hosted zone. So does it mean worker nodes would use the private endpoint to communicate with the control plane, i.e. via the ENIs that are created? And the public endpoint can be used by end users for performing kubectl commands?

  • Yes, that is correct. The public endpoint will be used by end users for performing kubectl commands from outside the VPC, and the private endpoint will be used by EC2 worker nodes from within the VPC when you use public and private access.

    When public and private endpoint access is being used, EKS creates a Route 53 private hosted zone and associates it with your VPC, but this Route 53 entry is not visible to you in your account as it is managed by EKS.

  • When public and private endpoint access is being used, if you log in to your EC2 worker node and run nslookup <APIServerEndpoint>, you can see that it returns the private IP addresses of your EKS-managed ENIs. However, if you do the same nslookup <APIServerEndpoint> from anywhere outside of your VPC, you will see that it returns the public IP addresses of the public endpoint.

    I hope that clarifies your question. Please let me know if you need more clarification.
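As an added example (not part of the answer above), the following script turns the nslookup check described in the comments into a repeatable test: it parses nslookup output for the API server endpoint and reports whether the name resolved to addresses inside the VPC CIDR (the EKS-managed ENIs) or to public addresses. The endpoint name, the resolved IPs and the VPC CIDR are constructed placeholders, not real cluster values.

```python
import ipaddress
import re

# Constructed nslookup output as seen from an EC2 worker node inside the VPC.
# Cluster endpoint name and addresses are placeholders, not real values.
LOOKUP_FROM_NODE = """\
Server:         10.0.0.2
Address:        10.0.0.2#53
Non-authoritative answer:
Name:   EXAMPLE0123456789.gr7.us-east-1.eks.amazonaws.com
Address: 10.0.1.47
Name:   EXAMPLE0123456789.gr7.us-east-1.eks.amazonaws.com
Address: 10.0.2.113
"""

# Constructed output for the same name resolved from outside the VPC.
LOOKUP_FROM_OUTSIDE = """\
Server:         192.168.1.1
Address:        192.168.1.1#53
Non-authoritative answer:
Name:   EXAMPLE0123456789.gr7.us-east-1.eks.amazonaws.com
Address: 203.0.113.10
"""

VPC_CIDRS = ["10.0.0.0/16"]  # assumed CIDR(s) of the cluster VPC


def answer_addresses(nslookup_output):
    """Return the IPs from the answer section, skipping the resolver's own
    'Address: x.x.x.x#53' line (the '#port' suffix fails the regex)."""
    ips, in_answer = [], False
    for line in nslookup_output.splitlines():
        if line.startswith(("Non-authoritative answer", "Name:")):
            in_answer = True
        m = re.match(r"Address:\s*([0-9a-fA-F.:]+)$", line)
        if in_answer and m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def classify_endpoint(nslookup_output, vpc_cidrs):
    """'private' if every resolved IP lies inside the VPC CIDRs (EKS-managed ENIs),
    'public' if none does, 'mixed' otherwise; returns (label, ips)."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    ips = answer_addresses(nslookup_output)
    inside = sum(any(ip in n for n in nets) for ip in ips)
    if not ips:
        return "unresolved", ips
    label = "private" if inside == len(ips) else "public" if inside == 0 else "mixed"
    return label, ips
```

On a real node, feed it the output of nslookup against your cluster's endpoint and your VPC CIDRs; with public and private access enabled, a worker node inside the VPC should get "private", and the same check from outside the VPC should get "public".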

0

Thank you Venkat for the detailed explanation. I appreciate your efforts. Just one question: do EKS-managed ENIs need to go into public subnets or private ones? Does it have any effect if they are placed in either public or private subnets?

answered 2 years ago
  • EKS-managed ENIs go into the subnets that you choose while creating the cluster. They can be either public subnets or private subnets.
