By using AWS re:Post, you agree to the Terms of Use
/How EKS Control Plane is communicate with worker node/

How EKS Control Plane is communicate with worker node

0

Hello Everyone, I am new to EKS.I am was going through the docs,it say that when during eks creation it create a ENI in the subnet which we mentioned.In the docs i went through the Type of Cluster Endpoint Access mentioned ie Public and Private.In docs it also mentioned the we can launch Worker Nodes in the subnets which are different than the one mentioned during EKS Creation. When the node group is created,I dont see the ENI that are created are attached to EC2. Then how the communication is taking place.I am not able to understand this. What is use of ENI if not being attached to any EC2. If anyone could please explain it would be really helpful

2 Answers
1

Hello,

When you create a cluster, EKS creates the control plane components in Amazon owned VPC, and EKS Managed ENIs in your VPC. The subnets you specify while creating the cluster decides where the EKS Managed ENIs are created.

When you choose to use Public access for your API server endpoint, EKS service creates a public endpoint for your API server, and therefore your EC2 worker nodes will communicate with your control plane using the Public endpoint. However, some of the pods running in your cluster (e.g. pods in kube-system namespace) will need to talk to the API server. They will do so by connecting to the IP addresses of the above mentioned EKS Managed ENIs that are configured as endpoints for the "kubernetes" service in the default namespace (kubectl get endpoints -n default).

When you choose to use Private access for your API server endpoint, EKS creates a Route 53 private hosted zone on your behalf and associates it with your cluster's VPC and adds the Private IP addresses of the EKS Managed ENIs to it. Your EC2 worker nodes will use this private DNS to communicate with the API server.

For more info about control-plane to worker-node communication, please refer https://aws.amazon.com/blogs/containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes/

SUPPORT ENGINEER
answered 5 months ago
  • Hello Venkat Thank you for the explanation. Even i went through the above docs link with you shared. So when we choose Public and Private endpoints access for our API Server Endpoint.It says Kubernetes API requests from within the VPC communicate to the control plane via the EKS-managed ENIs within your VPC. Because when i use public and private endpoint option.I don't see it create a route53 private hosted zone. So does it mean worker nodes would use private endpoint to communicate with Control Plane ie via ENI that are created? And Public endpoint can be used by enduser to performing kubectl commands?

  • Yes, that is correct. Public endpoint will be used by end-users for performing kubectl commands from outside the VPC, and private endpoint will be used by EC2 worker nodes from within the VPC when you use Public and Private access.

    When Public and Private endpoint access is being used, EKS creates a route53 private hosted zone and associates it with your VPC, but this Route53 entry is not visible to you on your account as this is managed by EKS.

  • When Public and Private endpoint access is being used, if you login to your EC2 worker node and run nslookup <APIServerEndpoint>, you can see that it returns private IP addresses of your EKS Managed ENIs. However, if you do the same nslookup <APIServerEndpoint> from anywhere outside of your VPC, you will see that it returns Public IP addresses of the Public endpoint.

    I hope that clarifies your question. Please let me know if you need more clarification.

0

Thank you venkat for the detailed explanation.Appreciate your efforts. Just one question,Do EKS managed ENI need to go into public subnets or private.Does it have any effect if placed either in public or private?

answered 5 months ago
  • EKS Managed ENIs go into the subnets that you choose while creating the cluster. They can be either public subnets or private subnets.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions