Elastic Kubernetes Service


Hi AWS, I have a question:

A company is running a microservices application on Amazon EC2 instances. The company wants to migrate the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for scalability. The company must configure the Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance. The company must also put the data plane in private subnets. However, the company has received error notifications because the node cannot join the cluster.

Which solution will allow the node to join the cluster?

  A. Grant the required permission in AWS Identity and Access Management (IAM) to the AmazonEKSNodeRole IAM role.
  B. Create interface VPC endpoints to allow nodes to access the control plane.
  C. Recreate nodes in the public subnet. Restrict security groups for EC2 nodes.
  D. Allow outbound traffic in the security group of the nodes.

As per the survey, 59% of the votes are for option (B) and the remaining 41% are for option (A).

I also prefer option (A) because the control plane and data plane nodes are in the same VPC and the data plane nodes don't need any interface VPC endpoints, but they definitely need to have an IAM role with the correct permissions.

Amazon EKS node IAM role

Nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched. This requirement applies to nodes launched with the Amazon EKS optimized AMI provided by Amazon, or with any other node AMIs that you intend to use.

Link: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html

Please suggest

1 Answer

Let's immediately remove C and D, as those are clearly not the answer, which of course you're not considering anyway, but I digress.

This question is one of security and access. Although your immediate thought would be to go for an IAM policy, and it would be good to check your policies, if I were sitting the test I would look at the keywords. Endpoint access is limited to private subnets and denied to any public-facing pings. This tells me I'm probably looking at a network-based question, not an identity permission one. That doesn't mean we can remove the IAM piece entirely, but I'd be leaning towards B because of that.

Let's look at the documentation next. This blog answers our question: you must have an interface endpoint for communication between nodes and other services. More details can be found in the EKS documentation: "Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require."

Finally, IAM permissions are important here. Here's the documentation around IAM roles, which states the three roles needed to communicate between the data plane and the control plane. If we go to the automatically created EKS role, AmazonEKSNodeRole, we can see that those three are included. Thus I can safely say that B is truly the answer.

This is an example of a question that challenges you to determine what the question is actually asking unless you happen to be an expert on EKS, namely is it networking, or identity? Look for keywords to help you determine what the question is leading you towards. Good luck with your studies!

AWS
answered 10 months ago
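The answer above boils down to a pre-flight checklist with two halves: the network half (are the endpoints the private nodes need actually in the VPC, and do they resolve privately?) and the identity half (does the node role carry the managed policies EKS expects?). The script below is an added example for this thread, not code from the question asker, the answerer or AWS. It evaluates the JSON returned by `aws eks describe-cluster`, `aws ec2 describe-vpc-endpoints` and `aws iam list-attached-role-policies`; the sample documents, region, VPC ID and endpoint IDs are constructed so it runs offline, and the list of required services (ec2, ecr.api, ecr.dkr interface endpoints plus an s3 gateway endpoint) is taken from the EKS private cluster requirements.

```python
"""Pre-flight check for worker nodes joining a fully private EKS cluster.

Example code added to this thread, not from the original question or answer.
It evaluates the JSON returned by these AWS CLI calls (sample documents are
constructed inline so the script runs offline):
    aws eks describe-cluster --name <cluster>
    aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id>
    aws iam list-attached-role-policies --role-name <node-role>
"""

# Endpoints a private-only cluster needs so nodes can pull images and call
# EC2, per the EKS private cluster requirements. S3 is a gateway endpoint.
REQUIRED_INTERFACE_SERVICES = ("ec2", "ecr.api", "ecr.dkr")
REQUIRED_GATEWAY_SERVICES = ("s3",)

# Managed policies the EKS node IAM role is expected to carry.
REQUIRED_NODE_POLICIES = (
    "AmazonEKSWorkerNodePolicy",
    "AmazonEKS_CNI_Policy",
    "AmazonEC2ContainerRegistryReadOnly",
)


def endpoint_access_findings(cluster_doc):
    """Findings about the control-plane endpoint flags (empty list = compliant)."""
    cfg = cluster_doc["cluster"]["resourcesVpcConfig"]
    findings = []
    if not cfg.get("endpointPrivateAccess", False):
        findings.append("endpointPrivateAccess=false: nodes in private "
                        "subnets cannot reach the API server")
    if cfg.get("endpointPublicAccess", True):
        findings.append("endpointPublicAccess=true: violates the "
                        "private-only requirement")
    return findings


def missing_vpc_endpoints(endpoints_doc, region):
    """Required service endpoints the VPC lacks, or has without private DNS.

    Without PrivateDnsEnabled the nodes resolve ecr.api etc. to public IPs,
    which a private subnet with no NAT gateway cannot reach.
    """
    available = {
        ep["ServiceName"]: ep
        for ep in endpoints_doc["VpcEndpoints"]
        if ep.get("State") == "available"
    }
    missing = []
    for svc in REQUIRED_INTERFACE_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        ep = available.get(name)
        if ep is None or ep.get("VpcEndpointType") != "Interface":
            missing.append(name)
        elif not ep.get("PrivateDnsEnabled", False):
            missing.append(f"{name} (PrivateDnsEnabled=false)")
    for svc in REQUIRED_GATEWAY_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        ep = available.get(name)
        if ep is None or ep.get("VpcEndpointType") != "Gateway":
            missing.append(name)
    return missing


def missing_node_policies(policies_doc):
    """Required managed policies not attached to the node role."""
    attached = {p["PolicyName"] for p in policies_doc["AttachedPolicies"]}
    return [p for p in REQUIRED_NODE_POLICIES if p not in attached]


def run_checks(cluster_doc, endpoints_doc, policies_doc, region):
    """Aggregate all findings into one report dict."""
    return {
        "endpoint_access": endpoint_access_findings(cluster_doc),
        "missing_vpc_endpoints": missing_vpc_endpoints(endpoints_doc, region),
        "missing_node_policies": missing_node_policies(policies_doc),
    }


# --- Constructed sample documents (not real account data) -------------------
SAMPLE_REGION = "us-east-1"
SAMPLE_CLUSTER = {"cluster": {"name": "example-cluster", "resourcesVpcConfig": {
    "vpcId": "vpc-0123456789abcdef0",
    "endpointPrivateAccess": True,
    "endpointPublicAccess": False,
}}}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.ec2", "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api", "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3"},
    # ecr.dkr is deliberately absent: kubelet cannot pull images, so the
    # node never registers, even though the IAM role below is complete.
]}
SAMPLE_POLICIES = {"AttachedPolicies": [
    {"PolicyName": n, "PolicyArn": f"arn:aws:iam::aws:policy/{n}"}
    for n in REQUIRED_NODE_POLICIES
]}

if __name__ == "__main__":
    report = run_checks(SAMPLE_CLUSTER, SAMPLE_ENDPOINTS, SAMPLE_POLICIES, SAMPLE_REGION)
    for check, problems in report.items():
        print(f"{check}: {'OK' if not problems else problems}")
```

Run against the constructed sample, the IAM check passes while the network check reports ecr.api without private DNS and ecr.dkr missing, which is exactly the situation the thread describes: a correct AmazonEKSNodeRole and a node that still cannot join. To use it on a real account, pipe the three CLI outputs into `json.load` and pass them to `run_checks`. The interface endpoints' private DNS names only resolve if the VPC also has `enableDnsSupport` and `enableDnsHostnames` set, which this script does not check.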
