Amazon EKS service IP addresses

3

Hi, where can we find the IPs of the Amazon EKS service? I want to correctly identify a CloudTrail event with the name GetCallerIdentity that is made by EKS. The EKS docs specify the existence of such an event, but in the AWS IP ranges there is no EKS service. Instead the IP is in the AMAZON and EC2 CIDRs like any other EC2 IP.

Thank you!

2 Answers
0

The EKS cluster control plane IP addresses will vary depending on the configuration of the VPC and subnets where the EKS cluster is configured. The cluster will configure one ENI in each selected subnet, consuming one IP address from the subnet's configured CIDR block. You can view these ENIs from the AWS Management Console, in the EC2 Dashboard, under the Network interfaces section. Keep in mind that these IP addresses may change due to cluster upgrades.

AWS
answered 2 years ago
  • I'm aware that the EKS cluster control plane IP addresses will vary. I need a list with the CIDRs used by the EKS control plane, to differentiate in CloudTrail if an event is from AWS or a bad actor. For: Amazon EKS uses the authentication token to make the sts:GetCallerIdentity call. As a result, AWS CloudTrail events with the name GetCallerIdentity from the source sts.amazonaws.com can have Amazon EKS service IP addresses for their source IP address. I need the Amazon EKS service IP addresses list.
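A triage script, added here as an example and not part of any answer above, that sorts GetCallerIdentity events by source address: known addresses you attributed yourself, addresses inside published AWS prefixes (which, as the question notes, cannot be pinned to EKS), and addresses outside AWS space entirely. The ip-ranges.json excerpt, the CloudTrail records and the KNOWN_IPS set are all constructed.

```python
import ipaddress

# Constructed excerpt shaped like AWS ip-ranges.json: the real file lists many
# prefixes per service, and (as the question notes) has no EKS entry.
IP_RANGES = {"prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
]}

EVENTS = [  # constructed CloudTrail records, trimmed to the fields read below
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.10"},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.7"},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.42"},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.7"},
]

# Assumed input: addresses you have already attributed yourself, e.g. the
# cluster's control-plane ENI addresses read from EC2 > Network interfaces.
KNOWN_IPS = {"203.0.113.42"}


def load_networks(ip_ranges):
    # Map each published prefix to the set of services it is listed under.
    nets = {}
    for entry in ip_ranges["prefixes"]:
        net = ipaddress.ip_network(entry["ip_prefix"])
        nets.setdefault(net, set()).add(entry["service"])
    return nets


def classify(event, nets, known_ips):
    # Returns a triage label, or None for events that are not STS GetCallerIdentity.
    if (event.get("eventName"), event.get("eventSource")) != ("GetCallerIdentity", "sts.amazonaws.com"):
        return None
    src = event.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "aws-service:" + src  # CloudTrail puts a DNS name here when an AWS service is the caller
    if src in known_ips:
        return "known"
    services = set()
    for net, svcs in nets.items():
        if ip in net:
            services |= svcs
    if not services:
        return "outside-aws"  # review these first
    return "aws-unattributed:" + ",".join(sorted(services))  # may be EKS, may be any EC2 tenant


def triage(events=EVENTS, ip_ranges=IP_RANGES, known_ips=KNOWN_IPS):
    nets = load_networks(ip_ranges)
    return [(e["sourceIPAddress"], classify(e, nets, known_ips)) for e in events]
```

Feed it the real ip-ranges.json and your own CloudTrail export; the "outside-aws" bucket is the one to look at first, while the "aws-unattributed" bucket still needs other fields (caller identity, user agent, timing against cluster activity) to separate EKS from anything else running in EC2.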

0

Kubernetes assigns a stable, reliable IP address to each newly created service from the cluster's pool of available service IP addresses. Previously, Amazon EKS automatically chose a value for this range based on the primary CIDR block of the Amazon VPC used by the cluster. While this worked for most cases, customers with VPCs peered to on-premises networks or other Amazon VPCs found that the EKS-chosen Kubernetes service IP address range may conflict with other IP ranges in use across their network. This resulted in pods being unable to communicate with certain applications that reside on peered networks external to the cluster. Now, EKS users can configure the Kubernetes service IP address range on cluster creation. Customers who operate clusters in a peered or direct connected network environment can ensure pods are able to communicate with external services available across their networks.

If you want to specify which IPv4 Classless Inter-domain Routing (CIDR) block Kubernetes assigns service IP addresses from, specify the serviceIPv4CIDR option.

You can only specify this option when using the IPv4 address family and only at cluster creation. If you don't specify this, then Kubernetes assigns service IP addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks.

https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-eks-supports-configurable-kubernetes-service-ip-address-range/
https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html

AWS
EXPERT
answered 8 months ago
