Description:
Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications. Amazon Elastic Kubernetes Service (EKS) is a managed service that runs Kubernetes on AWS without you having to install, operate, and maintain your own Kubernetes control plane or nodes.
Rationale:
When the cluster's API server endpoint is publicly accessible, anyone on the internet can reach it. Authentication and authorization still apply, but the endpoint is exposed to unauthenticated probing and credential-based attacks, and a cluster in this state carries more risk than one whose control plane is reachable only from inside the VPC. Disabling public access (or, at minimum, restricting it to an allow-list of CIDRs) keeps private data off the internet and reduces the attack surface. As a security best practice, disable public endpoint access.
Impact:
With public access disabled, the Kubernetes API server can only be reached from within the cluster's VPC or from networks connected to it (VPN, Direct Connect, or VPC peering), which removes the control plane from the internet-facing attack surface. Any kubectl, CI/CD, or monitoring tooling that previously used the public endpoint must run from inside the VPC or over such a connection after the change.
Default Value:
By default, endpoint public access is enabled in EKS clusters and endpoint private access is disabled.
Pre-Requisite:
The cluster's VPC configuration must include subnets in which the private endpoint's network interfaces can be created, and a dedicated security group for the cluster; do not assign the VPC's default security group. For the private endpoint's DNS name to resolve from inside the VPC, the VPC must have DNS hostnames and DNS resolution enabled.
Remediation:
Test Plan:
Login to AWS Management Console
Go to EKS dashboard at https://console.aws.amazon.com/eks
Choose a cluster you want to examine
Click on the Configuration tab
In configuration go to the Networking section
In the Networking section, API server endpoint access shows whether the endpoint is Public, Public and private, or Private.
Using AWS CLI:
To check whether public and private endpoint access are enabled on a cluster (both values should be false/true respectively for a compliant cluster):
aws eks describe-cluster --region us-east-1 --name <name of cluster> --query 'cluster.resourcesVpcConfig.{endpointPrivateAccess: endpointPrivateAccess, endpointPublicAccess: endpointPublicAccess}'
Implementation Steps:
Login to AWS Management Console
Go to EKS dashboard at https://console.aws.amazon.com/eks
Choose a cluster to disable the public access
Click on the Configuration tab
In Configuration, go to the Networking section and click Manage networking to change API server endpoint access from Public to Private.
Select the Private option and click Save changes.
To confirm, type the name of the cluster in the confirmation box and click Confirm.
Using AWS CLI:
To update the cluster endpoint access, disabling public access and enabling private access in the same call (EKS rejects an update that would leave both disabled; the update runs asynchronously and the cluster status returns to ACTIVE when it has finished):
aws eks update-cluster-config --name <name of cluster> \
--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
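The check from the Test Plan and the remediation above, combined into one script as an added example (this is not code from the page or from AWS). It runs the same describe-cluster and update-cluster-config commands, but adds the decisions a scanner needs: a cluster whose public endpoint is restricted to a CIDR allow-list (the publicAccessCidrs field of describe-cluster) is reported differently from one open to 0.0.0.0/0, the fix is skipped when the cluster is already private-only, and private access is always switched on in the same update because EKS rejects leaving both flags false. The function names, finding labels and the sample response are this example's own assumptions; the AWS CLI and credentials are only needed when it is run against a real cluster.

```python
#!/usr/bin/env python3
"""Audit an EKS cluster's API server endpoint exposure and optionally fix it.

Added example, not code from the original page: it wraps the same AWS CLI
calls the page uses (describe-cluster, update-cluster-config) and adds the
decision logic a benchmark scanner needs. Field names under
resourcesVpcConfig are the real ones the CLI returns; the function names,
finding labels and sample data below are this example's own.
"""
import json
import subprocess
import sys

# Constructed sample of `aws eks describe-cluster --output json`, cut down to
# the fields the check reads. Not captured from a real account.
SAMPLE_PUBLIC_OPEN = {
    "cluster": {
        "name": "example-cluster",
        "status": "ACTIVE",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
}

ANY_IPV4 = "0.0.0.0/0"
PRIVATE_ONLY = "endpointPublicAccess=false,endpointPrivateAccess=true"


def evaluate_endpoint(cluster):
    """Classify the endpoint exposure from a describe-cluster response.

    Returns (finding, detail):
      PASS  public access disabled (private endpoint only)
      FAIL  public access enabled and open to every IPv4 address
      WARN  public access enabled but limited to an allow-list of CIDRs
    Missing keys fall back to the EKS defaults (public on, 0.0.0.0/0), so a
    trimmed response is treated conservatively.
    """
    vpc = cluster["cluster"]["resourcesVpcConfig"]
    public = vpc.get("endpointPublicAccess", True)
    cidrs = vpc.get("publicAccessCidrs", [ANY_IPV4])
    if not public:
        return "PASS", "API server reachable only through the private endpoint"
    if ANY_IPV4 in cidrs:
        return "FAIL", "public endpoint open to the internet"
    return "WARN", "public endpoint limited to " + ", ".join(cidrs)


def remediation_config(cluster):
    """Return the --resources-vpc-config value that makes the cluster
    private-only, or None when the cluster is already compliant.

    Private access is enabled in the same call that disables public access:
    EKS rejects an update that would leave both endpoints disabled.
    """
    vpc = cluster["cluster"]["resourcesVpcConfig"]
    if not vpc.get("endpointPublicAccess", True) and vpc.get("endpointPrivateAccess", False):
        return None
    return PRIVATE_ONLY


def aws(*args):
    """Run one AWS CLI command and return its parsed JSON output."""
    out = subprocess.check_output(["aws", *args, "--output", "json"])
    return json.loads(out or b"null")


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: eks_endpoint_check.py <cluster-name> <region> [--fix]")
    name, region, fix = argv[1], argv[2], "--fix" in argv[3:]
    cluster = aws("eks", "describe-cluster", "--region", region, "--name", name)
    finding, detail = evaluate_endpoint(cluster)
    print(f"{name}: {finding} - {detail}")
    config = remediation_config(cluster)
    if fix and config:
        # The update is asynchronous and the cluster must be ACTIVE before it
        # accepts another update, so wait for it to settle and re-check.
        aws("eks", "update-cluster-config", "--region", region, "--name", name,
            "--resources-vpc-config", config)
        subprocess.check_call(["aws", "eks", "wait", "cluster-active",
                               "--region", region, "--name", name])
        cluster = aws("eks", "describe-cluster", "--region", region, "--name", name)
        print(f"{name}: after update -> {evaluate_endpoint(cluster)[0]}")
    return 0 if finding == "PASS" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 eks_endpoint_check.py <name of cluster> us-east-1` to report, or add `--fix` to apply the remediation above and wait for the cluster to return to ACTIVE; the exit code is non-zero for any cluster that is not private-only, which makes it usable from a CI or audit job.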
Backout Plan:
Login to AWS Management Console
Go to EKS dashboard at https://console.aws.amazon.com/eks
Choose a cluster
Click on the Configuration tab
In configuration go to the Networking section
Click Manage networking to change API server endpoint access from Private back to Public. Select the Public option and click Save changes.
To confirm, type the name of the cluster in the confirmation box and click Confirm.
Using AWS CLI:
To restore the default public-only endpoint access:
aws eks update-cluster-config --name <name of cluster> \
--resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=false