Description:

Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications. Elastic Kubernetes Service (EKS) is a managed service that runs Kubernetes on AWS without you having to install, operate, and maintain your own Kubernetes control plane or nodes.


Rationale:

If the cluster API server endpoint is publicly accessible, anybody on the internet can reach it, which makes this type of cluster more exposed to attack. To avoid exposing private data and to minimize security risk, disable public access to the endpoint as a security best practice.


Impact:

Making the EKS API server endpoint private reduces its exposure to malicious activity and attacks from the internet.


Default Value:

By default, endpoint public access is enabled in EKS clusters and endpoint private access is disabled.


Pre-Requisite:

  • For the EKS network configuration you must have a dedicated security group in AWS; do not assign the default security group.


Remediation:


Test Plan:

  • Login to AWS Management Console

  • Go to EKS dashboard at https://console.aws.amazon.com/eks

  • Choose a cluster you want to examine

  • Click on the Configuration tab

  • In configuration go to the Networking section

  • In the Networking section you can see whether API server endpoint access is public or private


Using AWS CLI:

To check whether public and private endpoint access are enabled or disabled for the cluster

aws eks describe-cluster \
  --region us-east-1 \
  --name <name of cluster> \
  --query 'cluster.resourcesVpcConfig.{endpointPrivateAccess: endpointPrivateAccess, endpointPublicAccess: endpointPublicAccess}'
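As an added example (not part of the original control text), a Python check that applies this control to the JSON that `aws eks describe-cluster` returns. The cluster names and values below are constructed sample data. It goes slightly beyond the page's query by also reading `publicAccessCidrs`, so a public endpoint that is merely CIDR-restricted is distinguished from one open to the whole internet, and by flagging the unreachable both-disabled combination.

```python
import json

# Constructed sample data: the resourcesVpcConfig block of three hypothetical
# clusters, as describe-cluster would return it (names are not real clusters).
SAMPLE_CLUSTERS = {
    "cluster-a": {"endpointPublicAccess": True, "endpointPrivateAccess": False,
                  "publicAccessCidrs": ["0.0.0.0/0"]},
    "cluster-b": {"endpointPublicAccess": True, "endpointPrivateAccess": True,
                  "publicAccessCidrs": ["203.0.113.0/24"]},
    "cluster-c": {"endpointPublicAccess": False, "endpointPrivateAccess": True,
                  "publicAccessCidrs": ["0.0.0.0/0"]},
}


def assess_endpoint(vpc_config):
    """Classify API endpoint exposure from a cluster's resourcesVpcConfig.

    PASS    private only (the state this control requires)
    FAIL    public endpoint reachable from any address
    WARN    public endpoint restricted to specific CIDRs; still not compliant
    INVALID both disabled; the API server would be unreachable (AWS rejects it)
    """
    # Defaults mirror a new EKS cluster: public on, private off, open to all.
    public = vpc_config.get("endpointPublicAccess", True)
    private = vpc_config.get("endpointPrivateAccess", False)
    cidrs = vpc_config.get("publicAccessCidrs", ["0.0.0.0/0"])
    if not public:
        return "PASS" if private else "INVALID"
    if "0.0.0.0/0" in cidrs:
        return "FAIL"
    return "WARN"


def assess_describe_output(raw_json):
    """Evaluate the full JSON printed by `aws eks describe-cluster --name X`."""
    cluster = json.loads(raw_json)["cluster"]
    return cluster["name"], assess_endpoint(cluster["resourcesVpcConfig"])


def report(clusters):
    """Map each cluster name to its verdict; handy for a fleet-wide sweep."""
    return {name: assess_endpoint(cfg) for name, cfg in clusters.items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_CLUSTERS).items():
        print(f"{name}: {verdict}")
```

To run it against real output, pipe `aws eks describe-cluster --name <name of cluster>` into `assess_describe_output`.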


Implementation Steps:

  • Login to AWS Management Console

  • Go to EKS dashboard at https://console.aws.amazon.com/eks

  • Choose a cluster to disable the public access

  • Click on the Configuration tab

  • In configuration go to the Networking section and click on Manage Networking to change API server endpoint access from public to private.

  • In Manage Networking select the Private option and click on the Save changes button.

  • To confirm the change, write the name of the cluster in the cluster name box and click on the Confirm button


Using AWS CLI:

To update the cluster endpoint access so that only private access is enabled

aws eks update-cluster-config --name <name of cluster> \
--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true


Backout Plan:

  • Login to AWS Management Console

  • Go to EKS dashboard at https://console.aws.amazon.com/eks

  • Choose a cluster

  • Click on the Configuration tab

  • In configuration go to the Networking section

  • Click on Manage Networking to change API server endpoint access from private back to public. In Manage Networking select the Public option and click on the Save changes button.

  • For confirmation, write the name of the cluster (icompaasCluster) in the cluster name box and click on the Confirm button


Using AWS CLI:

To update the cluster endpoint access back to public only

aws eks update-cluster-config --name <name of cluster> \
--resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=false


Reference:

  1. Amazon EKS cluster endpoint access control - Amazon EKS