Profile Applicability:
• Level 1
Description:
Enable Endpoint Private Access to restrict access to the cluster's control plane to only an allowlist of authorized IPs.
Rationale:
Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your cluster's control plane. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your cluster's control plane from the public internet. This provides you with flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network.
Impact:
When implementing Endpoint Private Access, ensure all desired networks are on the allowlist to prevent inadvertently blocking external access to your cluster's control plane.
Default Value:
By default, Endpoint Public Access is disabled, and Endpoint Private Access is disabled.
Pre-requisites:
The cluster must be set up to support private endpoint access. You need to configure the VPC and enable private access to the API server during the creation or modification of the cluster.
Remediation:
Test Plan:
Using AWS Console:
Go to the EKS Console and select your cluster.
Check the Cluster Configuration under Networking to ensure Private Endpoint Access is enabled and Public Endpoint Access is disabled.
Using AWS CLI:
1. Run the following commands to check the configuration; for a compliant cluster the first returns false (public access disabled) and the second returns true (private access enabled):
aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.endpointPublicAccess"
aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.endpointPrivateAccess"
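The two queries above read single fields; an auditor checking many clusters usually wants the full `cluster.resourcesVpcConfig` object evaluated in one place, including whether any `publicAccessCidrs` entry is the unrestricted 0.0.0.0/0. The following is an added example, not part of the original benchmark text: it evaluates the JSON that `aws eks describe-cluster` returns (the sample document, cluster name and finding strings are constructed for this page).

```python
import ipaddress
from typing import Any, Dict, List

# Constructed sample of the JSON that `aws eks describe-cluster --name <cluster-name>`
# returns (only the fields this check reads); the cluster name is a placeholder.
SAMPLE_CLUSTER: Dict[str, Any] = {
    "cluster": {
        "name": "example-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
}


def audit_endpoint_access(describe_output: Dict[str, Any]) -> List[str]:
    """Evaluate cluster.resourcesVpcConfig and return a list of findings.

    FAIL entries mean the control fails; WARN entries mean public access is on
    but limited to explicit CIDRs (the optional restricted configuration).
    An empty list means private access is enabled and public access is off.
    """
    vpc = describe_output["cluster"]["resourcesVpcConfig"]
    findings: List[str] = []

    if not vpc.get("endpointPrivateAccess", False):
        findings.append("FAIL: endpointPrivateAccess is false")

    if vpc.get("endpointPublicAccess", False):
        # EKS reports 0.0.0.0/0 here when no CIDR restriction has been applied.
        for cidr in vpc.get("publicAccessCidrs", []):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"FAIL: unparseable publicAccessCidrs entry {cidr!r}")
                continue
            if net.prefixlen == 0:
                findings.append(f"FAIL: publicAccessCidrs permits any source ({cidr})")
            else:
                findings.append(f"WARN: endpointPublicAccess is true, limited to {cidr}")
    return findings


def is_compliant(describe_output: Dict[str, Any]) -> bool:
    """True only when no FAIL finding was produced."""
    return not any(f.startswith("FAIL") for f in audit_endpoint_access(describe_output))


if __name__ == "__main__":
    for line in audit_endpoint_access(SAMPLE_CLUSTER) or ["PASS"]:
        print(line)
```

To run it against a real cluster, feed it the parsed output of `aws eks describe-cluster --name <cluster-name>` instead of the constructed sample.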
Implementation Plan:
Using AWS Console:
During cluster creation or when modifying an existing cluster, ensure Private Endpoint Access is enabled and Public Access is disabled (or restricted via CIDR blocks if needed).
Using AWS CLI:
To enable private endpoint access and disable public access, use:
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false
Optionally, if public access is needed with restrictions, use:
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32"
Backout Plan:
Using AWS Console:
If changes need to be reverted, modify the Control Plane Access settings to allow public access or adjust the CIDR blocks.
Using AWS CLI:
To revert the configuration and allow public access, run:
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=false,endpointPublicAccess=true