Profile Applicability:
• Level 1
Description:
Disable access to the Kubernetes API from outside the node network if it is not required.
Rationale:
In a private cluster, the master node has two endpoints, a private and a public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's VPC network.
Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted access. Additionally, an attacker may be able to identify the cluster and its Kubernetes API version and determine whether it is vulnerable to a known attack. Disabling the public endpoint unless it is required helps prevent such threats and requires an attacker to be on the master's VPC network before any attack on the Kubernetes API is possible.
Impact:
Configure the EKS cluster endpoint to be private.
Leave the cluster endpoint public and specify which CIDR blocks can communicate with the cluster endpoint. The blocks are effectively a whitelisted set of public IP addresses that are allowed to access the cluster endpoint.
Configure public access with a set of whitelisted CIDR blocks and set private endpoint access to enabled. This will allow public access from a specific range of public IPs while forcing all network traffic between the kubelets (workers) and the Kubernetes API through the cross-account ENIs that get provisioned into the cluster VPC when the control plane is provisioned.
Default Value:
By default, the Public Endpoint is disabled.
Pre-requisites:
The cluster must be configured to support private endpoint access, and public access should be disabled or restricted by specifying an allowed set of CIDR blocks.
Remediation:
Test Plan:
Using AWS Console:
Go to the EKS Console and check the cluster configuration under Networking.
Verify that Private Endpoint Access is enabled and Public Endpoint Access is disabled.
Using AWS CLI:
1. Run the following commands to confirm the configuration:
aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.endpointPublicAccess"
aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.endpointPrivateAccess"
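As an added example (not part of the benchmark text), the following script applies this check to the full JSON printed by aws eks describe-cluster, so that a cluster whose public endpoint is enabled but restricted to explicit CIDR blocks is distinguished from one open to 0.0.0.0/0. The embedded sample document and the cluster name demo-cluster are constructed; the field names match the resourcesVpcConfig block queried above.

```python
"""Evaluate EKS control-plane endpoint settings against this control.

Usage: aws eks describe-cluster --name <cluster-name> | python check_endpoint.py -
Without an argument the constructed SAMPLE document below is evaluated.
"""
import json
import sys

# CIDRs that make the "restricted" public endpoint effectively unrestricted.
OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}


def evaluate_endpoint_access(vpc_config):
    """Return (status, reason) for a cluster's resourcesVpcConfig block."""
    private = bool(vpc_config.get("endpointPrivateAccess", False))
    public = bool(vpc_config.get("endpointPublicAccess", False))
    cidrs = set(vpc_config.get("publicAccessCidrs", []))
    if not private:
        # Without the private endpoint, nodes have no in-VPC path to the API.
        return ("FAIL", "endpointPrivateAccess is false")
    if not public:
        return ("PASS", "private endpoint only")
    if not cidrs or cidrs & OPEN_TO_WORLD:
        # An empty list is treated like the service default of 0.0.0.0/0.
        return ("FAIL", "public endpoint open to 0.0.0.0/0")
    # Public access limited to an explicit allow-list: acceptable per the
    # pre-requisites, but flagged so the CIDR list is reviewed.
    return ("WARN", "public endpoint restricted to " + ", ".join(sorted(cidrs)))


def evaluate_describe_cluster(doc):
    """Accept the whole describe-cluster document; return (name, status, reason)."""
    cluster = doc["cluster"]
    status, reason = evaluate_endpoint_access(cluster.get("resourcesVpcConfig", {}))
    return (cluster["name"], status, reason)


# Constructed sample shaped like describe-cluster output, trimmed to the fields used.
SAMPLE = {"cluster": {"name": "demo-cluster", "resourcesVpcConfig": {
    "endpointPublicAccess": True, "endpointPrivateAccess": True,
    "publicAccessCidrs": ["0.0.0.0/0"]}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        src = sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])
        doc = json.load(src)
    else:
        doc = SAMPLE
    name, status, reason = evaluate_describe_cluster(doc)
    print(f"{name}: {status} ({reason})")
```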
Implementation Plan:
Using AWS Console:
During cluster creation or when modifying an existing cluster, ensure Private Endpoint Access is enabled, and Public Access is disabled.
Optionally, restrict Public Endpoint Access to specific CIDR blocks by whitelisting IP ranges.
Using AWS CLI:
To update the cluster configuration to ensure Private Endpoint Access is enabled and Public Access is disabled, run:
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false
If public access is necessary, allow specific CIDR blocks:
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32"
Backout Plan:
Using AWS Console:
If you need to revert the changes, modify the Control Plane Access settings to enable public access or adjust the CIDR blocks.
Using AWS CLI:
To revert to public access, run the following:
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=false,endpointPublicAccess=true