AWS eks medium security documentation change
Summary
Removed AWS console/CLI configuration steps and added detailed CIDR block restrictions for IPv4/IPv6 clusters. Clarified public endpoint access rules based on cluster creation date and IP family.
Security assessment
The changes explicitly document network access control restrictions (CIDR block validation rules) for API server endpoints. This clarifies security boundaries by specifying allowed IP ranges for public endpoints, preventing misconfigurations that could expose clusters to unintended public access. The error message documentation ('invalid CIDRs') helps users avoid insecure configurations.
Diff
diff --git a/eks/latest/userguide/cluster-endpoint.md b/eks/latest/userguide/cluster-endpoint.md index f2e3a9572..a2b12e0ab 100644 --- a//eks/latest/userguide/cluster-endpoint.md +++ b//eks/latest/userguide/cluster-endpoint.md @@ -5 +5 @@ -IPv6 cluster endpoint formatIPv4 cluster endpoint formatCluster private endpointModifying cluster endpoint accessConfigure endpoint access - AWS consoleConfigure endpoint access - AWS CLIAccessing a private only API server +IPv6 cluster endpoint formatIPv4 cluster endpoint formatCluster private endpointModifying cluster endpoint accessAccessing a private only API server @@ -11 +11 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t -# Control network access to cluster API server endpoint +# Cluster API server endpoint @@ -105 +105 @@ Disabled | Enabled | -You can modify your cluster API server endpoint access using the AWS Management Console or AWS CLI. +**CIDR blocks in the public endpoint (`IPv6` cluster)** @@ -107 +107 @@ You can modify your cluster API server endpoint access using the AWS Management -## Configure endpoint access - AWS console +You can add `IPv6` and `IPv4` CIDR blocks to the public endpoint of an `IPv6` cluster, because the public endpoint is dual-stack. This only applies to new clusters with the `ipFamily` set to `IPv6` that you made in October 2024 or later. You can identify these clusters by the new endpoint domain name `api.aws`. @@ -109,90 +109 @@ You can modify your cluster API server endpoint access using the AWS Management - 1. Open the [Amazon EKS console](https://console.aws.amazon.com/eks/home#/clusters). - - 2. Choose the name of the cluster to display your cluster information. - - 3. Choose the **Networking** tab and choose **Manage endpoint access**. - - 4. For **Private access** , choose whether to enable or disable private access for your cluster’s Kubernetes API server endpoint. If you enable private access, Kubernetes API requests that originate from within your cluster’s VPC use the private VPC endpoint. You must enable private access to disable public access. - - 5. For **Public access** , choose whether to enable or disable public access for your cluster’s Kubernetes API server endpoint. If you disable public access, your cluster’s Kubernetes API server can only receive requests from within the cluster VPC. - - 6. (Optional) If you’ve enabled **Public access** , you can specify which addresses from the internet can communicate to the public endpoint. Select **Advanced Settings**. Enter a CIDR block, such as `203.0.113.5/32`. The block cannot include [reserved addresses](https://en.wikipedia.org/wiki/Reserved_IP_addresses). You can enter additional blocks by selecting **Add Source**. There is a maximum number of CIDR blocks that you can specify. For more information, see [View and manage Amazon EKS and Fargate service quotas](./service-quotas.html). If you specify no blocks, then the public API server endpoint receives requests from all (`0.0.0.0/0`) IP addresses. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate Pods (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. - - 7. Choose **Update** to finish. - - - - -## Configure endpoint access - AWS CLI - -Complete the following steps using the AWS CLI version `1.27.160` or later. You can check your current version with `aws --version`. To install or upgrade the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html). - - 1. Update your cluster API server endpoint access with the following AWS CLI command. Substitute your cluster name and desired endpoint access values. If you set `endpointPublicAccess=true`, then you can (optionally) enter single CIDR block, or a comma-separated list of CIDR blocks for `publicAccessCidrs`. The blocks cannot include [reserved addresses](https://en.wikipedia.org/wiki/Reserved_IP_addresses). If you specify CIDR blocks, then the public API server endpoint will only receive requests from the listed blocks. There is a maximum number of CIDR blocks that you can specify. For more information, see [View and manage Amazon EKS and Fargate service quotas](./service-quotas.html). If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate Pods (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. If you specify no CIDR blocks, then the public API server endpoint receives requests from all (0.0.0.0/0) IP addresses. - -###### Note - -The following command enables private access and public access from a single IP address for the API server endpoint. Replace `203.0.113.5/32` with a single CIDR block, or a comma-separated list of CIDR blocks that you want to restrict network access to. - - aws eks update-cluster-config \ - --region region-code \ - --name my-cluster \ - --resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32",endpointPrivateAccess=true - -An example output is as follows. - - { - "update": { - "id": "e6f0905f-a5d4-4a2a-8c49-EXAMPLE00000", - "status": "InProgress", - "type": "EndpointAccessUpdate", - "params": [ - { - "type": "EndpointPublicAccess", - "value": "true" - }, - { - "type": "EndpointPrivateAccess", - "value": "true" - }, - { - "type": "publicAccessCidrs", - "value": "[\203.0.113.5/32\"]" - } - ], - "createdAt": 1576874258.137, - "errors": [] - } - } - - 2. Monitor the status of your endpoint access update with the following command, using the cluster name and update ID that was returned by the previous command. Your update is complete when the status is shown as `Successful`. - - aws eks describe-update \ - --region region-code \ - --name my-cluster \ - --update-id e6f0905f-a5d4-4a2a-8c49-EXAMPLE00000 - -An example output is as follows. - - { - "update": { - "id": "e6f0905f-a5d4-4a2a-8c49-EXAMPLE00000", - "status": "Successful", - "type": "EndpointAccessUpdate", - "params": [ - { - "type": "EndpointPublicAccess", - "value": "true" - }, - { - "type": "EndpointPrivateAccess", - "value": "true" - }, - { - "type": "publicAccessCidrs", - "value": "[\203.0.113.5/32\"]" - } - ], - "createdAt": 1576874258.137, - "errors": [] - } - } +**CIDR blocks in the public endpoint (`IPv4` cluster)** @@ -199,0 +111 @@ An example output is as follows. +You can add `IPv4` CIDR blocks to the public endpoint of an `IPv4` cluster. You can’t add `IPv6` CIDR blocks to the public endpoint of an `IPv4` cluster. If you try, EKS returns the following error message: `The following CIDRs are invalid in publicAccessCidrs` @@ -200,0 +113 @@ An example output is as follows. +**CIDR blocks in the public endpoint (`IPv6` cluster made before October 2024)** @@ -201,0 +115 @@ An example output is as follows. +You can add `IPv4` CIDR blocks to the public endpoint of the old `IPv6` clusters that you made before October 2024. You can identify these clusters by the `eks.amazonaws.com` endpoint. You can’t add `IPv6` CIDR blocks to the public endpoint of these old `IPv6` clusters that you made before October 2024. If you try, EKS returns the following error message: `The following CIDRs are invalid in publicAccessCidrs` @@ -225,0 +140,2 @@ When you configure `kubectl` for your AWS Cloud9 IDE, be sure to use AWS credent +📝 [Edit this page on GitHub](https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-endpoint%5D&type=code) + @@ -234 +150 @@ Delete a cluster -Enable Windows support +Configure endpoint access