AWS eks documentation change
Summary
Enhanced documentation about cluster endpoint access controls, clarifying security group and CIDR restrictions
Security assessment
Added explicit guidance about using cluster security groups for private endpoint control and clarified public CIDR restrictions. While improving security documentation, there's no evidence this addresses a specific vulnerability.
Diff
diff --git a/eks/latest/userguide/cluster-endpoint.md b/eks/latest/userguide/cluster-endpoint.md index 1d9db0ea4..7d18fe420 100644 --- a//eks/latest/userguide/cluster-endpoint.md +++ b//eks/latest/userguide/cluster-endpoint.md @@ -69 +69 @@ Enabled | Disabled | - * Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint. If you limit access to specific CIDR blocks, then it is recommended that you also enable the private endpoint, or ensure that the CIDR blocks that you specify include the addresses that nodes and Fargate Pods (if you use them) access the public endpoint from. + * Your cluster API server is accessible from the internet. You can, optionally, use the list of _public access CIDRs_ to control access to the public endpoint by a list of CIDR blocks. If you limit access to specific CIDR blocks, then we recommend that you also enable the private endpoint, or ensure that the CIDR blocks that you specify include the addresses that nodes and Fargate Pods (if you use them) access the public endpoint from. @@ -74,3 +74,3 @@ Enabled | Enabled | - * Kubernetes API requests within your cluster’s VPC (such as node to control plane communication) use the private VPC endpoint. - * Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint. - * If you are using hybrid nodes with your Amazon EKS cluster, it is not recommended to have both Public and Private cluster endpoint access enabled. Because your hybrid nodes are running outside of your VPC, they will resolve the cluster endpoint to the public IP addresses. It is recommended to use either Public or Private cluster endpoint access for clusters with hybrid nodes. + * Kubernetes API requests within your cluster’s VPC (such as node to control plane communication) use the private VPC endpoint. You use the rules on the _cluster security group_ to control access to the private endpoint. + * Your cluster API server is accessible from the internet. You can, optionally, use the list of _public access CIDRs_ to control access to the public endpoint by a list of CIDR blocks. + * If you are using hybrid nodes with your Amazon EKS cluster, it is not recommended to have both Public and Private endpoint access enabled. Because your hybrid nodes are running outside of your VPC, they will resolve the cluster endpoint to the public IP addresses. It is recommended to use either Public or Private endpoint access for clusters with hybrid nodes. @@ -82,0 +83 @@ Disabled | Enabled | + * You use the rules on the _cluster security group_ to control access to the private endpoint. Note that the public access CIDRs don’t affect the private endpoint. @@ -88,0 +90,14 @@ Disabled | Enabled | +**Endpoint access controls** + +Note that each of the following methods to control endpoint access only affect the respective endpoint. + +_Cluster security group_ + + +The cluster security group controls two types of connections: connections to the _kubelet API_ and the private endpoint. The connections to the `kubelet` API are used in the `kubectl attach`, `kubectl cp`, `kubectl exec`, `kubectl logs`, and `kubectl port-forward` commands. The cluster security group doesn’t affect the public endpoint. + +_Public access CIDRs_ + + +The _public access CIDRs_ control access to the public endpoint by a list of CIDR blocks. Note that the public access CIDRs don’t affect the private endpoint. The public access CIDRs behave differently on the `IPv6` clusters and `IPv4` clusters depending on the date they were created, which the following describes: +