AWS eks high security documentation change
Summary
Added connectivity note for OIDC issuers regarding control plane egress routing
Security assessment
Highlights security requirement for issuer reachability in authentication flow. Specifically addresses network configuration risks when using customer-routed egress that could break authentication.
Diff
diff --git a/eks/latest/userguide/authenticate-oidc-identity-provider.md b/eks/latest/userguide/authenticate-oidc-identity-provider.md index 3464e5bb5..052ec25b4 100644 --- a//eks/latest/userguide/authenticate-oidc-identity-provider.md +++ b//eks/latest/userguide/authenticate-oidc-identity-provider.md @@ -33,0 +34,4 @@ Amazon EKS supports using OpenID Connect (OIDC) identity providers as a method t +###### Note + +The control plane fetches the provider’s signing keys from the issuer URL, so the issuer must be reachable from the control plane. If your cluster uses customer-routed control plane egress (`controlPlaneEgressMode=CUSTOMER_ROUTED`), make sure the issuer endpoint is reachable through the egress path you configure in your VPC. For more information, see [Configuring control plane egress routing](./control-plane-egress.html). +