Submitted URL: http://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
Effective URL: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
Submission: On June 13 via api from US — Scanned from DE
Amazon EKS User Guide

AMAZON EKS CLUSTER ENDPOINT ACCESS CONTROL

This topic helps you to enable private access for your Amazon EKS cluster's Kubernetes API server endpoint and limit, or completely disable, public access from the internet.

When you create a new cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as kubectl). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC).

You can enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server.
NOTE
Because this endpoint is for the Kubernetes API server and not a traditional AWS PrivateLink endpoint for communicating with an AWS API, it doesn't appear as an endpoint in the Amazon VPC console.

When you enable endpoint private access for your cluster, Amazon EKS creates a Route 53 private hosted zone on your behalf and associates it with your cluster's VPC. This private hosted zone is managed by Amazon EKS, and it doesn't appear in your account's Route 53 resources. In order for the private hosted zone to properly route traffic to your API server, your VPC must have enableDnsHostnames and enableDnsSupport set to true, and the DHCP options set for your VPC must include AmazonProvidedDNS in its domain name servers list. For more information, see Updating DNS support for your VPC in the Amazon VPC User Guide.

You can define your API server endpoint access requirements when you create a new cluster, and you can update the API server endpoint access for a cluster at any time.

MODIFYING CLUSTER ENDPOINT ACCESS

Use the procedures in this section to modify the endpoint access for an existing cluster. The following table shows the supported API server endpoint access combinations and their associated behavior.

API server endpoint access options

Endpoint public access: Enabled
Endpoint private access: Disabled
Behavior:
* This is the default behavior for new Amazon EKS clusters.
* Kubernetes API requests that originate from within your cluster's VPC (such as node to control plane communication) leave the VPC but not Amazon's network.
* Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint. If you limit access to specific CIDR blocks, then it is recommended that you also enable the private endpoint, or ensure that the CIDR blocks that you specify include the addresses that nodes and Fargate Pods (if you use them) access the public endpoint from.

Endpoint public access: Enabled
Endpoint private access: Enabled
Behavior:
* Kubernetes API requests within your cluster's VPC (such as node to control plane communication) use the private VPC endpoint.
* Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint.

Endpoint public access: Disabled
Endpoint private access: Enabled
Behavior:
* All traffic to your cluster API server must come from within your cluster's VPC or a connected network.
* There is no public access to your API server from the internet. Any kubectl commands must come from within the VPC or a connected network. For connectivity options, see Accessing a private only API server.
* The cluster's API server endpoint is resolved by public DNS servers to a private IP address from the VPC. In the past, the endpoint could only be resolved from within the VPC. If your endpoint does not resolve to a private IP address within the VPC for an existing cluster, you can:
  * Enable public access and then disable it again. You only need to do so once for a cluster and the endpoint will resolve to a private IP address from that point forward.
  * Update your cluster.

You can modify your cluster API server endpoint access using the AWS Management Console or AWS CLI.

AWS Management Console

TO MODIFY YOUR CLUSTER API SERVER ENDPOINT ACCESS USING THE AWS MANAGEMENT CONSOLE

1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
2. Choose the name of the cluster to display your cluster information.
3. Choose the Networking tab and choose Update.
4. For Private access, choose whether to enable or disable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint. You must enable private access to disable public access.
5. For Public access, choose whether to enable or disable public access for your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC.
6. (Optional) If you've enabled Public access, you can specify which addresses from the internet can communicate to the public endpoint. Select Advanced Settings. Enter a CIDR block, such as 203.0.113.5/32. The block cannot include reserved addresses. You can enter additional blocks by selecting Add Source. There is a maximum number of CIDR blocks that you can specify. For more information, see Amazon EKS service quotas. If you specify no blocks, then the public API server endpoint receives requests from all (0.0.0.0/0) IP addresses. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate Pods (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint.
7. Choose Update to finish.

AWS CLI

TO MODIFY YOUR CLUSTER API SERVER ENDPOINT ACCESS USING THE AWS CLI

Complete the following steps using the AWS CLI version 1.27.160 or later. You can check your current version with aws --version. To install or upgrade the AWS CLI, see Installing the AWS CLI.

1. Update your cluster API server endpoint access with the following AWS CLI command. Substitute your cluster name and desired endpoint access values. If you set endpointPublicAccess=true, then you can (optionally) enter a single CIDR block, or a comma-separated list of CIDR blocks for publicAccessCidrs. The blocks cannot include reserved addresses. If you specify CIDR blocks, then the public API server endpoint will only receive requests from the listed blocks. There is a maximum number of CIDR blocks that you can specify. For more information, see Amazon EKS service quotas. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate Pods (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. If you specify no CIDR blocks, then the public API server endpoint receives requests from all (0.0.0.0/0) IP addresses.

   NOTE
   The following command enables private access and public access from a single IP address for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma-separated list of CIDR blocks that you want to restrict network access to.

       aws eks update-cluster-config \
           --region region-code \
           --name my-cluster \
           --resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32",endpointPrivateAccess=true

   An example output is as follows.

       {
           "update": {
               "id": "e6f0905f-a5d4-4a2a-8c49-EXAMPLE00000",
               "status": "InProgress",
               "type": "EndpointAccessUpdate",
               "params": [
                   {
                       "type": "EndpointPublicAccess",
                       "value": "true"
                   },
                   {
                       "type": "EndpointPrivateAccess",
                       "value": "true"
                   },
                   {
                       "type": "publicAccessCidrs",
                       "value": "[\"203.0.113.5/32\"]"
                   }
               ],
               "createdAt": 1576874258.137,
               "errors": []
           }
       }

2. Monitor the status of your endpoint access update with the following command, using the cluster name and update ID that was returned by the previous command. Your update is complete when the status is shown as Successful.

       aws eks describe-update \
           --region region-code \
           --name my-cluster \
           --update-id e6f0905f-a5d4-4a2a-8c49-EXAMPLE00000

   An example output is as follows.

       {
           "update": {
               "id": "e6f0905f-a5d4-4a2a-8c49-EXAMPLE00000",
               "status": "Successful",
               "type": "EndpointAccessUpdate",
               "params": [
                   {
                       "type": "EndpointPublicAccess",
                       "value": "true"
                   },
                   {
                       "type": "EndpointPrivateAccess",
                       "value": "true"
                   },
                   {
                       "type": "publicAccessCidrs",
                       "value": "[\"203.0.113.5/32\"]"
                   }
               ],
               "createdAt": 1576874258.137,
               "errors": []
           }
       }
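As an added example (not from the AWS documentation), the following Python maps a cluster's resourcesVpcConfig settings onto the rows of the access table above and flags the two situations the procedures warn about: a public endpoint left open to 0.0.0.0/0, and a CIDR-restricted public endpoint with private access disabled, where the VPC's egress addresses (for example a NAT gateway's outbound IP) must appear in the allow list. The describe-cluster document is constructed; make_describe_cluster, assess_endpoint_access and the nat_egress_ips argument are this example's own names, not AWS APIs.

```python
import ipaddress
import json


def make_describe_cluster(public, private, cidrs, name="my-cluster"):
    """Build a constructed `aws eks describe-cluster` document, reduced to the
    resourcesVpcConfig keys that update-cluster-config sets on the page."""
    return json.dumps({"cluster": {"name": name, "resourcesVpcConfig": {
        "endpointPublicAccess": public, "endpointPrivateAccess": private,
        "publicAccessCidrs": list(cidrs)}}})


# Constructed sample mirroring the page's CLI example: both endpoints on, one /32.
SAMPLE_DESCRIBE_CLUSTER = make_describe_cluster(True, True, ["203.0.113.5/32"])


def assess_endpoint_access(describe_cluster_json, nat_egress_ips=()):
    """Classify the endpoint posture per the access table and list findings.

    nat_egress_ips: public addresses that nodes in private subnets egress
    through (e.g. NAT gateway IPs); only consulted for the row where the
    public endpoint is CIDR-restricted and the private endpoint is disabled.
    Returns (posture, findings) with posture one of
    'private-only', 'public-open', 'public-restricted'.
    """
    cfg = json.loads(describe_cluster_json)["cluster"]["resourcesVpcConfig"]
    public = bool(cfg.get("endpointPublicAccess", False))
    private = bool(cfg.get("endpointPrivateAccess", False))
    # strict=False tolerates host bits in a block; AWS itself may still reject it.
    cidrs = [ipaddress.ip_network(c, strict=False)
             for c in cfg.get("publicAccessCidrs", [])]
    findings = []

    if not public and not private:
        raise ValueError("both endpoints disabled is not a supported combination")

    if not public:
        # Disabled/Enabled row: all API traffic must come from the VPC or a
        # connected network; nothing is reachable from the internet.
        return "private-only", findings

    # Public endpoint enabled: no blocks (or a /0 block) means 0.0.0.0/0.
    if not cidrs or any(n.prefixlen == 0 for n in cidrs):
        findings.append("public endpoint accepts requests from 0.0.0.0/0; "
                        "set publicAccessCidrs or disable public access")
        posture = "public-open"
    else:
        posture = "public-restricted"

    if private:
        return posture, findings

    # Enabled/Disabled row: node-to-control-plane requests leave the VPC via
    # the public endpoint, so a CIDR allow list must cover the VPC's egress
    # sources or nodes lose the API server.
    findings.append("private endpoint disabled: node traffic to the API server "
                    "leaves the VPC; consider enabling private access")
    if posture == "public-restricted":
        if not nat_egress_ips:
            findings.append("publicAccessCidrs is restricted but no egress IPs "
                            "were supplied to verify node connectivity")
        for ip in nat_egress_ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in n for n in cidrs):
                findings.append(f"egress address {ip} is not covered by "
                                f"publicAccessCidrs; nodes behind it cannot "
                                f"reach the API server")
    return posture, findings
```

Feed it the real `aws eks describe-cluster --name <cluster>` output and the NAT gateway addresses from `aws ec2 describe-nat-gateways` to audit an existing cluster before and after an endpoint change.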
ACCESSING A PRIVATE ONLY API SERVER

If you have disabled public access for your cluster's Kubernetes API server endpoint, you can only access the API server from within your VPC or a connected network. Here are a few possible ways to access the Kubernetes API server endpoint:

Connected network
Connect your network to the VPC with an AWS transit gateway or other connectivity option and then use a computer in the connected network. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your connected network.

Amazon EC2 bastion host
You can launch an Amazon EC2 instance into a public subnet in your cluster's VPC and then log in via SSH into that instance to run kubectl commands. For more information, see Linux bastion hosts on AWS. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your bastion host. For more information, see Amazon EKS security group requirements and considerations.

When you configure kubectl for your bastion host, be sure to use AWS credentials that are already mapped to your cluster's RBAC configuration, or add the IAM principal that your bastion will use to the RBAC configuration before you remove endpoint public access. For more information, see Grant access to Kubernetes APIs and Unauthorized or access denied (kubectl).

AWS Cloud9 IDE
AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. You can create an AWS Cloud9 IDE in your cluster's VPC and use the IDE to communicate with your cluster. For more information, see Creating an environment in AWS Cloud9. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your IDE security group. For more information, see Amazon EKS security group requirements and considerations.

When you configure kubectl for your AWS Cloud9 IDE, be sure to use AWS credentials that are already mapped to your cluster's RBAC configuration, or add the IAM principal that your IDE will use to the RBAC configuration before you remove endpoint public access. For more information, see Grant access to Kubernetes APIs and Unauthorized or access denied (kubectl).

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.