When I create an EKS cluster, I can access the master node from anywhere, even though the control plane security group only allows worker-to-control-plane connectivity (default configuration).

How can the access to the control plane be limited to a security group?

Paddy

1 Answer


You can't.

The EKS master nodes are managed by AWS and are run in a different account. You need access to the internet in order to reach the endpoint, and security groups won't stop anyone else from hitting the public endpoint.

Run a dig against the API server endpoint and you can see this:

{hash}.sk1.us-east-1.eks.amazonaws.com. 59 IN   A xxx.xxx.xxx.xxx
{hash}.sk1.us-east-1.eks.amazonaws.com. 59 IN   A xxx.xxx.xxx.xxx

This is just the API endpoint though, and I suspect that the master nodes are not actually publicly accessible, only the API endpoint, and I am certain that the API has the same AWS authentication measures as any other service's public API endpoint.
https://docs.aws.amazon.com/general/latest/gr/rande.html#eks_region

I would suggest going through the EKS VPC tutorial and reading the section in the docs on EKS Networking.

RtmY
Brandon
  • damn, spooky. It's not clear at all in the documentation that this is the case, though through our experience it is in fact the case. – Mr.Budris Jan 24 '19 at 19:20
  • 2
    I think this is a new feature but it is now possible to configure EKS to use a private API endpoint: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html – FGreg Mar 21 '19 at 23:01
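The answer above predates the private-endpoint option that FGreg's comment links to. As an added example (not code from the question, the answer or AWS), the following Python reads the resourcesVpcConfig block that `aws eks describe-cluster` returns, reports whether the API endpoint is reachable from the internet, and builds the update_cluster_config argument that enables private access and restricts or disables the public endpoint. The sample config, cluster name and CIDR are constructed placeholders; boto3 is only needed for the final function.

```python
"""Assess and harden an EKS cluster's API endpoint exposure.

Security groups never apply to the EKS API endpoint, so the only
controls are the endpoint access settings (plus IAM authentication,
which still applies even on the public endpoint).
"""
import ipaddress

# Constructed sample: what a cluster created with the defaults of the
# time looked like (public endpoint, no private endpoint, open CIDR).
DEFAULT_VPC_CONFIG = {
    "endpointPublicAccess": True,
    "endpointPrivateAccess": False,
    "publicAccessCidrs": ["0.0.0.0/0"],
}


def assess_endpoint(vpc_config):
    """Return findings for a cluster.resourcesVpcConfig object; [] is clean."""
    findings = []
    public = vpc_config.get("endpointPublicAccess", True)
    private = vpc_config.get("endpointPrivateAccess", False)
    cidrs = vpc_config.get("publicAccessCidrs", ["0.0.0.0/0"])
    if public and any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
        findings.append("public-endpoint-open-to-internet")
    elif public:
        findings.append("public-endpoint-cidr-restricted")
    if public and not private:
        # Without private access, even in-VPC kubectl/kubelet traffic
        # resolves the endpoint to its public IPs and leaves the VPC.
        findings.append("in-vpc-traffic-leaves-vpc")
    if not public and not private:
        findings.append("invalid-no-endpoint")  # AWS rejects this combination
    return findings


def hardened_config(allowed_cidrs):
    """Build resourcesVpcConfig: private on, public only for allowed CIDRs."""
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
    config = {"endpointPrivateAccess": True,
              "endpointPublicAccess": bool(allowed_cidrs)}
    if allowed_cidrs:
        config["publicAccessCidrs"] = list(allowed_cidrs)
    return config


def apply_hardening(cluster_name, allowed_cidrs, region=None):
    """Push the hardened config; needs boto3 and eks:UpdateClusterConfig."""
    import boto3  # lazy import so the assessment runs without the SDK
    eks = boto3.client("eks", region_name=region)
    resp = eks.update_cluster_config(
        name=cluster_name, resourcesVpcConfig=hardened_config(allowed_cidrs))
    return resp["update"]["id"]  # poll with describe_update until Successful
```

Passing an empty CIDR list to hardened_config turns the public endpoint off entirely, which is the private-only mode from the linked docs.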