AWS::EKS::Cluster - ResourcesVpcConfig-endpointPrivateAccess #118
Comments
@luiseduardocolon what is the ETA for this feature?
Would adding CIDR ranges (
@dnascimento we don't have an ETA currently. @rwkarg unsure, I will ask.
@luiseduardocolon I would like to add that updating the AWS::EKS::Cluster resource to include ResourcesVpcConfig, if you only define/change EndpointPrivateAccess, EndpointPublicAccess or PublicAccessCidrs, should NOT require replacement. Currently adding ResourcesVpcConfig requires replacement, which is not needed to only change values for public/private access in the API/CLI. CloudFormation should allow the same level of flexibility. Kind regards
This is an issue from a security standpoint since CloudFormation creates clusters with endpointPublicAccess enabled. Only after creation can you disable that, which means there's a window where your cluster is publicly accessible. It's also a pain because it can take ~15 minutes (in my testing) to modify
+1 we need this |
Tags, logging and endpoint access will be supported in the next release
Hi any updates? Related: aws/containers-roadmap#242 |
This feature is now available using the EKS cluster CFN resource https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html |
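An added example, not taken from the issue or from the AWS documentation, showing the properties this request asked for on an AWS::EKS::Cluster resource. The endpoint access is fixed at creation time, so the cluster never passes through the publicly reachable state described earlier in the thread; the role ARN, subnet, security group and CIDR values are placeholder parameters.

```yaml
# Added example: EKS cluster whose API endpoint is private from the moment
# it is created. All parameter values are placeholders supplied at deploy time.
AWSTemplateFormatVersion: "2010-09-09"
Description: EKS cluster with endpoint access set in ResourcesVpcConfig (example)

Parameters:
  ClusterRoleArn:
    Type: String
    Description: IAM role the EKS control plane assumes (placeholder)
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets in at least two AZs for the control plane ENIs
  ControlPlaneSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  TrustedCidr:
    Type: String
    Default: 203.0.113.0/24   # documentation range, placeholder only
    Description: Only used by the restricted-public variant below

Resources:
  PrivateOnlyCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: private-only-cluster
      RoleArn: !Ref ClusterRoleArn
      ResourcesVpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds:
          - !Ref ControlPlaneSecurityGroupId
        # Weak default if these two keys are omitted: public endpoint on,
        # reachable from 0.0.0.0/0, and only changeable after creation.
        EndpointPrivateAccess: true
        EndpointPublicAccess: false

  # Alternative when some access from outside the VPC is unavoidable:
  # keep the public endpoint but limit it to a known CIDR (the option
  # raised in the thread). Remove one of the two resources before deploying.
  RestrictedPublicCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: restricted-public-cluster
      RoleArn: !Ref ClusterRoleArn
      ResourcesVpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds:
          - !Ref ControlPlaneSecurityGroupId
        EndpointPrivateAccess: true
        EndpointPublicAccess: true
        PublicAccessCidrs:
          - !Ref TrustedCidr
```

With private access enabled, kubectl and the node bootstrap must reach the endpoint through the VPC (VPN, Direct Connect or a bastion), so verify that path before turning public access off.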
1. Title
AWS::EKS::Cluster-ResourcesVpcConfig-endpointPrivateAccess
2. Scope of request
AWS::EKS::Cluster-ResourcesVpcConfig supports SecurityGroupIds and SubnetIds but not endpointPrivateAccess and endpointPublicAccess. These properties can be created via API but not via CloudFormation.
3. Expected behavior
Allow users to set endpointPrivateAccess=True/False and endpointPublicAccess=True/False
4. Suggest specific test cases
Many users do not want to expose their EKS API to public and/or need to expose a private endpoint to EKS. This is a blocker for many customers as their security policies don't allow public endpoints. EKS Cluster Endpoint Access
As an alternative, many are using awscli and terraform.
5. Helpful Links to speed up research and evaluation
EKS API Reference
EKS Cluster Endpoint Access
eksctl-io/eksctl#649
eksctl-io/eksctl#778
aws/containers-roadmap#242
https://github.com/aws-quickstart/quickstart-amazon-eks/issues/37
6. Category