Cloudformation-coverage-roadmap: AWS::EKS::Cluster-ResourcesVpcConfig-endpointPrivateAccess

Created on 8 Aug 2019  路  5Comments  路  Source: aws-cloudformation/cloudformation-coverage-roadmap

1. Title

AWS::EKS::Cluster-ResourcesVpcConfig-endpointPrivateAccess

2. Scope of request

AWS::EKS::Cluster-ResourcesVpcConfig supports SecurityGroupIds and SubnetIds but not endpointPrivateAccess and endpointPublicAccess. These properties can be created via API but not via CloudFormation.

3. Expected behavior

Allow users to set endpointPrivateAccess=True/False and endpointPublicAccess=True/False

Type: AWS::EKS::Cluster
Properties: 
  Name: String
  ResourcesVpcConfig: 
    SecurityGroupIds:
        - String
    SubnetIds: 
        - String
    EndpointPrivateAccess: Boolean
    EndpointPublicAccess: Boolean
  RoleArn: String
  Version: String

4. Suggest specific test cases

Many users do not want to expose their EKS API to public and/or need to expose a private endpoint to EKS. This is a blocker for many customers as their security policies don't allow public endpoints. EKS Cluster Endpoint Access
As alternative, many are using awscli and terraform.

5. Helpful Links to speed up research and evaluation

EKS API Reference
EKS Cluster Endpoint Access

https://github.com/weaveworks/eksctl/issues/649
https://github.com/weaveworks/eksctl/issues/778
https://github.com/aws/containers-roadmap/issues/242
https://github.com/aws-quickstart/quickstart-amazon-eks/issues/37

6. Category

  1. Compute (EKS)
compute
Source
picture dnascimento
👍81

Most helpful comment

Would adding CIDR ranges (publicAccessCidrs) for public endpoints be a separate issue or looped in to this one?

picture rwkarg on 16 Jan 2020
👍4 😄1

All 5 comments

@luiseduardocolon what is the ETA for this feature?

dnascimento picture dnascimento on 11 Jan 2020
👀2

Would adding CIDR ranges (publicAccessCidrs) for public endpoints be a separate issue or looped in to this one?

rwkarg picture rwkarg on 16 Jan 2020
👍4 😄1

@dnascimento we don't have an ETA currently. @rwkarg unsure, I will ask.

luiseduardocolon picture luiseduardocolon on 1 Apr 2020

@luiseduardocolon I would like to add that updating AWS::EKS::Cluster resource to include ResourcesVpcConfig if you only define/change EndpointPrivateAccess, EndpointPublicAccess or PublicAccessCidrs should NOT require replacement. Currently adding ResourcesVpcConfig requires replacement which is not needed to only change values for public/private access in the API/CLI CloudFormation should allow the same level of flexibility.

Kind regards

seb-steuer picture seb-steuer on 30 Oct 2020
👍1

This is an issue from a security standpoint since CloudFormation creates clusters with endpointPublicAccess enabled. Only after creation can you disable that, which means there's a window where your cluster is publicly accessible.

It's also a pain because it can take ~15 minutes (in my testing) to modify resourcesVpcConfig, which adds to the total amount of time it takes to provision a cluster (which already takes a long time).

gabegorelick picture gabegorelick on 6 Apr 2021
👀1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

san-san picture san-san  路  3Comments
seansummers picture seansummers  路  3Comments
msaggar picture msaggar  路  3Comments
fimbulvetr picture fimbulvetr  路  3Comments
rjpereira picture rjpereira  路  4Comments