Containers-roadmap: [EKS] Cloudformation support for control plane logging and endpoint access control

Created on 8 Apr 2019 · 12 comments · Source: aws/containers-roadmap

Ability to define control plane logging and endpoint access control (public/private) during EKS cluster creation and update via Cloudformation.

Which service(s) is this request for?
Amazon EKS, AWS Cloudformation

Are you currently working around this issue?
You can currently control these settings for EKS clusters using the EKS APIs, console, and AWS CLI.

Attachments
Control Plane logging: https://github.com/aws/containers-roadmap/issues/26
Endpoint access control: https://github.com/aws/containers-roadmap/issues/22

EKS

All 12 comments

Hello,

is there any ETA on this? We need to build dirty workarounds for this.

Best,
Icereed

Most people are doing "secure by default" and here AWS are doing "open to the internet" by default and all my carefully secured instances without any internet connectivity cannot join an EKS cluster. Unless I run the cloudformation and then manually enable the private access later.
Please hurry it up!
The feature is already there, it just needs exposing to CloudFormation.

+1

+1

Big +1. This just caused me a solid week of pulling my hair out trying to figure out why my private EC2 nodes won't bootstrap. Why, Amazon, why would you ever default to private off? I get public on, but private off? Why?

I would like to configure the EKS endpoint parameters via CloudFormation templates.
The current CloudFormation AWS::EKS::Cluster resource does not have any parameter to configure private/public endpoints. It creates the cluster with the public endpoint enabled, and we have to run some CLI commands to enable the private endpoint.

+1
Would love to see these features in CloudFormation:

  • endpointPrivateAccess
  • endpointPublicAccess
  • publicAccessCidrs
  • clusterLogging

This is already available in the API:
https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateCluster.html
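The four API fields listed above are the ones a template cannot set, so the practical workaround is to inspect a freshly created cluster and apply them afterwards. The following is an added example, not code from the issue thread or from AWS: it audits the `cluster` object returned by `aws eks describe-cluster` for the open-by-default settings the thread complains about and builds the arguments for `update-cluster-config` that would enable private access and control-plane logging. The sample response is constructed; the cluster name and allowed CIDR are placeholders.

```python
"""Audit EKS endpoint access and control-plane logging (added example)."""

# Every control-plane log type EKS can ship to CloudWatch Logs.
ALL_LOG_TYPES = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

# Constructed describe-cluster output reflecting the defaults a CloudFormation-created
# cluster gets: public endpoint open to all, private endpoint off, no logging.
SAMPLE_CLUSTER = {
    "name": "example-cluster",  # placeholder name
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
    "logging": {"clusterLogging": [{"types": ALL_LOG_TYPES, "enabled": False}]},
}


def enabled_log_types(cluster):
    """Return the set of control-plane log types currently enabled."""
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def audit_cluster(cluster):
    """Return findings for settings that leave the API server exposed or unlogged."""
    findings = []
    vpc = cluster.get("resourcesVpcConfig", {})
    if not vpc.get("endpointPrivateAccess", False):  # API default is False
        findings.append("endpointPrivateAccess is false: nodes without internet egress cannot reach the API server")
    if vpc.get("endpointPublicAccess", True) and "0.0.0.0/0" in vpc.get("publicAccessCidrs", ["0.0.0.0/0"]):
        findings.append("endpointPublicAccess is true with publicAccessCidrs 0.0.0.0/0: API server reachable from any IP")
    missing = sorted(set(ALL_LOG_TYPES) - enabled_log_types(cluster))
    if missing:
        findings.append("control-plane logging disabled for: " + ", ".join(missing))
    return findings


def remediation(cluster, allowed_cidrs):
    """Build update-cluster-config arguments: private access on, public access limited to
    allowed_cidrs (or off when the list is empty), all log types on. Kept as two calls,
    one per setting; publicAccessCidrs is only sent when public access stays enabled."""
    vpc = {"endpointPrivateAccess": True, "endpointPublicAccess": bool(allowed_cidrs)}
    if allowed_cidrs:
        vpc["publicAccessCidrs"] = list(allowed_cidrs)
    return [
        {"name": cluster["name"], "resourcesVpcConfig": vpc},
        {"name": cluster["name"], "logging": {"clusterLogging": [{"types": ALL_LOG_TYPES, "enabled": True}]}},
    ]
```

Feed each dict from `remediation()` to `aws eks update-cluster-config` (or boto3's `update_cluster_config`) once the cluster reaches ACTIVE, then re-run `audit_cluster()` on the new describe-cluster output to confirm the findings list is empty.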

It's not a good look when even Terraform beats CloudFormation to support both logging and private endpoints.

https://www.terraform.io/docs/providers/aws/r/eks_cluster.html#vpc_config-1

FYI the AWS Quick start team created their own custom CF resource to do this https://github.com/aws-quickstart/quickstart-amazon-eks-cluster-resource-provider

Commit to the quick start guide for reference https://github.com/aws-quickstart/quickstart-amazon-eks/commit/0bf72f132fbe9c34c84e4d2b9b2e0a603ec06d0b

It seems... weird... that the AWS quick start team had to create a workaround to do this instead of just baking that logic into the EKS CF resource itself?

I noticed today that the EKS CloudFormation resource has been updated to mention these parameters, but they are not in the example.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html

I have not tried it yet.

@clayvan I tried today and got a failed deploy: Property validation failure: [Encountered unsupported properties in {/ResourcesVpcConfig}: [EndpointPrivateAccess]]. I know there is some sort of way to disable validation that sometimes works, but I can't remember the syntax.
