
How is eks cluster accessible when deployed in a private subnet?

When deploying an EKS cluster, the best practice is to deploy the managed control plane in private subnets. In terms of accessibility, the default option is a public cluster, meaning that I can access it locally with the kubectl tool and an updated kubeconfig.

How am I able to access the cluster if it is deployed in private subnets with no inbound traffic? As per the documentation, AWS creates a managed endpoint that can access the cluster from within the AWS network.

What is the architecture behind it, how does it internally work? Is there some kind of a proxy (agent) being deployed (I found aws-node)?

  1. deployed my own EKS cluster
  2. read the documentation
  3. tried to scrape for additional info

The type of EKS networking you're setting up is configured to restrict access to the API server with a private endpoint that's only accessible from within the VPC. So any Kubernetes API requests (kubectl commands) have to originate from within the VPC (public or private subnets). If you are doing this as a personal project, then you can do the following:

  1. Create a bastion host in the public subnet of your VPC with a key pair. Launch this host with user data that installs kubectl and any other CLI tools you need.
  2. Access the bastion host via SSH from your workstation to ensure it works as expected.
  3. Check that the security group attached to your EKS control plane can receive 443 traffic from the public subnet. You can create a rule for this if one doesn't exist. This will enable communication between the bastion host in the public subnet and the cluster in the private subnets.
  4. Access the bastion host and then use it to communicate with the cluster just as you would with your personal machine. For example, run aws eks --region <region> update-kubeconfig --name <name-of-your-cluster> to update your kubeconfig and then proceed to run kubectl commands.

Sidenote: If this is for an enterprise project, you can also look into using AWS VPN or DirectConnect to access the VPC.

Other helpful resources:
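An added example, not part of the answer above, that checks steps 1 and 3 offline: it classifies the endpoint mode from `aws eks describe-cluster` output and verifies that the cluster security group admits TCP/443 from the bastion's subnet CIDR or security group, flagging a 0.0.0.0/0 rule as broader than the bastion needs. The JSON documents, CIDRs and group ids are constructed samples in the shape the two AWS CLI commands return.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws eks describe-cluster --name <cluster>` output (trimmed).
CLUSTER_JSON = json.dumps({"cluster": {"name": "demo", "resourcesVpcConfig": {
    "clusterSecurityGroupId": "sg-0cluster0000000000", "endpointPublicAccess": False,
    "endpointPrivateAccess": True, "publicAccessCidrs": []}}})

# Constructed sample in the shape of `aws ec2 describe-security-groups` output (trimmed):
# one rule opens 443 to the public subnet's CIDR, the other is the default self-referencing rule.
SG_JSON = json.dumps({"SecurityGroups": [{"GroupId": "sg-0cluster0000000000", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0cluster0000000000"}]}]}]})


def endpoint_mode(cluster_json):
    """Classify API endpoint exposure from describe-cluster output."""
    cfg = json.loads(cluster_json)["cluster"]["resourcesVpcConfig"]
    pub, priv = cfg["endpointPublicAccess"], cfg["endpointPrivateAccess"]
    if priv and not pub:
        return "private-only"  # kubectl must run inside the VPC (bastion, VPN, Direct Connect)
    return "public-and-private" if priv else "public-only"


def rule_allows_443(rule, source_cidr, source_sg):
    """True if one ingress rule admits TCP/443 from the bastion's CIDR or security group."""
    if rule["IpProtocol"] not in ("-1", "tcp"):
        return False
    if rule["IpProtocol"] == "tcp" and not rule["FromPort"] <= 443 <= rule["ToPort"]:
        return False
    src = ipaddress.ip_network(source_cidr)
    by_cidr = any(src.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in rule["IpRanges"])
    by_sg = any(p["GroupId"] == source_sg for p in rule["UserIdGroupPairs"])
    return by_cidr or by_sg


def check_bastion_path(cluster_json, sg_json, bastion_cidr, bastion_sg):
    """Return (reachable, overly_broad): whether 443 is open to the bastion, and whether
    any matching rule is wider than the bastion needs (0.0.0.0/0), which a reviewer should flag."""
    vpc_cfg = json.loads(cluster_json)["cluster"]["resourcesVpcConfig"]
    groups = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    matching = [r for r in groups[vpc_cfg["clusterSecurityGroupId"]]["IpPermissions"]
                if rule_allows_443(r, bastion_cidr, bastion_sg)]
    broad = any(ip["CidrIp"] == "0.0.0.0/0" for r in matching for ip in r["IpRanges"])
    return bool(matching), broad
```

Run the same checks against real output by piping the two CLI commands into files and loading them in place of the constructed samples.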
