AWS::EKS::Cluster - ResourcesVpcConfig-endpointPrivateAccess #118

Closed
dnascimento opened this issue Aug 8, 2019 · 9 comments
Labels
compute EC2, ECR, ECS, EKS, Lambda, Batch, Elastic Beanstalk, Serverless Application Repository
Milestone

Comments

@dnascimento

dnascimento commented Aug 8, 2019

1. Title

AWS::EKS::Cluster-ResourcesVpcConfig-endpointPrivateAccess

2. Scope of request

AWS::EKS::Cluster-ResourcesVpcConfig supports SecurityGroupIds and SubnetIds but not endpointPrivateAccess and endpointPublicAccess. These properties can be created via the API but not via CloudFormation.

3. Expected behavior

Allow users to set endpointPrivateAccess=True/False and endpointPublicAccess=True/False

Type: AWS::EKS::Cluster
Properties:
  Name: String
  ResourcesVpcConfig:
    SecurityGroupIds:
      - String
    SubnetIds:
      - String
    EndpointPrivateAccess: Boolean
    EndpointPublicAccess: Boolean
  RoleArn: String
  Version: String

4. Suggest specific test cases

Many users do not want to expose their EKS API to the public and/or need to expose a private endpoint for EKS. This is a blocker for many customers, as their security policies don't allow public endpoints. EKS Cluster Endpoint Access
As an alternative, many are using awscli and terraform.

5. Helpful Links to speed up research and evaluation

EKS API Reference
EKS Cluster Endpoint Access

eksctl-io/eksctl#649
eksctl-io/eksctl#778
aws/containers-roadmap#242
https://github.com/aws-quickstart/quickstart-amazon-eks/issues/37

6. Category

  1. Compute (EKS)
@rjlohan rjlohan added the compute EC2, ECR, ECS, EKS, Lambda, Batch, Elastic Beanstalk, Serverless Application Repository label Aug 9, 2019
@luiseduardocolon luiseduardocolon added this to Researching in coverage-roadmap Oct 18, 2019
@luiseduardocolon luiseduardocolon moved this from Researching to We're working on it in coverage-roadmap Nov 7, 2019
@dnascimento
Author

@luiseduardocolon what is the ETA for this feature?

@rwkarg

rwkarg commented Jan 16, 2020

Would adding CIDR ranges (publicAccessCidrs) for public endpoints be a separate issue or looped in to this one?

@luiseduardocolon
Contributor

@dnascimento we don't have an ETA currently. @rwkarg unsure, I will ask.

@craigataws craigataws added this to the cov milestone Jul 21, 2020
@seb-steuer

@luiseduardocolon I would like to add that updating the AWS::EKS::Cluster resource to include ResourcesVpcConfig, if you only define/change EndpointPrivateAccess, EndpointPublicAccess or PublicAccessCidrs, should NOT require replacement. Currently adding ResourcesVpcConfig requires replacement, which is not needed to only change values for public/private access in the API/CLI. CloudFormation should allow the same level of flexibility.

Kind regards

@gabegorelick

This is an issue from a security standpoint since CloudFormation creates clusters with endpointPublicAccess enabled. Only after creation can you disable that, which means there's a window where your cluster is publicly accessible.

It's also a pain because it can take ~15 minutes (in my testing) to modify resourcesVpcConfig, which adds to the total amount of time it takes to provision a cluster (which already takes a long time).
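The exposure window described in the original request and in the comment above can be caught before a stack is deployed. The following static check is an added example, not code from this issue or from the CloudFormation project: it walks a CloudFormation template, scores every AWS::EKS::Cluster with the EKS API defaults (public endpoint on, private endpoint off, PublicAccessCidrs 0.0.0.0/0) wherever the properties are absent, and reports the resulting endpoint exposure. The embedded template, its logical ids, account id, subnet and security group ids are constructed placeholders.

```python
import json
from typing import Any

# Constructed CloudFormation template (JSON form). "Legacy" is the pre-feature
# shape from this issue: no endpoint settings, so the EKS API defaults apply
# (public endpoint on, private off, PublicAccessCidrs 0.0.0.0/0). "Hardened"
# uses the ResourcesVpcConfig properties the resource supports today.
TEMPLATE = json.loads("""{"Resources": {
  "Legacy": {"Type": "AWS::EKS::Cluster", "Properties": {
    "RoleArn": "arn:aws:iam::123456789012:role/eks-cluster-role",
    "ResourcesVpcConfig": {
      "SecurityGroupIds": ["sg-0123456789abcdef0"],
      "SubnetIds": ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]}}},
  "Hardened": {"Type": "AWS::EKS::Cluster", "Properties": {
    "RoleArn": "arn:aws:iam::123456789012:role/eks-cluster-role",
    "ResourcesVpcConfig": {
      "SubnetIds": ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"],
      "EndpointPrivateAccess": true,
      "EndpointPublicAccess": false}}}}}""")

INTERNET = "0.0.0.0/0"

def endpoint_findings(template: dict[str, Any]) -> dict[str, list[str]]:
    """Map each AWS::EKS::Cluster logical id to its endpoint-exposure findings.

    Absent properties are scored with the EKS API defaults, which is the
    exposure window described in the thread; an empty list means the
    cluster exposes only a private endpoint."""
    findings: dict[str, list[str]] = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EKS::Cluster":
            continue
        vpc = res.get("Properties", {}).get("ResourcesVpcConfig", {})
        public = vpc.get("EndpointPublicAccess", True)
        private = vpc.get("EndpointPrivateAccess", False)
        cidrs = vpc.get("PublicAccessCidrs", [INTERNET])
        issues: list[str] = []
        if not isinstance(public, bool) or not isinstance(private, bool):
            # Intrinsic functions (Ref, Fn::If) cannot be resolved statically.
            issues.append("endpoint flags are not literal booleans; review manually")
        elif public and INTERNET in cidrs:
            issues.append("public API endpoint open to 0.0.0.0/0")
        elif public:
            issues.append(f"public API endpoint restricted to {cidrs}")
        if isinstance(private, bool) and not private:
            issues.append("no private endpoint; nodes reach the API via the public endpoint")
        findings[logical_id] = issues
    return findings
```

Run it over a real template with `endpoint_findings(json.load(open("template.json")))`; a non-empty list for any cluster is the exposure a private-only policy would reject.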

@WaelA WaelA changed the title AWS::EKS::Cluster-ResourcesVpcConfig-endpointPrivateAccess AWS::EKS::Cluster - ResourcesVpcConfig-endpointPrivateAccess Aug 4, 2021
@xor007

xor007 commented Aug 16, 2021

+1 we need this

@cfn-github-issues-bot cfn-github-issues-bot moved this from We're working on it to Researching in coverage-roadmap Aug 19, 2021
@lynnnnnnluo

lynnnnnnluo commented Aug 20, 2021

Tags, Logging and endpoint access will be supported in the next release

@cfn-github-issues-bot cfn-github-issues-bot moved this from Researching to Shipped in coverage-roadmap Aug 20, 2021
@rohits-spec rohits-spec reopened this Aug 20, 2021
@cfn-github-issues-bot cfn-github-issues-bot moved this from Shipped to We're working on it in coverage-roadmap Aug 20, 2021
@aws-tatarkin

Hi any updates?

Related: aws/containers-roadmap#242

@mikestef9

mikestef9 commented Nov 10, 2021

This feature is now available using the EKS cluster CFN resource

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html

@cfn-github-issues-bot cfn-github-issues-bot moved this from We're working on it to Researching in coverage-roadmap Nov 11, 2021
@cfn-github-issues-bot cfn-github-issues-bot moved this from Researching to Shipped in coverage-roadmap Nov 12, 2021