Skip to content

Commit

Permalink
Add documentation for utils update-cluster-vpc-config
Browse files Browse the repository at this point in the history
  • Loading branch information
cpu1 committed Oct 24, 2023
1 parent 79b271e commit c2c91ab
Show file tree
Hide file tree
Showing 5 changed files with 142 additions and 5 deletions.
22 changes: 22 additions & 0 deletions examples/38-cluster-subnets-sgs.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# An example config for updating API server endpoint access, public access CIDRs, and control plane subnets and security groups.
# To perform the update, run `eksctl utils update-cluster-vpc-config -f 38-cluster-subnets-sgs.yaml`

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: cluster-38
region: us-west-2

iam:
withOIDC: true

vpc:
controlPlaneSubnetIDs: [subnet-1234, subnet-5678]
controlPlaneSecurityGroupIDs: [sg-1234, sg-5678]
clusterEndpoints:
publicAccess: true
privateAccess: true
publicAccessCIDRs: ["1.1.1.1/32"]

managedNodeGroups:
- name: mng1
1 change: 1 addition & 0 deletions userdocs/mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,7 @@ nav:
- usage/vpc-configuration.md
- usage/vpc-subnet-settings.md
- usage/vpc-cluster-access.md
- usage/cluster-subnets-security-groups.md
- usage/vpc-ip-family.md
- IAM:
- usage/minimum-iam-policies.md
Expand Down
2 changes: 2 additions & 0 deletions userdocs/src/getting-started.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
# Getting started

!!! tip "New for 2023"
`eksctl` now supports [updating the subnets and security groups](/usage/cluster-subnets-security-groups) associated with the EKS control plane.

`eksctl` now supports creating fully private clusters on [AWS Outposts](/usage/outposts).

`eksctl` now supports new ISO regions `us-iso-east-1` and `us-isob-east-1`.
Expand Down
83 changes: 83 additions & 0 deletions userdocs/src/usage/cluster-subnets-security-groups.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
# Updating control plane subnets and security groups

## Updating control plane subnets
When a cluster is created with eksctl, a set of public and private subnets are created and passed to the EKS API.
EKS creates 2 to 4 cross-account elastic network interfaces (ENIs) in those subnets to enable communication between the EKS
managed Kubernetes control plane and your VPC.

To update the subnets used by the EKS control plane, run:

```console
eksctl utils update-cluster-vpc-config --cluster=<cluster> --control-plane-subnet-ids=subnet-1234,subnet-5678
```

To update the setting using a config file:

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: cluster
region: us-west-2

vpc:
controlPlaneSubnetIDs: [subnet-1234, subnet-5678]
```
```console
eksctl utils update-cluster-vpc-config -f config.yaml
```

Without the `--approve` flag, eksctl only logs the proposed changes. Once you are satisfied with the proposed changes, rerun the command with
the `--approve` flag.

## Updating control plane security groups
To manage traffic between the control plane and worker nodes, EKS supports passing additional security groups that are applied to the cross-account network interfaces
provisioned by EKS. To update the security groups for the EKS control plane, run:

```console
eksctl utils update-cluster-vpc-config --cluster=<cluster> --control-plane-security-group-ids=sg-1234,sg-5678 --approve
```

To update the setting using a config file:

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: cluster
region: us-west-2

vpc:
controlPlaneSecurityGroupIDs: [sg-1234, sg-5678]
```
```console
eksctl utils update-cluster-vpc-config -f config.yaml
```

To update both control plane subnets and security groups for a cluster, run:

```console
eksctl utils update-cluster-vpc-config --cluster=<cluster> --control-plane-subnet-ids=<> --control-plane-security-group-ids=<> --approve
```

To update both fields using a config file:

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: cluster
region: us-west-2

vpc:
controlPlaneSubnetIDs: [subnet-1234, subnet-5678]
controlPlaneSecurityGroupIDs: [sg-1234, sg-5678]
```
```console
eksctl utils update-cluster-vpc-config -f config.yaml
```

For a complete example, refer to [https://github.com/eksctl-io/eksctl/blob/main/examples/38-cluster-subnets-sgs.yaml](cluster-subnets-sgs.yaml).
39 changes: 34 additions & 5 deletions userdocs/src/usage/vpc-cluster-access.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,14 +33,18 @@ There are some additional caveats when configuring Kubernetes API endpoint acces

The following is an example of how one could configure the Kubernetes API endpoint access using the `utils` sub-command:

```console
eksctl utils update-cluster-vpc-config --cluster=<clustername> --private-access=true --public-access=false
```
eksctl utils update-cluster-endpoints --name=<clustername> --private-access=true --public-access=false
```

!!! warning
`eksctl utils update-cluster-endpoints` has been deprecated in favour of `eksctl utils update-cluster-vpc-config`
and will be removed soon.

To update the setting using a `ClusterConfig` file, use:

```console
eksctl utils update-cluster-endpoints -f config.yaml --approve
eksctl utils update-cluster-vpc-config -f config.yaml --approve
```

Note that if you don't pass a flag, it will keep the current value. Once you are satisfied with the proposed changes,
Expand All @@ -59,13 +63,17 @@ vpc:
To update the restrictions on an existing cluster, use:

```console
eksctl utils set-public-access-cidrs --cluster=<cluster> 1.1.1.1/32,2.2.2.0/24
eksctl utils update-cluster-vpc-config --cluster=<cluster> 1.1.1.1/32,2.2.2.0/24
```

!!! warning
`eksctl utils set-public-access-cidrs` has been deprecated in favour of `eksctl utils update-cluster-vpc-config`
and will be removed soon.

To update the restrictions using a `ClusterConfig` file, set the new CIDRs in `vpc.publicAccessCIDRs` and run:

```console
eksctl utils set-public-access-cidrs -f config.yaml
eksctl utils update-cluster-vpc-config -f config.yaml
```

!!! warning
Expand All @@ -81,3 +89,24 @@ eksctl utils set-public-access-cidrs -f config.yaml
the internet. (Source: https://github.com/aws/containers-roadmap/issues/108#issuecomment-552766489)

Implementation notes: https://github.com/aws/containers-roadmap/issues/108#issuecomment-552698875


To update both API server endpoint access and public access CIDRs for a cluster in a single command, run:

```console
eksctl utils update-cluster-vpc-config --cluster=<cluster> --public-access=true --private-access=true --public-access-cidrs=1.1.1.1/32,2.2.2.0/24
```

To update the setting using a config file:

```yaml
vpc:
clusterEndpoints:
publicAccess: <true|false>
privateAccess: <true|false>
publicAccessCIDRs: ["1.1.1.1/32"]
```

```console
eksctl utils update-cluster-vpc-config --cluster=<cluster> -f config.yaml
```

0 comments on commit c2c91ab

Please sign in to comment.