Private Access

How to create private EKS clusters

This section helps you to enable private access for your Amazon EKS cluster’s Kubernetes API server endpoint and completely disable public access so that it’s not accessible from the internet.

Enable Private Access for your cluster’s API server endpoint

You can enable private access to the Kubernetes API server so that all communication between your worker nodes and the API server stays within your VPC. You can also completely disable public access to your API server so that it’s not accessible from the internet.

You can enable private access in ${KUBEFLOW_SRC}/${KFAPP}/aws_config/cluster_features.sh.

  1. PRIVATE_LINK=false
  2. ENDPOINT_PUBLIC_ACCESS=true
  3. ENDPOINT_PRIVATE_ACCESS=false

By default, this API server endpoint is public to the internet (ENDPOINT_PUBLIC_ACCESS=true) , and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (ENDPOINT_PRIVATE_ACCESS=false).

You can enable private access to the Kubernetes API server so that all communication between your worker nodes and the API server stays within your VPC (ENDPOINT_PRIVATE_ACCESS=true). You can also completely disable public access to your API server so that it’s not accessible from the internet (ENDPOINT_PUBLIC_ACCESS=false). In this case, you need to have an instance inside your VPC to talk with your Kubernetes API server.

Note: You may see InvalidParameterException if you have invalid combination.

Please check Amazon EKS Cluster Endpoint Access Control for more details.