In AWS EKS, what security group allows access to master node from kubernetes client?

amazon-web-services kubernetes

When I create a EKS cluster, I can access the master node from anywhere. Even though, the control plane security group only allows the worker to control plane connectivity (default configuration).

How can the access to the control plane be limited to a security group?


You can't

The EKS master nodes are managed by AWS and are run in a different account. You need access to the internet in order to reach the endpoint, and security groups won't stop anyone else from hitting the public endpoint.

Run a Dig against the API server endpoint and you can see this:

{hash}.sk1.us-east-1.eks.amazonaws.com. 59 IN   A xxx.xxx.xxx.xxx
{hash}.sk1.us-east-1.eks.amazonaws.com. 59 IN   A xxx.xxx.xxx.xxx

This is just the API endpoint though, and I suspect that the master nodes are not actually publicly accessible, only the API endpoint, and I am certain that the API has the same AWS authentication measures as any other service's public API endpoint.
https://docs.aws.amazon.com/general/latest/gr/rande.html#eks_region

I would suggest going through the EKS VPC tutorial and the read the section in the docs on EKS Networking.

Related

PHP 7.2.8 PDO Fails to Connect to MySQL 8.0.12 (GA) in AWS EC2 LEMP Stack
Kubernetes: detect and auto-update deployment on image update
How can I duplicate incoming DNS packets and send them to a different nameserver with iptables?
Copying over indexes with AWS DMS
SSH authentication sequence and key files : explain
Connecting two buildings, 250 meters, heavy snow country, high lighting risk
systemctl stops Tomcat service immediately after start
How can IPv6 clients find servers such as NTP, SIP
Shrinking a preallocated VMDK
What is Edge to Edge Routing?
Journalctl and syslog: How does it actually work? [closed]
ReFS with or without hardware RAID? With or without storage spaces?