aws-quickstart / cdk-eks-blueprints

AWS Quick Start Team
Apache License 2.0

Limit public endpoint access to specific CIDRs #521

Closed aceat64 closed 1 year ago

aceat64 commented 1 year ago

Describe the feature

Allow limiting access to the public EKS/K8S endpoints to a list of CIDRs.

Use Case

This would allow users to protect the endpoint from being accessed by anyone, without having to set it to private and then establish a link of some kind to the VPC (e.g. VPN).

Proposed Solution

EKS clusters with EndpointAccess set to PUBLIC_AND_PRIVATE (or PUBLIC) can optionally specify a list of CIDR blocks that are allowed to access the endpoint. Currently the ClusterProvider only exposes the privateCluster option as a boolean, with the default (true) setting the cluster to PUBLIC_AND_PRIVATE. This option could be replaced with one that accepts an EndpointAccess object, as it already includes a method for restricting public access.

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.EndpointAccess.html

Other Information

No response

Acknowledgements

CDK version used

2.43.0

EKS Blueprints Version

1.3.0

Node.js Version

v18.9.0

Environment details (OS name and version, etc.)

macOS M1

bnaydenov commented 1 year ago

@aceat64 you can do it using ClusterProvider and setting endpointAccess: eks.EndpointAccess.PUBLIC_AND_PRIVATE.onlyFrom(...cidr: string[])

See example below.

import * as cdk from 'aws-cdk-lib';
import * as eks from 'aws-cdk-lib/aws-eks';
import * as blueprints from '@aws-quickstart/eks-blueprints';
import { Construct } from 'constructs';

export default class YourClusterConstruct extends Construct {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id);

    // Account and region come from the stack props handed in by the caller.
    const account = props?.env?.account!;
    const region = props?.env?.region!;

    const clusterProvider = new blueprints.GenericClusterProvider({
      version: eks.KubernetesVersion.V1_21,
      // The public endpoint stays enabled but only these CIDRs may reach it;
      // the private endpoint remains reachable from inside the VPC.
      endpointAccess: eks.EndpointAccess.PUBLIC_AND_PRIVATE.onlyFrom('1.1.1.1/32', '2.2.2.2/32'),
    });

    const blueprint = blueprints.EksBlueprint.builder()
      .clusterProvider(clusterProvider)
      .account(account)
      .region(region)
      .addOns()
      .teams()
      .build(scope, id + '-eks');
  }
}
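As an added example (not code from this issue or from the eks-blueprints project), a small TypeScript guard that validates the CIDR list before it is handed to onlyFrom(...): it rejects malformed entries, /0 (which would leave the endpoint fully public), blocks broader than a policy minimum, entries with host bits set, and duplicates. The names checkPublicAccessCidrs and parseIpv4Cidr and the /16 default are this example's own assumptions, and it handles IPv4 only.

```typescript
// Added example, not code from the issue or the eks-blueprints project.
// Guard for the IPv4 CIDR list passed to eks.EndpointAccess.PUBLIC_AND_PRIVATE.onlyFrom(...):
// a typo or an over-broad block here silently reopens the API server to the internet.
// Assumptions: IPv4 only; the /16 policy minimum is this example's own choice.
export interface CidrCheck {
  ok: boolean;       // true when every entry was accepted
  cidrs: string[];   // canonical form of accepted entries (host bits cleared)
  errors: string[];  // one message per rejected entry
}

const CIDR_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/;

// Parse "a.b.c.d/n" into an unsigned 32-bit address and prefix length; null if malformed.
export function parseIpv4Cidr(cidr: string): { addr: number; prefix: number } | null {
  const m = CIDR_RE.exec(cidr.trim());
  if (!m) return null;
  const octets = [1, 2, 3, 4].map((i) => Number(m[i]));
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) return null;
  // ">>> 0" keeps the accumulator as an unsigned 32-bit integer.
  const addr = octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
  return { addr, prefix };
}

function formatIpv4(addr: number): string {
  return [24, 16, 8, 0].map((s) => (addr >>> s) & 255).join('.');
}

// minPrefix is the shortest prefix (largest block) the policy tolerates.
// /0 is always rejected: onlyFrom('0.0.0.0/0') is the same as no restriction at all.
export function checkPublicAccessCidrs(cidrs: string[], minPrefix = 16): CidrCheck {
  const out: CidrCheck = { ok: true, cidrs: [], errors: [] };
  const seen = new Set<string>();
  for (const raw of cidrs) {
    const parsed = parseIpv4Cidr(raw);
    if (!parsed) { out.errors.push(`${raw}: not a valid IPv4 CIDR`); continue; }
    const { addr, prefix } = parsed;
    if (prefix === 0) { out.errors.push(`${raw}: /0 allows the whole internet`); continue; }
    if (prefix < minPrefix) { out.errors.push(`${raw}: broader than the /${minPrefix} minimum`); continue; }
    const network = (addr & (0xffffffff << (32 - prefix))) >>> 0; // prefix >= 1 here, so the shift is < 32
    if (network !== addr) {
      out.errors.push(`${raw}: host bits set (did you mean ${formatIpv4(network)}/${prefix}?)`);
      continue;
    }
    const canon = `${formatIpv4(addr)}/${prefix}`;
    if (seen.has(canon)) { out.errors.push(`${raw}: duplicate of ${canon}`); continue; }
    seen.add(canon);
    out.cidrs.push(canon);
  }
  out.ok = out.errors.length === 0;
  return out;
}
```

Run the check in the construct (or a unit test) against the list you intend to pass to onlyFrom and fail synthesis when ok is false, so a bad allow-list never reaches a deployed cluster.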