Open tgeoghegan opened 4 years ago
When I last updated the public API whitelist it took ~15 minutes which seems excessive. I'd appreciate being able to manage this via security group too.
https://github.com/aws/containers-roadmap/issues/1349 mentioned the addition of EC2 Managed Prefix Lists, as well as security groups. We use prefix-lists to manage access from our network to EC2 / ALBs, and it would be very useful to use the same lists for access to EKS Clusters
Being able to use managed prefix lists would be a huge improvement. I would like to be able to add a prefix list of GitHub actions addresses for example.
I just hit this same issue. Am using Github Actions and want to restrict the public endpoint to the published IPv4 Actions IPs, plus a few of our own...
The alternative would be to run a self-hosted runner inside AWS, but that seems like a troublesome workaround.
+1
Restating my support on this issue given the other duplicate was closed. "I want to promote this feature as I think that this is a far more intuitive way of handling the whitelisting given the parity with all of the other amazon services that use security groups for traffic filtering. The current solution is very EKS centric and feels like it was just a stop gap solution to get ip whitelisting in place. Please prioritize this feature so that securing EKS API endpoints through firewalling is as familiar as other services."
Community Note
Tell us about your request
108 added the ability to define an allow-list of CIDRs that can reach the Kubernetes API endpoint. We would like the ability to manage this allow-list using a security group.
Which service(s) is this request for? EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? We have existing tooling built around security groups. We use their tags and the fact that individual ingress or egress rules on a security group can have descriptions in automation that analyses rules and can revoke them if they are expired or invalid. The existing API server allow-list only lets you specify a list of CIDRs in a call to
UpdateClusterConfig
, so there is nowhere to store metadata, and even if there was, we would have to write some new code to achieve parity with the current tools built on security groups.