[EKS] [Security] Allow restricting access to EKS Kubernetes Public API Endpoint by security group

[tgeoghegan]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

108 added the ability to define an allow-list of CIDRs that can reach the Kubernetes API endpoint. We would like the ability to manage this allow-list using a security group.

Which service(s) is this request for? EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? We have existing tooling built around security groups. We use their tags and the fact that individual ingress or egress rules on a security group can have descriptions in automation that analyses rules and can revoke them if they are expired or invalid. The existing API server allow-list only lets you specify a list of CIDRs in a call to UpdateClusterConfig, so there is nowhere to store metadata, and even if there was, we would have to write some new code to achieve parity with the current tools built on security groups.

[pgporada]

When I last updated the public API whitelist it took ~15 minutes which seems excessive. I'd appreciate being able to manage this via security group too.

[aRobinson-R7]

https://github.com/aws/containers-roadmap/issues/1349 mentioned the addition of EC2 Managed Prefix Lists, as well as security groups. We use prefix-lists to manage access from our network to EC2 / ALBs, and it would be very useful to use the same lists for access to EKS Clusters

[smailc]

Being able to use managed prefix lists would be a huge improvement. I would like to be able to add a prefix list of GitHub actions addresses for example.

[drewhemm]

I just hit this same issue. Am using Github Actions and want to restrict the public endpoint to the published IPv4 Actions IPs, plus a few of our own...

The alternative would be to run a self-hosted runner inside AWS, but that seems like a troublesome workaround.

[vuskeedoo]

+1

[jessesanford]

Restating my support on this issue given the other duplicate was closed. "I want to promote this feature as I think that this is a far more intuitive way of handling the whitelisting given the parity with all of the other amazon services that use security groups for traffic filtering. The current solution is very EKS centric and feels like it was just a stop gap solution to get ip whitelisting in place. Please prioritize this feature so that securing EKS API endpoints through firewalling is as familiar as other services."