Is your feature request related to a problem? Please describe.
As an enterprise user, I would like to:

Describe the solution you'd like
The current EKS module allows either private or public API endpoint.
only_from function (https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_eks/EndpointAccess.html#aws_cdk.aws_eks.EndpointAccess)

Describe alternatives you've considered
Creating a separate module that configures/locks down API network access. But this means the cluster will always be configured first with public access and then switched to limited access.

Additional context
Customers running GuardDuty detect malicious access attempts from IP scanners that attempt to use guest/unauthenticated/anonymous credentials for accessing the EKS API. In order to limit the ability for scanners to be able to invoke the API, filtering based on whitelisted CIDRs is a simple and effective solution.

Switching purely to private endpoints has many knock-on effects. For instance, it forced all seedfarmer modules that invoke kubectl to run within the VPC. It also requires all custom resources created by CDK to apply manifests to be run within the VPC. Finally, it also requires either Cloud9 or a Bastion host to interact with the EKS API.