Views:
Profile applicability: Level 1
Disable access to the Kubernetes API from outside the node network if it is not required.
In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's VPC network.
Although Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling public endpoint will help prevent such threats, and require the attacker to be on the master's VPC network to perform any attack on the Kubernetes API.
Note
Note
By default, the Public Endpoint is disabled.

Impact

Configure the EKS cluster endpoint to be private.
  1. Leave the cluster endpoint public and specify which CIDR blocks can communicate with the cluster endpoint. The blocks are effectively a whitelisted set of public IP addresses that are allowed to access the cluster endpoint.
  2. Configure public access with a set of whitelisted CIDR blocks and set private endpoint access to enabled. This will allow public access from a specific range of public IPs while forcing all network traffic between the kubelets (workers) and the Kubernetes API through the cross-account ENIs that get provisioned into the cluster VPC when the control plane is provisioned.

Audit

Check for private endpoint access to the Kubernetes API server:
export CLUSTER_NAME=<your cluster name>
export REGION_CODE=<your region>
aws eks describe-cluster \
--name "${CLUSTER_NAME}" \
--region "${REGION_CODE}" \
--query \
"cluster.resourcesVpcConfig.{endpointPublicAccess:endpointPublicAccess,endpointPrivateAccess:endpointPrivateAccess}" \
--output json
Check for the following to be "endpointPrivateAccess": true.
Check for the following to be "endpointPublicAccess": true.

Remediation

By enabling private endpoint access to the Kubernetes API server, all communication between your nodes and the API server stays within your VPC.
With this in mind, you can update your cluster accordingly using the AWS CLI to ensure that Private Endpoint Access is enabled.
For example, the following command would enable private access to the Kubernetes API and ensure that no public access is permitted:
aws eks update-cluster-config \
--region $AWS_REGION \
--name $CLUSTER_NAME \
--resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false
Note
Note
For more detailed information, see the EKS Cluster Endpoint documentation link in the references section.