Profile applicability: Level 1 - Cluster / Control Plane
Enable Endpoint Private Access to restrict access to your cluster's control plane
to only a list of authorized IP addresses. This measure specifies a restricted range
of IP addresses that are allowed to access your cluster’s control plane, which, in
combination with Transport Layer Security (TLS) and authentication, secures access
from the public internet. Although Kubernetes Engine provides the capability to manage
your cluster from anywhere, you might opt to limit access further to specific IP addresses
under your control. Authorized networks enhance security by shielding your cluster
from potential outsider attacks by limiting external access to designated addresses,
and from insider threats by preventing access even if master certificates are accidentally
leaked outside your organization. Care must be taken when setting up Endpoint Private
Access to include all necessary IP addresses in the authorized list to avoid unintentionally
blocking legitimate access to the cluster’s control plane.
Impact
When implementing Endpoint Private Access, ensure all required networks are included
in the allowlist to avoid blocking access to your cluster's control plane.
Audit
Run the following commands and confirm that each setting returns true:
export CLUSTER_NAME=<your cluster name>
aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.resourcesVpcConfig.endpointPublicAccess"
aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.resourcesVpcConfig.endpointPrivateAccess"
Verify that the following is not null:
export CLUSTER_NAME=<your cluster name>
aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.resourcesVpcConfig.publicAccessCidrs"
Remediation
Enable private endpoint access to ensure that all communication between your nodes
and the API server stays within your VPC. This also allows you to restrict IP addresses
that can access your API server from the internet or disable internet access entirely.
For example, use the following command to enable private access and limited public
access:
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32"
Note: CIDR blocks cannot include reserved addresses. Refer to the EKS Cluster Endpoint
documentation for detailed information.
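The following is an added example (not part of the benchmark text or the AWS CLI) that applies the audit and remediation steps above to the JSON returned by `aws eks describe-cluster`. It checks that endpointPrivateAccess is true and that, when the public endpoint is enabled, publicAccessCidrs is restricted rather than the default 0.0.0.0/0, and it builds a JSON value for --resources-vpc-config as an alternative to the shorthand form shown in the remediation. The cluster names and describe-cluster documents are constructed sample data; they are not output from a real cluster.

```python
"""Audit an EKS cluster endpoint configuration and build the remediation value.

Input: the JSON document printed by `aws eks describe-cluster --name <cluster>`.
The two samples below are constructed for the example, not real AWS output.
"""
import ipaddress
import json

# Value EKS reports in publicAccessCidrs when public access is not restricted.
UNRESTRICTED = "0.0.0.0/0"

# Constructed sample: private access on, public access limited to one address
# (the same documentation address used in the remediation command above).
SAMPLE_RESTRICTED = json.dumps({
    "cluster": {
        "name": "example-restricted",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["203.0.113.5/32"],
        },
    }
})

# Constructed sample: the default state of a newly created cluster.
SAMPLE_DEFAULT = json.dumps({
    "cluster": {
        "name": "example-default",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": [UNRESTRICTED],
        },
    }
})


def check_endpoint_access(describe_cluster_json: str) -> dict:
    """Evaluate resourcesVpcConfig against the control; returns the values read
    plus a list of findings (empty when compliant)."""
    cfg = json.loads(describe_cluster_json)["cluster"]["resourcesVpcConfig"]
    private = bool(cfg.get("endpointPrivateAccess", False))
    public = bool(cfg.get("endpointPublicAccess", False))
    cidrs = list(cfg.get("publicAccessCidrs") or [])

    findings = []
    if not private:
        findings.append("endpointPrivateAccess is false")

    if public:
        # A null/empty list or 0.0.0.0/0 means the public endpoint is open to all.
        if not cidrs or UNRESTRICTED in cidrs:
            findings.append("public endpoint is reachable from any address")
        for cidr in cidrs:
            try:
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                findings.append(f"invalid CIDR in publicAccessCidrs: {cidr}")

    return {
        "endpointPrivateAccess": private,
        "endpointPublicAccess": public,
        "publicAccessCidrs": cidrs,
        "compliant": not findings,
        "findings": findings,
    }


def remediation_config(allowed_cidrs, keep_public: bool = True) -> str:
    """Build the JSON value for `--resources-vpc-config`. Passing JSON instead of
    shorthand avoids the comma/space pitfalls of the shorthand syntax.
    Every CIDR is validated before it is emitted."""
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr, strict=True)  # raises ValueError on bad input
    config = {"endpointPrivateAccess": True, "endpointPublicAccess": keep_public}
    if keep_public:
        config["publicAccessCidrs"] = list(allowed_cidrs)
    return json.dumps(config)


if __name__ == "__main__":
    for sample in (SAMPLE_RESTRICTED, SAMPLE_DEFAULT):
        result = check_endpoint_access(sample)
        print(json.loads(sample)["cluster"]["name"], result)
    # Usage: aws eks update-cluster-config --name $CLUSTER_NAME \
    #            --resources-vpc-config "$(python3 this_script.py ...)"
    print(remediation_config(["203.0.113.5/32"]))
```

The JSON form is passed to the CLI quoted as a single argument, exactly as the shorthand value is; the compliance check treats an empty or null publicAccessCidrs the same as 0.0.0.0/0, which matches the "not null" verification in the Audit section.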
