Profile applicability: Level 1 - Cluster / Control Plane
Ensure that clusters are created with the Private Endpoint enabled and Public Access disabled to enhance the security of the Kubernetes API. In private clusters, the master node has both a private and a public endpoint. The private endpoint, an internal IP address behind a VPC network's internal load balancer, carries node-to-master communication, whereas the public endpoint allows access to the Kubernetes API from outside the master's VPC network. Although the Kubernetes API requires an authorized token for sensitive operations, a vulnerability could still be reachable on a publicly exposed endpoint, and an attacker can use the endpoint to identify the cluster and its API version and then target known vulnerabilities. Disabling the public endpoint limits such risks, because an attacker would then need to be inside the master's VPC network to reach the API. If public access is necessary, it should be restricted to specified whitelisted CIDR blocks, which gives controlled external access while all internal traffic between kubelets and the Kubernetes API still flows through the securely provisioned cross-account ENIs in the cluster's VPC.

Impact

Configure the EKS cluster endpoint to be private. If public access must remain enabled, the following alternatives apply:
1. Leave the cluster endpoint public and specify which CIDR blocks can communicate with the cluster endpoint. The blocks are effectively a whitelisted set of public IP addresses allowed to access the cluster endpoint.
2. Configure public access with a set of whitelisted CIDR blocks and set private endpoint access to enabled. This allows public access from a specific range of public IPs while forcing all network traffic between the kubelets (workers) and the Kubernetes API through the cross-account ENIs that get provisioned into the cluster VPC when the control plane is provisioned.

Audit

Check the public and private endpoint access settings of the Kubernetes API server. The following query (public access) should return false:
    export CLUSTER_NAME=<your cluster name>
    aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.resourcesVpcConfig.endpointPublicAccess"

The following query (private access) should return true:
    export CLUSTER_NAME=<your cluster name>
    aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.resourcesVpcConfig.endpointPrivateAccess"

Remediation

By enabling private endpoint access to the Kubernetes API server, all communication between your nodes and the API server stays within your VPC. With this in mind, you can update your cluster accordingly using the AWS CLI to ensure that Private Endpoint Access is enabled.
For example, the following command would enable private access to the Kubernetes API and ensure that no public access is permitted:
    aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false
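The following POSIX shell script is an added audit helper, not part of the benchmark text or of the AWS CLI. It evaluates the resourcesVpcConfig block returned by `aws eks describe-cluster` against this recommendation and the alternatives listed under Impact: a cluster with the private endpoint enabled and the public endpoint disabled passes; a cluster whose public endpoint is enabled but restricted to a CIDR allowlist (with the private endpoint also enabled) is flagged for review; anything open to 0.0.0.0/0 or with the private endpoint disabled fails. The three JSON documents embedded below are constructed samples so the script runs offline; the function names and the `--demo` flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or AWS): classify an EKS cluster's
# API endpoint configuration. Real use:
#   aws eks describe-cluster --name "$CLUSTER_NAME" > cluster.json
#   eks_endpoint_status "$(cat cluster.json)"

# Constructed sample: public endpoint open to the internet, private endpoint off.
SAMPLE_OPEN='{ "cluster": { "name": "example-open", "resourcesVpcConfig": {
  "endpointPublicAccess": true, "endpointPrivateAccess": false,
  "publicAccessCidrs": ["0.0.0.0/0"] } } }'

# Constructed sample: the Impact section's alternative 2, public access limited
# to one whitelisted CIDR block (documentation range) with private access on.
SAMPLE_RESTRICTED='{ "cluster": { "name": "example-restricted", "resourcesVpcConfig": {
  "endpointPublicAccess": true, "endpointPrivateAccess": true,
  "publicAccessCidrs": ["203.0.113.0/24"] } } }'

# Constructed sample: the recommended configuration, private endpoint only.
SAMPLE_PRIVATE='{ "cluster": { "name": "example-private", "resourcesVpcConfig": {
  "endpointPublicAccess": false, "endpointPrivateAccess": true,
  "publicAccessCidrs": [] } } }'

# json_bool KEY JSON: print true, false, or missing for a boolean key.
# Whitespace is stripped first so the match does not depend on CLI formatting.
json_bool() {
  flat=$(printf '%s' "$2" | tr -d ' \n\t')
  case "$flat" in
    *"\"$1\":true"*)  echo true ;;
    *"\"$1\":false"*) echo false ;;
    *)                echo missing ;;
  esac
}

# eks_endpoint_status JSON: print exactly one of PASS, WARN or FAIL.
eks_endpoint_status() {
  pub=$(json_bool endpointPublicAccess "$1")
  priv=$(json_bool endpointPrivateAccess "$1")
  flat=$(printf '%s' "$1" | tr -d ' \n\t')
  # Private access must be on in every acceptable configuration.
  [ "$priv" = true ] || { echo FAIL; return 0; }
  # Recommended state: public endpoint disabled.
  [ "$pub" = false ] && { echo PASS; return 0; }
  # Unknown public-access value is treated as non-compliant.
  [ "$pub" = true ] || { echo FAIL; return 0; }
  # Public endpoint is enabled: acceptable only with a restricted allowlist.
  case "$flat" in
    *'"0.0.0.0/0"'*) echo FAIL ;;
    *)               echo WARN ;;
  esac
  return 0
}

# eks_remediation_cmd CLUSTER REGION: print the Remediation section's command
# for the given cluster (printed, not executed).
eks_remediation_cmd() {
  printf 'aws eks update-cluster-config --region %s --name %s --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false\n' "$2" "$1"
}

# Run with --demo to see the verdict for each constructed sample.
if [ "${1:-}" = "--demo" ]; then
  for sample in "$SAMPLE_OPEN" "$SAMPLE_RESTRICTED" "$SAMPLE_PRIVATE"; do
    status=$(eks_endpoint_status "$sample")
    echo "$status  public=$(json_bool endpointPublicAccess "$sample") private=$(json_bool endpointPrivateAccess "$sample")"
    [ "$status" = FAIL ] && eks_remediation_cmd example-cluster "${AWS_REGION:-us-east-1}"
  done
fi
```

The WARN outcome corresponds to the Impact section's whitelisted-CIDR alternative: it is not the recommended state, but it is the configuration the benchmark accepts when public access cannot be removed, so it is reported separately rather than failed outright.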