
Updating EKS server endpoint access to Public+Private fails

0

Hello, I have an Amazon EKS cluster where the API server endpoint access is currently set to Public only. I’m trying to update it to Public + Private to run Fargate instances without NAT.

I tried the update from the console and with the AWS CLI (aws eks update-cluster-config --region eu-central-1 --name <cluster-name> --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs=0.0.0.0/0). In both cases the update fails. I'm unable to see the reason for the failed update.

Cluster spec:

  • Three public subnets with EC2 instances
  • One private subnet
  • enableDnsHostnames set to true
  • enableDnsSupport set to true
  • DHCP options with AmazonProvidedDNS in its domain name servers list

Versions:

  • Kubernetes version: 1.29
  • AWS CLI version: 2.24.2
  • kubectl client version: v1.30.3
  • kubectl server version: v1.29.15-eks-b707fbb

Any advice on enabling Public+Private API endpoint access for a mixed EC2 and Fargate EKS cluster would be very helpful. Thank you!

1 Answer
0

When updating an EKS cluster's API server endpoint access from Public only to Public + Private, there are several potential reasons why the update might fail.

Based on your cluster configuration, here are some things to check:

  1. VPC Configuration: Ensure that your VPC has the necessary DNS settings properly configured. While you mentioned that enableDnsHostnames and enableDnsSupport are set to true, and you have the AmazonProvidedDNS in your DHCP options, verify that these settings are applied correctly.

  2. Security Groups and Network ACLs: Check if there are any security groups or network ACLs that might be blocking the required traffic between your VPC and the EKS control plane.

  3. Try using eksctl: As an alternative approach, you could try using the eksctl utility to update the cluster configuration:

eksctl utils update-cluster-vpc-config --cluster=<cluster-name> --public-access=true --private-access=true --public-access-cidrs=0.0.0.0/0

  4. Check update status: After attempting an update, you can check the status of the update operation to get more details about why it might be failing:

aws eks describe-update --name <cluster-name> --update-id <update-id>

The update ID would be returned in the output of your update-cluster-config command.

  5. Subnet Configuration: Ensure that your private subnet has proper routing configured. For private API endpoint access, the EKS control plane needs to be able to communicate with the VPC.

  6. AWS Service Quotas: Verify that you haven't hit any service quotas that might prevent the update.

If the issue persists, you might need to check the CloudTrail logs for more detailed error information or contact AWS Support for assistance with your specific cluster configuration.
Sources
Cluster Access - Eksctl User Guide
Use UpdateClusterConfig with a CLI - AWS SDK Code Examples
Securely access EKS cluster API server endpoint from within a VPC | AWS re:Post
UpdateClusterConfig - Amazon EKS

answered a month ago
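The asker's real blocker is that the console and the plain CLI call report only that the update failed, not why. The reason is returned in the errors list of the update object that UpdateClusterConfig and DescribeUpdate return, which the CLI does not surface unless you look for it. The script below is an added example, not part of the question or the answer above: it issues the endpoint-access update with boto3, polls DescribeUpdate until the update reaches a terminal status, and flattens the params and errors so the failure reason is visible. The cluster name, region, CIDR and the sample update document are constructed assumptions; the boto3 calls are only made when the script is run as a program, so the parsing helpers work offline.

```python
"""Update EKS API endpoint access and surface the reason if the update fails.

Added example, not code from the re:Post thread. Assumes credentials with
eks:UpdateClusterConfig and eks:DescribeUpdate and the hypothetical cluster
name, region and CIDR used in __main__.
"""
import time
from typing import Any

try:
    import boto3  # only required when talking to AWS
except ImportError:  # the parsing helpers below do not need it
    boto3 = None

TERMINAL_STATUSES = {"Successful", "Failed", "Cancelled"}

# Constructed sample of the 'update' object DescribeUpdate returns for a
# failed endpoint-access change; the error code/message are illustrative.
SAMPLE_FAILED_UPDATE: dict[str, Any] = {
    "id": "11111111-2222-3333-4444-555555555555",
    "status": "Failed",
    "type": "EndpointAccessUpdate",
    "params": [
        {"type": "EndpointPublicAccess", "value": "true"},
        {"type": "EndpointPrivateAccess", "value": "true"},
        {"type": "PublicAccessCidrs", "value": '["0.0.0.0/0"]'},
    ],
    "errors": [
        {
            "errorCode": "IpNotAvailable",
            "errorMessage": "Not enough free IP addresses in subnet",
            "resourceIds": ["subnet-0123456789abcdef0"],
        }
    ],
}


def summarize_update(update: dict[str, Any]) -> dict[str, Any]:
    """Flatten an EKS update object: status, requested params, and errors.

    The 'errors' entries are what the console hides; each carries an errorCode,
    a human-readable errorMessage and the AWS resource IDs involved.
    """
    params = {p["type"]: p["value"] for p in update.get("params", [])}
    errors = [
        {
            "code": e.get("errorCode"),
            "message": e.get("errorMessage"),
            "resources": list(e.get("resourceIds", [])),
        }
        for e in update.get("errors", [])
    ]
    return {
        "id": update.get("id"),
        "status": update.get("status"),
        "type": update.get("type"),
        "params": params,
        "errors": errors,
    }


def is_terminal(status: str) -> bool:
    """InProgress is the only non-terminal status for a cluster update."""
    return status in TERMINAL_STATUSES


def request_endpoint_access(eks, cluster: str, public: bool, private: bool,
                            public_cidrs: list[str]) -> str:
    """Submit the endpoint-access change and return the update ID to poll."""
    resp = eks.update_cluster_config(
        name=cluster,
        resourcesVpcConfig={
            "endpointPublicAccess": public,
            "endpointPrivateAccess": private,
            "publicAccessCidrs": public_cidrs,
        },
    )
    return resp["update"]["id"]


def wait_for_update(eks, cluster: str, update_id: str,
                    poll_seconds: int = 15, timeout_seconds: int = 1800) -> dict[str, Any]:
    """Poll DescribeUpdate until the update is terminal or the timeout passes."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        raw = eks.describe_update(name=cluster, updateId=update_id)["update"]
        summary = summarize_update(raw)
        if is_terminal(summary["status"]) or time.monotonic() > deadline:
            return summary
        time.sleep(poll_seconds)


if __name__ == "__main__":
    eks = boto3.client("eks", region_name="eu-central-1")  # hypothetical region
    cluster = "my-cluster"  # hypothetical cluster name
    # Keep the public endpoint, but narrow it to a known source range rather than 0.0.0.0/0.
    uid = request_endpoint_access(eks, cluster, public=True, private=True,
                                  public_cidrs=["203.0.113.0/24"])
    result = wait_for_update(eks, cluster, uid)
    print(result["status"], result["params"])
    for err in result["errors"]:
        print(f"{err['code']}: {err['message']} {err['resources']}")
```

Two points worth keeping in mind when using this. First, once endpointPrivateAccess is true, EKS associates a private hosted zone with the VPC so that nodes inside it resolve the API endpoint to the private ENI addresses, which is exactly why the VPC needs enableDnsHostnames and enableDnsSupport; at that point there is no longer a reason to leave publicAccessCidrs at 0.0.0.0/0, so the example narrows it to a specific range. Second, the errors list, not the status, is where a failed update explains itself; if it is empty on a Failed update, CloudTrail for the UpdateClusterConfig event is the next place to look, as the answer suggests.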

