[EKS] [request]: Definable Service ClusterIP CIDR range #216

Closed
dewjam opened this issue Mar 20, 2019 · 15 comments
Labels
EKS Amazon Elastic Kubernetes Service Proposed Community submitted issue

dewjam commented Mar 20, 2019

Tell us about your request
What do you want us to build?
Expose the "--service-cluster-ip-range" kube-apiserver flag so it can be defined by customers at EKS cluster creation time.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Currently, the Service ClusterIP CIDR range is statically defined as 10.100.x.x/16 or 172.20.x.x/16 depending on the subnet range assigned to the VPC you're deploying workers to. Being unable to define the Service ClusterIP CIDR range can result in IP overlaps if the same range is in use elsewhere in the infrastructure. The issue would manifest as pods being unable to talk to a specific external service/resource if a ClusterIP service happens to be assigned the same IP and port as the external service/resource.

Are you currently working around this issue?
EKS is not being used in favor of a more flexible option. Someone could work around this issue by designating a specific port to be used by all ClusterIP services that is not used by any on-premise services. This could be difficult to enforce for large organizations with many applications.

Additional context
A more generic solution to allow "kube-apiserver" or "kube-controller" flags to be defined by the customer would also be a good approach. This could be an "advanced" configuration option that a customer can opt into, but otherwise sane defaults are provided.

Attachments
N/A
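
The overlap described in this request can be checked before a cluster is created. The following is an added example, not part of the original issue or of any AWS tooling; the routed network list and the candidate pool are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Default Service ClusterIP ranges named in the issue text.
EKS_DEFAULT_SERVICE_CIDRS = ("10.100.0.0/16", "172.20.0.0/16")

# Constructed sample: networks reachable from the pods (VPC, VPN, on-premises).
ROUTED = ["10.0.0.0/16", "10.100.32.0/20", "172.20.0.0/14", "192.168.0.0/24"]


def find_collisions(service_cidr, routed_cidrs):
    """Return the routed networks that overlap the Service ClusterIP range."""
    svc = ipaddress.ip_network(service_cidr, strict=True)
    hits = []
    for cidr in routed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # Any shared address can shadow an external endpoint behind a ClusterIP.
        if net.version == svc.version and net.overlaps(svc):
            hits.append(str(net))
    return hits


def first_free_service_cidr(pool, prefixlen, routed_cidrs):
    """Return the first prefixlen-sized block in pool that overlaps nothing routed."""
    routed = [ipaddress.ip_network(c, strict=False) for c in routed_cidrs]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(r.version == candidate.version and r.overlaps(candidate)
                   for r in routed):
            return str(candidate)
    return None  # the whole pool is already in use


if __name__ == "__main__":
    for default in EKS_DEFAULT_SERVICE_CIDRS:
        print(default, "collides with", find_collisions(default, ROUTED))
    # Constructed candidate pool to search for a usable /16.
    print("free:", first_free_service_cidr("10.100.0.0/14", 16, ROUTED))
```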

@dewjam dewjam added the Proposed Community submitted issue label Mar 20, 2019
@dewjam dewjam changed the title from "[EKS] [request]: Definable ClusterIP Service CIDR range" to "[EKS] [request]: Definable Service ClusterIP CIDR range" Mar 20, 2019
@dawidmalina

It's a very good idea! 👍

@tabern tabern added the EKS Amazon Elastic Kubernetes Service label Mar 26, 2019
@pawelprazak

This feature would be necessary for cross-cluster service discovery and connectivity, wouldn't it?

BeneStem commented May 6, 2019

And if you are using a VPN connection and have an already blocked network range...

chrw commented May 6, 2019

I would love to see this feature because the assigned CIDR range 10.100.0.0/16 is colliding with a network of our VPN connections!

@msvechla

How is this not configurable? This behaviour is completely non-transparent to the end user. Currently this is also colliding with a private network for us.

pfremm commented Aug 7, 2019

Any updates if this has made it to the EKS roadmap?

@mikestef9 mikestef9 added this to Researching in containers-roadmap Aug 22, 2019
chrw commented Nov 21, 2019

Any news on this one? I got asked by our AWS account manager what's blocking us from using EKS and this is exactly it! 😉

@chris-vest

This would be very useful to be able to configure!

jwenz723 commented Nov 30, 2019

Would love to see this built out. My current network configuration makes use of both the 10.100 and 172.20 IP spaces, thus making it hard for me to use EKS and reliably communicate with private services that reside outside of EKS.

chrw commented Jan 22, 2020

Curious if there is any work going on with this feature request? :-)

derjohn commented Jan 22, 2020

Hmmm... IIRC this is already resolved. At least in Terraform / API I used subnet IDs from the VPC in EKS. Or did I misunderstand the issue?

```hcl
resource "aws_eks_cluster" "xxxx" {
  name     = var.cluster-name
  role_arn = data.terraform_remote_state.aws_iam.outputs.eks_cluster_role_arn
  version  = "1.14"

  vpc_config {
    endpoint_private_access = true
    endpoint_public_access  = true
    security_group_ids      = [aws_security_group.xxx.id]
    subnet_ids              = data.terraform_remote_state.aws_vpc.outputs.xxxx_eks_private_subnet_ids
  }
}
```

derjohn commented Jan 22, 2020

Update: I didn't read the issue fully.

Yes, the services are still on those fixed IPs even with Kubernetes 1.14, Platform version eks.2 on AWS.
Though, the pods are not. I looked for the wrong thing.

@mikestef9 mikestef9 moved this from Researching to We're Working On It in containers-roadmap May 15, 2020
@nastrofaction

We need this so we can define a static IP for our services.

@mikestef9 mikestef9 moved this from We're Working On It to Coming Soon in containers-roadmap Jun 25, 2020
@mikestef9 mikestef9 moved this from Coming Soon to Just Shipped in containers-roadmap Oct 6, 2020
@mikestef9
Contributor

Hey all,

You can configure the Kubernetes Service IP Range on newly created EKS clusters.

What's New: https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-eks-supports-configurable-kubernetes-service-ip-address-range/

@lobshunter

Does EKS use the configured service IP range to generate the proper in-cluster DNS service address? I use a custom service IP range 10.20.0.0/16, but the DNS service address is still 172.20.0.2. So DNS resolution doesn't work for pods.
