Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for cluster endpoint access control #86

Closed
rjkernick opened this issue Mar 28, 2019 · 4 comments · Fixed by #154
Closed

Add support for cluster endpoint access control #86

rjkernick opened this issue Mar 28, 2019 · 4 comments · Fixed by #154
Assignees
@lukehoban
Labels
kind/enhancement Improvements or new features
Milestone
0.24

Comments

@rjkernick
Copy link

I know the feature is recent, but I would like to set the cluster endpoint access control as shown here: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html

I may be wrong, but I don't see the option currently
@janwillies
Copy link

This feature would be helpful for enterprise adoption

@lukehoban lukehoban added this to the 0.24 milestone Jun 6, 2019
@Josh-Tilles
Copy link

Something to consider when implementing this: it would be great if the library accounted for ensuring that the machine that it’s running on has access to the cluster API, probably via an additional extra security group rule or assertion. (See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)

lukehoban added a commit that referenced this issue Jun 7, 2019
@lukehoban
Add support for endpointPrivateAccess and endpointPublicAccess
ca9a389 
Espose these options through to the aws.eks.Cluster.

Fixes #86.
@lukehoban lukehoban mentioned this issue Jun 7, 2019
Merged
lukehoban added a commit that referenced this issue Jun 7, 2019
@lukehoban
Add support for endpointPrivateAccess and endpointPublicAccess
d30c5e5 
Espose these options through to the aws.eks.Cluster.

Fixes #86.
@lukehoban lukehoban assigned lukehoban and unassigned metral Jun 7, 2019
@lukehoban
Copy link
Member

lukehoban commented Jun 8, 2019
edited
Loading

Something to consider when implementing this: it would be great if the library accounted for ensuring that the machine that it’s running on has access to the cluster API, probably via an additional extra security group rule or assertion. (See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)

This is a great point. If public=false,private=true then the @pulumi/kuberentes API calls we make will not succeed by default. The two options I can think of are:

  1. Automatically add a SG ingress rule targetting the IP of the current machine (potentially NATed?)
  2. Ensure that users can provide a custom Cluster security group so that they can configure ingress with the CIDR blocks, IPs or other SGs they want to have access (and document that deployments will only be possible if done from an IP within one of these).

(2) would require some slightly non-trivial manual configuration - but should otherwise be reliable.

(1) is "automatic" but doesn't feel reliable - for one its subtly defeating security best-practices by default. But then also if deployments happen from different IPs (even different IPs within a single CI system), there will be unexpected churn in the deployment.

I think I'll solve for (2) for now, and we could explore (1) or some variant of it as an ease-of-use addon in the future if really needed (though I suspect that ease-of-use will not be aligned with private-only endpoint access :-)).

Thoughts?

@metral
Copy link
Contributor

metral commented Jun 8, 2019
edited
Loading

I agree that option 2 is the best path forward.

I've added some comments in #154 (comment).

lukehoban added a commit that referenced this issue Jun 12, 2019
@lukehoban
Add support for endpointPrivateAccess and endpointPublicAccess
589d32f 
Espose these options through to the aws.eks.Cluster.

Fixes #86.
lukehoban added a commit that referenced this issue Jun 20, 2019
@lukehoban
Add support for endpoint access control and custom cluster securitygr…
d729833 
…oup (#154)

Expose endpoint access control options through to the `aws.eks.Cluster`.

Also, allow users to provide their own security group to apply to the cluster endpoint.

Fixes #86.
@infin8x infin8x added the kind/enhancement Improvements or new features label Jul 10, 2021
@github-actions github-actions bot mentioned this issue Nov 10, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lukehoban lukehoban

Labels
kind/enhancement Improvements or new features
Projects
None yet
Milestone
0.24
Development

Successfully merging a pull request may close this issue.

Add support for endpoint access control and custom cluster securitygroup pulumi/pulumi-eks
6 participants
@lukehoban @infin8x @Josh-Tilles @metral @janwillies @rjkernick