Public Access Source Allowlist Changes Don't Break Ec2 Node Communication

JR

Modifying EKS public access source allowlists doesn’t disrupt EC2 node communication but requires careful validation of API server and worker node connectivity.

Context

The “Public access source allowlist” in EKS controls which IP ranges can access the Kubernetes API server endpoint. This setting does not govern communication between EC2 nodes and the control plane. Nodes communicate via private VPC channels and instance roles, independent of the public API server allowlist.

Actionable Workflow

  1. Review the current allowlist (the field is `publicAccessCidrs` under `resourcesVpcConfig` in the describe-cluster output):
    aws eks describe-cluster --name <cluster-name> --region <region> --query 'cluster.resourcesVpcConfig.publicAccessCidrs'

  2. Update allowlist cautiously:
    • Use CIDR blocks, not individual IPs, for maintainability.
    • Avoid overly broad ranges (e.g., 0.0.0.0/0) unless strictly necessary.
  3. Validate post-change:
    • Check node status: kubectl get nodes
    • Test API reachability from allowed IPs: curl -v https://<api-endpoint>/api/v1/namespaces/default/pods (an HTTP 401/403 or a certificate error still proves the endpoint is reachable; a connection timeout indicates the source address is outside the allowlist)
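As an added pre-flight check, not code from the original post or from any AWS tool, the function below takes parsed `aws eks describe-cluster` output plus the allowlist you intend to set and reports what step 2 should catch before the change is applied: malformed CIDRs, 0.0.0.0/0, admin or CI addresses that would lose access, and a cluster whose private endpoint is disabled (node traffic then also arrives at the public endpoint, so its source addresses must be allowed). The cluster JSON is a constructed sample, and `check_allowlist` and `update_command` are names chosen here.

```python
import ipaddress
import json

# Constructed sample of `aws eks describe-cluster` output, trimmed to the
# fields this check reads; it does not describe a real cluster.
SAMPLE_DESCRIBE = json.loads("""
{"cluster": {"name": "demo", "resourcesVpcConfig": {
  "endpointPublicAccess": true, "endpointPrivateAccess": false,
  "publicAccessCidrs": ["0.0.0.0/0"]}}}
""")


def check_allowlist(describe, proposed, required_clients):
    """Pre-flight findings for a proposed publicAccessCidrs change.

    describe         - parsed describe-cluster JSON
    proposed         - list of CIDR strings that will replace the allowlist
    required_clients - IP addresses that must keep API access (admins, CI)
    Returns a list of finding strings; an empty list means no issue found.
    """
    findings, nets = [], []
    for cidr in proposed:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> reject
        except ValueError:
            findings.append(f"invalid CIDR: {cidr}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr} allows the whole internet")
        nets.append(net)
    for ip in required_clients:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            findings.append(f"client {ip} would lose API access")
    vpc = describe["cluster"]["resourcesVpcConfig"]
    if not vpc.get("endpointPrivateAccess"):
        findings.append("private endpoint disabled: node traffic uses the public "
                        "endpoint, so node egress addresses must be in the allowlist")
    return findings


def update_command(name, region, proposed):
    """argv for applying the allowlist with `aws eks update-cluster-config`."""
    return ["aws", "eks", "update-cluster-config", "--name", name, "--region", region,
            "--resources-vpc-config", "publicAccessCidrs=" + ",".join(proposed)]
```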

Policy Example

Sample AWS Security Group rule for EKS API access (replace <CIDR>):

  {
    "IpProtocol": "tcp",
    "FromPort": 443,
    "ToPort": 443,
    "IpRanges": [{ "CidrIp": "<CIDR>" }]
  }

Tooling

  • eksctl: eksctl utils set-public-access-cidrs --cluster <cluster-name> --region <region> <CIDR>[,<CIDR>...] --approve
  • AWS CLI: aws eks update-cluster-config --name <cluster-name> --region <region> --resources-vpc-config publicAccessCidrs=<CIDR>[,<CIDR>...]
  • kubectl: kubectl auth can-i --list (verify API access post-change)

Tradeoffs

  • Security vs. accessibility: Tight allowlists improve security but risk blocking legitimate users.
  • Misconfiguration risk: Overly restrictive rules can break CI/CD pipelines or admin access without affecting node operations.

Troubleshooting

  • Symptom: Nodes show as “NotReady” post-change.
    • Check: Security group inbound rules on the control plane SG.
    • Fix: Ensure nodes can reach the API server on port 443 (not blocked by node SG or NACLs).
  • Symptom: kubectl commands fail from allowed IPs.
    • Check: API server endpoint DNS resolution (nslookup <api-endpoint>).
    • Fix: Verify VPC routing tables and endpoint policies.

Key Caveat

While node-to-control-plane communication remains unaffected, misconfigured allowlists can silence critical alerts or block admin access during incidents. Always test changes in staging environments first.

Source thread: [EKS Cluster] Does modifying “Public access source allowlist” affect the interaction between the EKS cluster and the EC2 nodes?