
[FEATURE] - Fully Private EKS Cluster #136

Open
starchx opened this issue Jul 24, 2021 · 3 comments

starchx (Contributor) commented Jul 24, 2021

This one is commonly required in the financial industry. Users may provide a proxy server, but with strict outbound filtering (e.g. blocking GitHub access, which means all the addons need to be hosted in private repos internally).

This requires us to use AWS service VPC endpoints as much as we can and only use the proxy for the AWS services that do not support VPC endpoints (such as the EKS service API).

Related to this issue: #49

kcoleman731 changed the title from "Add full private EKS cluster support without outbound internet access" to "[FEATURE] - Fully Private EKS Cluster" on Aug 15, 2021
shapirov103 (Collaborator) commented

@starchx can you specify where specifically private VPC endpoints are needed? Is it Velero for S3 access? Something else?
Private cluster support with private repos is supported. I can add an example pattern with the proxy server for GitHub access for example.

starchx (Contributor, Author) commented May 8, 2022

Thanks @shapirov103.

The use case is when the customer only allows outbound access via an internal managed proxy server, or no outbound internet access at all. That means the cluster creator lambda and the kubectl lambda (from the cdk-eks module) will need to be placed inside the customer's VPC.

EKS VPC endpoint support is on the roadmap (aws/containers-roadmap#298), so outbound internet is still required via proxy.

For the blueprint, I think we can just add the proxy support, e.g. allow customers to specify their own proxy servers. We would need to pass that proxy as environment variables to both lambdas (https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-eks.Cluster.html#kubectlenvironment).
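The environment-variable hand-off described in this comment, as an added TypeScript example that is not code from the issue or from the cdk-eks-blueprints project: it builds the HTTP(S)_PROXY/NO_PROXY map that both lambdas would receive, keeping VPC-endpoint-served services and the private Kubernetes API endpoint off the proxy, and models which destinations the proxy would see. Assumed names: ProxyConfig, noProxyEntries, buildProxyEnvironment, goesViaProxy; the proxy URL, region, CIDR and hostnames are constructed values.

```typescript
// Added example (not from the issue or the cdk-eks-blueprints project); all names are assumed.
// Builds the proxy environment for the cluster-creation and kubectl Lambda handlers and
// models which destinations bypass the proxy under NO_PROXY.
interface ProxyConfig {
  proxyUrl: string;              // internal proxy, e.g. "http://proxy.corp.internal:3128" (constructed)
  region: string;                // region the cluster lives in
  vpcCidr: string;               // in-VPC traffic must never be sent to the proxy
  vpcEndpointServices: string[]; // service prefixes reached via VPC endpoints, e.g. "sts", "s3", "api.ecr"
  extraNoProxy?: string[];       // internal hosts such as the private Helm/OCI registry
}

// Destinations that bypass the proxy. The Kubernetes API endpoint
// (<id>.<hash>.<region>.eks.amazonaws.com) resolves to private IPs with PRIVATE endpoint
// access, so its suffix is listed. The EKS service API (eks.<region>.amazonaws.com) had no
// VPC endpoint at the time of this comment and is deliberately absent, so it uses the proxy.
function noProxyEntries(cfg: ProxyConfig): string[] {
  const entries = [
    'localhost', '127.0.0.1',
    '169.254.169.254',   // metadata/credential endpoint, never proxied
    cfg.vpcCidr,         // CIDR entries are honoured by Go clients (kubectl, helm), not by every HTTP library
    `${cfg.region}.eks.amazonaws.com`,
  ]
    .concat(cfg.vpcEndpointServices.map(s => `${s}.${cfg.region}.amazonaws.com`))
    .concat(cfg.extraNoProxy || []);
  return entries.filter((e, i) => entries.indexOf(e) === i); // de-duplicate, keep order
}

function buildProxyEnvironment(cfg: ProxyConfig): Record<string, string> {
  if (!/^https?:\/\/[^\s/]+\/?$/.test(cfg.proxyUrl)) {
    throw new Error(`proxy URL must be http(s)://host[:port], got ${cfg.proxyUrl}`);
  }
  const noProxy = noProxyEntries(cfg).join(',');
  // Both spellings: the AWS SDK, kubectl and helm differ in which one they read.
  return {
    HTTP_PROXY: cfg.proxyUrl, HTTPS_PROXY: cfg.proxyUrl, NO_PROXY: noProxy,
    http_proxy: cfg.proxyUrl, https_proxy: cfg.proxyUrl, no_proxy: noProxy,
  };
}

// Simplified NO_PROXY matcher (exact host or domain suffix; CIDR entries skipped)
// to check where a destination would be sent before deploying.
function goesViaProxy(host: string, env: Record<string, string>): boolean {
  const bypass = env.NO_PROXY.split(',').some(raw => {
    const entry = raw.replace(/^\./, '');
    if (entry.indexOf('/') >= 0) return false;
    return host === entry || host.slice(-(entry.length + 1)) === '.' + entry;
  });
  return !bypass;
}
```

The returned map is what would be supplied as kubectlEnvironment (linked above) for the kubectl lambda and as clusterHandlerEnvironment on the same eks.Cluster props for the cluster-creation lambda.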

starchx (Contributor, Author) commented May 30, 2023

This feature may not be needed anymore, thanks to EKS Private Endpoint: aws/containers-roadmap#298
