diff --git a/examples/38-cluster-subnets-sgs.yaml b/examples/38-cluster-subnets-sgs.yaml new file mode 100644 index 0000000000..67e1b8202a --- /dev/null +++ b/examples/38-cluster-subnets-sgs.yaml @@ -0,0 +1,22 @@ +# An example config for updating API server endpoint access, public access CIDRs, and control plane subnets and security groups. +# To perform the update, run `eksctl utils update-cluster-vpc-config -f 38-cluster-subnets-sgs.yaml` + +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig +metadata: + name: cluster-38 + region: us-west-2 + +iam: + withOIDC: true + +vpc: + controlPlaneSubnetIDs: [subnet-1234, subnet-5678] + controlPlaneSecurityGroupIDs: [sg-1234, sg-5678] + clusterEndpoints: + publicAccess: true + privateAccess: true + publicAccessCIDRs: ["1.1.1.1/32"] + +managedNodeGroups: + - name: mng1 diff --git a/userdocs/mkdocs.yml b/userdocs/mkdocs.yml index 66ac005bfa..6ce84d4a44 100644 --- a/userdocs/mkdocs.yml +++ b/userdocs/mkdocs.yml @@ -179,6 +179,7 @@ nav: - usage/vpc-configuration.md - usage/vpc-subnet-settings.md - usage/vpc-cluster-access.md + - usage/cluster-subnets-security-groups.md - usage/vpc-ip-family.md - IAM: - usage/minimum-iam-policies.md diff --git a/userdocs/src/getting-started.md b/userdocs/src/getting-started.md index 8c055fa2d5..fefb363dfa 100644 --- a/userdocs/src/getting-started.md +++ b/userdocs/src/getting-started.md @@ -1,6 +1,8 @@ # Getting started !!! tip "New for 2023" + `eksctl` now supports [updating the subnets and security groups](/usage/cluster-subnets-security-groups) associated with the EKS control plane. + `eksctl` now supports creating fully private clusters on [AWS Outposts](/usage/outposts). `eksctl` now supports new ISO regions `us-iso-east-1` and `us-isob-east-1`. diff --git a/userdocs/src/usage/cluster-subnets-security-groups.md b/userdocs/src/usage/cluster-subnets-security-groups.md new file mode 100644 index 0000000000..1fb83cf135 --- /dev/null +++ b/userdocs/src/usage/cluster-subnets-security-groups.md @@ -0,0 +1,83 @@ +# Updating control plane subnets and security groups + +## Updating control plane subnets +When a cluster is created with eksctl, a set of public and private subnets are created and passed to the EKS API. +EKS creates 2 to 4 cross-account elastic network interfaces (ENIs) in those subnets to enable communication between the EKS +managed Kubernetes control plane and your VPC. + +To update the subnets used by the EKS control plane, run: + +```console +eksctl utils update-cluster-vpc-config --cluster= --control-plane-subnet-ids=subnet-1234,subnet-5678 +``` + +To update the setting using a config file: + +```yaml +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig +metadata: + name: cluster + region: us-west-2 + +vpc: + controlPlaneSubnetIDs: [subnet-1234, subnet-5678] +``` + +```console +eksctl utils update-cluster-vpc-config -f config.yaml +``` + +Without the `--approve` flag, eksctl only logs the proposed changes. Once you are satisfied with the proposed changes, rerun the command with +the `--approve` flag. + +## Updating control plane security groups +To manage traffic between the control plane and worker nodes, EKS supports passing additional security groups that are applied to the cross-account network interfaces +provisioned by EKS. To update the security groups for the EKS control plane, run: + +```console +eksctl utils update-cluster-vpc-config --cluster= --control-plane-security-group-ids=sg-1234,sg-5678 --approve +``` + +To update the setting using a config file: + +```yaml +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig +metadata: + name: cluster + region: us-west-2 + +vpc: + controlPlaneSecurityGroupIDs: [sg-1234, sg-5678] +``` + +```console +eksctl utils update-cluster-vpc-config -f config.yaml +``` + +To update both control plane subnets and security groups for a cluster, run: + +```console +eksctl utils update-cluster-vpc-config --cluster= --control-plane-subnet-ids=<> --control-plane-security-group-ids=<> --approve +``` + +To update both fields using a config file: + +```yaml +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig +metadata: + name: cluster + region: us-west-2 + +vpc: + controlPlaneSubnetIDs: [subnet-1234, subnet-5678] + controlPlaneSecurityGroupIDs: [sg-1234, sg-5678] +``` + +```console +eksctl utils update-cluster-vpc-config -f config.yaml +``` + +For a complete example, refer to [https://github.com/eksctl-io/eksctl/blob/main/examples/38-cluster-subnets-sgs.yaml](cluster-subnets-sgs.yaml). \ No newline at end of file diff --git a/userdocs/src/usage/vpc-cluster-access.md b/userdocs/src/usage/vpc-cluster-access.md index 128757c2e7..2a9fec28dc 100644 --- a/userdocs/src/usage/vpc-cluster-access.md +++ b/userdocs/src/usage/vpc-cluster-access.md @@ -33,14 +33,18 @@ There are some additional caveats when configuring Kubernetes API endpoint acces The following is an example of how one could configure the Kubernetes API endpoint access using the `utils` sub-command: +```console +eksctl utils update-cluster-vpc-config --cluster= --private-access=true --public-access=false ``` -eksctl utils update-cluster-endpoints --name= --private-access=true --public-access=false -``` + +!!! warning + `eksctl utils update-cluster-endpoints` has been deprecated in favour of `eksctl utils update-cluster-vpc-config` + and will be removed soon. To update the setting using a `ClusterConfig` file, use: ```console -eksctl utils update-cluster-endpoints -f config.yaml --approve +eksctl utils update-cluster-vpc-config -f config.yaml --approve ``` Note that if you don't pass a flag, it will keep the current value. Once you are satisfied with the proposed changes, @@ -59,13 +63,17 @@ vpc: To update the restrictions on an existing cluster, use: ```console -eksctl utils set-public-access-cidrs --cluster= 1.1.1.1/32,2.2.2.0/24 +eksctl utils update-cluster-vpc-config --cluster= 1.1.1.1/32,2.2.2.0/24 ``` +!!! warning + `eksctl utils set-public-access-cidrs` has been deprecated in favour of `eksctl utils update-cluster-vpc-config` + and will be removed soon. + To update the restrictions using a `ClusterConfig` file, set the new CIDRs in `vpc.publicAccessCIDRs` and run: ```console -eksctl utils set-public-access-cidrs -f config.yaml +eksctl utils update-cluster-vpc-config -f config.yaml ``` !!! warning @@ -81,3 +89,24 @@ eksctl utils set-public-access-cidrs -f config.yaml the internet. (Source: https://github.com/aws/containers-roadmap/issues/108#issuecomment-552766489) Implementation notes: https://github.com/aws/containers-roadmap/issues/108#issuecomment-552698875 + + +To update both API server endpoint access and public access CIDRs for a cluster in a single command, run: + +```console +eksctl utils update-cluster-vpc-config --cluster= --public-access=true --private-access=true --public-access-cidrs=1.1.1.1/32,2.2.2.0/24 +``` + +To update the setting using a config file: + +```yaml +vpc: + clusterEndpoints: + publicAccess: + privateAccess: + publicAccessCIDRs: ["1.1.1.1/32"] +``` + +```console +eksctl utils update-cluster-vpc-config --cluster= -f config.yaml +```