I have deployed an EKS cluster with a private endpoint (with the help of vpc endpoints). There is no public endpoint and there is no internet gateway.
I need to understand how to access the Kubernetes API from an EC2 instance launched in one of the private subnets in the same VPC. I am using Session Manager with vpc endpoint to run commands on the EC2 instance.
Any advice on how to install and configure kubectl to manage the cluster in this case?
CodePudding user response:
...how to access the Kubernetes API from an EC2 instance launched in one of the private subnets in the same VPC.
Typically you use SSM connect on the EC2 console to start a session with the EC2 instance launched in the private subnet, and interact with your fully private cluster from there.
CodePudding user response:
There are several ways to achieve this:
- If you have an on-premise server in your on-premise network that is connected to the underlying VPC of the EKS cluster (you can connect them via AWS VPN or Direct Connect), you can configure your kubectl to connect via this private connectivity. PS: You have to be careful of subnet segment selection to avoid conflicting CIDRs and ease integration of the networks.
- You can set up a bastion on the public subnet and use it as a jumpbox for connecting to another EC2 inside the private subnet. In that private EC2, you can install kubectl and integrate with the EKS API server; the connectivity could then be set up thanks to the private endpoints with EKS.
- (UPDATE): You can also use AWS SSM to connect to a private EC2 server that contains a kubectl that can manage the EKS cluster (same suggestion as gohmc).
- If you have a Cloud9 server that can connect to the underlying VPC of the EKS server, you can use that as a base of your kubectl and manage it from there.
- You can introduce an automation VPC that can connect to the underlying VPC of the EKS cluster via VPC Peering or Transit Gateways; you can use that VPC to host your CI/CD servers (Jenkins or TeamCity) plus your command center EC2 that contains a kubectl for debugging purposes. This can also be a great place to host your other Kubernetes tooling.
To be honest, I'm excited to see a command portal inside the AWS console that would allow us to do this easily instead of having to perform hardcore network setups.
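The SSM route from the answers above, carried through as an added example (not from either answer): a script run on the private EC2 instance over an SSM session that writes the kubeconfig with `aws eks update-kubeconfig`, confirms the cluster really has public access disabled, checks that the API hostname resolves only to VPC-private addresses, and then makes a first authenticated call. It assumes kubectl is already on the instance (baked into the AMI or fetched through a reachable mirror, since there is no internet gateway), VPC interface endpoints for the eks and ssm services, an instance role mapped in the cluster's aws-auth ConfigMap, and `CLUSTER_NAME` and `AWS_REGION` exported; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original answers. Run on the private EC2
# instance over an SSM session. Assumes: kubectl already on the instance,
# VPC interface endpoints for eks (and ssm), an instance role mapped in
# the cluster's aws-auth ConfigMap, and CLUSTER_NAME/AWS_REGION exported.
set -eu

# RFC 1918 check for a single IPv4 address.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# True only when at least one address is given and every one is private.
all_private() {
    [ $# -gt 0 ] || return 1
    for ip in "$@"; do is_private_ipv4 "$ip" || return 1; done
}

# Strip scheme, port and path from the API server URL.
api_host_from_url() {
    printf '%s\n' "$1" | sed -e 's#^https\{0,1\}://##' -e 's#[/:].*$##'
}

main() {
    # Writes ~/.kube/config with an exec entry that runs 'aws eks get-token';
    # credentials come from the instance role, nothing is stored on disk.
    aws eks update-kubeconfig --region "$AWS_REGION" --name "$CLUSTER_NAME"

    desc=$(aws eks describe-cluster --region "$AWS_REGION" --name "$CLUSTER_NAME" \
        --query '[cluster.endpoint,cluster.resourcesVpcConfig.endpointPublicAccess]' \
        --output text)
    set -- $desc          # $1 = endpoint URL, $2 = True/False
    [ "$2" = "False" ] || { echo "public endpoint is enabled on $CLUSTER_NAME" >&2; exit 1; }
    host=$(api_host_from_url "$1")
    # A private-only endpoint must resolve to VPC addresses from inside the VPC.
    all_private $(getent hosts "$host" | awk '{print $1}') \
        || { echo "$host did not resolve to private addresses" >&2; exit 1; }
    kubectl get --raw=/version >/dev/null && echo "API reachable at $host"
    kubectl auth can-i --list   # shows what the instance role may actually do
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it as `sh script.sh --run` inside the SSM session; without `--run` it only defines the functions.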
