fix: clarify usage of cluster endpoint public CIDR list var #1592
Conversation
schollii
changed the title
| @@ -214,7 +214,7 @@ Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraf | |||
| | <a name="input_cluster_endpoint_private_access_cidrs"></a> [cluster\_endpoint\_private\_access\_cidrs](#input\_cluster\_endpoint\_private\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS private API server endpoint. To use this `cluster_endpoint_private_access` and `cluster_create_endpoint_private_access_sg_rule` must be set to `true`. | `list(string)` | `null` | no | | |||
| | <a name="input_cluster_endpoint_private_access_sg"></a> [cluster\_endpoint\_private\_access\_sg](#input\_cluster\_endpoint\_private\_access\_sg) | List of security group IDs which can access the Amazon EKS private API server endpoint. To use this `cluster_endpoint_private_access` and `cluster_create_endpoint_private_access_sg_rule` must be set to `true`. | `list(string)` | `null` | no | | |||
| | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. When it's set to `false` ensure to have a proper private access with `cluster_endpoint_private_access = true`. | `bool` | `true` | no | | |||
| | <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no | | |||
| | <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint. If you use this, also set `cluster_endpoint_private_access` to true otherwise the nodes will use public access point but their WAN IP will not be in the CIDR list (see _API server endpoint access options_ table in [EKS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) for details). | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no | | |||
There was a problem hiding this comment.
Please move your addition into notes section in README.
The documentation for inputs is extracted from variables.tf and we try to exclude very detailed explanations and links to other docs or variables from the description of the variables.
There was a problem hiding this comment.
I think better place will be https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/faq.md#networking where we already have some info about it
There was a problem hiding this comment.
OK, it certainly makes sense to move it there, I will do that shortly.
There was a problem hiding this comment.
I completely forgot that we have FAQ where such details should be written. :)
|
I have opened #1603 for same to fix it |
|
#1603 has been merged so this PR can be closed |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
PR o'clock
Description
Fixes #1111.
If private access is false, then worker nodes have no choice but to access API server through the public access point, ie internet.
But If you set public endpoint CIDR list, their IP will be blocked (you don't have a way to determine WAN IP of nodes). So worker nodes will never join the cluster. This caused me headache so I wanted to avoid this for others.
So if you set public access = true and public SG CIDR list, you HAVE to enable private access too so the nodes can directly access the API server from within the VPC. The docs on this point in AWS are very easy to miss / not see / not remember.
Checklist