
Improve Kubernetes Security with Configurable EKS Endpoint Access in Convox

Enhance EKS Cluster Security with New Endpoint Access Modes in Convox

Introduction

We are excited to introduce a new feature in Convox that enhances the security and flexibility of your EKS clusters: configurable Kubernetes API server endpoint access. This feature allows you to adjust how your cluster's API server is accessed, providing more control over your cluster's security and connectivity.

Cluster Endpoint Access Modes

Configuring access to your Kubernetes API server endpoint is essential for balancing security and connectivity. Convox now supports three modes for managing EKS cluster endpoint access:

  • Public: The EKS cluster endpoint is accessible from outside the VPC, allowing external connections. This mode is the default configuration. Despite being publicly accessible, it is protected by multiple security layers, ensuring that only authorized access is allowed.
  • Semi-Private: In this mode, the cluster switches to public access temporarily during updates or configuration changes and reverts to private once the changes are complete. This mode is suitable for older racks but can be used with any version. Note that enabling Semi-Private mode adds approximately 15 minutes to each update due to the temporary access changes.
  • Private: The EKS cluster endpoint is restricted to VPC access only, ensuring that only internal traffic can access it. This mode provides the highest level of security by limiting access to within the VPC while maintaining full Convox API functionality.

Benefits of Configurable Endpoint Access

Choosing the appropriate endpoint access mode provides significant benefits tailored to your security and operational needs:

  • Enhanced Security: Limiting access to the Kubernetes API server minimizes exposure to external threats. The Private mode ensures that only internal VPC traffic can access the API server.
  • Operational Flexibility: The Semi-Private mode provides a balance between security and ease of maintenance, allowing temporary public access during essential updates or configuration changes.
  • Optimized Performance: Selecting the appropriate endpoint access mode helps optimize cluster performance by reducing unnecessary external traffic, particularly in Private mode, where only internal VPC traffic is allowed.

How to Configure Cluster Endpoint Access in Convox

To configure the cluster endpoint access mode for your EKS cluster, follow these steps in the Convox Console:

Step 1: Access the Convox Console

Log in to the Convox Console and navigate to your Rack Settings by selecting the desired rack and clicking the cogwheel icon in the upper right-hand corner of the screen.

Step 2: Open the Security Tab

Once in the Rack Settings, navigate to the Security tab to access the cluster endpoint access configuration options.

Step 3: Select Your Desired Access Mode

Choose the desired mode for your cluster endpoint access—Public, Semi-Private, or Private—based on your operational and security needs. This configuration helps ensure your cluster meets your security requirements while maintaining necessary connectivity.

Step 4: Verify Your Configuration

After selecting your preferred access mode, monitor your cluster to ensure it operates as expected. Changes to the access mode, especially when switching to Semi-Private, may take additional time during updates.
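
For Step 4, one way to confirm the setting at the AWS level is to compare the endpoint flags reported by `aws eks describe-cluster` with the mode selected in the Console. The Python script below is an added example, not Convox code; the mapping from Convox modes to the EKS `endpointPublicAccess` and `endpointPrivateAccess` flags is an assumption drawn from the mode descriptions above, and the sample JSON and cluster name are constructed.

```python
import json

# Constructed sample of `aws eks describe-cluster --name <cluster>` output (trimmed).
# "example-rack" is a placeholder name, not a real cluster.
SAMPLE = json.loads("""
{"cluster": {"name": "example-rack", "status": "ACTIVE",
  "resourcesVpcConfig": {"endpointPublicAccess": true,
                         "endpointPrivateAccess": true,
                         "publicAccessCidrs": ["0.0.0.0/0"]}}}
""")

MODES = ("public", "semi-private", "private")


def check_endpoint(describe_output, expected_mode):
    """Return a list of findings; an empty list means the flags match the mode.

    Assumed mapping (not taken from Convox documentation):
      Public       -> public endpoint enabled
      Private      -> public endpoint disabled, private endpoint enabled
      Semi-Private -> same as Private, except while the cluster is UPDATING
    """
    mode = expected_mode.lower()
    if mode not in MODES:
        raise ValueError(f"unknown mode: {expected_mode}")
    cluster = describe_output["cluster"]
    vpc = cluster["resourcesVpcConfig"]
    public = bool(vpc.get("endpointPublicAccess"))
    private = bool(vpc.get("endpointPrivateAccess"))
    cidrs = vpc.get("publicAccessCidrs") or []
    updating = cluster.get("status") == "UPDATING"

    findings = []
    if mode == "public":
        if not public:
            findings.append("public endpoint is disabled but mode is Public")
        elif "0.0.0.0/0" in cidrs:
            findings.append("info: public endpoint is reachable from any IPv4 address")
    elif mode == "private" and public:
        findings.append("public endpoint is enabled but mode is Private")
    elif mode == "semi-private" and public and not updating:
        findings.append("public endpoint is enabled with no update in progress")
    if mode != "public" and not private:
        findings.append("private endpoint is disabled; in-VPC clients cannot reach the API")
    return findings


if __name__ == "__main__":
    for m in MODES:
        print(m, "->", check_endpoint(SAMPLE, m) or "OK")
```

To check a live rack, save the output of `aws eks describe-cluster --name <cluster>` to a file and pass the parsed JSON to `check_endpoint` in place of `SAMPLE`.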

Conclusion

The new functionality to configure EKS cluster endpoint access in Convox provides a valuable tool for enhancing the security and operational flexibility of your Kubernetes environments. By choosing the appropriate access mode, you can better align your cluster's configuration with your application's specific needs, ensuring optimal performance and security. Start leveraging these new capabilities today to enhance your cluster management strategy.
