EKS Cluster with private access endpoint and a bastion host
You can connect to the private Kubernetes API endpoint through an AWS Systems Manager Session Manager port-forwarding session to the bastion host, so the endpoint itself never has to be exposed publicly.
Create a Systems Manager Host Management configuration for the bastion host with Quick Setup; this is what registers the instance as a managed node and lets Session Manager reach it.
For example, open this link in the browser: https://<eks-region>.console.aws.amazon.com/systems-manager/quick-setup?region=<eks-region>
Choose Create to create a new Host Configuration.
Choose the Host Management option and choose Create.
In the creation wizard, select the bastion instance by tag or by instance ID and choose Create.
Once the Host Configuration is complete, proceed with the next steps.
The bastion host should now appear as a managed node in Systems Manager (Fleet Manager), which confirms that the SSM Agent is running and registered.
Note: If SSH to the bastion host fails with the error below, port 22 is not open in the bastion's security group. Allow inbound TCP 22 only from your own public IP address (a /32 rule), never from 0.0.0.0/0; once the SSM session works, the inbound SSH rule can be removed altogether, because Session Manager does not need an open port.
ssh: connect to host <bastionhost-public-ip> port 22: Operation timed out
Create an IAM user for SSM access with programmatic access to the AWS APIs. The managed policy AmazonSSMFullAccess works but is far broader than this task needs; a least-privilege alternative is a policy that allows ssm:StartSession only on the bastion instance and on the AWS-StartPortForwardingSessionToRemoteHost document.
Grab the IAM user's access key ID and secret access key.
On your local machine, configure a named profile with the IAM user's credentials and the EKS region.
Make sure the access key ID and secret access key are stored in ~/.aws/credentials and the region in ~/.aws/config (for example with aws configure --profile <profile>), and keep the credentials file readable only by your user.
On your local machine, start the SSM port forwarding session to the EKS endpoint; this requires the AWS CLI and the Session Manager plugin.
If you get the error below, make sure the EKS endpoint passed as the host parameter is just a DNS name and NOT a URL (strip the https:// prefix).
Form the Kubernetes configuration file kube.conf: edit the kubeconfig template and replace the values (cluster name, region, certificate authority data) with those of your EKS cluster. The server address must point at the forwarded local port, and because the API server certificate is issued for the real endpoint name, set tls-server-name to that name rather than disabling TLS verification.
Set the Kubernetes configuration file (export KUBECONFIG or pass --kubeconfig to kubectl).
Once configured, check cluster connectivity (for example, kubectl get svc) to proceed further.
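The following POSIX shell script is an added, end-to-end example of the local-machine side of this procedure; it is not code from the original page. It emits a least-privilege IAM policy to attach in place of AmazonSSMFullAccess, normalises the EKS endpoint to a bare DNS name (the failure mode noted above), starts the SSM port-forwarding session, writes a kube.conf that targets the forwarded local port while keeping TLS verification on, and runs the connectivity check. The profile name, region, cluster name, instance ID, local port and output path are placeholder assumptions to replace; it needs the AWS CLI, the Session Manager plugin and kubectl installed.

```shell
#!/bin/sh
# Added example, not the page's own code: local-machine side of the procedure.
# Placeholder values (profile, region, cluster, instance ID, port) are assumptions.
set -eu

: "${AWS_PROFILE:=ssm-user}"                 # profile holding the IAM user's keys
: "${AWS_REGION:=us-east-1}"
: "${CLUSTER_NAME:=my-eks-cluster}"
: "${BASTION_INSTANCE_ID:=i-0123456789abcdef0}"
: "${LOCAL_PORT:=8443}"
: "${KUBECONFIG_OUT:=./kube.conf}"

# Least-privilege alternative to AmazonSSMFullAccess: a port-forwarding session to
# this one bastion only, cleanup of the user's own sessions, and reading the
# cluster's endpoint/CA. Attach this to the IAM user instead of the managed policy.
iam_policy() {
  account_id="$1" region="$2" instance_id="$3" cluster="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${region}:${account_id}:instance/${instance_id}",
        "arn:aws:ssm:${region}::document/AWS-StartPortForwardingSessionToRemoteHost" ] },
    { "Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*" },
    { "Effect": "Allow", "Action": "eks:DescribeCluster",
      "Resource": "arn:aws:eks:${region}:${account_id}:cluster/${cluster}" }
  ]
}
EOF
}

# The port-forwarding document's host parameter must be a bare DNS name; passing
# the https:// URL returned by describe-cluster is the error mentioned above.
endpoint_host() {
  printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#/.*$##'
}

# kubeconfig for the forwarded port. The API server certificate is issued for the
# real endpoint name, so tls-server-name keeps verification on instead of
# insecure-skip-tls-verify; the aws exec plugin means no static token is written to disk.
write_kubeconfig() {
  out="$1" cluster="$2" region="$3" host="$4" port="$5" ca_b64="$6" profile="$7"
  cat >"$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: https://localhost:${port}
    tls-server-name: ${host}
    certificate-authority-data: ${ca_b64}
contexts:
- name: ${cluster}
  context: { cluster: ${cluster}, user: ${cluster}-user }
current-context: ${cluster}
users:
- name: ${cluster}-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args: ["eks", "get-token", "--cluster-name", "${cluster}", "--region", "${region}", "--profile", "${profile}"]
EOF
  chmod 600 "$out"
}

# Glue: look up the cluster, open the tunnel in the background, write kube.conf, check.
connect() {
  endpoint=$(aws eks describe-cluster --name "$CLUSTER_NAME" --region "$AWS_REGION" \
    --profile "$AWS_PROFILE" --query 'cluster.endpoint' --output text)
  ca_b64=$(aws eks describe-cluster --name "$CLUSTER_NAME" --region "$AWS_REGION" \
    --profile "$AWS_PROFILE" --query 'cluster.certificateAuthority.data' --output text)
  host=$(endpoint_host "$endpoint")
  aws ssm start-session --target "$BASTION_INSTANCE_ID" --region "$AWS_REGION" \
    --profile "$AWS_PROFILE" --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "host=${host},portNumber=443,localPortNumber=${LOCAL_PORT}" &
  sleep 5   # crude: give the session time to print "Waiting for connections..."
  write_kubeconfig "$KUBECONFIG_OUT" "$CLUSTER_NAME" "$AWS_REGION" "$host" "$LOCAL_PORT" "$ca_b64" "$AWS_PROFILE"
  KUBECONFIG="$KUBECONFIG_OUT" kubectl get svc      # the connectivity check
}

if [ "${RUN_CONNECT:-0}" = 1 ]; then connect; fi
```

Run it with RUN_CONNECT=1 after the placeholders are set; the session stays in the background until you terminate it. The fixed sleep is a convenience, not a readiness check, and the port-forward only listens on localhost, so nothing else on the network can reach the tunnel.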
Prerequisites: the SSM Agent must be installed and running on the bastion host (for example, on an Ubuntu 18.04 based bastion host), and the AWS CLI with the Session Manager plugin must be installed on your local machine.