Question
When deploying to an EKS cluster located in another AWS account using CodePipeline, what considerations should be made if the EKS cluster endpoint is configured with Private Access?
Answer
EKS Cluster Endpoint
If the EKS cluster is configured with Public Access, the API server endpoint can be accessed via the internet. However, if it is set to Private Access, it can only be accessed from within the same VPC or from a VPC connected via VPC Peering, etc. [1]
For a relevant architecture example, please refer to the reference document [2].
Container Registry
When setting up a private cluster, access to Amazon ECR occurs without outbound internet access [3]. Therefore, the IAM role assigned to the EKS worker nodes must be configured with trusted identity permissions to access the ECR located in another IAM account.
Cross-Account IAM Role Configuration
If the CodeBuild instance is accessing the EKS API server within the same account, it is typically configured by adding the CodeBuild service role to the aws-auth ConfigMap [4]. However, in a cross-account setup, you must add the cross-account IAM roles (created in Dev, Stg, Prd accounts) to the aws-auth ConfigMap.
[1] Amazon EKS Cluster Endpoint Access Control
https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
[2] De-mystifying cluster networking for Amazon EKS worker nodes
https://aws.amazon.com/ko/blogs/containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes/#:~:text=Private endpoint only
[3] Creating Local Copies of Container Images
https://docs.aws.amazon.com/ko_kr/eks/latest/userguide/private-clusters.html#container-images
[4] How do I resolve the 'error: You must be logged in to the server (Unauthorized)' error when connecting to an Amazon EKS cluster from CodeBuild?
https://aws.amazon.com/ko/premiumsupport/knowledge-center/codebuild-eks-unauthorized-errors/
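The following is an added example of the aws-auth change the answer describes; it is not part of the original answer or of any AWS document. It assumes two placeholder accounts: a cluster account (111122223333, where the EKS cluster and a role named eks-deploy-role live) and a pipeline account (444455556666, where CodeBuild runs). CodeBuild's service role assumes eks-deploy-role across accounts with sts:AssumeRole (the role's trust policy must name the pipeline account), and it is that assumed role, not the CodeBuild service role, that has to appear in mapRoles. The namespace "app", the group name "eks-deployers" and the node role name are also assumptions. With a Private Access endpoint, this mapping only helps if the CodeBuild project is additionally configured to run in a VPC that can reach the cluster endpoint, as described in [1] and [2].

```yaml
# Added example (not from the original answer). All account IDs, role names,
# the "app" namespace and the "eks-deployers" group are placeholders.
#
# Cluster account  : 111122223333  (EKS cluster, node role, eks-deploy-role)
# Pipeline account : 444455556666  (CodePipeline / CodeBuild)
#
# The ARN mapped below is the role CodeBuild *assumes* in the cluster account.
# ARNs in aws-auth must be written without an IAM path; the username is only
# the identity that shows up in the audit log.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/eks-node-instance-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::111122223333:role/eks-deploy-role
      username: codebuild-deploy
      groups:
        - eks-deployers
---
# Bind the mapped group to a namespaced Role rather than to system:masters,
# so a leaked pipeline credential is confined to the application namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: app
rules:
  - apiGroups: ["", "apps"]
    resources: ["deployments", "services", "configmaps", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer
  namespace: app
subjects:
  - kind: Group
    name: eks-deployers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

Keep the existing worker-node entry exactly as it was created with the cluster; removing or mistyping it causes nodes to drop out of the cluster. The same pattern is repeated per environment: each of the Dev, Stg and Prd clusters maps the deploy role created in its own account. A failed mapping surfaces as the "You must be logged in to the server (Unauthorized)" error from [4], so checking `kubectl get configmap aws-auth -n kube-system -o yaml` for the exact ARN is the first diagnostic step.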