Amazon EKS security group requirements and considerations - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon EKS security group requirements and considerations

This topic describes the security group requirements of an Amazon EKS cluster.

When you create a cluster, Amazon EKS creates a security group that's named eks-cluster-sg-my-cluster-uniqueID. This security group has the following default rules:

Rule type Protocol Ports Source Destination

Inbound

All

All

Self

Outbound

All

All

0.0.0.0/0

Amazon EKS tags this security group with the following tags:

Key Value
kubernetes.io/cluster/my-cluster owned
aws:eks:cluster-name my-cluster

Amazon EKS automatically associates this security group to the following resources that it also creates:

  • 2–4 elastic network interfaces (referred to for the rest of this document as network interface) that are created when you create your cluster.

  • Network interfaces of the nodes in any managed node group that you create.

The default rules allow all traffic to flow freely between your cluster and nodes, and allows all outbound traffic to any destination. When you create a cluster, you can (optionally) specify your own security groups. If you do, then Amazon EKS also associates the security groups that you specify to the network interfaces that it creates for your cluster. However, it doesn't associate them to any node groups that you create.

You can determine the ID of your cluster security group in the Amazon Web Services Management Console under the cluster's Networking section. Or, you can do so by running the following Amazon CLI command.

aws eks describe-cluster --name my-cluster --query cluster.resourcesVpcConfig.clusterSecurityGroupId

Restricting cluster traffic

If you need to limit the open ports between the cluster and nodes, you can remove the default rules and add the following minimum rules that are required for the cluster:

Rule type Protocol Port Source Destination
Inbound TCP

443

Cluster security group
Inbound TCP

10250

Cluster security group
Inbound (CoreDNS) TCP and UDP 53 Cluster security group
Outbound TCP

443

Cluster security group

Outbound TCP

10250

Cluster security group

Outbound (DNS) TCP and UDP 53 Cluster security group

You must also add rules for the following traffic:

  • Any protocol and ports that you expect your nodes to use for inter-node communication.

  • Outbound internet access so that nodes can access the Amazon EKS APIs for cluster introspection and node registration at launch time. If your nodes don't have internet access, review Private cluster requirements for additional considerations.

  • Node access to pull container images from Amazon ECR or other container registries APIs that they need to pull images from, such as DockerHub. For more information, see Amazon IP address ranges in the Amazon General Reference.

  • Node access to Amazon S3.

  • Separate rules are required for IPv4 and IPv6 addresses.

If you're considering limiting the rules, we recommend that you thoroughly test all of your pods before you apply your changed rules to a production cluster.

If you originally deployed a cluster with Kubernetes 1.14 and a platform version of eks.3 or earlier, then consider the following:

  • You might also have control plane and node security groups. When these groups were created, they included the restricted rules listed in the previous table. These security groups are no longer required and can be removed. However, you need to make sure your cluster security group contains the rules that those groups contain.

  • If you deployed the cluster using the API directly or you used a tool such as the Amazon CLI or Amazon CloudFormation to create the cluster and you didn't specify a security group at cluster creation, then the default security group for the VPC was applied to the cluster network interfaces that Amazon EKS created.