Control plane

To have EKS manage the control plane for you, you need to create an EKS cluster. When you create an EKS cluster, behind the scenes, AWS fires up several master nodes in a highly available configuration, complete with the Kubernetes API Server, scheduler, controller manager, and etcd. Here are the key considerations for your EKS cluster:

Kubernetes version

When creating your EKS cluster, you can pick which version of Kubernetes to use. For each version of Kubernetes, EKS may have one or more platform versions that are compatible with it. For example, Kubernetes 1.12.6 had platform versions eks.1 and eks.2. AWS automatically updates the control plane to use the latest platform version compatible with your chosen Kubernetes minor version.

Subnets

Your EKS cluster will run in the subnets you specify. We strongly recommend running solely in private subnets that are NOT directly accessible from the public Internet. See How to deploy a production-grade VPC on AWS for more info.

Endpoint access

You can configure whether the API endpoint for your EKS cluster is accessible from (a) within the same VPC and/or (b) from the public Internet. We recommend allowing access from within the VPC, but not from the public Internet. If you need to talk to your Kubernetes cluster from your own computer (e.g., to issue commands via kubectl), use a bastion host or VPN server. See How to deploy a production-grade VPC on AWS for more info.

Cluster IAM Role

To be able to make API calls to other AWS services, your EKS cluster must have an IAM role with the following managed IAM policies: AmazonEKSServicePolicy and AmazonEKSClusterPolicy.

Security group

You should define a security group that controls what traffic can go in and out of the control plane. The worker nodes must be able to talk to the control plane and vice versa: see Cluster Security Group Considerations for the ports you should open up between them.

Logging

We recommend enabling control plane logging so that the logs from the Kubernetes API server, controller manager, scheduler, and other components are sent to CloudWatch.
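To turn the endpoint access, cluster IAM role and logging considerations above into a repeatable check, here is an added audit helper (it is not part of this guide and not an EKS or AWS SDK function): it reads the "cluster" object returned by eks:DescribeCluster and the list of managed policies attached to the cluster role, both of which the caller is assumed to have fetched, and reports every deviation from the recommendations. The field names follow the DescribeCluster response; the sample cluster, account id and resource ids are constructed.

```python
# Added audit helper: checks the "cluster" object from eks:DescribeCluster against the
# considerations above. Pure stdlib; fetching the data from AWS is left to the caller.

ALL_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}
REQUIRED_POLICIES = {"AmazonEKSServicePolicy", "AmazonEKSClusterPolicy"}


def audit_cluster(cluster, attached_policies):
    """Return a list of findings (empty means the cluster follows the guide).

    attached_policies: managed-policy names on the cluster IAM role, e.g. from
    iam:ListAttachedRolePolicies (assumed to be collected by the caller).
    """
    findings = []
    vpc = cluster.get("resourcesVpcConfig", {})
    # Endpoint access: reachable from inside the VPC, not from the public Internet.
    if vpc.get("endpointPublicAccess", True):
        cidrs = ", ".join(vpc.get("publicAccessCidrs", ["0.0.0.0/0"]))
        findings.append(f"API endpoint is reachable from the public Internet ({cidrs})")
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("API endpoint is not reachable from within the VPC")
    # Cluster IAM role: both managed policies must be attached.
    missing = REQUIRED_POLICIES - set(attached_policies)
    if missing:
        findings.append("cluster IAM role is missing " + ", ".join(sorted(missing)))
    # Logging: every control plane log type should be shipped to CloudWatch.
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    if enabled != ALL_LOG_TYPES:
        off = ", ".join(sorted(ALL_LOG_TYPES - enabled))
        findings.append("control plane logging not enabled for: " + off)
    return findings


# Constructed sample modelled on the DescribeCluster response shape (not a real cluster).
SAMPLE_CLUSTER = {
    "name": "example", "version": "1.12", "platformVersion": "eks.2",
    "roleArn": "arn:aws:iam::123456789012:role/example-eks-cluster",
    "resourcesVpcConfig": {
        "subnetIds": ["subnet-aaaa", "subnet-bbbb"], "securityGroupIds": ["sg-cccc"],
        "endpointPublicAccess": True, "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
    "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]},
}
```

Running `audit_cluster(SAMPLE_CLUSTER, ["AmazonEKSClusterPolicy"])` yields four findings: a public endpoint, no private endpoint, the missing AmazonEKSServicePolicy, and three log types not shipped to CloudWatch.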