quickstart-amazon-eks

NodeGroup stack failed: EKSPrivateAccessEndpoint only with HttpProxy enabled

Open yanivpaz opened this issue 4 years ago • 2 comments

Error

eks-stack-NodeGroupStack is failing when creating ConfigureProxy resource with error: "Failed to create the resource. Unable to connect to the server: net/http: TLS handshake timeout"

Parameters used

HttpProxy is defined with our corporate proxy URL
EKSPrivateAccessEndpoint Enabled EKSPublicAccessEndpoint Disabled

Analysis

When using the private endpoint with the HTTP proxy:

  • kubectl CLI does not require the HTTP proxy variables as the connection is being done directly from the kubectl client on bastion to the control plane
  • AWS CLI requires the HTTP proxy

Proper HTTP proxy parameters should be sent to the function below: https://github.com/aws-quickstart/quickstart-amazon-eks/blob/master/functions/source/KubeManifest/lambda_function.py#L68

Possible solution

  1. Add eks.amazonaws.com and the link-local addresses to the no-proxy list in amazon-eks-functions.template.yaml: FunctionName: !Sub "EKS-QuickStart-KubeManifest-${EKSClusterName}" should get a new environment variable:
     NO_PROXY: !If [NoProxy, !Ref 'AWS::NoValue', '169.254.169.254,eks.amazonaws.com']
  2. Add the inbound rule "HTTPS TCP 443 eks-stack-BastionStack" to eks-stack-ControlPlaneSecurityGroup in order to enable kubectl access to the control plane.

Manual validation

Log in to the bastion and run the following commands:

# Route outbound traffic through the corporate proxy, except for IMDS and the EKS endpoints
export https_proxy=<proxy>
export http_proxy=<proxy>
export no_proxy=169.254.169.254,eks.amazonaws.com

# AWS CLI call (goes through the proxy) to fetch the cluster credentials
aws eks update-kubeconfig --name <cluster-name> --region <region>
# kubectl calls (direct to the private control plane endpoint, no proxy)
kubectl config use-context  <arn of cluster>
kubectl api-versions

PR

A PR will be opened based on the approved solution. Challenge: how to update the bastion SG in the control plane SG, as the control plane is created before the bastion.

yanivpaz, Sep 22 '20 19:09
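To see why the proposed NO_PROXY value separates the two traffic paths described in the analysis (AWS CLI via the proxy, kubectl direct to the control plane), here is an added example that is not part of the issue or the Quick Start code: it implements the usual NO_PROXY suffix-matching convention and builds the environment a Lambda or bastion shell would hand to aws/kubectl subprocesses. The proxy URL and the cluster endpoint hostname are constructed placeholders.

```python
import os
from urllib.parse import urlsplit

# Values from the issue's proposed setting; the proxy URL is a placeholder.
NO_PROXY = "169.254.169.254,eks.amazonaws.com"
PROXY_URL = "http://proxy.corp.example:3128"


def bypasses_proxy(url_or_host: str, no_proxy: str = NO_PROXY) -> bool:
    """True if the host should skip the HTTP proxy.

    Follows the common NO_PROXY convention (curl, Python urllib, AWS CLI):
    comma-separated exact hosts or domain suffixes, leading dot optional,
    '*' bypasses everything. Ports and URL schemes are ignored.
    """
    if no_proxy.strip() == "*":
        return True
    host = url_or_host.lower()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.split(":")[0]  # drop an explicit port
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def build_subprocess_env(proxy_url: str = PROXY_URL,
                         no_proxy: str = NO_PROXY) -> dict:
    """Environment for aws/kubectl subprocesses: proxy on, with exceptions.
    Both upper- and lower-case names are set because tools differ."""
    env = dict(os.environ)
    for key, value in (("HTTP_PROXY", proxy_url),
                       ("HTTPS_PROXY", proxy_url),
                       ("NO_PROXY", no_proxy)):
        env[key] = env[key.lower()] = value
    return env


def route_table(hosts, no_proxy: str = NO_PROXY) -> dict:
    """Map each host to 'direct' or 'proxy' as a quick sanity check."""
    return {h: "direct" if bypasses_proxy(h, no_proxy) else "proxy" for h in hosts}


if __name__ == "__main__":
    for host, route in route_table([
        "169.254.169.254",                                 # IMDS
        "https://abc123.gr7.us-east-1.eks.amazonaws.com",  # constructed cluster endpoint
        "eks.us-east-1.amazonaws.com",                     # EKS service API (AWS CLI)
    ]).items():
        print(f"{route:6} {host}")
```

The constructed cluster endpoint ends in `.eks.amazonaws.com` and so goes direct, while the EKS service API hostname used by `aws eks update-kubeconfig` does not match and still goes through the proxy, which is the split the issue relies on.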