Issues running kubectl and eks commands in a fully private cluster
I have created a fully private VPC (no direct internet access); let's call it VPC-A. This VPC is peered with another VPC; let's call it VPC-B. VPC-B has an internet connection and is being used as a gateway for VPC-A. I have deployed only a fully private cluster (without any nodes) in the private subnet of VPC-A using the guide. The problem is that I am not able to run any kubectl and eks commands, just as mentioned in the guide. After digging a lot on the internet, I found a few things about accessing the cluster. One is that I must create a machine in that private VPC and try to access the cluster from there. I also created many issues on GitHub but did not get a proper answer. Below are some experts' answers:
You can communicate with the K8s API by deploying an EC2 instance inside that VPC and defining the EKS K8s API to your kubectl.
Well, I have deployed the instance in the VPC, but the main question is: how can I define the EKS K8s API to kubectl? It has been 3 weeks since I started trying to create a fully functional cluster, but with no success.
Whenever I run the kubectl command from the instance inside the private VPC, I get the following error message:
Unable to connect to the server: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Also, in the EKS fully private cluster guide it is mentioned that:
For all commands to work post cluster creation, eksctl will need private access to the EKS API server endpoint, and outbound internet access (for EKS:DescribeCluster). Commands that do not need access to the API server will be supported if eksctl has outbound internet access.
Can someone please guide me properly on how to give private access to the EKS API server endpoint and outbound internet access (for EKS:DescribeCluster)? I have opened all traffic on all ports for outbound rules in the security groups.
Thanks
@uchiha-pain what do you mean by "how can I define the EKS k8s API to the kubectl"? You need to use the kubeconfig of the cluster, which will have the server address that the client (kubectl) will use to connect, and that address should be accessible from that machine, which is in the same VPC as the control plane K8s API.
Thanks for your response. I ran a number of commands to check if anything is wrong with accessing the server address.
nmap -p 443 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-09 11:11 UTC
Nmap scan report for 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com (192.168.*.*)
Host is up (0.00031s latency).
Other addresses for 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com (not scanned): 192.168.*.*
rDNS record for 192.168.*.*: ip-192-168-*-*.eu-west-*.compute.internal
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Another command is
nslookup 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Address: 192.168.*.*
Name: 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Address: 192.168.*.*
And another is
telnet 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com 443
Trying 192.168.*.*...
Connected to 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Escape character is '^]'.
^CConnection closed by foreign hos
It is clear that I can access the API server endpoints from my machine, which is in the same VPC as the API server. But still, when I run the kubectl command, I am getting this output:
Unable to connect to the server: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
@NaivePa Could you guide me on how I can run kubectl or eks commands? Thanks
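The nmap, nslookup and telnet checks in the comment above confirm DNS resolution and an open TCP port, but kubectl also has to finish a TLS handshake and an HTTP exchange, and it honours proxy environment variables that raw socket tools ignore. The staged probe below is an added example, not part of the thread or of eksctl; `probe` and its parameters are hypothetical names, and the host to pass is the server address from the cluster's kubeconfig.

```python
import os, socket, ssl, sys, time

def probe(host, port=443, timeout=5.0, cafile=None):
    """Return [(stage, ok, detail)] and stop at the first failing stage."""
    results, state = [], {}
    # kubectl reads these variables; nmap and telnet connect directly and do not.
    proxies = {k: v for k, v in os.environ.items()
               if k.lower() in ("https_proxy", "http_proxy", "no_proxy")}
    results.append(("proxy_env", True, str(proxies or "none set")))

    def dns():
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        state["addr"] = infos[0][4]
        return str(sorted({i[4][0] for i in infos}))
    def tcp():
        state["sock"] = socket.create_connection(state["addr"][:2], timeout=timeout)
        return "connected"
    def tls():
        ctx = ssl.create_default_context(cafile=cafile)
        if cafile is None:  # no cluster CA given: reachability only, no secrets sent
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        state["tls"] = ctx.wrap_socket(state["sock"], server_hostname=host)
        return state["tls"].version()
    def http():
        req = f"GET /version HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        state["tls"].sendall(req.encode())
        # Any status line, even 401 or 403, shows the HTTP layer is answering.
        return state["tls"].recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")

    try:
        for name, fn in (("dns", dns), ("tcp", tcp), ("tls", tls), ("http", http)):
            start = time.monotonic()
            try:
                detail, ok = fn(), True
            except OSError as exc:  # gaierror, refused, timeout and ssl.SSLError
                detail, ok = f"{type(exc).__name__}: {exc}", False
            results.append((name, ok, f"{detail} ({time.monotonic() - start:.2f}s)"))
            if not ok:
                break
    finally:
        for key in ("tls", "sock"):
            if key in state:
                state[key].close()
    return results

if __name__ == "__main__" and len(sys.argv) > 1:
    for stage in probe(sys.argv[1]):
        print(stage)
```

A run in which `dns` and `tcp` succeed while `tls` or `http` times out places the stall after the port check that nmap and telnet perform.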
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.