You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -1385,6 +1385,23 @@ export class Cluster extends ClusterBase {
throw new UnscopedValidationError('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.');
}
// Validate that kubectl subnets are not isolated. Isolated subnets have no
// internet access by definition, so the kubectl Lambda will not be able to
// reach the EKS API, STS, or other AWS service endpoints required for
// kubectl operations (including the CoreDNS compute type patch).
// See https://github.com/aws/aws-cdk/issues/26613
const isolatedSubnetIds = new Set(this.vpc.isolatedSubnets.map(s => s.subnetId));
The reason will be displayed to describe this comment to others. Learn more.
Same as the aws-eks module — consider adding the this.vpc instanceof ec2.Vpc guard here for consistency with the DNS validation at line 1384 and to avoid blocking users with VPC endpoints on imported VPCs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -1868,6 +1868,23 @@ export class Cluster extends ClusterBase {
throw new ValidationError('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.', this);
}
// Validate that kubectl subnets are not isolated. Isolated subnets have no
// internet access by definition, so the kubectl Lambda will not be able to
// reach the EKS API, STS, or other AWS service endpoints required for
// kubectl operations (including the CoreDNS compute type patch).
// See https://github.com/aws/aws-cdk/issues/26613
const isolatedSubnetIds = new Set(this.vpc.isolatedSubnets.map(s => s.subnetId));
The reason will be displayed to describe this comment to others. Learn more.
The error message mentions "VPC endpoints for STS, EKS, and ECR" but per the AWS private clusters documentation, ECR also requires an S3 gateway endpoint (com.amazonaws.region-code.s3) for pulling container images. Consider updating to "STS, EKS, ECR, and S3" for completeness.
The reason will be displayed to describe this comment to others. Learn more.
This validation throws unconditionally for isolated subnets, but the error message itself suggests VPC endpoints as a valid alternative. Users who have properly configured VPC endpoints for STS, EKS, ECR, and S3 in their isolated subnets will be blocked at synth time with no workaround.
The DNS validation directly above (line 1867) uses this.vpc instanceof ec2.Vpc to avoid false positives with imported VPCs. Consider applying the same guard here — when the VPC is CDK-created, we know isolated subnets have no egress; when it's imported, we can't be sure.
if(this.vpcinstanceofec2.Vpc){constisolatedSubnetIds=newSet(this.vpc.isolatedSubnets.map(s=>s.subnetId));consthasIsolatedSubnets=privateSubnets.some(s=>isolatedSubnetIds.has(s.subnetId));if(hasIsolatedSubnets){thrownewValidationError('Isolated subnets cannot be used for kubectl private subnets. ...',this,);}}
this.kubectlPrivateSubnets = privateSubnets;
// the vpc must exist in order to properly delete the cluster (since we run `kubectl delete`).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as the
aws-eksmodule — consider adding thethis.vpc instanceof ec2.Vpcguard here for consistency with the DNS validation at line 1384 and to avoid blocking users with VPC endpoints on imported VPCs.Per the AWS private clusters documentation, isolated subnets with VPC endpoints are a supported configuration.