Add documentation for utils update-cluster-vpc-config

eksctl-io · Oct 24, 2023 · c2c91ab · c2c91ab
1 parent 79b271e
commit c2c91ab
Show file tree

Hide file tree

Showing 5 changed files with 142 additions and 5 deletions.
diff --git a/examples/38-cluster-subnets-sgs.yaml b/examples/38-cluster-subnets-sgs.yaml
@@ -0,0 +1,22 @@
+# An example config for updating API server endpoint access, public access CIDRs, and control plane subnets and security groups.
+# To perform the update, run `eksctl utils update-cluster-vpc-config -f 38-cluster-subnets-sgs.yaml`
+
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+  name: cluster-38
+  region: us-west-2
+
+iam:
+  withOIDC: true
+
+vpc:
+  controlPlaneSubnetIDs: [subnet-1234, subnet-5678]
+  controlPlaneSecurityGroupIDs: [sg-1234, sg-5678]
+  clusterEndpoints:
+    publicAccess: true
+    privateAccess: true
+  publicAccessCIDRs: ["1.1.1.1/32"]
+
+managedNodeGroups:
+  - name: mng1
diff --git a/userdocs/mkdocs.yml b/userdocs/mkdocs.yml
@@ -179,6 +179,7 @@ nav:
       - usage/vpc-configuration.md
       - usage/vpc-subnet-settings.md
       - usage/vpc-cluster-access.md
+      - usage/cluster-subnets-security-groups.md
       - usage/vpc-ip-family.md
     - IAM:
       - usage/minimum-iam-policies.md

diff --git a/userdocs/src/getting-started.md b/userdocs/src/getting-started.md
@@ -1,6 +1,8 @@
 # Getting started
 
 !!! tip "New for 2023"
+    `eksctl` now supports [updating the subnets and security groups](/usage/cluster-subnets-security-groups) associated with the EKS control plane.
+
     `eksctl` now supports creating fully private clusters on [AWS Outposts](/usage/outposts).
 
     `eksctl` now supports new ISO regions `us-iso-east-1` and `us-isob-east-1`.

diff --git a/userdocs/src/usage/cluster-subnets-security-groups.md b/userdocs/src/usage/cluster-subnets-security-groups.md
@@ -0,0 +1,83 @@
+# Updating control plane subnets and security groups
+
+## Updating control plane subnets
+When a cluster is created with eksctl, a set of public and private subnets are created and passed to the EKS API.
+EKS creates 2 to 4 cross-account elastic network interfaces (ENIs) in those subnets to enable communication between the EKS
+managed Kubernetes control plane and your VPC.
+
+To update the subnets used by the EKS control plane, run:
+
+```console
+eksctl utils update-cluster-vpc-config --cluster=<cluster> --control-plane-subnet-ids=subnet-1234,subnet-5678
+```
+
+To update the setting using a config file:
+
+```yaml
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+  name: cluster
+  region: us-west-2
+
+vpc:
+  controlPlaneSubnetIDs: [subnet-1234, subnet-5678]
+```
+
+```console
+eksctl utils update-cluster-vpc-config -f config.yaml
+```
+
+Without the `--approve` flag, eksctl only logs the proposed changes. Once you are satisfied with the proposed changes, rerun the command with
+the  `--approve` flag.
+
+## Updating control plane security groups
+To manage traffic between the control plane and worker nodes, EKS supports passing additional security groups that are applied to the cross-account network interfaces
+provisioned by EKS. To update the security groups for the EKS control plane, run:
+
+```console
+eksctl utils update-cluster-vpc-config --cluster=<cluster> --control-plane-security-group-ids=sg-1234,sg-5678 --approve
+```
+
+To update the setting using a config file:
+
+```yaml
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+  name: cluster
+  region: us-west-2
+
+vpc:
+  controlPlaneSecurityGroupIDs: [sg-1234, sg-5678]
+```
+
+```console
+eksctl utils update-cluster-vpc-config -f config.yaml
+```
+
+To update both control plane subnets and security groups for a cluster, run:
+
+```console
+eksctl utils update-cluster-vpc-config --cluster=<cluster> --control-plane-subnet-ids=<> --control-plane-security-group-ids=<> --approve
+```
+
+To update both fields using a config file:
+
+```yaml
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+  name: cluster
+  region: us-west-2
+
+vpc:
+  controlPlaneSubnetIDs: [subnet-1234, subnet-5678]
+  controlPlaneSecurityGroupIDs: [sg-1234, sg-5678]
+```
+
+```console
+eksctl utils update-cluster-vpc-config -f config.yaml
+```
+
+For a complete example, refer to [https://github.com/eksctl-io/eksctl/blob/main/examples/38-cluster-subnets-sgs.yaml](cluster-subnets-sgs.yaml).
diff --git a/userdocs/src/usage/vpc-cluster-access.md b/userdocs/src/usage/vpc-cluster-access.md
@@ -33,14 +33,18 @@ There are some additional caveats when configuring Kubernetes API endpoint acces
 
 The following is an example of how one could configure the Kubernetes API endpoint access using the `utils` sub-command:
 
+```console
+eksctl utils update-cluster-vpc-config --cluster=<clustername> --private-access=true --public-access=false
 ```
-eksctl utils update-cluster-endpoints --name=<clustername> --private-access=true --public-access=false
-```
+
+!!! warning
+    `eksctl utils update-cluster-endpoints` has been deprecated in favour of `eksctl utils update-cluster-vpc-config`
+    and will be removed soon.
 
 To update the setting using a `ClusterConfig` file, use:
 
 ```console
-eksctl utils update-cluster-endpoints -f config.yaml --approve
+eksctl utils update-cluster-vpc-config -f config.yaml --approve
 ```
 
 Note that if you don't pass a flag, it will keep the current value. Once you are satisfied with the proposed changes,
@@ -59,13 +63,17 @@ vpc:
 To update the restrictions on an existing cluster, use:
 
 ```console
-eksctl utils set-public-access-cidrs --cluster=<cluster> 1.1.1.1/32,2.2.2.0/24
+eksctl utils update-cluster-vpc-config --cluster=<cluster> 1.1.1.1/32,2.2.2.0/24
 ```
 
+!!! warning
+    `eksctl utils set-public-access-cidrs` has been deprecated in favour of `eksctl utils update-cluster-vpc-config`
+    and will be removed soon.
+
 To update the restrictions using a `ClusterConfig` file, set the new CIDRs in `vpc.publicAccessCIDRs` and run:
 
 ```console
-eksctl utils set-public-access-cidrs -f config.yaml
+eksctl utils update-cluster-vpc-config -f config.yaml
 ```
 
 !!! warning
@@ -81,3 +89,24 @@ eksctl utils set-public-access-cidrs -f config.yaml
     the internet. (Source: https://github.com/aws/containers-roadmap/issues/108#issuecomment-552766489)
 
     Implementation notes: https://github.com/aws/containers-roadmap/issues/108#issuecomment-552698875
+
+
+To update both API server endpoint access and public access CIDRs for a cluster in a single command, run:
+
+```console
+eksctl utils update-cluster-vpc-config --cluster=<cluster> --public-access=true --private-access=true --public-access-cidrs=1.1.1.1/32,2.2.2.0/24
+```
+
+To update the setting using a config file:
+
+```yaml
+vpc:
+  clusterEndpoints:
+    publicAccess:  <true|false>
+    privateAccess: <true|false>
+  publicAccessCIDRs: ["1.1.1.1/32"]
+```
+
+```console
+eksctl utils update-cluster-vpc-config --cluster=<cluster> -f config.yaml
+```