fix: harden k8s apiserver endpoint access #44863

Merged
gandro merged 2 commits into cilium:main from sekhar-isovalent:pr/sekhar-isovalent/eksctl-fix on Mar 19, 2026

@sekhar-isovalent sekhar-isovalent commented Mar 18, 2026

This PR tries to harden the K8s server cluster apiserver endpoint by allowing access to runner IP alone.

Includes:

#43694

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 18, 2026
@sekhar-isovalent sekhar-isovalent marked this pull request as ready for review March 18, 2026 12:34
@sekhar-isovalent sekhar-isovalent requested review from a team as code owners March 18, 2026 12:34
@sekhar-isovalent sekhar-isovalent force-pushed the pr/sekhar-isovalent/eksctl-fix branch 2 times, most recently from 8a9b663 to 7f5fc87 Compare March 18, 2026 12:37
@sekhar-isovalent
Contributor Author

/test

Signed-off-by: Sekhar Sankaramanchi <sekhar@isovalent.com>
@sekhar-isovalent sekhar-isovalent force-pushed the pr/sekhar-isovalent/eksctl-fix branch 2 times, most recently from 22202b7 to fef2afb Compare March 18, 2026 16:13
@aanm aanm added kind/bug/CI This is a bug in the testing code. area/CI Continuous Integration testing issue or flake release-note/ci This PR makes changes to the CI. labels Mar 18, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 18, 2026
@aanm aanm added needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Mar 18, 2026
To prevent the EKS Cluster API server from being exposed to the public internet,
we need to update the cluster endpoint access control list to allow only the
runner's IP address before accessing the cluster.

This ensures that only authorized users can access the API server during
the creation, testing and deletion process.

Signed-off-by: Sekhar Sankaramanchi <sekhar@isovalent.com>
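
The restriction described in the commit message above, sketched as two POSIX shell guards. This is an added example, not code from the PR (whose workflow changes are not shown on this page): it validates the runner address before it becomes a `/32` allow-list entry, then confirms the allow list holds nothing else. The AWS CLI wiring in the comments is an assumption about how such a step could be driven, and `CLUSTER` and `RUNNER_IP` are hypothetical variable names.

```shell
#!/bin/sh
# Added example, not code from the PR. All sample values are constructed.

# runner_cidr IP: print "IP/32" for a strict dotted-quad IPv4 address, else
# fail, so an empty or malformed lookup result never reaches the cloud CLI.
runner_cidr() {
  ip=$1
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip                      # split into octets (digits and dots only)
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in 0?*) return 1 ;; esac   # no leading zeros
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# only_runner_allowed WANT ENTRY...: succeed only if the allow list is
# non-empty and every entry equals WANT (so 0.0.0.0/0 or an extra CIDR fails).
only_runner_allowed() {
  want=$1; shift
  [ "$#" -gt 0 ] || return 1
  for entry in "$@"; do
    [ "$entry" = "$want" ] || return 1
  done
}

# Assumed wiring in a CI step (needs AWS credentials, so left commented out;
# CLUSTER and RUNNER_IP are hypothetical variable names):
#   cidr=$(runner_cidr "$RUNNER_IP") || exit 1
#   aws eks update-cluster-config --name "$CLUSTER" \
#     --resources-vpc-config "endpointPublicAccess=true,publicAccessCidrs=$cidr"
#   aws eks wait cluster-active --name "$CLUSTER"
#   only_runner_allowed "$cidr" $(aws eks describe-cluster --name "$CLUSTER" \
#     --query 'cluster.resourcesVpcConfig.publicAccessCidrs' --output text)

# Demo on constructed values (203.0.113.0/24 is a documentation range).
demo_cidr=$(runner_cidr 203.0.113.7) && echo "allow list should be: $demo_cidr"
only_runner_allowed "$demo_cidr" 0.0.0.0/0 || echo "0.0.0.0/0 is not runner-only"
```

Running the verification after the update, and failing the job when it does not pass, keeps a silently ignored or reverted allow-list change from leaving the endpoint open for the rest of the run.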
@sekhar-isovalent sekhar-isovalent force-pushed the pr/sekhar-isovalent/eksctl-fix branch from fef2afb to 5014beb Compare March 18, 2026 16:33
@sekhar-isovalent sekhar-isovalent requested a review from aanm March 18, 2026 16:40
@sekhar-isovalent
Contributor Author

/test

@cilium-ariane

cilium-ariane bot commented Mar 18, 2026

/test

@gandro gandro enabled auto-merge March 19, 2026 07:41
@gandro gandro added this pull request to the merge queue Mar 19, 2026
Merged via the queue into cilium:main with commit a24e600 Mar 19, 2026
78 of 81 checks passed
@tklauser tklauser added the backport/author The backport will be carried out by the author of the PR. label Mar 24, 2026
@tklauser
Member

Hitting merge conflicts when attempting to backport to v1.17 and v1.18 due to missing prerequisite PR. Adding backport/author as agreed with @sekhar-isovalent.

@tklauser tklauser added backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport/author The backport will be carried out by the author of the PR. needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Mar 25, 2026
@tklauser tklauser mentioned this pull request Mar 25, 2026
5 tasks
@tklauser tklauser added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Mar 25, 2026
@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Mar 25, 2026