Connecting to Private EKS API - Invalid x509 Certificate

Hi All,

I suspect this is more of a question for the EKS team at Amazon but I thought I’d still ask here to see if anyone has a workaround for this, or I’m doing something dumb.

I have Kubernetes clusters running in EKS in various VPCs with their k8s API endpoints set to private, so they can only be accessed via my “access” VPC that contains Boundary.

As Boundary is doing TCP level proxying, kubectl and terraform complain of insecure certificates, which makes sense as the self-signed cert that AWS is issuing for the API only contains its IPs as valid names.

Unable to connect to the server: x509: certificate is valid for 172.20.0.1, 10.0.31.62, 172.16.184.187, not 127.0.0.1

It’s easy to work around this by setting the insecure flag everywhere, but it seems dirty and leaves MITM a possibility.

I’m thinking outside of being able to customize the certificate within the EKS service, there isn’t much I’m going to be able to do to get around this?

Would appreciate any ideas!

Thanks, Ben
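As an added example (not from the original post, and not Boundary's or AWS's code), the Go program below reproduces the mismatch above against a constructed self-signed certificate that carries only the three IP SANs quoted in the error, and then shows the alternative to `insecure`: keep verification on and pin the name the certificate is checked against to the SAN you expect, so a server on the proxy path presenting any other certificate still fails. Go's TLS client uses the dialed host (here 127.0.0.1) as the verification name when `ServerName` is empty, which is exactly why kubectl reports the error; kubectl exposes the same knob as `--tls-server-name` (and the kubeconfig field `tls-server-name`). The certificate, listener and addresses are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sanIPs are the IP SANs quoted in the post's error message; the certificate built
// here is a constructed stand-in, not the one AWS issues.
var sanIPs = []net.IP{
	net.ParseIP("172.20.0.1"),
	net.ParseIP("10.0.31.62"),
	net.ParseIP("172.16.184.187"),
}

// newSelfSignedCert builds a throwaway self-signed server certificate whose only
// subject alternative names are IP addresses, the same shape as the EKS API cert.
func newSelfSignedCert(ips []net.IP) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           ips, // no DNS names at all, matching the error in the post
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // trust exactly this cert, as a kubeconfig's certificate-authority-data would
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshakeVia starts a TLS server on 127.0.0.1 (standing in for the Boundary
// listener) and dials it. With serverName empty the client validates the cert
// against the dialed address, 127.0.0.1, as kubectl does by default; with
// serverName set to one of the real SANs, validation is pinned to that name
// instead, without disabling verification.
func handshakeVia(serverName string) error {
	cert, pool, err := newSelfSignedCert(sanIPs)
	if err != nil {
		return err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // any failure is reported on the client side
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// isHostnameMismatch reports whether err is the SAN mismatch from the post
// ("certificate is valid for ..., not 127.0.0.1") rather than some other failure.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	fmt.Println("default (validate against 127.0.0.1):", handshakeVia(""))
	fmt.Println("pinned to 172.20.0.1:", handshakeVia("172.20.0.1"))
	fmt.Println("pinned to an IP the cert lacks:", handshakeVia("192.0.2.10"))
}
```

The first call fails with the same `x509: certificate is valid for 172.20.0.1, 10.0.31.62, 172.16.184.187, not 127.0.0.1` text as in the post, the second succeeds, and the third fails again because pinning only helps when the pinned name really is in the certificate. The difference from `insecure` is that chain validation against the cluster CA and the name check both remain in force; only the name being compared changes.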

The only thing I can think of that you could do client-side is manipulate the client host’s IPVS/equivalent rules so that traffic with a destination of one of the valid EKS IPs is captured and sent over the localhost IP to the Boundary proxy. That’s really not the kind of thing I’d want to be doing routinely though.

At the moment @omkensey is right – longer term we will have some features to enable these kinds of workflows but they don’t exist quite yet, sorry!