DEV Community

the kubernetes api server is part of your network policy now

AWS announced a small-looking Amazon EKS feature in June that says a lot about where Kubernetes operations are going.

Customer-routed control plane egress.

I know. The name sounds like a feature flag generated by a committee that was not allowed to leave the room until everyone had inserted one noun.

But the idea is useful: EKS can now route customer-controllable Kubernetes API server outbound traffic through your own VPC. Admission webhook callbacks, OIDC provider lookups, aggregate API server requests, and the DNS resolution for those calls can leave through an ENI in your network instead of only through the EKS-managed control plane path.

In less AWS-language:

The API server makes outbound calls.

Those calls matter.

And now you can treat some of them like real network traffic instead of mystical cloud weather.

the control plane leaving through the front door this time

the api server was never just a thing you call

Most engineers learn the Kubernetes API server as the thing clients talk to.

kubectl talks to it. Controllers talk to it. Nodes talk to it. CI talks to it. Your platform automation talks to it, sometimes with permissions that make security people stare silently at the wall.

So we naturally think about API server networking as inbound access.

Can my node reach it?

Can my laptop reach it?

Is the endpoint public?

Did someone add 0.0.0.0/0 because "temporary" is apparently a religion?

That model is incomplete.

The API server also calls out. It calls admission webhooks. It fetches OIDC discovery documents. It proxies requests to aggregated API servers. If your cluster has serious extension points, the API server is not just receiving traffic. It is participating in your network design.

That is the part this EKS feature makes very explicit.

admission webhooks made this inevitable

Admission webhooks are one of those Kubernetes features that start innocent and then become load-bearing.

At first, maybe you use a validating webhook to block privileged containers. Nice. Useful. Easy to explain.

Then you add mutation for sidecars. Then policy enforcement. Then security scanning. Then internal platform defaults. Then some vendor controller installs a webhook with a certificate rotation story that feels like folklore.

Eventually a pod creation request is not just a write to the API server. It is a small distributed transaction involving your control plane, webhook services, DNS, network routing, TLS, timeouts, retries, and humans asking why deployments are stuck.

Very calm technology.

everything is fine, it is only the admission path

When the API server calls an admission webhook, that outbound path is part of your availability and security boundary. If you cannot observe it, route it, restrict it, or explain it during an audit, then it is not really governed. It is just trusted.

And "trusted because the cloud provider handles it somewhere" is not always enough, especially for regulated teams.

private endpoints solved only half the story

EKS has had private endpoint options for a long time. Those are about how clients reach the Kubernetes API server. Private endpoint access is the inbound side of the conversation.

Customer-routed control plane egress is the other direction.

It answers a different question:

Where does the API server go when it needs to call something on my behalf?

That distinction matters because a private cluster endpoint can make a team feel more secure than it really is. Yes, your workers and operators may reach the API server privately. Good. But if the API server still needs to call a webhook, identity provider, or extension API, the outbound path has its own controls, logs, failure modes, and surprises.

This is the kind of detail that does not fit nicely in architecture diagrams. The diagram has a box named "EKS control plane" and a line to "VPC" and everyone nods because meetings must end eventually.

Reality is more annoying.

The control plane has traffic classes. Some are AWS-managed. Some are customer-controllable. Some can now route through your VPC. Some cannot. AWS is explicit that EKS-managed components keep using EKS-managed paths, and that things like EKS Capabilities run in separate AWS-managed infrastructure. The IAM Authenticator's STS calls continue on the EKS-managed path too.

That is not a flaw. That is the contract.

The useful work is understanding the contract instead of pretending the box is magic.

this is network policy for the grown-up cluster

The phrase "network policy" usually makes Kubernetes people think about pod-to-pod traffic.

Which namespace can call which service? Which egress destinations are allowed? Is DNS open? Did we accidentally allow half the internet because the payment API changed IP ranges again?

All still important.

But serious platform teams are going to start applying the same instinct to control-plane initiated traffic.

If the API server calls a webhook, should that traffic stay inside the VPC? Should it go through AWS Network Firewall? Should it use PrivateLink? Should VPC Flow Logs capture it? Should an organization policy require customer-routed egress for certain clusters?

AWS even added an IAM condition key for this, eks:controlPlaneEgressMode, which is the kind of boring detail that tells you the feature is aimed at real enterprise control, not demo confetti.

This is what platform maturity looks like. Not always heroic. Often just routing a packet through the boring place where your controls already live.

extensions turned the control plane into an application dependency

The bigger story is that Kubernetes keeps moving more business logic into extension points.

Admission controllers enforce policy. Aggregated APIs extend the platform. Operators reconcile the weird stuff. OIDC connects identity. Controllers talk constantly. The "cluster" is no longer just a scheduler plus some pods. It is an operating system made of APIs, callbacks, controllers, and disappointed YAML.

So the API server's outbound traffic is not background noise.

It can decide whether deployments proceed, whether identities validate, whether custom resources work, and whether your platform rules actually run.

That means it belongs in the same discussions as workload egress, service mesh policy, private networking, audit trails, and incident response. Not because every company needs maximum lockdown. Because every company needs to know which parts of the system are allowed to call which other parts, and what happens when they cannot.

the network diagram after one more webhook

managed kubernetes is not an excuse to stop understanding kubernetes

The lazy interpretation of managed Kubernetes is "the cloud provider runs the hard parts, so I do not have to care."

The better interpretation is "the cloud provider runs some hard parts, and I still need to understand the contract at the boundaries."

Customer-routed control plane egress is one of those boundary features. It does not make the EKS control plane yours. It does not turn managed Kubernetes into self-managed Kubernetes. Please do not take a useful feature and convert it into weekend suffering.

It just gives you more control over specific outbound traffic that exists because of your cluster configuration and your extension choices.

That is exactly the sort of feature regulated and platform-heavy teams need. Not because it looks exciting in a keynote, but because it lets them answer practical questions: where did this traffic go, which policy controlled it, can we prove it, and can we explain the failure?

This is the boring endgame for a lot of cloud features. The first version makes the thing easy. The later versions make it governable.

the punchline

The Kubernetes API server is not just a sacred endpoint in the sky.

It is part of your system.

If it calls your webhooks, identity providers, and extension APIs, then its outbound path is part of your architecture. It deserves routing, logging, policy, failure testing, and ownership.

That may feel like one more thing for platform teams to carry.

It is.

Sorry.

But it is also healthier than pretending the control plane is outside the blast radius of the extensions we keep attaching to it.

Managed Kubernetes made clusters easier to create.

Extension-heavy Kubernetes made them harder to reason about.

Customer-routed control plane egress is a useful reminder that the control plane is not above the network.

It is in the network.

Act accordingly.

references

To test my projects, I use Railway. If you want $20 USD to get started, use this link.

Top comments (0)