Add support to enable semi private eks cluster access option #928

Merged: nightfury1204 merged 1 commit into staging from eks-private-public-mode on Oct 15, 2025

@nightfury1204 nightfury1204 commented Oct 15, 2025

What is the feature/update/fix?

Feature: Support for Public-Private EKS Cluster Endpoint Access Mode

We have added support for a new public-private endpoint access mode for EKS clusters, complementing the existing public and private options. This hybrid access mode enables both public and private network access to your EKS cluster API server simultaneously, providing greater flexibility in how you connect to and manage your Kubernetes infrastructure.


Why is this important?

Flexible API Server Access:

  • Dual Access Modes - Allow both public internet access and private VPC access to the Kubernetes API server simultaneously
  • Compliance Requirements - Many security frameworks and compliance standards require that API servers be accessible only from private networks, but the public-private mode allows you to meet these requirements while still maintaining external access for management tools
  • Operational Flexibility - Keep using external CI/CD pipelines, kubectl from developer machines, and monitoring tools while also allowing nodes and internal services to communicate with the API server privately
  • Gradual Migration Path - Transition from public-only to more restrictive configurations without breaking existing workflows

This feature is particularly valuable for organizations that need:

  • External tools and CI/CD systems to access the API server while keeping node-to-control-plane communication private
  • To meet compliance requirements that mandate private API access without losing external management capabilities
  • A balance between security (private access) and operational convenience (public access)

How to use it?

After updating your rack to version 3.22.4, you can enable the public-private endpoint access mode through the Convox Console:

  1. Navigate to Rack Settings
     • Log in to the Convox Console
     • Select your rack
     • Click on Rack Settings in the left sidebar
  2. Configure EKS Endpoint Security
     • Locate the EKS Endpoint Security Setting
     • Select public-private from the dropdown menu
     • The change will be applied to your rack automatically

Available EKS Endpoint Access Modes

Your rack now supports three endpoint access configurations:

| Mode | Description | Use Case |
| --- | --- | --- |
| public | API server endpoint is accessible from the internet | Development environments, external CI/CD access |
| private | API server endpoint is only accessible within the VPC | High-security production environments |
| public-private | API server endpoint is accessible from both internet and VPC | Hybrid architectures, gradual security migration |

Network Behavior with Public-Private Mode

When public-private is enabled:

  • External clients (CI/CD, developer machines) connect via the public endpoint
  • In-VPC resources (pods, services, internal tools) automatically use the private endpoint
  • Security groups and NACLs continue to apply for additional access control
  • API server authentication remains unchanged regardless of access path

Does it have a breaking change?

No breaking changes are introduced with this update.

Existing racks will maintain their current endpoint access configuration (public or private) until explicitly changed through the Rack Settings page.


Requirements

To use this feature, you must be on at least version 3.22.4.

For a minor version update, you must state the version with the command convox rack update 3.22.4 -r rackName.
You must be on at least rack version 3.21.0 to perform this update.

If you are unfamiliar with v3 rack versioning, we advise checking the documentation Updating a Rack for more information before applying any updates.

@nightfury1204 nightfury1204 merged commit 385c8e5 into staging Oct 15, 2025
3 of 6 checks passed
@nightfury1204 nightfury1204 deleted the eks-private-public-mode branch October 15, 2025 17:51
@nightfury1204 nightfury1204 mentioned this pull request Oct 15, 2025
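
Added example, not part of the pull request or Convox's code: an audit check that reads `aws eks describe-cluster` JSON, names the endpoint mode, and flags a public endpoint with no CIDR restriction. The mapping of the rack mode names to the two EKS endpoint flags is an assumption, and the sample document is constructed.

```python
import ipaddress
import json

# Constructed sample shaped like `aws eks describe-cluster` output (not a real cluster).
SAMPLE = json.loads("""
{"cluster": {"name": "example-rack", "resourcesVpcConfig": {
    "endpointPublicAccess": true,
    "endpointPrivateAccess": true,
    "publicAccessCidrs": ["0.0.0.0/0"]}}}
""")

# Assumed mapping of (public flag, private flag) to the rack mode names in the table above.
MODES = {(True, False): "public", (False, True): "private", (True, True): "public-private"}


def audit_endpoint(describe_output):
    """Return (mode, findings) for one describe-cluster document."""
    cfg = describe_output["cluster"]["resourcesVpcConfig"]
    public = bool(cfg.get("endpointPublicAccess"))
    private = bool(cfg.get("endpointPrivateAccess"))
    mode = MODES.get((public, private), "unknown")
    findings = []
    if public:
        # Audit choice: a missing or empty allow-list is treated as unrestricted.
        for cidr in cfg.get("publicAccessCidrs") or ["0.0.0.0/0"]:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"public endpoint reachable from any address ({cidr})")
        if not private:
            findings.append("private endpoint disabled: in-VPC clients use the public endpoint")
    return mode, findings


if __name__ == "__main__":
    mode, findings = audit_endpoint(SAMPLE)
    print(mode, findings or "no findings")
```
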