Update private-clusters.adoc (#869)

geoffcline · web-flow · commit 6d7be17836b5 · 2025-02-12T15:59:49.000-06:00
* Update private-clusters.adoc

* add eks and eks-auth endpoints

* Update private-clusters.adoc
diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc
@@ -90,17 +90,24 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl
 
 |{aws} Security Token Service (required when using IAM roles for service accounts)
 |com.amazonaws.[.replaceable]`region-code`.sts 
-|===
+
+|Amazon EKS Auth
+|com.amazonaws.[.replaceable]`region-code`.eks-auth 
 
 
+|Amazon EKS
+|com.amazonaws.[.replaceable]`region-code`.eks
+
+|===
 * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group.
 * If your [.noloc]`Pods` use Amazon EFS volumes, then before deploying the <<efs-csi,Store an elastic file system with Amazon EFS>>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster.
 * Route53 does not support {aws} PrivateLink. You cannot manage Route53 DNS records from a private Amazon EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns].
+* If you use the EKS Optimized AMI, you should enable the `ec2` endpoint in the table above. Alternatively, you can manually set the Node DNS name. The optimized AMI uses EC2 APIs to set the node DNS name automatically. 
 * You can use the <<aws-load-balancer-controller,{aws} Load Balancer Controller>> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint.
 +
 The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <<alb-ingress>> and <<network-load-balancer>>.
 * https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] is supported. When deploying Cluster Autoscaler [.noloc]`Pods`, make sure that the command line includes `--aws-use-static-instance-list=true`. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#use-static-instance-list[Use Static Instance List] on [.noloc]`GitHub`. The worker node VPC must also include the {aws} STS VPC endpoint and autoscaling VPC endpoint.
 * Some container software products use API calls that access the {aws} Marketplace Metering Service to monitor usage. Private clusters do not allow these calls, so you can't use these container types in private clusters.
 
 
-📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23private-clusters%5D&type=code[Edit this page on GitHub]
+📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23private-clusters%5D&type=code[Edit this page on GitHub]
