{"id":748,"date":"2025-11-11T08:20:12","date_gmt":"2025-11-11T08:20:12","guid":{"rendered":"https:\/\/devsecopsschool.com\/blog\/?p=748"},"modified":"2025-11-11T08:20:13","modified_gmt":"2025-11-11T08:20:13","slug":"kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security","status":"publish","type":"post","link":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/","title":{"rendered":"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"683\" height=\"1024\" src=\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-683x1024.jpg\" alt=\"\" class=\"wp-image-749\" srcset=\"http:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-683x1024.jpg 683w, http:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-200x300.jpg 200w, http:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-768x1152.jpg 768w, http:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed.jpg 800w\" sizes=\"auto, (max-width: 683px) 100vw, 683px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>EKS ACCESS CONTROL BLUEPRINT \u2014 COMPLETE 13-LAYER ACL FRAMEWORK (2025 Edition)<\/strong><\/h1>\n\n\n\n<p><em>A single-page, production-ready guide for implementing ACLs across VPC, ALB, Kubernetes, and AWS APIs.<\/em><\/p>\n\n\n\n<p>This blueprint covers <strong>every layer<\/strong> where access can be allowed, denied, restricted, or authenticated in an <strong>EKS Auto Mode<\/strong> cluster fronted by an <strong>AWS Application Load Balancer (ALB)<\/strong>. The layers are independent: a request that passes one of them (say, the ALB security group) still has to pass every layer behind it (WAF, Ingress rules, NetworkPolicy, RBAC, IAM), so a gap in one layer is contained by the others and a single misconfiguration is rarely enough on its own.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>1. AWS Network ACLs (Subnet-Level ACLs)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> Coarse, stateless allow\/deny at the VPC subnet boundary. Because NACLs are stateless, every inbound rule needs a matching outbound rule for the return traffic (including the ephemeral port range 1024-65535), or connections fail.<br><strong>Use Cases:<\/strong> Drop known-bad IP ranges before they reach nodes; restrict subnet-to-subnet traffic (for example, only the EKS node subnets may reach the database subnets).<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create one NACL per subnet tier (public\/ALB, private\/nodes, private\/data) and associate it explicitly; a subnet without its own NACL falls back to the VPC default NACL, which allows everything.<\/li>\n\n\n\n<li>Allow only the inbound ports each tier needs, with the matching outbound ephemeral-port rules.<\/li>\n\n\n\n<li>Rely on the implicit final deny for unknown external CIDRs; add explicit low-numbered deny rules only for ranges that must be blocked ahead of a broader allow.<\/li>\n\n\n\n<li>Restrict the DB\/private subnets so their inbound rules accept traffic only from the EKS subnet CIDRs. Keep NACLs coarse and leave per-workload rules to security groups (layer 7), which are stateful.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>2. ALB Access Controls (CIDR, Host, Header, Path, Query)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> Gate who can reach your ALB and which hosts and paths they can request.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict the <strong>ALB security group<\/strong> ingress to trusted CIDRs (or to the CloudFront managed prefix list when CloudFront fronts the ALB). With the AWS Load Balancer Controller this is driven by the <code>alb.ingress.kubernetes.io\/inbound-cidrs<\/code> annotation, whose default is <code>0.0.0.0\/0<\/code>.<\/li>\n\n\n\n<li>Use listener rules for <strong>host<\/strong>, <strong>path<\/strong>, <strong>header<\/strong>, and <strong>query-string<\/strong> conditions, and make the default action for an unmatched request a fixed 404 response (the controller supports this through its <code>actions.&lt;name&gt;<\/code> annotation) rather than a catch-all forward to a backend.<\/li>\n\n\n\n<li>Avoid <code>0.0.0.0\/0<\/code> wherever the audience is known; for internal services set <code>alb.ingress.kubernetes.io\/scheme: internal<\/code> so no public ALB is created at all.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>3. ALB WAFv2 WebACL (L7 Firewall)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> Application-layer ACL (SQLi, XSS, bot control, geo-blocking, IP sets, rate limiting).<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a regional WAFv2 Web ACL with the AWS managed rule groups (Core rule set, Known bad inputs, SQL database, IP reputation). Start the rules in count mode and switch them to block once false positives have been tuned out.<\/li>\n\n\n\n<li>Add IP sets for allowlists\/denylists and a rate-based rule for login and other abuse-prone paths.<\/li>\n\n\n\n<li>Attach it from the Ingress with <code>alb.ingress.kubernetes.io\/wafv2-acl-arn: arn:aws:wafv2:...<\/code>; the Web ACL must be REGIONAL and in the same region as the ALB (a CLOUDFRONT-scoped ACL cannot be attached to an ALB).<\/li>\n\n\n\n<li>Enable WAF logging (CloudWatch Logs, S3, or Firehose) so blocked and counted requests are visible to detection.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>4. Kubernetes Ingress (ALB) Annotations<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> Per-application edge ACLs, declared next to the workload that owns them.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add CIDR restrictions with <code>alb.ingress.kubernetes.io\/inbound-cidrs<\/code>.<\/li>\n\n\n\n<li>Enforce TLS: listen on 443 (<code>listen-ports<\/code>), redirect HTTP with <code>ssl-redirect<\/code>, and pin a current TLS 1.2+\/1.3 policy with <code>ssl-policy<\/code>.<\/li>\n\n\n\n<li>Enable access logs through <code>load-balancer-attributes<\/code> (<code>access_logs.s3.enabled=true<\/code> plus the bucket name).<\/li>\n\n\n\n<li>Add authentication at the edge (<code>auth-type: oidc<\/code> or <code>cognito<\/code>) or mutual TLS (<code>mutual-authentication<\/code>) where the application needs it.<\/li>\n\n\n\n<li>Apply path-based routing and header conditions so only the expected routes are forwarded; anything else should land on the 404 default action.<\/li>\n\n\n\n<li>Pair the Ingress with an admission policy (layer 12) that rejects Ingress objects missing these annotations; otherwise one forgotten annotation silently reopens the edge.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>5. Kubernetes NetworkPolicies (Pod-to-Pod ACLs)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> L3\/L4 internal ACL for east-west traffic.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm the CNI actually enforces NetworkPolicy (Calico, Cilium, or the Amazon VPC CNI network policy agent). On a cluster without enforcement, NetworkPolicy objects are accepted by the API server and do nothing.<\/li>\n\n\n\n<li>Apply per namespace:\n<ul class=\"wp-block-list\">\n<li><strong>default-deny ingress<\/strong><\/li>\n\n\n\n<li><strong>default-deny egress<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Then explicitly allow, testing after each:\n<ul class=\"wp-block-list\">\n<li>DNS egress to kube-dns (UDP\/TCP 53), which the default-deny egress policy otherwise breaks<\/li>\n\n\n\n<li>ingress \u2192 web, from the ALB subnets (with IP targets the ALB connects from its own ENIs, not from a pod)<\/li>\n\n\n\n<li>web \u2192 db<\/li>\n\n\n\n<li>specific egress destinations (IP blocks or, with Cilium, FQDN rules)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>NetworkPolicy is additive allow-only with no deny rule: isolation comes from the default-deny policy selecting every pod, and from keeping each allow as narrow as possible. With the VPC CNI, pod IPs come from the VPC, so an <code>ipBlock<\/code> covering the whole VPC CIDR also admits every pod in it.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>6. Kubernetes RBAC (API Access ACLs)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> ACL for the Kubernetes API: who may perform which verbs on which resources.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a dedicated ServiceAccount per workload and set <code>automountServiceAccountToken: false<\/code> unless the pod really talks to the API.<\/li>\n\n\n\n<li>Bind namespaced Roles (not ClusterRoles) with least-privilege verbs. Avoid wildcard verbs and resources, and treat <code>get<\/code>\/<code>list<\/code> on <code>secrets<\/code>, <code>create<\/code> on <code>pods\/exec<\/code>, <code>pods<\/code>, or <code>rolebindings<\/code> as privilege-escalation paths.<\/li>\n\n\n\n<li>RBAC has no deny rule, so denying cluster-admin means granting it to nothing but break-glass identities: bind <code>cluster-admin<\/code> only to a dedicated break-glass group and alert on any new ClusterRoleBinding that references it.<\/li>\n\n\n\n<li>Audit RBAC regularly: diff the current ClusterRoleBindings and RoleBindings against an approved list in CI, and watch the API audit log for changes.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>7. Security Groups for Nodes &amp; Pods (SGP)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> Stateful VPC-level ACLs for workloads, enforced outside the cluster.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Harden the node security group: allow inbound only from the cluster security group and the ALB security group on the ports actually in use; never expose the kubelet port (10250) or SSH to the VPC at large.<\/li>\n\n\n\n<li>Enable <strong>Security Groups for Pods<\/strong> in the Amazon VPC CNI (<code>ENABLE_POD_ENI=true<\/code>) and attach SGs with a <code>SecurityGroupPolicy<\/code> resource; check the EKS documentation that your node type (including Auto Mode node pools) supports the feature before relying on it.<\/li>\n\n\n\n<li>Attach pod-specific SGs so that, for example, the RDS security group references only the application pods&#8217; SG in its inbound rule (pod \u2192 RDS only, not every node).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>8. IRSA (IAM Roles for Service Accounts)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> AWS API ACLs per pod, so each workload gets its own IAM role instead of inheriting the node role.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create an IAM role with a least-privilege permissions policy and a trust policy whose condition pins the OIDC <code>sub<\/code> claim to <code>system:serviceaccount:&lt;namespace&gt;:&lt;serviceaccount&gt;<\/code> and <code>aud<\/code> to <code>sts.amazonaws.com<\/code>. A trust policy without the <code>sub<\/code> condition lets every ServiceAccount in the cluster assume the role.<\/li>\n\n\n\n<li>Annotate the ServiceAccount: <code>eks.amazonaws.com\/role-arn: arn:aws:iam::123:role\/app-role<\/code><\/li>\n\n\n\n<li>Scope the permissions policy to specific S3, DynamoDB, SQS, etc. resource ARNs, not to <code>Resource: *<\/code>.<\/li>\n\n\n\n<li>Keep pods away from the node&#8217;s instance metadata (IMDSv2 with hop limit 1, or an egress NetworkPolicy blocking 169.254.169.254) so a compromised pod cannot fall back to the node role. EKS Pod Identity is the newer alternative to IRSA and removes the per-cluster OIDC trust-policy management; either way, the per-workload role boundary is the point.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>9. VPC Egress Controls (Outbound ACLs)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> Control outbound traffic to the internet and to AWS services; this is the layer that limits data exfiltration and command-and-control after a compromise.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Place nodes and pods in private subnets with no public IPs.<\/li>\n\n\n\n<li>Route internet egress through a NAT gateway and restrict destination ports with the node\/pod security groups and NACLs (the NAT gateway itself does no filtering).<\/li>\n\n\n\n<li>Add VPC endpoints (gateway endpoints for S3 and DynamoDB, interface endpoints for STS, ECR, EC2, CloudWatch, and so on) so AWS API traffic never crosses the NAT.<\/li>\n\n\n\n<li>Apply endpoint policies that restrict principals and resources instead of the default allow-all, for example permitting S3 access only to your buckets and only from your account&#8217;s roles.<\/li>\n\n\n\n<li>For strong controls, deploy <strong>AWS Network Firewall<\/strong> (or an egress proxy) for domain-name and port allowlists; security groups cannot filter on domain.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>10. Pod Security Admission (PSA)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> Built-in admission ACL for pod security settings (the successor to PodSecurityPolicy).<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Label namespaces: <code>pod-security.kubernetes.io\/enforce=restricted<\/code>. Add the <code>warn<\/code> and <code>audit<\/code> labels at the same level first to see what would be rejected before you enforce.<\/li>\n\n\n\n<li>The <code>restricted<\/code> profile rejects privileged containers, hostPath volumes, hostNetwork\/hostPID\/hostIPC, hostPorts, running as root, privilege escalation, and added capabilities other than <code>NET_BIND_SERVICE<\/code>, and requires a seccomp profile.<\/li>\n\n\n\n<li>Force hardened workload specs across all production namespaces. PSA is namespace-scoped, so an unlabeled namespace is unrestricted; on EKS the API server admission configuration is not editable, so use a layer-12 policy to require the label on every namespace.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>11. EKS API Server Access Controls<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> ACL for who may reach the cluster API endpoint, and how IAM identities map to Kubernetes identities.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict the public endpoint&#8217;s allowed CIDRs to office\/VPN ranges (<code>aws eks update-cluster-config --resources-vpc-config publicAccessCidrs=...<\/code>).<\/li>\n\n\n\n<li>Prefer a <strong>private-only API endpoint<\/strong> and reach it over VPN, Direct Connect, or a bastion inside the VPC.<\/li>\n\n\n\n<li>Use <strong>EKS access entries<\/strong> (authentication mode <code>API<\/code>, which Auto Mode clusters require to be enabled) rather than the legacy <code>aws-auth<\/code> ConfigMap. Grant <code>AmazonEKSClusterAdminPolicy<\/code> to as few IAM principals as possible and scope everyone else with namespaced access policies.<\/li>\n\n\n\n<li>Enable control-plane audit logging to CloudWatch and alert on RBAC, Ingress, and NetworkPolicy changes.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>12. Admission Policies (Kyverno or Gatekeeper)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> Programmable ACLs on what may be created in the cluster, closing the gaps PSA and RBAC leave.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate a default-deny NetworkPolicy in every new namespace (Kyverno <code>generate<\/code> rules) instead of trying to block individual pods; a pod has no NetworkPolicy of its own to check for.<\/li>\n\n\n\n<li>Block use of the <code>default<\/code> ServiceAccount and require <code>automountServiceAccountToken: false<\/code> where the token is not needed.<\/li>\n\n\n\n<li>Enforce image registry allowlists (e.g., only your ECR registry) and, where images are signed, verify signatures at admission.<\/li>\n\n\n\n<li>Require owner labels, resource requests\/limits, and the layer-4 edge annotations on every Ingress.<\/li>\n\n\n\n<li>Run each new policy in audit mode first and switch it to enforce once the violation report is clean.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>13. Service Mesh L7 Authorization (Optional but Advanced)<\/strong><\/h1>\n\n\n\n<p><strong>Purpose:<\/strong> In-cluster L7 ACL on workload identity (mTLS), JWT claims, methods, and paths, where NetworkPolicy only sees IPs and ports.<br><strong>Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable Istio or Cilium service mesh.<\/li>\n\n\n\n<li>Turn on mTLS cluster-wide in STRICT mode so unauthenticated plaintext calls between services are refused.<\/li>\n\n\n\n<li>Add AuthorizationPolicies, starting from a deny-all default for each workload:\n<ul class=\"wp-block-list\">\n<li>allow only GET\/POST on the routes a client needs<\/li>\n\n\n\n<li>allow only requests whose JWT carries the required claim (e.g., role=admin) on admin paths<\/li>\n\n\n\n<li>allow specific frontend \u2192 backend routes by source workload identity<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>EKS ACCESS CONTROL BLUEPRINT \u2014 COMPLETE 13-LAYER ACL FRAMEWORK (2025 Edition) A single-page, production-ready guide for implementing ACLs across VPC, ALB, Kubernetes, and AWS APIs. This blueprint covers every layer where access can be allowed, denied, restricted, or authenticated in an EKS Auto Mode cluster fronted by AWS ALB. 1. 
AWS Network ACLs (Subnet-Level &#8230; <a title=\"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security\" class=\"read-more\" href=\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/\" aria-label=\"Read more about Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-748","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security - DevSecOps School<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security - DevSecOps School\" \/>\n<meta property=\"og:description\" content=\"EKS ACCESS CONTROL BLUEPRINT \u2014 COMPLETE 13-LAYER ACL FRAMEWORK (2025 Edition) A single-page, production-ready guide for implementing ACLs across VPC, ALB, Kubernetes, and AWS APIs. 
This blueprint covers every layer where access can be allowed, denied, restricted, or authenticated in an EKS Full Auto Mode cluster fronted by AWS ALB. 1. AWS Network ACLs (Subnet-Level ... Read more\" \/>\n<meta property=\"og:url\" content=\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/\" \/>\n<meta property=\"og:site_name\" content=\"DevSecOps School\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-11T08:20:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-11T08:20:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-683x1024.jpg\" \/>\n<meta name=\"author\" content=\"Rajesh Kumar\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rajesh Kumar\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#article\",\"isPartOf\":{\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/\"},\"author\":{\"name\":\"Rajesh Kumar\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c\"},\"headline\":\"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security\",\"datePublished\":\"2025-11-11T08:20:12+00:00\",\"dateModified\":\"2025-11-11T08:20:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/\"},\"wordCount\":551,\"commentCount\":0,\"image\":{\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-683x1024.jpg\",\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/\",\"url\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-comp
lete-13-layer-acl-framework-for-kubernetes-security\/\",\"name\":\"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security - DevSecOps School\",\"isPartOf\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#primaryimage\"},\"image\":{\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-683x1024.jpg\",\"datePublished\":\"2025-11-11T08:20:12+00:00\",\"dateModified\":\"2025-11-11T08:20:13+00:00\",\"author\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c\"},\"breadcrumb\":{\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#breadcrumb\"},\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#primaryimage\",\"url\":\"http:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed.jpg\",\"contentUrl\":\"http:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed.jpg\",\"width\":800,\"height\":1200},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/devsecopsschool.com\/blog\/kubernetes-security
-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/devsecopsschool.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#website\",\"url\":\"https:\/\/devsecopsschool.com\/blog\/\",\"name\":\"DevSecOps School\",\"description\":\"DevSecOps Redefined\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/devsecopsschool.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c\",\"name\":\"Rajesh Kumar\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b02d9501846e698677d30ae5e3d8648980cdd60ebaab000d5001f4612c9f0ff7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b02d9501846e698677d30ae5e3d8648980cdd60ebaab000d5001f4612c9f0ff7?s=96&d=mm&r=g\",\"caption\":\"Rajesh Kumar\"},\"sameAs\":[\"http:\/\/devsecopsschool.com\/blog\"],\"url\":\"http:\/\/devsecopsschool.com\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security - DevSecOps School","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/","og_locale":"en_US","og_type":"article","og_title":"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security - DevSecOps School","og_description":"EKS ACCESS CONTROL BLUEPRINT \u2014 COMPLETE 13-LAYER ACL FRAMEWORK (2025 Edition) A single-page, production-ready guide for implementing ACLs across VPC, ALB, Kubernetes, and AWS APIs. This blueprint covers every layer where access can be allowed, denied, restricted, or authenticated in an EKS Full Auto Mode cluster fronted by AWS ALB. 1. AWS Network ACLs (Subnet-Level ... Read more","og_url":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/","og_site_name":"DevSecOps School","article_published_time":"2025-11-11T08:20:12+00:00","article_modified_time":"2025-11-11T08:20:13+00:00","og_image":[{"url":"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-683x1024.jpg","type":"","width":"","height":""}],"author":"Rajesh Kumar","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Rajesh Kumar","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#article","isPartOf":{"@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/"},"author":{"name":"Rajesh Kumar","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c"},"headline":"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security","datePublished":"2025-11-11T08:20:12+00:00","dateModified":"2025-11-11T08:20:13+00:00","mainEntityOfPage":{"@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/"},"wordCount":551,"commentCount":0,"image":{"@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#primaryimage"},"thumbnailUrl":"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-683x1024.jpg","inLanguage":"en","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#respond"]}]},{"@type":"WebPage","@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/","url":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/","name":"Kubernetes Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security - DevSecOps 
School","isPartOf":{"@id":"https:\/\/devsecopsschool.com\/blog\/#website"},"primaryImageOfPage":{"@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#primaryimage"},"image":{"@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#primaryimage"},"thumbnailUrl":"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed-683x1024.jpg","datePublished":"2025-11-11T08:20:12+00:00","dateModified":"2025-11-11T08:20:13+00:00","author":{"@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c"},"breadcrumb":{"@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#breadcrumb"},"inLanguage":"en","potentialAction":[{"@type":"ReadAction","target":["http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/"]}]},{"@type":"ImageObject","inLanguage":"en","@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#primaryimage","url":"http:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed.jpg","contentUrl":"http:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/11\/EKS-kubernetes-Security_compressed.jpg","width":800,"height":1200},{"@type":"BreadcrumbList","@id":"http:\/\/devsecopsschool.com\/blog\/kubernetes-security-eks-access-control-blueprint-a-complete-13-layer-acl-framework-for-kubernetes-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/devsecopsschool.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Kubernetes 
Security: EKS Access Control Blueprint: A Complete 13-Layer ACL Framework for Kubernetes Security"}]},{"@type":"WebSite","@id":"https:\/\/devsecopsschool.com\/blog\/#website","url":"https:\/\/devsecopsschool.com\/blog\/","name":"DevSecOps School","description":"DevSecOps Redefined","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/devsecopsschool.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en"},{"@type":"Person","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c","name":"Rajesh Kumar","image":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/b02d9501846e698677d30ae5e3d8648980cdd60ebaab000d5001f4612c9f0ff7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b02d9501846e698677d30ae5e3d8648980cdd60ebaab000d5001f4612c9f0ff7?s=96&d=mm&r=g","caption":"Rajesh 
Kumar"},"sameAs":["http:\/\/devsecopsschool.com\/blog"],"url":"http:\/\/devsecopsschool.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=748"}],"version-history":[{"count":1,"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/748\/revisions"}],"predecessor-version":[{"id":750,"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/748\/revisions\/750"}],"wp:attachment":[{"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=748"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
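Worked example for layers 2 to 4 of the blueprint above (ALB security group, WAF attachment and Ingress annotations). This is an added example, not code from the post or from the AWS Load Balancer Controller project: it lints the controller's real annotation names on an Ingress manifest, but the trusted CIDR range, the approved TLS policies and both sample manifests (including the Web ACL ARN) are constructed for the demo.

```python
"""Lint AWS Load Balancer Controller annotations on an Ingress for the edge controls in layers 2-4."""
from __future__ import annotations

import ipaddress

PREFIX = "alb.ingress.kubernetes.io/"

# Assumed organisational baseline (constructed): the CIDR is the TEST-NET-3 documentation range.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
GOOD_TLS_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06"}


def _ann(ingress: dict, key: str) -> str | None:
    return (ingress.get("metadata", {}).get("annotations") or {}).get(PREFIX + key)


def lint_ingress(ingress: dict) -> list[str]:
    """Return findings for one Ingress; an empty list means every edge check passed."""
    findings: list[str] = []
    name = ingress.get("metadata", {}).get("name", "<unnamed>")

    scheme = _ann(ingress, "scheme") or "internal"  # the controller defaults to an internal ALB
    if scheme == "internet-facing":
        # Layer 2: when inbound-cidrs is unset the controller opens the ALB SG to 0.0.0.0/0 and ::/0.
        cidrs = _ann(ingress, "inbound-cidrs")
        if cidrs is None:
            findings.append(f"{name}: internet-facing with no inbound-cidrs (defaults to 0.0.0.0/0)")
        else:
            for c in (x.strip() for x in cidrs.split(",")):
                net = ipaddress.ip_network(c, strict=False)
                trusted = any(net.subnet_of(t) for t in TRUSTED_CIDRS if t.version == net.version)
                if net.prefixlen == 0 or not trusted:
                    findings.append(f"{name}: inbound-cidrs entry {c} is outside the trusted ranges")
        # Layer 3: every public ALB should carry a regional WAFv2 Web ACL.
        if not _ann(ingress, "wafv2-acl-arn"):
            findings.append(f"{name}: no wafv2-acl-arn attached")

    # Layer 4: HTTPS listener, HTTP redirected, a current TLS policy, access logs on.
    listen_ports = _ann(ingress, "listen-ports") or '[{"HTTP": 80}]'  # controller default without a certificate
    if '"HTTPS"' not in listen_ports:
        findings.append(f"{name}: no HTTPS listener in listen-ports")
    if '"HTTP"' in listen_ports and _ann(ingress, "ssl-redirect") != "443":
        findings.append(f"{name}: HTTP listener present without ssl-redirect to 443")
    policy = _ann(ingress, "ssl-policy")
    if policy not in GOOD_TLS_POLICIES:
        findings.append(f"{name}: ssl-policy {policy!r} is not an approved TLS 1.2+/1.3 policy")
    attrs = (_ann(ingress, "load-balancer-attributes") or "").replace(" ", "")
    if "access_logs.s3.enabled=true" not in attrs:
        findings.append(f"{name}: access logging not enabled")
    return findings


# Constructed manifests: the first is a typical "it works" Ingress, the second is the hardened form.
WEAK_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "shop-weak", "annotations": {PREFIX + "scheme": "internet-facing"}},
}
HARDENED_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "shop", "annotations": {
        PREFIX + "scheme": "internet-facing",
        PREFIX + "inbound-cidrs": "203.0.113.0/25, 203.0.113.128/25",
        PREFIX + "wafv2-acl-arn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/shop-acl/a1b2c3d4-EXAMPLE",
        PREFIX + "listen-ports": '[{"HTTP": 80}, {"HTTPS": 443}]',
        PREFIX + "ssl-redirect": "443",
        PREFIX + "ssl-policy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
        PREFIX + "load-balancer-attributes": "access_logs.s3.enabled=true,access_logs.s3.bucket=shop-alb-logs",
    }},
}

if __name__ == "__main__":
    for ing in (WEAK_INGRESS, HARDENED_INGRESS):
        print(ing["metadata"]["name"], "->", lint_ingress(ing) or "OK")
```

Run it as a pre-merge check over rendered manifests, or wrap the same checks in a Kyverno or Gatekeeper policy (layer 12) so the cluster rejects an Ingress that would reopen the edge.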
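Worked example for layer 5 (NetworkPolicies). This is an added example, not code from the post or from any CNI: it is a small offline evaluator of NetworkPolicy semantics (matchLabels selectors, `ipBlock`, ports, the additive allow-only model, and the rule that both the sender's egress and the receiver's ingress must allow a flow) run against the exact policy set the layer describes. The namespace and pod labels, pod IPs, the ALB subnet 10.0.1.0/24 and the external address are constructed.

```python
"""Offline evaluator for the layer-5 NetworkPolicy set (simplified: matchLabels only, no matchExpressions)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict = field(default_factory=dict)


# Constructed namespace labels; kubernetes.io/metadata.name is set by the API server on 1.21+.
NAMESPACES = {"kube-system": {"kubernetes.io/metadata.name": "kube-system"},
              "shop": {"kubernetes.io/metadata.name": "shop"}}


def _selects(selector: dict | None, labels: dict) -> bool:
    """matchLabels semantics: None selects nothing, {} selects everything."""
    return selector is not None and all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer: dict, policy_ns: str, other: Pod | None, other_ip: str) -> bool:
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(other_ip), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if other is None:  # a non-pod address can only match an ipBlock peer
        return False
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is None:  # a bare podSelector is scoped to the policy's own namespace
        return other.namespace == policy_ns and _selects(pod_sel, other.labels)
    return _selects(ns_sel, NAMESPACES.get(other.namespace, {})) and (pod_sel is None or _selects(pod_sel, other.labels))


def _ports_match(rule: dict, protocol: str, port: int) -> bool:
    ports = rule.get("ports")
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def _policy_types(spec: dict) -> list:
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def _direction_allowed(policies, subject: Pod, direction: str, other, other_ip, protocol, port) -> bool:
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies if p["metadata"]["namespace"] == subject.namespace
                 and direction in _policy_types(p["spec"]) and _selects(p["spec"].get("podSelector", {}), subject.labels)]
    if not selecting:  # a pod that no policy selects is non-isolated: everything is allowed
        return True
    for pol in selecting:  # policies are additive allow lists; there is no deny rule
        for rule in pol["spec"].get(rules_key) or []:
            peers = rule.get(peers_key)
            if (not peers or any(_peer_matches(pe, subject.namespace, other, other_ip) for pe in peers)) \
                    and _ports_match(rule, protocol, port):
                return True
    return False


def connection_allowed(policies, src, dst, protocol="TCP", port=0) -> bool:
    """src/dst are Pods or bare IP strings; the sender's egress AND the receiver's ingress must both allow."""
    src_pod, dst_pod = (src if isinstance(src, Pod) else None), (dst if isinstance(dst, Pod) else None)
    src_ip, dst_ip = (src.ip if src_pod else src), (dst.ip if dst_pod else dst)
    egress_ok = src_pod is None or _direction_allowed(policies, src_pod, "Egress", dst_pod, dst_ip, protocol, port)
    ingress_ok = dst_pod is None or _direction_allowed(policies, dst_pod, "Ingress", src_pod, src_ip, protocol, port)
    return egress_ok and ingress_ok


def _np(name, ns, pod_selector, **spec):
    return {"kind": "NetworkPolicy", "metadata": {"name": name, "namespace": ns}, "spec": {"podSelector": pod_selector, **spec}}


KUBE_DNS = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}
WEB_SEL, DB_SEL = {"matchLabels": {"app": "web"}}, {"matchLabels": {"app": "db"}}
SHOP_POLICIES = [  # the layer-5 recipe: default deny both ways, then narrow allows
    _np("default-deny", "shop", {}, policyTypes=["Ingress", "Egress"]),
    _np("allow-dns", "shop", {}, policyTypes=["Egress"],
        egress=[{"to": [KUBE_DNS], "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]),
    # VPC CNI pods have VPC IPs, so an ipBlock of the whole VPC CIDR would admit every pod; allow only the ALB subnet.
    _np("alb-to-web", "shop", WEB_SEL, policyTypes=["Ingress"],
        ingress=[{"from": [{"ipBlock": {"cidr": "10.0.1.0/24"}}], "ports": [{"port": 8080}]}]),
    _np("web-to-db", "shop", DB_SEL, policyTypes=["Ingress"],
        ingress=[{"from": [{"podSelector": WEB_SEL}], "ports": [{"port": 5432}]}]),
    _np("web-egress-db", "shop", WEB_SEL, policyTypes=["Egress"],
        egress=[{"to": [{"podSelector": DB_SEL}], "ports": [{"port": 5432}]}]),
]
WEB = Pod("web-0", "shop", "10.0.2.10", {"app": "web"})
DB = Pod("db-0", "shop", "10.0.2.20", {"app": "db"})
DNS = Pod("coredns-0", "kube-system", "10.0.3.5", {"k8s-app": "kube-dns"})

if __name__ == "__main__":
    for label, ok in [("web -> db:5432", connection_allowed(SHOP_POLICIES, WEB, DB, "TCP", 5432)),
                      ("web -> kube-dns:53/udp", connection_allowed(SHOP_POLICIES, WEB, DNS, "UDP", 53)),
                      ("alb 10.0.1.50 -> web:8080", connection_allowed(SHOP_POLICIES, "10.0.1.50", WEB, "TCP", 8080)),
                      ("db -> web:8080", connection_allowed(SHOP_POLICIES, DB, WEB, "TCP", 8080)),
                      ("web -> 198.51.100.7:443", connection_allowed(SHOP_POLICIES, WEB, "198.51.100.7", "TCP", 443))]:
        print(f"{label:28} {'ALLOW' if ok else 'DENY'}")
```

Two failure modes worth reproducing with the evaluator: drop the `allow-dns` policy and the web pod can no longer resolve anything, and drop `web-egress-db` and the web to db flow is denied even though the db side still allows it, because the sender's egress is checked independently.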
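Worked example for layer 6 (RBAC) and its last step, auditing bindings. This is an added example, not code from the post or from Kubernetes: it reviews Role/ClusterRole and binding objects (as `kubectl get ... -o json` would return them) for cluster-admin grants outside a break-glass group, wildcard rules, escalation-prone verbs, and bindings to broad subjects. The break-glass group name, the risky-rule list and all sample objects are constructed assumptions.

```python
"""Audit Kubernetes RBAC objects for the layer-6 anti-patterns."""
from __future__ import annotations

# Assumed: the only identity allowed to hold cluster-admin (constructed group name).
BREAK_GLASS = {("Group", "eks-break-glass")}
# Permissions that let a holder read credentials or escalate; apiGroup, resource, verb.
RISKY_RULES = {("", "secrets", "get"), ("", "secrets", "list"), ("", "pods/exec", "create"), ("", "pods", "create"),
               ("rbac.authorization.k8s.io", "rolebindings", "create"),
               ("rbac.authorization.k8s.io", "clusterrolebindings", "create")}
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated"}
CLUSTER_ADMIN = {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}  # built-in role


def _triples(role: dict) -> set[tuple[str, str, str]]:
    return {(g, r, v) for rule in role.get("rules", []) for g in rule.get("apiGroups", [""])
            for r in rule.get("resources", []) for v in rule.get("verbs", [])}


def audit_rbac(roles: list[dict], bindings: list[dict]) -> list[str]:
    by_key = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    by_key.setdefault(("ClusterRole", None, "cluster-admin"), CLUSTER_ADMIN)
    findings: list[str] = []
    for b in bindings:
        ref, bname = b["roleRef"], f'{b["kind"]}/{b["metadata"]["name"]}'
        subjects = [(s["kind"], s["name"]) for s in b.get("subjects", [])]
        for kind, name in subjects:
            if name in BROAD_SUBJECTS or (kind == "ServiceAccount" and name == "default"):
                findings.append(f"{bname}: binds broad subject {kind}/{name}")
        grants_cluster_admin = ref["name"] == "cluster-admin" and b["kind"] == "ClusterRoleBinding"
        if grants_cluster_admin:
            for kind, name in subjects:
                if (kind, name) not in BREAK_GLASS:
                    findings.append(f"{bname}: cluster-admin granted to {kind}/{name} outside break-glass")
        # A RoleBinding may reference a Role in its own namespace or any ClusterRole.
        ns = b["metadata"].get("namespace") if ref["kind"] == "Role" else None
        role = by_key.get((ref["kind"], ns, ref["name"]))
        if role is None:
            continue
        triples = _triples(role)
        if not grants_cluster_admin and any(r == "*" or v == "*" for _, r, v in triples):
            findings.append(f"{bname}: role {ref['name']} uses wildcard resources or verbs")
        hits = sorted(f"{r}:{v}" for _, r, v in triples & RISKY_RULES)
        if hits:
            findings.append(f"{bname}: role {ref['name']} grants escalation-prone {hits}")
    return findings


def _role(kind, name, rules, namespace=None):
    return {"kind": kind, "metadata": {"name": name, **({"namespace": namespace} if namespace else {})}, "rules": rules}


def _binding(kind, name, role_kind, role_name, subjects, namespace=None):
    return {"kind": kind, "metadata": {"name": name, **({"namespace": namespace} if namespace else {})},
            "roleRef": {"kind": role_kind, "name": role_name}, "subjects": subjects}


# Constructed sample cluster state.
ROLES = [
    _role("Role", "web-reader", [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}], "shop"),
    _role("Role", "debug", [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
                            {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}], "shop"),
    _role("ClusterRole", "ops-all", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
]
BINDINGS = [
    _binding("RoleBinding", "web-reader", "Role", "web-reader", [{"kind": "ServiceAccount", "name": "web", "namespace": "shop"}], "shop"),
    _binding("RoleBinding", "debug", "Role", "debug", [{"kind": "ServiceAccount", "name": "default", "namespace": "shop"}], "shop"),
    _binding("ClusterRoleBinding", "ops", "ClusterRole", "ops-all", [{"kind": "User", "name": "alice"}]),
    _binding("ClusterRoleBinding", "break-glass", "ClusterRole", "cluster-admin", [{"kind": "Group", "name": "eks-break-glass"}]),
    _binding("ClusterRoleBinding", "legacy-admin", "ClusterRole", "cluster-admin", [{"kind": "User", "name": "bob"}]),
]

if __name__ == "__main__":
    for f in audit_rbac(ROLES, BINDINGS):
        print(f)
```

Feed it the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` in CI and fail the pipeline on any finding that is not on an approved exception list.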
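Worked example for layer 8 (IRSA). This is an added example, not code from the post or from AWS: it models the part of `sts:AssumeRoleWithWebIdentity` evaluation that matters for IRSA, namely that the token issuer must match the federated principal and every `StringEquals`/`StringLike` condition on the `sub` and `aud` claims must hold, and shows why a trust policy with a wildcard or missing `sub` condition is assumable by any ServiceAccount. The OIDC provider ID, account number, namespace and ServiceAccount names are constructed placeholders; the tokens are unsigned claim sets, not real JWTs.

```python
"""Evaluate IRSA trust policies against the claims of a projected ServiceAccount token (simplified IAM model)."""
from __future__ import annotations

import fnmatch

# Constructed placeholders in the style of the AWS documentation.
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_PROVIDER}"


def trust_policy(conditions: dict) -> dict:
    """IRSA trust policy skeleton; only the Condition block differs between the variants below."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
                                                    "Action": "sts:AssumeRoleWithWebIdentity", "Condition": conditions}]}


def _condition_holds(operator: str, expected, actual) -> bool:
    expected = expected if isinstance(expected, list) else [expected]
    if actual is None:  # a condition on a claim the token lacks never matches
        return False
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":  # * and ? wildcards, case-sensitive
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    raise ValueError(f"operator {operator} not modelled")


def can_assume(policy: dict, claims: dict) -> bool:
    """True if some Allow statement's federated provider matches the token issuer and all conditions hold."""
    issuer = claims.get("iss", "").removeprefix("https://")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if not stmt.get("Principal", {}).get("Federated", "").endswith("/" + issuer):
            continue  # token minted by another cluster's provider
        ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim = key.split(":", 1)[1]  # "<provider>:sub" -> "sub"
                ok = ok and _condition_holds(operator, expected, claims.get(claim))
        if ok:
            return True
    return False


def audit_trust_policy(policy: dict) -> list[str]:
    """Static review: every statement must pin both the ServiceAccount (sub) and the audience (aud)."""
    findings = []
    for stmt in policy["Statement"]:
        pairs = [(k, v) for op in stmt.get("Condition", {}).values() for k, v in op.items()]
        subs = [v for k, v in pairs if k.endswith(":sub")]
        auds = [v for k, v in pairs if k.endswith(":aud")]
        if not subs:
            findings.append("no :sub condition: any ServiceAccount in the cluster can assume the role")
        elif any("*" in str(v) for v in subs):
            findings.append("wildcard in :sub: role assumable by more than one ServiceAccount")
        if not auds:
            findings.append("no :aud condition: tokens minted for other audiences are accepted")
    return findings


PINNED = trust_policy({"StringEquals": {f"{OIDC_PROVIDER}:sub": "system:serviceaccount:shop:web",
                                        f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"}})
# Common mistake: a wildcard on the ServiceAccount name makes the role assumable by every SA in the cluster.
WILDCARD = trust_policy({"StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
                         "StringLike": {f"{OIDC_PROVIDER}:sub": "system:serviceaccount:*"}})
# Worse: no sub condition at all.
NO_SUB = trust_policy({"StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"}})


def token(namespace: str, sa: str, aud: str = "sts.amazonaws.com") -> dict:
    """Claims carried by the projected token the EKS pod identity webhook mounts (constructed, unsigned)."""
    return {"iss": f"https://{OIDC_PROVIDER}", "sub": f"system:serviceaccount:{namespace}:{sa}", "aud": aud}


WEB, ATTACKER = token("shop", "web"), token("default", "default")

if __name__ == "__main__":
    for name, pol in (("pinned", PINNED), ("wildcard", WILDCARD), ("no-sub", NO_SUB)):
        print(f"{name:9} shop/web={can_assume(pol, WEB)} default/default={can_assume(pol, ATTACKER)} "
              f"audit={audit_trust_policy(pol) or 'clean'}")
```

The audit function is the check to run over every IRSA role's trust policy in an account; the evaluator is there to make the consequence concrete: with `WILDCARD` or `NO_SUB`, a pod running under the `default` ServiceAccount of any namespace obtains the role's credentials.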
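Worked example for layer 10 (Pod Security Admission). This is an added example, not code from the post or from the Kubernetes pod-security admission plugin: it applies the checks of the `restricted` profile that the layer lists (host namespaces, hostPath and other volume types, privileged, privilege escalation, capabilities, non-root, seccomp, hostPort) to a pod spec, so a team can see why a manifest would be rejected before labelling the namespace `enforce=restricted`. Both pod manifests are constructed; the weak one is the typical "works on my cluster" spec.

```python
"""Check a Pod spec against the Pod Security Standards 'restricted' profile (pod- and container-level fields)."""
from __future__ import annotations

ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def check_restricted(pod: dict) -> list[str]:
    """Return the restricted-profile violations; an empty list means PSA would admit the pod."""
    spec = pod["spec"]
    psc = spec.get("securityContext") or {}
    findings: list[str] = []
    for host_ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_ns):
            findings.append(f"spec.{host_ns} must be false")
    for vol in spec.get("volumes") or []:
        for vol_type in (k for k in vol if k != "name"):
            if vol_type not in ALLOWED_VOLUME_TYPES:
                findings.append(f"volume {vol['name']}: type {vol_type} is not allowed")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or []) + (spec.get("ephemeralContainers") or [])
    for c in containers:
        n, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{n}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:  # must be set explicitly to false
            findings.append(f"{n}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{n}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            findings.append(f"{n}: capabilities.add {sorted(extra)} not allowed")
        # Pod-level values apply to a container unless the container overrides them.
        if sc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            findings.append(f"{n}: runAsNonRoot must be true")
        if sc.get("runAsUser", psc.get("runAsUser")) == 0:
            findings.append(f"{n}: runAsUser 0 (root) is not allowed")
        seccomp = (sc.get("seccompProfile") or psc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            findings.append(f"{n}: seccompProfile.type must be RuntimeDefault or Localhost")
        if any(p.get("hostPort") for p in c.get("ports") or []):
            findings.append(f"{n}: hostPort is not allowed")
    return findings


# Constructed manifests: the usual unhardened spec, and the same workload written to pass 'restricted'.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-weak", "namespace": "prod"},
            "spec": {"hostNetwork": True,
                     "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
                     "containers": [{"name": "web", "image": "nginx:1.27",
                                     "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
                                     "ports": [{"containerPort": 80, "hostPort": 80}]}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web", "namespace": "prod"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "volumes": [{"name": "tmp", "emptyDir": {}}],
                         "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged:1.27",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
                                         "ports": [{"containerPort": 8080}]}]}}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", check_restricted(pod) or "admitted by restricted")
```

Running the check in CI mirrors what the `warn` and `audit` PSA labels report, which is the point of adding those labels before `enforce`: the eight findings on the weak pod are exactly the lines a developer would otherwise first see as an admission error.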