GitHub Actions accessing private-only EKS clusters

[dukarc]

Hi Folks,

We're running into an issue with our CI/CD pipelines. Our EKS clusters are configured with endpointPublicAccess: false and endpointPrivateAccess: true for security reasons, but this is causing our GitHub Actions workflows to fail with connection timeout errors when they try to interact with the cluster.

We're using self-hosted GitHub Actions runners with the runs-on service deployed in a private subnet. While we have Transit Gateway set up to connect our VPCs, the runners still can't reliably connect to the EKS API server. Manual operations work fine when connecting from our Geodesic shell, but automated pipelines consistently fail with "connection refused" or "i/o timeout" errors.

What's the recommended approach to address this? Should we implement a better networking solution between runners and cluster VPCs, or is there another approach that maintains security while enabling CI/CD access?

Happy to read any documentation if you have it :)

[milldr]

This is a common issue, but there isnt one solution. Please review these FAQs. In particular, I would recommend checking these 2 common issues:

1. Check the security group for EKS cluster. Does it allow the VPC of where the runs-on runners are deployed?
2. Check network connectivity. Can the VPC of the runs-on runners reach the VPC of the EKS cluster across accounts? How about reverse?