AWS lets EKS route control plane egress through customer VPCs

AWS’s new Amazon Elastic Kubernetes Service control plane egress option is the kind of compliance feature that matters because it is boring. Customer-routed control plane egress lets outbound Kubernetes API server traffic, including admission webhook callbacks, OpenID Connect provider lookups, and aggregate API server requests, flow through the customer’s Amazon VPC. That gives the customer control over routing, security groups, and the egress path.

For federal contractors and regulated cloud teams, the point is not that AWS made EKS newly compliant. AWS made a specific network path customer-governable. Organizations with data-perimeter requirements, compliance mandates, or private network infrastructure can use the feature to reach private OIDC providers and webhook servers that are available only inside the VPC. That is useful evidence for an architecture review, but the policy, logging, exception handling, and assessor narrative still belong to the customer.

The Monday work is narrow: decide which clusters need the mode, set controlPlaneEgressMode to CUSTOMER_ROUTED on new or existing clusters, and use the eks:controlPlaneEgressMode IAM condition key in AWS Organizations Service Control Policies if the requirement should be enforced across accounts. That is a real control surface. It is not a substitute for proving what the traffic can reach after AWS hands you the steering wheel.