Skip to content

AWS CloudFormation Account Controls

Use this guide when the customer account owner adjusts CloudFormation controls in the customer-owned CloudFormation onboarding stack, AccountConfigSetup, to set:

  • K8sDebugAccessEnabled, which controls whether dataplane agent pods in BYOC PrivateLink accounts can reach the Manager Kubernetes API proxy port used for Kubernetes debug access to the customer Kubernetes API.
  • AgentInfrastructureMutationEnabled, which controls whether the dataplane agent can make AWS infrastructure changes through the account-config roles.

The update runs in the AWS account that owns the stack and is visible in AWS CloudFormation history.

Parameters

Parameter Value Result
K8sDebugAccessEnabled true BYOC PrivateLink accounts only. Removes the block-k8s-api-proxy NetworkPolicy from the dataplane-agent namespace, allowing dataplane-agent egress to the manager Kubernetes API proxy port.
K8sDebugAccessEnabled false BYOC PrivateLink accounts only. Applies the block-k8s-api-proxy NetworkPolicy in the dataplane-agent namespace to block dataplane-agent egress to the manager Kubernetes API proxy port.
AgentInfrastructureMutationEnabled true Allows the dataplane agent to create, update, and delete AWS infrastructure when required for provisioning, updates, deletes, and reconciliation.
AgentInfrastructureMutationEnabled false Disables dataplane agent AWS infrastructure mutation by applying an explicit deny for non-read AWS actions while preserving read-only inspection.

K8sDebugAccessRegions is optional and only applies to BYOC PrivateLink debug-access reconciliation. Use it only when you need to limit reconciliation to specific AWS regions or region:host-cluster-id targets, for example us-west-2:hc-xxxx,us-east-1. Leave it blank to scan all enabled regions.

Generated account onboarding URLs set the account-type and topology parameters, and include K8sDebugAccessLambdaCodeS3Bucket and K8sDebugAccessLambdaCodeS3Key when BYOC PrivateLink debug-access reconciliation is available. Keep those generated parameters unchanged.

Update the Stack

  1. Open the generated AWS CloudFormation update URL or command for the target AWS account.
  2. Keep generated parameters unchanged, including OIDC values, service account values, Lambda artifact values, ProvisionAccountConfig=true, and generated account-type or topology values such as IsBYOAAccount and IsBYOCPrivateAccount.
  3. Change K8sDebugAccessEnabled, AgentInfrastructureMutationEnabled, or both.
  4. Submit the stack update and wait for UPDATE_COMPLETE.

Verify the State

After CloudFormation reaches UPDATE_COMPLETE, verify the stack parameters in the AWS CloudFormation console.

The Kubernetes debug-access reconciliation runs asynchronously after the stack update is queued. Allow that reconciliation to finish before checking the Kubernetes NetworkPolicy; UPDATE_COMPLETE does not by itself guarantee that the policy has already been applied or removed.

For K8sDebugAccessEnabled, the blocked state corresponds to the block-k8s-api-proxy NetworkPolicy being present in the dataplane-agent namespace. The unblocked state corresponds to that policy being absent.

For dataplane agent infrastructure mutation, verify that AgentInfrastructureMutationEnabled matches the intended value.