Skip to main content
Phase out notice

Nebari is evolving. The original Nebari project is now called Nebari Classic, and is in maintenance mode.

We'll continue to provide security updates and key bug fixes; however, no new features are planned at this time. We're using the lessons learned from Nebari Classic to build a new Nebari ecosystem of tools, on a more robust foundation with a modular architecture. Nebari Classic's maintenance window will remain open until the new architecture reaches stability and feature parity, and current users are able to migrate, expected through the end of 2026.

See the current Nebari documentation for details on the new platform.

enhanced-security

Nebari Security Considerations

The security of AWS Nebari deployments can be enhanced through the following deployment configuration options in nebari-config.yaml:

  • Explicit definition of container sources
    This option allows for the use of locally mirrored, security-hardened, or otherwise customized container images in place of the containers used by default. See: container-sources

  • Installation of custom SSL certificate(s) into EKS hosts
    Install private certificates used by (e.g.) in-line content inspection engines which re-encrypt traffic.

# Add client certificate to CA trust on node
amazon_web_services:
  node_groups:
    general:
      instance: m5.2xlarge
      launch_template:
        pre_bootstrap_command: |
            #!/bin/bash
            cat <<-EOT >> /etc/pki/ca-trust/source/anchors/client.pem
            -----BEGIN CERTIFICATE-----
            XzxzxzxzxxzxzxzxzxzxzxzxxzxzxzxzxzxzxzxxzxzxzxzxzxzxzxzxzxxzxzZx
            ZxyzxzxzxxzxzxzxzxzxzxzxxzxzxzxzxzxzxzxxzxzxzxzxzxzxzxzxzxxzxzXz
            -----END CERTIFICATE-----
            EOT
            sudo update-ca-trust extract
  • Private EKS endpoint configuration
    Mirrors the corresponding AWS console option, which routes all EKS traffic within the VPC.
  amazon_web_services:
    eks_endpoint_access: private # valid values: [public, private, public_and_private]
  • Deploy into existing subnets
    Instructs Nebari to be deployed into existing subnets, rather than creating its own new subnets. An advantage of deploying to existing subnets is the ability to use private subnets. Note that the ingress load-balancer-annotation must be set appropriately based on the type (private or public) of subnet.
existing_subnet_ids:
    - subnet-0123456789abcdef
    - subnet-abcdef0123456789
  existing_security_group_id: sg-0123456789abcdef
ingress:
  terraform_overrides:
    load-balancer-annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      # Ensure the subnet IDs are also set below
      service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-0123456789abcdef,subnet-abcdef0123456789"
  • Use existing SSL certificate
    Instructs Nebari to use the SSL certificate specified by [k8s-custom-secret-name]
certificate:
  type: existing
  secret_name: [k8s-custom-secret-name]