Porter exposes advanced cluster configuration options for customers with specific compliance, security, or networking requirements. These settings are available on the Advanced tab of your cluster settings for AWS and GCP clusters.
Networking
Private cluster
When Private cluster is enabled, Porter provisions the EKS cluster with both public and private API server endpoint access, and restricts the public endpoint to an IP allowlist containing Porter’s control-plane IPs plus any customer CIDRs you add. This configuration is SOC2 / HIPAA compliant.

| Setting | Description |
|---|---|
| Private cluster | Restricts the EKS API server’s public endpoint to an IP allowlist (Porter’s IPs plus any customer-supplied CIDRs). The private endpoint inside your VPC remains reachable from VPC-attached resources. |
| CIDR allowlist | Additional CIDR ranges (beyond Porter’s required IPs) that may reach the public endpoint. |

Porter intentionally does not enable EKS “private-only” endpoint mode. Private-only forces every control-plane call — including Porter’s — through a VPN or VPC-peered path, which adds operational complexity and has historically caused outages for customers. Public + private with a tight IP allowlist meets the same compliance requirements and is significantly more reliable.

The Tailscale integration is a separate layer that carries traffic for `porter kubectl` and `porter helm` commands; it does not control how the EKS API server endpoint itself is exposed.

Load balancer
Configure the type of load balancer used for your cluster’s ingress. Changing this setting causes downtime while the load balancer is recreated.

| Type | Description |
|---|---|
| NLB | Network Load Balancer — operates at Layer 4, routes TCP/UDP traffic, and provides ultra-low latency and high throughput. |
| ALB | Application Load Balancer — operates at Layer 7, routes HTTP/HTTPS traffic, and supports wildcard domains, ACM certificates, and WAFv2. |

When ALB is selected, the following additional settings become available. See Custom domains with ALB for end-to-end setup instructions.

| Setting | Description |
|---|---|
| Wildcard domains | Domains to issue ACM certificates for. Do not include the `*.` prefix — Porter creates a SAN for `*.<domain>` automatically. Comma-separate multiple domains. |
| IP allow list | Comma-separated list of CIDR ranges (e.g. `160.72.72.58/32,160.72.72.59/32`) permitted to reach the ALB. |
| Certificate ARNs | Existing ACM certificate ARNs to attach to the ALB. |
| AWS tags | Key/value tags applied to the ALB and related AWS resources. |
| WAFv2 enabled | Attaches a Regional WAFv2 web ACL to the ALB. |
| WAFv2 ARN | ARN of the Regional WAFv2 web ACL to attach. Only Regional WAFv2 is supported. |
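The two comma-separated ALB fields above (IP allow list and Wildcard domains) are easy to get wrong in ways that silently widen exposure. The following is an added example, not Porter's own validation code: it parses both fields the way the table describes them, rejects host-bit CIDRs, over-broad ranges and `*.`-prefixed domains, and derives the `*.<domain>` SAN names. The `max_hosts` limit is an assumption for this example.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_ip_allow_list(value, max_hosts=256):
    """Parse '160.72.72.58/32,160.72.72.59/32' into networks.
    Returns (networks, errors); max_hosts is an assumed sanity limit so an
    accidental 0.0.0.0/0 is rejected instead of exposing the ALB to everyone."""
    nets, errors = [], []
    for item in filter(None, (s.strip() for s in value.split(","))):
        try:
            net = ipaddress.ip_network(item, strict=True)  # host bits must be zero
        except ValueError:
            errors.append(f"{item}: not a valid CIDR")
            continue
        if net.num_addresses > max_hosts:
            errors.append(f"{item}: allows {net.num_addresses} addresses, too broad")
            continue
        nets.append(net)
    return nets, errors

def parse_wildcard_domains(value):
    """Return (san_names, errors): the '*.<domain>' SANs Porter will request.
    Entries must be bare domains, without the '*.' prefix."""
    sans, errors = [], []
    for domain in filter(None, (s.strip().lower() for s in value.split(","))):
        if domain.startswith("*."):
            errors.append(f"{domain}: omit the '*.' prefix")
            continue
        labels = domain.rstrip(".").split(".")
        if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
            errors.append(f"{domain}: not a valid domain name")
            continue
        sans.append(f"*.{domain}")
    return sans, errors

def is_allowed(client_ip, nets):
    """True if client_ip falls inside any allow-listed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)
```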
Observability
CloudWatch control plane logs
Configure which EKS cluster control plane log types are sent to AWS CloudWatch. These logs help with debugging, auditing, and monitoring your cluster’s control plane components.

| Log Type | Description |
|---|---|
| API Server logs | Logs from the Kubernetes API server, useful for debugging API requests |
| Audit logs | Records of individual users, administrators, or system components that have affected the cluster |
| Authenticator logs | Logs from the AWS IAM authenticator, useful for debugging authentication issues |
| Controller manager logs | Logs from the controller manager, which manages core control loops |
| Scheduler logs | Logs from the scheduler, useful for debugging pod scheduling decisions |
CloudWatch Observability agent
You may also enable the CloudWatch Observability agent as an EKS add-on for enhanced cluster monitoring.

| Setting | Description |
|---|---|
| AWS CloudWatch Observability agent installed on cluster | Enables the CloudWatch Observability add-on for metrics and logs collection |
Security
ECR scanning
Enable Amazon ECR image scanning to automatically scan container images for software vulnerabilities.

| Setting | Description |
|---|---|
| ECR scanning enabled | When enabled, images pushed to ECR are automatically scanned for vulnerabilities |
AWS GuardDuty
AWS GuardDuty provides intelligent threat detection for your EKS cluster, monitoring for malicious activity and unauthorized behavior.

When enabling GuardDuty, you must also configure the following in your AWS Console:

- Enable EKS Protection in the EKS Protection tab of the GuardDuty console
- Enable Runtime Monitoring

For automated agent configuration, enable both:

- EKS agent auto-configuration
- EC2 agent auto-configuration

| Setting | Description |
|---|---|
| AWS GuardDuty agent installed on cluster | Installs the GuardDuty security agent on your cluster nodes |
KMS encryption
Enable AWS Key Management Service (KMS) encryption for Kubernetes secrets stored in etcd.

| Setting | Description |
|---|---|
| KMS encryption enabled | Encrypts Kubernetes secrets at rest using a customer-managed KMS key |
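The Private cluster, CloudWatch control plane logs and KMS encryption settings above all surface in the `cluster` object returned by `aws eks describe-cluster`, so one check can confirm a cluster actually ended up in the intended state. This is an added example, not Porter's own tooling: the sample response is constructed, and the `/24` allowlist threshold and `REQUIRED_LOGS` set are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample shaped like the "cluster" object from `aws eks describe-cluster`.
SAMPLE_CLUSTER = {
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.7/32", "0.0.0.0/0"],  # made-up CIDRs
    },
    "logging": {"clusterLogging": [
        {"types": ["api", "authenticator"], "enabled": True},
        {"types": ["audit", "controllerManager", "scheduler"], "enabled": False},
    ]},
    "encryptionConfig": [],
}

# Log types this example insists on (an assumption, not a Porter default).
REQUIRED_LOGS = {"api", "audit", "authenticator"}

def check_endpoint(cluster):
    """Findings about API server endpoint exposure; an empty list means OK."""
    vpc = cluster["resourcesVpcConfig"]
    findings = []
    if not (vpc.get("endpointPublicAccess") and vpc.get("endpointPrivateAccess")):
        findings.append("expected both public and private endpoint access")
    for cidr in vpc.get("publicAccessCidrs", []):
        # Anything wider than a /24 is not a tight allowlist (assumed threshold).
        if ipaddress.ip_network(cidr, strict=False).prefixlen < 24:
            findings.append(f"public endpoint reachable from {cidr}")
    return findings

def enabled_log_types(cluster):
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled

def check_logging(cluster):
    missing = sorted(REQUIRED_LOGS - enabled_log_types(cluster))
    return [f"control-plane log type not sent to CloudWatch: {t}" for t in missing]

def check_secrets_encryption(cluster):
    # OK only when an encryptionConfig entry covers "secrets" with a KMS keyArn.
    for cfg in cluster.get("encryptionConfig", []):
        if "secrets" in cfg.get("resources", []) and cfg.get("provider", {}).get("keyArn"):
            return []
    return ["Kubernetes secrets are not encrypted with a KMS key"]

def audit(cluster):
    return check_endpoint(cluster) + check_logging(cluster) + check_secrets_encryption(cluster)
```

Feed it the JSON from `aws eks describe-cluster --name <cluster> --query cluster` to review a live cluster.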
Advanced Networking Config

These advanced network settings apply to GKE clusters on GCP. Modifying them can impact cluster connectivity and performance, so make sure you understand the implications before making changes.

| Setting | Description | Default |
|---|---|---|
| Egress NAT IPs Count | Number of egress NAT IPs. Cannot be decreased once set. | 1 |
| Min Ports per VM | Configures the minimum number of ports allocated per VM for GKE | 64 |
| Enable Endpoint Independent Mapping | Recommended for most use cases. Affects Cloud NAT behavior. | Enabled |
| Enable Dynamic Port Allocation | Allows GKE to dynamically allocate more ports to VMs that need them | Disabled |
Observability Settings
Configure observability features for the GKE cluster control plane.

| Setting | Description |
|---|---|
| Enable Control Plane Logging | Enable the collection of logs from the Kubernetes control plane components (e.g., API server, scheduler) |
| Enable Control Plane Metrics | Enable the collection of metrics from the Kubernetes control plane components |