How does kubectl interact with EKS?

Let me start this by saying I am a complete newbie, and I’m trying to wrap my head around some Kubernetes concepts.

I created an EKS cluster whose worker nodes are all inside a private subnet, and then I configured kubectl to see and use it on my local computer. My computer is not connected to a VPN or any other means of accessing a private subnet directly.

I made a three-pod deployment of a trivial “hello world” type application that listens on port 8080. (Specifically, I ran luksa/kubia, the example used throughout Kubernetes in Action.) I did not set up any kind of ingress that would allow communication with the public internet.

As an experiment, I then ran the following:

kubectl exec kubia-deployment-c97c5cbcd-pntx4 -- curl -s http://10.2.36.193:8080

Here, kubia-deployment-c97c5cbcd-pntx4 was one of the pods in my deployment, and 10.2.36.193 was the internal IP of a different pod.

To my surprise, I got a response:

This is v1 running in pod kubia-deployment-c97c5cbcd-66qzl

This implies that kubectl, once configured to work with an EKS cluster, is also able to access worker nodes even if they are inside an inaccessible private network. What is the path by which my exec command gets to the pod, and how do I get the response back? Basically, what happened here?

My manifest file:

apiVersion: apps/v1
kind: Deployment
metadata:
    name: kubia-deployment
    labels:
        app: kubia
spec:
    replicas: 3
    selector:
        matchLabels:
            app: kubia
    template:
        metadata:
            name: kubia-pod
            labels:
                app: kubia
        spec:
            containers:
                - image: luksa/kubia:v1
                  name: nodejs