How does kubectl interact with EKS?

Let me start this by saying I am a complete newbie, and I’m trying to wrap my head around some Kubernetes concepts.

I created an EKS cluster whose worker nodes are all inside a private subnet, and then I configured kubectl to see and use it on my local computer. My computer is not connected to a VPN or any other means of accessing a private subnet directly.

I made a three-pod deployment of a trivial “hello world” type application that listens on port 8080. (Specifically, I ran luksa/kubia, the example used throughout Kubernetes in Action.) I did not set up any kind of ingress that would allow communication with the public internet.

As an experiment, I then ran the following:

kubectl exec kubia-deployment-c97c5cbcd-pntx4 -- curl -s

Where kubia-deployment-c97c5cbcd-pntx4 was one of the pods in my deployment, and was the internal IP of a different pod.

To my surprise, I got a response:

This is v1 running in pod kubia-deployment-c97c5cbcd-66qzl

This implies that kubectl, once configured to work with an EKS cluster, is also able to access worker nodes even if they are inside an inaccessible private network. What is the path by which my exec command gets to the pod, and how do I get the response back? Basically, what happened here?

My manifest file:

apiVersion: apps/v1
kind: Deployment
    name: kubia-deployment
        app: kubia
    replicas: 3
            app: kubia
            name: kubia-pod
                app: kubia
                - image: luksa/kubia:v1
                  name: nodejs