Package @pulumi/eks
var eks = require("@pulumi/eks");
import * as eks from "@pulumi/eks";
Resources
Resource Cluster
class Cluster extends ComponentResource
Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
constructor
new Cluster(name: string, args?: ClusterOptions, opts?: pulumi.ComponentResourceOptions)
Create a new EKS cluster with worker nodes, optional storage classes, and deploy the Kubernetes Dashboard if requested.
name: The unique name of this component.
args: The arguments for this cluster.
opts: A bag of options that control this component's behavior.
method createNodeGroup
createNodeGroup(name: string, args: ClusterNodeGroupOptions): NodeGroup
Create a self-managed node group using CloudFormation and an ASG.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html
method getData
protected getData(): Promise<TData>
Retrieves the data produced by [initialize]. The data is immediately available in a derived class’s constructor after the super(...) call to ComponentResource.
method getKubeconfig
getKubeconfig(args: KubeconfigOptions): pulumi.Output<string>
Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in KubeconfigOptions.
The kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.
See for more details:
- https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method initialize
protected initialize(args: Inputs): Promise<TData>
Can be overridden by a subclass to asynchronously initialize data for this Component automatically when constructed. The data will be available immediately for subclass constructors to use. To access the data use .getData.
method isInstance
static isInstance(obj: any): obj is ComponentResource
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
method registerOutputs
protected registerOutputs(outputs?: Inputs | Promise<Inputs> | Output<Inputs>): void
registerOutputs registers synthetic outputs that a component has initialized, usually by allocating other child sub-resources and propagating their resulting property values.
ComponentResources can call this at the end of their constructor to indicate that they are done creating child resources. This is not strictly necessary as this will automatically be called after the initialize method completes.
property awsProvider
public awsProvider: ProviderResource;
The AWS resource provider.
property clusterSecurityGroup
public clusterSecurityGroup: SecurityGroup;
The security group for the EKS cluster.
property core
public core: CoreData;
The EKS cluster and its dependencies.
property defaultNodeGroup
public defaultNodeGroup: NodeGroupData | undefined;
The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.
property eksCluster
public eksCluster: Cluster;
The EKS cluster.
property eksClusterIngressRule
public eksClusterIngressRule: SecurityGroupRule;
The ingress rule that gives node group access to the cluster API server.
property instanceRoles
public instanceRoles: pulumi.Output<Role[]>;
The service roles used by the EKS cluster.
property kubeconfig
public kubeconfig: pulumi.Output<any>;
A kubeconfig that can be used to connect to the EKS cluster.
property nodeSecurityGroup
public nodeSecurityGroup: SecurityGroup;
The security group for the cluster’s nodes.
property provider
public provider: Provider;
A Kubernetes resource provider that can be used to deploy into this cluster. For example, the code below will create a new Pod in the EKS cluster.
let eks = new Cluster("eks");
let pod = new kubernetes.core.v1.Pod("pod", { ... }, { provider: eks.provider });
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource ClusterCreationRoleProvider
implements CreationRoleProvider
ClusterCreationRoleProvider is a component that wraps creating a role provider that can be passed to new eks.Cluster("test", { creationRoleProvider: ... }). This can be used to provide a specific role to use for the creation of the EKS cluster different from the role being used to run the Pulumi deployment.
constructor
new ClusterCreationRoleProvider(name: string, args: ClusterCreationRoleProviderOptions, opts?: pulumi.ComponentResourceOptions)
Creates a role provider that can be passed to new eks.Cluster("test", { creationRoleProvider: ... }). This can be used to provide a specific role to use for the creation of the EKS cluster different from the role being used to run the Pulumi deployment.
name: The unique name of this component.
args: The arguments for this component.
opts: A bag of options that control this component's behavior.
method getData
protected getData(): Promise<TData>
Retrieves the data produced by [initialize]. The data is immediately available in a derived class’s constructor after the super(...) call to ComponentResource.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method initialize
protected initialize(args: Inputs): Promise<TData>
Can be overridden by a subclass to asynchronously initialize data for this Component automatically when constructed. The data will be available immediately for subclass constructors to use. To access the data use .getData.
method isInstance
static isInstance(obj: any): obj is ComponentResource
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
method registerOutputs
protected registerOutputs(outputs?: Inputs | Promise<Inputs> | Output<Inputs>): void
registerOutputs registers synthetic outputs that a component has initialized, usually by allocating other child sub-resources and propagating their resulting property values.
ComponentResources can call this at the end of their constructor to indicate that they are done creating child resources. This is not strictly necessary as this will automatically be called after the initialize method completes.
property provider
public provider: ProviderResource;
property role
public role: Role;
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource ManagedNodeGroup
class ManagedNodeGroup extends ComponentResource
ManagedNodeGroup is a component that wraps creating an AWS managed node group.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html
constructor
new ManagedNodeGroup(name: string, args: ManagedNodeGroupOptions, opts?: pulumi.ComponentResourceOptions)
Create a new AWS managed node group.
name: The unique name of this component.
args: The arguments for this node group.
opts: A bag of options that control this component's behavior.
method getData
protected getData(): Promise<TData>
Retrieves the data produced by [initialize]. The data is immediately available in a derived class’s constructor after the super(...) call to ComponentResource.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method initialize
protected initialize(args: Inputs): Promise<TData>
Can be overridden by a subclass to asynchronously initialize data for this Component automatically when constructed. The data will be available immediately for subclass constructors to use. To access the data use .getData.
method isInstance
static isInstance(obj: any): obj is ComponentResource
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
method registerOutputs
protected registerOutputs(outputs?: Inputs | Promise<Inputs> | Output<Inputs>): void
registerOutputs registers synthetic outputs that a component has initialized, usually by allocating other child sub-resources and propagating their resulting property values.
ComponentResources can call this at the end of their constructor to indicate that they are done creating child resources. This is not strictly necessary as this will automatically be called after the initialize method completes.
property nodeGroup
public nodeGroup: NodeGroup;
The AWS managed node group.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource NodeGroup
implements NodeGroupData
NodeGroup is a component that wraps the AWS EC2 instances that provide compute capacity for an EKS cluster.
constructor
new NodeGroup(name: string, args: NodeGroupOptions, opts?: pulumi.ComponentResourceOptions)
Create a new EKS cluster with worker nodes, optional storage classes, and deploy the Kubernetes Dashboard if requested.
name: The unique name of this component.
args: The arguments for this cluster.
opts: A bag of options that control this component's behavior.
method getData
protected getData(): Promise<TData>
Retrieves the data produced by [initialize]. The data is immediately available in a derived class’s constructor after the super(...) call to ComponentResource.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method initialize
protected initialize(args: Inputs): Promise<TData>
Can be overridden by a subclass to asynchronously initialize data for this Component automatically when constructed. The data will be available immediately for subclass constructors to use. To access the data use .getData.
method isInstance
static isInstance(obj: any): obj is ComponentResource
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
method registerOutputs
protected registerOutputs(outputs?: Inputs | Promise<Inputs> | Output<Inputs>): void
registerOutputs registers synthetic outputs that a component has initialized, usually by allocating other child sub-resources and propagating their resulting property values.
ComponentResources can call this at the end of their constructor to indicate that they are done creating child resources. This is not strictly necessary as this will automatically be called after the initialize method completes.
property autoScalingGroupName
autoScalingGroupName: pulumi.Output<string>;
The AutoScalingGroup name for the Node group.
property cfnStack
cfnStack: Stack;
The CloudFormation Stack which defines the Node AutoScalingGroup.
property extraNodeSecurityGroups
public extraNodeSecurityGroups: SecurityGroup[];
The additional security groups for the node group that captures user-specific rules.
property nodeSecurityGroup
public nodeSecurityGroup: SecurityGroup;
The security group for the node group to communicate with the cluster.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource NodeGroupSecurityGroup
class NodeGroupSecurityGroup extends ComponentResource
NodeGroupSecurityGroup is a component that wraps creating a security group for node groups with the default ingress & egress rules required to connect and work with the EKS cluster security group.
constructor
new NodeGroupSecurityGroup(name: string, args: NodeGroupSecurityGroupOptions, opts?: pulumi.ComponentResourceOptions)
Creates a security group for node groups with the default ingress & egress rules required to connect and work with the EKS cluster security group.
name: The unique name of this component.
args: The arguments for this component.
opts: A bag of options that control this component's behavior.
method getData
protected getData(): Promise<TData>
Retrieves the data produced by [initialize]. The data is immediately available in a derived class’s constructor after the super(...) call to ComponentResource.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method initialize
protected initialize(args: Inputs): Promise<TData>
Can be overridden by a subclass to asynchronously initialize data for this Component automatically when constructed. The data will be available immediately for subclass constructors to use. To access the data use .getData.
method isInstance
static isInstance(obj: any): obj is ComponentResource
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
method registerOutputs
protected registerOutputs(outputs?: Inputs | Promise<Inputs> | Output<Inputs>): void
registerOutputs registers synthetic outputs that a component has initialized, usually by allocating other child sub-resources and propagating their resulting property values.
ComponentResources can call this at the end of their constructor to indicate that they are done creating child resources. This is not strictly necessary as this will automatically be called after the initialize method completes.
property securityGroup
public securityGroup: SecurityGroup;
The security group for node groups with the default ingress & egress rules required to connect and work with the EKS cluster security group.
property securityGroupRule
public securityGroupRule: SecurityGroupRule;
The EKS cluster ingress rule.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource ServiceRole
class ServiceRole extends ComponentResource
The ServiceRole component creates an IAM role for a particular service and attaches to it a list of well-known managed policies.
constructor
new ServiceRole(name: string, args: ServiceRoleArgs, opts?: pulumi.ResourceOptions)
Create a new ServiceRole.
name: The unique name of this component.
args: The arguments for this cluster.
opts: A bag of options that control this component's behavior.
method getData
protected getData(): Promise<TData>
Retrieves the data produced by [initialize]. The data is immediately available in a derived class’s constructor after the super(...) call to ComponentResource.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method initialize
protected initialize(args: Inputs): Promise<TData>
Can be overridden by a subclass to asynchronously initialize data for this Component automatically when constructed. The data will be available immediately for subclass constructors to use. To access the data use .getData.
method isInstance
static isInstance(obj: any): obj is ComponentResource
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
method registerOutputs
protected registerOutputs(outputs?: Inputs | Promise<Inputs> | Output<Inputs>): void
registerOutputs registers synthetic outputs that a component has initialized, usually by allocating other child sub-resources and propagating their resulting property values.
ComponentResources can call this at the end of their constructor to indicate that they are done creating child resources. This is not strictly necessary as this will automatically be called after the initialize method completes.
property role
public role: pulumi.Output<Role>;
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource VpcCni
class VpcCni extends CustomResource
VpcCni manages the configuration of the Amazon VPC CNI plugin for Kubernetes by applying its YAML chart. Once Pulumi is able to programmatically manage existing infrastructure, we can replace this with a real k8s resource.
constructor
new VpcCni(name: string, kubeconfig: pulumi.Input<any>, args?: VpcCniOptions, opts?: pulumi.CustomResourceOptions)
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
static isInstance(obj: any): obj is CustomResource
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Others
interface ClusterCreationRoleProviderOptions
interface ClusterCreationRoleProviderOptions
property profile
profile?: undefined | string;
property region
region?: aws.Region;
interface ClusterNodeGroupOptions
interface ClusterNodeGroupOptions extends NodeGroupBaseOptions
ClusterNodeGroupOptions describes the configuration options accepted by a cluster to create its own node groups. It’s a subset of NodeGroupOptions.
property amiId
amiId?: pulumi.Input<string>;
The AMI ID to use for the worker nodes.
Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.
Note: amiId and gpu are mutually exclusive.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
property autoScalingGroupTags
autoScalingGroupTags?: InputTags;
The tags to apply to the NodeGroup’s AutoScalingGroup in the CloudFormation Stack.
Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.
property bootstrapExtraArgs
bootstrapExtraArgs?: undefined | string;
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
property cloudFormationTags
cloudFormationTags?: InputTags;
The tags to apply to the CloudFormation Stack of the Worker NodeGroup.
Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.
property clusterIngressRule
clusterIngressRule?: aws.ec2.SecurityGroupRule;
The ingress rule that gives node group access.
property desiredCapacity
desiredCapacity?: pulumi.Input<number>;
The number of worker nodes that should be running in the cluster. Defaults to 2.
property encryptRootBlockDevice
encryptRootBlockDevice?: pulumi.Input<boolean>;
Encrypt the root block device of the nodes in the node group.
property encryptRootBockDevice
encryptRootBockDevice?: pulumi.Input<boolean>;
Encrypt the root block device of the nodes in the node group.
property extraNodeSecurityGroups
extraNodeSecurityGroups?: SecurityGroup[];
Extra security groups to attach on all nodes in this worker node group.
This additional set of security groups captures any user application rules that will be needed for the nodes.
property gpu
gpu?: pulumi.Input<boolean>;
Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.
Defaults to false.
Note: gpu and amiId are mutually exclusive.
See for more details:
- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
- https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
property instanceProfile
instanceProfile?: aws.iam.InstanceProfile;
The instance profile to use for this node group. Note, the role for the instance profile must be supplied in the ClusterOptions as either: ‘instanceRole’, or as a role of ‘instanceRoles’.
property instanceType
instanceType?: pulumi.Input<aws.ec2.InstanceType>;
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
property keyName
keyName?: pulumi.Input<string>;
Name of the key pair to use for SSH access to worker nodes.
property kubeletExtraArgs
kubeletExtraArgs?: undefined | string;
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
property labels
labels?: undefined | {[key: string]: string};
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
property maxSize
maxSize?: pulumi.Input<number>;
The maximum number of worker nodes running in the cluster. Defaults to 2.
property minSize
minSize?: pulumi.Input<number>;
The minimum number of worker nodes running in the cluster. Defaults to 1.
property nodeAssociatePublicIpAddress
nodeAssociatePublicIpAddress?: undefined | false | true;
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
property nodePublicKey
nodePublicKey?: pulumi.Input<string>;
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html. If not provided, no SSH access is enabled on VMs.
property nodeRootVolumeSize
nodeRootVolumeSize?: pulumi.Input<number>;
The size in GiB of a cluster node’s root volume. Defaults to 20.
property nodeSecurityGroup
nodeSecurityGroup?: aws.ec2.SecurityGroup;
The security group for the worker node group to communicate with the cluster.
This security group requires specific inbound and outbound rules.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.
property nodeSubnetIds
nodeSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
The set of subnets to override and use for the worker node group.
Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster’s subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.
property nodeUserData
nodeUserData?: pulumi.Input<string>;
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
property nodeUserDataOverride
nodeUserDataOverride?: pulumi.Input<string>;
User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html
property spotPrice
spotPrice?: pulumi.Input<string>;
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
property taints
taints?: undefined | {[key: string]: Taint};
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints
kubelet argument.
property version
version?: pulumi.Input<string>;
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
interface ClusterOptions
interface ClusterOptions
ClusterOptions describes the configuration options accepted by an EKSCluster component.
property clusterSecurityGroup
clusterSecurityGroup?: aws.ec2.SecurityGroup;
The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.
property clusterSecurityGroupTags
clusterSecurityGroupTags?: InputTags;
The tags to apply to the cluster security group.
property clusterTags
clusterTags?: InputTags;
The tags to apply to the EKS cluster.
property createOidcProvider
createOidcProvider?: pulumi.Input<boolean>;
Indicates whether an IAM OIDC Provider is created for the EKS cluster.
The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.
See for more details: - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html - https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html - https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/ - https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
property creationRoleProvider
creationRoleProvider?: CreationRoleProvider;
The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S. See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
property customInstanceRolePolicy
customInstanceRolePolicy?: pulumi.Input<string>;
Attach a custom role policy to the worker node instance role.
Related options: instanceRole or instanceRoles. The role provided to either option should already include all required policies.
property deployDashboard
deployDashboard?: undefined | false | true;
Whether or not to deploy the Kubernetes dashboard to the cluster. If the dashboard is deployed, it can be accessed as follows:
- Retrieve an authentication token for the dashboard by running the following and copying the value of token from the output of the last command:
$ kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}'
$ kubectl -n kube-system describe secret
- Start the kubectl proxy:
$ kubectl proxy
- Open http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ in a web browser.
- Choose Token authentication, paste the token retrieved earlier into the Token field, and sign in.
Defaults to false.
property desiredCapacity
desiredCapacity?: pulumi.Input<number>;
The number of worker nodes that should be running in the cluster. Defaults to 2.
property enabledClusterLogTypes
enabledClusterLogTypes?: pulumi.Input<pulumi.Input<string>[]>;
Enable EKS control plane logging. This sends logs to CloudWatch. The possible values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.
property encryptRootBlockDevice
encryptRootBlockDevice?: pulumi.Input<boolean>;
Encrypt the root block device of the nodes in the node group.
property encryptRootBockDevice
encryptRootBockDevice?: pulumi.Input<boolean>;
Encrypt the root block device of the nodes in the node group.
property encryptionConfigKeyArn
encryptionConfigKeyArn?: pulumi.Input<string>;
KMS Key ARN to use with the encryption configuration for the cluster.
Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details: - https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
property endpointPrivateAccess
endpointPrivateAccess?: pulumi.Input<boolean>;
Indicates whether or not the Amazon EKS private API server endpoint is enabled. The default is false.
property endpointPublicAccess
endpointPublicAccess?: pulumi.Input<boolean>;
Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.
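The following is an added example, not code from @pulumi/eks: an offline lint over a subset of the ClusterOptions and ClusterNodeGroupOptions documented on this page. It enforces the mutual-exclusion notes (instanceRole/instanceRoles, gpu/nodeAmiId, subnetIds vs. public/private subnet ids, nodeSecurityGroup vs. nodeSecurityGroupTags, duplicated autoScalingGroupTags/cloudFormationTags keys) and flags the documented defaults that weaken a cluster (public-only API endpoint, no control plane audit logs, no KMS envelope encryption, unencrypted root volumes, dashboard deployed, public-only worker subnets). The interfaces mirror only the fields the checks need, with plain values in place of pulumi.Input<T>; the sample inputs are constructed with placeholder ids.

```typescript
// Added example (not part of @pulumi/eks): lint for a subset of ClusterOptions.
// Interfaces mirror only the documented fields the checks need; plain values
// stand in for pulumi.Input<T> wrappers and for aws.* resource objects.

interface NodeGroupOptsSubset {
  amiId?: string;
  gpu?: boolean;
  nodeSecurityGroup?: object;            // stands in for aws.ec2.SecurityGroup
  autoScalingGroupTags?: Record<string, string>;
  cloudFormationTags?: Record<string, string>;
  encryptRootBlockDevice?: boolean;
}

interface ClusterOptsSubset {
  endpointPublicAccess?: boolean;        // documented default: true
  endpointPrivateAccess?: boolean;       // documented default: false
  enabledClusterLogTypes?: string[];     // documented default: off
  encryptionConfigKeyArn?: string;
  encryptRootBlockDevice?: boolean;
  deployDashboard?: boolean;             // documented default: false
  instanceRole?: object;                 // stands in for aws.iam.Role
  instanceRoles?: object[];
  gpu?: boolean;
  nodeAmiId?: string;
  subnetIds?: string[];
  publicSubnetIds?: string[];
  privateSubnetIds?: string[];
  nodeSecurityGroupTags?: Record<string, string>;
  nodeGroupOptions?: NodeGroupOptsSubset;
}

export interface Finding { level: "error" | "warn"; option: string; message: string; }

// The five control plane log types listed under enabledClusterLogTypes.
const VALID_LOG_TYPES = ["api", "audit", "authenticator", "controllerManager", "scheduler"];

export function lintClusterOptions(o: ClusterOptsSubset): Finding[] {
  const findings: Finding[] = [];
  const error = (option: string, message: string) => findings.push({ level: "error", option, message });
  const warn = (option: string, message: string) => findings.push({ level: "warn", option, message });

  // Mutual exclusions stated in the ClusterOptions notes.
  if (o.instanceRole && o.instanceRoles) error("instanceRole", "instanceRole and instanceRoles are mutually exclusive");
  if (o.gpu && o.nodeAmiId) error("gpu", "gpu and nodeAmiId are mutually exclusive");
  if (o.subnetIds && (o.publicSubnetIds || o.privateSubnetIds))
    error("subnetIds", "subnetIds is mutually exclusive with publicSubnetIds/privateSubnetIds");

  // Mutual exclusions and the tag rule stated in the ClusterNodeGroupOptions notes.
  const ng = o.nodeGroupOptions;
  if (ng) {
    if (ng.amiId && ng.gpu) error("nodeGroupOptions.amiId", "amiId and gpu are mutually exclusive");
    if (ng.nodeSecurityGroup && o.nodeSecurityGroupTags)
      error("nodeSecurityGroupTags", "nodeSecurityGroupTags and the node group's nodeSecurityGroup are mutually exclusive");
    for (const key of Object.keys(ng.autoScalingGroupTags || {})) {
      if (key in (ng.cloudFormationTags || {}))
        error("nodeGroupOptions.autoScalingGroupTags", `tag "${key}" is set in both autoScalingGroupTags and cloudFormationTags`);
    }
  }

  // Security-relevant settings, evaluated against the documented defaults.
  const publicAccess = o.endpointPublicAccess === undefined ? true : o.endpointPublicAccess;
  const privateAccess = o.endpointPrivateAccess === undefined ? false : o.endpointPrivateAccess;
  if (publicAccess && !privateAccess)
    warn("endpointPrivateAccess", "API server is reachable only through the public endpoint; consider enabling the private endpoint");
  const logTypes = o.enabledClusterLogTypes || [];
  for (const t of logTypes) {
    if (VALID_LOG_TYPES.indexOf(t) === -1) error("enabledClusterLogTypes", `unknown log type "${t}"`);
  }
  if (logTypes.indexOf("audit") === -1) warn("enabledClusterLogTypes", "control plane audit logging is not enabled (off by default)");
  if (!o.encryptionConfigKeyArn) warn("encryptionConfigKeyArn", "no KMS key set for envelope encryption of Kubernetes secrets");
  const rootEncrypted = o.encryptRootBlockDevice === undefined ? (ng ? ng.encryptRootBlockDevice : undefined) : o.encryptRootBlockDevice;
  if (!rootEncrypted) warn("encryptRootBlockDevice", "worker node root block devices are not encrypted");
  if (o.deployDashboard)
    warn("deployDashboard", "Kubernetes dashboard is deployed; the eks-admin token used to sign in is a bearer credential, protect it");
  if (o.publicSubnetIds && !o.privateSubnetIds)
    warn("publicSubnetIds", "public-only worker layout; the mixed layout (private workers, public load balancer subnets) is recommended");
  return findings;
}

// Constructed sample inputs (placeholder ids): a permissive configuration and a hardened one.
export const permissiveOptions: ClusterOptsSubset = {
  deployDashboard: true,
  instanceRole: {},
  instanceRoles: [{}],
  publicSubnetIds: ["subnet-PLACEHOLDER-a"],
  nodeGroupOptions: { autoScalingGroupTags: { Owner: "team" }, cloudFormationTags: { Owner: "team" } },
};

export const hardenedOptions: ClusterOptsSubset = {
  endpointPublicAccess: false,
  endpointPrivateAccess: true,
  enabledClusterLogTypes: ["api", "audit", "authenticator"],
  encryptionConfigKeyArn: "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
  encryptRootBlockDevice: true,
  privateSubnetIds: ["subnet-PLACEHOLDER-priv"],
  publicSubnetIds: ["subnet-PLACEHOLDER-pub"],
};
```

Run the lint over an options object before passing it to new eks.Cluster(...); errors correspond to combinations the page documents as invalid, warnings to documented defaults worth overriding.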
property fargate
fargate?: pulumi.Input<boolean | FargateProfile>;
Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.
property gpu
gpu?: pulumi.Input<boolean>;
Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.
Defaults to false.
Note: gpu and nodeAmiId are mutually exclusive.
See for more details:
- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
- https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
property instanceProfileName
instanceProfileName?: pulumi.Input<string>;
The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
property instanceRole
instanceRole?: pulumi.Input<Role>;
This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.
Note: options instanceRole and instanceRoles are mutually exclusive.
property instanceRoles
instanceRoles?: pulumi.Input<pulumi.Input<Role>[]>;
This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.
Note: options instanceRole and instanceRoles are mutually exclusive.
property instanceType
instanceType?: pulumi.Input<aws.ec2.InstanceType>;
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
property maxSize
maxSize?: pulumi.Input<number>;
The maximum number of worker nodes running in the cluster. Defaults to 2.
property minSize
minSize?: pulumi.Input<number>;
The minimum number of worker nodes running in the cluster. Defaults to 1.
property name
name?: pulumi.Input<string>;
The cluster’s physical resource name.
If not specified, the default is to use auto-naming for the cluster’s name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.
See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming
property nodeAmiId
nodeAmiId?: pulumi.Input<string>;
The AMI ID to use for the worker nodes.
Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.
Note: nodeAmiId and gpu are mutually exclusive.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
property nodeAssociatePublicIpAddress
nodeAssociatePublicIpAddress?: undefined | false | true;
Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
property nodeGroupOptions
nodeGroupOptions?: ClusterNodeGroupOptions;
The common configuration settings for NodeGroups.
property nodePublicKey
nodePublicKey?: pulumi.Input<string>;
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html. If not provided, no SSH access is enabled on VMs.
property nodeRootVolumeSize
nodeRootVolumeSize?: pulumi.Input<number>;
The size in GiB of a cluster node’s root volume. Defaults to 20.
property nodeSecurityGroupTags
nodeSecurityGroupTags?: InputTags;
The tags to apply to the default nodeSecurityGroup created by the cluster.
Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.
property nodeSubnetIds
nodeSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
The subnets to use for worker nodes. Defaults to the value of subnetIds.
property nodeUserData
nodeUserData?: pulumi.Input<string>;
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
property privateSubnetIds
privateSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.
Worker network architecture options:
- Private-only: Only set privateSubnetIds. Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
- Public-only: Only set publicSubnetIds. Default workers to run in a public subnet.
- Mixed (recommended): Set both privateSubnetIds and publicSubnetIds. Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds, is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.
Also consider setting nodeAssociatePublicIpAddress: true for fully private workers.
property providerCredentialOpts
providerCredentialOpts?: pulumi.Input<KubeconfigOptions>;
The AWS provider credential options to scope the cluster’s kubeconfig authentication when using a non-default credential chain.
This is required for certain auth scenarios. For example:
- Creating and using a new AWS provider instance, or
- Setting the AWS_PROFILE environment variable, or
- Using a named profile configured on the AWS provider via:
pulumi config set aws:profile <profileName>
See for more details:
- https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
- https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
- https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
- https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
property proxy
proxy?: undefined | string;
The HTTP(S) proxy to use within a proxied environment.
The proxy is used during cluster creation, and OIDC configuration.
This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.
This option is required iff the proxy environment variables are not set.
Format examples:
- "http://proxy.example.com:3128"
- "https://proxy.example.com"
- "http://username:password@proxy.example.com:3128"
property publicAccessCidrs
publicAccessCidrs?: pulumi.Input<pulumi.Input<string>[]>;
Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.
property publicSubnetIds
publicSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.
Worker network architecture options:
- Private-only: Only set privateSubnetIds. Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
- Public-only: Only set publicSubnetIds. Default workers to run in a public subnet.
- Mixed (recommended): Set both privateSubnetIds and publicSubnetIds. Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds, is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.
property roleMappings
roleMappings?: pulumi.Input<pulumi.Input<RoleMapping>[]>;
Optional mappings from AWS IAM roles to Kubernetes users and groups.
property serviceRole
serviceRole?: pulumi.Input<Role>;
IAM Service Role for EKS to use to manage the cluster.
property skipDefaultNodeGroup
skipDefaultNodeGroup?: undefined | false | true;
If this toggle is set to true, the EKS cluster will be created without a node group attached.
Defaults to false, unless the fargate input is provided.
property storageClasses
storageClasses?: {[name: string]: StorageClass} | EBSVolumeType;
An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.
Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
property subnetIds
subnetIds?: pulumi.Input<pulumi.Input<string>[]>;
The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.
If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds, is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.
property tags
tags?: InputTags;
Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.
property useDefaultVpcCni
useDefaultVpcCni?: undefined | false | true;
Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.
property userMappings
userMappings?: pulumi.Input<pulumi.Input<UserMapping>[]>;
Optional mappings from AWS IAM users to Kubernetes users and groups.
property version
version?: pulumi.Input<string>;
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
property vpcCniOptions
vpcCniOptions?: VpcCniOptions;
The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.
property vpcId
vpcId?: pulumi.Input<string>;
The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.
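The mutual-exclusion notes scattered through ClusterOptions above (subnetIds versus publicSubnetIds/privateSubnetIds, instanceRole versus instanceRoles, nodeAmiId versus gpu, nodeSecurityGroupTags versus the node group's nodeSecurityGroup, useDefaultVpcCni versus vpcCniOptions, and at most one default storage class) can be checked before the options ever reach the AWS API. The following is an added example, not @pulumi/eks code; it works on a plain-value subset of ClusterOptions, standing in Role and SecurityGroup by their names, and the subnet, AMI and class names are constructed.

```typescript
// Added example, not @pulumi/eks code: an offline pre-flight check for the
// mutual-exclusion rules that the ClusterOptions descriptions spell out.
// The shapes are a plain-value subset of ClusterOptions (real fields are
// pulumi.Input<...>; Role and SecurityGroup are stood in for by their names).

interface StorageClassSubset {
  type: "io1" | "gp2" | "sc1" | "st1";
  default?: boolean;
}

interface ClusterOptionsSubset {
  subnetIds?: string[];
  publicSubnetIds?: string[];
  privateSubnetIds?: string[];
  instanceRole?: string;
  instanceRoles?: string[];
  nodeAmiId?: string;
  gpu?: boolean;
  nodeSecurityGroupTags?: { [key: string]: string };
  nodeGroupOptions?: { nodeSecurityGroup?: string };
  useDefaultVpcCni?: boolean;
  vpcCniOptions?: { [key: string]: unknown };
  storageClasses?: { [name: string]: StorageClassSubset } | string;
}

function isSet(v: unknown): boolean {
  return v !== undefined;
}

// Returns one message per violated rule; an empty list means the options are consistent.
function validateClusterOptions(args: ClusterOptionsSubset): string[] {
  const problems: string[] = [];

  if (isSet(args.subnetIds) && (isSet(args.publicSubnetIds) || isSet(args.privateSubnetIds))) {
    problems.push("subnetIds is mutually exclusive with publicSubnetIds/privateSubnetIds");
  }
  if (isSet(args.instanceRole) && isSet(args.instanceRoles)) {
    problems.push("instanceRole and instanceRoles are mutually exclusive");
  }
  if (isSet(args.nodeAmiId) && args.gpu === true) {
    problems.push("nodeAmiId and gpu are mutually exclusive");
  }
  if (isSet(args.nodeSecurityGroupTags) && isSet(args.nodeGroupOptions?.nodeSecurityGroup)) {
    problems.push("nodeSecurityGroupTags and nodeGroupOptions.nodeSecurityGroup are mutually exclusive");
  }
  if (args.useDefaultVpcCni === true && isSet(args.vpcCniOptions)) {
    problems.push("useDefaultVpcCni should not be combined with vpcCniOptions");
  }
  // A map of storage classes may mark at most one as default (EKS already ships a
  // default gp2 class); two defaults break PVCs that omit storageClassName.
  const classes = args.storageClasses;
  if (classes !== undefined && typeof classes !== "string") {
    const defaults = Object.keys(classes).filter(n => classes[n].default === true);
    if (defaults.length > 1) {
      problems.push("more than one default storage class: " + defaults.join(", "));
    }
  }
  return problems;
}

// Constructed inputs: one configuration that breaks three rules, one that is consistent.
const conflictingOptions: ClusterOptionsSubset = {
  subnetIds: ["subnet-0aaa", "subnet-0bbb"],
  privateSubnetIds: ["subnet-0bbb"],
  nodeAmiId: "ami-0000example",
  gpu: true,
  storageClasses: {
    fast: { type: "io1", default: true },
    cold: { type: "sc1", default: true },
  },
};

const consistentOptions: ClusterOptionsSubset = {
  publicSubnetIds: ["subnet-0aaa"],
  privateSubnetIds: ["subnet-0bbb"],
  storageClasses: { fast: { type: "io1", default: true } },
};

console.log(validateClusterOptions(conflictingOptions)); // three messages
console.log(validateClusterOptions(consistentOptions));  // []
```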
function computeWorkerSubnets
computeWorkerSubnets(parent: Resource, subnetIds: string[]): Promise<string[]>
computeWorkerSubnets attempts to determine the subset of the given subnets to use for worker nodes.
As per https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html, an EKS cluster that is attached to public and private subnets will only expose its API service to workers on the private subnets. Any workers attached to the public subnets will be unable to communicate with the API server.
If all of the given subnet IDs are public, the list of subnet IDs is returned as-is. If any private subnet is given, only the IDs of the private subnets are returned. A subnet is deemed private iff it has no route in its route table that routes directly to an internet gateway. If any such route exists in a subnet’s route table, it is treated as public.
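The classification rule just described decides which subnets workers land in, and a wrong answer leaves nodes that cannot reach the API server. The following is an added example, not the package's implementation: it applies the rule offline to constructed route-table data instead of live AWS lookups, recognizing an internet gateway by the "igw-" id prefix.

```typescript
// Added example, not the package's implementation: the subnet-selection rule
// described for computeWorkerSubnets, applied offline to constructed route-table
// data instead of live AWS lookups. A subnet is private iff none of its routes
// targets an internet gateway; the "igw-" id prefix is the AWS convention used
// here to recognize one.

interface Route {
  destinationCidr: string;
  gatewayId?: string;     // "local", an "igw-..." id, or absent
  natGatewayId?: string;  // set when the route egresses through a NAT gateway
}

interface SubnetInfo {
  id: string;
  routes: Route[];
}

function routesToInternetGateway(route: Route): boolean {
  return route.gatewayId !== undefined && route.gatewayId.indexOf("igw-") === 0;
}

// Private iff no route in the subnet's route table points at an internet gateway.
function isPrivateSubnet(subnet: SubnetInfo): boolean {
  return !subnet.routes.some(routesToInternetGateway);
}

// Documented behaviour: all public -> return as-is; otherwise only the private
// subnet IDs, since workers on public subnets cannot reach the API server when
// the cluster is attached to both kinds.
function selectWorkerSubnets(subnets: SubnetInfo[]): string[] {
  const privateIds = subnets.filter(isPrivateSubnet).map(s => s.id);
  return privateIds.length > 0 ? privateIds : subnets.map(s => s.id);
}

// Constructed sample: one public subnet (default route via IGW), one private
// subnet egressing through a NAT gateway, one isolated private subnet.
const localRoute: Route = { destinationCidr: "10.0.0.0/16", gatewayId: "local" };
const mixedSubnets: SubnetInfo[] = [
  { id: "subnet-pub-a", routes: [localRoute, { destinationCidr: "0.0.0.0/0", gatewayId: "igw-0example" }] },
  { id: "subnet-priv-a", routes: [localRoute, { destinationCidr: "0.0.0.0/0", natGatewayId: "nat-0example" }] },
  { id: "subnet-priv-b", routes: [localRoute] },
];
const publicOnlySubnets: SubnetInfo[] = [
  mixedSubnets[0],
  { id: "subnet-pub-b", routes: mixedSubnets[0].routes },
];

console.log(selectWorkerSubnets(mixedSubnets));      // ["subnet-priv-a", "subnet-priv-b"]
console.log(selectWorkerSubnets(publicOnlySubnets)); // ["subnet-pub-a", "subnet-pub-b"]
```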
interface CoreData
interface CoreData
CoreData defines the core set of data associated with an EKS cluster, including the network in which it runs.
property awsProvider
awsProvider?: pulumi.ProviderResource;
property cluster
cluster: Cluster;
property clusterSecurityGroup
clusterSecurityGroup: SecurityGroup;
property eksNodeAccess
eksNodeAccess?: k8s.core.v1.ConfigMap;
property encryptionConfig
encryptionConfig?: pulumi.Output<ClusterEncryptionConfig>;
property endpoint
endpoint: pulumi.Output<string>;
property fargateProfile
fargateProfile: pulumi.Output<FargateProfile | undefined>;
property instanceRoles
instanceRoles: pulumi.Output<Role[]>;
property kubeconfig
kubeconfig?: pulumi.Output<any>;
property nodeGroupOptions
nodeGroupOptions: ClusterNodeGroupOptions;
property nodeSecurityGroupTags
nodeSecurityGroupTags?: InputTags;
property oidcProvider
oidcProvider?: aws.iam.OpenIdConnectProvider;
property privateSubnetIds
privateSubnetIds?: pulumi.Output<string[]>;
property provider
provider: Provider;
property publicSubnetIds
publicSubnetIds?: pulumi.Output<string[]>;
property storageClasses
storageClasses?: UserStorageClasses;
property subnetIds
subnetIds: pulumi.Output<string[]>;
property tags
tags?: InputTags;
property vpcCni
vpcCni?: VpcCni;
property vpcId
vpcId: pulumi.Output<string>;
function createCore
createCore(name: string, args: ClusterOptions, parent: ComponentResource, provider?: pulumi.ProviderResource): CoreData
Create the core components and settings required for the EKS cluster.
function createDashboard
createDashboard(name: string, args: DashboardOptions, parent: ComponentResource, k8sProvider: Provider): void
function createManagedNodeGroup
createManagedNodeGroup(name: string, args: ManagedNodeGroupOptions, parent?: pulumi.ComponentResource, provider?: pulumi.ProviderResource): NodeGroup
Create an AWS managed node group.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html
function createNodeGroup
createNodeGroup(name: string, args: NodeGroupOptions, parent: ComponentResource, provider?: pulumi.ProviderResource): NodeGroupData
Create a self-managed node group using CloudFormation and an ASG.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html
function createNodeGroupSecurityGroup
createNodeGroupSecurityGroup(name: string, args: NodeGroupSecurityGroupOptions, parent: ComponentResource, provider?: pulumi.ProviderResource): [, SecurityGroup, SecurityGroupRule]
createNodeGroupSecurityGroup creates a security group for node groups with the default ingress & egress rules required to connect and work with the EKS cluster security group.
function createStorageClass
createStorageClass(name: string, storageClass: StorageClass, opts: CustomResourceOptions): StorageClass
Creates a single Kubernetes StorageClass from the given inputs.
interface CreationRoleProvider
interface CreationRoleProvider
CreationRoleProvider is a component containing the AWS Role and Provider necessary to override the [system:master] entity ARN. This is an optional argument used in ClusterOptions. Read more: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
property provider
provider: ProviderResource;
property role
role: Role;
interface DashboardOptions
interface DashboardOptions
type EBSVolumeType
type EBSVolumeType = "io1" | "gp2" | "sc1" | "st1";
EBSVolumeType lists the set of volume types accepted by an EKS storage class.
interface FargateProfile
interface FargateProfile
FargateProfile defines how Kubernetes pods are executed in Fargate. See aws.eks.FargateProfileArgs for reference.
property podExecutionRoleArn
podExecutionRoleArn?: pulumi.Input<string>;
Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
property selectors
selectors?: pulumi.Input<pulumi.Input<FargateProfileSelector>[]>;
Specify the namespace and label selectors to use for launching pods into Fargate.
property subnetIds
subnetIds?: pulumi.Input<pulumi.Input<string>[]>;
Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.
function getRoleProvider
getRoleProvider(name: string, region?: aws.Region, profile?: undefined | string, parent?: pulumi.ComponentResource, provider?: pulumi.ProviderResource): CreationRoleProvider
getRoleProvider creates a role provider that can be passed to new eks.Cluster("test", { creationRoleProvider: ... }). This can be used to provide a specific role to use for the creation of the EKS cluster different from the role being used to run the Pulumi deployment.
interface KubeconfigOptions
interface KubeconfigOptions
KubeconfigOptions represents the AWS credentials to scope a given kubeconfig when using a non-default credential chain.
The options can be used independently, or additively.
A scoped kubeconfig is necessary for certain auth scenarios. For example:
1. Assume a role on the default account caller,
2. Use an AWS creds profile instead of the default account caller,
3. Use an AWS creds profile instead of the default account caller, and then assume a given role on the profile. This scenario is also possible by only using a profile, iff the profile includes a role to assume in its settings.
See for more details:
- https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
property profileName
profileName?: pulumi.Input<string>;
AWS credential profile name to always use instead of the default AWS credential provider chain.
The profile is passed to kubeconfig as an authentication environment setting.
property roleArn
roleArn?: pulumi.Input<aws.ARN>;
Role ARN to assume instead of the default AWS credential provider chain.
The role is passed to kubeconfig as an authentication exec argument.
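Both providerCredentialOpts on ClusterOptions and the KubeconfigOptions interface above describe the same scoping: profileName becomes an exec environment setting and roleArn an exec argument, so the identity used against the API server is the one named in the kubeconfig rather than whatever the default credential chain finds. The following is an added example, not the package's own kubeconfig generator; it assumes the exec plugin is the AWS CLI's `aws eks get-token`, and the cluster name, endpoint, CA data and role ARN are constructed placeholders.

```typescript
// Added example (not the package's own kubeconfig generator): builds a kubeconfig
// whose user entry is scoped as KubeconfigOptions describes. It assumes the exec
// plugin is the AWS CLI's `aws eks get-token`; cluster name, endpoint, CA data and
// role ARN below are constructed placeholders.

interface KubeconfigOptionsSubset {
  profileName?: string;
  roleArn?: string;
}

interface ExecConfig {
  apiVersion: string;
  command: string;
  args: string[];
  env?: { name: string; value: string }[];
}

interface Kubeconfig {
  apiVersion: string;
  kind: string;
  clusters: { name: string; cluster: { server: string; "certificate-authority-data": string } }[];
  contexts: { name: string; context: { cluster: string; user: string } }[];
  "current-context": string;
  users: { name: string; user: { exec: ExecConfig } }[];
}

// profileName becomes an exec environment setting; roleArn becomes an exec argument.
// With neither set, the exec plugin falls back to the default credential chain.
function scopedExec(clusterName: string, opts: KubeconfigOptionsSubset): ExecConfig {
  const exec: ExecConfig = {
    apiVersion: "client.authentication.k8s.io/v1beta1",
    command: "aws",
    args: ["eks", "get-token", "--cluster-name", clusterName],
  };
  if (opts.roleArn !== undefined) {
    exec.args.push("--role-arn", opts.roleArn);
  }
  if (opts.profileName !== undefined) {
    exec.env = [{ name: "AWS_PROFILE", value: opts.profileName }];
  }
  return exec;
}

function buildKubeconfig(
  clusterName: string,
  endpoint: string,
  caData: string,
  opts: KubeconfigOptionsSubset,
): Kubeconfig {
  return {
    apiVersion: "v1",
    kind: "Config",
    clusters: [{ name: clusterName, cluster: { server: endpoint, "certificate-authority-data": caData } }],
    contexts: [{ name: "aws", context: { cluster: clusterName, user: "aws" } }],
    "current-context": "aws",
    users: [{ name: "aws", user: { exec: scopedExec(clusterName, opts) } }],
  };
}

// Constructed values: scenario 3 from the KubeconfigOptions description, a named
// profile that then assumes a role. The ARN and endpoint are placeholders.
const exampleOpts: KubeconfigOptionsSubset = {
  profileName: "eks-admin",
  roleArn: "arn:aws:iam::111122223333:role/EksClusterCreator",
};
const kubeconfig = buildKubeconfig(
  "demo-eksCluster",
  "https://EXAMPLE.gr7.us-west-2.eks.amazonaws.com",
  "<base64-ca-placeholder>",
  exampleOpts,
);
console.log(JSON.stringify(kubeconfig, null, 2));
```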
type ManagedNodeGroupOptions
type ManagedNodeGroupOptions = Omit<NodeGroupArgs, "clusterName" | "nodeRoleArn" | "subnetIds" | "scalingConfig"> & {
cluster: Cluster | CoreData;
clusterName?: pulumi.Output<string>;
nodeGroupName?: pulumi.Input<string>;
nodeRole?: pulumi.Input<Role>;
nodeRoleArn?: pulumi.Input<string>;
scalingConfig?: pulumi.Input<NodeGroupScalingConfig>;
subnetIds?: pulumi.Input<pulumi.Input<string>[]>;
};
ManagedNodeGroupOptions describes the configuration options accepted by an AWS Managed NodeGroup.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html
interface NodeGroupBaseOptions
interface NodeGroupBaseOptions
NodeGroupArgs represents the common configuration settings for NodeGroups.
property amiId
amiId?: pulumi.Input<string>;
The AMI ID to use for the worker nodes.
Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.
Note: amiId and gpu are mutually exclusive.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
property autoScalingGroupTags
autoScalingGroupTags?: InputTags;
The tags to apply to the NodeGroup’s AutoScalingGroup in the CloudFormation Stack.
Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.
property bootstrapExtraArgs
bootstrapExtraArgs?: undefined | string;
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
property cloudFormationTags
cloudFormationTags?: InputTags;
The tags to apply to the CloudFormation Stack of the Worker NodeGroup.
Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.
property clusterIngressRule
clusterIngressRule?: aws.ec2.SecurityGroupRule;
The ingress rule that gives node group access.
property desiredCapacity
desiredCapacity?: pulumi.Input<number>;
The number of worker nodes that should be running in the cluster. Defaults to 2.
property encryptRootBlockDevice
encryptRootBlockDevice?: pulumi.Input<boolean>;
Encrypt the root block device of the nodes in the node group.
property encryptRootBockDevice
encryptRootBockDevice?: pulumi.Input<boolean>;
Encrypt the root block device of the nodes in the node group.
property extraNodeSecurityGroups
extraNodeSecurityGroups?: SecurityGroup[];
Extra security groups to attach on all nodes in this worker node group.
This additional set of security groups captures any user application rules that will be needed for the nodes.
property gpu
gpu?: pulumi.Input<boolean>;
Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.
Defaults to false.
Note: gpu and amiId are mutually exclusive.
See for more details:
- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
- https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
property instanceProfile
instanceProfile?: aws.iam.InstanceProfile;
The instance profile to use for this node group. Note, the role for the instance profile must be supplied in the ClusterOptions as either: ‘instanceRole’, or as a role of ‘instanceRoles’.
property instanceType
instanceType?: pulumi.Input<aws.ec2.InstanceType>;
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
property keyName
keyName?: pulumi.Input<string>;
Name of the key pair to use for SSH access to worker nodes.
property kubeletExtraArgs
kubeletExtraArgs?: undefined | string;
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, ‘--port=10251 --address=0.0.0.0’. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
property labels
labels?: undefined | {[key: string]: string};
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
property maxSize
maxSize?: pulumi.Input<number>;
The maximum number of worker nodes running in the cluster. Defaults to 2.
property minSize
minSize?: pulumi.Input<number>;
The minimum number of worker nodes running in the cluster. Defaults to 1.
property nodeAssociatePublicIpAddress
nodeAssociatePublicIpAddress?: undefined | false | true;
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
property nodePublicKey
nodePublicKey?: pulumi.Input<string>;
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
property nodeRootVolumeSize
nodeRootVolumeSize?: pulumi.Input<number>;
The size in GiB of a cluster node’s root volume. Defaults to 20.
property nodeSecurityGroup
nodeSecurityGroup?: aws.ec2.SecurityGroup;
The security group for the worker node group to communicate with the cluster.
This security group requires specific inbound and outbound rules.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.
property nodeSubnetIds
nodeSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
The set of subnets to override and use for the worker node group.
Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster’s subnetIds is set, or publicSubnetIds and/or privateSubnetIds were set.
property nodeUserData
nodeUserData?: pulumi.Input<string>;
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
property nodeUserDataOverride
nodeUserDataOverride?: pulumi.Input<string>;
User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html
property spotPrice
spotPrice?: pulumi.Input<string>;
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
property taints
taints?: undefined | {[key: string]: Taint};
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
property version
version?: pulumi.Input<string>;
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
interface NodeGroupData
interface NodeGroupData
NodeGroupData describes the resources created for the given NodeGroup.
property autoScalingGroupName
autoScalingGroupName: pulumi.Output<string>;
The AutoScalingGroup name for the node group.
property cfnStack
cfnStack: Stack;
The CloudFormation Stack which defines the node group’s AutoScalingGroup.
property extraNodeSecurityGroups
extraNodeSecurityGroups?: SecurityGroup[];
The additional security groups for the node group that captures user-specific rules.
property nodeSecurityGroup
nodeSecurityGroup: SecurityGroup;
The security group for the node group to communicate with the cluster.
interface NodeGroupOptions
interface NodeGroupOptions extends NodeGroupBaseOptions
NodeGroupOptions describes the configuration options accepted by a NodeGroup component.
property amiId
amiId?: pulumi.Input<string>;
The AMI ID to use for the worker nodes.
Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.
Note: amiId and gpu are mutually exclusive.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
property autoScalingGroupTags
autoScalingGroupTags?: InputTags;
The tags to apply to the NodeGroup’s AutoScalingGroup in the CloudFormation Stack.
Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.
property bootstrapExtraArgs
bootstrapExtraArgs?: undefined | string;
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
property cloudFormationTags
cloudFormationTags?: InputTags;
The tags to apply to the CloudFormation Stack of the Worker NodeGroup.
Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.
property cluster
cluster: Cluster | CoreData;
The target EKS cluster.
property clusterIngressRule
clusterIngressRule?: aws.ec2.SecurityGroupRule;
The ingress rule that gives node group access.
property desiredCapacity
desiredCapacity?: pulumi.Input<number>;
The number of worker nodes that should be running in the cluster. Defaults to 2.
property encryptRootBlockDevice
encryptRootBlockDevice?: pulumi.Input<boolean>;
Encrypt the root block device of the nodes in the node group.
property encryptRootBockDevice
encryptRootBockDevice?: pulumi.Input<boolean>;
Encrypt the root block device of the nodes in the node group.
property extraNodeSecurityGroups
extraNodeSecurityGroups?: SecurityGroup[];
Extra security groups to attach on all nodes in this worker node group.
This additional set of security groups captures any user application rules that will be needed for the nodes.
property gpu
gpu?: pulumi.Input<boolean>;
Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.
Defaults to false.
Note: gpu and amiId are mutually exclusive.
See for more details:
- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
- https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
property instanceProfile
instanceProfile?: aws.iam.InstanceProfile;
The instance profile to use for this node group. Note, the role for the instance profile must be supplied in the ClusterOptions as either: ‘instanceRole’, or as a role of ‘instanceRoles’.
property instanceType
instanceType?: pulumi.Input<aws.ec2.InstanceType>;
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
property keyName
keyName?: pulumi.Input<string>;
Name of the key pair to use for SSH access to worker nodes.
property kubeletExtraArgs
kubeletExtraArgs?: undefined | string;
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, ‘--port=10251 --address=0.0.0.0’. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
property labels
labels?: undefined | {[key: string]: string};
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
property maxSize
maxSize?: pulumi.Input<number>;
The maximum number of worker nodes running in the cluster. Defaults to 2.
property minSize
minSize?: pulumi.Input<number>;
The minimum number of worker nodes running in the cluster. Defaults to 1.
property nodeAssociatePublicIpAddress
nodeAssociatePublicIpAddress?: undefined | false | true;
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
property nodePublicKey
nodePublicKey?: pulumi.Input<string>;
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
property nodeRootVolumeSize
nodeRootVolumeSize?: pulumi.Input<number>;
The size in GiB of a cluster node’s root volume. Defaults to 20.
property nodeSecurityGroup
nodeSecurityGroup?: aws.ec2.SecurityGroup;
The security group for the worker node group to communicate with the cluster.
This security group requires specific inbound and outbound rules.
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.
property nodeSubnetIds
nodeSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
The set of subnets to override and use for the worker node group.
Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster’s subnetIds is set, or publicSubnetIds and/or privateSubnetIds were set.
property nodeUserData
nodeUserData?: pulumi.Input<string>;
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
property nodeUserDataOverride
nodeUserDataOverride?: pulumi.Input<string>;
User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).
See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html
property spotPrice
spotPrice?: pulumi.Input<string>;
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
property taints
taints?: undefined | {[key: string]: Taint};
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
property version
version?: pulumi.Input<string>;
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
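The bootstrapExtraArgs, kubeletExtraArgs, labels, taints and nodeUserData options (described in both NodeGroupBaseOptions and NodeGroupOptions above) are all folded into one /etc/eks/bootstrap.sh invocation on the node. The following is an added example, not the project's bootstrap code: it assembles that invocation in the documented order, with the explicit kubeletExtraArgs first and --node-labels / --register-with-taints appended after them, and checks that nodeUserData begins with an interpreter directive. The Taint shape { value, effect } is assumed from the kubelet's key=value:effect syntax, and the cluster endpoint and CA are constructed placeholders.

```typescript
// Added example, not the project's bootstrap code: assembles the /etc/eks/bootstrap.sh
// invocation that the NodeGroup options describe. --apiserver-endpoint and
// --b64-cluster-ca come from the cluster; --kubelet-extra-args is the explicit
// kubeletExtraArgs followed by --node-labels (from labels) and --register-with-taints
// (from taints). The Taint shape { value, effect } is assumed from the kubelet's
// key=value:effect syntax; the cluster values are constructed placeholders.

type TaintEffect = "NoSchedule" | "NoExecute" | "PreferNoSchedule";
interface Taint {
  value: string;
  effect: TaintEffect;
}

interface NodeGroupSubset {
  bootstrapExtraArgs?: string;
  kubeletExtraArgs?: string;
  labels?: { [key: string]: string };
  taints?: { [key: string]: Taint };
  nodeUserData?: string;
}

// Explicit kubeletExtraArgs first, then labels and taints, in the documented order.
function buildKubeletExtraArgs(o: NodeGroupSubset): string {
  const parts: string[] = [];
  if (o.kubeletExtraArgs) {
    parts.push(o.kubeletExtraArgs);
  }
  const labels = o.labels;
  if (labels && Object.keys(labels).length > 0) {
    parts.push("--node-labels=" + Object.keys(labels).map(k => k + "=" + labels[k]).join(","));
  }
  const taints = o.taints;
  if (taints && Object.keys(taints).length > 0) {
    const rendered = Object.keys(taints).map(k => k + "=" + taints[k].value + ":" + taints[k].effect);
    parts.push("--register-with-taints=" + rendered.join(","));
  }
  return parts.join(" ");
}

// The automatically supplied flags, the composed kubelet args, then bootstrapExtraArgs,
// followed by the positional cluster name that bootstrap.sh expects.
function buildBootstrapCommand(clusterName: string, endpoint: string, caB64: string, o: NodeGroupSubset): string {
  const args = ["--apiserver-endpoint '" + endpoint + "'", "--b64-cluster-ca '" + caB64 + "'"];
  const kubelet = buildKubeletExtraArgs(o);
  if (kubelet !== "") {
    args.push("--kubelet-extra-args '" + kubelet + "'");
  }
  if (o.bootstrapExtraArgs) {
    args.push(o.bootstrapExtraArgs);
  }
  return "/etc/eks/bootstrap.sh " + args.join(" ") + " '" + clusterName + "'";
}

// nodeUserData runs after bootstrapping and must begin with an interpreter directive.
function hasInterpreterDirective(userData: string): boolean {
  return userData.indexOf("#!") === 0;
}

// Constructed node group: a GPU pool that is labelled, tainted so only GPU workloads
// schedule onto it, and carries a small post-bootstrap hook.
const gpuNodeGroup: NodeGroupSubset = {
  kubeletExtraArgs: "--port=10251 --address=0.0.0.0",
  labels: { "node.example/pool": "gpu" },
  taints: { "nvidia.com/gpu": { value: "true", effect: "NoSchedule" } },
  bootstrapExtraArgs: "--use-max-pods false",
  nodeUserData: "#!/bin/bash\necho 'post-bootstrap hook'\n",
};

console.log(buildBootstrapCommand("demo-eksCluster", "https://EXAMPLE.eks.amazonaws.com", "<base64-ca>", gpuNodeGroup));
console.log(hasInterpreterDirective(gpuNodeGroup.nodeUserData || "")); // true
```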
interface NodeGroupSecurityGroupOptions
interface NodeGroupSecurityGroupOptions
NodeGroupSecurityGroupOptions describes the configuration options accepted by a security group for use with a NodeGroup.
property clusterSecurityGroup
clusterSecurityGroup: SecurityGroup;
The security group associated with the EKS cluster.
property eksCluster
eksCluster: Cluster;
The EKS cluster associated with the worker node group.
property tags
tags?: InputTags;
property vpcId
vpcId: pulumi.Input<string>;
The VPC in which to create the worker node group.
interface RoleMapping
interface RoleMapping
RoleMapping describes a mapping from an AWS IAM role to a Kubernetes user and groups.
property groups
groups: pulumi.Input<pulumi.Input<string>[]>;
A list of groups within Kubernetes to which the role is mapped.
property roleArn
roleArn: pulumi.Input<aws.ARN>;
The ARN of the IAM role to add.
property username
username: pulumi.Input<string>;
The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.
interface ServiceRoleArgs
interface ServiceRoleArgs
ServiceRoleArgs describe the parameters to a ServiceRole component.
property description
description?: pulumi.Input<string>;
The description of the role.
property managedPolicyArns
managedPolicyArns?: string[];
One or more managed policy ARNs to attach to this role.
property service
service: pulumi.Input<string>;
The service associated with this role.
interface StorageClass
interface StorageClass
StorageClass describes the inputs to a single Kubernetes StorageClass provisioned by AWS. Any number of storage classes can be added to a cluster at creation time. One of these storage classes may be configured the default storage class for the cluster.
property allowVolumeExpansion
allowVolumeExpansion?: pulumi.Input<boolean>;
AllowVolumeExpansion shows whether the storage class allows volume expansion.
property default
default?: pulumi.Input<boolean>;
True if this storage class should be a default storage class for the cluster.
Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass
property encrypted
encrypted?: pulumi.Input<boolean>;
Denotes whether the EBS volume should be encrypted.
property iopsPerGb
iopsPerGb?: pulumi.Input<number>;
I/O operations per second per GiB for “io1” volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.
property kmsKeyId
kmsKeyId?: pulumi.Input<string>;
The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.
property metadata
metadata?: pulumi.Input<ObjectMeta>;
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
property mountOptions
mountOptions?: pulumi.Input<string[]>;
Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [“ro”, “soft”]. The options are not validated: mounting the PVs will simply fail if one is invalid.
property reclaimPolicy
reclaimPolicy?: pulumi.Input<string>;
Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.
property type
type: pulumi.Input<EBSVolumeType>;
The EBS volume type.
property volumeBindingMode
volumeBindingMode?: pulumi.Input<string>;
VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.
property zones
zones?: pulumi.Input<pulumi.Input<string>[]>;
The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robined across all active zones where the Kubernetes cluster has a node. The zone and zones parameters must not be used at the same time.
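The constraints stated above (at most one default class, iopsPerGb only meaningful for io1) are easy to violate when several classes are declared. The following is an added example, not @pulumi/eks's own code: it checks a list of plain StorageClass inputs (the pulumi.Input wrappers are dropped so it runs offline) and renders each as the Kubernetes StorageClass object read by the in-tree kubernetes.io/aws-ebs provisioner, whose parameter names (type, encrypted, kmsKeyId, iopsPerGb, zones) match the properties documented here.

```typescript
// Plain-value equivalent of the StorageClass interface above (pulumi.Input
// wrappers dropped so this runs outside a Pulumi program). Constructed example.
interface PlainStorageClass {
  name: string; type: "gp2" | "io1" | "sc1" | "st1";
  default?: boolean; encrypted?: boolean; kmsKeyId?: string;
  iopsPerGb?: number; zones?: string[];
  reclaimPolicy?: string; allowVolumeExpansion?: boolean;
}

// Findings derived from the property descriptions: at most one class may be the
// default; iopsPerGb only applies to io1; a kmsKeyId on a class that is not
// encrypted almost certainly means encryption was forgotten.
function checkStorageClasses(classes: PlainStorageClass[]): string[] {
  const findings: string[] = [];
  const defaults = classes.filter(c => c.default).map(c => c.name);
  if (defaults.length > 1) findings.push(`more than one default class: ${defaults.join(", ")}`);
  for (const c of classes) {
    if (c.iopsPerGb !== undefined && c.type !== "io1") findings.push(`${c.name}: iopsPerGb only applies to io1`);
    if (c.kmsKeyId && !c.encrypted) findings.push(`${c.name}: kmsKeyId set but encrypted is not true`);
  }
  return findings;
}

// Render one class as the Kubernetes StorageClass object read by the in-tree
// kubernetes.io/aws-ebs provisioner (parameter names are the provisioner's).
function renderStorageClass(c: PlainStorageClass) {
  const parameters: Record<string, string> = { type: c.type };
  if (c.encrypted !== undefined) parameters.encrypted = String(c.encrypted);
  if (c.kmsKeyId) parameters.kmsKeyId = c.kmsKeyId;
  if (c.iopsPerGb !== undefined) parameters.iopsPerGb = String(c.iopsPerGb);
  if (c.zones) parameters.zones = c.zones.join(",");
  const annotations: Record<string, string> = {};
  if (c.default) annotations["storageclass.kubernetes.io/is-default-class"] = "true"; // marks the cluster default
  return {
    apiVersion: "storage.k8s.io/v1",
    kind: "StorageClass",
    metadata: { name: c.name, annotations },
    provisioner: "kubernetes.io/aws-ebs",
    parameters,
    reclaimPolicy: c.reclaimPolicy ?? "Delete", // documented default
    allowVolumeExpansion: c.allowVolumeExpansion ?? false,
  };
}

// Constructed sample input; the account id and key id are placeholders.
const sampleClasses: PlainStorageClass[] = [
  { name: "gp2-encrypted", type: "gp2", default: true, encrypted: true,
    kmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/PLACEHOLDER-KEY-ID" },
  { name: "io1-fast", type: "io1", encrypted: true, iopsPerGb: 50, zones: ["us-west-2a", "us-west-2b"] },
];
```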
interface Taint
Taint represents a Kubernetes taint to apply to all Nodes in a NodeGroup. See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/.
property effect
effect: "NoSchedule" | "NoExecute" | "PreferNoSchedule";
The effect of the taint.
property value
value: string;
The value of the taint.
interface UserMapping
UserMapping describes a mapping from an AWS IAM user to a Kubernetes user and groups.
property groups
groups: pulumi.Input<pulumi.Input<string>[]>;
A list of groups within Kubernetes to which the user is mapped.
property userArn
userArn: pulumi.Input<aws.ARN>;
The ARN of the IAM user to add.
property username
username: pulumi.Input<string>;
The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.
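RoleMapping and UserMapping are the inputs that end up in the cluster's aws-auth ConfigMap, which is where IAM identities acquire Kubernetes RBAC groups. The following is an added example, not @pulumi/eks's own code: it takes plain versions of both mappings (pulumi.Input wrappers dropped so it runs offline), applies the documented default of username = ARN, rejects ARNs of the wrong principal type, and lists every principal that lands in system:masters so those grants can be reviewed.

```typescript
// Plain-object equivalents of RoleMapping and UserMapping above (pulumi.Input
// wrappers dropped so this runs outside a Pulumi program). Constructed example.
interface PlainRoleMapping { roleArn: string; username?: string; groups: string[] }
interface PlainUserMapping { userArn: string; username?: string; groups: string[] }

// Entry shapes of the aws-auth ConfigMap's mapRoles and mapUsers lists.
interface AwsAuthRole { rolearn: string; username: string; groups: string[] }
interface AwsAuthUser { userarn: string; username: string; groups: string[] }

// Build the aws-auth data. username defaults to the ARN, as documented above,
// and an ARN of the wrong principal type is rejected rather than silently mapped.
function buildAwsAuth(roles: PlainRoleMapping[], users: PlainUserMapping[]) {
  const roleArn = /^arn:aws[\w-]*:iam::\d{12}:role\/.+$/;
  const userArn = /^arn:aws[\w-]*:iam::\d{12}:user\/.+$/;
  const mapRoles: AwsAuthRole[] = roles.map(r => {
    if (!roleArn.test(r.roleArn)) throw new Error(`not an IAM role ARN: ${r.roleArn}`);
    return { rolearn: r.roleArn, username: r.username || r.roleArn, groups: [...r.groups] };
  });
  const mapUsers: AwsAuthUser[] = users.map(u => {
    if (!userArn.test(u.userArn)) throw new Error(`not an IAM user ARN: ${u.userArn}`);
    return { userarn: u.userArn, username: u.username || u.userArn, groups: [...u.groups] };
  });
  return { mapRoles, mapUsers };
}

// List every principal mapped into system:masters (unrestricted cluster-admin),
// so each grant can be confirmed as intentional during review.
function clusterAdmins(auth: ReturnType<typeof buildAwsAuth>): string[] {
  const isAdmin = (groups: string[]) => groups.includes("system:masters");
  return [
    ...auth.mapRoles.filter(r => isAdmin(r.groups)).map(r => r.rolearn),
    ...auth.mapUsers.filter(u => isAdmin(u.groups)).map(u => u.userarn),
  ];
}

// Constructed sample input; the account id is a placeholder.
const sampleAuth = buildAwsAuth(
  [
    { roleArn: "arn:aws:iam::123456789012:role/eks-admins", username: "admin", groups: ["system:masters"] },
    { roleArn: "arn:aws:iam::123456789012:role/eks-developers", groups: ["developers"] }, // username = ARN
  ],
  [{ userArn: "arn:aws:iam::123456789012:user/ci-deployer", username: "ci", groups: ["deployers"] }],
);
```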
interface VpcCniOptions
VpcCniOptions describes the configuration options available for the Amazon VPC CNI plugin for Kubernetes.
property customNetworkConfig
customNetworkConfig?: pulumi.Input<boolean>;
Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster’s resourcesVpcConfig.
Defaults to false.
property eniConfigLabelDef
eniConfigLabelDef?: pulumi.Input<string>;
property eniMtu
eniMtu?: pulumi.Input<number>;
Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.
Defaults to 9001.
property externalSnat
externalSnat?: pulumi.Input<boolean>;
Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.
Defaults to false.
property image
image?: pulumi.Input<string>;
Specifies the container image to use in the AWS CNI cluster DaemonSet.
Defaults to the official AWS CNI image in ECR.
property logFile
logFile?: pulumi.Input<string>;
Specifies the file path used for logs.
Defaults to “stdout” to emit Pod logs for kubectl logs.
property logLevel
logLevel?: pulumi.Input<string>;
Specifies the log level used for logs.
Defaults to “DEBUG”. See more options: https://git.io/fj92K
property nodePortSupport
nodePortSupport?: pulumi.Input<boolean>;
Specifies whether NodePort services are enabled on a worker node’s primary network interface. This requires additional iptables rules and that the kernel’s reverse path filter on the primary interface is set to loose.
Defaults to true.
property vethPrefix
vethPrefix?: pulumi.Input<string>;
Specifies the veth prefix used to generate the host-side veth device name for the CNI.
The prefix can be at most 4 characters long.
Defaults to “eni”.
property warmEniTarget
warmEniTarget?: pulumi.Input<number>;
Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.
Defaults to 1.
property warmIpTarget
warmIpTarget?: pulumi.Input<number>;
Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.
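The VpcCniOptions above carry both defaults and hard limits (MTU 576 to 9001, veth prefix at most 4 characters). The following is an added example, not @pulumi/eks's own code: it applies those defaults, rejects out-of-range values, and produces the environment the aws-node DaemonSet is configured with; the environment variable names are the Amazon VPC CNI plugin's own and are assumed here, since this page does not list them.

```typescript
// Plain-value equivalent of VpcCniOptions above (pulumi.Input wrappers dropped
// so this runs outside a Pulumi program). Constructed example.
interface PlainVpcCniOptions {
  customNetworkConfig?: boolean; eniConfigLabelDef?: string; eniMtu?: number;
  externalSnat?: boolean; logFile?: string; logLevel?: string; nodePortSupport?: boolean;
  vethPrefix?: string; warmEniTarget?: number; warmIpTarget?: number;
}

// Apply the documented defaults, enforce the documented limits (MTU 576..9001,
// veth prefix at most 4 characters), and return the environment the aws-node
// DaemonSet is configured with. The variable names are the VPC CNI plugin's own
// (assumed here; this page does not list them).
function cniEnv(o: PlainVpcCniOptions): Record<string, string> {
  const mtu = o.eniMtu ?? 9001;
  if (!Number.isInteger(mtu) || mtu < 576 || mtu > 9001) throw new Error(`eniMtu out of range (576-9001): ${mtu}`);
  const prefix = o.vethPrefix ?? "eni";
  if (prefix.length < 1 || prefix.length > 4) throw new Error(`vethPrefix must be 1-4 characters: "${prefix}"`);
  const nonNeg = (name: string, v?: number) => {
    if (v !== undefined && (!Number.isInteger(v) || v < 0)) throw new Error(`${name} must be a non-negative integer: ${v}`);
  };
  nonNeg("warmEniTarget", o.warmEniTarget); nonNeg("warmIpTarget", o.warmIpTarget);
  const env: Record<string, string> = {
    AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG: String(o.customNetworkConfig ?? false),
    AWS_VPC_ENI_MTU: String(mtu),
    AWS_VPC_K8S_CNI_EXTERNALSNAT: String(o.externalSnat ?? false),
    AWS_VPC_K8S_CNI_LOG_FILE: o.logFile ?? "stdout",
    AWS_VPC_K8S_CNI_LOGLEVEL: o.logLevel ?? "DEBUG",
    AWS_VPC_CNI_NODE_PORT_SUPPORT: String(o.nodePortSupport ?? true),
    AWS_VPC_K8S_CNI_VETHPREFIX: prefix,
    WARM_ENI_TARGET: String(o.warmEniTarget ?? 1),
  };
  // Only set when given: the page documents no default for either.
  if (o.warmIpTarget !== undefined) env.WARM_IP_TARGET = String(o.warmIpTarget);
  if (o.eniConfigLabelDef !== undefined) env.ENI_CONFIG_LABEL_DEF = o.eniConfigLabelDef;
  return env;
}

// Constructed sample: custom pod networking with SNAT handled by an external NAT gateway.
const sampleEnv = cniEnv({ customNetworkConfig: true, externalSnat: true, eniMtu: 1500, warmIpTarget: 5, logLevel: "INFO" });
```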