Amazon EKS v3.9.1, May 5 25

Amazon EKS v3.9.1 published on Monday, May 5, 2025 by Pulumi

eks.Cluster

Explore with Pulumi AI

Amazon EKS v3.9.1 published on Monday, May 5, 2025 by Pulumi

pulumi/pulumi-eks

Example Usage

Provisioning a New EKS Cluster

import * as pulumi from "@pulumi/pulumi";
import * as eks from "@pulumi/eks";

// Create an EKS cluster with the default configuration.
const cluster = new eks.Cluster("cluster", {});

// Export the cluster's kubeconfig.
export const kubeconfig = cluster.kubeconfig;

 import pulumi
 import pulumi_eks as eks
 
 # Create an EKS cluster with the default configuration.
 cluster = eks.Cluster("cluster")

 # Export the cluster's kubeconfig.
 pulumi.export("kubeconfig", cluster.kubeconfig)

 package main
 
 import (
 	"github.com/pulumi/pulumi-eks/sdk/go/eks"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )

func main() {
 	pulumi.Run(func(ctx *pulumi.Context) error {
 		// Create an EKS cluster with the default configuration.
		cluster, err := eks.NewCluster(ctx, "cluster", nil)
 		if err != nil {
 			return err
 		}
 		// Export the cluster's kubeconfig.
 		ctx.Export("kubeconfig", cluster.Kubeconfig)
		return nil
 	})
 }

 using System.Collections.Generic;
 using Pulumi;
 using Eks = Pulumi.Eks;
 
 return await Deployment.RunAsync(() =>
 {
 	// Create an EKS cluster with the default configuration.
	var cluster = new Eks.Cluster("cluster");
 
 	return new Dictionary<string, object?>
 	{
 		// Export the cluster's kubeconfig.
 		["kubeconfig"] = cluster.Kubeconfig,
 	};
 });

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.eks.Cluster;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
	public static void main(String[] args) {
		Pulumi.run(App::stack);
	}

	 public static void stack(Context ctx) {
 		// Create an EKS cluster with the default configuration.
 		var cluster = new Cluster("cluster");
 
 		// Export the cluster's kubeconfig.
		ctx.export("kubeconfig", cluster.kubeconfig());
	}
 }

resources:
# Create an EKS cluster with the default configuration.
cluster:
type: eks:Cluster
outputs:
# Export the cluster's kubeconfig.
kubeconfig: ${cluster.kubeconfig}

Create Cluster Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Cluster(name: string, args?: ClusterArgs, opts?: ComponentResourceOptions);

@overload
def Cluster(resource_name: str,
            args: Optional[ClusterArgs] = None,
            opts: Optional[ResourceOptions] = None)

@overload
def Cluster(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            access_entries: Optional[Mapping[str, AccessEntryArgs]] = None,
            authentication_mode: Optional[AuthenticationMode] = None,
            auto_mode: Optional[AutoModeOptionsArgs] = None,
            cluster_security_group: Optional[pulumi_aws.ec2.SecurityGroup] = None,
            cluster_security_group_tags: Optional[Mapping[str, str]] = None,
            cluster_tags: Optional[Mapping[str, str]] = None,
            coredns_addon_options: Optional[CoreDnsAddonOptionsArgs] = None,
            create_instance_role: Optional[bool] = None,
            create_oidc_provider: Optional[bool] = None,
            creation_role_provider: Optional[CreationRoleProviderArgs] = None,
            default_addons_to_remove: Optional[Sequence[str]] = None,
            desired_capacity: Optional[int] = None,
            enable_config_map_mutable: Optional[bool] = None,
            enabled_cluster_log_types: Optional[Sequence[str]] = None,
            encryption_config_key_arn: Optional[str] = None,
            endpoint_private_access: Optional[bool] = None,
            endpoint_public_access: Optional[bool] = None,
            fargate: Optional[Union[bool, FargateProfileArgs]] = None,
            gpu: Optional[bool] = None,
            instance_profile_name: Optional[str] = None,
            instance_role: Optional[pulumi_aws.iam.Role] = None,
            instance_roles: Optional[Sequence[pulumi_aws.iam.Role]] = None,
            instance_type: Optional[str] = None,
            ip_family: Optional[str] = None,
            kube_proxy_addon_options: Optional[KubeProxyAddonOptionsArgs] = None,
            kubernetes_service_ip_address_range: Optional[str] = None,
            max_size: Optional[int] = None,
            min_size: Optional[int] = None,
            name: Optional[str] = None,
            node_ami_id: Optional[str] = None,
            node_associate_public_ip_address: Optional[bool] = None,
            node_group_options: Optional[ClusterNodeGroupOptionsArgs] = None,
            node_public_key: Optional[str] = None,
            node_root_volume_encrypted: Optional[bool] = None,
            node_root_volume_size: Optional[int] = None,
            node_security_group_tags: Optional[Mapping[str, str]] = None,
            node_subnet_ids: Optional[Sequence[str]] = None,
            node_user_data: Optional[str] = None,
            private_subnet_ids: Optional[Sequence[str]] = None,
            provider_credential_opts: Optional[KubeconfigOptionsArgs] = None,
            proxy: Optional[str] = None,
            public_access_cidrs: Optional[Sequence[str]] = None,
            public_subnet_ids: Optional[Sequence[str]] = None,
            role_mappings: Optional[Sequence[RoleMappingArgs]] = None,
            service_role: Optional[pulumi_aws.iam.Role] = None,
            skip_default_node_group: Optional[bool] = None,
            skip_default_security_groups: Optional[bool] = None,
            storage_classes: Optional[Union[str, Mapping[str, StorageClassArgs]]] = None,
            subnet_ids: Optional[Sequence[str]] = None,
            tags: Optional[Mapping[str, str]] = None,
            use_default_vpc_cni: Optional[bool] = None,
            user_mappings: Optional[Sequence[UserMappingArgs]] = None,
            version: Optional[str] = None,
            vpc_cni_options: Optional[VpcCniOptionsArgs] = None,
            vpc_id: Optional[str] = None)

func NewCluster(ctx *Context, name string, args *ClusterArgs, opts ...ResourceOption) (*Cluster, error)

public Cluster(string name, ClusterArgs? args = null, ComponentResourceOptions? opts = null)

public Cluster(String name, ClusterArgs args)
public Cluster(String name, ClusterArgs args, ComponentResourceOptions options)

type: eks:Cluster
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ClusterArgs: The arguments to resource properties.
opts ComponentResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ClusterArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ClusterArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ClusterArgs: The arguments to resource properties.
opts ComponentResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ClusterArgs: The arguments to resource properties.
options ComponentResourceOptions: Bag of options to control resource's behavior.

Cluster Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Cluster resource accepts the following input properties:

AccessEntries Dictionary<string, AccessEntryArgs>

Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. Access entries are only supported with authentication mode API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

AuthenticationMode Pulumi.Eks.AuthenticationMode

The authentication mode of the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam

AutoMode AutoModeOptions

Configuration Options for EKS Auto Mode. If EKS Auto Mode is enabled, AWS will manage cluster infrastructure on your behalf.

For more information, see: https://docs.aws.amazon.com/eks/latest/userguide/automode.html

ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

Note: The security group resource should not contain any inline ingress or egress rules. This type is defined in the AWS Classic package.

ClusterSecurityGroupTags Dictionary<string, string>

The tags to apply to the cluster security group.

ClusterTags Dictionary<string, string>

The tags to apply to the EKS cluster.

CorednsAddonOptions CoreDnsAddonOptions

Options for managing the coredns addon.

CreateInstanceRole bool

Whether to create the instance role for the EKS cluster. Defaults to true when using the default node group, false otherwise. If set to false when using the default node group, an instance role or instance profile must be provided.n Note: this option has no effect if a custom instance role is provided with instanceRole or instanceRoles.

CreateOidcProvider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts

CreationRoleProvider CreationRoleProvider

The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

Note: This option is only supported with Pulumi nodejs programs. Please use ProviderCredentialOpts as an alternative instead.

DefaultAddonsToRemove List<string>

List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EnableConfigMapMutable bool

Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.

Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true. https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs

EnabledClusterLogTypes List<string>

Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

EncryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/

EndpointPrivateAccess bool

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

EndpointPublicAccess bool

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

Fargate bool | FargateProfile

Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

InstanceProfileName string

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

InstanceRole Pulumi.Aws.Iam.Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive. This type is defined in the AWS Classic package.

InstanceRoles List<Pulumi.Aws.Iam.Role>

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

IpFamily string

The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created.

KubeProxyAddonOptions KubeProxyAddonOptions

Options for managing the kube-proxy addon.

KubernetesServiceIpAddressRange string

The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. This setting only applies to IPv4 clusters. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.

MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

Name string

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

NodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

NodeAssociatePublicIpAddress bool

Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

NodeGroupOptions ClusterNodeGroupOptions

The common configuration settings for NodeGroups.

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

NodeRootVolumeEncrypted bool

Encrypt the root block device of the nodes in the node group.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeSecurityGroupTags Dictionary<string, string>

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

NodeSubnetIds List<string>

The subnets to use for worker nodes. Defaults to the value of subnetIds.

NodeUserData string

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

PrivateSubnetIds List<string>

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

ProviderCredentialOpts KubeconfigOptions

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

Creating and using a new AWS provider instance, or
Setting the AWS_PROFILE environment variable, or
Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

https://www.pulumi.com/registry/packages/aws/api-docs/provider/
https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

Proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

"http://proxy.example.com:3128"
"https://proxy.example.com"
"http://username:password@proxy.example.com:3128"

PublicAccessCidrs List<string>

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

PublicSubnetIds List<string>

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

RoleMappings List<RoleMapping>

Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP

ServiceRole Pulumi.Aws.Iam.Role

IAM Service Role for EKS to use to manage the cluster. This type is defined in the AWS Classic package.

SkipDefaultNodeGroup bool

If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate or autoMode is enabled.

SkipDefaultSecurityGroups bool

If this toggle is set to true, the EKS cluster will be created without the default node and cluster security groups. Defaults to false, unless autoMode is enabled.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

StorageClasses string | Dictionary<string, StorageClassArgs>

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

SubnetIds List<string>

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Tags Dictionary<string, string>

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

UseDefaultVpcCni bool

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions. Defaults to true, unless autoMode is enabled.

UserMappings List<UserMapping>

Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP.

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

VpcCniOptions VpcCniOptions

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

VpcId string

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

AccessEntries map[string]AccessEntryArgs

Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. Access entries are only supported with authentication mode API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

AuthenticationMode AuthenticationMode

The authentication mode of the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam

AutoMode AutoModeOptionsArgs

Configuration Options for EKS Auto Mode. If EKS Auto Mode is enabled, AWS will manage cluster infrastructure on your behalf.

For more information, see: https://docs.aws.amazon.com/eks/latest/userguide/automode.html

ClusterSecurityGroup SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

Note: The security group resource should not contain any inline ingress or egress rules. This type is defined in the AWS Classic package.

ClusterSecurityGroupTags map[string]string

The tags to apply to the cluster security group.

ClusterTags map[string]string

The tags to apply to the EKS cluster.

CorednsAddonOptions CoreDnsAddonOptionsArgs

Options for managing the coredns addon.

CreateInstanceRole bool

CreateOidcProvider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts

CreationRoleProvider CreationRoleProviderArgs

Note: This option is only supported with Pulumi nodejs programs. Please use ProviderCredentialOpts as an alternative instead.

DefaultAddonsToRemove []string

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EnableConfigMapMutable bool

Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.

Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true. https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs

EnabledClusterLogTypes []string

Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

EncryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/

EndpointPrivateAccess bool

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

EndpointPublicAccess bool

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

Fargate bool | FargateProfileArgs

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

InstanceProfileName string

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

InstanceRole Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive. This type is defined in the AWS Classic package.

InstanceRoles Role

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

IpFamily string

KubeProxyAddonOptions KubeProxyAddonOptionsArgs

Options for managing the kube-proxy addon.

KubernetesServiceIpAddressRange string

The block must meet the following requirements:

Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.

MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

Name string

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

NodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

NodeAssociatePublicIpAddress bool

NodeGroupOptions ClusterNodeGroupOptionsArgs

The common configuration settings for NodeGroups.

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

NodeRootVolumeEncrypted bool

Encrypt the root block device of the nodes in the node group.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeSecurityGroupTags map[string]string

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

NodeSubnetIds []string

The subnets to use for worker nodes. Defaults to the value of subnetIds.

NodeUserData string

PrivateSubnetIds []string

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

ProviderCredentialOpts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

Creating and using a new AWS provider instance, or
Setting the AWS_PROFILE environment variable, or
Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

https://www.pulumi.com/registry/packages/aws/api-docs/provider/
https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

Proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

"http://proxy.example.com:3128"
"https://proxy.example.com"
"http://username:password@proxy.example.com:3128"

PublicAccessCidrs []string

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

PublicSubnetIds []string

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

RoleMappings []RoleMappingArgs

Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP

ServiceRole Role

IAM Service Role for EKS to use to manage the cluster. This type is defined in the AWS Classic package.

SkipDefaultNodeGroup bool

If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate or autoMode is enabled.

SkipDefaultSecurityGroups bool

If this toggle is set to true, the EKS cluster will be created without the default node and cluster security groups. Defaults to false, unless autoMode is enabled.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

StorageClasses string | map[string]StorageClassArgs

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

SubnetIds []string

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Tags map[string]string

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

UseDefaultVpcCni bool

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions. Defaults to true, unless autoMode is enabled.

UserMappings []UserMappingArgs

Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP.

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

VpcCniOptions VpcCniOptionsArgs

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

VpcId string

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

accessEntries Map<String,AccessEntryArgs>

Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. Access entries are only supported with authentication mode API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

authenticationMode AuthenticationMode

The authentication mode of the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam

autoMode AutoModeOptions

Configuration Options for EKS Auto Mode. If EKS Auto Mode is enabled, AWS will manage cluster infrastructure on your behalf.

For more information, see: https://docs.aws.amazon.com/eks/latest/userguide/automode.html

clusterSecurityGroup SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

Note: The security group resource should not contain any inline ingress or egress rules. This type is defined in the AWS Classic package.

clusterSecurityGroupTags Map<String,String>

The tags to apply to the cluster security group.

clusterTags Map<String,String>

The tags to apply to the EKS cluster.

corednsAddonOptions CoreDnsAddonOptions

Options for managing the coredns addon.

createInstanceRole Boolean

createOidcProvider Boolean

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts

creationRoleProvider CreationRoleProvider

Note: This option is only supported with Pulumi nodejs programs. Please use ProviderCredentialOpts as an alternative instead.

defaultAddonsToRemove List<String>

desiredCapacity Integer

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableConfigMapMutable Boolean

Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.

Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true. https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs

enabledClusterLogTypes List<String>

Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

encryptionConfigKeyArn String

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/

endpointPrivateAccess Boolean

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

endpointPublicAccess Boolean

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

fargate Boolean | FargateProfile

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

instanceProfileName String

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

instanceRole Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive. This type is defined in the AWS Classic package.

instanceRoles List<Role>

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

ipFamily String

kubeProxyAddonOptions KubeProxyAddonOptions

Options for managing the kube-proxy addon.

kubernetesServiceIpAddressRange String

The block must meet the following requirements:

Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.

maxSize Integer

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize Integer

The minimum number of worker nodes running in the cluster. Defaults to 1.

name String

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

nodeAmiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

nodeAssociatePublicIpAddress Boolean

nodeGroupOptions ClusterNodeGroupOptions

The common configuration settings for NodeGroups.

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeEncrypted Boolean

Encrypt the root block device of the nodes in the node group.

nodeRootVolumeSize Integer

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeSecurityGroupTags Map<String,String>

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

nodeSubnetIds List<String>

The subnets to use for worker nodes. Defaults to the value of subnetIds.

nodeUserData String

privateSubnetIds List<String>

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

providerCredentialOpts KubeconfigOptions

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

Creating and using a new AWS provider instance, or
Setting the AWS_PROFILE environment variable, or
Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

https://www.pulumi.com/registry/packages/aws/api-docs/provider/
https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

proxy String

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

"http://proxy.example.com:3128"
"https://proxy.example.com"
"http://username:password@proxy.example.com:3128"

publicAccessCidrs List<String>

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

publicSubnetIds List<String>

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

roleMappings List<RoleMapping>

Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP

serviceRole Role

IAM Service Role for EKS to use to manage the cluster. This type is defined in the AWS Classic package.

skipDefaultNodeGroup Boolean

If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate or autoMode is enabled.

skipDefaultSecurityGroups Boolean

If this toggle is set to true, the EKS cluster will be created without the default node and cluster security groups. Defaults to false, unless autoMode is enabled.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

storageClasses String | Map<String,StorageClassArgs>

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

subnetIds List<String>

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags Map<String,String>

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

useDefaultVpcCni Boolean

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions. Defaults to true, unless autoMode is enabled.

userMappings List<UserMapping>

Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP.

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

vpcCniOptions VpcCniOptions

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

vpcId String

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

accessEntries {[key: string]: AccessEntryArgs}

Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. Access entries are only supported with authentication mode API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

authenticationMode AuthenticationMode

The authentication mode of the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam

autoMode AutoModeOptions

Configuration Options for EKS Auto Mode. If EKS Auto Mode is enabled, AWS will manage cluster infrastructure on your behalf.

For more information, see: https://docs.aws.amazon.com/eks/latest/userguide/automode.html

clusterSecurityGroup pulumiAwsec2SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

Note: The security group resource should not contain any inline ingress or egress rules. This type is defined in the AWS Classic package.

clusterSecurityGroupTags {[key: string]: string}

The tags to apply to the cluster security group.

clusterTags {[key: string]: string}

The tags to apply to the EKS cluster.

corednsAddonOptions CoreDnsAddonOptions

Options for managing the coredns addon.

createInstanceRole boolean

createOidcProvider boolean

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts

creationRoleProvider CreationRoleProvider

Note: This option is only supported with Pulumi nodejs programs. Please use ProviderCredentialOpts as an alternative instead.

defaultAddonsToRemove string[]

desiredCapacity number

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableConfigMapMutable boolean

Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.

Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true. https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs

enabledClusterLogTypes string[]

Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

encryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/

endpointPrivateAccess boolean

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

endpointPublicAccess boolean

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

fargate boolean | FargateProfile

gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

instanceProfileName string

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

instanceRole pulumiAwsiamRole

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive. This type is defined in the AWS Classic package.

instanceRoles pulumiAwsiamRole[]

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

ipFamily string

kubeProxyAddonOptions KubeProxyAddonOptions

Options for managing the kube-proxy addon.

kubernetesServiceIpAddressRange string

The block must meet the following requirements:

Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.

maxSize number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize number

The minimum number of worker nodes running in the cluster. Defaults to 1.

name string

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

nodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

nodeAssociatePublicIpAddress boolean

nodeGroupOptions ClusterNodeGroupOptions

The common configuration settings for NodeGroups.

nodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeEncrypted boolean

Encrypt the root block device of the nodes in the node group.

nodeRootVolumeSize number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeSecurityGroupTags {[key: string]: string}

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

nodeSubnetIds string[]

The subnets to use for worker nodes. Defaults to the value of subnetIds.

nodeUserData string

privateSubnetIds string[]

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

providerCredentialOpts KubeconfigOptions

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

Creating and using a new AWS provider instance, or
Setting the AWS_PROFILE environment variable, or
Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

https://www.pulumi.com/registry/packages/aws/api-docs/provider/
https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

"http://proxy.example.com:3128"
"https://proxy.example.com"
"http://username:password@proxy.example.com:3128"

publicAccessCidrs string[]

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

publicSubnetIds string[]

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

roleMappings RoleMapping[]

Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP

serviceRole pulumiAwsiamRole

IAM Service Role for EKS to use to manage the cluster. This type is defined in the AWS Classic package.

skipDefaultNodeGroup boolean

If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate or autoMode is enabled.

skipDefaultSecurityGroups boolean

If this toggle is set to true, the EKS cluster will be created without the default node and cluster security groups. Defaults to false, unless autoMode is enabled.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

storageClasses string | {[key: string]: StorageClassArgs}

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

subnetIds string[]

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags {[key: string]: string}

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

useDefaultVpcCni boolean

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions. Defaults to true, unless autoMode is enabled.

userMappings UserMapping[]

Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP.

version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

vpcCniOptions VpcCniOptions

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

vpcId string

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

access_entries Mapping[str, AccessEntryArgs]

Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. Access entries are only supported with authentication mode API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

authentication_mode AuthenticationMode

The authentication mode of the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam

auto_mode AutoModeOptionsArgs

Configuration Options for EKS Auto Mode. If EKS Auto Mode is enabled, AWS will manage cluster infrastructure on your behalf.

For more information, see: https://docs.aws.amazon.com/eks/latest/userguide/automode.html

cluster_security_group pulumi_aws.ec2.SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

Note: The security group resource should not contain any inline ingress or egress rules. This type is defined in the AWS Classic package.

cluster_security_group_tags Mapping[str, str]

The tags to apply to the cluster security group.

cluster_tags Mapping[str, str]

The tags to apply to the EKS cluster.

coredns_addon_options CoreDnsAddonOptionsArgs

Options for managing the coredns addon.

create_instance_role bool

create_oidc_provider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts

creation_role_provider CreationRoleProviderArgs

Note: This option is only supported with Pulumi nodejs programs. Please use ProviderCredentialOpts as an alternative instead.

default_addons_to_remove Sequence[str]

desired_capacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

enable_config_map_mutable bool

Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.

Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true. https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs

enabled_cluster_log_types Sequence[str]

Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

encryption_config_key_arn str

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/

endpoint_private_access bool

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

endpoint_public_access bool

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

fargate bool | FargateProfileArgs

gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

instance_profile_name str

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

instance_role pulumi_aws.iam.Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive. This type is defined in the AWS Classic package.

instance_roles Sequence[pulumi_aws.iam.Role]

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instance_type str

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

ip_family str

kube_proxy_addon_options KubeProxyAddonOptionsArgs

Options for managing the kube-proxy addon.

kubernetes_service_ip_address_range str

The block must meet the following requirements:

Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.

max_size int

The maximum number of worker nodes running in the cluster. Defaults to 2.

min_size int

The minimum number of worker nodes running in the cluster. Defaults to 1.

name str

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

node_ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

node_associate_public_ip_address bool

node_group_options ClusterNodeGroupOptionsArgs

The common configuration settings for NodeGroups.

node_public_key str

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

node_root_volume_encrypted bool

Encrypt the root block device of the nodes in the node group.

node_root_volume_size int

The size in GiB of a cluster node's root volume. Defaults to 20.

node_security_group_tags Mapping[str, str]

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

node_subnet_ids Sequence[str]

The subnets to use for worker nodes. Defaults to the value of subnetIds.

node_user_data str

private_subnet_ids Sequence[str]

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

provider_credential_opts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

Creating and using a new AWS provider instance, or
Setting the AWS_PROFILE environment variable, or
Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

https://www.pulumi.com/registry/packages/aws/api-docs/provider/
https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

proxy str

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

"http://proxy.example.com:3128"
"https://proxy.example.com"
"http://username:password@proxy.example.com:3128"

public_access_cidrs Sequence[str]

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

public_subnet_ids Sequence[str]

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

role_mappings Sequence[RoleMappingArgs]

Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP

service_role pulumi_aws.iam.Role

IAM Service Role for EKS to use to manage the cluster. This type is defined in the AWS Classic package.

skip_default_node_group bool

If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate or autoMode is enabled.

skip_default_security_groups bool

If this toggle is set to true, the EKS cluster will be created without the default node and cluster security groups. Defaults to false, unless autoMode is enabled.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

storage_classes str | Mapping[str, StorageClassArgs]

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

subnet_ids Sequence[str]

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags Mapping[str, str]

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

use_default_vpc_cni bool

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions. Defaults to true, unless autoMode is enabled.

user_mappings Sequence[UserMappingArgs]

Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP.

version str

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

vpc_cni_options VpcCniOptionsArgs

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

vpc_id str

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

accessEntries Map<Property Map>

Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. Access entries are only supported with authentication mode API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

authenticationMode "CONFIG_MAP" | "API" | "API_AND_CONFIG_MAP"

The authentication mode of the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam

autoMode Property Map

Configuration Options for EKS Auto Mode. If EKS Auto Mode is enabled, AWS will manage cluster infrastructure on your behalf.

For more information, see: https://docs.aws.amazon.com/eks/latest/userguide/automode.html

clusterSecurityGroup aws:ec2:SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

Note: The security group resource should not contain any inline ingress or egress rules. This type is defined in the AWS Classic package.

clusterSecurityGroupTags Map<String>

The tags to apply to the cluster security group.

clusterTags Map<String>

The tags to apply to the EKS cluster.

corednsAddonOptions Property Map

Options for managing the coredns addon.

createInstanceRole Boolean

createOidcProvider Boolean

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts

creationRoleProvider Property Map

Note: This option is only supported with Pulumi nodejs programs. Please use ProviderCredentialOpts as an alternative instead.

defaultAddonsToRemove List<String>

desiredCapacity Number

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableConfigMapMutable Boolean

Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.

Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true. https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs

enabledClusterLogTypes List<String>

Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

encryptionConfigKeyArn String

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/

endpointPrivateAccess Boolean

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

endpointPublicAccess Boolean

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

fargate Boolean | Property Map

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

instanceProfileName String

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

instanceRole aws:iam:Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive. This type is defined in the AWS Classic package.

instanceRoles List<aws:iam:Role>

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

ipFamily String

kubeProxyAddonOptions Property Map

Options for managing the kube-proxy addon.

kubernetesServiceIpAddressRange String

The block must meet the following requirements:

Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.

maxSize Number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize Number

The minimum number of worker nodes running in the cluster. Defaults to 1.

name String

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

nodeAmiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

nodeAssociatePublicIpAddress Boolean

nodeGroupOptions Property Map

The common configuration settings for NodeGroups.

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeEncrypted Boolean

Encrypt the root block device of the nodes in the node group.

nodeRootVolumeSize Number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeSecurityGroupTags Map<String>

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

nodeSubnetIds List<String>

The subnets to use for worker nodes. Defaults to the value of subnetIds.

nodeUserData String

privateSubnetIds List<String>

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

providerCredentialOpts Property Map

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

Creating and using a new AWS provider instance, or
Setting the AWS_PROFILE environment variable, or
Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

https://www.pulumi.com/registry/packages/aws/api-docs/provider/
https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

proxy String

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

"http://proxy.example.com:3128"
"https://proxy.example.com"
"http://username:password@proxy.example.com:3128"

publicAccessCidrs List<String>

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

publicSubnetIds List<String>

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

Private-only: Only set privateSubnetIds.
- Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
Public-only: Only set publicSubnetIds.
- Default workers to run in a public subnet.
Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
- Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

roleMappings List<Property Map>

Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP

serviceRole aws:iam:Role

IAM Service Role for EKS to use to manage the cluster. This type is defined in the AWS Classic package.

skipDefaultNodeGroup Boolean

If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate or autoMode is enabled.

skipDefaultSecurityGroups Boolean

If this toggle is set to true, the EKS cluster will be created without the default node and cluster security groups. Defaults to false, unless autoMode is enabled.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

storageClasses String | Map<Property Map>

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

subnetIds List<String>

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags Map<String>

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

useDefaultVpcCni Boolean

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions. Defaults to true, unless autoMode is enabled.

userMappings List<Property Map>

Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode CONFIG_MAP or API_AND_CONFIG_MAP.

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

vpcCniOptions Property Map

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

vpcId String

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

Outputs

All input properties are implicitly available as output properties. Additionally, the Cluster resource produces the following output properties:

AutoModeNodeRoleName string

The name of the IAM role created for nodes managed by EKS Auto Mode. Defaults to an empty string.

AwsProvider Pulumi.Aws.Provider

The AWS resource provider. This type is defined in the pulumi package.

ClusterIngressRuleId string

The ID of the security group rule that gives node group access to the cluster API server. Defaults to an empty string if skipDefaultSecurityGroups is set to true.

ClusterSecurityGroupId string

The cluster security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

Core CoreData

The EKS cluster and its dependencies.

DefaultNodeGroupAsgName string

The name of the default node group's AutoScaling Group. Defaults to an empty string if skipDefaultNodeGroup is set to true.

EksCluster Pulumi.Aws.Eks.Cluster

The EKS cluster. This type is defined in the AWS Classic package.

FargateProfileId string

The ID of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

FargateProfileStatus string

The status of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

Kubeconfig object

A kubeconfig that can be used to connect to the EKS cluster.

KubeconfigJson string

A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

NodeSecurityGroupId string

The node security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

OidcIssuer string

The OIDC Issuer of the EKS cluster (OIDC Provider URL without leading https://).

This value can be used to associate kubernetes service accounts with IAM roles. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html.

OidcProviderArn string

The ARN of the IAM OpenID Connect Provider for the EKS cluster. Defaults to an empty string if no OIDC provider is configured.

OidcProviderUrl string

Issuer URL for the OpenID Connect identity provider of the EKS cluster.

DefaultNodeGroup NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

EksClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule

The ingress rule that gives node group access to cluster API server. This type is defined in the AWS Classic package.

NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the cluster's nodes. This type is defined in the AWS Classic package.

AutoModeNodeRoleName string

The name of the IAM role created for nodes managed by EKS Auto Mode. Defaults to an empty string.

AwsProvider Provider

The AWS resource provider. This type is defined in the pulumi package.

ClusterIngressRuleId string

The ID of the security group rule that gives node group access to the cluster API server. Defaults to an empty string if skipDefaultSecurityGroups is set to true.

ClusterSecurityGroupId string

The cluster security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

Core CoreData

The EKS cluster and its dependencies.

DefaultNodeGroupAsgName string

The name of the default node group's AutoScaling Group. Defaults to an empty string if skipDefaultNodeGroup is set to true.

EksCluster Cluster

The EKS cluster. This type is defined in the AWS Classic package.

FargateProfileId string

The ID of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

FargateProfileStatus string

The status of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

Kubeconfig interface{}

A kubeconfig that can be used to connect to the EKS cluster.

KubeconfigJson string

A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

NodeSecurityGroupId string

The node security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

OidcIssuer string

The OIDC Issuer of the EKS cluster (OIDC Provider URL without leading https://).

This value can be used to associate kubernetes service accounts with IAM roles. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html.

OidcProviderArn string

The ARN of the IAM OpenID Connect Provider for the EKS cluster. Defaults to an empty string if no OIDC provider is configured.

OidcProviderUrl string

Issuer URL for the OpenID Connect identity provider of the EKS cluster.

DefaultNodeGroup NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

EksClusterIngressRule SecurityGroupRule

The ingress rule that gives node group access to cluster API server. This type is defined in the AWS Classic package.

NodeSecurityGroup SecurityGroup

The security group for the cluster's nodes. This type is defined in the AWS Classic package.

autoModeNodeRoleName String

The name of the IAM role created for nodes managed by EKS Auto Mode. Defaults to an empty string.

awsProvider Provider

The AWS resource provider. This type is defined in the pulumi package.

clusterIngressRuleId String

The ID of the security group rule that gives node group access to the cluster API server. Defaults to an empty string if skipDefaultSecurityGroups is set to true.

clusterSecurityGroupId String

The cluster security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

core CoreData

The EKS cluster and its dependencies.

defaultNodeGroupAsgName String

The name of the default node group's AutoScaling Group. Defaults to an empty string if skipDefaultNodeGroup is set to true.

eksCluster Cluster

The EKS cluster. This type is defined in the AWS Classic package.

fargateProfileId String

The ID of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

fargateProfileStatus String

The status of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

kubeconfig Object

A kubeconfig that can be used to connect to the EKS cluster.

kubeconfigJson String

A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

nodeSecurityGroupId String

The node security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

oidcIssuer String

The OIDC Issuer of the EKS cluster (OIDC Provider URL without leading https://).

This value can be used to associate kubernetes service accounts with IAM roles. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html.

oidcProviderArn String

The ARN of the IAM OpenID Connect Provider for the EKS cluster. Defaults to an empty string if no OIDC provider is configured.

oidcProviderUrl String

Issuer URL for the OpenID Connect identity provider of the EKS cluster.

defaultNodeGroup NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

eksClusterIngressRule SecurityGroupRule

The ingress rule that gives node group access to cluster API server. This type is defined in the AWS Classic package.

nodeSecurityGroup SecurityGroup

The security group for the cluster's nodes. This type is defined in the AWS Classic package.

autoModeNodeRoleName string

The name of the IAM role created for nodes managed by EKS Auto Mode. Defaults to an empty string.

awsProvider pulumiAwsProvider

The AWS resource provider. This type is defined in the pulumi package.

clusterIngressRuleId string

The ID of the security group rule that gives node group access to the cluster API server. Defaults to an empty string if skipDefaultSecurityGroups is set to true.

clusterSecurityGroupId string

The cluster security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

core CoreData

The EKS cluster and its dependencies.

defaultNodeGroupAsgName string

The name of the default node group's AutoScaling Group. Defaults to an empty string if skipDefaultNodeGroup is set to true.

eksCluster pulumiAwseksCluster

The EKS cluster. This type is defined in the AWS Classic package.

fargateProfileId string

The ID of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

fargateProfileStatus string

The status of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

kubeconfig any

A kubeconfig that can be used to connect to the EKS cluster.

kubeconfigJson string

A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

nodeSecurityGroupId string

The node security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

oidcIssuer string

The OIDC Issuer of the EKS cluster (OIDC Provider URL without leading https://).

This value can be used to associate kubernetes service accounts with IAM roles. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html.

oidcProviderArn string

The ARN of the IAM OpenID Connect Provider for the EKS cluster. Defaults to an empty string if no OIDC provider is configured.

oidcProviderUrl string

Issuer URL for the OpenID Connect identity provider of the EKS cluster.

defaultNodeGroup NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

eksClusterIngressRule pulumiAwsec2SecurityGroupRule

The ingress rule that gives node group access to cluster API server. This type is defined in the AWS Classic package.

nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the cluster's nodes. This type is defined in the AWS Classic package.

auto_mode_node_role_name str

The name of the IAM role created for nodes managed by EKS Auto Mode. Defaults to an empty string.

aws_provider pulumi_aws.Provider

The AWS resource provider. This type is defined in the pulumi package.

cluster_ingress_rule_id str

The ID of the security group rule that gives node group access to the cluster API server. Defaults to an empty string if skipDefaultSecurityGroups is set to true.

cluster_security_group_id str

The cluster security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

core CoreData

The EKS cluster and its dependencies.

default_node_group_asg_name str

The name of the default node group's AutoScaling Group. Defaults to an empty string if skipDefaultNodeGroup is set to true.

eks_cluster pulumi_aws.eks.Cluster

The EKS cluster. This type is defined in the AWS Classic package.

fargate_profile_id str

The ID of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

fargate_profile_status str

The status of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

kubeconfig Any

A kubeconfig that can be used to connect to the EKS cluster.

kubeconfig_json str

A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

node_security_group_id str

The node security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

oidc_issuer str

The OIDC Issuer of the EKS cluster (OIDC Provider URL without leading https://).

This value can be used to associate kubernetes service accounts with IAM roles. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html.

oidc_provider_arn str

The ARN of the IAM OpenID Connect Provider for the EKS cluster. Defaults to an empty string if no OIDC provider is configured.

oidc_provider_url str

Issuer URL for the OpenID Connect identity provider of the EKS cluster.

default_node_group NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

eks_cluster_ingress_rule pulumi_aws.ec2.SecurityGroupRule

The ingress rule that gives node group access to cluster API server. This type is defined in the AWS Classic package.

node_security_group pulumi_aws.ec2.SecurityGroup

The security group for the cluster's nodes. This type is defined in the AWS Classic package.

autoModeNodeRoleName String

The name of the IAM role created for nodes managed by EKS Auto Mode. Defaults to an empty string.

awsProvider pulumi:providers:aws

The AWS resource provider. This type is defined in the pulumi package.

clusterIngressRuleId String

The ID of the security group rule that gives node group access to the cluster API server. Defaults to an empty string if skipDefaultSecurityGroups is set to true.

clusterSecurityGroupId String

The cluster security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

core Property Map

The EKS cluster and its dependencies.

defaultNodeGroupAsgName String

The name of the default node group's AutoScaling Group. Defaults to an empty string if skipDefaultNodeGroup is set to true.

eksCluster aws:eks:Cluster

The EKS cluster. This type is defined in the AWS Classic package.

fargateProfileId String

The ID of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

fargateProfileStatus String

The status of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured.

kubeconfig Any

A kubeconfig that can be used to connect to the EKS cluster.

kubeconfigJson String

A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

nodeSecurityGroupId String

The node security group ID of the EKS cluster. Returns the EKS created security group if skipDefaultSecurityGroups is set to true.

oidcIssuer String

The OIDC Issuer of the EKS cluster (OIDC Provider URL without leading https://).

This value can be used to associate kubernetes service accounts with IAM roles. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html.

oidcProviderArn String

The ARN of the IAM OpenID Connect Provider for the EKS cluster. Defaults to an empty string if no OIDC provider is configured.

oidcProviderUrl String

Issuer URL for the OpenID Connect identity provider of the EKS cluster.

defaultNodeGroup Property Map

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

eksClusterIngressRule aws:ec2:SecurityGroupRule

The ingress rule that gives node group access to cluster API server. This type is defined in the AWS Classic package.

nodeSecurityGroup aws:ec2:SecurityGroup

The security group for the cluster's nodes. This type is defined in the AWS Classic package.

Cluster Resource Methods

GetKubeconfig Method

Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in KubeconfigOptions.

The kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

Using GetKubeconfig

getKubeconfig(args?: Cluster.GetKubeconfigArgs): Output<Cluster.GetKubeconfigResult>

def get_kubeconfig(self,
                   profile_name: Optional[pulumi.Input[str]] = None,
                   role_arn: Optional[pulumi.Input[str]] = None) -> Output[str]

func (r *Cluster) GetKubeconfig(ctx *Context, args *ClusterGetKubeconfigArgs) (pulumi.StringOutput, error)

public Output<string> GetKubeconfig(Cluster.GetKubeconfigArgs? args)

The following arguments are supported:

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName String

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn String

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profile_name str

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

role_arn str

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName String

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn String

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

GetKubeconfig Result

Result string: The kubeconfig for the cluster.

Result string: The kubeconfig for the cluster.

result String: The kubeconfig for the cluster.

result string: The kubeconfig for the cluster.

result str: The kubeconfig for the cluster.

result String: The kubeconfig for the cluster.

Supporting Types

AccessEntry, AccessEntryArgs

PrincipalArn string: The IAM Principal ARN which requires Authentication access to the EKS cluster.
AccessPolicies Dictionary<string, AccessPolicyAssociation>: The access policies to associate to the access entry.
KubernetesGroups List<string>: A list of groups within Kubernetes to which the IAM principal is mapped to.
Tags Dictionary<string, string>: The tags to apply to the AccessEntry.
Type Pulumi.Eks.AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
Username string: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

PrincipalArn string: The IAM Principal ARN which requires Authentication access to the EKS cluster.
AccessPolicies map[string]AccessPolicyAssociation: The access policies to associate to the access entry.
KubernetesGroups []string: A list of groups within Kubernetes to which the IAM principal is mapped to.
Tags map[string]string: The tags to apply to the AccessEntry.
Type AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
Username string: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

principalArn String: The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies Map<String,AccessPolicyAssociation>: The access policies to associate to the access entry.
kubernetesGroups List<String>: A list of groups within Kubernetes to which the IAM principal is mapped to.
tags Map<String,String>: The tags to apply to the AccessEntry.
type AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
username String: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

principalArn string: The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies {[key: string]: AccessPolicyAssociation}: The access policies to associate to the access entry.
kubernetesGroups string[]: A list of groups within Kubernetes to which the IAM principal is mapped to.
tags {[key: string]: string}: The tags to apply to the AccessEntry.
type AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
username string: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

principal_arn str: The IAM Principal ARN which requires Authentication access to the EKS cluster.
access_policies Mapping[str, AccessPolicyAssociation]: The access policies to associate to the access entry.
kubernetes_groups Sequence[str]: A list of groups within Kubernetes to which the IAM principal is mapped to.
tags Mapping[str, str]: The tags to apply to the AccessEntry.
type AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
username str: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

principalArn String: The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies Map<Property Map>: The access policies to associate to the access entry.
kubernetesGroups List<String>: A list of groups within Kubernetes to which the IAM principal is mapped to.
tags Map<String>: The tags to apply to the AccessEntry.
type "STANDARD" | "FARGATE_LINUX" | "EC2_LINUX" | "EC2_WINDOWS" | "EC2": The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
username String: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

AccessEntryType, AccessEntryTypeArgs

Standard: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
EC2Linux: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

AccessEntryTypeStandard: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
AccessEntryTypeFargateLinux: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
AccessEntryTypeEC2Linux: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
AccessEntryTypeEC2Windows: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
AccessEntryTypeEC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

Standard: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
EC2Linux: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

Standard: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
EC2Linux: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

STANDARD: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FARGATE_LINUX: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
EC2_LINUX: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2_WINDOWS: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

"STANDARD": STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
"FARGATE_LINUX": FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
"EC2_LINUX": EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
"EC2_WINDOWS": EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
"EC2": EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

AccessPolicyAssociation, AccessPolicyAssociationArgs

AccessScope Pulumi.Aws.Eks.Inputs.AccessPolicyAssociationAccessScope: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
PolicyArn string: The ARN of the access policy to associate with the principal

AccessScope AccessPolicyAssociationAccessScope: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
PolicyArn string: The ARN of the access policy to associate with the principal

accessScope AccessPolicyAssociationAccessScope: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn String: The ARN of the access policy to associate with the principal

accessScope pulumiAwstypesinputeksAccessPolicyAssociationAccessScope: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn string: The ARN of the access policy to associate with the principal

access_scope pulumi_aws.eks.AccessPolicyAssociationAccessScopeArgs: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policy_arn str: The ARN of the access policy to associate with the principal

accessScope Property Map: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn String: The ARN of the access policy to associate with the principal

AuthenticationMode, AuthenticationModeArgs

ConfigMap: CONFIG_MAPOnly aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
Api: APIOnly Access Entries will be used for authenticating to the Kubernetes API.
ApiAndConfigMap: API_AND_CONFIG_MAPBoth aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.

AuthenticationModeConfigMap: CONFIG_MAPOnly aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
AuthenticationModeApi: APIOnly Access Entries will be used for authenticating to the Kubernetes API.
AuthenticationModeApiAndConfigMap: API_AND_CONFIG_MAPBoth aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.

ConfigMap: CONFIG_MAPOnly aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
Api: APIOnly Access Entries will be used for authenticating to the Kubernetes API.
ApiAndConfigMap: API_AND_CONFIG_MAPBoth aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.

ConfigMap: CONFIG_MAPOnly aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
Api: APIOnly Access Entries will be used for authenticating to the Kubernetes API.
ApiAndConfigMap: API_AND_CONFIG_MAPBoth aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.

CONFIG_MAP: CONFIG_MAPOnly aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
API: APIOnly Access Entries will be used for authenticating to the Kubernetes API.
API_AND_CONFIG_MAP: API_AND_CONFIG_MAPBoth aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.

"CONFIG_MAP": CONFIG_MAPOnly aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
"API": APIOnly Access Entries will be used for authenticating to the Kubernetes API.
"API_AND_CONFIG_MAP": API_AND_CONFIG_MAPBoth aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API. For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.

AutoModeOptions, AutoModeOptionsArgs

Enabled bool: Whether to enable EKS Auto Mode. If enabled, EKS will manage node pools, EBS volumes and Load Balancers for you. When enabled, the vpc-cni and kube-proxy will not be enabled by default because EKS Auto Mode includes pod networking capabilities.
ComputeConfig ClusterComputeConfig: Compute configuration for EKS Auto Mode.
CreateNodeRole bool: Whether to create an IAM role for the EKS Auto Mode node group if none is provided in computeConfig.

Enabled bool: Whether to enable EKS Auto Mode. If enabled, EKS will manage node pools, EBS volumes and Load Balancers for you. When enabled, the vpc-cni and kube-proxy will not be enabled by default because EKS Auto Mode includes pod networking capabilities.
ComputeConfig ClusterComputeConfig: Compute configuration for EKS Auto Mode.
CreateNodeRole bool: Whether to create an IAM role for the EKS Auto Mode node group if none is provided in computeConfig.

enabled Boolean: Whether to enable EKS Auto Mode. If enabled, EKS will manage node pools, EBS volumes and Load Balancers for you. When enabled, the vpc-cni and kube-proxy will not be enabled by default because EKS Auto Mode includes pod networking capabilities.
computeConfig ClusterComputeConfig: Compute configuration for EKS Auto Mode.
createNodeRole Boolean: Whether to create an IAM role for the EKS Auto Mode node group if none is provided in computeConfig.

enabled boolean: Whether to enable EKS Auto Mode. If enabled, EKS will manage node pools, EBS volumes and Load Balancers for you. When enabled, the vpc-cni and kube-proxy will not be enabled by default because EKS Auto Mode includes pod networking capabilities.
computeConfig ClusterComputeConfig: Compute configuration for EKS Auto Mode.
createNodeRole boolean: Whether to create an IAM role for the EKS Auto Mode node group if none is provided in computeConfig.

enabled bool: Whether to enable EKS Auto Mode. If enabled, EKS will manage node pools, EBS volumes and Load Balancers for you. When enabled, the vpc-cni and kube-proxy will not be enabled by default because EKS Auto Mode includes pod networking capabilities.
compute_config ClusterComputeConfig: Compute configuration for EKS Auto Mode.
create_node_role bool: Whether to create an IAM role for the EKS Auto Mode node group if none is provided in computeConfig.

enabled Boolean: Whether to enable EKS Auto Mode. If enabled, EKS will manage node pools, EBS volumes and Load Balancers for you. When enabled, the vpc-cni and kube-proxy will not be enabled by default because EKS Auto Mode includes pod networking capabilities.
computeConfig Property Map: Compute configuration for EKS Auto Mode.
createNodeRole Boolean: Whether to create an IAM role for the EKS Auto Mode node group if none is provided in computeConfig.

ClusterComputeConfig, ClusterComputeConfigArgs

NodePools List<string>

Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.

By default, the built-in system and general-purpose nodepools are enabled.

NodeRoleArn string

The ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. This value cannot be changed after the compute capability of EKS Auto Mode is enabled.

NodePools []string

Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.

By default, the built-in system and general-purpose nodepools are enabled.

NodeRoleArn string

The ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. This value cannot be changed after the compute capability of EKS Auto Mode is enabled.

nodePools List<String>

Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.

By default, the built-in system and general-purpose nodepools are enabled.

nodeRoleArn String

The ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. This value cannot be changed after the compute capability of EKS Auto Mode is enabled.

nodePools string[]

Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.

By default, the built-in system and general-purpose nodepools are enabled.

nodeRoleArn string

The ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. This value cannot be changed after the compute capability of EKS Auto Mode is enabled.

node_pools Sequence[str]

Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.

By default, the built-in system and general-purpose nodepools are enabled.

node_role_arn str

The ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. This value cannot be changed after the compute capability of EKS Auto Mode is enabled.

nodePools List<String>

Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.

By default, the built-in system and general-purpose nodepools are enabled.

nodeRoleArn String

The ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. This value cannot be changed after the compute capability of EKS Auto Mode is enabled.

ClusterNodeGroupOptions, ClusterNodeGroupOptionsArgs

AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags Dictionary<string, string>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string

Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

BottlerocketSettings Dictionary<string, object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CloudFormationTags Dictionary<string, string>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

ClusterIngressRuleId string

The ID of the ingress rule that gives node group access.

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EnableDetailedMonitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

EncryptRootBlockDevice bool

Encrypt the root block device of the nodes in the node group.

ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceProfile Pulumi.Aws.Iam.InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

InstanceProfileName string

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

KeyName string

Name of the key pair to use for SSH access to worker nodes.

KubeletExtraArgs string

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

Labels Dictionary<string, string>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

LaunchTemplateTagSpecifications List<Pulumi.Aws.Ec2.Inputs.LaunchTemplateTagSpecification>

The tag specifications to apply to the launch template.

MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinRefreshPercentage int

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

NodeAssociatePublicIpAddress bool

Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

NodeRootVolumeDeleteOnTermination bool

Whether the root block device should be deleted on termination of the instance. Defaults to true.

NodeRootVolumeEncrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

NodeRootVolumeIops int

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeRootVolumeThroughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

NodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

NodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds List<string>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string

NodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

NodeadmExtraOptions List<NodeadmOptions>

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

OperatingSystem Pulumi.Eks.OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

SpotPrice string

Bidding price for spot instance. If set, only spot instances will be added as worker node.

Taints Dictionary<string, Taint>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags map[string]string

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string

BottlerocketSettings map[string]interface{}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CloudFormationTags map[string]string

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

ClusterIngressRuleId string

The ID of the ingress rule that gives node group access.

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EnableDetailedMonitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

EncryptRootBlockDevice bool

Encrypt the root block device of the nodes in the node group.

ExtraNodeSecurityGroups SecurityGroup

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceProfile InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

InstanceProfileName string

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

KeyName string

Name of the key pair to use for SSH access to worker nodes.

KubeletExtraArgs string

Labels map[string]string

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

LaunchTemplateTagSpecifications LaunchTemplateTagSpecification

The tag specifications to apply to the launch template.

MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinRefreshPercentage int

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

NodeAssociatePublicIpAddress bool

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

NodeRootVolumeDeleteOnTermination bool

Whether the root block device should be deleted on termination of the instance. Defaults to true.

NodeRootVolumeEncrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

NodeRootVolumeIops int

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeRootVolumeThroughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

NodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

NodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

NodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds []string

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string

NodeUserDataOverride string

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

NodeadmExtraOptions []NodeadmOptions

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

OperatingSystem OperatingSystem

Defaults to the current recommended OS.

SpotPrice string

Bidding price for spot instance. If set, only spot instances will be added as worker node.

Taints map[string]Taint

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String,String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String

bottlerocketSettings Map<String,Object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags Map<String,String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

clusterIngressRuleId String

The ID of the ingress rule that gives node group access.

desiredCapacity Integer

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableDetailedMonitoring Boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

encryptRootBlockDevice Boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups List<SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

instanceProfileName String

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

keyName String

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs String

labels Map<String,String>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

launchTemplateTagSpecifications List<LaunchTemplateTagSpecification>

The tag specifications to apply to the launch template.

maxSize Integer

The maximum number of worker nodes running in the cluster. Defaults to 2.

minRefreshPercentage Integer

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

minSize Integer

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress Boolean

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination Boolean

Whether the root block device should be deleted on termination of the instance. Defaults to true.

nodeRootVolumeEncrypted Boolean

Whether to encrypt a cluster node's root volume. Defaults to false.

nodeRootVolumeIops Integer

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

nodeRootVolumeSize Integer

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput Integer

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

nodeRootVolumeType String

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

nodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId String

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String

nodeUserDataOverride String

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions List<NodeadmOptions>

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem OperatingSystem

Defaults to the current recommended OS.

spotPrice String

Bidding price for spot instance. If set, only spot instances will be added as worker node.

taints Map<String,Taint>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags {[key: string]: string}

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs string

bottlerocketSettings {[key: string]: any}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags {[key: string]: string}

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule pulumiAwsec2SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

clusterIngressRuleId string

The ID of the ingress rule that gives node group access.

desiredCapacity number

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableDetailedMonitoring boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

encryptRootBlockDevice boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

ignoreScalingChanges boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile pulumiAwsiamInstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

instanceProfileName string

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

instanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

keyName string

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs string

labels {[key: string]: string}

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

launchTemplateTagSpecifications pulumiAwstypesinputec2LaunchTemplateTagSpecification[]

The tag specifications to apply to the launch template.

maxSize number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minRefreshPercentage number

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

minSize number

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress boolean

nodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination boolean

Whether the root block device should be deleted on termination of the instance. Defaults to true.

nodeRootVolumeEncrypted boolean

Whether to encrypt a cluster node's root volume. Defaults to false.

nodeRootVolumeIops number

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

nodeRootVolumeSize number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput number

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

nodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds string[]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData string

nodeUserDataOverride string

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions NodeadmOptions[]

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem OperatingSystem

Defaults to the current recommended OS.

spotPrice string

Bidding price for spot instance. If set, only spot instances will be added as worker node.

taints {[key: string]: Taint}

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

ami_type str

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

auto_scaling_group_tags Mapping[str, str]

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrap_extra_args str

bottlerocket_settings Mapping[str, Any]

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloud_formation_tags Mapping[str, str]

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

cluster_ingress_rule pulumi_aws.ec2.SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

cluster_ingress_rule_id str

The ID of the ingress rule that gives node group access.

desired_capacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

enable_detailed_monitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

encrypt_root_block_device bool

Encrypt the root block device of the nodes in the node group.

extra_node_security_groups Sequence[pulumi_aws.ec2.SecurityGroup]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

ignore_scaling_changes bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instance_profile pulumi_aws.iam.InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

instance_profile_name str

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

instance_type str

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

key_name str

Name of the key pair to use for SSH access to worker nodes.

kubelet_extra_args str

labels Mapping[str, str]

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

launch_template_tag_specifications Sequence[pulumi_aws.ec2.LaunchTemplateTagSpecificationArgs]

The tag specifications to apply to the launch template.

max_size int

The maximum number of worker nodes running in the cluster. Defaults to 2.

min_refresh_percentage int

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

min_size int

The minimum number of worker nodes running in the cluster. Defaults to 1.

node_associate_public_ip_address bool

node_public_key str

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

node_root_volume_delete_on_termination bool

Whether the root block device should be deleted on termination of the instance. Defaults to true.

node_root_volume_encrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

node_root_volume_iops int

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

node_root_volume_size int

The size in GiB of a cluster node's root volume. Defaults to 20.

node_root_volume_throughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

node_root_volume_type str

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

node_security_group pulumi_aws.ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

node_security_group_id str

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

node_subnet_ids Sequence[str]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

node_user_data str

node_user_data_override str

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadm_extra_options Sequence[NodeadmOptions]

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operating_system OperatingSystem

Defaults to the current recommended OS.

spot_price str

Bidding price for spot instance. If set, only spot instances will be added as worker node.

taints Mapping[str, Taint]

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

version str

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String

bottlerocketSettings Map<Any>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags Map<String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule aws:ec2:SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

clusterIngressRuleId String

The ID of the ingress rule that gives node group access.

desiredCapacity Number

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableDetailedMonitoring Boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

encryptRootBlockDevice Boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups List<aws:ec2:SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile aws:iam:InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

instanceProfileName String

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

keyName String

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs String

labels Map<String>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

launchTemplateTagSpecifications List<Property Map>

The tag specifications to apply to the launch template.

maxSize Number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minRefreshPercentage Number

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

minSize Number

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress Boolean

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination Boolean

Whether the root block device should be deleted on termination of the instance. Defaults to true.

nodeRootVolumeEncrypted Boolean

Whether to encrypt a cluster node's root volume. Defaults to false.

nodeRootVolumeIops Number

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

nodeRootVolumeSize Number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput Number

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

nodeRootVolumeType String

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

nodeSecurityGroup aws:ec2:SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId String

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String

nodeUserDataOverride String

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions List<Property Map>

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem "AL2" | "AL2023" | "Bottlerocket" | "AL2023"

Defaults to the current recommended OS.

spotPrice String

Bidding price for spot instance. If set, only spot instances will be added as worker node.

taints Map<Property Map>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

CoreData, CoreDataArgs

Cluster Pulumi.Aws.Eks.Cluster: This type is defined in the AWS Classic package.
ClusterIamRole Pulumi.Aws.Iam.Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
Endpoint string: The EKS cluster's Kubernetes API server endpoint.
InstanceRoles List<Pulumi.Aws.Iam.Role>: The IAM instance roles for the cluster's nodes.
NodeGroupOptions ClusterNodeGroupOptions: The cluster's node group options.
Provider Pulumi.Kubernetes.Provider: This type is defined in the pulumi package.
SubnetIds List<string>: List of subnet IDs for the EKS cluster.
VpcId string: ID of the cluster's VPC.
AccessEntries List<AccessEntry>: The access entries added to the cluster.
AwsProvider Pulumi.Aws.Provider: This type is defined in the pulumi package.
ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup: This type is defined in the AWS Classic package.
EksNodeAccess Pulumi.Kubernetes.Core.V1.ConfigMap: This type is defined in the Kubernetes package.
EncryptionConfig Pulumi.Aws.Eks.Inputs.ClusterEncryptionConfig: This type is defined in the AWS Classic package.
FargateProfile Pulumi.Aws.Eks.FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
Kubeconfig object: The kubeconfig file for the cluster.
NodeSecurityGroupTags Dictionary<string, string>: Tags attached to the security groups associated with the cluster's worker nodes.
OidcProvider Pulumi.Aws.Iam.OpenIdConnectProvider: This type is defined in the AWS Classic package.
PrivateSubnetIds List<string>: List of subnet IDs for the private subnets.
PublicSubnetIds List<string>: List of subnet IDs for the public subnets.
StorageClasses Dictionary<string, Pulumi.Kubernetes.Storage.V1.StorageClass>: The storage class used for persistent storage by the cluster.
Tags Dictionary<string, string>: A map of tags assigned to the EKS cluster.
VpcCni Pulumi.Eks.VpcCniAddon: The VPC CNI for the cluster.

Cluster Cluster: This type is defined in the AWS Classic package.
ClusterIamRole Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
Endpoint string: The EKS cluster's Kubernetes API server endpoint.
InstanceRoles Role: The IAM instance roles for the cluster's nodes.
NodeGroupOptions ClusterNodeGroupOptions: The cluster's node group options.
Provider Provider: This type is defined in the pulumi package.
SubnetIds []string: List of subnet IDs for the EKS cluster.
VpcId string: ID of the cluster's VPC.
AccessEntries []AccessEntry: The access entries added to the cluster.
AwsProvider Provider: This type is defined in the pulumi package.
ClusterSecurityGroup SecurityGroup: This type is defined in the AWS Classic package.
EksNodeAccess ConfigMap: This type is defined in the Kubernetes package.
EncryptionConfig ClusterEncryptionConfig: This type is defined in the AWS Classic package.
FargateProfile FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
Kubeconfig interface{}: The kubeconfig file for the cluster.
NodeSecurityGroupTags map[string]string: Tags attached to the security groups associated with the cluster's worker nodes.
OidcProvider OpenIdConnectProvider: This type is defined in the AWS Classic package.
PrivateSubnetIds []string: List of subnet IDs for the private subnets.
PublicSubnetIds []string: List of subnet IDs for the public subnets.
StorageClasses StorageClass: The storage class used for persistent storage by the cluster.
Tags map[string]string: A map of tags assigned to the EKS cluster.
VpcCni VpcCniAddon: The VPC CNI for the cluster.

cluster Cluster: This type is defined in the AWS Classic package.
clusterIamRole Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
endpoint String: The EKS cluster's Kubernetes API server endpoint.
instanceRoles List<Role>: The IAM instance roles for the cluster's nodes.
nodeGroupOptions ClusterNodeGroupOptions: The cluster's node group options.
provider Provider: This type is defined in the pulumi package.
subnetIds List<String>: List of subnet IDs for the EKS cluster.
vpcId String: ID of the cluster's VPC.
accessEntries List<AccessEntry>: The access entries added to the cluster.
awsProvider Provider: This type is defined in the pulumi package.
clusterSecurityGroup SecurityGroup: This type is defined in the AWS Classic package.
eksNodeAccess ConfigMap: This type is defined in the Kubernetes package.
encryptionConfig ClusterEncryptionConfig: This type is defined in the AWS Classic package.
fargateProfile FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Object: The kubeconfig file for the cluster.
nodeSecurityGroupTags Map<String,String>: Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider OpenIdConnectProvider: This type is defined in the AWS Classic package.
privateSubnetIds List<String>: List of subnet IDs for the private subnets.
publicSubnetIds List<String>: List of subnet IDs for the public subnets.
storageClasses Map<String,StorageClass>: The storage class used for persistent storage by the cluster.
tags Map<String,String>: A map of tags assigned to the EKS cluster.
vpcCni VpcCniAddon: The VPC CNI for the cluster.

cluster pulumiAwseksCluster: This type is defined in the AWS Classic package.
clusterIamRole pulumiAwsiamRole: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
endpoint string: The EKS cluster's Kubernetes API server endpoint.
instanceRoles pulumiAwsiamRole[]: The IAM instance roles for the cluster's nodes.
nodeGroupOptions ClusterNodeGroupOptions: The cluster's node group options.
provider pulumiKubernetesProvider: This type is defined in the pulumi package.
subnetIds string[]: List of subnet IDs for the EKS cluster.
vpcId string: ID of the cluster's VPC.
accessEntries AccessEntry[]: The access entries added to the cluster.
awsProvider pulumiAwsProvider: This type is defined in the pulumi package.
clusterSecurityGroup pulumiAwsec2SecurityGroup: This type is defined in the AWS Classic package.
eksNodeAccess pulumiKubernetescorev1ConfigMap: This type is defined in the Kubernetes package.
encryptionConfig pulumiAwstypesinputeksClusterEncryptionConfig: This type is defined in the AWS Classic package.
fargateProfile pulumiAwseksFargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig any: The kubeconfig file for the cluster.
nodeSecurityGroupTags {[key: string]: string}: Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider pulumiAwsiamOpenIdConnectProvider: This type is defined in the AWS Classic package.
privateSubnetIds string[]: List of subnet IDs for the private subnets.
publicSubnetIds string[]: List of subnet IDs for the public subnets.
storageClasses {[key: string]: pulumiKubernetesstoragev1StorageClass}: The storage class used for persistent storage by the cluster.
tags {[key: string]: string}: A map of tags assigned to the EKS cluster.
vpcCni VpcCniAddon: The VPC CNI for the cluster.

cluster pulumi_aws.eks.Cluster: This type is defined in the AWS Classic package.
cluster_iam_role pulumi_aws.iam.Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
endpoint str: The EKS cluster's Kubernetes API server endpoint.
instance_roles Sequence[pulumi_aws.iam.Role]: The IAM instance roles for the cluster's nodes.
node_group_options ClusterNodeGroupOptions: The cluster's node group options.
provider pulumi_kubernetes.Provider: This type is defined in the pulumi package.
subnet_ids Sequence[str]: List of subnet IDs for the EKS cluster.
vpc_id str: ID of the cluster's VPC.
access_entries Sequence[AccessEntry]: The access entries added to the cluster.
aws_provider pulumi_aws.Provider: This type is defined in the pulumi package.
cluster_security_group pulumi_aws.ec2.SecurityGroup: This type is defined in the AWS Classic package.
eks_node_access pulumi_kubernetes.core.v1.ConfigMap: This type is defined in the Kubernetes package.
encryption_config pulumi_aws.eks.ClusterEncryptionConfigArgs: This type is defined in the AWS Classic package.
fargate_profile pulumi_aws.eks.FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Any: The kubeconfig file for the cluster.
node_security_group_tags Mapping[str, str]: Tags attached to the security groups associated with the cluster's worker nodes.
oidc_provider pulumi_aws.iam.OpenIdConnectProvider: This type is defined in the AWS Classic package.
private_subnet_ids Sequence[str]: List of subnet IDs for the private subnets.
public_subnet_ids Sequence[str]: List of subnet IDs for the public subnets.
storage_classes Mapping[str, pulumi_kubernetes.storage.v1.StorageClass]: The storage class used for persistent storage by the cluster.
tags Mapping[str, str]: A map of tags assigned to the EKS cluster.
vpc_cni VpcCniAddon: The VPC CNI for the cluster.

cluster aws:eks:Cluster: This type is defined in the AWS Classic package.
clusterIamRole aws:iam:Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
endpoint String: The EKS cluster's Kubernetes API server endpoint.
instanceRoles List<aws:iam:Role>: The IAM instance roles for the cluster's nodes.
nodeGroupOptions Property Map: The cluster's node group options.
provider pulumi:providers:kubernetes: This type is defined in the pulumi package.
subnetIds List<String>: List of subnet IDs for the EKS cluster.
vpcId String: ID of the cluster's VPC.
accessEntries List<Property Map>: The access entries added to the cluster.
awsProvider pulumi:providers:aws: This type is defined in the pulumi package.
clusterSecurityGroup aws:ec2:SecurityGroup: This type is defined in the AWS Classic package.
eksNodeAccess kubernetes:core/v1:ConfigMap: This type is defined in the Kubernetes package.
encryptionConfig Property Map: This type is defined in the AWS Classic package.
fargateProfile aws:eks:FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Any: The kubeconfig file for the cluster.
nodeSecurityGroupTags Map<String>: Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider aws:iam:OpenIdConnectProvider: This type is defined in the AWS Classic package.
privateSubnetIds List<String>: List of subnet IDs for the private subnets.
publicSubnetIds List<String>: List of subnet IDs for the public subnets.
storageClasses Map<kubernetes:storage.k8s.io/v1:StorageClass>: The storage class used for persistent storage by the cluster.
tags Map<String>: A map of tags assigned to the EKS cluster.
vpcCni eks:VpcCniAddon: The VPC CNI for the cluster.

CoreDnsAddonOptions, CoreDnsAddonOptionsArgs

ConfigurationValues Dictionary<string, object>

Custom configuration values for the coredns addon. This object must match the schema derived from describe-addon-configuration.

Enabled bool

Whether or not to create the coredns Addon in the cluster

The managed addon can only be enabled if the cluster is a Fargate cluster or if the cluster uses the default node group, otherwise the self-managed addon is used.

ResolveConflictsOnCreate Pulumi.Eks.ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

ResolveConflictsOnUpdate Pulumi.Eks.ResolveConflictsOnUpdate

How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are NONE, OVERWRITE, and PRESERVE. For more details see the UpdateAddon API Docs.

Version string

The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

ConfigurationValues map[string]interface{}

Custom configuration values for the coredns addon. This object must match the schema derived from describe-addon-configuration.

Enabled bool

Whether or not to create the coredns Addon in the cluster

The managed addon can only be enabled if the cluster is a Fargate cluster or if the cluster uses the default node group, otherwise the self-managed addon is used.

ResolveConflictsOnCreate ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

ResolveConflictsOnUpdate ResolveConflictsOnUpdate

Version string

The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

configurationValues Map<String,Object>

Custom configuration values for the coredns addon. This object must match the schema derived from describe-addon-configuration.

enabled Boolean

Whether or not to create the coredns Addon in the cluster

The managed addon can only be enabled if the cluster is a Fargate cluster or if the cluster uses the default node group, otherwise the self-managed addon is used.

resolveConflictsOnCreate ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

resolveConflictsOnUpdate ResolveConflictsOnUpdate

version String

The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

configurationValues {[key: string]: any}

Custom configuration values for the coredns addon. This object must match the schema derived from describe-addon-configuration.

enabled boolean

Whether or not to create the coredns Addon in the cluster

The managed addon can only be enabled if the cluster is a Fargate cluster or if the cluster uses the default node group, otherwise the self-managed addon is used.

resolveConflictsOnCreate ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

resolveConflictsOnUpdate ResolveConflictsOnUpdate

version string

The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

configuration_values Mapping[str, Any]

Custom configuration values for the coredns addon. This object must match the schema derived from describe-addon-configuration.

enabled bool

Whether or not to create the coredns Addon in the cluster

The managed addon can only be enabled if the cluster is a Fargate cluster or if the cluster uses the default node group, otherwise the self-managed addon is used.

resolve_conflicts_on_create ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

resolve_conflicts_on_update ResolveConflictsOnUpdate

version str

The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

configurationValues Map<Any>

Custom configuration values for the coredns addon. This object must match the schema derived from describe-addon-configuration.

enabled Boolean

Whether or not to create the coredns Addon in the cluster

The managed addon can only be enabled if the cluster is a Fargate cluster or if the cluster uses the default node group, otherwise the self-managed addon is used.

resolveConflictsOnCreate "NONE" | "OVERWRITE"

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

resolveConflictsOnUpdate "NONE" | "OVERWRITE" | "PRESERVE"

version String

The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

CreationRoleProvider, CreationRoleProviderArgs

Provider Pulumi.Aws.Provider: This type is defined in the pulumi package.
Role Pulumi.Aws.Iam.Role: This type is defined in the AWS Classic package.

Provider Provider: This type is defined in the pulumi package.
Role Role: This type is defined in the AWS Classic package.

provider Provider: This type is defined in the pulumi package.
role Role: This type is defined in the AWS Classic package.

provider pulumiAwsProvider: This type is defined in the pulumi package.
role pulumiAwsiamRole: This type is defined in the AWS Classic package.

provider pulumi_aws.Provider: This type is defined in the pulumi package.
role pulumi_aws.iam.Role: This type is defined in the AWS Classic package.

provider pulumi:providers:aws: This type is defined in the pulumi package.
role aws:iam:Role: This type is defined in the AWS Classic package.

FargateProfile, FargateProfileArgs

PodExecutionRoleArn string: Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
Selectors List<Pulumi.Aws.Eks.Inputs.FargateProfileSelector>: Specify the namespace and label selectors to use for launching pods into Fargate.
SubnetIds List<string>: Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

PodExecutionRoleArn string: Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
Selectors FargateProfileSelector: Specify the namespace and label selectors to use for launching pods into Fargate.
SubnetIds []string: Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

podExecutionRoleArn String: Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
selectors List<FargateProfileSelector>: Specify the namespace and label selectors to use for launching pods into Fargate.
subnetIds List<String>: Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

podExecutionRoleArn string: Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
selectors pulumiAwstypesinputeksFargateProfileSelector[]: Specify the namespace and label selectors to use for launching pods into Fargate.
subnetIds string[]: Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

pod_execution_role_arn str: Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
selectors Sequence[pulumi_aws.eks.FargateProfileSelectorArgs]: Specify the namespace and label selectors to use for launching pods into Fargate.
subnet_ids Sequence[str]: Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

podExecutionRoleArn String: Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
selectors List<Property Map>: Specify the namespace and label selectors to use for launching pods into Fargate.
subnetIds List<String>: Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

KubeProxyAddonOptions, KubeProxyAddonOptionsArgs

ConfigurationValues Dictionary<string, object>: Custom configuration values for the kube-proxy addon. This object must match the schema derived from describe-addon-configuration.
Enabled bool: Whether or not to create the kube-proxy Addon in the cluster. Defaults to true, unless autoMode is enabled.
ResolveConflictsOnCreate Pulumi.Eks.ResolveConflictsOnCreate: How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.
ResolveConflictsOnUpdate Pulumi.Eks.ResolveConflictsOnUpdate: How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are NONE, OVERWRITE, and PRESERVE. For more details see the UpdateAddon API Docs.
Version string: The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

ConfigurationValues map[string]interface{}: Custom configuration values for the kube-proxy addon. This object must match the schema derived from describe-addon-configuration.
Enabled bool: Whether or not to create the kube-proxy Addon in the cluster. Defaults to true, unless autoMode is enabled.
ResolveConflictsOnCreate ResolveConflictsOnCreate: How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.
ResolveConflictsOnUpdate ResolveConflictsOnUpdate: How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are NONE, OVERWRITE, and PRESERVE. For more details see the UpdateAddon API Docs.
Version string: The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

configurationValues Map<String,Object>: Custom configuration values for the kube-proxy addon. This object must match the schema derived from describe-addon-configuration.
enabled Boolean: Whether or not to create the kube-proxy Addon in the cluster. Defaults to true, unless autoMode is enabled.
resolveConflictsOnCreate ResolveConflictsOnCreate: How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.
resolveConflictsOnUpdate ResolveConflictsOnUpdate: How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are NONE, OVERWRITE, and PRESERVE. For more details see the UpdateAddon API Docs.
version String: The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

configurationValues {[key: string]: any}: Custom configuration values for the kube-proxy addon. This object must match the schema derived from describe-addon-configuration.
enabled boolean: Whether or not to create the kube-proxy Addon in the cluster. Defaults to true, unless autoMode is enabled.
resolveConflictsOnCreate ResolveConflictsOnCreate: How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.
resolveConflictsOnUpdate ResolveConflictsOnUpdate: How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are NONE, OVERWRITE, and PRESERVE. For more details see the UpdateAddon API Docs.
version string: The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

configuration_values Mapping[str, Any]: Custom configuration values for the kube-proxy addon. This object must match the schema derived from describe-addon-configuration.
enabled bool: Whether or not to create the kube-proxy Addon in the cluster. Defaults to true, unless autoMode is enabled.
resolve_conflicts_on_create ResolveConflictsOnCreate: How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.
resolve_conflicts_on_update ResolveConflictsOnUpdate: How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are NONE, OVERWRITE, and PRESERVE. For more details see the UpdateAddon API Docs.
version str: The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

configurationValues Map<Any>: Custom configuration values for the kube-proxy addon. This object must match the schema derived from describe-addon-configuration.
enabled Boolean: Whether or not to create the kube-proxy Addon in the cluster. Defaults to true, unless autoMode is enabled.
resolveConflictsOnCreate "NONE" | "OVERWRITE": How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.
resolveConflictsOnUpdate "NONE" | "OVERWRITE" | "PRESERVE": How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are NONE, OVERWRITE, and PRESERVE. For more details see the UpdateAddon API Docs.
version String: The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions.

KubeconfigOptions, KubeconfigOptionsArgs

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName String

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn String

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profile_name str

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

role_arn str

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName String

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn String

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

NodeGroupData, NodeGroupDataArgs

AutoScalingGroup Pulumi.Aws.AutoScaling.Group: The AutoScalingGroup for the node group. This type is defined in the AWS Classic package.
ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>: The additional security groups for the node group that captures user-specific rules.
NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup: The security group for the node group to communicate with the cluster. This type is defined in the AWS Classic package.

AutoScalingGroup Group: The AutoScalingGroup for the node group. This type is defined in the AWS Classic package.
ExtraNodeSecurityGroups SecurityGroup: The additional security groups for the node group that captures user-specific rules.
NodeSecurityGroup SecurityGroup: The security group for the node group to communicate with the cluster. This type is defined in the AWS Classic package.

autoScalingGroup Group: The AutoScalingGroup for the node group. This type is defined in the AWS Classic package.
extraNodeSecurityGroups List<SecurityGroup>: The additional security groups for the node group that captures user-specific rules.
nodeSecurityGroup SecurityGroup: The security group for the node group to communicate with the cluster. This type is defined in the AWS Classic package.

autoScalingGroup pulumiAwsautoscalingGroup: The AutoScalingGroup for the node group. This type is defined in the AWS Classic package.
extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]: The additional security groups for the node group that captures user-specific rules.
nodeSecurityGroup pulumiAwsec2SecurityGroup: The security group for the node group to communicate with the cluster. This type is defined in the AWS Classic package.

auto_scaling_group pulumi_aws.autoscaling.Group: The AutoScalingGroup for the node group. This type is defined in the AWS Classic package.
extra_node_security_groups Sequence[pulumi_aws.ec2.SecurityGroup]: The additional security groups for the node group that captures user-specific rules.
node_security_group pulumi_aws.ec2.SecurityGroup: The security group for the node group to communicate with the cluster. This type is defined in the AWS Classic package.

autoScalingGroup aws:autoscaling:Group: The AutoScalingGroup for the node group. This type is defined in the AWS Classic package.
extraNodeSecurityGroups List<aws:ec2:SecurityGroup>: The additional security groups for the node group that captures user-specific rules.
nodeSecurityGroup aws:ec2:SecurityGroup: The security group for the node group to communicate with the cluster. This type is defined in the AWS Classic package.

NodeadmOptions, NodeadmOptionsArgs

Content string: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
ContentType string: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

Content string: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
ContentType string: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

content String: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType String: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

content string: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType string: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

content str: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
content_type str: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

content String: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType String: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

OperatingSystem, OperatingSystemArgs

AL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

OperatingSystemAL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

OperatingSystemAL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

OperatingSystemBottlerocket

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

OperatingSystemRECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

BOTTLEROCKET

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

"AL2"

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

"AL2023"

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

"Bottlerocket"

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

"AL2023"

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

ResolveConflictsOnCreate, ResolveConflictsOnCreateArgs

None: NONEIf the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
Overwrite: OVERWRITEIf the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.

ResolveConflictsOnCreateNone: NONEIf the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
ResolveConflictsOnCreateOverwrite: OVERWRITEIf the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.

None: NONEIf the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
Overwrite: OVERWRITEIf the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.

None: NONEIf the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
Overwrite: OVERWRITEIf the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.

NONE: NONEIf the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
OVERWRITE: OVERWRITEIf the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.

"NONE": NONEIf the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
"OVERWRITE": OVERWRITEIf the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.

ResolveConflictsOnUpdate, ResolveConflictsOnUpdateArgs

None: NONEAmazon EKS doesn't change the value. The update might fail.
Overwrite: OVERWRITEAmazon EKS overwrites the changed value back to the Amazon EKS default value.
Preserve: PRESERVEAmazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.

ResolveConflictsOnUpdateNone: NONEAmazon EKS doesn't change the value. The update might fail.
ResolveConflictsOnUpdateOverwrite: OVERWRITEAmazon EKS overwrites the changed value back to the Amazon EKS default value.
ResolveConflictsOnUpdatePreserve: PRESERVEAmazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.

None: NONEAmazon EKS doesn't change the value. The update might fail.
Overwrite: OVERWRITEAmazon EKS overwrites the changed value back to the Amazon EKS default value.
Preserve: PRESERVEAmazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.

None: NONEAmazon EKS doesn't change the value. The update might fail.
Overwrite: OVERWRITEAmazon EKS overwrites the changed value back to the Amazon EKS default value.
Preserve: PRESERVEAmazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.

NONE: NONEAmazon EKS doesn't change the value. The update might fail.
OVERWRITE: OVERWRITEAmazon EKS overwrites the changed value back to the Amazon EKS default value.
PRESERVE: PRESERVEAmazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.

"NONE": NONEAmazon EKS doesn't change the value. The update might fail.
"OVERWRITE": OVERWRITEAmazon EKS overwrites the changed value back to the Amazon EKS default value.
"PRESERVE": PRESERVEAmazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.

RoleMapping, RoleMappingArgs

Groups List<string>: A list of groups within Kubernetes to which the role is mapped.
RoleArn string: The ARN of the IAM role to add.
Username string: The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

Groups []string: A list of groups within Kubernetes to which the role is mapped.
RoleArn string: The ARN of the IAM role to add.
Username string: The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

groups List<String>: A list of groups within Kubernetes to which the role is mapped.
roleArn String: The ARN of the IAM role to add.
username String: The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

groups string[]: A list of groups within Kubernetes to which the role is mapped.
roleArn string: The ARN of the IAM role to add.
username string: The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

groups Sequence[str]: A list of groups within Kubernetes to which the role is mapped.
role_arn str: The ARN of the IAM role to add.
username str: The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

groups List<String>: A list of groups within Kubernetes to which the role is mapped.
roleArn String: The ARN of the IAM role to add.
username String: The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

StorageClass, StorageClassArgs

Type string

The EBS volume type.

AllowVolumeExpansion bool

AllowVolumeExpansion shows whether the storage class allow volume expand.

Default bool

True if this storage class should be a default storage class for the cluster.

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

Encrypted bool

Denotes whether the EBS volume should be encrypted.

IopsPerGb int

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

KmsKeyId string

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

Metadata Pulumi.Kubernetes.Types.Inputs.Meta.V1.ObjectMeta

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata This type is defined in the Kubernetes package.

MountOptions List<string>

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

ReclaimPolicy string

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

VolumeBindingMode string

VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

Zones List<string>

The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.

Type string

The EBS volume type.

AllowVolumeExpansion bool

AllowVolumeExpansion shows whether the storage class allow volume expand.

Default bool

True if this storage class should be a default storage class for the cluster.

Encrypted bool

Denotes whether the EBS volume should be encrypted.

IopsPerGb int

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

KmsKeyId string

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

Metadata ObjectMeta

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata This type is defined in the Kubernetes package.

MountOptions []string

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

ReclaimPolicy string

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

VolumeBindingMode string

Zones []string

type String

The EBS volume type.

allowVolumeExpansion Boolean

AllowVolumeExpansion shows whether the storage class allow volume expand.

default_ Boolean

True if this storage class should be a default storage class for the cluster.

encrypted Boolean

Denotes whether the EBS volume should be encrypted.

iopsPerGb Integer

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

kmsKeyId String

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

metadata ObjectMeta

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata This type is defined in the Kubernetes package.

mountOptions List<String>

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

reclaimPolicy String

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

volumeBindingMode String

zones List<String>

type string

The EBS volume type.

allowVolumeExpansion boolean

AllowVolumeExpansion shows whether the storage class allow volume expand.

default boolean

True if this storage class should be a default storage class for the cluster.

encrypted boolean

Denotes whether the EBS volume should be encrypted.

iopsPerGb number

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

kmsKeyId string

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

metadata pulumiKubernetestypesinputmetav1ObjectMeta

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata This type is defined in the Kubernetes package.

mountOptions string[]

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

reclaimPolicy string

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

volumeBindingMode string

zones string[]

type str

The EBS volume type.

allow_volume_expansion bool

AllowVolumeExpansion shows whether the storage class allow volume expand.

default bool

True if this storage class should be a default storage class for the cluster.

encrypted bool

Denotes whether the EBS volume should be encrypted.

iops_per_gb int

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

kms_key_id str

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

metadata pulumi_kubernetes.meta.v1.ObjectMetaArgs

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata This type is defined in the Kubernetes package.

mount_options Sequence[str]

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

reclaim_policy str

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

volume_binding_mode str

zones Sequence[str]

type String

The EBS volume type.

allowVolumeExpansion Boolean

AllowVolumeExpansion shows whether the storage class allow volume expand.

default Boolean

True if this storage class should be a default storage class for the cluster.

encrypted Boolean

Denotes whether the EBS volume should be encrypted.

iopsPerGb Number

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

kmsKeyId String

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

metadata Property Map

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata This type is defined in the Kubernetes package.

mountOptions List<String>

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

reclaimPolicy String

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

volumeBindingMode String

zones List<String>

Taint, TaintArgs

Effect string: The effect of the taint.
Value string: The value of the taint.

Effect string: The effect of the taint.
Value string: The value of the taint.

effect String: The effect of the taint.
value String: The value of the taint.

effect string: The effect of the taint.
value string: The value of the taint.

effect str: The effect of the taint.
value str: The value of the taint.

effect String: The effect of the taint.
value String: The value of the taint.

UserMapping, UserMappingArgs

Groups List<string>: A list of groups within Kubernetes to which the user is mapped to.
UserArn string: The ARN of the IAM user to add.
Username string: The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

Groups []string: A list of groups within Kubernetes to which the user is mapped to.
UserArn string: The ARN of the IAM user to add.
Username string: The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

groups List<String>: A list of groups within Kubernetes to which the user is mapped to.
userArn String: The ARN of the IAM user to add.
username String: The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

groups string[]: A list of groups within Kubernetes to which the user is mapped to.
userArn string: The ARN of the IAM user to add.
username string: The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

groups Sequence[str]: A list of groups within Kubernetes to which the user is mapped to.
user_arn str: The ARN of the IAM user to add.
username str: The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

groups List<String>: A list of groups within Kubernetes to which the user is mapped to.
userArn String: The ARN of the IAM user to add.
username String: The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

VpcCniOptions, VpcCniOptionsArgs

AddonVersion string

The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used.

CniConfigureRpfilter bool

Specifies whether ipamd should configure rp filter for primary interface. Default is false.

CniCustomNetworkCfg bool

Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false

CniExternalSnat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false

ConfigurationValues Dictionary<string, object>

Custom configuration values for the vpc-cni addon. This object must match the schema derived from describe-addon-configuration.

CustomNetworkConfig bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

DisableTcpEarlyDemux bool

Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

EnableNetworkPolicy bool

Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. Communication can be restricted with Kubernetes NetworkPolicy objects.

See for more information: Kubernetes Network Policies.

EnablePodEni bool

Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.

EnablePrefixDelegation bool

IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

EniConfigLabelDef string

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Defaults to the official AWS CNI image in ECR.

EniMtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

ExternalSnat bool

Defaults to false.

LogFile string

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

LogLevel string

Specifies the log level used for logs.

Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

NodePortSupport bool

Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

Defaults to true.

ResolveConflictsOnCreate Pulumi.Eks.ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

ResolveConflictsOnUpdate Pulumi.Eks.ResolveConflictsOnUpdate

SecurityContextPrivileged bool

Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

ServiceAccountRoleArn string

The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role.

For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.

Note: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see Enabling IAM roles for service accounts on your cluster in the Amazon EKS User Guide.

VethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

WarmEniTarget int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

WarmIpTarget int

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

WarmPrefixTarget int

WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

AddonVersion string

The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used.

CniConfigureRpfilter bool

Specifies whether ipamd should configure rp filter for primary interface. Default is false.

CniCustomNetworkCfg bool

CniExternalSnat bool

ConfigurationValues map[string]interface{}

Custom configuration values for the vpc-cni addon. This object must match the schema derived from describe-addon-configuration.

CustomNetworkConfig bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

DisableTcpEarlyDemux bool

Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

EnableNetworkPolicy bool

Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. Communication can be restricted with Kubernetes NetworkPolicy objects.

See for more information: Kubernetes Network Policies.

EnablePodEni bool

EnablePrefixDelegation bool

IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

EniConfigLabelDef string

Defaults to the official AWS CNI image in ECR.

EniMtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

ExternalSnat bool

Defaults to false.

LogFile string

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

LogLevel string

Specifies the log level used for logs.

Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

NodePortSupport bool

Defaults to true.

ResolveConflictsOnCreate ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

ResolveConflictsOnUpdate ResolveConflictsOnUpdate

SecurityContextPrivileged bool

Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

ServiceAccountRoleArn string

For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.

VethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

WarmEniTarget int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

WarmIpTarget int

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

WarmPrefixTarget int

addonVersion String

The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used.

cniConfigureRpfilter Boolean

Specifies whether ipamd should configure rp filter for primary interface. Default is false.

cniCustomNetworkCfg Boolean

cniExternalSnat Boolean

configurationValues Map<String,Object>

Custom configuration values for the vpc-cni addon. This object must match the schema derived from describe-addon-configuration.

customNetworkConfig Boolean

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

disableTcpEarlyDemux Boolean

Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

enableNetworkPolicy Boolean

Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. Communication can be restricted with Kubernetes NetworkPolicy objects.

See for more information: Kubernetes Network Policies.

enablePodEni Boolean

enablePrefixDelegation Boolean

IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

eniConfigLabelDef String

Defaults to the official AWS CNI image in ECR.

eniMtu Integer

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

externalSnat Boolean

Defaults to false.

logFile String

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

logLevel String

Specifies the log level used for logs.

Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

nodePortSupport Boolean

Defaults to true.

resolveConflictsOnCreate ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

resolveConflictsOnUpdate ResolveConflictsOnUpdate

securityContextPrivileged Boolean

Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

serviceAccountRoleArn String

For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.

vethPrefix String

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

warmEniTarget Integer

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warmIpTarget Integer

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

warmPrefixTarget Integer

addonVersion string

The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used.

cniConfigureRpfilter boolean

Specifies whether ipamd should configure rp filter for primary interface. Default is false.

cniCustomNetworkCfg boolean

cniExternalSnat boolean

configurationValues {[key: string]: any}

Custom configuration values for the vpc-cni addon. This object must match the schema derived from describe-addon-configuration.

customNetworkConfig boolean

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

disableTcpEarlyDemux boolean

Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

enableNetworkPolicy boolean

Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. Communication can be restricted with Kubernetes NetworkPolicy objects.

See for more information: Kubernetes Network Policies.

enablePodEni boolean

enablePrefixDelegation boolean

IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

eniConfigLabelDef string

Defaults to the official AWS CNI image in ECR.

eniMtu number

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

externalSnat boolean

Defaults to false.

logFile string

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

logLevel string

Specifies the log level used for logs.

Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

nodePortSupport boolean

Defaults to true.

resolveConflictsOnCreate ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

resolveConflictsOnUpdate ResolveConflictsOnUpdate

securityContextPrivileged boolean

Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

serviceAccountRoleArn string

For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.

vethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

warmEniTarget number

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warmIpTarget number

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

warmPrefixTarget number

addon_version str

The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used.

cni_configure_rpfilter bool

Specifies whether ipamd should configure rp filter for primary interface. Default is false.

cni_custom_network_cfg bool

cni_external_snat bool

configuration_values Mapping[str, Any]

Custom configuration values for the vpc-cni addon. This object must match the schema derived from describe-addon-configuration.

custom_network_config bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

disable_tcp_early_demux bool

Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

enable_network_policy bool

Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. Communication can be restricted with Kubernetes NetworkPolicy objects.

See for more information: Kubernetes Network Policies.

enable_pod_eni bool

enable_prefix_delegation bool

IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

eni_config_label_def str

Defaults to the official AWS CNI image in ECR.

eni_mtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

external_snat bool

Defaults to false.

log_file str

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

log_level str

Specifies the log level used for logs.

Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

node_port_support bool

Defaults to true.

resolve_conflicts_on_create ResolveConflictsOnCreate

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

resolve_conflicts_on_update ResolveConflictsOnUpdate

security_context_privileged bool

Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

service_account_role_arn str

For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.

veth_prefix str

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

warm_eni_target int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warm_ip_target int

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

warm_prefix_target int

addonVersion String

The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used.

cniConfigureRpfilter Boolean

Specifies whether ipamd should configure rp filter for primary interface. Default is false.

cniCustomNetworkCfg Boolean

cniExternalSnat Boolean

configurationValues Map<Any>

Custom configuration values for the vpc-cni addon. This object must match the schema derived from describe-addon-configuration.

customNetworkConfig Boolean

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

disableTcpEarlyDemux Boolean

Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

enableNetworkPolicy Boolean

Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. Communication can be restricted with Kubernetes NetworkPolicy objects.

See for more information: Kubernetes Network Policies.

enablePodEni Boolean

enablePrefixDelegation Boolean

IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

eniConfigLabelDef String

Defaults to the official AWS CNI image in ECR.

eniMtu Number

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

externalSnat Boolean

Defaults to false.

logFile String

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

logLevel String

Specifies the log level used for logs.

Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

nodePortSupport Boolean

Defaults to true.

resolveConflictsOnCreate "NONE" | "OVERWRITE"

How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs.

resolveConflictsOnUpdate "NONE" | "OVERWRITE" | "PRESERVE"

securityContextPrivileged Boolean

Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

serviceAccountRoleArn String

For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.

vethPrefix String

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

warmEniTarget Number

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warmIpTarget Number

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

warmPrefixTarget Number

Package Details

Repository: Amazon EKS pulumi/pulumi-eks
License: Apache-2.0

Amazon EKS v3.9.1 published on Monday, May 5, 2025 by Pulumi

pulumi/pulumi-eks

eks.Cluster

On this page

On this page

Example Usage

Provisioning a New EKS Cluster

Create Cluster Resource

Constructor syntax

Parameters

Cluster Resource Properties

Inputs

Outputs

Cluster Resource Methods

GetKubeconfig Method

Using GetKubeconfig

GetKubeconfig Result

Supporting Types

AccessEntry, AccessEntryArgs

AccessEntryType, AccessEntryTypeArgs

AccessPolicyAssociation, AccessPolicyAssociationArgs

AuthenticationMode, AuthenticationModeArgs

AutoModeOptions, AutoModeOptionsArgs

ClusterComputeConfig, ClusterComputeConfigArgs

ClusterNodeGroupOptions, ClusterNodeGroupOptionsArgs

CoreData, CoreDataArgs

CoreDnsAddonOptions, CoreDnsAddonOptionsArgs

CreationRoleProvider, CreationRoleProviderArgs

FargateProfile, FargateProfileArgs

KubeProxyAddonOptions, KubeProxyAddonOptionsArgs

KubeconfigOptions, KubeconfigOptionsArgs

NodeGroupData, NodeGroupDataArgs

NodeadmOptions, NodeadmOptionsArgs

OperatingSystem, OperatingSystemArgs

ResolveConflictsOnCreate, ResolveConflictsOnCreateArgs

ResolveConflictsOnUpdate, ResolveConflictsOnUpdateArgs

RoleMapping, RoleMappingArgs

StorageClass, StorageClassArgs

Taint, TaintArgs

UserMapping, UserMappingArgs

VpcCniOptions, VpcCniOptionsArgs

Package Details

On this page

On this page