Welcome to Pulumi Registry, your window into the cloud. Read the announcement.

Amazon EKS

v0.35.0 published on Wednesday, Nov 10, 2021 by Pulumi

Cluster

Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.

Create a Cluster Resource

new Cluster(name: string, args?: ClusterArgs, opts?: CustomResourceOptions);
@overload
def Cluster(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            cluster_security_group: Optional[pulumi_aws.ec2.SecurityGroup] = None,
            cluster_security_group_tags: Optional[Mapping[str, str]] = None,
            cluster_tags: Optional[Mapping[str, str]] = None,
            create_oidc_provider: Optional[bool] = None,
            creation_role_provider: Optional[CreationRoleProviderArgs] = None,
            desired_capacity: Optional[int] = None,
            enabled_cluster_log_types: Optional[Sequence[str]] = None,
            encrypt_root_block_device: Optional[bool] = None,
            encryption_config_key_arn: Optional[str] = None,
            endpoint_private_access: Optional[bool] = None,
            endpoint_public_access: Optional[bool] = None,
            fargate: Optional[Union[bool, FargateProfileArgs]] = None,
            gpu: Optional[bool] = None,
            instance_profile_name: Optional[str] = None,
            instance_role: Optional[pulumi_aws.iam.Role] = None,
            instance_roles: Optional[Sequence[pulumi_aws.iam.Role]] = None,
            instance_type: Optional[str] = None,
            kubernetes_service_ip_address_range: Optional[str] = None,
            max_size: Optional[int] = None,
            min_size: Optional[int] = None,
            name: Optional[str] = None,
            node_ami_id: Optional[str] = None,
            node_associate_public_ip_address: Optional[bool] = None,
            node_group_options: Optional[ClusterNodeGroupOptionsArgs] = None,
            node_public_key: Optional[str] = None,
            node_root_volume_size: Optional[int] = None,
            node_security_group_tags: Optional[Mapping[str, str]] = None,
            node_subnet_ids: Optional[Sequence[str]] = None,
            node_user_data: Optional[str] = None,
            private_subnet_ids: Optional[Sequence[str]] = None,
            provider_credential_opts: Optional[KubeconfigOptionsArgs] = None,
            proxy: Optional[str] = None,
            public_access_cidrs: Optional[Sequence[str]] = None,
            public_subnet_ids: Optional[Sequence[str]] = None,
            role_mappings: Optional[Sequence[RoleMappingArgs]] = None,
            service_role: Optional[pulumi_aws.iam.Role] = None,
            skip_default_node_group: Optional[bool] = None,
            storage_classes: Optional[Union[str, Mapping[str, StorageClassArgs]]] = None,
            subnet_ids: Optional[Sequence[str]] = None,
            tags: Optional[Mapping[str, str]] = None,
            use_default_vpc_cni: Optional[bool] = None,
            user_mappings: Optional[Sequence[UserMappingArgs]] = None,
            version: Optional[str] = None,
            vpc_cni_options: Optional[VpcCniOptionsArgs] = None,
            vpc_id: Optional[str] = None)
@overload
def Cluster(resource_name: str,
            args: Optional[ClusterArgs] = None,
            opts: Optional[ResourceOptions] = None)
func NewCluster(ctx *Context, name string, args *ClusterArgs, opts ...ResourceOption) (*Cluster, error)
public Cluster(string name, ClusterArgs? args = null, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Cluster Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Cluster resource accepts the following input properties:

ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup
The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.
ClusterSecurityGroupTags Dictionary<string, string>
The tags to apply to the cluster security group.
ClusterTags Dictionary<string, string>
The tags to apply to the EKS cluster.
CreateOidcProvider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

CreationRoleProvider CreationRoleProviderArgs
The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
DesiredCapacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
EnabledClusterLogTypes List<string>
Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: [“api”, “audit”, “authenticator”, “controllerManager”, “scheduler”]. By default it is off.
EncryptRootBlockDevice bool
Encrypt the root block device of the nodes in the node group.
EncryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

EndpointPrivateAccess bool
Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.
EndpointPublicAccess bool
Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.
Fargate bool | FargateProfileArgs
Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.
Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

InstanceProfileName string
The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
InstanceRole Pulumi.Aws.Iam.Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceRoles List<Pulumi.Aws.Iam.Role>

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceType string
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
KubernetesServiceIpAddressRange string

The CIDR block to assign Kubernetes service IP addresses from. If you don’t specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
  • Doesn’t overlap with any CIDR block assigned to the VPC that you selected for VPC.
  • Between /24 and /12.
MaxSize int
The maximum number of worker nodes running in the cluster. Defaults to 2.
MinSize int
The minimum number of worker nodes running in the cluster. Defaults to 1.
Name string

The cluster’s physical resource name.

If not specified, the default is to use auto-naming for the cluster’s name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

NodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

NodeAssociatePublicIpAddress bool
Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
NodeGroupOptions ClusterNodeGroupOptionsArgs
The common configuration settings for NodeGroups.
NodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
NodeRootVolumeSize int
The size in GiB of a cluster node’s root volume. Defaults to 20.
NodeSecurityGroupTags Dictionary<string, string>

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

NodeSubnetIds List<string>
The subnets to use for worker nodes. Defaults to the value of subnetIds.
NodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
PrivateSubnetIds List<string>

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also consider setting nodeAssociatePublicIpAddress: true for fully private workers.

ProviderCredentialOpts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster’s kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

Proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

PublicAccessCidrs List<string>
Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.
PublicSubnetIds List<string>

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

RoleMappings List<RoleMappingArgs>
Optional mappings from AWS IAM roles to Kubernetes users and groups.
ServiceRole Pulumi.Aws.Iam.Role
IAM Service Role for EKS to use to manage the cluster.
SkipDefaultNodeGroup bool
If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.
StorageClasses string | Dictionary<string, StorageClassArgs>

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

SubnetIds List<string>

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Tags Dictionary<string, string>
Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.
UseDefaultVpcCni bool
Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.
UserMappings List<UserMappingArgs>
Optional mappings from AWS IAM users to Kubernetes users and groups.
Version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
VpcCniOptions VpcCniOptionsArgs
The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.
VpcId string
The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.
ClusterSecurityGroup SecurityGroup
The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.
ClusterSecurityGroupTags map[string]string
The tags to apply to the cluster security group.
ClusterTags map[string]string
The tags to apply to the EKS cluster.
CreateOidcProvider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

CreationRoleProvider CreationRoleProviderArgs
The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
DesiredCapacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
EnabledClusterLogTypes []string
Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: [“api”, “audit”, “authenticator”, “controllerManager”, “scheduler”]. By default it is off.
EncryptRootBlockDevice bool
Encrypt the root block device of the nodes in the node group.
EncryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

EndpointPrivateAccess bool
Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.
EndpointPublicAccess bool
Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.
Fargate bool | FargateProfileArgs
Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.
Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

InstanceProfileName string
The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
InstanceRole Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceRoles Role

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceType string
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
KubernetesServiceIpAddressRange string

The CIDR block to assign Kubernetes service IP addresses from. If you don’t specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
  • Doesn’t overlap with any CIDR block assigned to the VPC that you selected for VPC.
  • Between /24 and /12.
MaxSize int
The maximum number of worker nodes running in the cluster. Defaults to 2.
MinSize int
The minimum number of worker nodes running in the cluster. Defaults to 1.
Name string

The cluster’s physical resource name.

If not specified, the default is to use auto-naming for the cluster’s name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

NodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

NodeAssociatePublicIpAddress bool
Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
NodeGroupOptions ClusterNodeGroupOptionsArgs
The common configuration settings for NodeGroups.
NodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
NodeRootVolumeSize int
The size in GiB of a cluster node’s root volume. Defaults to 20.
NodeSecurityGroupTags map[string]string

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

NodeSubnetIds []string
The subnets to use for worker nodes. Defaults to the value of subnetIds.
NodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
PrivateSubnetIds []string

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also consider setting nodeAssociatePublicIpAddress: true for fully private workers.

ProviderCredentialOpts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster’s kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

Proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

PublicAccessCidrs []string
Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.
PublicSubnetIds []string

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

RoleMappings []RoleMappingArgs
Optional mappings from AWS IAM roles to Kubernetes users and groups.
ServiceRole Role
IAM Service Role for EKS to use to manage the cluster.
SkipDefaultNodeGroup bool
If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.
StorageClasses string | map[string]StorageClassArgs

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

SubnetIds []string

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Tags map[string]string
Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.
UseDefaultVpcCni bool
Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.
UserMappings []UserMappingArgs
Optional mappings from AWS IAM users to Kubernetes users and groups.
Version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
VpcCniOptions VpcCniOptionsArgs
The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.
VpcId string
The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.
clusterSecurityGroup pulumiAwsec2SecurityGroup
The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.
clusterSecurityGroupTags {[key: string]: string}
The tags to apply to the cluster security group.
clusterTags {[key: string]: string}
The tags to apply to the EKS cluster.
createOidcProvider boolean

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

creationRoleProvider CreationRoleProviderArgs
The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
desiredCapacity number
The number of worker nodes that should be running in the cluster. Defaults to 2.
enabledClusterLogTypes string[]
Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: [“api”, “audit”, “authenticator”, “controllerManager”, “scheduler”]. By default it is off.
encryptRootBlockDevice boolean
Encrypt the root block device of the nodes in the node group.
encryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

endpointPrivateAccess boolean
Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.
endpointPublicAccess boolean
Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.
fargate boolean | FargateProfileArgs
Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.
gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

instanceProfileName string
The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
instanceRole pulumiAwsiamRole

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceRoles pulumiAwsiamRole[]

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceType string
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
kubernetesServiceIpAddressRange string

The CIDR block to assign Kubernetes service IP addresses from. If you don’t specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
  • Doesn’t overlap with any CIDR block assigned to the VPC that you selected for VPC.
  • Between /24 and /12.
maxSize number
The maximum number of worker nodes running in the cluster. Defaults to 2.
minSize number
The minimum number of worker nodes running in the cluster. Defaults to 1.
name string

The cluster’s physical resource name.

If not specified, the default is to use auto-naming for the cluster’s name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

nodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

nodeAssociatePublicIpAddress boolean
Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
nodeGroupOptions ClusterNodeGroupOptionsArgs
The common configuration settings for NodeGroups.
nodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
nodeRootVolumeSize number
The size in GiB of a cluster node’s root volume. Defaults to 20.
nodeSecurityGroupTags {[key: string]: string}

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

nodeSubnetIds string[]
The subnets to use for worker nodes. Defaults to the value of subnetIds.
nodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
privateSubnetIds string[]

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also consider setting nodeAssociatePublicIpAddress: true for fully private workers.

providerCredentialOpts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster’s kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

publicAccessCidrs string[]
Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.
publicSubnetIds string[]

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

roleMappings RoleMappingArgs[]
Optional mappings from AWS IAM roles to Kubernetes users and groups.
serviceRole pulumiAwsiamRole
IAM Service Role for EKS to use to manage the cluster.
skipDefaultNodeGroup boolean
If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.
storageClasses string | {[key: string]: StorageClassArgs}

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

subnetIds string[]

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags {[key: string]: string}
Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.
useDefaultVpcCni boolean
Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.
userMappings UserMappingArgs[]
Optional mappings from AWS IAM users to Kubernetes users and groups.
version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
vpcCniOptions VpcCniOptionsArgs
The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.
vpcId string
The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.
cluster_security_group SecurityGroup
The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.
cluster_security_group_tags Mapping[str, str]
The tags to apply to the cluster security group.
cluster_tags Mapping[str, str]
The tags to apply to the EKS cluster.
create_oidc_provider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

creation_role_provider CreationRoleProviderArgs
The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
desired_capacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
enabled_cluster_log_types Sequence[str]
Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: [“api”, “audit”, “authenticator”, “controllerManager”, “scheduler”]. By default it is off.
encrypt_root_block_device bool
Encrypt the root block device of the nodes in the node group.
encryption_config_key_arn str

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

endpoint_private_access bool
Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.
endpoint_public_access bool
Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.
fargate bool | FargateProfileArgs
Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.
gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

instance_profile_name str
The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
instance_role Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

instance_roles Role]

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instance_type str
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
kubernetes_service_ip_address_range str

The CIDR block to assign Kubernetes service IP addresses from. If you don’t specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
  • Doesn’t overlap with any CIDR block assigned to the VPC that you selected for VPC.
  • Between /24 and /12.
max_size int
The maximum number of worker nodes running in the cluster. Defaults to 2.
min_size int
The minimum number of worker nodes running in the cluster. Defaults to 1.
name str

The cluster’s physical resource name.

If not specified, the default is to use auto-naming for the cluster’s name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

node_ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

node_associate_public_ip_address bool
Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
node_group_options ClusterNodeGroupOptionsArgs
The common configuration settings for NodeGroups.
node_public_key str
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
node_root_volume_size int
The size in GiB of a cluster node’s root volume. Defaults to 20.
node_security_group_tags Mapping[str, str]

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

node_subnet_ids Sequence[str]
The subnets to use for worker nodes. Defaults to the value of subnetIds.
node_user_data str
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
private_subnet_ids Sequence[str]

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also consider setting nodeAssociatePublicIpAddress: true for fully private workers.

provider_credential_opts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster’s kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

proxy str

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: ://: Auth Format: ://:@:

Ex:

public_access_cidrs Sequence[str]
Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.
public_subnet_ids Sequence[str]

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

role_mappings Sequence[RoleMappingArgs]
Optional mappings from AWS IAM roles to Kubernetes users and groups.
service_role Role
IAM Service Role for EKS to use to manage the cluster.
skip_default_node_group bool
If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.
storage_classes str | Mapping[str, StorageClassArgs]

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

subnet_ids Sequence[str]

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account’s default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags Mapping[str, str]
Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.
use_default_vpc_cni bool
Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.
user_mappings Sequence[UserMappingArgs]
Optional mappings from AWS IAM users to Kubernetes users and groups.
version str
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
vpc_cni_options VpcCniOptionsArgs
The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.
vpc_id str
The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

Outputs

All input properties are implicitly available as output properties. Additionally, the Cluster resource produces the following output properties:

AwsProvider Pulumi.Aws.Provider
The AWS resource provider.
Core CoreData
The EKS cluster and its dependencies.
EksCluster Pulumi.Aws.Eks.Cluster
The EKS cluster.
EksClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule
The ingress rule that gives node group access to cluster API server.
Id string
The provider-assigned unique ID for this managed resource.
Kubeconfig object
A kubeconfig that can be used to connect to the EKS cluster.
NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup
The security group for the cluster’s nodes.
Provider Pulumi.Kubernetes.Provider
A Kubernetes resource provider that can be used to deploy into this cluster.
DefaultNodeGroup NodeGroupData
The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.
AwsProvider Provider
The AWS resource provider.
Core CoreData
The EKS cluster and its dependencies.
EksCluster Cluster
The EKS cluster.
EksClusterIngressRule SecurityGroupRule
The ingress rule that gives node group access to cluster API server.
Id string
The provider-assigned unique ID for this managed resource.
Kubeconfig interface{}
A kubeconfig that can be used to connect to the EKS cluster.
NodeSecurityGroup SecurityGroup
The security group for the cluster’s nodes.
Provider Provider
A Kubernetes resource provider that can be used to deploy into this cluster.
DefaultNodeGroup NodeGroupData
The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.
awsProvider pulumiAwsProvider
The AWS resource provider.
core CoreData
The EKS cluster and its dependencies.
eksCluster pulumiAwseksCluster
The EKS cluster.
eksClusterIngressRule pulumiAwsec2SecurityGroupRule
The ingress rule that gives node group access to cluster API server.
id string
The provider-assigned unique ID for this managed resource.
kubeconfig any
A kubeconfig that can be used to connect to the EKS cluster.
nodeSecurityGroup pulumiAwsec2SecurityGroup
The security group for the cluster’s nodes.
provider pulumiKubernetesProvider
A Kubernetes resource provider that can be used to deploy into this cluster.
defaultNodeGroup NodeGroupData
The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.
aws_provider Provider
The AWS resource provider.
core CoreData
The EKS cluster and its dependencies.
eks_cluster Cluster
The EKS cluster.
eks_cluster_ingress_rule SecurityGroupRule
The ingress rule that gives node group access to cluster API server.
id str
The provider-assigned unique ID for this managed resource.
kubeconfig Any
A kubeconfig that can be used to connect to the EKS cluster.
node_security_group SecurityGroup
The security group for the cluster’s nodes.
provider Provider
A Kubernetes resource provider that can be used to deploy into this cluster.
default_node_group NodeGroupData
The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

Cluster Resource Methods

GetKubeconfig Method

Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in KubeconfigOptions.

The kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.

See for more details:

Using GetKubeconfig

getKubeconfig(args?: Cluster.GetKubeconfigArgs): Output<Cluster.GetKubeconfigResult>
def get_kubeconfig(self,
                   profile_name: Optional[pulumi.Input[str]] = None,
                   role_arn: Optional[pulumi.Input[str]] = None) -> Output[str]
func (r *Cluster) GetKubeconfig(ctx *Context, args *ClusterGetKubeconfigArgs) (pulumi.StringOutput, error)
public Output<string> GetKubeconfig(Cluster.GetKubeconfigArgs? args)

The following arguments are supported:

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profile_name str

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

role_arn str

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

GetKubeconfig Result

Result string
Result string
result string
result str

Supporting Types

ClusterNodeGroupOptions

AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

AutoScalingGroupTags Dictionary<string, string>

The tags to apply to the NodeGroup’s AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. Fror details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the –apiserver-endpoint, –b64-cluster-ca and –kubelet-extra-args flags are included automatically based on other configuration parameters.
CloudFormationTags Dictionary<string, string>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule
The ingress rule that gives node group access.
DesiredCapacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
EncryptRootBlockDevice bool
Encrypt the root block device of the nodes in the node group.
ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

InstanceProfile Pulumi.Aws.Iam.InstanceProfile
The ingress rule that gives node group access.
InstanceType string
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
KeyName string
Name of the key pair to use for SSH access to worker nodes.
KubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the –kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, ‘–port=10251 –address=0.0.0.0’. Note that the labels and taints properties will be applied to this list (using –node-labels and –register-with-taints respectively) after to the expicit kubeletExtraArgs.
Labels Dictionary<string, string>
Custom k8s node labels to be attached to each woker node. Adds the given key/value pairs to the –node-labels kubelet argument.
MaxSize int
The maximum number of worker nodes running in the cluster. Defaults to 2.
MinSize int
The minimum number of worker nodes running in the cluster. Defaults to 1.
NodeAssociatePublicIpAddress bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
NodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
NodeRootVolumeSize int
The size in GiB of a cluster node’s root volume. Defaults to 20.
NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds List<string>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster’s subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
NodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

SpotPrice string
Bidding price for spot instance. If set, only spot instances will be added as worker node.
Taints Dictionary<string, Taint>
Custom k8s node taints to be attached to each worker node. Adds the given taints to the –register-with-taints kubelet argument
Version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

AutoScalingGroupTags map[string]string

The tags to apply to the NodeGroup’s AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. Fror details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the –apiserver-endpoint, –b64-cluster-ca and –kubelet-extra-args flags are included automatically based on other configuration parameters.
CloudFormationTags map[string]string

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule SecurityGroupRule
The ingress rule that gives node group access.
DesiredCapacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
EncryptRootBlockDevice bool
Encrypt the root block device of the nodes in the node group.
ExtraNodeSecurityGroups SecurityGroup

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

InstanceProfile InstanceProfile
The ingress rule that gives node group access.
InstanceType string
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
KeyName string
Name of the key pair to use for SSH access to worker nodes.
KubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the –kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, ‘–port=10251 –address=0.0.0.0’. Note that the labels and taints properties will be applied to this list (using –node-labels and –register-with-taints respectively) after to the expicit kubeletExtraArgs.
Labels map[string]string
Custom k8s node labels to be attached to each woker node. Adds the given key/value pairs to the –node-labels kubelet argument.
MaxSize int
The maximum number of worker nodes running in the cluster. Defaults to 2.
MinSize int
The minimum number of worker nodes running in the cluster. Defaults to 1.
NodeAssociatePublicIpAddress bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
NodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
NodeRootVolumeSize int
The size in GiB of a cluster node’s root volume. Defaults to 20.
NodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds []string

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster’s subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
NodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

SpotPrice string
Bidding price for spot instance. If set, only spot instances will be added as worker node.
Taints map[string]Taint
Custom k8s node taints to be attached to each worker node. Adds the given taints to the –register-with-taints kubelet argument
Version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
amiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

autoScalingGroupTags {[key: string]: string}

The tags to apply to the NodeGroup’s AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. Fror details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the –apiserver-endpoint, –b64-cluster-ca and –kubelet-extra-args flags are included automatically based on other configuration parameters.
cloudFormationTags {[key: string]: string}

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule pulumiAwsec2SecurityGroupRule
The ingress rule that gives node group access.
desiredCapacity number
The number of worker nodes that should be running in the cluster. Defaults to 2.
encryptRootBlockDevice boolean
Encrypt the root block device of the nodes in the node group.
extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

instanceProfile pulumiAwsiamInstanceProfile
The ingress rule that gives node group access.
instanceType string
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
keyName string
Name of the key pair to use for SSH access to worker nodes.
kubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the –kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, ‘–port=10251 –address=0.0.0.0’. Note that the labels and taints properties will be applied to this list (using –node-labels and –register-with-taints respectively) after to the expicit kubeletExtraArgs.
labels {[key: string]: string}
Custom k8s node labels to be attached to each woker node. Adds the given key/value pairs to the –node-labels kubelet argument.
maxSize number
The maximum number of worker nodes running in the cluster. Defaults to 2.
minSize number
The minimum number of worker nodes running in the cluster. Defaults to 1.
nodeAssociatePublicIpAddress boolean
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
nodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
nodeRootVolumeSize number
The size in GiB of a cluster node’s root volume. Defaults to 20.
nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds string[]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster’s subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
nodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

spotPrice string
Bidding price for spot instance. If set, only spot instances will be added as worker node.
taints {[key: string]: Taint}
Custom k8s node taints to be attached to each worker node. Adds the given taints to the –register-with-taints kubelet argument
version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

auto_scaling_group_tags Mapping[str, str]

The tags to apply to the NodeGroup’s AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrap_extra_args str
Additional args to pass directly to /etc/eks/bootstrap.sh. Fror details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the –apiserver-endpoint, –b64-cluster-ca and –kubelet-extra-args flags are included automatically based on other configuration parameters.
cloud_formation_tags Mapping[str, str]

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

cluster_ingress_rule SecurityGroupRule
The ingress rule that gives node group access.
desired_capacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
encrypt_root_block_device bool
Encrypt the root block device of the nodes in the node group.
extra_node_security_groups SecurityGroup]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

instance_profile InstanceProfile
The ingress rule that gives node group access.
instance_type str
The instance type to use for the cluster’s nodes. Defaults to “t2.medium”.
key_name str
Name of the key pair to use for SSH access to worker nodes.
kubelet_extra_args str
Extra args to pass to the Kubelet. Corresponds to the options passed in the –kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, ‘–port=10251 –address=0.0.0.0’. Note that the labels and taints properties will be applied to this list (using –node-labels and –register-with-taints respectively) after to the expicit kubeletExtraArgs.
labels Mapping[str, str]
Custom k8s node labels to be attached to each woker node. Adds the given key/value pairs to the –node-labels kubelet argument.
max_size int
The maximum number of worker nodes running in the cluster. Defaults to 2.
min_size int
The minimum number of worker nodes running in the cluster. Defaults to 1.
node_associate_public_ip_address bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
node_public_key str
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
node_root_volume_size int
The size in GiB of a cluster node’s root volume. Defaults to 20.
node_security_group SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

node_subnet_ids Sequence[str]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster’s subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

node_user_data str
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
node_user_data_override str

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

spot_price str
Bidding price for spot instance. If set, only spot instances will be added as worker node.
taints Mapping[str, Taint]
Custom k8s node taints to be attached to each worker node. Adds the given taints to the –register-with-taints kubelet argument
version str
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

CoreData

Cluster Pulumi.Aws.Eks.Cluster
ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup
Endpoint string
InstanceRoles List<Pulumi.Aws.Iam.Role>
NodeGroupOptions ClusterNodeGroupOptions
Provider Pulumi.Kubernetes.Provider
SubnetIds List<string>
VpcId string
AwsProvider Pulumi.Aws.Provider
EksNodeAccess Pulumi.Kubernetes.Core.V1.ConfigMap
EncryptionConfig Pulumi.Aws.Eks.Inputs.ClusterEncryptionConfig
FargateProfile Pulumi.Aws.Eks.FargateProfile
Kubeconfig object
NodeSecurityGroupTags Dictionary<string, string>
OidcProvider Pulumi.Aws.Iam.OpenIdConnectProvider
PrivateSubnetIds List<string>
PublicSubnetIds List<string>
StorageClasses Dictionary<string, Pulumi.Kubernetes.Storage.V1.StorageClass>
Tags Dictionary<string, string>
VpcCni Pulumi.Eks.VpcCni
Cluster Cluster
ClusterSecurityGroup SecurityGroup
Endpoint string
InstanceRoles Role
NodeGroupOptions ClusterNodeGroupOptions
Provider Provider
SubnetIds []string
VpcId string
AwsProvider Provider
EksNodeAccess ConfigMap
EncryptionConfig ClusterEncryptionConfig
FargateProfile FargateProfile
Kubeconfig interface{}
NodeSecurityGroupTags map[string]string
OidcProvider OpenIdConnectProvider
PrivateSubnetIds []string
PublicSubnetIds []string
StorageClasses StorageClass
Tags map[string]string
VpcCni VpcCni
cluster pulumiAwseksCluster
clusterSecurityGroup pulumiAwsec2SecurityGroup
endpoint string
instanceRoles pulumiAwsiamRole[]
nodeGroupOptions ClusterNodeGroupOptions
provider pulumiKubernetesProvider
subnetIds string[]
vpcId string
awsProvider pulumiAwsProvider
eksNodeAccess pulumiKubernetescorev1ConfigMap
encryptionConfig pulumiAwstypesinputeksClusterEncryptionConfig
fargateProfile pulumiAwseksFargateProfile
kubeconfig any
nodeSecurityGroupTags {[key: string]: string}
oidcProvider pulumiAwsiamOpenIdConnectProvider
privateSubnetIds string[]
publicSubnetIds string[]
storageClasses {[key: string]: pulumiKubernetesstoragev1StorageClass}
tags {[key: string]: string}
vpcCni VpcCni

CreationRoleProvider

Provider Pulumi.Aws.Provider
Role Pulumi.Aws.Iam.Role
Provider Provider
Role Role
provider pulumiAwsProvider
role pulumiAwsiamRole
provider Provider
role Role

FargateProfile

PodExecutionRoleArn string
Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
Selectors List<Pulumi.Aws.Eks.Inputs.FargateProfileSelector>
Specify the namespace and label selectors to use for launching pods into Fargate.
SubnetIds List<string>
Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.
PodExecutionRoleArn string
Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
Selectors FargateProfileSelector
Specify the namespace and label selectors to use for launching pods into Fargate.
SubnetIds []string
Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.
podExecutionRoleArn string
Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
selectors pulumiAwstypesinputeksFargateProfileSelector[]
Specify the namespace and label selectors to use for launching pods into Fargate.
subnetIds string[]
Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.
pod_execution_role_arn str
Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.
selectors FargateProfileSelectorArgs]
Specify the namespace and label selectors to use for launching pods into Fargate.
subnet_ids Sequence[str]
Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

KubeconfigOptions

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profile_name str

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

role_arn str

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

NodeGroupData

AutoScalingGroupName string
The AutoScalingGroup name for the node group.
CfnStack Pulumi.Aws.CloudFormation.Stack
The CloudFormation Stack which defines the Node AutoScalingGroup.
ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>
The additional security groups for the node group that captures user-specific rules.
NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup
The security group for the node group to communicate with the cluster.
AutoScalingGroupName string
The AutoScalingGroup name for the node group.
CfnStack Stack
The CloudFormation Stack which defines the Node AutoScalingGroup.
ExtraNodeSecurityGroups SecurityGroup
The additional security groups for the node group that captures user-specific rules.
NodeSecurityGroup SecurityGroup
The security group for the node group to communicate with the cluster.
autoScalingGroupName string
The AutoScalingGroup name for the node group.
cfnStack pulumiAwscloudformationStack
The CloudFormation Stack which defines the Node AutoScalingGroup.
extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]
The additional security groups for the node group that captures user-specific rules.
nodeSecurityGroup pulumiAwsec2SecurityGroup
The security group for the node group to communicate with the cluster.
auto_scaling_group_name str
The AutoScalingGroup name for the node group.
cfn_stack Stack
The CloudFormation Stack which defines the Node AutoScalingGroup.
extra_node_security_groups SecurityGroup]
The additional security groups for the node group that captures user-specific rules.
node_security_group SecurityGroup
The security group for the node group to communicate with the cluster.

RoleMapping

Groups List<string>
A list of groups within Kubernetes to which the role is mapped.
RoleArn string
The ARN of the IAM role to add.
Username string
The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.
Groups []string
A list of groups within Kubernetes to which the role is mapped.
RoleArn string
The ARN of the IAM role to add.
Username string
The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.
groups string[]
A list of groups within Kubernetes to which the role is mapped.
roleArn string
The ARN of the IAM role to add.
username string
The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.
groups Sequence[str]
A list of groups within Kubernetes to which the role is mapped.
role_arn str
The ARN of the IAM role to add.
username str
The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

StorageClass

Type string
The EBS volume type.
AllowVolumeExpansion bool
AllowVolumeExpansion shows whether the storage class allow volume expand.
Default bool

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

Encrypted bool
Denotes whether the EBS volume should be encrypted.
IopsPerGb int
I/O operations per second per GiB for “io1” volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.
KmsKeyId string
The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.
Metadata Pulumi.Kubernetes.Types.Inputs.Meta.V1.ObjectMeta
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
MountOptions List<string>
Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [“ro”, “soft”]. Not validated - mount of the PVs will simply fail if one is invalid.
ReclaimPolicy string
Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.
VolumeBindingMode string
VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.
Zones List<string>
The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.
Type string
The EBS volume type.
AllowVolumeExpansion bool
AllowVolumeExpansion shows whether the storage class allow volume expand.
Default bool

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

Encrypted bool
Denotes whether the EBS volume should be encrypted.
IopsPerGb int
I/O operations per second per GiB for “io1” volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.
KmsKeyId string
The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.
Metadata ObjectMeta
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
MountOptions []string
Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [“ro”, “soft”]. Not validated - mount of the PVs will simply fail if one is invalid.
ReclaimPolicy string
Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.
VolumeBindingMode string
VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.
Zones []string
The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.
type string
The EBS volume type.
allowVolumeExpansion boolean
AllowVolumeExpansion shows whether the storage class allow volume expand.
default boolean

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

encrypted boolean
Denotes whether the EBS volume should be encrypted.
iopsPerGb number
I/O operations per second per GiB for “io1” volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.
kmsKeyId string
The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.
metadata pulumiKubernetestypesinputmetav1ObjectMeta
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
mountOptions string[]
Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [“ro”, “soft”]. Not validated - mount of the PVs will simply fail if one is invalid.
reclaimPolicy string
Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.
volumeBindingMode string
VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.
zones string[]
The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.
type str
The EBS volume type.
allow_volume_expansion bool
AllowVolumeExpansion shows whether the storage class allow volume expand.
default bool

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

encrypted bool
Denotes whether the EBS volume should be encrypted.
iops_per_gb int
I/O operations per second per GiB for “io1” volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.
kms_key_id str
The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.
metadata ObjectMetaArgs
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
mount_options Sequence[str]
Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [“ro”, “soft”]. Not validated - mount of the PVs will simply fail if one is invalid.
reclaim_policy str
Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.
volume_binding_mode str
VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.
zones Sequence[str]
The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.

Taint

Effect string
The effect of the taint.
Value string
The value of the taint.
Effect string
The effect of the taint.
Value string
The value of the taint.
effect string
The effect of the taint.
value string
The value of the taint.
effect str
The effect of the taint.
value str
The value of the taint.

UserMapping

Groups List<string>
A list of groups within Kubernetes to which the user is mapped to.
UserArn string
The ARN of the IAM user to add.
Username string
The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.
Groups []string
A list of groups within Kubernetes to which the user is mapped to.
UserArn string
The ARN of the IAM user to add.
Username string
The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.
groups string[]
A list of groups within Kubernetes to which the user is mapped to.
userArn string
The ARN of the IAM user to add.
username string
The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.
groups Sequence[str]
A list of groups within Kubernetes to which the user is mapped to.
user_arn str
The ARN of the IAM user to add.
username str
The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

VpcCniOptions

CniConfigureRpfilter bool
Specifies whether ipamd should configure rp filter for primary interface. Default is false.
CniCustomNetworkCfg bool
Specifies that your pods may use subnets and security groups that are independent of your worker node’s VPC configuration. By default, pods share the same subnet and security groups as the worker node’s primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node’s ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false
CniExternalSnat bool
Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false
CustomNetworkConfig bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster’s resourcesVpcConfig.

Defaults to false.

DisableTcpEarlyDemux bool
Allows the kubelet’s liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.
EnablePodEni bool
Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.
EniConfigLabelDef string

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Defaults to the official AWS CNI image in ECR.

EniMtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

ExternalSnat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

Image string

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

InitImage string

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

LogFile string

Specifies the file path used for logs.

Defaults to “stdout” to emit Pod logs for kubectl logs.

LogLevel string

Specifies the log level used for logs.

Defaults to “DEBUG” Valid values: “DEBUG”, “INFO”, “WARN”, “ERROR”, or “FATAL”.

NodePortSupport bool

Specifies whether NodePort services are enabled on a worker node’s primary network interface. This requires additional iptables rules and that the kernel’s reverse path filter on the primary interface is set to loose.

Defaults to true.

SecurityContextPrivileged bool
Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default
VethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to “eni”.

WarmEniTarget int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

WarmIpTarget int
Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.
CniConfigureRpfilter bool
Specifies whether ipamd should configure rp filter for primary interface. Default is false.
CniCustomNetworkCfg bool
Specifies that your pods may use subnets and security groups that are independent of your worker node’s VPC configuration. By default, pods share the same subnet and security groups as the worker node’s primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node’s ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false
CniExternalSnat bool
Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false
CustomNetworkConfig bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster’s resourcesVpcConfig.

Defaults to false.

DisableTcpEarlyDemux bool
Allows the kubelet’s liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.
EnablePodEni bool
Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.
EniConfigLabelDef string

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Defaults to the official AWS CNI image in ECR.

EniMtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

ExternalSnat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

Image string

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

InitImage string

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

LogFile string

Specifies the file path used for logs.

Defaults to “stdout” to emit Pod logs for kubectl logs.

LogLevel string

Specifies the log level used for logs.

Defaults to “DEBUG” Valid values: “DEBUG”, “INFO”, “WARN”, “ERROR”, or “FATAL”.

NodePortSupport bool

Specifies whether NodePort services are enabled on a worker node’s primary network interface. This requires additional iptables rules and that the kernel’s reverse path filter on the primary interface is set to loose.

Defaults to true.

SecurityContextPrivileged bool
Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default
VethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to “eni”.

WarmEniTarget int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

WarmIpTarget int
Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.
cniConfigureRpfilter boolean
Specifies whether ipamd should configure rp filter for primary interface. Default is false.
cniCustomNetworkCfg boolean
Specifies that your pods may use subnets and security groups that are independent of your worker node’s VPC configuration. By default, pods share the same subnet and security groups as the worker node’s primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node’s ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false
cniExternalSnat boolean
Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false
customNetworkConfig boolean

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster’s resourcesVpcConfig.

Defaults to false.

disableTcpEarlyDemux boolean
Allows the kubelet’s liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.
enablePodEni boolean
Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.
eniConfigLabelDef string

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Defaults to the official AWS CNI image in ECR.

eniMtu number

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

externalSnat boolean

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

image string

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

initImage string

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

logFile string

Specifies the file path used for logs.

Defaults to “stdout” to emit Pod logs for kubectl logs.

logLevel string

Specifies the log level used for logs.

Defaults to “DEBUG” Valid values: “DEBUG”, “INFO”, “WARN”, “ERROR”, or “FATAL”.

nodePortSupport boolean

Specifies whether NodePort services are enabled on a worker node’s primary network interface. This requires additional iptables rules and that the kernel’s reverse path filter on the primary interface is set to loose.

Defaults to true.

securityContextPrivileged boolean
Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default
vethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to “eni”.

warmEniTarget number

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warmIpTarget number
Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.
cni_configure_rpfilter bool
Specifies whether ipamd should configure rp filter for primary interface. Default is false.
cni_custom_network_cfg bool
Specifies that your pods may use subnets and security groups that are independent of your worker node’s VPC configuration. By default, pods share the same subnet and security groups as the worker node’s primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node’s ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false
cni_external_snat bool
Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false
custom_network_config bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster’s resourcesVpcConfig.

Defaults to false.

disable_tcp_early_demux bool
Allows the kubelet’s liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.
enable_pod_eni bool
Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.
eni_config_label_def str

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Defaults to the official AWS CNI image in ECR.

eni_mtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

external_snat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

image str

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

init_image str

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

log_file str

Specifies the file path used for logs.

Defaults to “stdout” to emit Pod logs for kubectl logs.

log_level str

Specifies the log level used for logs.

Defaults to “DEBUG” Valid values: “DEBUG”, “INFO”, “WARN”, “ERROR”, or “FATAL”.

node_port_support bool

Specifies whether NodePort services are enabled on a worker node’s primary network interface. This requires additional iptables rules and that the kernel’s reverse path filter on the primary interface is set to loose.

Defaults to true.

security_context_privileged bool
Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default
veth_prefix str

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to “eni”.

warm_eni_target int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warm_ip_target int
Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

Package Details

Repository
https://github.com/pulumi/pulumi-eks
License
Apache-2.0