Amazon EKS

Pulumi Official
Package maintained by Pulumi
v0.40.0 published on Saturday, May 14, 2022 by Pulumi

Cluster

Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.

Create a Cluster Resource

new Cluster(name: string, args?: ClusterArgs, opts?: CustomResourceOptions);
@overload
def Cluster(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            cluster_security_group: Optional[pulumi_aws.ec2.SecurityGroup] = None,
            cluster_security_group_tags: Optional[Mapping[str, str]] = None,
            cluster_tags: Optional[Mapping[str, str]] = None,
            create_oidc_provider: Optional[bool] = None,
            creation_role_provider: Optional[CreationRoleProviderArgs] = None,
            desired_capacity: Optional[int] = None,
            enabled_cluster_log_types: Optional[Sequence[str]] = None,
            encrypt_root_block_device: Optional[bool] = None,
            encryption_config_key_arn: Optional[str] = None,
            endpoint_private_access: Optional[bool] = None,
            endpoint_public_access: Optional[bool] = None,
            fargate: Optional[Union[bool, FargateProfileArgs]] = None,
            gpu: Optional[bool] = None,
            instance_profile_name: Optional[str] = None,
            instance_role: Optional[pulumi_aws.iam.Role] = None,
            instance_roles: Optional[Sequence[pulumi_aws.iam.Role]] = None,
            instance_type: Optional[str] = None,
            kubernetes_service_ip_address_range: Optional[str] = None,
            max_size: Optional[int] = None,
            min_size: Optional[int] = None,
            name: Optional[str] = None,
            node_ami_id: Optional[str] = None,
            node_associate_public_ip_address: Optional[bool] = None,
            node_group_options: Optional[ClusterNodeGroupOptionsArgs] = None,
            node_public_key: Optional[str] = None,
            node_root_volume_delete_on_termination: Optional[bool] = None,
            node_root_volume_encrypted: Optional[bool] = None,
            node_root_volume_iops: Optional[int] = None,
            node_root_volume_size: Optional[int] = None,
            node_root_volume_throughput: Optional[int] = None,
            node_root_volume_type: Optional[str] = None,
            node_security_group_tags: Optional[Mapping[str, str]] = None,
            node_subnet_ids: Optional[Sequence[str]] = None,
            node_user_data: Optional[str] = None,
            private_subnet_ids: Optional[Sequence[str]] = None,
            provider_credential_opts: Optional[KubeconfigOptionsArgs] = None,
            proxy: Optional[str] = None,
            public_access_cidrs: Optional[Sequence[str]] = None,
            public_subnet_ids: Optional[Sequence[str]] = None,
            role_mappings: Optional[Sequence[RoleMappingArgs]] = None,
            service_role: Optional[pulumi_aws.iam.Role] = None,
            skip_default_node_group: Optional[bool] = None,
            storage_classes: Optional[Union[str, Mapping[str, StorageClassArgs]]] = None,
            subnet_ids: Optional[Sequence[str]] = None,
            tags: Optional[Mapping[str, str]] = None,
            use_default_vpc_cni: Optional[bool] = None,
            user_mappings: Optional[Sequence[UserMappingArgs]] = None,
            version: Optional[str] = None,
            vpc_cni_options: Optional[VpcCniOptionsArgs] = None,
            vpc_id: Optional[str] = None)
@overload
def Cluster(resource_name: str,
            args: Optional[ClusterArgs] = None,
            opts: Optional[ResourceOptions] = None)
func NewCluster(ctx *Context, name string, args *ClusterArgs, opts ...ResourceOption) (*Cluster, error)
public Cluster(string name, ClusterArgs? args = null, CustomResourceOptions? opts = null)
public Cluster(String name, ClusterArgs args)
public Cluster(String name, ClusterArgs args, CustomResourceOptions options)
type: eks:Cluster
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ClusterArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Cluster Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Cluster resource accepts the following input properties:

ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

ClusterSecurityGroupTags Dictionary<string, string>

The tags to apply to the cluster security group.

ClusterTags Dictionary<string, string>

The tags to apply to the EKS cluster.

CreateOidcProvider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
  • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
  • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
CreationRoleProvider CreationRoleProviderArgs

The IAM role provider used to create and authenticate against the EKS cluster. This role is given system:masters permission in Kubernetes. See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EnabledClusterLogTypes List<string>

Enable EKS control plane logging; logs are sent to CloudWatch. Possible values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. Off by default.

EncryptRootBlockDevice bool

Encrypt the root block device of the nodes in the node group.

EncryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

  • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
EndpointPrivateAccess bool

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

EndpointPublicAccess bool

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

Fargate bool | FargateProfileArgs

Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
InstanceProfileName string

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

InstanceRole Pulumi.Aws.Iam.Role

This enables the simple case of registering a single IAM instance role with the cluster, which must be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceRoles List<Pulumi.Aws.Iam.Role>

This enables the advanced case of registering many IAM instance roles with the cluster for per-node-group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

KubernetesServiceIpAddressRange string

The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value forces a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  • Doesn't overlap with any CIDR block assigned to the VPC that you selected.
  • Between /24 and /12.
MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

Name string

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

NodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
NodeAssociatePublicIpAddress bool

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, the workers are auto-assigned public IPs; if false, they are not.

NodeGroupOptions ClusterNodeGroupOptionsArgs

The common configuration settings for NodeGroups.

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html. If not provided, no SSH access is enabled on the VMs.

NodeRootVolumeDeleteOnTermination bool

Whether to delete a cluster node's root volume on termination. Defaults to true.

NodeRootVolumeEncrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

NodeRootVolumeIops int

Provisioned IOPS for a cluster node's root volume. Only valid for io1 volumes.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeRootVolumeThroughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. Only valid for gp3 volumes.

NodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is gp2.

NodeSecurityGroupTags Dictionary<string, string>

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

NodeSubnetIds List<string>

The subnets to use for worker nodes. Defaults to the value of subnetIds.

NodeUserData string

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

PrivateSubnetIds List<string>

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html

Note: subnetIds is mutually exclusive with publicSubnetIds and/or privateSubnetIds. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also consider setting nodeAssociatePublicIpAddress: true for fully private workers.

ProviderCredentialOpts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
  • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
Proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required if and only if the proxy environment variables are not set.

Format: <scheme>://<host>:<port>. Auth format: <scheme>://<username>:<password>@<host>:<port>

Ex:

  • "http://proxy.example.com:3128"
  • "https://proxy.example.com"
  • "http://username:password@proxy.example.com:3128"
PublicAccessCidrs List<string>

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

PublicSubnetIds List<string>

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html

Note: subnetIds is mutually exclusive with publicSubnetIds and/or privateSubnetIds. The use of publicSubnetIds and privateSubnetIds is encouraged.

RoleMappings List<RoleMappingArgs>

Optional mappings from AWS IAM roles to Kubernetes users and groups.

ServiceRole Pulumi.Aws.Iam.Role

IAM Service Role for EKS to use to manage the cluster.

SkipDefaultNodeGroup bool

If this toggle is set to true, the EKS cluster will be created without a node group attached. Defaults to false, unless the fargate input is provided.

StorageClasses string | Dictionary<string, StorageClassArgs>

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

SubnetIds List<string>

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: subnetIds is mutually exclusive with publicSubnetIds and/or privateSubnetIds. The use of publicSubnetIds and privateSubnetIds is encouraged.

Tags Dictionary<string, string>

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

UseDefaultVpcCni bool

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

UserMappings List<UserMappingArgs>

Optional mappings from AWS IAM users to Kubernetes users and groups.

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

VpcCniOptions VpcCniOptionsArgs

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

VpcId string

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.
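The mutual-exclusion rules, service CIDR constraints and exposure-relevant defaults documented in the inputs above can be checked offline before `pulumi up`. The following Python is an added example, not part of the Pulumi EKS package: `lint_cluster_args`, its finding strings and the two sample argument dicts (with placeholder subnet, AMI and key identifiers) are this example's own, and it treats the node group option nodeSecurityGroup as a top-level key for simplicity.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Values the reference lists for enabledClusterLogTypes.
VALID_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}

# Private blocks the reference allows for kubernetesServiceIpAddressRange.
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Argument pairs the reference marks as mutually exclusive (nodeSecurityGroup is
# really a node group option; this example checks it as a top-level key).
EXCLUSIVE_PAIRS = [
    ("gpu", "nodeAmiId"),
    ("instanceRole", "instanceRoles"),
    ("nodeSecurityGroupTags", "nodeSecurityGroup"),
    ("useDefaultVpcCni", "vpcCniOptions"),
]

# scheme://host[:port] or scheme://user:pass@host[:port], matching the reference's examples.
PROXY_RE = re.compile(r"^https?://(?:[^:@/\s]+:[^@/\s]*@)?[^:@/\s]+(?::\d{1,5})?$")


def lint_cluster_args(args: Dict, vpc_cidr: Optional[str] = None) -> List[str]:
    """Return findings for an eks.Cluster argument dict; an empty list means clean.

    'error:' findings are constraint violations the reference documents;
    'warn:' findings are exposure concerns judged against the documented defaults.
    vpc_cidr is the CIDR of the VPC the cluster will live in (assumed supplied by the caller).
    """
    findings: List[str] = []

    for a, b in EXCLUSIVE_PAIRS:
        if a in args and b in args:
            findings.append(f"error: {a} and {b} are mutually exclusive")
    if "subnetIds" in args and ("publicSubnetIds" in args or "privateSubnetIds" in args):
        findings.append("error: subnetIds cannot be combined with publicSubnetIds/privateSubnetIds")

    svc = args.get("kubernetesServiceIpAddressRange")
    if svc is not None:
        net = ipaddress.ip_network(svc, strict=False)
        if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
            findings.append(f"error: service CIDR {svc} is outside 10/8, 172.16/12 and 192.168/16")
        if not 12 <= net.prefixlen <= 24:
            findings.append(f"error: service CIDR {svc} must be between /12 and /24")
        if vpc_cidr and net.overlaps(ipaddress.ip_network(vpc_cidr, strict=False)):
            findings.append(f"error: service CIDR {svc} overlaps the VPC CIDR {vpc_cidr}")

    log_types = args.get("enabledClusterLogTypes", [])
    for t in log_types:
        if t not in VALID_LOG_TYPES:
            findings.append(f"error: unknown control plane log type {t!r}")

    proxy = args.get("proxy")
    if proxy is not None and not PROXY_RE.match(proxy):
        findings.append(f"error: proxy {proxy!r} is not scheme://[user:pass@]host[:port]")

    # Exposure warnings: public endpoint on, private off, logging off and
    # unencrypted root volumes are the defaults stated in the reference.
    if args.get("endpointPublicAccess", True):
        cidrs = args.get("publicAccessCidrs") or []
        if not cidrs or "0.0.0.0/0" in cidrs:
            findings.append("warn: public API endpoint is not restricted by publicAccessCidrs")
    if "audit" not in log_types:
        findings.append("warn: control plane audit logging is off (the default)")
    if "encryptionConfigKeyArn" not in args:
        findings.append("warn: no KMS key set; cluster secrets are not envelope-encrypted")
    if not (args.get("nodeRootVolumeEncrypted") or args.get("encryptRootBlockDevice")):
        findings.append("warn: node root volumes are unencrypted (the default)")
    if args.get("nodeAssociatePublicIpAddress"):
        findings.append("warn: worker nodes are assigned public IP addresses")
    return findings


# Constructed sample inputs; subnet, AMI and key identifiers are placeholders.
WEAK_ARGS = {
    "subnetIds": ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
    "publicSubnetIds": ["subnet-PLACEHOLDER-a"],
    "gpu": True,
    "nodeAmiId": "ami-PLACEHOLDER",
    "kubernetesServiceIpAddressRange": "10.0.0.0/8",
    "publicAccessCidrs": ["0.0.0.0/0"],
    "enabledClusterLogTypes": ["api", "auditing"],
    "proxy": "proxy.example.com:3128",
}

HARDENED_ARGS = {
    "privateSubnetIds": ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
    "publicSubnetIds": ["subnet-PLACEHOLDER-c"],
    "endpointPrivateAccess": True,
    "endpointPublicAccess": True,
    "publicAccessCidrs": ["203.0.113.0/24"],
    "enabledClusterLogTypes": ["api", "audit", "authenticator"],
    "encryptionConfigKeyArn": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
    "nodeRootVolumeEncrypted": True,
    "createOidcProvider": True,
    "kubernetesServiceIpAddressRange": "172.20.0.0/16",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_ARGS), ("hardened", HARDENED_ARGS)):
        print(label, lint_cluster_args(cfg, vpc_cidr="10.0.0.0/16") or ["clean"])
```

Run it against the argument dict you intend to pass to the Cluster constructor; the warnings map one-to-one onto the inputs described above, so each can be resolved by setting the named input.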

ClusterSecurityGroup SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

ClusterSecurityGroupTags map[string]string

The tags to apply to the cluster security group.

ClusterTags map[string]string

The tags to apply to the EKS cluster.

CreateOidcProvider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
  • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
  • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
CreationRoleProvider CreationRoleProviderArgs

The IAM role provider used to create and authenticate against the EKS cluster. This role is given system:masters permission in Kubernetes. See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EnabledClusterLogTypes []string

Enable EKS control plane logging; logs are sent to CloudWatch. Possible values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. Off by default.

EncryptRootBlockDevice bool

Encrypt the root block device of the nodes in the node group.

EncryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

  • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
EndpointPrivateAccess bool

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

EndpointPublicAccess bool

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

Fargate bool | FargateProfileArgs

Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
InstanceProfileName string

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

InstanceRole Role

This enables the simple case of registering a single IAM instance role with the cluster, which must be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceRoles []Role

This enables the advanced case of registering many IAM instance roles with the cluster for per-node-group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

KubernetesServiceIpAddressRange string

The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value forces a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  • Doesn't overlap with any CIDR block assigned to the VPC that you selected.
  • Between /24 and /12.
MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

Name string

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

NodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
NodeAssociatePublicIpAddress bool

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, the workers are auto-assigned public IPs; if false, they are not.

NodeGroupOptions ClusterNodeGroupOptionsArgs

The common configuration settings for NodeGroups.

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html. If not provided, no SSH access is enabled on the VMs.

NodeRootVolumeDeleteOnTermination bool

Whether to delete a cluster node's root volume on termination. Defaults to true.

NodeRootVolumeEncrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

NodeRootVolumeIops int

Provisioned IOPS for a cluster node's root volume. Only valid for io1 volumes.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeRootVolumeThroughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. Only valid for gp3 volumes.

NodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is gp2.

NodeSecurityGroupTags map[string]string

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

NodeSubnetIds []string

The subnets to use for worker nodes. Defaults to the value of subnetIds.

NodeUserData string

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

PrivateSubnetIds []string

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html

Note: subnetIds is mutually exclusive with publicSubnetIds and/or privateSubnetIds. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also consider setting nodeAssociatePublicIpAddress: true for fully private workers.

ProviderCredentialOpts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
  • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
Proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required if and only if the proxy environment variables are not set.

Format: <scheme>://<host>:<port>. Auth format: <scheme>://<username>:<password>@<host>:<port>

Ex:

  • "http://proxy.example.com:3128"
  • "https://proxy.example.com"
  • "http://username:password@proxy.example.com:3128"
PublicAccessCidrs []string

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

PublicSubnetIds []string

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html

Note: subnetIds is mutually exclusive with publicSubnetIds and/or privateSubnetIds. The use of publicSubnetIds and privateSubnetIds is encouraged.

RoleMappings []RoleMappingArgs

Optional mappings from AWS IAM roles to Kubernetes users and groups.

ServiceRole Role

IAM Service Role for EKS to use to manage the cluster.

SkipDefaultNodeGroup bool

If this toggle is set to true, the EKS cluster will be created without a node group attached. Defaults to false, unless the fargate input is provided.

StorageClasses string | map[string]StorageClassArgs

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

SubnetIds []string

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: subnetIds is mutually exclusive with publicSubnetIds and/or privateSubnetIds. The use of publicSubnetIds and privateSubnetIds is encouraged.

Tags map[string]string

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

UseDefaultVpcCni bool

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

UserMappings []UserMappingArgs

Optional mappings from AWS IAM users to Kubernetes users and groups.

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

VpcCniOptions VpcCniOptionsArgs

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

VpcId string

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

clusterSecurityGroup SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

clusterSecurityGroupTags Map<String,String>

The tags to apply to the cluster security group.

clusterTags Map<String,String>

The tags to apply to the EKS cluster.

createOidcProvider Boolean

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
  • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
  • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
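
As an added illustration of what the OIDC provider is used for (example code written for this page, not part of the Pulumi EKS package or its docs), the following Python builds the IAM trust policy that lets exactly one Kubernetes ServiceAccount assume a role through sts:AssumeRoleWithWebIdentity, and includes the check a reviewer would run to reject a trust policy that is scoped more loosely. The account id, OIDC issuer URL, namespace and service account name are constructed sample values.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample values (not taken from the page): a hypothetical account id
# and an OIDC issuer URL in the shape the EKS API returns for a cluster.
ACCOUNT_ID = "123456789012"
ISSUER_URL = "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

# Conservative DNS-1123 label check for namespace and service account names
# (Kubernetes also allows dots in service account names; this rejects them).
_K8S_NAME = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def oidc_provider_arn(account_id: str, issuer_url: str) -> str:
    """ARN of the IAM OIDC provider for an EKS issuer: the issuer URL minus its scheme."""
    if not issuer_url.startswith("https://"):
        raise ValueError("EKS OIDC issuer URLs are always https")
    return f"arn:aws:iam::{account_id}:oidc-provider/{issuer_url[len('https://'):]}"


def irsa_trust_policy(account_id: str, issuer_url: str,
                      namespace: str, service_account: str) -> Dict[str, Any]:
    """Trust policy allowing one ServiceAccount to assume the role.

    Both conditions matter: without the `sub` condition any pod in the cluster
    could assume the role; without `aud` a token minted for another audience
    could be presented to STS.
    """
    for name in (namespace, service_account):
        if not _K8S_NAME.match(name):
            raise ValueError(f"invalid Kubernetes name: {name!r}")
    issuer = issuer_url[len("https://"):]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn(account_id, issuer_url)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def trust_policy_is_scoped(policy: Dict[str, Any]) -> bool:
    """Review check: every web-identity statement must pin a single
    namespace/service account with StringEquals on `sub` and pin `aud` to STS.
    Wildcard StringLike subjects and missing conditions are rejected."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        sub: Optional[str] = next((v for k, v in equals.items() if k.endswith(":sub")), None)
        aud: Optional[str] = next((v for k, v in equals.items() if k.endswith(":aud")), None)
        if not isinstance(sub, str) or aud != "sts.amazonaws.com":
            return False
        parts = sub.split(":")
        if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"] or "*" in sub:
            return False
    return True


# Constructed counter-example: a StringLike wildcard subject lets every pod in
# every namespace of the cluster assume the role.
OVERBROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": oidc_provider_arn(ACCOUNT_ID, ISSUER_URL)},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {
            f"{ISSUER_URL[len('https://'):]}:sub": "system:serviceaccount:*:*",
        }},
    }],
}

if __name__ == "__main__":
    policy = irsa_trust_policy(ACCOUNT_ID, ISSUER_URL, "payments", "billing-worker")
    print(json.dumps(policy, indent=2))
    print("scoped:", trust_policy_is_scoped(policy))
    print("overbroad scoped:", trust_policy_is_scoped(OVERBROAD_POLICY))
```

The generated document is what you attach as the assume-role policy of the IAM role that the ServiceAccount's eks.amazonaws.com/role-arn annotation points at; the issuer URL comes from the cluster's identity.oidc.issuer output once createOidcProvider is set.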
creationRoleProvider CreationRoleProviderArgs

The IAM role provider used to create and authenticate against the EKS cluster. EKS grants this role the system:masters group in Kubernetes (cluster-admin), so treat whatever can assume it as a privileged credential. See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

desiredCapacity Integer

The number of worker nodes that should be running in the cluster. Defaults to 2.

enabledClusterLogTypes List<String>

Enable EKS control plane logging; logs are sent to CloudWatch Logs. Valid values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. Disabled by default; the audit and authenticator streams are the ones incident responders need, so enable at least those.

encryptRootBlockDevice Boolean

Encrypt the root block device of the nodes in the node group.

encryptionConfigKeyArn String

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

  • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
endpointPrivateAccess Boolean

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

endpointPublicAccess Boolean

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

fargate Boolean | FargateProfileArgs

Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
instanceProfileName String

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

instanceRole Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceRoles List<Role>

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

kubernetesServiceIpAddressRange String

The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  • Doesn't overlap with any CIDR block assigned to the VPC you selected for the cluster.
  • Between /24 and /12.
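
The three requirements above can be checked before pulumi up rather than discovered as a failed cluster creation (which, since this value forces replacement, is expensive). The following is an added Python example (written for this page, not code from the Pulumi EKS package) that validates a candidate kubernetesServiceIpAddressRange against those rules, against the VPC CIDRs you pass in, and against peered or connected networks; the CIDRs in the usage are constructed samples.

```python
import ipaddress
from typing import Iterable, List

# The private blocks the reference says the service CIDR must sit inside.
_ALLOWED_PARENTS = [ipaddress.ip_network(c)
                    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_service_cidr(cidr: str,
                          vpc_cidrs: Iterable[str] = (),
                          peered_cidrs: Iterable[str] = ()) -> List[str]:
    """Return the list of problems with a candidate service CIDR; [] means OK.

    Overlap with the cluster's own VPC CIDRs is an error (EKS rejects it);
    overlap with peered or connected networks is reported as a warning, since
    the reference only recommends avoiding it.
    """
    problems: List[str] = []
    try:
        # strict=True rejects host bits set, e.g. 10.100.0.1/16.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"error: not a valid network: {exc}"]
    if net.version != 4:
        return ["error: service CIDR must be IPv4"]
    if not any(net.subnet_of(parent) for parent in _ALLOWED_PARENTS):
        problems.append("error: not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")
    if not 12 <= net.prefixlen <= 24:
        problems.append(f"error: prefix /{net.prefixlen} is outside the allowed /12 to /24 range")
    for vpc in vpc_cidrs:
        if net.overlaps(ipaddress.ip_network(vpc)):
            problems.append(f"error: overlaps VPC CIDR {vpc}")
    for peer in peered_cidrs:
        if net.overlaps(ipaddress.ip_network(peer)):
            problems.append(f"warning: overlaps peered/connected network {peer}")
    return problems


if __name__ == "__main__":
    # Constructed sample topology: a VPC on 10.0.0.0/16 peered to 172.20.0.0/16.
    VPC = ["10.0.0.0/16"]
    PEERS = ["172.20.0.0/16"]
    for candidate in ("10.100.0.0/16", "172.20.0.0/16", "10.0.0.0/16",
                      "10.0.0.0/8", "192.0.2.0/24", "10.100.0.1/16"):
        print(candidate, validate_service_cidr(candidate, VPC, PEERS) or "OK")
```

Note that the two EKS defaults, 10.100.0.0/16 and 172.20.0.0/16, are exactly the ranges that tend to collide with peered corporate networks, which is why the check takes peered CIDRs as a separate argument.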
maxSize Integer

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize Integer

The minimum number of worker nodes running in the cluster. Defaults to 1.

name String

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

nodeAmiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
nodeAssociatePublicIpAddress Boolean

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, workers receive a public IP at launch; if false, they do not.

nodeGroupOptions ClusterNodeGroupOptionsArgs

The common configuration settings for NodeGroups.

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination Boolean

Whether to delete a cluster node's root volume on termination. Defaults to true.

nodeRootVolumeEncrypted Boolean

Whether to encrypt a cluster node's root volume. Defaults to false.

nodeRootVolumeIops Integer

Provisioned IOPS for a cluster node's root volume. Only valid for io1 volumes.

nodeRootVolumeSize Integer

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput Integer

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. Only valid for gp3 volumes.

nodeRootVolumeType String

Configured EBS type for a cluster node's root volume. Default is gp2.

nodeSecurityGroupTags Map<String,String>

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

nodeSubnetIds List<String>

The subnets to use for worker nodes. Defaults to the value of subnetIds.

nodeUserData String

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

privateSubnetIds List<String>

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

For fully private workers, also set nodeAssociatePublicIpAddress: false so that no worker is launched with a public IP.

providerCredentialOpts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
  • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
proxy String

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: <protocol>://<host>:<port>

Auth Format: <protocol>://<username>:<password>@<host>:<port>

If the URL embeds credentials, keep it out of plaintext program code and config: store it as a Pulumi secret (for example with pulumi config set --secret) so it is encrypted in config and state.

Ex:

  • "http://proxy.example.com:3128"
  • "https://proxy.example.com"
  • "http://username:password@proxy.example.com:3128"
publicAccessCidrs List<String>

The CIDR blocks allowed to reach the Amazon EKS public API server endpoint. If unset, AWS defaults to 0.0.0.0/0; restrict this whenever endpointPublicAccess is true.

publicSubnetIds List<String>

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

roleMappings List<RoleMappingArgs>

Optional mappings from AWS IAM roles to Kubernetes users and groups.

serviceRole Role

IAM Service Role for EKS to use to manage the cluster.

skipDefaultNodeGroup Boolean

If true, the EKS cluster is created without a node group attached. Defaults to false, unless the fargate input is provided.

storageClasses String | Map<String,StorageClassArgs>

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

subnetIds List<String>

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags Map<String,String>

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

useDefaultVpcCni Boolean

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.
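
The mutually exclusive options noted above (subnetIds versus publicSubnetIds/privateSubnetIds, gpu versus nodeAmiId, instanceRole versus instanceRoles, nodeSecurityGroupTags versus the node group's nodeSecurityGroup, useDefaultVpcCni versus vpcCniOptions) and the exposure-related settings (endpoint access, control plane logging, secrets encryption, node volume encryption) are easy to get wrong inside one ClusterArgs literal. The following added Python example (written for this page, not part of the Pulumi EKS package) lints a plain dict of ClusterArgs keys against those rules before it is handed to the Cluster constructor; the subnet, AMI and KMS identifiers in the sample inputs are constructed placeholders.

```python
from typing import Any, Dict, List

# Option pairs the reference marks as mutually exclusive.
_EXCLUSIVE_PAIRS = [
    ("subnetIds", "publicSubnetIds"),
    ("subnetIds", "privateSubnetIds"),
    ("gpu", "nodeAmiId"),
    ("instanceRole", "instanceRoles"),
    ("useDefaultVpcCni", "vpcCniOptions"),
]


def _is_set(args: Dict[str, Any], key: str) -> bool:
    # A False boolean (gpu: false, useDefaultVpcCni: false) counts as unset.
    value = args.get(key)
    return value is not None and value is not False


def lint_cluster_args(args: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for a ClusterArgs-shaped dict.

    Errors are combinations the reference says are invalid; warnings are
    defaults a security reviewer would want changed deliberately.
    """
    errors: List[str] = []
    warnings: List[str] = []

    for a, b in _EXCLUSIVE_PAIRS:
        if _is_set(args, a) and _is_set(args, b):
            errors.append(f"{a} and {b} are mutually exclusive")
    node_opts = args.get("nodeGroupOptions") or {}
    if _is_set(args, "nodeSecurityGroupTags") and node_opts.get("nodeSecurityGroup") is not None:
        errors.append("nodeSecurityGroupTags cannot be combined with nodeGroupOptions.nodeSecurityGroup")
    user_data = args.get("nodeUserData")
    if user_data is not None and not user_data.startswith("#!"):
        errors.append("nodeUserData must begin with an interpreter directive (#!)")

    # API endpoint exposure: public access is on by default, and with no
    # publicAccessCidrs EKS allows 0.0.0.0/0.
    public = args.get("endpointPublicAccess", True)
    private = args.get("endpointPrivateAccess", False)
    if public:
        if "0.0.0.0/0" in (args.get("publicAccessCidrs") or ["0.0.0.0/0"]):
            warnings.append("public API endpoint reachable from 0.0.0.0/0; set publicAccessCidrs or use endpointPrivateAccess only")
    elif not private:
        errors.append("endpointPublicAccess and endpointPrivateAccess cannot both be false")

    missing_logs = {"audit", "authenticator"} - set(args.get("enabledClusterLogTypes") or [])
    if missing_logs:
        warnings.append(f"enabledClusterLogTypes lacks {sorted(missing_logs)}; control plane logging is off by default")
    if not args.get("encryptionConfigKeyArn"):
        warnings.append("encryptionConfigKeyArn unset: Kubernetes Secrets are not envelope-encrypted with KMS")
    if not (args.get("nodeRootVolumeEncrypted") or args.get("encryptRootBlockDevice")):
        warnings.append("node root volumes are unencrypted (nodeRootVolumeEncrypted defaults to false)")
    if args.get("nodeAssociatePublicIpAddress") and _is_set(args, "privateSubnetIds") and not _is_set(args, "publicSubnetIds"):
        warnings.append("private-only workers but nodeAssociatePublicIpAddress is true")
    if args.get("nodePublicKey"):
        warnings.append("nodePublicKey enables SSH on every worker; confirm this is intended")
    return {"errors": errors, "warnings": warnings}


# Constructed sample inputs (identifiers are placeholders, not real resources).
WEAK_ARGS: Dict[str, Any] = {
    "subnetIds": ["subnet-aaaa1111"],
    "publicSubnetIds": ["subnet-bbbb2222"],
    "gpu": True,
    "nodeAmiId": "ami-0123456789abcdef0",
    "nodeUserData": "echo hello",
}

HARDENED_ARGS: Dict[str, Any] = {
    "privateSubnetIds": ["subnet-cccc3333", "subnet-dddd4444"],
    "publicSubnetIds": ["subnet-eeee5555", "subnet-ffff6666"],
    "endpointPublicAccess": True,
    "publicAccessCidrs": ["203.0.113.0/24"],
    "endpointPrivateAccess": True,
    "enabledClusterLogTypes": ["api", "audit", "authenticator"],
    "encryptionConfigKeyArn": "arn:aws:kms:us-west-2:123456789012:key/00000000-0000-0000-0000-000000000000",
    "nodeRootVolumeEncrypted": True,
    "nodeAssociatePublicIpAddress": False,
}

if __name__ == "__main__":
    for label, candidate in (("weak", WEAK_ARGS), ("hardened", HARDENED_ARGS)):
        print(label, lint_cluster_args(candidate))
```

Run it against the dict you are about to spread into ClusterArgs and fail the deployment on any errors; warnings are the settings to justify in review rather than leave at their defaults.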

userMappings List<UserMappingArgs>

Optional mappings from AWS IAM users to Kubernetes users and groups.

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

vpcCniOptions VpcCniOptionsArgs

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

vpcId String

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

clusterSecurityGroup aws.ec2.SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

clusterSecurityGroupTags {[key: string]: string}

The tags to apply to the cluster security group.

clusterTags {[key: string]: string}

The tags to apply to the EKS cluster.

createOidcProvider boolean

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
  • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
  • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
creationRoleProvider CreationRoleProviderArgs

The IAM role provider used to create and authenticate against the EKS cluster. EKS grants this role the system:masters group in Kubernetes (cluster-admin), so treat whatever can assume it as a privileged credential. See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

desiredCapacity number

The number of worker nodes that should be running in the cluster. Defaults to 2.

enabledClusterLogTypes string[]

Enable EKS control plane logging; logs are sent to CloudWatch Logs. Valid values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. Disabled by default; the audit and authenticator streams are the ones incident responders need, so enable at least those.

encryptRootBlockDevice boolean

Encrypt the root block device of the nodes in the node group.

encryptionConfigKeyArn string

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

  • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
endpointPrivateAccess boolean

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

endpointPublicAccess boolean

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

fargate boolean | FargateProfileArgs

Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
instanceProfileName string

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

instanceRole aws.iam.Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceRoles aws.iam.Role[]

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceType string

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

kubernetesServiceIpAddressRange string

The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  • Doesn't overlap with any CIDR block assigned to the VPC you selected for the cluster.
  • Between /24 and /12.
maxSize number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize number

The minimum number of worker nodes running in the cluster. Defaults to 1.

name string

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

nodeAmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
nodeAssociatePublicIpAddress boolean

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, workers receive a public IP at launch; if false, they do not.

nodeGroupOptions ClusterNodeGroupOptionsArgs

The common configuration settings for NodeGroups.

nodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination boolean

Whether to delete a cluster node's root volume on termination. Defaults to true.

nodeRootVolumeEncrypted boolean

Whether to encrypt a cluster node's root volume. Defaults to false.

nodeRootVolumeIops number

Provisioned IOPS for a cluster node's root volume. Only valid for io1 volumes.

nodeRootVolumeSize number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput number

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. Only valid for gp3 volumes.

nodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is gp2.

nodeSecurityGroupTags {[key: string]: string}

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

nodeSubnetIds string[]

The subnets to use for worker nodes. Defaults to the value of subnetIds.

nodeUserData string

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

privateSubnetIds string[]

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

For fully private workers, also set nodeAssociatePublicIpAddress: false so that no worker is launched with a public IP.

providerCredentialOpts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
  • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
proxy string

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: <protocol>://<host>:<port>

Auth Format: <protocol>://<username>:<password>@<host>:<port>

If the URL embeds credentials, keep it out of plaintext program code and config: store it as a Pulumi secret (for example with pulumi config set --secret) so it is encrypted in config and state.

Ex:

  • "http://proxy.example.com:3128"
  • "https://proxy.example.com"
  • "http://username:password@proxy.example.com:3128"
publicAccessCidrs string[]

The CIDR blocks allowed to reach the Amazon EKS public API server endpoint. If unset, AWS defaults to 0.0.0.0/0; restrict this whenever endpointPublicAccess is true.

publicSubnetIds string[]

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

roleMappings RoleMappingArgs[]

Optional mappings from AWS IAM roles to Kubernetes users and groups.

serviceRole aws.iam.Role

IAM Service Role for EKS to use to manage the cluster.

skipDefaultNodeGroup boolean

If true, the EKS cluster is created without a node group attached. Defaults to false, unless the fargate input is provided.

storageClasses string | {[key: string]: StorageClassArgs}

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

subnetIds string[]

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags {[key: string]: string}

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

useDefaultVpcCni boolean

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

userMappings UserMappingArgs[]

Optional mappings from AWS IAM users to Kubernetes users and groups.

version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

vpcCniOptions VpcCniOptionsArgs

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

vpcId string

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

cluster_security_group SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

cluster_security_group_tags Mapping[str, str]

The tags to apply to the cluster security group.

cluster_tags Mapping[str, str]

The tags to apply to the EKS cluster.

create_oidc_provider bool

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
  • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
  • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
creation_role_provider CreationRoleProviderArgs

The IAM role provider used to create and authenticate against the EKS cluster. EKS grants this role the system:masters group in Kubernetes (cluster-admin), so treat whatever can assume it as a privileged credential. See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

desired_capacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

enabled_cluster_log_types Sequence[str]

Enable EKS control plane logging; logs are sent to CloudWatch Logs. Valid values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. Disabled by default; the audit and authenticator streams are the ones incident responders need, so enable at least those.

encrypt_root_block_device bool

Encrypt the root block device of the nodes in the node group.

encryption_config_key_arn str

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

  • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
endpoint_private_access bool

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

endpoint_public_access bool

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

fargate bool | FargateProfileArgs

Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
instance_profile_name str

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

instance_role Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

instance_roles Sequence[Role]

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instance_type str

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

kubernetes_service_ip_address_range str

The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  • Doesn't overlap with any CIDR block assigned to the VPC you selected for the cluster.
  • Between /24 and /12.
max_size int

The maximum number of worker nodes running in the cluster. Defaults to 2.

min_size int

The minimum number of worker nodes running in the cluster. Defaults to 1.

name str

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

node_ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
node_associate_public_ip_address bool

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, workers receive a public IP at launch; if false, they do not.

node_group_options ClusterNodeGroupOptionsArgs

The common configuration settings for NodeGroups.

node_public_key str

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

node_root_volume_delete_on_termination bool

Whether to delete a cluster node's root volume on termination. Defaults to true.

node_root_volume_encrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

node_root_volume_iops int

Provisioned IOPS for a cluster node's root volume. Only valid for io1 volumes.

node_root_volume_size int

The size in GiB of a cluster node's root volume. Defaults to 20.

node_root_volume_throughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. Only valid for gp3 volumes.

node_root_volume_type str

Configured EBS type for a cluster node's root volume. Default is gp2.

node_security_group_tags Mapping[str, str]

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

node_subnet_ids Sequence[str]

The subnets to use for worker nodes. Defaults to the value of subnetIds.

node_user_data str

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

private_subnet_ids Sequence[str]

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also set nodeAssociatePublicIpAddress: false for fully private workers; with it set to true the workers are still given public IPs even when they sit in private subnets.

provider_credential_opts KubeconfigOptionsArgs

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
  • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
proxy str

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: <protocol>://<host>:<port>

Auth Format: <protocol>://<username>:<password>@<host>:<port>

Ex:

  • "http://proxy.example.com:3128"
  • "https://proxy.example.com"
  • "http://username:password@proxy.example.com:3128"

Note: credentials embedded in the proxy URL are recorded in the stack's state and config like any other input. Store them with pulumi config set --secret and pass the value in as a secret so it is encrypted in state.
public_access_cidrs Sequence[str]

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint. Only relevant while endpoint_public_access is true; when unset, EKS allows 0.0.0.0/0, so restrict this to the egress ranges of your operators and CI runners.
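The following is an added example, not code from the pulumi/eks package, that pulls the security-relevant inputs on this page (endpoint_private_access, endpoint_public_access, public_access_cidrs, enabled_cluster_log_types, encryption_config_key_arn, node_root_volume_encrypted, node_public_key, node_associate_public_ip_address, create_oidc_provider and the subnet split) into one hardened argument set, and a lint that reports the weak defaults when a set is missing them. The VPC ID, subnet IDs, KMS key ARN and office CIDR are constructed placeholders, and the lint's treatment of the undocumented node_associate_public_ip_address default is an assumption stated in the code.

```python
"""Hardened Cluster inputs plus a lint for the weak defaults.

Added example, not code from the pulumi/eks package. The dict keys are the
Python input names documented on this page; the lint encodes the checks a
reviewer would apply before `pulumi up`.
"""
from typing import Any, Dict, List

# Constructed placeholders (assumptions, not real resources).
VPC_ID = "vpc-0123456789abcdef0"
PRIVATE_SUBNETS = ["subnet-0aaa", "subnet-0bbb"]
PUBLIC_SUBNETS = ["subnet-0ccc", "subnet-0ddd"]
KMS_KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/00000000-0000-0000-0000-000000000000"
OFFICE_EGRESS = ["203.0.113.0/24"]  # TEST-NET-3, standing in for a real egress range


def hardened_cluster_args() -> Dict[str, Any]:
    """Cluster inputs with every security-relevant toggle set explicitly."""
    return {
        "vpc_id": VPC_ID,
        "private_subnet_ids": PRIVATE_SUBNETS,        # workers stay private
        "public_subnet_ids": PUBLIC_SUBNETS,          # only for internet-facing LBs
        "node_associate_public_ip_address": False,
        "endpoint_private_access": True,              # page default is False
        "endpoint_public_access": True,               # kept on, but restricted
        "public_access_cidrs": OFFICE_EGRESS,         # EKS default is 0.0.0.0/0
        "enabled_cluster_log_types": ["api", "audit", "authenticator"],
        "encryption_config_key_arn": KMS_KEY_ARN,     # envelope-encrypt Secrets
        "node_root_volume_encrypted": True,           # page default is False
        "create_oidc_provider": True,                 # IRSA instead of node-role creds
        # node_public_key intentionally absent: no SSH on workers
    }


def lint_cluster_args(args: Dict[str, Any]) -> List[str]:
    """Return findings for settings that leave the control plane or nodes exposed.

    Unset keys are evaluated at the defaults this page documents.
    """
    findings: List[str] = []
    if args.get("endpoint_public_access", True):
        cidrs = args.get("public_access_cidrs") or ["0.0.0.0/0"]  # EKS default when unset
        if "0.0.0.0/0" in cidrs:
            findings.append("public API endpoint reachable from 0.0.0.0/0; set public_access_cidrs")
    if not args.get("endpoint_private_access", False):
        findings.append("endpoint_private_access is off; in-VPC clients use the public endpoint")
    enabled = set(args.get("enabled_cluster_log_types") or [])
    for log_type in ("audit", "authenticator"):
        if log_type not in enabled:
            findings.append(f"control plane log type '{log_type}' not enabled")
    if not args.get("encryption_config_key_arn"):
        findings.append("no KMS key for Secrets envelope encryption")
    if not (args.get("node_root_volume_encrypted") or args.get("encrypt_root_block_device")):
        findings.append("worker root volumes are unencrypted")
    if args.get("node_public_key"):
        findings.append("SSH public key installed on workers; prefer SSM Session Manager")
    # Assumption: the page documents no default here, so anything but an explicit False is treated as exposed.
    if args.get("node_associate_public_ip_address", True):
        findings.append("workers get public IPs; set node_associate_public_ip_address to False")
    if not args.get("create_oidc_provider"):
        findings.append("no OIDC provider; pods cannot use IAM roles for service accounts")
    return findings


def create_cluster(name: str, args: Dict[str, Any]):
    """Instantiate pulumi_eks.Cluster with the hardened inputs (needs a Pulumi runtime)."""
    import pulumi_eks as eks  # assumption: the pulumi_eks SDK is installed
    return eks.Cluster(name, **args)


if __name__ == "__main__":
    print(lint_cluster_args({}))                       # every weak default listed
    print(lint_cluster_args(hardened_cluster_args()))  # []
```

Run the lint against the argument dict before it reaches the Cluster constructor; an empty list is the gate for `pulumi up`, and each finding names the input to change.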

public_subnet_ids Sequence[str]

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

role_mappings Sequence[RoleMappingArgs]

Optional mappings from AWS IAM roles to Kubernetes users and groups.

service_role Role

IAM Service Role for EKS to use to manage the cluster.

skip_default_node_group bool

If this toggle is set to true, the EKS cluster will be created without a node group attached. Defaults to false, unless the fargate input is provided.

storage_classes str | Mapping[str, StorageClassArgs]

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

subnet_ids Sequence[str]

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags Mapping[str, str]

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

use_default_vpc_cni bool

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

user_mappings Sequence[UserMappingArgs]

Optional mappings from AWS IAM users to Kubernetes users and groups.

version str

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

vpc_cni_options VpcCniOptionsArgs

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

vpc_id str

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

clusterSecurityGroup aws:ec2:SecurityGroup

The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

clusterSecurityGroupTags Map<String>

The tags to apply to the cluster security group.

clusterTags Map<String>

The tags to apply to the EKS cluster.

createOidcProvider Boolean

Indicates whether an IAM OIDC Provider is created for the EKS cluster.

The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

See for more details:

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
  • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
  • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
creationRoleProvider Property Map

The IAM Role Provider used to create and authenticate against the EKS cluster. This role is given system:masters permission in Kubernetes, which is bound to cluster-admin, so restrict who can assume it as you would any cluster-admin credential. See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

desiredCapacity Number

The number of worker nodes that should be running in the cluster. Defaults to 2.

enabledClusterLogTypes List<String>

Enable EKS control plane logging. This sends the selected log streams to CloudWatch Logs. Possible values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. Off by default; enable at least audit and authenticator if you need to reconstruct who did what against the API server.

encryptRootBlockDevice Boolean

Encrypt the root block device of the nodes in the node group.

encryptionConfigKeyArn String

KMS Key ARN to use with the encryption configuration for the cluster.

Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

  • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
endpointPrivateAccess Boolean

Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false. While it is off, nodes and other in-VPC clients reach the API server through the public endpoint.

endpointPublicAccess Boolean

Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true. Pair it with publicAccessCidrs, or turn it off once endpointPrivateAccess is on and you have a route into the VPC.

fargate Boolean | Property Map

Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and nodeAmiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
instanceProfileName String

The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

instanceRole aws:iam:Role

This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceRoles List<aws:iam:Role>

This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

Note: options instanceRole and instanceRoles are mutually exclusive.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

kubernetesServiceIpAddressRange String

The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  • Doesn't overlap with any CIDR block assigned to the VPC that you selected for the cluster.
  • Between /24 and /12.
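The three requirements above are cheap to check before a deployment, and worth checking because a wrong value only surfaces as a forced cluster replacement. The following added example, not part of the pulumi/eks package, encodes them with the standard library's ipaddress module and also reports which of the two EKS default ranges would collide with a VPC or peered network when the input is left unset. The VPC and peered CIDRs in the usage block are constructed.

```python
"""Pre-flight check for the kubernetesServiceIpAddressRange input.

Added example, not part of the pulumi/eks package. Encodes the three
requirements the page lists (RFC 1918 block, no overlap with the VPC, prefix
between /12 and /24) plus the documented default ranges.
"""
import ipaddress
from typing import List

# Blocks EKS allows the service CIDR to come from.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# What EKS picks when the input is omitted.
EKS_DEFAULT_SERVICE_CIDRS = ["10.100.0.0/16", "172.20.0.0/16"]


def service_cidr_problems(service_cidr: str, vpc_cidrs: List[str]) -> List[str]:
    """Return a list of violations; an empty list means the value is acceptable."""
    problems: List[str] = []
    try:
        svc = ipaddress.ip_network(service_cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    if svc.version != 4:
        return ["must be an IPv4 block"]
    if not any(svc.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append("must lie within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")
    if not 12 <= svc.prefixlen <= 24:
        problems.append(f"prefix /{svc.prefixlen} is outside the allowed /12 to /24 range")
    for cidr in vpc_cidrs:
        vpc = ipaddress.ip_network(cidr, strict=False)
        if svc.overlaps(vpc):
            problems.append(f"overlaps VPC CIDR {vpc}")
    return problems


def default_cidr_conflicts(vpc_cidrs: List[str]) -> List[str]:
    """EKS defaults that would collide with the given VPC (or peered) CIDRs.

    Relevant when the input is omitted: EKS picks one of the defaults itself,
    and a collision with a peered network shows up later as unreachable services.
    """
    return [d for d in EKS_DEFAULT_SERVICE_CIDRS if service_cidr_problems(d, vpc_cidrs)]


if __name__ == "__main__":
    # Constructed sample: the cluster VPC plus a peered range that happens to be an EKS default.
    vpc = ["10.0.0.0/16", "172.20.0.0/16"]
    print(service_cidr_problems("10.96.0.0/12", vpc))   # []
    print(service_cidr_problems("10.0.0.0/16", vpc))    # overlaps VPC
    print(service_cidr_problems("8.8.8.0/24", vpc))     # not private
    print(service_cidr_problems("10.200.0.0/28", vpc))  # too small
    print(default_cidr_conflicts(vpc))                  # ['172.20.0.0/16']
```

Pass every CIDR the VPC can route to (its own blocks, peered VPCs, Transit Gateway and VPN ranges), not just the VPC's primary CIDR, since the overlap rule is about reachability rather than ownership.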
maxSize Number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize Number

The minimum number of worker nodes running in the cluster. Defaults to 1.

name String

The cluster's physical resource name.

If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

nodeAmiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: nodeAmiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
nodeAssociatePublicIpAddress Boolean

Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

nodeGroupOptions Property Map

The common configuration settings for NodeGroups.

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination Boolean

Whether to delete a cluster node's root volume on termination. Defaults to true.

nodeRootVolumeEncrypted Boolean

Whether to encrypt a cluster node's root volume. Defaults to false. Set this (or encryptRootBlockDevice) so that node-local data such as pulled image layers and container writable layers is encrypted at rest.

nodeRootVolumeIops Number

Provisioned IOPS for a cluster node's root volume. Only valid for io1 volumes.

nodeRootVolumeSize Number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput Number

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. Only valid for gp3 volumes.

nodeRootVolumeType String

Configured EBS type for a cluster node's root volume. Default is gp2.

nodeSecurityGroupTags Map<String>

The tags to apply to the default nodeSecurityGroup created by the cluster.

Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

nodeSubnetIds List<String>

The subnets to use for worker nodes. Defaults to the value of subnetIds.

nodeUserData String

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

privateSubnetIds List<String>

The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

Also set nodeAssociatePublicIpAddress: false for fully private workers; with it set to true the workers are still given public IPs even when they sit in private subnets.

providerCredentialOpts Property Map

The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

This is required for certain auth scenarios. For example:

  • Creating and using a new AWS provider instance, or
  • Setting the AWS_PROFILE environment variable, or
  • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

See for more details:

  • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
  • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
  • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
proxy String

The HTTP(S) proxy to use within a proxied environment.

The proxy is used during cluster creation, and OIDC configuration.

This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

This option is required iff the proxy environment variables are not set.

Format: <protocol>://<host>:<port>

Auth Format: <protocol>://<username>:<password>@<host>:<port>

Ex:

  • "http://proxy.example.com:3128"
  • "https://proxy.example.com"
  • "http://username:password@proxy.example.com:3128"

Note: credentials embedded in the proxy URL are recorded in the stack's state and config like any other input. Store them with pulumi config set --secret and pass the value in as a secret so it is encrypted in state.
publicAccessCidrs List<String>

Indicates which CIDR blocks can access the Amazon EKS public API server endpoint. Only relevant while endpointPublicAccess is true; when unset, EKS allows 0.0.0.0/0, so restrict this to the egress ranges of your operators and CI runners.

publicSubnetIds List<String>

The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

Worker network architecture options:

  • Private-only: Only set privateSubnetIds.
    • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
  • Public-only: Only set publicSubnetIds.
    • Default workers to run in a public subnet.
  • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
    • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

roleMappings List<Property Map>

Optional mappings from AWS IAM roles to Kubernetes users and groups.

serviceRole aws:iam:Role

IAM Service Role for EKS to use to manage the cluster.

skipDefaultNodeGroup Boolean

If this toggle is set to true, the EKS cluster will be created without a node group attached. Defaults to false, unless the fargate input is provided.

storageClasses String | Map<Property Map>

An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

subnetIds List<String>

The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

tags Map<String>

Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

useDefaultVpcCni Boolean

Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

userMappings List<Property Map>

Optional mappings from AWS IAM users to Kubernetes users and groups.

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

vpcCniOptions Property Map

The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

vpcId String

The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

Outputs

All input properties are implicitly available as output properties. Additionally, the Cluster resource produces the following output properties:

AwsProvider Pulumi.Aws.Provider

The AWS resource provider.

Core CoreData

The EKS cluster and its dependencies.

EksCluster Pulumi.Aws.Eks.Cluster

The EKS cluster.

EksClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule

The ingress rule that gives node group access to cluster API server.

Id string

The provider-assigned unique ID for this managed resource.

Kubeconfig object

A kubeconfig that can be used to connect to the EKS cluster.

NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the cluster's nodes.

Provider Pulumi.Kubernetes.Provider

A Kubernetes resource provider that can be used to deploy into this cluster.

DefaultNodeGroup NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

AwsProvider Provider

The AWS resource provider.

Core CoreData

The EKS cluster and its dependencies.

EksCluster Cluster

The EKS cluster.

EksClusterIngressRule SecurityGroupRule

The ingress rule that gives node group access to cluster API server.

Id string

The provider-assigned unique ID for this managed resource.

Kubeconfig interface{}

A kubeconfig that can be used to connect to the EKS cluster.

NodeSecurityGroup SecurityGroup

The security group for the cluster's nodes.

Provider Provider

A Kubernetes resource provider that can be used to deploy into this cluster.

DefaultNodeGroup NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

awsProvider Provider

The AWS resource provider.

core CoreData

The EKS cluster and its dependencies.

eksCluster Cluster

The EKS cluster.

eksClusterIngressRule SecurityGroupRule

The ingress rule that gives node group access to cluster API server.

id String

The provider-assigned unique ID for this managed resource.

kubeconfig Object

A kubeconfig that can be used to connect to the EKS cluster.

nodeSecurityGroup SecurityGroup

The security group for the cluster's nodes.

provider Provider

A Kubernetes resource provider that can be used to deploy into this cluster.

defaultNodeGroup NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

awsProvider pulumiAwsProvider

The AWS resource provider.

core CoreData

The EKS cluster and its dependencies.

eksCluster pulumiAwseksCluster

The EKS cluster.

eksClusterIngressRule pulumiAwsec2SecurityGroupRule

The ingress rule that gives node group access to cluster API server.

id string

The provider-assigned unique ID for this managed resource.

kubeconfig any

A kubeconfig that can be used to connect to the EKS cluster.

nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the cluster's nodes.

provider pulumiKubernetesProvider

A Kubernetes resource provider that can be used to deploy into this cluster.

defaultNodeGroup NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

aws_provider Provider

The AWS resource provider.

core CoreData

The EKS cluster and its dependencies.

eks_cluster Cluster

The EKS cluster.

eks_cluster_ingress_rule SecurityGroupRule

The ingress rule that gives node group access to cluster API server.

id str

The provider-assigned unique ID for this managed resource.

kubeconfig Any

A kubeconfig that can be used to connect to the EKS cluster.

node_security_group SecurityGroup

The security group for the cluster's nodes.

provider Provider

A Kubernetes resource provider that can be used to deploy into this cluster.

default_node_group NodeGroupData

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

awsProvider pulumi:providers:aws

The AWS resource provider.

core Property Map

The EKS cluster and its dependencies.

eksCluster aws:eks:Cluster

The EKS cluster.

eksClusterIngressRule aws:ec2:SecurityGroupRule

The ingress rule that gives node group access to cluster API server.

id String

The provider-assigned unique ID for this managed resource.

kubeconfig Any

A kubeconfig that can be used to connect to the EKS cluster.

nodeSecurityGroup aws:ec2:SecurityGroup

The security group for the cluster's nodes.

provider pulumi:providers:kubernetes

A Kubernetes resource provider that can be used to deploy into this cluster.

defaultNodeGroup Property Map

The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

Cluster Resource Methods

GetKubeconfig Method

Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in KubeconfigOptions.

The kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
  • https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
  • https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

Using GetKubeconfig

getKubeconfig(args?: Cluster.GetKubeconfigArgs): Output<Cluster.GetKubeconfigResult>
def get_kubeconfig(self,
                   profile_name: Optional[pulumi.Input[str]] = None,
                   role_arn: Optional[pulumi.Input[str]] = None) -> Output[str]
func (r *Cluster) GetKubeconfig(ctx *Context, args *ClusterGetKubeconfigArgs) (pulumi.StringOutput, error)
public Output<string> GetKubeconfig(Cluster.GetKubeconfigArgs? args)

The following arguments are supported:

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName String

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn String

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profile_name str

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

role_arn str

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName String

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn String

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

GetKubeconfig Result

Result string
Result string
result String
result string
result str
result String
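The two options above, and the providerCredentialOpts input earlier on this page, change only the user entry of the generated kubeconfig: the profile becomes an environment variable for the exec plugin and the role becomes an argument to it, so the file itself never holds a static secret. The following added example, not the component's own generator, builds that shape with the aws eks get-token exec plugin and includes a check for kubeconfigs that do embed long-lived credentials. The cluster name, endpoint, CA data and ARNs are constructed placeholders, and the exact command the Pulumi component emits may differ in detail.

```python
"""What profileName / roleArn turn into inside a kubeconfig.

Added example, not the package's own generator: the exec-plugin kubeconfig
shape the page describes (profile as an environment setting, role as an exec
argument) using `aws eks get-token`, plus a check that a kubeconfig handed to
CI carries no embedded static credential.
"""
import base64
import json
from typing import Any, Dict, List, Optional

# Constructed placeholders, not a real cluster.
CLUSTER_NAME = "prod-eksCluster-0123abcd"
ENDPOINT = "https://ABCDEF0123456789.gr7.us-west-2.eks.amazonaws.com"
CA_DATA = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n").decode()


def build_kubeconfig(cluster_name: str, endpoint: str, ca_data: str,
                     profile_name: Optional[str] = None,
                     role_arn: Optional[str] = None) -> Dict[str, Any]:
    """Kubeconfig whose user entry defers to `aws eks get-token` for a short-lived token."""
    args: List[str] = ["eks", "get-token", "--cluster-name", cluster_name]
    if role_arn:
        args += ["--role-arn", role_arn]          # role travels as an exec argument
    exec_cfg: Dict[str, Any] = {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "aws",
        "args": args,
    }
    if profile_name:
        # profile travels as an environment setting for the plugin only
        exec_cfg["env"] = [{"name": "AWS_PROFILE", "value": profile_name}]
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "kubernetes",
                      "cluster": {"server": endpoint, "certificate-authority-data": ca_data}}],
        "contexts": [{"name": "aws", "context": {"cluster": "kubernetes", "user": "aws"}}],
        "current-context": "aws",
        "users": [{"name": "aws", "user": {"exec": exec_cfg}}],
    }


def kubeconfig_to_string(cfg: Dict[str, Any]) -> str:
    """JSON is valid YAML, so kubectl loads this without a YAML library being involved."""
    return json.dumps(cfg, indent=2)


def static_credential_findings(cfg: Dict[str, Any]) -> List[str]:
    """Flag user entries that embed long-lived secrets instead of exec auth."""
    findings: List[str] = []
    for entry in cfg.get("users", []):
        user = entry.get("user", {})
        for key in ("token", "client-key-data", "password"):
            if key in user:
                findings.append(f"user {entry['name']!r} embeds static {key}")
        exec_env = {e["name"]: e["value"] for e in user.get("exec", {}).get("env", [])}
        if "AWS_SECRET_ACCESS_KEY" in exec_env:
            findings.append(f"user {entry['name']!r} embeds AWS_SECRET_ACCESS_KEY in exec env")
    return findings


if __name__ == "__main__":
    cfg = build_kubeconfig(CLUSTER_NAME, ENDPOINT, CA_DATA,
                           profile_name="ci-deployer",
                           role_arn="arn:aws:iam::123456789012:role/eks-deployer")
    print(kubeconfig_to_string(cfg))
    print(static_credential_findings(cfg))  # []
```

Because authentication happens at exec time, whoever runs kubectl with this file still needs AWS credentials that can call sts:AssumeRole on the named role (or that the named profile resolves to); the kubeconfig grants nothing on its own, which is the property the check above preserves.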

Supporting Types

ClusterNodeGroupOptions

AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags Dictionary<string, string>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string

Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

CloudFormationTags Dictionary<string, string>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule

The ingress rule that gives node group access.

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EncryptRootBlockDevice bool

Encrypt the root block device of the nodes in the node group.

ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
InstanceProfile Pulumi.Aws.Iam.InstanceProfile

The IAM InstanceProfile to use on the worker node group. If not set, the cluster's instanceProfileName is used.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

KeyName string

Name of the key pair to use for SSH access to worker nodes.

KubeletExtraArgs string

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.

Labels Dictionary<string, string>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

NodeAssociatePublicIpAddress bool

Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds List<string>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

NodeUserDataOverride string

User-specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping and signal node readiness to the managing CloudFormation stack. It must be a complete and executable user data script in bash (Linux) or PowerShell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

SpotPrice string

Bidding price for spot instances. If set, only spot instances will be added as worker nodes.

Taints Dictionary<string, Taint>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags map[string]string

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string

Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

CloudFormationTags map[string]string

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule SecurityGroupRule

The ingress rule that gives node group access.

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EncryptRootBlockDevice bool

Encrypt the root block device of the nodes in the node group.

ExtraNodeSecurityGroups SecurityGroup

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

InstanceProfile InstanceProfile

The ingress rule that gives node group access.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

KeyName string

Name of the key pair to use for SSH access to worker nodes.

KubeletExtraArgs string

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be appended to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.

Labels map[string]string

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

NodeAssociatePublicIpAddress bool

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, the workers are given public IPs; if false, they are not.

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds []string

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets are used for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

NodeUserDataOverride string

User-specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping and signal node readiness to the managing CloudFormation stack. It must be a complete and executable user data script in bash (Linux) or PowerShell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

SpotPrice string

Bidding price for spot instances. If set, only spot instances will be added as worker nodes.

Taints map[string]Taint

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String,String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String

Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

cloudFormationTags Map<String,String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule SecurityGroupRule

The ingress rule that gives node group access.

desiredCapacity Integer

The number of worker nodes that should be running in the cluster. Defaults to 2.

encryptRootBlockDevice Boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups List<SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

instanceProfile InstanceProfile

The ingress rule that gives node group access.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

keyName String

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs String

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be appended to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.

labels Map<String,String>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

maxSize Integer

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize Integer

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress Boolean

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, the workers are given public IPs; if false, they are not.

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeSize Integer

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets are used for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

nodeUserDataOverride String

User-specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping and signal node readiness to the managing CloudFormation stack. It must be a complete and executable user data script in bash (Linux) or PowerShell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

spotPrice String

Bidding price for spot instances. If set, only spot instances will be added as worker nodes.

taints Map<String,Taint>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

amiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags {[key: string]: string}

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs string

Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

cloudFormationTags {[key: string]: string}

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule pulumiAwsec2SecurityGroupRule

The ingress rule that gives node group access.

desiredCapacity number

The number of worker nodes that should be running in the cluster. Defaults to 2.

encryptRootBlockDevice boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

instanceProfile pulumiAwsiamInstanceProfile

The ingress rule that gives node group access.

instanceType string

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

keyName string

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs string

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be appended to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.

labels {[key: string]: string}

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

maxSize number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize number

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress boolean

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, the workers are given public IPs; if false, they are not.

nodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeSize number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds string[]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets are used for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

nodeUserData string

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

nodeUserDataOverride string

User-specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping and signal node readiness to the managing CloudFormation stack. It must be a complete and executable user data script in bash (Linux) or PowerShell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

spotPrice string

Bidding price for spot instances. If set, only spot instances will be added as worker nodes.

taints {[key: string]: Taint}

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.

version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

ami_type str

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

auto_scaling_group_tags Mapping[str, str]

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrap_extra_args str

Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

cloud_formation_tags Mapping[str, str]

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

cluster_ingress_rule SecurityGroupRule

The ingress rule that gives node group access.

desired_capacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

encrypt_root_block_device bool

Encrypt the root block device of the nodes in the node group.

extra_node_security_groups Sequence[SecurityGroup]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

instance_profile InstanceProfile

The ingress rule that gives node group access.

instance_type str

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

key_name str

Name of the key pair to use for SSH access to worker nodes.

kubelet_extra_args str

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be appended to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.

labels Mapping[str, str]

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

max_size int

The maximum number of worker nodes running in the cluster. Defaults to 2.

min_size int

The minimum number of worker nodes running in the cluster. Defaults to 1.

node_associate_public_ip_address bool

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, the workers are given public IPs; if false, they are not.

node_public_key str

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

node_root_volume_size int

The size in GiB of a cluster node's root volume. Defaults to 20.

node_security_group SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.

node_subnet_ids Sequence[str]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets are used for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

node_user_data str

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

node_user_data_override str

User-specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping and signal node readiness to the managing CloudFormation stack. It must be a complete and executable user data script in bash (Linux) or PowerShell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

spot_price str

Bidding price for spot instances. If set, only spot instances will be added as worker nodes.

taints Mapping[str, Taint]

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.

version str

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String

Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

cloudFormationTags Map<String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule aws:ec2:SecurityGroupRule

The ingress rule that gives node group access.

desiredCapacity Number

The number of worker nodes that should be running in the cluster. Defaults to 2.

encryptRootBlockDevice Boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups List<aws:ec2:SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

instanceProfile aws:iam:InstanceProfile

The ingress rule that gives node group access.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t2.medium".

keyName String

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs String

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be appended to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.

labels Map<String>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

maxSize Number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minSize Number

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress Boolean

Whether to auto-assign public IP addresses to the EKS worker nodes. If true, the workers are given public IPs; if false, they are not.

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeSize Number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeSecurityGroup aws:ec2:SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets are used for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

nodeUserDataOverride String

User-specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping and signal node readiness to the managing CloudFormation stack. It must be a complete and executable user data script in bash (Linux) or PowerShell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

spotPrice String

Bidding price for spot instances. If set, only spot instances will be added as worker nodes.

taints Map<Property Map>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
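The node group options above carry several rules worth checking before a deployment: the mutual exclusions (amiId/gpu, amiType/gpu, nodeSecurityGroup/nodeSecurityGroupTags), the tag double-inheritance caveat, the `#!` requirement on nodeUserData, the size defaults, and the way labels and taints are appended after kubeletExtraArgs. The following pre-deployment lint is an added example, not code from the Pulumi EKS package; it works on a plain dict using the TypeScript option names, and assumes a `Taint` shaped as `{"value": ..., "effect": ...}` and a `key=value:Effect` rendering, neither of which this page specifies.

```python
"""Lint a ClusterNodeGroupOptions-style dict against the rules in the reference.

Added example, not part of pulumi-eks. The Taint shape and the rendered
kubelet flag formats are assumptions; the option names are the page's own.
"""
from __future__ import annotations

import shlex
from typing import Any

# Pairs the reference declares mutually exclusive.
MUTUALLY_EXCLUSIVE = [
    ("amiId", "gpu"),
    ("amiType", "gpu"),
    ("nodeSecurityGroup", "nodeSecurityGroupTags"),
]


def check_node_group_options(opts: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the options pass."""
    findings: list[str] = []
    present = {k for k, v in opts.items() if v not in (None, False, "", {}, [])}

    for a, b in MUTUALLY_EXCLUSIVE:
        if a in present and b in present:
            findings.append(f"{a} and {b} are mutually exclusive")

    # A tag given in both maps is inherited twice; the reference says pick one.
    dup = set(opts.get("autoScalingGroupTags") or {}) & set(opts.get("cloudFormationTags") or {})
    if dup:
        findings.append(f"tags set in both autoScalingGroupTags and cloudFormationTags: {sorted(dup)}")

    # nodeUserData runs after bootstrap and must begin with an interpreter directive.
    user_data = opts.get("nodeUserData")
    if user_data is not None and not user_data.startswith("#!"):
        findings.append("nodeUserData must begin with an interpreter directive (#!)")

    # Size bounds, using the defaults the reference gives (min 1, max 2, desired 2).
    min_size = opts.get("minSize", 1)
    max_size = opts.get("maxSize", 2)
    desired = opts.get("desiredCapacity", 2)
    if not (min_size <= desired <= max_size):
        findings.append(f"desiredCapacity {desired} not within [minSize {min_size}, maxSize {max_size}]")

    # Hardening: these are opt-in in the reference, so flag the weaker choice.
    if not opts.get("encryptRootBlockDevice"):
        findings.append("encryptRootBlockDevice is not enabled for node root volumes")
    if opts.get("nodeAssociatePublicIpAddress"):
        findings.append("nodeAssociatePublicIpAddress=true gives every worker a public IP")
    if opts.get("nodePublicKey") or opts.get("keyName"):
        findings.append("SSH access to workers is enabled via nodePublicKey/keyName; confirm it is intended")
    return findings


def render_kubelet_args(opts: dict[str, Any]) -> list[str]:
    """Compose the kubelet argument list as the reference describes: the explicit
    kubeletExtraArgs first, then --node-labels from `labels`, then
    --register-with-taints from `taints` (flag formats are assumed)."""
    args = shlex.split(opts.get("kubeletExtraArgs") or "")
    labels = opts.get("labels") or {}
    if labels:
        args.append("--node-labels=" + ",".join(f"{k}={v}" for k, v in sorted(labels.items())))
    taints = opts.get("taints") or {}
    if taints:
        rendered = ",".join(f"{k}={t['value']}:{t['effect']}" for k, t in sorted(taints.items()))
        args.append("--register-with-taints=" + rendered)
    return args


# Constructed sample inputs (placeholder values, not real resources).
WEAK_OPTIONS: dict[str, Any] = {
    "amiId": "ami-0123456789abcdef0",  # constructed placeholder
    "gpu": True,                       # conflicts with amiId
    "nodeAssociatePublicIpAddress": True,
    "nodePublicKey": "ssh-ed25519 AAAA...constructed",
    "nodeUserData": "echo hello",      # missing #!
    "autoScalingGroupTags": {"team": "a"},
    "cloudFormationTags": {"team": "a"},
    "minSize": 3, "maxSize": 2, "desiredCapacity": 2,
}

HARDENED_OPTIONS: dict[str, Any] = {
    "encryptRootBlockDevice": True,
    "nodeAssociatePublicIpAddress": False,
    "kubeletExtraArgs": "--port=10251 --address=0.0.0.0",
    "labels": {"role": "batch"},
    "taints": {"dedicated": {"value": "batch", "effect": "NoSchedule"}},
    "nodeUserData": "#!/bin/bash\necho post-bootstrap-hook\n",
    "minSize": 1, "maxSize": 3, "desiredCapacity": 2,
}

if __name__ == "__main__":
    for name, opts in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(f"{name}: {check_node_group_options(opts) or 'ok'}")
        print(f"{name} kubelet args: {render_kubelet_args(opts)}")
```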

CoreData

Cluster Pulumi.Aws.Eks.Cluster
ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup
Endpoint string
InstanceRoles List<Pulumi.Aws.Iam.Role>
NodeGroupOptions ClusterNodeGroupOptions
Provider Pulumi.Kubernetes.Provider
SubnetIds List<string>
VpcId string
AwsProvider Pulumi.Aws.Provider
EksNodeAccess Pulumi.Kubernetes.Core.V1.ConfigMap
EncryptionConfig Pulumi.Aws.Eks.Inputs.ClusterEncryptionConfig
FargateProfile Pulumi.Aws.Eks.FargateProfile
Kubeconfig object
NodeSecurityGroupTags Dictionary<string, string>
OidcProvider Pulumi.Aws.Iam.OpenIdConnectProvider
PrivateSubnetIds List<string>
PublicSubnetIds List<string>
StorageClasses Dictionary<string, Pulumi.Kubernetes.Storage.V1.StorageClass>
Tags Dictionary<string, string>
VpcCni Pulumi.Eks.VpcCni
Cluster Cluster
ClusterSecurityGroup SecurityGroup
Endpoint string
InstanceRoles Role
NodeGroupOptions ClusterNodeGroupOptions
Provider Provider
SubnetIds []string
VpcId string
AwsProvider Provider
EksNodeAccess ConfigMap
EncryptionConfig ClusterEncryptionConfig
FargateProfile FargateProfile
Kubeconfig interface{}
NodeSecurityGroupTags map[string]string
OidcProvider OpenIdConnectProvider
PrivateSubnetIds []string
PublicSubnetIds []string
StorageClasses StorageClass
Tags map[string]string
VpcCni VpcCni
cluster Cluster
clusterSecurityGroup SecurityGroup
endpoint String
instanceRoles List<Role>
nodeGroupOptions ClusterNodeGroupOptions
provider Provider
subnetIds List<String>
vpcId String
awsProvider Provider
eksNodeAccess ConfigMap
encryptionConfig ClusterEncryptionConfig
fargateProfile FargateProfile
kubeconfig Object
nodeSecurityGroupTags Map<String,String>
oidcProvider OpenIdConnectProvider
privateSubnetIds List<String>
publicSubnetIds List<String>
storageClasses Map<String,StorageClass>
tags Map<String,String>
vpcCni VpcCni
cluster pulumiAwseksCluster
clusterSecurityGroup pulumiAwsec2SecurityGroup
endpoint string
instanceRoles pulumiAwsiamRole[]
nodeGroupOptions ClusterNodeGroupOptions
provider pulumiKubernetesProvider
subnetIds string[]
vpcId string
awsProvider pulumiAwsProvider
eksNodeAccess pulumiKubernetescorev1ConfigMap
encryptionConfig pulumiAwstypesinputeksClusterEncryptionConfig
fargateProfile pulumiAwseksFargateProfile
kubeconfig any
nodeSecurityGroupTags {[key: string]: string}
oidcProvider pulumiAwsiamOpenIdConnectProvider
privateSubnetIds string[]
publicSubnetIds string[]
storageClasses {[key: string]: pulumiKubernetesstoragev1StorageClass}
tags {[key: string]: string}
vpcCni VpcCni
cluster aws:eks:Cluster
clusterSecurityGroup aws:ec2:SecurityGroup
endpoint String
instanceRoles List<aws:iam:Role>
nodeGroupOptions Property Map
provider pulumi:providers:kubernetes
subnetIds List<String>
vpcId String
awsProvider pulumi:providers:aws
eksNodeAccess kubernetes:core/v1:ConfigMap
encryptionConfig Property Map
fargateProfile aws:eks:FargateProfile
kubeconfig Any
nodeSecurityGroupTags Map<String>
oidcProvider aws:iam:OpenIdConnectProvider
privateSubnetIds List<String>
publicSubnetIds List<String>
storageClasses Map<kubernetes:storage.k8s.io/v1:StorageClass>
tags Map<String>
vpcCni eks:VpcCni

CreationRoleProvider

Provider Pulumi.Aws.Provider
Role Pulumi.Aws.Iam.Role
Provider Provider
Role Role
provider Provider
role Role
provider pulumiAwsProvider
role pulumiAwsiamRole
provider Provider
role Role
provider pulumi:providers:aws
role aws:iam:Role

FargateProfile

PodExecutionRoleArn string

Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

Selectors List<Pulumi.Aws.Eks.Inputs.FargateProfileSelector>

Specify the namespace and label selectors to use for launching pods into Fargate.

SubnetIds List<string>

Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

PodExecutionRoleArn string

Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

Selectors FargateProfileSelector

Specify the namespace and label selectors to use for launching pods into Fargate.

SubnetIds []string

Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

podExecutionRoleArn String

Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

selectors List<FargateProfileSelector>

Specify the namespace and label selectors to use for launching pods into Fargate.

subnetIds List<String>

Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

podExecutionRoleArn string

Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

selectors pulumiAwstypesinputeksFargateProfileSelector[]

Specify the namespace and label selectors to use for launching pods into Fargate.

subnetIds string[]

Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

pod_execution_role_arn str

Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

selectors Sequence[FargateProfileSelectorArgs]

Specify the namespace and label selectors to use for launching pods into Fargate.

subnet_ids Sequence[str]

Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

podExecutionRoleArn String

Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

selectors List<Property Map>

Specify the namespace and label selectors to use for launching pods into Fargate.

subnetIds List<String>

Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

KubeconfigOptions

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

ProfileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

RoleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName String

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn String

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName string

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn string

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profile_name str

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

role_arn str

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.

profileName String

AWS credential profile name to always use instead of the default AWS credential provider chain.

The profile is passed to kubeconfig as an authentication environment setting.

roleArn String

Role ARN to assume instead of the default AWS credential provider chain.

The role is passed to kubeconfig as an authentication exec argument.
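
The two KubeconfigOptions fields above end up in different places in the generated kubeconfig: the role becomes an argument of the authentication exec plugin and the profile becomes an environment variable for it. The following is an added example, not pulumi-eks's own kubeconfig generator. It assumes the aws-iam-authenticator invocation convention (`token -i <cluster> -r <role-arn>`), an assumed plugin API version, and constructed placeholder cluster name, endpoint and CA data; the `audit_kubeconfig` helper is a hypothetical reviewer check for properties that should not appear in a kubeconfig distributed to users.

```python
from typing import Dict, List, Optional

# Constructed placeholder values; not taken from the page.
CLUSTER_NAME = "example-cluster"
ENDPOINT = "https://EXAMPLE0123456789.gr7.us-west-2.eks.amazonaws.com"
CA_DATA = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...placeholder..."


def build_kubeconfig(cluster_name: str, endpoint: str, ca_data: str,
                     profile_name: Optional[str] = None,
                     role_arn: Optional[str] = None) -> Dict:
    """Build a kubeconfig whose single user authenticates through an exec plugin.

    Assumption: the plugin is invoked the way aws-iam-authenticator is
    (`token -i <cluster> -r <role-arn>`). The page only states that roleArn
    becomes an exec argument and profileName an environment setting.
    """
    args: List[str] = ["token", "-i", cluster_name]
    if role_arn:
        # KubeconfigOptions.roleArn: assumed before the token is minted, so the
        # identity the cluster sees is the role, not the caller's base credentials.
        args += ["-r", role_arn]
    exec_block: Dict = {
        "apiVersion": "client.authentication.k8s.io/v1beta1",  # assumed plugin API version
        "command": "aws-iam-authenticator",
        "args": args,
    }
    if profile_name:
        # KubeconfigOptions.profileName: pins the credential source instead of
        # relying on whatever the default provider chain resolves on this host.
        exec_block["env"] = [{"name": "AWS_PROFILE", "value": profile_name}]
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name,
                      "cluster": {"server": endpoint,
                                  "certificate-authority-data": ca_data}}],
        "contexts": [{"name": "aws", "context": {"cluster": cluster_name, "user": "aws"}}],
        "current-context": "aws",
        "users": [{"name": "aws", "user": {"exec": exec_block}}],
    }


def audit_kubeconfig(cfg: Dict) -> List[str]:
    """Flag properties a reviewer does not want in a kubeconfig handed to users."""
    findings: List[str] = []
    for entry in cfg.get("users", []):
        user, name = entry.get("user", {}), entry.get("name")
        for static in ("token", "password", "client-key-data", "client-certificate-data"):
            if static in user:
                findings.append(f"user {name}: long-lived credential '{static}' embedded")
        if "exec" not in user:
            findings.append(f"user {name}: no exec plugin, access is not tied to an IAM identity")
    for entry in cfg.get("clusters", []):
        cluster, name = entry.get("cluster", {}), entry.get("name")
        if cluster.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: TLS verification disabled")
        elif not cluster.get("certificate-authority-data"):
            findings.append(f"cluster {name}: no CA data, API server identity is unverified")
    return findings
```

Because the exec plugin mints a short-lived token on every call, a kubeconfig built this way contains no secret material; the audit function makes that property checkable when kubeconfigs are generated in a pipeline.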

NodeGroupData

AutoScalingGroupName string

The AutoScalingGroup name for the node group.

CfnStack Pulumi.Aws.CloudFormation.Stack

The CloudFormation Stack which defines the Node AutoScalingGroup.

ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

The additional security groups for the node group that captures user-specific rules.

NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the node group to communicate with the cluster.

AutoScalingGroupName string

The AutoScalingGroup name for the node group.

CfnStack Stack

The CloudFormation Stack which defines the Node AutoScalingGroup.

ExtraNodeSecurityGroups SecurityGroup

The additional security groups for the node group that captures user-specific rules.

NodeSecurityGroup SecurityGroup

The security group for the node group to communicate with the cluster.

autoScalingGroupName String

The AutoScalingGroup name for the node group.

cfnStack Stack

The CloudFormation Stack which defines the Node AutoScalingGroup.

extraNodeSecurityGroups List<SecurityGroup>

The additional security groups for the node group that captures user-specific rules.

nodeSecurityGroup SecurityGroup

The security group for the node group to communicate with the cluster.

autoScalingGroupName string

The AutoScalingGroup name for the node group.

cfnStack pulumiAwscloudformationStack

The CloudFormation Stack which defines the Node AutoScalingGroup.

extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

The additional security groups for the node group that captures user-specific rules.

nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the node group to communicate with the cluster.

auto_scaling_group_name str

The AutoScalingGroup name for the node group.

cfn_stack Stack

The CloudFormation Stack which defines the Node AutoScalingGroup.

extra_node_security_groups Sequence[SecurityGroup]

The additional security groups for the node group that captures user-specific rules.

node_security_group SecurityGroup

The security group for the node group to communicate with the cluster.

autoScalingGroupName String

The AutoScalingGroup name for the node group.

cfnStack aws:cloudformation:Stack

The CloudFormation Stack which defines the Node AutoScalingGroup.

extraNodeSecurityGroups List<aws:ec2:SecurityGroup>

The additional security groups for the node group that captures user-specific rules.

nodeSecurityGroup aws:ec2:SecurityGroup

The security group for the node group to communicate with the cluster.

RoleMapping

Groups List<string>

A list of groups within Kubernetes to which the role is mapped.

RoleArn string

The ARN of the IAM role to add.

Username string

The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

Groups []string

A list of groups within Kubernetes to which the role is mapped.

RoleArn string

The ARN of the IAM role to add.

Username string

The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

groups List<String>

A list of groups within Kubernetes to which the role is mapped.

roleArn String

The ARN of the IAM role to add.

username String

The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

groups string[]

A list of groups within Kubernetes to which the role is mapped.

roleArn string

The ARN of the IAM role to add.

username string

The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

groups Sequence[str]

A list of groups within Kubernetes to which the role is mapped.

role_arn str

The ARN of the IAM role to add.

username str

The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

groups List<String>

A list of groups within Kubernetes to which the role is mapped.

roleArn String

The ARN of the IAM role to add.

username String

The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

StorageClass

Type string

The EBS volume type.

AllowVolumeExpansion bool

AllowVolumeExpansion shows whether the storage class allows volume expansion.

Default bool

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

Encrypted bool

Denotes whether the EBS volume should be encrypted.

IopsPerGb int

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

KmsKeyId string

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

Metadata Pulumi.Kubernetes.Types.Inputs.Meta.V1.ObjectMeta

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

MountOptions List<string>

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

ReclaimPolicy string

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

VolumeBindingMode string

VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

Zones List<string>

The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robined across all active zones where the Kubernetes cluster has a node. The zone and zones parameters must not be used at the same time.

Type string

The EBS volume type.

AllowVolumeExpansion bool

AllowVolumeExpansion shows whether the storage class allows volume expansion.

Default bool

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

Encrypted bool

Denotes whether the EBS volume should be encrypted.

IopsPerGb int

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

KmsKeyId string

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

Metadata ObjectMeta

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

MountOptions []string

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

ReclaimPolicy string

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

VolumeBindingMode string

VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

Zones []string

The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robined across all active zones where the Kubernetes cluster has a node. The zone and zones parameters must not be used at the same time.

type String

The EBS volume type.

allowVolumeExpansion Boolean

AllowVolumeExpansion shows whether the storage class allows volume expansion.

default_ Boolean

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

encrypted Boolean

Denotes whether the EBS volume should be encrypted.

iopsPerGb Integer

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

kmsKeyId String

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

metadata ObjectMeta

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

mountOptions List<String>

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

reclaimPolicy String

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

volumeBindingMode String

VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

zones List<String>

The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robined across all active zones where the Kubernetes cluster has a node. The zone and zones parameters must not be used at the same time.

type string

The EBS volume type.

allowVolumeExpansion boolean

AllowVolumeExpansion shows whether the storage class allows volume expansion.

default boolean

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

encrypted boolean

Denotes whether the EBS volume should be encrypted.

iopsPerGb number

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

kmsKeyId string

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

metadata pulumiKubernetestypesinputmetav1ObjectMeta

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

mountOptions string[]

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

reclaimPolicy string

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

volumeBindingMode string

VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

zones string[]

The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robined across all active zones where the Kubernetes cluster has a node. The zone and zones parameters must not be used at the same time.

type str

The EBS volume type.

allow_volume_expansion bool

AllowVolumeExpansion shows whether the storage class allows volume expansion.

default bool

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

encrypted bool

Denotes whether the EBS volume should be encrypted.

iops_per_gb int

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

kms_key_id str

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

metadata ObjectMetaArgs

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

mount_options Sequence[str]

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

reclaim_policy str

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

volume_binding_mode str

VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

zones Sequence[str]

The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robined across all active zones where the Kubernetes cluster has a node. The zone and zones parameters must not be used at the same time.

type String

The EBS volume type.

allowVolumeExpansion Boolean

AllowVolumeExpansion shows whether the storage class allows volume expansion.

default Boolean

True if this storage class should be a default storage class for the cluster.

Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

encrypted Boolean

Denotes whether the EBS volume should be encrypted.

iopsPerGb Number

I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

kmsKeyId String

The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

metadata Property Map

Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

mountOptions List<String>

Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

reclaimPolicy String

Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

volumeBindingMode String

VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

zones List<String>

The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robined across all active zones where the Kubernetes cluster has a node. The zone and zones parameters must not be used at the same time.
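
The StorageClass fields above map onto a storage.k8s.io/v1 manifest, and two of the documented rules (at most one default class, and the io1 IOPS cap of 20,000) are easy to get wrong when several classes are declared. The block below is an added example, not pulumi-eks's own storage class code. It assumes the in-tree `kubernetes.io/aws-ebs` provisioner and its parameter names (`type`, `encrypted`, `kmsKeyId`, `iopsPerGB`, `zones`); the `audit_storage_classes` helper is a hypothetical review check that applies the page's default-class rule and flags unencrypted or inconsistent settings. Key ARNs are constructed placeholders.

```python
from typing import Dict, List

IOPS_CAP = 20000  # cap the page states for iopsPerGb scaling on io1 volumes


def effective_iops(iops_per_gb: int, size_gib: int) -> int:
    """IOPS the plugin requests for an io1 volume: iopsPerGb * size, capped."""
    return min(iops_per_gb * size_gib, IOPS_CAP)


def render_storage_class(name: str, opts: Dict) -> Dict:
    """Render the page's StorageClass fields as a Kubernetes manifest.

    Assumption: the in-tree kubernetes.io/aws-ebs provisioner, whose parameters
    are strings named type, encrypted, kmsKeyId, iopsPerGB and zones.
    """
    params = {"type": opts.get("type", "gp2")}
    if opts.get("encrypted"):
        params["encrypted"] = "true"          # Kubernetes parameters are strings
    if opts.get("kmsKeyId"):
        params["kmsKeyId"] = opts["kmsKeyId"]
    if opts.get("iopsPerGb") is not None:
        params["iopsPerGB"] = str(opts["iopsPerGb"])
    if opts.get("zones"):
        params["zones"] = ",".join(opts["zones"])
    metadata = dict(opts.get("metadata") or {})
    metadata["name"] = name
    if opts.get("default"):
        # The annotation that marks a class as the cluster default.
        metadata.setdefault("annotations", {})["storageclass.kubernetes.io/is-default-class"] = "true"
    manifest = {
        "apiVersion": "storage.k8s.io/v1",
        "kind": "StorageClass",
        "metadata": metadata,
        "provisioner": "kubernetes.io/aws-ebs",
        "parameters": params,
        "reclaimPolicy": opts.get("reclaimPolicy", "Delete"),
        "volumeBindingMode": opts.get("volumeBindingMode", "Immediate"),
        "allowVolumeExpansion": bool(opts.get("allowVolumeExpansion", False)),
    }
    if opts.get("mountOptions"):
        manifest["mountOptions"] = list(opts["mountOptions"])
    return manifest


def audit_storage_classes(classes: Dict[str, Dict]) -> List[str]:
    """Apply the page's rules to a set of StorageClass option maps keyed by name."""
    findings: List[str] = []
    defaults = sorted(n for n, o in classes.items() if o.get("default"))
    if len(defaults) > 1:
        findings.append(f"more than one default storage class ({', '.join(defaults)}): "
                        "a PVC without storageClassName cannot be created")
    elif defaults:
        findings.append(f"{defaults[0]} is marked default, but EKS already creates a default "
                        "gp2 class; remove the default annotation from that one first")
    for name, o in classes.items():
        if o.get("kmsKeyId") and not o.get("encrypted"):
            findings.append(f"{name}: kmsKeyId is set but encrypted is false, so the key is never used")
        elif not o.get("encrypted"):
            findings.append(f"{name}: volumes are not encrypted at rest")
        if o.get("iopsPerGb") is not None and o.get("type") != "io1":
            findings.append(f"{name}: iopsPerGb only applies to io1 volumes")
    return findings
```

The audit treats an unencrypted class as a finding rather than a default, which is the stance a reviewer would take for persistent volumes that may hold application data; the `kmsKeyId`-without-`encrypted` case is called out separately because it silently produces an unencrypted volume.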

Taint

Effect string

The effect of the taint.

Value string

The value of the taint.

Effect string

The effect of the taint.

Value string

The value of the taint.

effect String

The effect of the taint.

value String

The value of the taint.

effect string

The effect of the taint.

value string

The value of the taint.

effect str

The effect of the taint.

value str

The value of the taint.

effect String

The effect of the taint.

value String

The value of the taint.

UserMapping

Groups List<string>

A list of groups within Kubernetes to which the user is mapped.

UserArn string

The ARN of the IAM user to add.

Username string

The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

Groups []string

A list of groups within Kubernetes to which the user is mapped.

UserArn string

The ARN of the IAM user to add.

Username string

The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

groups List<String>

A list of groups within Kubernetes to which the user is mapped.

userArn String

The ARN of the IAM user to add.

username String

The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

groups string[]

A list of groups within Kubernetes to which the user is mapped.

userArn string

The ARN of the IAM user to add.

username string

The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

groups Sequence[str]

A list of groups within Kubernetes to which the user is mapped.

user_arn str

The ARN of the IAM user to add.

username str

The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

groups List<String>

A list of groups within Kubernetes to which the user is mapped.

userArn String

The ARN of the IAM user to add.

username String

The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.
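
RoleMapping and UserMapping (the two sections above) are what the cluster writes into the aws-auth ConfigMap in kube-system, where the authenticator maps an IAM ARN to a Kubernetes username and group list; as the page notes, the username defaults to the ARN. The following is an added example, not the component's own aws-auth code. It renders both mapping kinds into the ConfigMap's `mapRoles` and `mapUsers` YAML documents with a small hand-written YAML emitter (so it needs no PyYAML), and adds a hypothetical `audit_mappings` review check; all ARNs are constructed placeholders.

```python
from typing import Dict, List


def _yaml_list(entries: List[Dict]) -> str:
    """Render a list of flat mappings (scalars and string lists) as block YAML."""
    lines: List[str] = []
    for entry in entries:
        first = True
        for key, val in entry.items():
            prefix = "- " if first else "  "
            first = False
            if isinstance(val, list):
                lines.append(f"{prefix}{key}:")
                lines.extend(f"    - {v}" for v in val)
            else:
                lines.append(f"{prefix}{key}: {val}")
    return "\n".join(lines) + "\n"


def build_aws_auth(role_mappings: List[Dict], user_mappings: List[Dict]) -> Dict:
    """Turn RoleMapping / UserMapping option dicts into the aws-auth ConfigMap.

    Keys follow the page: roleArn, userArn, username, groups. The username
    defaults to the ARN, exactly as the field descriptions state.
    """
    map_roles = [{"rolearn": m["roleArn"],
                  "username": m.get("username") or m["roleArn"],
                  "groups": list(m.get("groups", []))} for m in role_mappings]
    map_users = [{"userarn": m["userArn"],
                  "username": m.get("username") or m["userArn"],
                  "groups": list(m.get("groups", []))} for m in user_mappings]
    data: Dict[str, str] = {}
    if map_roles:
        data["mapRoles"] = _yaml_list(map_roles)
    if map_users:
        data["mapUsers"] = _yaml_list(map_users)
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": "aws-auth", "namespace": "kube-system"},
            "data": data}


def audit_mappings(role_mappings: List[Dict], user_mappings: List[Dict]) -> List[str]:
    """Review checks a defender applies before the ConfigMap is applied."""
    findings: List[str] = []
    for m in role_mappings + user_mappings:
        arn = m.get("roleArn") or m.get("userArn", "")
        groups = m.get("groups", [])
        if "system:masters" in groups:
            # system:masters is bound to cluster-admin and bypasses any RBAC you write.
            findings.append(f"{arn}: mapped to system:masters, which RBAC cannot restrict")
        if arn.endswith(":root"):
            findings.append(f"{arn}: account root mapped into the cluster")
        if "userArn" in m:
            findings.append(f"{arn}: IAM user mapped directly; prefer a role so access is assumed and short-lived")
    return findings
```

Rendering the mapping yourself makes the effective identity visible at review time: a mapping with no explicit `username` shows up with the ARN as its Kubernetes user, and group membership in `system:masters` is easy to spot before it reaches the cluster.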

VpcCniOptions

CniConfigureRpfilter bool

Specifies whether ipamd should configure rp filter for primary interface. Default is false.

CniCustomNetworkCfg bool

Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false.

CniExternalSnat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false.

CustomNetworkConfig bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

DisableTcpEarlyDemux bool

Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

EnableIpv6 bool

VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode, so ENABLE_PREFIX_DELEGATION needs to be set to true if VPC CNI is configured to operate in IPv6 mode. Prefix delegation is only supported on Nitro instances.

EnablePodEni bool

Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.

EnablePrefixDelegation bool

IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

EniConfigLabelDef string

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone. Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Defaults to the official AWS CNI image in ECR.

EniMtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

ExternalSnat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

Image string

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

InitImage string

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

LogFile string

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

LogLevel string

Specifies the log level used for logs.

Defaults to "DEBUG". Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

NodePortSupport bool

Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

Defaults to true.

SecurityContextPrivileged bool

Pass privileged to the container's securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default.

VethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

WarmEniTarget int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

WarmIpTarget int

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

WarmPrefixTarget int

WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md
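
The VpcCniOptions above are delivered to the aws-node DaemonSet as environment variables, and several of them carry constraints that are stated in prose (IPv6 requires prefix delegation, the MTU range, the 4-character veth prefix, the log level set, and TCP early demux when pod ENI is on). The block below is an added example, not the component's own VpcCni code. The page itself names ENABLE_IPv6, ENABLE_PREFIX_DELEGATION, ENI_CONFIG_LABEL_DEF and WARM_PREFIX_TARGET; the other environment variable names in `ENV_NAMES` are taken from the upstream amazon-vpc-cni-k8s documentation and are an assumption of this example. `validate` is a hypothetical pre-deploy check that encodes the page's rules.

```python
from typing import Dict, List

# Option name -> aws-node container environment variable. Four names appear on
# the page; the rest are assumed from the upstream amazon-vpc-cni-k8s docs.
ENV_NAMES = {
    "cniConfigureRpfilter": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER",
    "cniCustomNetworkCfg": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG",
    "cniExternalSnat": "AWS_VPC_K8S_CNI_EXTERNALSNAT",
    "disableTcpEarlyDemux": "DISABLE_TCP_EARLY_DEMUX",
    "enableIpv6": "ENABLE_IPv6",
    "enablePodEni": "ENABLE_POD_ENI",
    "enablePrefixDelegation": "ENABLE_PREFIX_DELEGATION",
    "eniConfigLabelDef": "ENI_CONFIG_LABEL_DEF",
    "eniMtu": "AWS_VPC_ENI_MTU",
    "logFile": "AWS_VPC_K8S_CNI_LOG_FILE",
    "logLevel": "AWS_VPC_K8S_CNI_LOGLEVEL",
    "nodePortSupport": "AWS_VPC_CNI_NODE_PORT_SUPPORT",
    "vethPrefix": "AWS_VPC_K8S_CNI_VETHPREFIX",
    "warmEniTarget": "WARM_ENI_TARGET",
    "warmIpTarget": "WARM_IP_TARGET",
    "warmPrefixTarget": "WARM_PREFIX_TARGET",
}
VALID_LOG_LEVELS = {"DEBUG", "INFO", "WARN", "ERROR", "FATAL"}
MTU_MIN, MTU_MAX = 576, 9001


def to_env(opts: Dict) -> List[Dict[str, str]]:
    """Translate VpcCniOptions into the env list of the aws-node container.

    Booleans become the strings "true"/"false", since container env values are strings.
    """
    env: List[Dict[str, str]] = []
    for key, name in ENV_NAMES.items():
        val = opts.get(key)
        if val is None:
            continue
        env.append({"name": name, "value": str(val).lower() if isinstance(val, bool) else str(val)})
    return env


def validate(opts: Dict) -> List[str]:
    """Return the page's documented constraints that the option set violates."""
    problems: List[str] = []
    if opts.get("enableIpv6") and not opts.get("enablePrefixDelegation"):
        problems.append("enableIpv6 requires enablePrefixDelegation=true (IPv6 is only supported in prefix delegation mode)")
    mtu = opts.get("eniMtu")
    if mtu is not None and not MTU_MIN <= mtu <= MTU_MAX:
        problems.append(f"eniMtu {mtu} is outside the valid range {MTU_MIN}..{MTU_MAX}")
    prefix = opts.get("vethPrefix")
    if prefix is not None and len(prefix) > 4:
        problems.append(f"vethPrefix '{prefix}' is longer than 4 characters")
    level = opts.get("logLevel")
    if level is not None and level not in VALID_LOG_LEVELS:
        problems.append(f"logLevel '{level}' is not one of {sorted(VALID_LOG_LEVELS)}")
    if opts.get("enablePodEni") and not opts.get("disableTcpEarlyDemux"):
        problems.append("enablePodEni without disableTcpEarlyDemux: kubelet liveness/readiness probes over TCP need early demux disabled")
    if opts.get("securityContextPrivileged"):
        # Informational: a privileged CNI pod is a node-level trust decision; the
        # page says it is only required when SELinux is enabled.
        problems.append("securityContextPrivileged=true: aws-node runs privileged; confirm SELinux actually requires it")
    return problems
```

Running `validate` before `pulumi up` turns prose constraints into a failing check, which is cheaper than discovering at rollout that IPv6 mode never came up or that probes fail on branch ENIs.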

CniConfigureRpfilter bool

Specifies whether ipamd should configure the kernel reverse path filter (rp_filter) on the primary interface. Default is false.

CniCustomNetworkCfg bool

Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this to true causes ipamd to use the security groups and VPC subnet from the worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). A worker node can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone as the worker node. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false.

CniExternalSnat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to reach the Internet directly through an Internet Gateway. In that case your nodes must run in a private subnet and reach the Internet through an AWS NAT Gateway or another external NAT device. Default is false.

CustomNetworkConfig bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

DisableTcpEarlyDemux bool

Allows the kubelet's liveness and readiness probes to connect over TCP when pod ENI (used by security groups for pods) is enabled. This slightly increases local TCP connection latency.

EnableIpv6 bool

VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true configures it in IPv6 mode. IPv6 is only supported in prefix delegation mode, so ENABLE_PREFIX_DELEGATION must also be set to true when VPC CNI operates in IPv6 mode. Prefix delegation is only supported on Nitro-based instances.

EnablePodEni bool

Specifies whether to allow ipamd to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If you use liveness and readiness probes, you will also need to disable TCP early demux.

EnablePrefixDelegation bool

When set to true, ipamd allocates /28 IPv4 prefixes to the ENIs instead of individual secondary IP addresses (ENABLE_PREFIX_DELEGATION).

EniConfigLabelDef string

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is the node label key whose value selects the ENIConfig to apply, which lets Kubernetes apply the ENIConfig for each Availability Zone automatically. Only takes effect when custom networking is enabled. Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Unset by default; when unset, the AWS VPC CNI's own default label key applies.

EniMtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

ExternalSnat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

Image string

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

InitImage string

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

LogFile string

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

LogLevel string

Specifies the log level used for logs.

Defaults to "DEBUG". Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL". DEBUG is verbose; INFO is usually sufficient outside of troubleshooting.

NodePortSupport bool

Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

Defaults to true.

SecurityContextPrivileged bool

Sets privileged: true in the securityContext of the CNI containers. This is required when SELinux is enabled. It is not set by default; leave it unset unless SELinux requires it, since a privileged container has unrestricted access to the host.

VethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

WarmEniTarget int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

WarmIpTarget int

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

WarmPrefixTarget int

Specifies the number of free /28 prefixes that ipamd should attempt to keep available for pod assignment on the node (WARM_PREFIX_TARGET). A whole /28 prefix is allocated even if only a single IP address of the existing prefix is in use. Only applies when prefix delegation is enabled. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

cniConfigureRpfilter Boolean

Specifies whether ipamd should configure the kernel reverse path filter (rp_filter) on the primary interface. Default is false.

cniCustomNetworkCfg Boolean

Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this to true causes ipamd to use the security groups and VPC subnet from the worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). A worker node can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone as the worker node. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false.

cniExternalSnat Boolean

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to reach the Internet directly through an Internet Gateway. In that case your nodes must run in a private subnet and reach the Internet through an AWS NAT Gateway or another external NAT device. Default is false.

customNetworkConfig Boolean

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

disableTcpEarlyDemux Boolean

Allows the kubelet's liveness and readiness probes to connect over TCP when pod ENI (used by security groups for pods) is enabled. This slightly increases local TCP connection latency.

enableIpv6 Boolean

VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true configures it in IPv6 mode. IPv6 is only supported in prefix delegation mode, so ENABLE_PREFIX_DELEGATION must also be set to true when VPC CNI operates in IPv6 mode. Prefix delegation is only supported on Nitro-based instances.

enablePodEni Boolean

Specifies whether to allow ipamd to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If you use liveness and readiness probes, you will also need to disable TCP early demux.

enablePrefixDelegation Boolean

When set to true, ipamd allocates /28 IPv4 prefixes to the ENIs instead of individual secondary IP addresses (ENABLE_PREFIX_DELEGATION).

eniConfigLabelDef String

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is the node label key whose value selects the ENIConfig to apply, which lets Kubernetes apply the ENIConfig for each Availability Zone automatically. Only takes effect when custom networking is enabled. Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Unset by default; when unset, the AWS VPC CNI's own default label key applies.

eniMtu Integer

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

externalSnat Boolean

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

image String

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

initImage String

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

logFile String

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

logLevel String

Specifies the log level used for logs.

Defaults to "DEBUG". Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL". DEBUG is verbose; INFO is usually sufficient outside of troubleshooting.

nodePortSupport Boolean

Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

Defaults to true.

securityContextPrivileged Boolean

Sets privileged: true in the securityContext of the CNI containers. This is required when SELinux is enabled. It is not set by default; leave it unset unless SELinux requires it, since a privileged container has unrestricted access to the host.

vethPrefix String

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

warmEniTarget Integer

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warmIpTarget Integer

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

warmPrefixTarget Integer

Specifies the number of free /28 prefixes that ipamd should attempt to keep available for pod assignment on the node (WARM_PREFIX_TARGET). A whole /28 prefix is allocated even if only a single IP address of the existing prefix is in use. Only applies when prefix delegation is enabled. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

cniConfigureRpfilter boolean

Specifies whether ipamd should configure the kernel reverse path filter (rp_filter) on the primary interface. Default is false.

cniCustomNetworkCfg boolean

Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this to true causes ipamd to use the security groups and VPC subnet from the worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). A worker node can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone as the worker node. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false.

cniExternalSnat boolean

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to reach the Internet directly through an Internet Gateway. In that case your nodes must run in a private subnet and reach the Internet through an AWS NAT Gateway or another external NAT device. Default is false.

customNetworkConfig boolean

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

disableTcpEarlyDemux boolean

Allows the kubelet's liveness and readiness probes to connect over TCP when pod ENI (used by security groups for pods) is enabled. This slightly increases local TCP connection latency.

enableIpv6 boolean

VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true configures it in IPv6 mode. IPv6 is only supported in prefix delegation mode, so ENABLE_PREFIX_DELEGATION must also be set to true when VPC CNI operates in IPv6 mode. Prefix delegation is only supported on Nitro-based instances.

enablePodEni boolean

Specifies whether to allow ipamd to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If you use liveness and readiness probes, you will also need to disable TCP early demux.

enablePrefixDelegation boolean

When set to true, ipamd allocates /28 IPv4 prefixes to the ENIs instead of individual secondary IP addresses (ENABLE_PREFIX_DELEGATION).

eniConfigLabelDef string

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is the node label key whose value selects the ENIConfig to apply, which lets Kubernetes apply the ENIConfig for each Availability Zone automatically. Only takes effect when custom networking is enabled. Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Unset by default; when unset, the AWS VPC CNI's own default label key applies.

eniMtu number

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

externalSnat boolean

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

image string

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

initImage string

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

logFile string

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

logLevel string

Specifies the log level used for logs.

Defaults to "DEBUG". Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL". DEBUG is verbose; INFO is usually sufficient outside of troubleshooting.

nodePortSupport boolean

Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

Defaults to true.

securityContextPrivileged boolean

Sets privileged: true in the securityContext of the CNI containers. This is required when SELinux is enabled. It is not set by default; leave it unset unless SELinux requires it, since a privileged container has unrestricted access to the host.

vethPrefix string

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

warmEniTarget number

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warmIpTarget number

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

warmPrefixTarget number

Specifies the number of free /28 prefixes that ipamd should attempt to keep available for pod assignment on the node (WARM_PREFIX_TARGET). A whole /28 prefix is allocated even if only a single IP address of the existing prefix is in use. Only applies when prefix delegation is enabled. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

cni_configure_rpfilter bool

Specifies whether ipamd should configure the kernel reverse path filter (rp_filter) on the primary interface. Default is false.

cni_custom_network_cfg bool

Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this to true causes ipamd to use the security groups and VPC subnet from the worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). A worker node can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone as the worker node. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false.

cni_external_snat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to reach the Internet directly through an Internet Gateway. In that case your nodes must run in a private subnet and reach the Internet through an AWS NAT Gateway or another external NAT device. Default is false.

custom_network_config bool

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

disable_tcp_early_demux bool

Allows the kubelet's liveness and readiness probes to connect over TCP when pod ENI (used by security groups for pods) is enabled. This slightly increases local TCP connection latency.

enable_ipv6 bool

VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true configures it in IPv6 mode. IPv6 is only supported in prefix delegation mode, so ENABLE_PREFIX_DELEGATION must also be set to true when VPC CNI operates in IPv6 mode. Prefix delegation is only supported on Nitro-based instances.

enable_pod_eni bool

Specifies whether to allow ipamd to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If you use liveness and readiness probes, you will also need to disable TCP early demux.

enable_prefix_delegation bool

When set to true, ipamd allocates /28 IPv4 prefixes to the ENIs instead of individual secondary IP addresses (ENABLE_PREFIX_DELEGATION).

eni_config_label_def str

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is the node label key whose value selects the ENIConfig to apply, which lets Kubernetes apply the ENIConfig for each Availability Zone automatically. Only takes effect when custom networking is enabled. Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Unset by default; when unset, the AWS VPC CNI's own default label key applies.

eni_mtu int

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

external_snat bool

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

image str

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

init_image str

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

log_file str

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

log_level str

Specifies the log level used for logs.

Defaults to "DEBUG". Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL". DEBUG is verbose; INFO is usually sufficient outside of troubleshooting.

node_port_support bool

Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

Defaults to true.

security_context_privileged bool

Sets privileged: true in the securityContext of the CNI containers. This is required when SELinux is enabled. It is not set by default; leave it unset unless SELinux requires it, since a privileged container has unrestricted access to the host.

veth_prefix str

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

warm_eni_target int

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warm_ip_target int

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

warm_prefix_target int

Specifies the number of free /28 prefixes that ipamd should attempt to keep available for pod assignment on the node (WARM_PREFIX_TARGET). A whole /28 prefix is allocated even if only a single IP address of the existing prefix is in use. Only applies when prefix delegation is enabled. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

cniConfigureRpfilter Boolean

Specifies whether ipamd should configure the kernel reverse path filter (rp_filter) on the primary interface. Default is false.

cniCustomNetworkCfg Boolean

Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this to true causes ipamd to use the security groups and VPC subnet from the worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). A worker node can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone as the worker node. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false.

cniExternalSnat Boolean

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to reach the Internet directly through an Internet Gateway. In that case your nodes must run in a private subnet and reach the Internet through an AWS NAT Gateway or another external NAT device. Default is false.

customNetworkConfig Boolean

Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

Defaults to false.

disableTcpEarlyDemux Boolean

Allows the kubelet's liveness and readiness probes to connect over TCP when pod ENI (used by security groups for pods) is enabled. This slightly increases local TCP connection latency.

enableIpv6 Boolean

VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true configures it in IPv6 mode. IPv6 is only supported in prefix delegation mode, so ENABLE_PREFIX_DELEGATION must also be set to true when VPC CNI operates in IPv6 mode. Prefix delegation is only supported on Nitro-based instances.

enablePodEni Boolean

Specifies whether to allow ipamd to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If you use liveness and readiness probes, you will also need to disable TCP early demux.

enablePrefixDelegation Boolean

When set to true, ipamd allocates /28 IPv4 prefixes to the ENIs instead of individual secondary IP addresses (ENABLE_PREFIX_DELEGATION).

eniConfigLabelDef String

Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is the node label key whose value selects the ENIConfig to apply, which lets Kubernetes apply the ENIConfig for each Availability Zone automatically. Only takes effect when custom networking is enabled. Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

Unset by default; when unset, the AWS VPC CNI's own default label key applies.

eniMtu Number

Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

Defaults to 9001.

externalSnat Boolean

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

Defaults to false.

image String

Specifies the container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI image in ECR.

initImage String

Specifies the init container image to use in the AWS CNI cluster DaemonSet.

Defaults to the official AWS CNI init container image in ECR.

logFile String

Specifies the file path used for logs.

Defaults to "stdout" to emit Pod logs for kubectl logs.

logLevel String

Specifies the log level used for logs.

Defaults to "DEBUG". Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL". DEBUG is verbose; INFO is usually sufficient outside of troubleshooting.

nodePortSupport Boolean

Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

Defaults to true.

securityContextPrivileged Boolean

Sets privileged: true in the securityContext of the CNI containers. This is required when SELinux is enabled. It is not set by default; leave it unset unless SELinux requires it, since a privileged container has unrestricted access to the host.

vethPrefix String

Specifies the veth prefix used to generate the host-side veth device name for the CNI.

The prefix can be at most 4 characters long.

Defaults to "eni".

warmEniTarget Number

Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

Defaults to 1.

warmIpTarget Number

Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

warmPrefixTarget Number

Specifies the number of free /28 prefixes that ipamd should attempt to keep available for pod assignment on the node (WARM_PREFIX_TARGET). A whole /28 prefix is allocated even if only a single IP address of the existing prefix is in use. Only applies when prefix delegation is enabled. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md
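
The constraints scattered through the option descriptions above (the valid log levels, the 4-character veth prefix limit, the 576 to 9001 MTU range, IPv6 requiring prefix delegation, pod ENI needing TCP early demux disabled, the privileged security context, and the two pairs of overlapping fields) are easy to get wrong when assembling a vpcCniOptions object. The following TypeScript is an added example, not code from pulumi-eks or from the AWS VPC CNI project: it lints such an object against those documented constraints and renders the environment the settings imply for the aws-node DaemonSet, so a reviewer can compare intent with what is running. The environment variable names are the ones documented by amazon-vpc-cni-k8s; mapping each duplicated option pair (externalSnat/cniExternalSnat, customNetworkConfig/cniCustomNetworkCfg) to a single variable is an assumption based on their identical descriptions, and the type and function names are this example's own.

```typescript
// Added example (not pulumi-eks code): lint a vpcCniOptions-shaped object
// against the constraints documented for the Cluster resource and render
// the aws-node DaemonSet environment those options imply.

export type VpcCniOptions = {
  cniConfigureRpfilter?: boolean; cniCustomNetworkCfg?: boolean; cniExternalSnat?: boolean;
  customNetworkConfig?: boolean; disableTcpEarlyDemux?: boolean; enableIpv6?: boolean;
  enablePodEni?: boolean; enablePrefixDelegation?: boolean; eniConfigLabelDef?: string;
  eniMtu?: number; externalSnat?: boolean; logFile?: string; logLevel?: string;
  nodePortSupport?: boolean; securityContextPrivileged?: boolean; vethPrefix?: string;
  warmEniTarget?: number; warmIpTarget?: number; warmPrefixTarget?: number;
};

export type Finding = { level: "error" | "warn"; message: string };

export const LOG_LEVELS: string[] = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"];

// Errors: the option set cannot work as documented. Warnings: it works, but
// weakens the node or hides problems.
export function lintVpcCniOptions(o: VpcCniOptions): Finding[] {
  const out: Finding[] = [];
  const error = (message: string) => out.push({ level: "error", message });
  const warn = (message: string) => out.push({ level: "warn", message });

  if (o.logLevel !== undefined && LOG_LEVELS.indexOf(o.logLevel) === -1) {
    error(`logLevel "${o.logLevel}" is not one of ${LOG_LEVELS.join("/")}`);
  }
  if (o.vethPrefix !== undefined && (o.vethPrefix.length < 1 || o.vethPrefix.length > 4)) {
    error("vethPrefix must be 1 to 4 characters");
  }
  if (o.eniMtu !== undefined && (o.eniMtu < 576 || o.eniMtu > 9001)) {
    error("eniMtu must be between 576 and 9001");
  }
  if (o.enableIpv6 && !o.enablePrefixDelegation) {
    error("enableIpv6 requires enablePrefixDelegation (IPv6 only works in prefix delegation mode)");
  }
  // Two fields exist for the same switch; contradictory values are a configuration bug.
  if (o.externalSnat !== undefined && o.cniExternalSnat !== undefined && o.externalSnat !== o.cniExternalSnat) {
    error("externalSnat and cniExternalSnat disagree");
  }
  if (o.customNetworkConfig !== undefined && o.cniCustomNetworkCfg !== undefined && o.customNetworkConfig !== o.cniCustomNetworkCfg) {
    error("customNetworkConfig and cniCustomNetworkCfg disagree");
  }
  if (o.warmPrefixTarget !== undefined && !o.enablePrefixDelegation) {
    warn("warmPrefixTarget has no effect without enablePrefixDelegation");
  }
  if (o.enablePodEni && !o.disableTcpEarlyDemux) {
    warn("enablePodEni with TCP liveness/readiness probes needs disableTcpEarlyDemux");
  }
  if (o.securityContextPrivileged) {
    warn("securityContextPrivileged runs the CNI containers privileged; only needed when SELinux is enabled");
  }
  if ((o.logLevel ?? "DEBUG") === "DEBUG") {
    warn("logLevel is DEBUG (the default); prefer INFO outside troubleshooting");
  }
  return out;
}

// Variable names as documented by amazon-vpc-cni-k8s. Pairing the duplicated
// options to one variable each is an assumption; securityContextPrivileged and
// the images are not environment variables and are deliberately absent.
const ENV_NAMES: { [K in keyof VpcCniOptions]?: string } = {
  cniConfigureRpfilter: "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER",
  cniCustomNetworkCfg: "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG", customNetworkConfig: "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG",
  cniExternalSnat: "AWS_VPC_K8S_CNI_EXTERNALSNAT", externalSnat: "AWS_VPC_K8S_CNI_EXTERNALSNAT",
  disableTcpEarlyDemux: "DISABLE_TCP_EARLY_DEMUX", // set on the init container, not aws-node
  enableIpv6: "ENABLE_IPv6", enablePodEni: "ENABLE_POD_ENI", enablePrefixDelegation: "ENABLE_PREFIX_DELEGATION",
  eniConfigLabelDef: "ENI_CONFIG_LABEL_DEF", eniMtu: "AWS_VPC_ENI_MTU",
  logFile: "AWS_VPC_K8S_CNI_LOG_FILE", logLevel: "AWS_VPC_K8S_CNI_LOGLEVEL",
  nodePortSupport: "AWS_VPC_CNI_NODE_PORT_SUPPORT", vethPrefix: "AWS_VPC_K8S_CNI_VETHPREFIX",
  warmEniTarget: "WARM_ENI_TARGET", warmIpTarget: "WARM_IP_TARGET", warmPrefixTarget: "WARM_PREFIX_TARGET",
};

// Only explicitly set options are rendered; everything else falls back to the
// CNI's own defaults, exactly as the option descriptions above state.
export function renderAwsNodeEnv(o: VpcCniOptions): Record<string, string> {
  const env: Record<string, string> = {};
  for (const key of Object.keys(ENV_NAMES) as (keyof VpcCniOptions)[]) {
    const value = o[key];
    const name = ENV_NAMES[key];
    if (value !== undefined && name !== undefined) env[name] = String(value);
  }
  return env;
}
```

Compare the rendered environment with the live DaemonSet using kubectl -n kube-system get daemonset aws-node -o jsonpath='{.spec.template.spec.containers[0].env}'. DISABLE_TCP_EARLY_DEMUX is set on the init container rather than on aws-node, and securityContextPrivileged is not an environment variable at all, so check .spec.template.spec.containers[0].securityContext for it.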

Package Details

Repository
https://github.com/pulumi/pulumi-eks
License
Apache-2.0