1. Packages
  2. Amazon EKS
  3. API Docs
  4. Cluster
Amazon EKS v2.0.0 published on Thursday, Nov 9, 2023 by Pulumi

eks.Cluster

Explore with Pulumi AI

eks logo
Amazon EKS v2.0.0 published on Thursday, Nov 9, 2023 by Pulumi

    Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.

    Create Cluster Resource

    new Cluster(name: string, args?: ClusterArgs, opts?: CustomResourceOptions);
    @overload
    def Cluster(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                cluster_security_group: Optional[pulumi_aws.ec2.SecurityGroup] = None,
                cluster_security_group_tags: Optional[Mapping[str, str]] = None,
                cluster_tags: Optional[Mapping[str, str]] = None,
                create_oidc_provider: Optional[bool] = None,
                creation_role_provider: Optional[CreationRoleProviderArgs] = None,
                default_addons_to_remove: Optional[Sequence[str]] = None,
                desired_capacity: Optional[int] = None,
                enabled_cluster_log_types: Optional[Sequence[str]] = None,
                encryption_config_key_arn: Optional[str] = None,
                endpoint_private_access: Optional[bool] = None,
                endpoint_public_access: Optional[bool] = None,
                fargate: Optional[Union[bool, FargateProfileArgs]] = None,
                gpu: Optional[bool] = None,
                instance_profile_name: Optional[str] = None,
                instance_role: Optional[pulumi_aws.iam.Role] = None,
                instance_roles: Optional[Sequence[pulumi_aws.iam.Role]] = None,
                instance_type: Optional[str] = None,
                kubernetes_service_ip_address_range: Optional[str] = None,
                max_size: Optional[int] = None,
                min_size: Optional[int] = None,
                name: Optional[str] = None,
                node_ami_id: Optional[str] = None,
                node_associate_public_ip_address: Optional[bool] = None,
                node_group_options: Optional[ClusterNodeGroupOptionsArgs] = None,
                node_public_key: Optional[str] = None,
                node_root_volume_encrypted: Optional[bool] = None,
                node_root_volume_size: Optional[int] = None,
                node_security_group_tags: Optional[Mapping[str, str]] = None,
                node_subnet_ids: Optional[Sequence[str]] = None,
                node_user_data: Optional[str] = None,
                private_subnet_ids: Optional[Sequence[str]] = None,
                provider_credential_opts: Optional[KubeconfigOptionsArgs] = None,
                proxy: Optional[str] = None,
                public_access_cidrs: Optional[Sequence[str]] = None,
                public_subnet_ids: Optional[Sequence[str]] = None,
                role_mappings: Optional[Sequence[RoleMappingArgs]] = None,
                service_role: Optional[pulumi_aws.iam.Role] = None,
                skip_default_node_group: Optional[bool] = None,
                storage_classes: Optional[Union[str, Mapping[str, StorageClassArgs]]] = None,
                subnet_ids: Optional[Sequence[str]] = None,
                tags: Optional[Mapping[str, str]] = None,
                use_default_vpc_cni: Optional[bool] = None,
                user_mappings: Optional[Sequence[UserMappingArgs]] = None,
                version: Optional[str] = None,
                vpc_cni_options: Optional[VpcCniOptionsArgs] = None,
                vpc_id: Optional[str] = None)
    @overload
    def Cluster(resource_name: str,
                args: Optional[ClusterArgs] = None,
                opts: Optional[ResourceOptions] = None)
    func NewCluster(ctx *Context, name string, args *ClusterArgs, opts ...ResourceOption) (*Cluster, error)
    public Cluster(string name, ClusterArgs? args = null, CustomResourceOptions? opts = null)
    public Cluster(String name, ClusterArgs args)
    public Cluster(String name, ClusterArgs args, CustomResourceOptions options)
    
    type: eks:Cluster
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args ClusterArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ClusterArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ClusterArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ClusterArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ClusterArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Cluster Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Cluster resource accepts the following input properties:

    ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

    The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

    ClusterSecurityGroupTags Dictionary<string, string>

    The tags to apply to the cluster security group.

    ClusterTags Dictionary<string, string>

    The tags to apply to the EKS cluster.

    CreateOidcProvider bool

    Indicates whether an IAM OIDC Provider is created for the EKS cluster.

    The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

    See for more details:

    • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
    • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
    • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
    CreationRoleProvider CreationRoleProvider

    The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

    DefaultAddonsToRemove List<string>

    List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.

    DesiredCapacity int

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    EnabledClusterLogTypes List<string>

    Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

    EncryptionConfigKeyArn string

    KMS Key ARN to use with the encryption configuration for the cluster.

    Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

    • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
    EndpointPrivateAccess bool

    Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

    EndpointPublicAccess bool

    Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

    Fargate bool | FargateProfile

    Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

    Gpu bool

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and nodeAmiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    InstanceProfileName string

    The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

    InstanceRole Pulumi.Aws.Iam.Role

    This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    InstanceRoles List<Pulumi.Aws.Iam.Role>

    This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    InstanceType string

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    KubernetesServiceIpAddressRange string

    The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

    The block must meet the following requirements:

    • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
    • Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
    • Between /24 and /12.
    MaxSize int

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    MinSize int

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    Name string

    The cluster's physical resource name.

    If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

    See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

    NodeAmiId string

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: nodeAmiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    NodeAssociatePublicIpAddress bool

    Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    NodeGroupOptions ClusterNodeGroupOptions

    The common configuration settings for NodeGroups.

    NodePublicKey string

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    NodeRootVolumeEncrypted bool

    Encrypt the root block device of the nodes in the node group.

    NodeRootVolumeSize int

    The size in GiB of a cluster node's root volume. Defaults to 20.

    NodeSecurityGroupTags Dictionary<string, string>

    The tags to apply to the default nodeSecurityGroup created by the cluster.

    Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

    NodeSubnetIds List<string>

    The subnets to use for worker nodes. Defaults to the value of subnetIds.

    NodeUserData string

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    PrivateSubnetIds List<string>

    The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

    ProviderCredentialOpts KubeconfigOptions

    The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

    This is required for certain auth scenarios. For example:

    • Creating and using a new AWS provider instance, or
    • Setting the AWS_PROFILE environment variable, or
    • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

    See for more details:

    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
    • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
    Proxy string

    The HTTP(S) proxy to use within a proxied environment.

    The proxy is used during cluster creation, and OIDC configuration.

    This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

    This option is required iff the proxy environment variables are not set.

    Format: ://: Auth Format: ://:@:

    Ex:

    • "http://proxy.example.com:3128"
    • "https://proxy.example.com"
    • "http://username:password@proxy.example.com:3128"
    PublicAccessCidrs List<string>

    Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

    PublicSubnetIds List<string>

    The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    RoleMappings List<RoleMapping>

    Optional mappings from AWS IAM roles to Kubernetes users and groups.

    ServiceRole Pulumi.Aws.Iam.Role

    IAM Service Role for EKS to use to manage the cluster.

    SkipDefaultNodeGroup bool

    If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.

    StorageClasses string | Dictionary<string, StorageClassArgs>

    An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    SubnetIds List<string>

    The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

    Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    Tags Dictionary<string, string>

    Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

    UseDefaultVpcCni bool

    Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

    UserMappings List<UserMapping>

    Optional mappings from AWS IAM users to Kubernetes users and groups.

    Version string

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    VpcCniOptions VpcCniOptions

    The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

    VpcId string

    The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

    ClusterSecurityGroup SecurityGroup

    The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

    ClusterSecurityGroupTags map[string]string

    The tags to apply to the cluster security group.

    ClusterTags map[string]string

    The tags to apply to the EKS cluster.

    CreateOidcProvider bool

    Indicates whether an IAM OIDC Provider is created for the EKS cluster.

    The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

    See for more details:

    • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
    • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
    • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
    CreationRoleProvider CreationRoleProviderArgs

    The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

    DefaultAddonsToRemove []string

    List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.

    DesiredCapacity int

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    EnabledClusterLogTypes []string

    Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

    EncryptionConfigKeyArn string

    KMS Key ARN to use with the encryption configuration for the cluster.

    Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

    • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
    EndpointPrivateAccess bool

    Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

    EndpointPublicAccess bool

    Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

    Fargate bool | FargateProfileArgs

    Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

    Gpu bool

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and nodeAmiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    InstanceProfileName string

    The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

    InstanceRole Role

    This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    InstanceRoles Role

    This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    InstanceType string

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    KubernetesServiceIpAddressRange string

    The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

    The block must meet the following requirements:

    • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
    • Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
    • Between /24 and /12.
    MaxSize int

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    MinSize int

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    Name string

    The cluster's physical resource name.

    If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

    See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

    NodeAmiId string

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: nodeAmiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    NodeAssociatePublicIpAddress bool

    Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    NodeGroupOptions ClusterNodeGroupOptionsArgs

    The common configuration settings for NodeGroups.

    NodePublicKey string

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    NodeRootVolumeEncrypted bool

    Encrypt the root block device of the nodes in the node group.

    NodeRootVolumeSize int

    The size in GiB of a cluster node's root volume. Defaults to 20.

    NodeSecurityGroupTags map[string]string

    The tags to apply to the default nodeSecurityGroup created by the cluster.

    Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

    NodeSubnetIds []string

    The subnets to use for worker nodes. Defaults to the value of subnetIds.

    NodeUserData string

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    PrivateSubnetIds []string

    The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

    ProviderCredentialOpts KubeconfigOptionsArgs

    The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

    This is required for certain auth scenarios. For example:

    • Creating and using a new AWS provider instance, or
    • Setting the AWS_PROFILE environment variable, or
    • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

    See for more details:

    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
    • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
    Proxy string

    The HTTP(S) proxy to use within a proxied environment.

    The proxy is used during cluster creation, and OIDC configuration.

    This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

    This option is required iff the proxy environment variables are not set.

    Format: ://: Auth Format: ://:@:

    Ex:

    • "http://proxy.example.com:3128"
    • "https://proxy.example.com"
    • "http://username:password@proxy.example.com:3128"
    PublicAccessCidrs []string

    Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

    PublicSubnetIds []string

    The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    RoleMappings []RoleMappingArgs

    Optional mappings from AWS IAM roles to Kubernetes users and groups.

    ServiceRole Role

    IAM Service Role for EKS to use to manage the cluster.

    SkipDefaultNodeGroup bool

    If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.

    StorageClasses string | map[string]StorageClassArgs

    An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    SubnetIds []string

    The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

    Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    Tags map[string]string

    Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

    UseDefaultVpcCni bool

    Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

    UserMappings []UserMappingArgs

    Optional mappings from AWS IAM users to Kubernetes users and groups.

    Version string

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    VpcCniOptions VpcCniOptionsArgs

    The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

    VpcId string

    The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

    clusterSecurityGroup SecurityGroup

    The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

    clusterSecurityGroupTags Map<String,String>

    The tags to apply to the cluster security group.

    clusterTags Map<String,String>

    The tags to apply to the EKS cluster.

    createOidcProvider Boolean

    Indicates whether an IAM OIDC Provider is created for the EKS cluster.

    The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

    See for more details:

    • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
    • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
    • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
    creationRoleProvider CreationRoleProvider

    The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

    defaultAddonsToRemove List<String>

    List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.

    desiredCapacity Integer

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    enabledClusterLogTypes List<String>

    Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

    encryptionConfigKeyArn String

    KMS Key ARN to use with the encryption configuration for the cluster.

    Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

    • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
    endpointPrivateAccess Boolean

    Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

    endpointPublicAccess Boolean

    Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

    fargate Boolean | FargateProfile

    Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

    gpu Boolean

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and nodeAmiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    instanceProfileName String

    The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

    instanceRole Role

    This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    instanceRoles List<Role>

    This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    instanceType String

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    kubernetesServiceIpAddressRange String

    The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

    The block must meet the following requirements:

    • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
    • Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
    • Between /24 and /12.
    maxSize Integer

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    minSize Integer

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    name String

    The cluster's physical resource name.

    If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

    See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

    nodeAmiId String

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: nodeAmiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    nodeAssociatePublicIpAddress Boolean

    Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    nodeGroupOptions ClusterNodeGroupOptions

    The common configuration settings for NodeGroups.

    nodePublicKey String

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    nodeRootVolumeEncrypted Boolean

    Encrypt the root block device of the nodes in the node group.

    nodeRootVolumeSize Integer

    The size in GiB of a cluster node's root volume. Defaults to 20.

    nodeSecurityGroupTags Map<String,String>

    The tags to apply to the default nodeSecurityGroup created by the cluster.

    Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

    nodeSubnetIds List<String>

    The subnets to use for worker nodes. Defaults to the value of subnetIds.

    nodeUserData String

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    privateSubnetIds List<String>

    The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

    providerCredentialOpts KubeconfigOptions

    The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

    This is required for certain auth scenarios. For example:

    • Creating and using a new AWS provider instance, or
    • Setting the AWS_PROFILE environment variable, or
    • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

    See for more details:

    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
    • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
    proxy String

    The HTTP(S) proxy to use within a proxied environment.

    The proxy is used during cluster creation, and OIDC configuration.

    This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

    This option is required iff the proxy environment variables are not set.

    Format: ://: Auth Format: ://:@:

    Ex:

    • "http://proxy.example.com:3128"
    • "https://proxy.example.com"
    • "http://username:password@proxy.example.com:3128"
    publicAccessCidrs List<String>

    Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

    publicSubnetIds List<String>

    The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    roleMappings List<RoleMapping>

    Optional mappings from AWS IAM roles to Kubernetes users and groups.

    serviceRole Role

    IAM Service Role for EKS to use to manage the cluster.

    skipDefaultNodeGroup Boolean

    If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.

    storageClasses String | Map<String,StorageClassArgs>

    An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    subnetIds List<String>

    The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

    Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    tags Map<String,String>

    Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

    useDefaultVpcCni Boolean

    Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

    userMappings List<UserMapping>

    Optional mappings from AWS IAM users to Kubernetes users and groups.

    version String

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    vpcCniOptions VpcCniOptions

    The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

    vpcId String

    The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

    clusterSecurityGroup pulumiAwsec2SecurityGroup

    The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

    clusterSecurityGroupTags {[key: string]: string}

    The tags to apply to the cluster security group.

    clusterTags {[key: string]: string}

    The tags to apply to the EKS cluster.

    createOidcProvider boolean

    Indicates whether an IAM OIDC Provider is created for the EKS cluster.

    The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

    See for more details:

    • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
    • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
    • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
    creationRoleProvider CreationRoleProvider

    The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

    defaultAddonsToRemove string[]

    List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.

    desiredCapacity number

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    enabledClusterLogTypes string[]

    Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

    encryptionConfigKeyArn string

    KMS Key ARN to use with the encryption configuration for the cluster.

    Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

    • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
    endpointPrivateAccess boolean

    Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

    endpointPublicAccess boolean

    Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

    fargate boolean | FargateProfile

    Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

    gpu boolean

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and nodeAmiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    instanceProfileName string

    The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

    instanceRole pulumiAwsiamRole

    This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    instanceRoles pulumiAwsiamRole[]

    This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    instanceType string

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    kubernetesServiceIpAddressRange string

    The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

    The block must meet the following requirements:

    • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
    • Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
    • Between /24 and /12.
    maxSize number

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    minSize number

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    name string

    The cluster's physical resource name.

    If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

    See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

    nodeAmiId string

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: nodeAmiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    nodeAssociatePublicIpAddress boolean

    Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    nodeGroupOptions ClusterNodeGroupOptions

    The common configuration settings for NodeGroups.

    nodePublicKey string

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    nodeRootVolumeEncrypted boolean

    Encrypt the root block device of the nodes in the node group.

    nodeRootVolumeSize number

    The size in GiB of a cluster node's root volume. Defaults to 20.

    nodeSecurityGroupTags {[key: string]: string}

    The tags to apply to the default nodeSecurityGroup created by the cluster.

    Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

    nodeSubnetIds string[]

    The subnets to use for worker nodes. Defaults to the value of subnetIds.

    nodeUserData string

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    privateSubnetIds string[]

    The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

    providerCredentialOpts KubeconfigOptions

    The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

    This is required for certain auth scenarios. For example:

    • Creating and using a new AWS provider instance, or
    • Setting the AWS_PROFILE environment variable, or
    • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

    See for more details:

    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
    • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
    proxy string

    The HTTP(S) proxy to use within a proxied environment.

    The proxy is used during cluster creation, and OIDC configuration.

    This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

    This option is required iff the proxy environment variables are not set.

    Format: ://: Auth Format: ://:@:

    Ex:

    • "http://proxy.example.com:3128"
    • "https://proxy.example.com"
    • "http://username:password@proxy.example.com:3128"
    publicAccessCidrs string[]

    Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

    publicSubnetIds string[]

    The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    roleMappings RoleMapping[]

    Optional mappings from AWS IAM roles to Kubernetes users and groups.

    serviceRole pulumiAwsiamRole

    IAM Service Role for EKS to use to manage the cluster.

    skipDefaultNodeGroup boolean

    If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.

    storageClasses string | {[key: string]: StorageClassArgs}

    An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    subnetIds string[]

    The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

    Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    tags {[key: string]: string}

    Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

    useDefaultVpcCni boolean

    Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

    userMappings UserMapping[]

    Optional mappings from AWS IAM users to Kubernetes users and groups.

    version string

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    vpcCniOptions VpcCniOptions

    The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

    vpcId string

    The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

    cluster_security_group SecurityGroup

    The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

    cluster_security_group_tags Mapping[str, str]

    The tags to apply to the cluster security group.

    cluster_tags Mapping[str, str]

    The tags to apply to the EKS cluster.

    create_oidc_provider bool

    Indicates whether an IAM OIDC Provider is created for the EKS cluster.

    The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

    See for more details:

    • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
    • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
    • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
    creation_role_provider CreationRoleProviderArgs

    The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

    default_addons_to_remove Sequence[str]

    List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.

    desired_capacity int

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    enabled_cluster_log_types Sequence[str]

    Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

    encryption_config_key_arn str

    KMS Key ARN to use with the encryption configuration for the cluster.

    Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

    • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
    endpoint_private_access bool

    Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

    endpoint_public_access bool

    Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

    fargate bool | FargateProfileArgs

    Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

    gpu bool

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and nodeAmiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    instance_profile_name str

    The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

    instance_role Role

    This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    instance_roles Role]

    This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    instance_type str

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    kubernetes_service_ip_address_range str

    The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

    The block must meet the following requirements:

    • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
    • Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
    • Between /24 and /12.
    max_size int

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    min_size int

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    name str

    The cluster's physical resource name.

    If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

    See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

    node_ami_id str

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: nodeAmiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    node_associate_public_ip_address bool

    Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    node_group_options ClusterNodeGroupOptionsArgs

    The common configuration settings for NodeGroups.

    node_public_key str

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    node_root_volume_encrypted bool

    Encrypt the root block device of the nodes in the node group.

    node_root_volume_size int

    The size in GiB of a cluster node's root volume. Defaults to 20.

    node_security_group_tags Mapping[str, str]

    The tags to apply to the default nodeSecurityGroup created by the cluster.

    Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

    node_subnet_ids Sequence[str]

    The subnets to use for worker nodes. Defaults to the value of subnetIds.

    node_user_data str

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    private_subnet_ids Sequence[str]

    The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

    provider_credential_opts KubeconfigOptionsArgs

    The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

    This is required for certain auth scenarios. For example:

    • Creating and using a new AWS provider instance, or
    • Setting the AWS_PROFILE environment variable, or
    • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

    See for more details:

    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
    • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
    proxy str

    The HTTP(S) proxy to use within a proxied environment.

    The proxy is used during cluster creation, and OIDC configuration.

    This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

    This option is required iff the proxy environment variables are not set.

    Format: ://: Auth Format: ://:@:

    Ex:

    • "http://proxy.example.com:3128"
    • "https://proxy.example.com"
    • "http://username:password@proxy.example.com:3128"
    public_access_cidrs Sequence[str]

    Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

    public_subnet_ids Sequence[str]

    The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    role_mappings Sequence[RoleMappingArgs]

    Optional mappings from AWS IAM roles to Kubernetes users and groups.

    service_role Role

    IAM Service Role for EKS to use to manage the cluster.

    skip_default_node_group bool

    If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.

    storage_classes str | Mapping[str, StorageClassArgs]

    An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    subnet_ids Sequence[str]

    The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

    Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    tags Mapping[str, str]

    Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

    use_default_vpc_cni bool

    Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

    user_mappings Sequence[UserMappingArgs]

    Optional mappings from AWS IAM users to Kubernetes users and groups.

    version str

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    vpc_cni_options VpcCniOptionsArgs

    The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

    vpc_id str

    The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

    clusterSecurityGroup aws:ec2:SecurityGroup

    The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.

    clusterSecurityGroupTags Map<String>

    The tags to apply to the cluster security group.

    clusterTags Map<String>

    The tags to apply to the EKS cluster.

    createOidcProvider Boolean

    Indicates whether an IAM OIDC Provider is created for the EKS cluster.

    The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.

    See for more details:

    • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
    • https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
    • https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
    creationRoleProvider Property Map

    The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given [system:masters] permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

    defaultAddonsToRemove List<String>

    List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.

    desiredCapacity Number

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    enabledClusterLogTypes List<String>

    Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.

    encryptionConfigKeyArn String

    KMS Key ARN to use with the encryption configuration for the cluster.

    Only available on Kubernetes 1.13+ clusters created after March 6, 2020. See for more details:

    • https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
    endpointPrivateAccess Boolean

    Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is false.

    endpointPublicAccess Boolean

    Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true.

    fargate Boolean | Property Map

    Add support for launching pods in Fargate. Defaults to launching pods in the default namespace. If specified, the default node group is skipped as though skipDefaultNodeGroup: true had been passed.

    gpu Boolean

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and nodeAmiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    instanceProfileName String

    The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.

    instanceRole aws:iam:Role

    This enables the simple case of only registering a single IAM instance role with the cluster, that is required to be shared by all node groups in their instance profiles.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    instanceRoles List<aws:iam:Role>

    This enables the advanced case of registering many IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of instanceRole.

    Note: options instanceRole and instanceRoles are mutually exclusive.

    instanceType String

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    kubernetesServiceIpAddressRange String

    The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.

    The block must meet the following requirements:

    • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
    • Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
    • Between /24 and /12.
    maxSize Number

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    minSize Number

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    name String

    The cluster's physical resource name.

    If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format ${name}-eksCluster-0123abcd.

    See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming

    nodeAmiId String

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: nodeAmiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    nodeAssociatePublicIpAddress Boolean

    Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    nodeGroupOptions Property Map

    The common configuration settings for NodeGroups.

    nodePublicKey String

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    nodeRootVolumeEncrypted Boolean

    Encrypt the root block device of the nodes in the node group.

    nodeRootVolumeSize Number

    The size in GiB of a cluster node's root volume. Defaults to 20.

    nodeSecurityGroupTags Map<String>

    The tags to apply to the default nodeSecurityGroup created by the cluster.

    Note: The nodeSecurityGroupTags option and the node group option nodeSecurityGroup are mutually exclusive.

    nodeSubnetIds List<String>

    The subnets to use for worker nodes. Defaults to the value of subnetIds.

    nodeUserData String

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    privateSubnetIds List<String>

    The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    Also consider setting nodeAssociatePublicIpAddress: false for fully private workers.

    providerCredentialOpts Property Map

    The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.

    This is required for certain auth scenarios. For example:

    • Creating and using a new AWS provider instance, or
    • Setting the AWS_PROFILE environment variable, or
    • Using a named profile configured on the AWS provider via: pulumi config set aws:profile <profileName>

    See for more details:

    • https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/#Provider
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
    • https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
    • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
    proxy String

    The HTTP(S) proxy to use within a proxied environment.

    The proxy is used during cluster creation, and OIDC configuration.

    This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.

    This option is required iff the proxy environment variables are not set.

    Format: ://: Auth Format: ://:@:

    Ex:

    • "http://proxy.example.com:3128"
    • "https://proxy.example.com"
    • "http://username:password@proxy.example.com:3128"
    publicAccessCidrs List<String>

    Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.

    publicSubnetIds List<String>

    The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    Worker network architecture options:

    • Private-only: Only set privateSubnetIds.
      • Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
    • Public-only: Only set publicSubnetIds.
      • Default workers to run in a public subnet.
    • Mixed (recommended): Set both privateSubnetIds and publicSubnetIds.
      • Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    roleMappings List<Property Map>

    Optional mappings from AWS IAM roles to Kubernetes users and groups.

    serviceRole aws:iam:Role

    IAM Service Role for EKS to use to manage the cluster.

    skipDefaultNodeGroup Boolean

    If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless fargate input is provided.

    storageClasses String | Map<Property Map>

    An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    subnetIds List<String>

    The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.

    If vpcId is not set, the cluster will use the AWS account's default VPC subnets.

    If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.

    Note: The use of subnetIds, along with publicSubnetIds and/or privateSubnetIds is mutually exclusive. The use of publicSubnetIds and privateSubnetIds is encouraged.

    tags Map<String>

    Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.

    useDefaultVpcCni Boolean

    Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with vpcCniOptions.

    userMappings List<Property Map>

    Optional mappings from AWS IAM users to Kubernetes users and groups.

    version String

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    vpcCniOptions Property Map

    The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.

    vpcId String

    The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Cluster resource produces the following output properties:

    AwsProvider Pulumi.Aws.Provider

    The AWS resource provider.

    Core CoreData

    The EKS cluster and its dependencies.

    EksCluster Pulumi.Aws.Eks.Cluster

    The EKS cluster.

    EksClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule

    The ingress rule that gives node group access to cluster API server.

    Kubeconfig object

    A kubeconfig that can be used to connect to the EKS cluster.

    KubeconfigJson string

    A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

    NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

    The security group for the cluster's nodes.

    DefaultNodeGroup NodeGroupData

    The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

    AwsProvider Provider

    The AWS resource provider.

    Core CoreData

    The EKS cluster and its dependencies.

    EksCluster Cluster

    The EKS cluster.

    EksClusterIngressRule SecurityGroupRule

    The ingress rule that gives node group access to cluster API server.

    Kubeconfig interface{}

    A kubeconfig that can be used to connect to the EKS cluster.

    KubeconfigJson string

    A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

    NodeSecurityGroup SecurityGroup

    The security group for the cluster's nodes.

    DefaultNodeGroup NodeGroupData

    The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

    awsProvider Provider

    The AWS resource provider.

    core CoreData

    The EKS cluster and its dependencies.

    eksCluster Cluster

    The EKS cluster.

    eksClusterIngressRule SecurityGroupRule

    The ingress rule that gives node group access to cluster API server.

    kubeconfig Object

    A kubeconfig that can be used to connect to the EKS cluster.

    kubeconfigJson String

    A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

    nodeSecurityGroup SecurityGroup

    The security group for the cluster's nodes.

    defaultNodeGroup NodeGroupData

    The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

    awsProvider pulumiAwsProvider

    The AWS resource provider.

    core CoreData

    The EKS cluster and its dependencies.

    eksCluster pulumiAwseksCluster

    The EKS cluster.

    eksClusterIngressRule pulumiAwsec2SecurityGroupRule

    The ingress rule that gives node group access to cluster API server.

    kubeconfig any

    A kubeconfig that can be used to connect to the EKS cluster.

    kubeconfigJson string

    A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

    nodeSecurityGroup pulumiAwsec2SecurityGroup

    The security group for the cluster's nodes.

    defaultNodeGroup NodeGroupData

    The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

    aws_provider Provider

    The AWS resource provider.

    core CoreData

    The EKS cluster and its dependencies.

    eks_cluster Cluster

    The EKS cluster.

    eks_cluster_ingress_rule SecurityGroupRule

    The ingress rule that gives node group access to cluster API server.

    kubeconfig Any

    A kubeconfig that can be used to connect to the EKS cluster.

    kubeconfig_json str

    A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

    node_security_group SecurityGroup

    The security group for the cluster's nodes.

    default_node_group NodeGroupData

    The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

    awsProvider pulumi:providers:aws

    The AWS resource provider.

    core Property Map

    The EKS cluster and its dependencies.

    eksCluster aws:eks:Cluster

    The EKS cluster.

    eksClusterIngressRule aws:ec2:SecurityGroupRule

    The ingress rule that gives node group access to cluster API server.

    kubeconfig Any

    A kubeconfig that can be used to connect to the EKS cluster.

    kubeconfigJson String

    A kubeconfig that can be used to connect to the EKS cluster as a JSON string.

    nodeSecurityGroup aws:ec2:SecurityGroup

    The security group for the cluster's nodes.

    defaultNodeGroup Property Map

    The default Node Group configuration, or undefined if skipDefaultNodeGroup was specified.

    Cluster Resource Methods

    GetKubeconfig Method

    Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in KubeconfigOptions.

    The kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
    • https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
    • https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

    Using GetKubeconfig

    getKubeconfig(args?: Cluster.GetKubeconfigArgs): Output<Cluster.GetKubeconfigResult>
    def get_kubeconfig(self,
                       profile_name: Optional[pulumi.Input[str]] = None,
                       role_arn: Optional[pulumi.Input[str]] = None) -> Output[str]
    func (r *Cluster) GetKubeconfig(ctx *Context, args *ClusterGetKubeconfigArgs) (pulumi.StringOutput, error)
    public Output<string> GetKubeconfig(Cluster.GetKubeconfigArgs? args)

    The following arguments are supported:

    ProfileName string

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    RoleArn string

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    ProfileName string

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    RoleArn string

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    profileName String

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    roleArn String

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    profileName string

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    roleArn string

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    profile_name str

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    role_arn str

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    profileName String

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    roleArn String

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    GetKubeconfig Result

    Result string
    Result string
    result String
    result string
    result str
    result String

    Supporting Types

    ClusterNodeGroupOptions, ClusterNodeGroupOptionsArgs

    AmiId string

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: amiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    AmiType string

    The AMI Type to use for the worker nodes.

    Only applicable when setting an AMI ID that is of type arm64.

    Note: amiType and gpu are mutually exclusive.

    AutoScalingGroupTags Dictionary<string, string>

    The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

    Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    BootstrapExtraArgs string

    Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

    CloudFormationTags Dictionary<string, string>

    The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    ClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule

    The ingress rule that gives node group access.

    DesiredCapacity int

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    EncryptRootBlockDevice bool

    Encrypt the root block device of the nodes in the node group.

    ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

    Extra security groups to attach on all nodes in this worker node group.

    This additional set of security groups captures any user application rules that will be needed for the nodes.

    Gpu bool

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and amiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    InstanceProfile Pulumi.Aws.Iam.InstanceProfile

    The ingress rule that gives node group access.

    InstanceType string

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    KeyName string

    Name of the key pair to use for SSH access to worker nodes.

    KubeletExtraArgs string

    Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

    Labels Dictionary<string, string>

    Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

    MaxSize int

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    MinSize int

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    NodeAssociatePublicIpAddress bool

    Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    NodePublicKey string

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    NodeRootVolumeSize int

    The size in GiB of a cluster node's root volume. Defaults to 20.

    NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

    The security group for the worker node group to communicate with the cluster.

    This security group requires specific inbound and outbound rules.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

    Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

    NodeSubnetIds List<string>

    The set of subnets to override and use for the worker node group.

    Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

    NodeUserData string

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    NodeUserDataOverride string

    User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

    SpotPrice string

    Bidding price for spot instance. If set, only spot instances will be added as worker node.

    Taints Dictionary<string, Taint>

    Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

    Version string

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    AmiId string

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: amiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    AmiType string

    The AMI Type to use for the worker nodes.

    Only applicable when setting an AMI ID that is of type arm64.

    Note: amiType and gpu are mutually exclusive.

    AutoScalingGroupTags map[string]string

    The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

    Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    BootstrapExtraArgs string

    Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

    CloudFormationTags map[string]string

    The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    ClusterIngressRule SecurityGroupRule

    The ingress rule that gives node group access.

    DesiredCapacity int

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    EncryptRootBlockDevice bool

    Encrypt the root block device of the nodes in the node group.

    ExtraNodeSecurityGroups SecurityGroup

    Extra security groups to attach on all nodes in this worker node group.

    This additional set of security groups captures any user application rules that will be needed for the nodes.

    Gpu bool

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and amiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    InstanceProfile InstanceProfile

    The ingress rule that gives node group access.

    InstanceType string

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    KeyName string

    Name of the key pair to use for SSH access to worker nodes.

    KubeletExtraArgs string

    Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

    Labels map[string]string

    Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

    MaxSize int

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    MinSize int

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    NodeAssociatePublicIpAddress bool

    Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    NodePublicKey string

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    NodeRootVolumeSize int

    The size in GiB of a cluster node's root volume. Defaults to 20.

    NodeSecurityGroup SecurityGroup

    The security group for the worker node group to communicate with the cluster.

    This security group requires specific inbound and outbound rules.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

    Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

    NodeSubnetIds []string

    The set of subnets to override and use for the worker node group.

    Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

    NodeUserData string

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    NodeUserDataOverride string

    User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

    SpotPrice string

    Bidding price for spot instance. If set, only spot instances will be added as worker node.

    Taints map[string]Taint

    Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

    Version string

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    amiId String

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: amiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    amiType String

    The AMI Type to use for the worker nodes.

    Only applicable when setting an AMI ID that is of type arm64.

    Note: amiType and gpu are mutually exclusive.

    autoScalingGroupTags Map<String,String>

    The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

    Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    bootstrapExtraArgs String

    Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

    cloudFormationTags Map<String,String>

    The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    clusterIngressRule SecurityGroupRule

    The ingress rule that gives node group access.

    desiredCapacity Integer

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    encryptRootBlockDevice Boolean

    Encrypt the root block device of the nodes in the node group.

    extraNodeSecurityGroups List<SecurityGroup>

    Extra security groups to attach on all nodes in this worker node group.

    This additional set of security groups captures any user application rules that will be needed for the nodes.

    gpu Boolean

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and amiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    instanceProfile InstanceProfile

    The ingress rule that gives node group access.

    instanceType String

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    keyName String

    Name of the key pair to use for SSH access to worker nodes.

    kubeletExtraArgs String

    Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

    labels Map<String,String>

    Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

    maxSize Integer

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    minSize Integer

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    nodeAssociatePublicIpAddress Boolean

    Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    nodePublicKey String

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    nodeRootVolumeSize Integer

    The size in GiB of a cluster node's root volume. Defaults to 20.

    nodeSecurityGroup SecurityGroup

    The security group for the worker node group to communicate with the cluster.

    This security group requires specific inbound and outbound rules.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

    Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

    nodeSubnetIds List<String>

    The set of subnets to override and use for the worker node group.

    Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

    nodeUserData String

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    nodeUserDataOverride String

    User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

    spotPrice String

    Bidding price for spot instance. If set, only spot instances will be added as worker node.

    taints Map<String,Taint>

    Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

    version String

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    amiId string

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: amiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    amiType string

    The AMI Type to use for the worker nodes.

    Only applicable when setting an AMI ID that is of type arm64.

    Note: amiType and gpu are mutually exclusive.

    autoScalingGroupTags {[key: string]: string}

    The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

    Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    bootstrapExtraArgs string

    Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

    cloudFormationTags {[key: string]: string}

    The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    clusterIngressRule pulumiAwsec2SecurityGroupRule

    The ingress rule that gives node group access.

    desiredCapacity number

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    encryptRootBlockDevice boolean

    Encrypt the root block device of the nodes in the node group.

    extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

    Extra security groups to attach on all nodes in this worker node group.

    This additional set of security groups captures any user application rules that will be needed for the nodes.

    gpu boolean

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and amiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    instanceProfile pulumiAwsiamInstanceProfile

    The ingress rule that gives node group access.

    instanceType string

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    keyName string

    Name of the key pair to use for SSH access to worker nodes.

    kubeletExtraArgs string

    Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

    labels {[key: string]: string}

    Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

    maxSize number

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    minSize number

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    nodeAssociatePublicIpAddress boolean

    Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    nodePublicKey string

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    nodeRootVolumeSize number

    The size in GiB of a cluster node's root volume. Defaults to 20.

    nodeSecurityGroup pulumiAwsec2SecurityGroup

    The security group for the worker node group to communicate with the cluster.

    This security group requires specific inbound and outbound rules.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

    Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

    nodeSubnetIds string[]

    The set of subnets to override and use for the worker node group.

    Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

    nodeUserData string

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    nodeUserDataOverride string

    User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

    spotPrice string

    Bidding price for spot instance. If set, only spot instances will be added as worker node.

    taints {[key: string]: Taint}

    Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

    version string

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    ami_id str

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: amiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    ami_type str

    The AMI Type to use for the worker nodes.

    Only applicable when setting an AMI ID that is of type arm64.

    Note: amiType and gpu are mutually exclusive.

    auto_scaling_group_tags Mapping[str, str]

    The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

    Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    bootstrap_extra_args str

    Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

    cloud_formation_tags Mapping[str, str]

    The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    cluster_ingress_rule SecurityGroupRule

    The ingress rule that gives node group access.

    desired_capacity int

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    encrypt_root_block_device bool

    Encrypt the root block device of the nodes in the node group.

    extra_node_security_groups SecurityGroup]

    Extra security groups to attach on all nodes in this worker node group.

    This additional set of security groups captures any user application rules that will be needed for the nodes.

    gpu bool

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and amiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    instance_profile InstanceProfile

    The ingress rule that gives node group access.

    instance_type str

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    key_name str

    Name of the key pair to use for SSH access to worker nodes.

    kubelet_extra_args str

    Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

    labels Mapping[str, str]

    Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

    max_size int

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    min_size int

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    node_associate_public_ip_address bool

    Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    node_public_key str

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    node_root_volume_size int

    The size in GiB of a cluster node's root volume. Defaults to 20.

    node_security_group SecurityGroup

    The security group for the worker node group to communicate with the cluster.

    This security group requires specific inbound and outbound rules.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

    Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

    node_subnet_ids Sequence[str]

    The set of subnets to override and use for the worker node group.

    Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

    node_user_data str

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    node_user_data_override str

    User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

    spot_price str

    Bidding price for spot instance. If set, only spot instances will be added as worker node.

    taints Mapping[str, Taint]

    Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

    version str

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    amiId String

    The AMI ID to use for the worker nodes.

    Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

    Note: amiId and gpu are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
    amiType String

    The AMI Type to use for the worker nodes.

    Only applicable when setting an AMI ID that is of type arm64.

    Note: amiType and gpu are mutually exclusive.

    autoScalingGroupTags Map<String>

    The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

    Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    bootstrapExtraArgs String

    Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

    cloudFormationTags Map<String>

    The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

    Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

    clusterIngressRule aws:ec2:SecurityGroupRule

    The ingress rule that gives node group access.

    desiredCapacity Number

    The number of worker nodes that should be running in the cluster. Defaults to 2.

    encryptRootBlockDevice Boolean

    Encrypt the root block device of the nodes in the node group.

    extraNodeSecurityGroups List<aws:ec2:SecurityGroup>

    Extra security groups to attach on all nodes in this worker node group.

    This additional set of security groups captures any user application rules that will be needed for the nodes.

    gpu Boolean

    Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

    Defaults to false.

    Note: gpu and amiId are mutually exclusive.

    See for more details:

    • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
    • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
    instanceProfile aws:iam:InstanceProfile

    The ingress rule that gives node group access.

    instanceType String

    The instance type to use for the cluster's nodes. Defaults to "t2.medium".

    keyName String

    Name of the key pair to use for SSH access to worker nodes.

    kubeletExtraArgs String

    Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

    labels Map<String>

    Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

    maxSize Number

    The maximum number of worker nodes running in the cluster. Defaults to 2.

    minSize Number

    The minimum number of worker nodes running in the cluster. Defaults to 1.

    nodeAssociatePublicIpAddress Boolean

    Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

    nodePublicKey String

    Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

    nodeRootVolumeSize Number

    The size in GiB of a cluster node's root volume. Defaults to 20.

    nodeSecurityGroup aws:ec2:SecurityGroup

    The security group for the worker node group to communicate with the cluster.

    This security group requires specific inbound and outbound rules.

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

    Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive.

    nodeSubnetIds List<String>

    The set of subnets to override and use for the worker node group.

    Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

    nodeUserData String

    Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

    nodeUserDataOverride String

    User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

    See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

    spotPrice String

    Bidding price for spot instance. If set, only spot instances will be added as worker node.

    taints Map<Property Map>

    Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

    version String

    Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

    CoreData, CoreDataArgs

    Cluster Pulumi.Aws.Eks.Cluster
    ClusterIamRole Pulumi.Aws.Iam.Role

    The IAM Role attached to the EKS Cluster

    ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup
    Endpoint string
    InstanceRoles List<Pulumi.Aws.Iam.Role>
    NodeGroupOptions ClusterNodeGroupOptions
    Provider Pulumi.Kubernetes.Provider
    SubnetIds List<string>
    VpcId string
    AwsProvider Pulumi.Aws.Provider
    EksNodeAccess Pulumi.Kubernetes.Core.V1.ConfigMap
    EncryptionConfig Pulumi.Aws.Eks.Inputs.ClusterEncryptionConfig
    FargateProfile Pulumi.Aws.Eks.FargateProfile
    Kubeconfig object
    NodeSecurityGroupTags Dictionary<string, string>
    OidcProvider Pulumi.Aws.Iam.OpenIdConnectProvider
    PrivateSubnetIds List<string>
    PublicSubnetIds List<string>
    StorageClasses Dictionary<string, Pulumi.Kubernetes.Storage.V1.StorageClass>
    Tags Dictionary<string, string>
    VpcCni Pulumi.Eks.VpcCni
    Cluster Cluster
    ClusterIamRole Role

    The IAM Role attached to the EKS Cluster

    ClusterSecurityGroup SecurityGroup
    Endpoint string
    InstanceRoles Role
    NodeGroupOptions ClusterNodeGroupOptions
    Provider Provider
    SubnetIds []string
    VpcId string
    AwsProvider Provider
    EksNodeAccess ConfigMap
    EncryptionConfig ClusterEncryptionConfig
    FargateProfile FargateProfile
    Kubeconfig interface{}
    NodeSecurityGroupTags map[string]string
    OidcProvider OpenIdConnectProvider
    PrivateSubnetIds []string
    PublicSubnetIds []string
    StorageClasses StorageClass
    Tags map[string]string
    VpcCni VpcCni
    cluster Cluster
    clusterIamRole Role

    The IAM Role attached to the EKS Cluster

    clusterSecurityGroup SecurityGroup
    endpoint String
    instanceRoles List<Role>
    nodeGroupOptions ClusterNodeGroupOptions
    provider Provider
    subnetIds List<String>
    vpcId String
    awsProvider Provider
    eksNodeAccess ConfigMap
    encryptionConfig ClusterEncryptionConfig
    fargateProfile FargateProfile
    kubeconfig Object
    nodeSecurityGroupTags Map<String,String>
    oidcProvider OpenIdConnectProvider
    privateSubnetIds List<String>
    publicSubnetIds List<String>
    storageClasses Map<String,StorageClass>
    tags Map<String,String>
    vpcCni VpcCni
    cluster pulumiAwseksCluster
    clusterIamRole pulumiAwsiamRole

    The IAM Role attached to the EKS Cluster

    clusterSecurityGroup pulumiAwsec2SecurityGroup
    endpoint string
    instanceRoles pulumiAwsiamRole[]
    nodeGroupOptions ClusterNodeGroupOptions
    provider pulumiKubernetesProvider
    subnetIds string[]
    vpcId string
    awsProvider pulumiAwsProvider
    eksNodeAccess pulumiKubernetescorev1ConfigMap
    encryptionConfig pulumiAwstypesinputeksClusterEncryptionConfig
    fargateProfile pulumiAwseksFargateProfile
    kubeconfig any
    nodeSecurityGroupTags {[key: string]: string}
    oidcProvider pulumiAwsiamOpenIdConnectProvider
    privateSubnetIds string[]
    publicSubnetIds string[]
    storageClasses {[key: string]: pulumiKubernetesstoragev1StorageClass}
    tags {[key: string]: string}
    vpcCni VpcCni
    cluster Cluster
    cluster_iam_role Role

    The IAM Role attached to the EKS Cluster

    cluster_security_group SecurityGroup
    endpoint str
    instance_roles Role]
    node_group_options ClusterNodeGroupOptions
    provider Provider
    subnet_ids Sequence[str]
    vpc_id str
    aws_provider Provider
    eks_node_access ConfigMap
    encryption_config ClusterEncryptionConfigArgs
    fargate_profile FargateProfile
    kubeconfig Any
    node_security_group_tags Mapping[str, str]
    oidc_provider OpenIdConnectProvider
    private_subnet_ids Sequence[str]
    public_subnet_ids Sequence[str]
    storage_classes StorageClass]
    tags Mapping[str, str]
    vpc_cni VpcCni
    cluster aws:eks:Cluster
    clusterIamRole aws:iam:Role

    The IAM Role attached to the EKS Cluster

    clusterSecurityGroup aws:ec2:SecurityGroup
    endpoint String
    instanceRoles List<aws:iam:Role>
    nodeGroupOptions Property Map
    provider pulumi:providers:kubernetes
    subnetIds List<String>
    vpcId String
    awsProvider pulumi:providers:aws
    eksNodeAccess kubernetes:core/v1:ConfigMap
    encryptionConfig Property Map
    fargateProfile aws:eks:FargateProfile
    kubeconfig Any
    nodeSecurityGroupTags Map<String>
    oidcProvider aws:iam:OpenIdConnectProvider
    privateSubnetIds List<String>
    publicSubnetIds List<String>
    storageClasses Map<kubernetes:storage.k8s.io/v1:StorageClass>
    tags Map<String>
    vpcCni eks:VpcCni

    CreationRoleProvider, CreationRoleProviderArgs

    Provider Pulumi.Aws.Provider
    Role Pulumi.Aws.Iam.Role
    Provider Provider
    Role Role
    provider Provider
    role Role
    provider pulumiAwsProvider
    role pulumiAwsiamRole
    provider Provider
    role Role
    provider pulumi:providers:aws
    role aws:iam:Role

    FargateProfile, FargateProfileArgs

    PodExecutionRoleArn string

    Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

    Selectors List<Pulumi.Aws.Eks.Inputs.FargateProfileSelector>

    Specify the namespace and label selectors to use for launching pods into Fargate.

    SubnetIds List<string>

    Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

    PodExecutionRoleArn string

    Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

    Selectors FargateProfileSelector

    Specify the namespace and label selectors to use for launching pods into Fargate.

    SubnetIds []string

    Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

    podExecutionRoleArn String

    Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

    selectors List<FargateProfileSelector>

    Specify the namespace and label selectors to use for launching pods into Fargate.

    subnetIds List<String>

    Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

    podExecutionRoleArn string

    Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

    selectors pulumiAwstypesinputeksFargateProfileSelector[]

    Specify the namespace and label selectors to use for launching pods into Fargate.

    subnetIds string[]

    Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

    pod_execution_role_arn str

    Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

    selectors FargateProfileSelectorArgs]

    Specify the namespace and label selectors to use for launching pods into Fargate.

    subnet_ids Sequence[str]

    Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

    podExecutionRoleArn String

    Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy policy attached.

    selectors List<Property Map>

    Specify the namespace and label selectors to use for launching pods into Fargate.

    subnetIds List<String>

    Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster.

    KubeconfigOptions, KubeconfigOptionsArgs

    ProfileName string

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    RoleArn string

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    ProfileName string

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    RoleArn string

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    profileName String

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    roleArn String

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    profileName string

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    roleArn string

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    profile_name str

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    role_arn str

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    profileName String

    AWS credential profile name to always use instead of the default AWS credential provider chain.

    The profile is passed to kubeconfig as an authentication environment setting.

    roleArn String

    Role ARN to assume instead of the default AWS credential provider chain.

    The role is passed to kubeconfig as an authentication exec argument.

    NodeGroupData, NodeGroupDataArgs

    AutoScalingGroupName string

    The AutoScalingGroup name for the node group.

    CfnStack Pulumi.Aws.CloudFormation.Stack

    The CloudFormation Stack which defines the Node AutoScalingGroup.

    ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

    The additional security groups for the node group that captures user-specific rules.

    NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

    The security group for the node group to communicate with the cluster.

    AutoScalingGroupName string

    The AutoScalingGroup name for the node group.

    CfnStack Stack

    The CloudFormation Stack which defines the Node AutoScalingGroup.

    ExtraNodeSecurityGroups SecurityGroup

    The additional security groups for the node group that captures user-specific rules.

    NodeSecurityGroup SecurityGroup

    The security group for the node group to communicate with the cluster.

    autoScalingGroupName String

    The AutoScalingGroup name for the node group.

    cfnStack Stack

    The CloudFormation Stack which defines the Node AutoScalingGroup.

    extraNodeSecurityGroups List<SecurityGroup>

    The additional security groups for the node group that captures user-specific rules.

    nodeSecurityGroup SecurityGroup

    The security group for the node group to communicate with the cluster.

    autoScalingGroupName string

    The AutoScalingGroup name for the node group.

    cfnStack pulumiAwscloudformationStack

    The CloudFormation Stack which defines the Node AutoScalingGroup.

    extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

    The additional security groups for the node group that captures user-specific rules.

    nodeSecurityGroup pulumiAwsec2SecurityGroup

    The security group for the node group to communicate with the cluster.

    auto_scaling_group_name str

    The AutoScalingGroup name for the node group.

    cfn_stack Stack

    The CloudFormation Stack which defines the Node AutoScalingGroup.

    extra_node_security_groups SecurityGroup]

    The additional security groups for the node group that captures user-specific rules.

    node_security_group SecurityGroup

    The security group for the node group to communicate with the cluster.

    autoScalingGroupName String

    The AutoScalingGroup name for the node group.

    cfnStack aws:cloudformation:Stack

    The CloudFormation Stack which defines the Node AutoScalingGroup.

    extraNodeSecurityGroups List<aws:ec2:SecurityGroup>

    The additional security groups for the node group that captures user-specific rules.

    nodeSecurityGroup aws:ec2:SecurityGroup

    The security group for the node group to communicate with the cluster.

    RoleMapping, RoleMappingArgs

    Groups List<string>

    A list of groups within Kubernetes to which the role is mapped.

    RoleArn string

    The ARN of the IAM role to add.

    Username string

    The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

    Groups []string

    A list of groups within Kubernetes to which the role is mapped.

    RoleArn string

    The ARN of the IAM role to add.

    Username string

    The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

    groups List<String>

    A list of groups within Kubernetes to which the role is mapped.

    roleArn String

    The ARN of the IAM role to add.

    username String

    The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

    groups string[]

    A list of groups within Kubernetes to which the role is mapped.

    roleArn string

    The ARN of the IAM role to add.

    username string

    The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

    groups Sequence[str]

    A list of groups within Kubernetes to which the role is mapped.

    role_arn str

    The ARN of the IAM role to add.

    username str

    The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

    groups List<String>

    A list of groups within Kubernetes to which the role is mapped.

    roleArn String

    The ARN of the IAM role to add.

    username String

    The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.

    StorageClass, StorageClassArgs

    Type string

    The EBS volume type.

    AllowVolumeExpansion bool

    AllowVolumeExpansion shows whether the storage class allow volume expand.

    Default bool

    True if this storage class should be a default storage class for the cluster.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

    Encrypted bool

    Denotes whether the EBS volume should be encrypted.

    IopsPerGb int

    I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

    KmsKeyId string

    The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

    Metadata Pulumi.Kubernetes.Types.Inputs.Meta.V1.ObjectMeta

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

    MountOptions List<string>

    Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

    ReclaimPolicy string

    Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

    VolumeBindingMode string

    VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

    Zones List<string>

    The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.

    Type string

    The EBS volume type.

    AllowVolumeExpansion bool

    AllowVolumeExpansion shows whether the storage class allow volume expand.

    Default bool

    True if this storage class should be a default storage class for the cluster.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

    Encrypted bool

    Denotes whether the EBS volume should be encrypted.

    IopsPerGb int

    I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

    KmsKeyId string

    The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

    Metadata ObjectMeta

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

    MountOptions []string

    Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

    ReclaimPolicy string

    Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

    VolumeBindingMode string

    VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

    Zones []string

    The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.

    type String

    The EBS volume type.

    allowVolumeExpansion Boolean

    AllowVolumeExpansion shows whether the storage class allow volume expand.

    default_ Boolean

    True if this storage class should be a default storage class for the cluster.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

    encrypted Boolean

    Denotes whether the EBS volume should be encrypted.

    iopsPerGb Integer

    I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

    kmsKeyId String

    The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

    metadata ObjectMeta

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

    mountOptions List<String>

    Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

    reclaimPolicy String

    Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

    volumeBindingMode String

    VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

    zones List<String>

    The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.

    type string

    The EBS volume type.

    allowVolumeExpansion boolean

    AllowVolumeExpansion shows whether the storage class allow volume expand.

    default boolean

    True if this storage class should be a default storage class for the cluster.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

    encrypted boolean

    Denotes whether the EBS volume should be encrypted.

    iopsPerGb number

    I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

    kmsKeyId string

    The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

    metadata pulumiKubernetestypesinputmetav1ObjectMeta

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

    mountOptions string[]

    Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

    reclaimPolicy string

    Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

    volumeBindingMode string

    VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

    zones string[]

    The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.

    type str

    The EBS volume type.

    allow_volume_expansion bool

    AllowVolumeExpansion shows whether the storage class allow volume expand.

    default bool

    True if this storage class should be a default storage class for the cluster.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

    encrypted bool

    Denotes whether the EBS volume should be encrypted.

    iops_per_gb int

    I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

    kms_key_id str

    The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

    metadata ObjectMetaArgs

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

    mount_options Sequence[str]

    Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

    reclaim_policy str

    Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

    volume_binding_mode str

    VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

    zones Sequence[str]

    The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.

    type String

    The EBS volume type.

    allowVolumeExpansion Boolean

    AllowVolumeExpansion shows whether the storage class allow volume expand.

    default Boolean

    True if this storage class should be a default storage class for the cluster.

    Note: As of Kubernetes v1.11+ on EKS, a default gp2 storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html

    Please note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without storageClassName explicitly specified cannot be created. See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass

    encrypted Boolean

    Denotes whether the EBS volume should be encrypted.

    iopsPerGb Number

    I/O operations per second per GiB for "io1" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS.

    kmsKeyId String

    The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS.

    metadata Property Map

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

    mountOptions List<String>

    Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.

    reclaimPolicy String

    Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.

    volumeBindingMode String

    VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature.

    zones List<String>

    The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. zone and zones parameters must not be used at the same time.

    Taint, TaintArgs

    Effect string

    The effect of the taint.

    Value string

    The value of the taint.

    Effect string

    The effect of the taint.

    Value string

    The value of the taint.

    effect String

    The effect of the taint.

    value String

    The value of the taint.

    effect string

    The effect of the taint.

    value string

    The value of the taint.

    effect str

    The effect of the taint.

    value str

    The value of the taint.

    effect String

    The effect of the taint.

    value String

    The value of the taint.

    UserMapping, UserMappingArgs

    Groups List<string>

    A list of groups within Kubernetes to which the user is mapped to.

    UserArn string

    The ARN of the IAM user to add.

    Username string

    The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

    Groups []string

    A list of groups within Kubernetes to which the user is mapped to.

    UserArn string

    The ARN of the IAM user to add.

    Username string

    The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

    groups List<String>

    A list of groups within Kubernetes to which the user is mapped to.

    userArn String

    The ARN of the IAM user to add.

    username String

    The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

    groups string[]

    A list of groups within Kubernetes to which the user is mapped to.

    userArn string

    The ARN of the IAM user to add.

    username string

    The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

    groups Sequence[str]

    A list of groups within Kubernetes to which the user is mapped to.

    user_arn str

    The ARN of the IAM user to add.

    username str

    The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

    groups List<String>

    A list of groups within Kubernetes to which the user is mapped to.

    userArn String

    The ARN of the IAM user to add.

    username String

    The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.

    VpcCniOptions, VpcCniOptionsArgs

    CniConfigureRpfilter bool

    Specifies whether ipamd should configure rp filter for primary interface. Default is false.

    CniCustomNetworkCfg bool

    Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false

    CniExternalSnat bool

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false

    CustomNetworkConfig bool

    Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

    Defaults to false.

    DisableTcpEarlyDemux bool

    Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

    EnableIpv6 bool

    VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true. will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode, so ENABLE_PREFIX_DELEGATION needs to set to true if VPC CNI is configured to operate in IPv6 mode. Prefix delegation is only supported on nitro instances.

    EnablePodEni bool

    Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.

    EnablePrefixDelegation bool

    IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

    EniConfigLabelDef string

    Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

    Defaults to the official AWS CNI image in ECR.

    EniMtu int

    Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

    Defaults to 9001.

    ExternalSnat bool

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

    Defaults to false.

    Image string

    Specifies the container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI image in ECR.

    InitImage string

    Specifies the init container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI init container image in ECR.

    LogFile string

    Specifies the file path used for logs.

    Defaults to "stdout" to emit Pod logs for kubectl logs.

    LogLevel string

    Specifies the log level used for logs.

    Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

    NodePortSupport bool

    Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

    Defaults to true.

    SecurityContextPrivileged bool

    Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

    VethPrefix string

    Specifies the veth prefix used to generate the host-side veth device name for the CNI.

    The prefix can be at most 4 characters long.

    Defaults to "eni".

    WarmEniTarget int

    Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

    Defaults to 1.

    WarmIpTarget int

    Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

    WarmPrefixTarget int

    WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

    CniConfigureRpfilter bool

    Specifies whether ipamd should configure rp filter for primary interface. Default is false.

    CniCustomNetworkCfg bool

    Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false

    CniExternalSnat bool

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false

    CustomNetworkConfig bool

    Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

    Defaults to false.

    DisableTcpEarlyDemux bool

    Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

    EnableIpv6 bool

    VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true. will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode, so ENABLE_PREFIX_DELEGATION needs to set to true if VPC CNI is configured to operate in IPv6 mode. Prefix delegation is only supported on nitro instances.

    EnablePodEni bool

    Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.

    EnablePrefixDelegation bool

    IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

    EniConfigLabelDef string

    Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

    Defaults to the official AWS CNI image in ECR.

    EniMtu int

    Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

    Defaults to 9001.

    ExternalSnat bool

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

    Defaults to false.

    Image string

    Specifies the container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI image in ECR.

    InitImage string

    Specifies the init container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI init container image in ECR.

    LogFile string

    Specifies the file path used for logs.

    Defaults to "stdout" to emit Pod logs for kubectl logs.

    LogLevel string

    Specifies the log level used for logs.

    Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

    NodePortSupport bool

    Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

    Defaults to true.

    SecurityContextPrivileged bool

    Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

    VethPrefix string

    Specifies the veth prefix used to generate the host-side veth device name for the CNI.

    The prefix can be at most 4 characters long.

    Defaults to "eni".

    WarmEniTarget int

    Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

    Defaults to 1.

    WarmIpTarget int

    Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

    WarmPrefixTarget int

    WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

    cniConfigureRpfilter Boolean

    Specifies whether ipamd should configure rp filter for primary interface. Default is false.

    cniCustomNetworkCfg Boolean

    Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false

    cniExternalSnat Boolean

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false

    customNetworkConfig Boolean

    Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

    Defaults to false.

    disableTcpEarlyDemux Boolean

    Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

    enableIpv6 Boolean

    VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true. will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode, so ENABLE_PREFIX_DELEGATION needs to set to true if VPC CNI is configured to operate in IPv6 mode. Prefix delegation is only supported on nitro instances.

    enablePodEni Boolean

    Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.

    enablePrefixDelegation Boolean

    IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

    eniConfigLabelDef String

    Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

    Defaults to the official AWS CNI image in ECR.

    eniMtu Integer

    Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

    Defaults to 9001.

    externalSnat Boolean

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

    Defaults to false.

    image String

    Specifies the container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI image in ECR.

    initImage String

    Specifies the init container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI init container image in ECR.

    logFile String

    Specifies the file path used for logs.

    Defaults to "stdout" to emit Pod logs for kubectl logs.

    logLevel String

    Specifies the log level used for logs.

    Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

    nodePortSupport Boolean

    Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

    Defaults to true.

    securityContextPrivileged Boolean

    Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

    vethPrefix String

    Specifies the veth prefix used to generate the host-side veth device name for the CNI.

    The prefix can be at most 4 characters long.

    Defaults to "eni".

    warmEniTarget Integer

    Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

    Defaults to 1.

    warmIpTarget Integer

    Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

    warmPrefixTarget Integer

    WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

    cniConfigureRpfilter boolean

    Specifies whether ipamd should configure rp filter for primary interface. Default is false.

    cniCustomNetworkCfg boolean

    Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false

    cniExternalSnat boolean

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false

    customNetworkConfig boolean

    Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

    Defaults to false.

    disableTcpEarlyDemux boolean

    Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

    enableIpv6 boolean

    VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true. will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode, so ENABLE_PREFIX_DELEGATION needs to set to true if VPC CNI is configured to operate in IPv6 mode. Prefix delegation is only supported on nitro instances.

    enablePodEni boolean

    Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.

    enablePrefixDelegation boolean

    IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

    eniConfigLabelDef string

    Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

    Defaults to the official AWS CNI image in ECR.

    eniMtu number

    Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

    Defaults to 9001.

    externalSnat boolean

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

    Defaults to false.

    image string

    Specifies the container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI image in ECR.

    initImage string

    Specifies the init container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI init container image in ECR.

    logFile string

    Specifies the file path used for logs.

    Defaults to "stdout" to emit Pod logs for kubectl logs.

    logLevel string

    Specifies the log level used for logs.

    Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

    nodePortSupport boolean

    Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

    Defaults to true.

    securityContextPrivileged boolean

    Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

    vethPrefix string

    Specifies the veth prefix used to generate the host-side veth device name for the CNI.

    The prefix can be at most 4 characters long.

    Defaults to "eni".

    warmEniTarget number

    Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

    Defaults to 1.

    warmIpTarget number

    Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

    warmPrefixTarget number

    WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

    cni_configure_rpfilter bool

    Specifies whether ipamd should configure rp filter for primary interface. Default is false.

    cni_custom_network_cfg bool

    Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false

    cni_external_snat bool

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false

    custom_network_config bool

    Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

    Defaults to false.

    disable_tcp_early_demux bool

    Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

    enable_ipv6 bool

    VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true. will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode, so ENABLE_PREFIX_DELEGATION needs to set to true if VPC CNI is configured to operate in IPv6 mode. Prefix delegation is only supported on nitro instances.

    enable_pod_eni bool

    Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.

    enable_prefix_delegation bool

    IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

    eni_config_label_def str

    Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

    Defaults to the official AWS CNI image in ECR.

    eni_mtu int

    Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

    Defaults to 9001.

    external_snat bool

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

    Defaults to false.

    image str

    Specifies the container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI image in ECR.

    init_image str

    Specifies the init container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI init container image in ECR.

    log_file str

    Specifies the file path used for logs.

    Defaults to "stdout" to emit Pod logs for kubectl logs.

    log_level str

    Specifies the log level used for logs.

    Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

    node_port_support bool

    Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

    Defaults to true.

    security_context_privileged bool

    Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

    veth_prefix str

    Specifies the veth prefix used to generate the host-side veth device name for the CNI.

    The prefix can be at most 4 characters long.

    Defaults to "eni".

    warm_eni_target int

    Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

    Defaults to 1.

    warm_ip_target int

    Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

    warm_prefix_target int

    WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

    cniConfigureRpfilter Boolean

    Specifies whether ipamd should configure rp filter for primary interface. Default is false.

    cniCustomNetworkCfg Boolean

    Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is false

    cniExternalSnat Boolean

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is false

    customNetworkConfig Boolean

    Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's resourcesVpcConfig.

    Defaults to false.

    disableTcpEarlyDemux Boolean

    Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency.

    enableIpv6 Boolean

    VPC CNI can operate in either IPv4 or IPv6 mode. Setting ENABLE_IPv6 to true. will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode, so ENABLE_PREFIX_DELEGATION needs to set to true if VPC CNI is configured to operate in IPv6 mode. Prefix delegation is only supported on nitro instances.

    enablePodEni Boolean

    Specifies whether to allow IPAMD to add the vpc.amazonaws.com/has-trunk-attached label to the node if the instance has capacity to attach an additional ENI. Default is false. If using liveness and readiness probes, you will also need to disable TCP early demux.

    enablePrefixDelegation Boolean

    IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true.

    eniConfigLabelDef String

    Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))

    Defaults to the official AWS CNI image in ECR.

    eniMtu Number

    Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.

    Defaults to 9001.

    externalSnat Boolean

    Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.

    Defaults to false.

    image String

    Specifies the container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI image in ECR.

    initImage String

    Specifies the init container image to use in the AWS CNI cluster DaemonSet.

    Defaults to the official AWS CNI init container image in ECR.

    logFile String

    Specifies the file path used for logs.

    Defaults to "stdout" to emit Pod logs for kubectl logs.

    logLevel String

    Specifies the log level used for logs.

    Defaults to "DEBUG" Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL".

    nodePortSupport Boolean

    Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.

    Defaults to true.

    securityContextPrivileged Boolean

    Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default

    vethPrefix String

    Specifies the veth prefix used to generate the host-side veth device name for the CNI.

    The prefix can be at most 4 characters long.

    Defaults to "eni".

    warmEniTarget Number

    Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.

    Defaults to 1.

    warmIpTarget Number

    Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node.

    warmPrefixTarget Number

    WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md

    Package Details

    Repository
    Amazon EKS pulumi/pulumi-eks
    License
    Apache-2.0
    eks logo
    Amazon EKS v2.0.0 published on Thursday, Nov 9, 2023 by Pulumi