class Cluster (construct)
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.EKS.Cluster |
Java | software.amazon.awscdk.services.eks.Cluster |
Python | aws_cdk.aws_eks.Cluster |
TypeScript (source) | @aws-cdk/aws-eks » Cluster |
Implements: IConstruct, IConstruct, IDependable, IResource, ICluster, IConnectable
A Cluster represents a managed Kubernetes Service (EKS).
This is a fully managed cluster of API Servers (control-plane). The user is still required to create the worker nodes.
Example
```ts
declare const vpc: ec2.Vpc;
new eks.Cluster(this, 'HelloEKS', {
  version: eks.KubernetesVersion.V1_21,
  vpc,
  vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_NAT }],
});
```
Initializer
new Cluster(scope: Construct, id: string, props: ClusterProps)
Parameters
- scope: Construct — a Construct, most likely a cdk.Stack created.
- id: string — the id of the Construct to create.
- props: ClusterProps — properties in the IClusterProps interface.
Initiates an EKS Cluster with the supplied arguments.
Construct Props
Name | Type | Description |
---|---|---|
version | KubernetesVersion | The Kubernetes version to run in the cluster. |
albController? | AlbControllerOptions | Install the AWS Load Balancer Controller onto the cluster. |
clusterHandlerEnvironment? | { [string]: string } | Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. |
clusterHandlerSecurityGroup? | ISecurityGroup | A security group to associate with the Cluster Handler's Lambdas. |
clusterLogging? | ClusterLoggingTypes[] | The cluster log types which you want to enable. |
clusterName? | string | Name for the cluster. |
coreDnsComputeType? | CoreDnsComputeType | Controls the "eks.amazonaws.com/compute-type" annotation in the CoreDNS configuration on your cluster to determine which compute type to use for CoreDNS. |
defaultCapacity? | number | Number of instances to allocate as an initial capacity for this cluster. |
defaultCapacityInstance? | InstanceType | The instance type to use for the default capacity. |
defaultCapacityType? | DefaultCapacityType | The default capacity type for the cluster. |
endpointAccess? | EndpointAccess | Configure access to the Kubernetes API server endpoint. |
kubectlEnvironment? | { [string]: string } | Environment variables for the kubectl execution. |
kubectlLambdaRole? | IRole | The IAM role to pass to the Kubectl Lambda Handler. |
kubectlLayer? | ILayerVersion | An AWS Lambda Layer which includes kubectl, Helm and the AWS CLI. |
kubectlMemory? | Size | Amount of memory to allocate to the provider's lambda function. |
mastersRole? | IRole | An IAM role that will be added to the system:masters Kubernetes RBAC group. |
onEventLayer? | ILayerVersion | An AWS Lambda Layer which includes the NPM dependency proxy-agent. |
outputClusterName? | boolean | Determines whether a CloudFormation output with the name of the cluster will be synthesized. |
outputConfigCommand? | boolean | Determines whether a CloudFormation output with the aws eks update-kubeconfig command will be synthesized. |
outputMastersRoleArn? | boolean | Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if mastersRole is specified). |
placeClusterHandlerInVpc? | boolean | If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the vpcSubnets selection strategy. |
prune? | boolean | Indicates whether Kubernetes resources added through addManifest() can be automatically pruned. |
role? | IRole | Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. |
secretsEncryptionKey? | IKey | KMS secret for envelope encryption for Kubernetes secrets. |
securityGroup? | ISecurityGroup | Security Group to use for Control Plane ENIs. |
serviceIpv4Cidr? | string | The CIDR block to assign Kubernetes service IP addresses from. |
tags? | { [string]: string } | The tags assigned to the EKS cluster. |
vpc? | IVpc | The VPC in which to create the Cluster. |
vpcSubnets? | SubnetSelection[] | Where to place EKS Control Plane ENIs. |
version
Type: KubernetesVersion
The Kubernetes version to run in the cluster.
albController?
Type: AlbControllerOptions
(optional, default: The controller is not installed.)
Install the AWS Load Balancer Controller onto the cluster.
See also: https://kubernetes-sigs.github.io/aws-load-balancer-controller
clusterHandlerEnvironment?
Type: { [string]: string }
(optional, default: No environment variables.)
Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle.
clusterHandlerSecurityGroup?
Type: ISecurityGroup
(optional, default: No security group.)
A security group to associate with the Cluster Handler's Lambdas.
The Cluster Handler's Lambdas are responsible for calling AWS's EKS API.
Requires placeClusterHandlerInVpc to be set to true.
clusterLogging?
Type: ClusterLoggingTypes[]
(optional, default: none)
The cluster log types which you want to enable.
clusterName?
Type: string
(optional, default: Automatically generated name)
Name for the cluster.
coreDnsComputeType?
Type: CoreDnsComputeType
(optional, default: CoreDnsComputeType.EC2 (for FargateCluster the default is FARGATE))
Controls the "eks.amazonaws.com/compute-type" annotation in the CoreDNS configuration on your cluster to determine which compute type to use for CoreDNS.
defaultCapacity?
Type: number
(optional, default: 2)
Number of instances to allocate as an initial capacity for this cluster.
Instance type can be configured through defaultCapacityInstanceType, which defaults to m5.large.
Use cluster.addAutoScalingGroupCapacity to add additional customized capacity. Set this to 0 if you wish to avoid the initial capacity allocation.
defaultCapacityInstance?
Type: InstanceType
(optional, default: m5.large)
The instance type to use for the default capacity.
This will only be taken into account if defaultCapacity is > 0.
defaultCapacityType?
Type: DefaultCapacityType
(optional, default: NODEGROUP)
The default capacity type for the cluster.
endpointAccess?
Type: EndpointAccess
(optional, default: EndpointAccess.PUBLIC_AND_PRIVATE)
Configure access to the Kubernetes API server endpoint.
See also: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
kubectlEnvironment?
Type: { [string]: string }
(optional, default: No environment variables.)
Environment variables for the kubectl execution.
Only relevant for kubectl enabled clusters.
kubectlLambdaRole?
Type: IRole
(optional, default: Default Lambda IAM Execution Role)
The IAM role to pass to the Kubectl Lambda Handler.
kubectlLayer?
Type: ILayerVersion
(optional, default: the layer provided by the aws-lambda-layer-kubectl SAR app.)
An AWS Lambda Layer which includes kubectl, Helm and the AWS CLI.
By default, the provider will use the layer included in the "aws-lambda-layer-kubectl" SAR application which is available in all commercial regions.
To deploy the layer locally, visit https://github.com/aws-samples/aws-lambda-layer-kubectl/blob/master/cdk/README.md for instructions on how to prepare the .zip file and then define it in your app as follows:
```ts
const layer = new lambda.LayerVersion(this, 'kubectl-layer', {
  code: lambda.Code.fromAsset(`${__dirname}/layer.zip`),
  compatibleRuntimes: [lambda.Runtime.PROVIDED],
});
```
See also: https://github.com/aws-samples/aws-lambda-layer-kubectl
kubectlMemory?
Type: Size
(optional, default: Size.gibibytes(1))
Amount of memory to allocate to the provider's lambda function.
mastersRole?
Type: IRole
(optional, default: a role assumable by anyone with permissions in the same account will automatically be defined)
An IAM role that will be added to the system:masters Kubernetes RBAC group.
See also: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
onEventLayer?
Type: ILayerVersion
(optional, default: a layer bundled with this module.)
An AWS Lambda Layer which includes the NPM dependency proxy-agent.
This layer is used by the onEvent handler to route AWS SDK requests through a proxy.
By default, the provider will use the layer included in the "aws-lambda-layer-node-proxy-agent" SAR application which is available in all commercial regions.
To deploy the layer locally define it in your app as follows:
```ts
const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', {
  code: lambda.Code.fromAsset(`${__dirname}/layer.zip`),
  compatibleRuntimes: [lambda.Runtime.NODEJS_14_X],
});
```
outputClusterName?
Type: boolean
(optional, default: false)
Determines whether a CloudFormation output with the name of the cluster will be synthesized.
outputConfigCommand?
Type: boolean
(optional, default: true)
Determines whether a CloudFormation output with the aws eks update-kubeconfig command will be synthesized.
This command will include the cluster name and, if applicable, the ARN of the masters IAM role.
outputMastersRoleArn?
Type: boolean
(optional, default: false)
Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if mastersRole is specified).
placeClusterHandlerInVpc?
Type: boolean
(optional, default: false)
If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the vpcSubnets selection strategy.
prune?
Type: boolean
(optional, default: true)
Indicates whether Kubernetes resources added through addManifest() can be automatically pruned.
When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the kubectl apply operation with the --prune switch.
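As an added illustration of what label-based pruning does (this is not code from the CDK project), the plain TypeScript below injects a prune label into a constructed set of manifests and then computes what a kubectl apply --prune run scoped to that label would delete, including the case of an unlabelled object that must not be touched. The label key prefix example.cdk.eks/prune- is an assumption standing in for whatever label the construct actually allocates, and the ConfigMap and Secret objects are constructed sample input.

```typescript
// Added example; the label prefix is assumed, not the construct's real label.
interface K8sObject {
  apiVersion: string;
  kind: string;
  metadata: { name: string; namespace?: string; labels?: Record<string, string> };
  data?: Record<string, string>;
}

const PRUNE_LABEL_PREFIX = 'example.cdk.eks/prune-'; // assumption, illustrative only

// Allocate one label per addManifest() id and stamp it onto every resource of that manifest.
function injectPruneLabel(manifestId: string, resources: K8sObject[]): { label: string; resources: K8sObject[] } {
  const label = `${PRUNE_LABEL_PREFIX}${manifestId}`;
  const labelled = resources.map((r) => ({
    ...r,
    metadata: { ...r.metadata, labels: { ...(r.metadata.labels ?? {}), [label]: 'true' } },
  }));
  return { label, resources: labelled };
}

// Identity of an object as kubectl sees it: group/version, kind, namespace, name.
function objectKey(r: K8sObject): string {
  return `${r.apiVersion}/${r.kind}/${r.metadata.namespace ?? 'default'}/${r.metadata.name}`;
}

// Model of `kubectl apply --prune -l <label>=true`: apply everything in the new manifest and
// delete live objects that carry the label but are no longer in it. Objects without the label
// (other manifests, hand-made resources) are never candidates for deletion.
function planPrunedApply(label: string, desired: K8sObject[], live: K8sObject[]): { apply: string[]; prune: string[] } {
  const desiredKeys = desired.map(objectKey);
  const prune = live
    .filter((r) => r.metadata.labels?.[label] === 'true' && desiredKeys.indexOf(objectKey(r)) === -1)
    .map(objectKey);
  return { apply: desiredKeys, prune };
}

// Argument list kubectl would receive; the selector restricts pruning to objects this manifest owns.
function kubectlApplyArgs(label: string): string[] {
  return ['apply', '--prune', '-l', `${label}=true`, '-f', '-'];
}

// Constructed scenario: revision 1 of a manifest has two ConfigMaps, revision 2 drops one.
function demoPrune(): { apply: string[]; prune: string[]; untouched: string } {
  const cm = (name: string): K8sObject => ({
    apiVersion: 'v1', kind: 'ConfigMap', metadata: { name, namespace: 'default' }, data: { k: 'v' },
  });
  const rev1 = injectPruneLabel('AppConfig', [cm('app-a'), cm('app-b')]);
  const rev2 = injectPruneLabel('AppConfig', [cm('app-a')]);
  // Live cluster state: both revision-1 objects plus an unrelated, unlabelled Secret.
  const unrelated: K8sObject = { apiVersion: 'v1', kind: 'Secret', metadata: { name: 'db-creds', namespace: 'default' } };
  const live = [...rev1.resources, unrelated];
  const plan = planPrunedApply(rev2.label, rev2.resources, live);
  return { ...plan, untouched: objectKey(unrelated) };
}
```

Running demoPrune() yields a plan that applies app-a, prunes only app-b, and leaves db-creds alone; with prune set to false no label is injected and dropped resources would remain in the cluster until deleted by hand.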
role?
Type: IRole
(optional, default: A role is automatically created for you)
Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf.
secretsEncryptionKey?
Type: IKey
(optional, default: By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.)
KMS secret for envelope encryption for Kubernetes secrets.
securityGroup?
Type: ISecurityGroup
(optional, default: A security group is automatically created)
Security Group to use for Control Plane ENIs.
serviceIpv4Cidr?
Type: string
(optional, default: Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks)
The CIDR block to assign Kubernetes service IP addresses from.
tags?
Type: { [string]: string }
(optional, default: none)
The tags assigned to the EKS cluster.
vpc?
Type: IVpc
(optional, default: a VPC with default configuration will be created and can be accessed through cluster.vpc.)
The VPC in which to create the Cluster.
vpcSubnets?
Type: SubnetSelection[]
(optional, default: All public and private subnets)
Where to place EKS Control Plane ENIs.
If you want to create public load balancers, this must include public subnets.
For example, to only select private subnets, supply the following:
```ts
vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_NAT }]
```
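An added example, not part of the CDK documentation, that puts the security-relevant props above side by side: a weak configuration that relies on every documented default, and a hardened one, each checked by a small audit function. It uses plain TypeScript objects whose keys match the prop names on this page (string literals stand in for the eks.EndpointAccess, eks.ClusterLoggingTypes and ec2.SubnetType enums), so it runs without the CDK installed; the KMS key ARN and role ARN are constructed sample values.

```typescript
// Added example; plain objects mirror ClusterProps keys, enum members are string stand-ins.
type EndpointAccessKind = 'PUBLIC' | 'PUBLIC_AND_PRIVATE' | 'PRIVATE';
type ClusterLogType = 'API' | 'AUDIT' | 'AUTHENTICATOR' | 'CONTROLLER_MANAGER' | 'SCHEDULER';
type SubnetKind = 'PUBLIC' | 'PRIVATE_WITH_NAT' | 'PRIVATE_ISOLATED';

interface ClusterPropsShape {
  version: string;
  endpointAccess?: EndpointAccessKind;        // page default: PUBLIC_AND_PRIVATE
  clusterLogging?: ClusterLogType[];          // page default: none
  secretsEncryptionKey?: string;              // KMS key ARN; page default: disk-level etcd encryption only
  vpcSubnets?: { subnetType: SubnetKind }[];  // page default: all public and private subnets
  mastersRole?: string;                       // role ARN; page default: assumable by anyone in the account
  outputMastersRoleArn?: boolean;
}

interface Finding { prop: keyof ClusterPropsShape; severity: 'high' | 'medium' | 'low'; message: string }

function auditClusterProps(p: ClusterPropsShape): Finding[] {
  const out: Finding[] = [];
  const access = p.endpointAccess ?? 'PUBLIC_AND_PRIVATE';
  if (access !== 'PRIVATE') {
    out.push({ prop: 'endpointAccess', severity: 'high', message: `API server endpoint is ${access}; reachable from outside the VPC` });
  }
  const logs = p.clusterLogging ?? [];
  for (const t of ['AUDIT', 'AUTHENTICATOR'] as ClusterLogType[]) {
    if (logs.indexOf(t) === -1) out.push({ prop: 'clusterLogging', severity: 'medium', message: `${t} control-plane log type not enabled` });
  }
  if (!p.secretsEncryptionKey) {
    out.push({ prop: 'secretsEncryptionKey', severity: 'medium', message: 'no customer KMS key; Secrets get disk-level etcd encryption only' });
  }
  const subnets = p.vpcSubnets ?? [];
  if (subnets.length === 0 || subnets.some((s) => s.subnetType === 'PUBLIC')) {
    out.push({ prop: 'vpcSubnets', severity: 'low', message: 'control-plane ENIs may be placed in public subnets' });
  }
  if (!p.mastersRole) {
    out.push({ prop: 'mastersRole', severity: 'high', message: 'default masters role is assumable by anyone with permissions in the account' });
  }
  return out;
}

// Weak: relies on every documented default.
const weakProps: ClusterPropsShape = { version: '1.21' };

// Hardened: private endpoint, full control-plane logging, envelope encryption for Secrets,
// private subnets for the ENIs and an explicitly scoped masters role. ARNs are constructed samples.
const hardenedProps: ClusterPropsShape = {
  version: '1.21',
  endpointAccess: 'PRIVATE',
  clusterLogging: ['API', 'AUDIT', 'AUTHENTICATOR', 'CONTROLLER_MANAGER', 'SCHEDULER'],
  secretsEncryptionKey: 'arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID',
  vpcSubnets: [{ subnetType: 'PRIVATE_WITH_NAT' }],
  mastersRole: 'arn:aws:iam::111122223333:role/eks-admins',
  outputMastersRoleArn: false,
};

function demoAudit(): { weak: Finding[]; hardened: Finding[] } {
  return { weak: auditClusterProps(weakProps), hardened: auditClusterProps(hardenedProps) };
}
```

The weak object produces six findings and the hardened one none. The vpcSubnets rule is deliberately low severity: the page notes that public subnets must be included when public load balancers are wanted, so the finding is a prompt to confirm intent rather than a hard failure.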
Properties
Name | Type | Description |
---|---|---|
adminRole | Role | An IAM role with administrative permissions to create or update the cluster. |
awsAuth | AwsAuth | Lazily creates the AwsAuth resource, which manages AWS authentication mapping. |
clusterArn | string | The AWS generated ARN for the Cluster resource. |
clusterCertificateAuthorityData | string | The certificate-authority-data for your cluster. |
clusterEncryptionConfigKeyArn | string | Amazon Resource Name (ARN) or alias of the customer master key (CMK). |
clusterEndpoint | string | The endpoint URL for the Cluster. |
clusterName | string | The Name of the created EKS Cluster. |
clusterOpenIdConnectIssuer | string | If this cluster is kubectl-enabled, returns the OpenID Connect issuer. |
clusterOpenIdConnectIssuerUrl | string | If this cluster is kubectl-enabled, returns the OpenID Connect issuer url. |
clusterSecurityGroup | ISecurityGroup | The cluster security group that was created by Amazon EKS for the cluster. |
clusterSecurityGroupId | string | The id of the cluster security group that was created by Amazon EKS for the cluster. |
connections | Connections | Manages connection rules (Security Group Rules) for the cluster. |
env | ResourceEnvironment | The environment this resource belongs to. |
node | ConstructNode | The construct tree node associated with this construct. |
openIdConnectProvider | IOpenIdConnectProvider | An OpenIdConnectProvider resource associated with this cluster, and which can be used to link this cluster to AWS IAM. |
prune | boolean | Determines if Kubernetes resources can be pruned automatically. |
role | IRole | IAM role assumed by the EKS Control Plane. |
stack | Stack | The stack in which this resource is defined. |
vpc | IVpc | The VPC in which this Cluster was created. |
albController? | AlbController | The ALB Controller construct defined for this cluster. |
clusterHandlerSecurityGroup? | ISecurityGroup | A security group to associate with the Cluster Handler's Lambdas. |
defaultCapacity? | AutoScalingGroup | The auto scaling group that hosts the default capacity for this cluster. |
defaultNodegroup? | Nodegroup | The node group that hosts the default capacity for this cluster. |
kubectlEnvironment? | { [string]: string } | Custom environment variables when running kubectl against this cluster. |
kubectlLambdaRole? | IRole | An IAM role that can perform kubectl operations against this cluster. |
kubectlLayer? | ILayerVersion | The AWS Lambda layer that contains kubectl, helm and the AWS CLI. |
kubectlMemory? | Size | The amount of memory allocated to the kubectl provider's lambda function. |
kubectlPrivateSubnets? | ISubnet[] | Subnets to host the kubectl compute resources. |
kubectlRole? | IRole | An IAM role that can perform kubectl operations against this cluster. |
kubectlSecurityGroup? | ISecurityGroup | A security group to use for kubectl execution. |
onEventLayer? | ILayerVersion | The AWS Lambda layer that contains the NPM dependency proxy-agent. |
adminRole
Type: Role
An IAM role with administrative permissions to create or update the cluster.
This role also has system:masters permissions.
awsAuth
Type: AwsAuth
Lazily creates the AwsAuth resource, which manages AWS authentication mapping.
clusterArn
Type: string
The AWS generated ARN for the Cluster resource.
For example, arn:aws:eks:us-west-2:666666666666:cluster/prod
clusterCertificateAuthorityData
Type: string
The certificate-authority-data for your cluster.
clusterEncryptionConfigKeyArn
Type: string
Amazon Resource Name (ARN) or alias of the customer master key (CMK).
clusterEndpoint
Type: string
The endpoint URL for the Cluster.
This is the URL inside the kubeconfig file to use with kubectl.
For example, https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com
clusterName
Type: string
The Name of the created EKS Cluster.
clusterOpenIdConnectIssuer
Type: string
If this cluster is kubectl-enabled, returns the OpenID Connect issuer.
This is because the value can only be retrieved by the API and is not exposed by CloudFormation. If this cluster is not kubectl-enabled (i.e. uses the stock CfnCluster), this is undefined.
clusterOpenIdConnectIssuerUrl
Type: string
If this cluster is kubectl-enabled, returns the OpenID Connect issuer url.
This is because the value can only be retrieved by the API and is not exposed by CloudFormation. If this cluster is not kubectl-enabled (i.e. uses the stock CfnCluster), this is undefined.
clusterSecurityGroup
Type: ISecurityGroup
The cluster security group that was created by Amazon EKS for the cluster.
clusterSecurityGroupId
Type: string
The id of the cluster security group that was created by Amazon EKS for the cluster.
connections
Type: Connections
Manages connection rules (Security Group Rules) for the cluster.
env
Type: ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
node
Type: ConstructNode
The construct tree node associated with this construct.
openIdConnectProvider
Type: IOpenIdConnectProvider
An OpenIdConnectProvider resource associated with this cluster, and which can be used to link this cluster to AWS IAM.
A provider will only be defined if this property is accessed (lazy initialization).
prune
Type: boolean
Determines if Kubernetes resources can be pruned automatically.
role
Type: IRole
IAM role assumed by the EKS Control Plane.
stack
Type: Stack
The stack in which this resource is defined.
vpc
Type: IVpc
The VPC in which this Cluster was created.
albController?
Type: AlbController
(optional)
The ALB Controller construct defined for this cluster.
Will be undefined if albController wasn't configured.
clusterHandlerSecurityGroup?
Type: ISecurityGroup
(optional, default: No security group.)
A security group to associate with the Cluster Handler's Lambdas.
The Cluster Handler's Lambdas are responsible for calling AWS's EKS API.
Requires placeClusterHandlerInVpc to be set to true.
defaultCapacity?
Type: AutoScalingGroup
(optional)
The auto scaling group that hosts the default capacity for this cluster.
This will be undefined if the defaultCapacityType is not EC2, or if defaultCapacityType is EC2 but default capacity is set to 0.
defaultNodegroup?
Type: Nodegroup
(optional)
The node group that hosts the default capacity for this cluster.
This will be undefined if the defaultCapacityType is EC2, or if defaultCapacityType is NODEGROUP but default capacity is set to 0.
kubectlEnvironment?
Type: { [string]: string }
(optional)
Custom environment variables when running kubectl against this cluster.
kubectlLambdaRole?
Type: IRole
(optional, default: if not specified, the default role created by a lambda function will be used.)
An IAM role that can perform kubectl operations against this cluster.
The role should be mapped to the system:masters Kubernetes RBAC role.
This role is directly passed to the lambda handler that sends kubectl commands to the cluster.
kubectlLayer?
Type: ILayerVersion
(optional)
The AWS Lambda layer that contains kubectl, helm and the AWS CLI.
If undefined, a SAR app that contains this layer will be used.
kubectlMemory?
Type: Size
(optional)
The amount of memory allocated to the kubectl provider's lambda function.
kubectlPrivateSubnets?
Type: ISubnet[]
(optional, default: If not specified, the k8s endpoint is expected to be accessible publicly.)
Subnets to host the kubectl compute resources.
kubectlRole?
Type: IRole
(optional)
An IAM role that can perform kubectl operations against this cluster.
The role should be mapped to the system:masters Kubernetes RBAC role.
kubectlSecurityGroup?
Type: ISecurityGroup
(optional, default: If not specified, the k8s endpoint is expected to be accessible publicly.)
A security group to use for kubectl execution.
onEventLayer?
Type: ILayerVersion
(optional)
The AWS Lambda layer that contains the NPM dependency proxy-agent.
If undefined, a SAR app that contains this layer will be used.
Methods
Name | Description |
---|---|
addAutoScalingGroupCapacity(id, options) | Add nodes to this EKS cluster. |
addCdk8sChart(id, chart, options?) | Defines a CDK8s chart in this cluster. |
addFargateProfile(id, options) | Adds a Fargate profile to this cluster. |
addHelmChart(id, options) | Defines a Helm chart in this cluster. |
addManifest(id, ...manifest) | Defines a Kubernetes resource in this cluster. |
addNodegroupCapacity(id, options?) | Add managed nodegroup to this Amazon EKS cluster. |
addServiceAccount(id, options?) | Creates a new service account with corresponding IAM Role (IRSA). |
applyRemovalPolicy(policy) | Apply the given removal policy to this resource. |
connectAutoScalingGroupCapacity(autoScalingGroup, options) | Connect capacity in the form of an existing AutoScalingGroup to the EKS cluster. |
getIngressLoadBalancerAddress(ingressName, options?) | Fetch the load balancer address of an ingress backed by a load balancer. |
getServiceLoadBalancerAddress(serviceName, options?) | Fetch the load balancer address of a service of type 'LoadBalancer'. |
toString() | Returns a string representation of this construct. |
static fromClusterAttributes(scope, id, attrs) | Import an existing cluster. |
addAutoScalingGroupCapacity(id, options)
public addAutoScalingGroupCapacity(id: string, options: AutoScalingGroupCapacityOptions): AutoScalingGroup
Parameters
- id: string
- options: AutoScalingGroupCapacityOptions
Returns: AutoScalingGroup
Add nodes to this EKS cluster.
The nodes will automatically be configured with the right VPC and AMI for the instance type and Kubernetes version.
Note that if you specify updateType: RollingUpdate or updateType: ReplacingUpdate, your nodes might be replaced at deploy time without notice in case the recommended AMI for your machine image type has been updated by AWS.
The default behavior for updateType is None, which means only new instances will be launched using the new AMI.
Spot instances will be labeled lifecycle=Ec2Spot and tainted with PreferNoSchedule.
In addition, the spot interrupt handler daemon will be installed on all spot instances to handle EC2 Spot Instance Termination Notices.
addCdk8sChart(id, chart, options?)
public addCdk8sChart(id: string, chart: Construct, options?: KubernetesManifestOptions): KubernetesManifest
Parameters
- id: string — logical id of this chart.
- chart: Construct — the cdk8s chart.
- options: KubernetesManifestOptions
Returns: KubernetesManifest
Defines a CDK8s chart in this cluster.
addFargateProfile(id, options)
public addFargateProfile(id: string, options: FargateProfileOptions): FargateProfile
Parameters
- id: string — the id of this profile.
- options: FargateProfileOptions — profile options.
Returns: FargateProfile
Adds a Fargate profile to this cluster.
See also: https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html
addHelmChart(id, options)
public addHelmChart(id: string, options: HelmChartOptions): HelmChart
Parameters
- id: string — logical id of this chart.
- options: HelmChartOptions — options of this chart.
Returns: HelmChart
Defines a Helm chart in this cluster.
addManifest(id, ...manifest)
public addManifest(id: string, ...manifest: { [string]: any }[]): KubernetesManifest
Parameters
- id: string — logical id of this manifest.
- manifest: { [string]: any } — a list of Kubernetes resource specifications.
Returns: KubernetesManifest
Defines a Kubernetes resource in this cluster.
The manifest will be applied/deleted using kubectl as needed.
addNodegroupCapacity(id, options?)
public addNodegroupCapacity(id: string, options?: NodegroupOptions): Nodegroup
Parameters
- id: string — The ID of the nodegroup.
- options: NodegroupOptions — options for creating a new nodegroup.
Returns: Nodegroup
Add managed nodegroup to this Amazon EKS cluster.
This method will create a new managed nodegroup and add it to the cluster's capacity.
See also: https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html
addServiceAccount(id, options?)
public addServiceAccount(id: string, options?: ServiceAccountOptions): ServiceAccount
Parameters
- id: string
- options: ServiceAccountOptions
Returns: ServiceAccount
Creates a new service account with corresponding IAM Role (IRSA).
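The IRSA role that addServiceAccount creates is only as safe as the trust policy on it, which is what ties the role to the cluster's OpenID Connect provider (the openIdConnectProvider and clusterOpenIdConnectIssuerUrl properties above). The example below is added here and is not the construct's implementation: it builds that trust policy and the annotated ServiceAccount manifest from plain inputs, and includes the review check a defender wants, namely that every statement pins both the :aud and a concrete :sub condition so only one namespace/service-account pair can assume the role. The account id, issuer id and names are constructed placeholders.

```typescript
// Added example; not the construct's implementation. Sample ids and URLs are constructed.
interface IrsaBinding {
  accountId: string;
  clusterOpenIdConnectIssuerUrl: string; // value of the cluster property of the same name
  namespace: string;
  serviceAccountName: string;
}

interface TrustStatement {
  Effect: 'Allow';
  Principal: { Federated: string };
  Action: 'sts:AssumeRoleWithWebIdentity';
  Condition: { StringEquals: Record<string, string> };
}
interface TrustPolicy { Version: '2012-10-17'; Statement: TrustStatement[] }

// IAM condition keys use the issuer host and path without the https:// scheme.
function issuerKey(issuerUrl: string): string {
  return issuerUrl.replace(/^https:\/\//, '');
}

// Trust policy for the IRSA role: only tokens minted by this cluster's OIDC provider, with STS
// as the audience and exactly one namespace/service-account subject, may assume the role.
function irsaTrustPolicy(b: IrsaBinding): TrustPolicy {
  const issuer = issuerKey(b.clusterOpenIdConnectIssuerUrl);
  const conditions: Record<string, string> = {};
  conditions[`${issuer}:aud`] = 'sts.amazonaws.com';
  conditions[`${issuer}:sub`] = `system:serviceaccount:${b.namespace}:${b.serviceAccountName}`;
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: `arn:aws:iam::${b.accountId}:oidc-provider/${issuer}` },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: { StringEquals: conditions },
    }],
  };
}

// The Kubernetes ServiceAccount pods run as; the annotation is what links it to the role.
function serviceAccountManifest(b: IrsaBinding, roleArn: string): { apiVersion: string; kind: string; metadata: { name: string; namespace: string; annotations: Record<string, string> } } {
  return {
    apiVersion: 'v1',
    kind: 'ServiceAccount',
    metadata: { name: b.serviceAccountName, namespace: b.namespace, annotations: { 'eks.amazonaws.com/role-arn': roleArn } },
  };
}

// Review check: every statement must pin :aud and a concrete :sub. A missing or wildcarded :sub
// would let other service accounts in the cluster present their projected token and assume the role.
function isScopedToOneServiceAccount(policy: TrustPolicy, issuerUrl: string): boolean {
  const issuer = issuerKey(issuerUrl);
  return policy.Statement.every((s) => {
    const sub = s.Condition.StringEquals[`${issuer}:sub`];
    const aud = s.Condition.StringEquals[`${issuer}:aud`];
    return aud === 'sts.amazonaws.com'
      && typeof sub === 'string'
      && sub.indexOf('system:serviceaccount:') === 0
      && sub.indexOf('*') === -1;
  });
}

// Constructed sample binding (account id, issuer id and names are placeholders).
const sampleBinding: IrsaBinding = {
  accountId: '111122223333',
  clusterOpenIdConnectIssuerUrl: 'https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE',
  namespace: 'payments',
  serviceAccountName: 's3-reader',
};

function demoIrsa(): { policy: TrustPolicy; scoped: boolean; wildcardPasses: boolean } {
  const policy = irsaTrustPolicy(sampleBinding);
  const scoped = isScopedToOneServiceAccount(policy, sampleBinding.clusterOpenIdConnectIssuerUrl);
  // A copy weakened the way over-broad policies often look: the :sub pinned to a whole namespace.
  const issuer = issuerKey(sampleBinding.clusterOpenIdConnectIssuerUrl);
  const loose: Record<string, string> = {};
  loose[`${issuer}:aud`] = 'sts.amazonaws.com';
  loose[`${issuer}:sub`] = 'system:serviceaccount:payments:*';
  const weak: TrustPolicy = { ...policy, Statement: [{ ...policy.Statement[0], Condition: { StringEquals: loose } }] };
  return { policy, scoped, wildcardPasses: isScopedToOneServiceAccount(weak, sampleBinding.clusterOpenIdConnectIssuerUrl) };
}
```

The generated policy passes the check and the wildcarded copy fails it; the same check can be run over trust policies pulled from IAM during a review of roles that carry the oidc-provider federated principal.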
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy: RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).
connectAutoScalingGroupCapacity(autoScalingGroup, options)
public connectAutoScalingGroupCapacity(autoScalingGroup: AutoScalingGroup, options: AutoScalingGroupOptions): void
Parameters
- autoScalingGroup: AutoScalingGroup
- options: AutoScalingGroupOptions — options for adding auto scaling groups, like customizing the bootstrap script.
Connect capacity in the form of an existing AutoScalingGroup to the EKS cluster.
The AutoScalingGroup must be running an EKS-optimized AMI containing the /etc/eks/bootstrap.sh script. This method will configure Security Groups, add the right policies to the instance role, apply the right tags, and add the required user data to the instance's launch configuration.
Spot instances will be labeled lifecycle=Ec2Spot and tainted with PreferNoSchedule.
If kubectl is enabled, the spot interrupt handler daemon will be installed on all spot instances to handle EC2 Spot Instance Termination Notices.
Prefer to use addAutoScalingGroupCapacity if possible.
See also: https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html
getIngressLoadBalancerAddress(ingressName, options?)
public getIngressLoadBalancerAddress(ingressName: string, options?: IngressLoadBalancerAddressOptions): string
Parameters
- ingressName: string — The name of the ingress.
- options: IngressLoadBalancerAddressOptions — Additional operation options.
Returns: string
Fetch the load balancer address of an ingress backed by a load balancer.
getServiceLoadBalancerAddress(serviceName, options?)
public getServiceLoadBalancerAddress(serviceName: string, options?: ServiceLoadBalancerAddressOptions): string
Parameters
- serviceName: string — The name of the service.
- options: ServiceLoadBalancerAddressOptions — Additional operation options.
Returns: string
Fetch the load balancer address of a service of type 'LoadBalancer'.
toString()
public toString(): string
Returns: string
Returns a string representation of this construct.
static fromClusterAttributes(scope, id, attrs)
public static fromClusterAttributes(scope: Construct, id: string, attrs: ClusterAttributes): ICluster
Parameters
- scope: Construct — the construct scope, in most cases 'this'.
- id: string — the id or name to import as.
- attrs: ClusterAttributes — the cluster properties to use for importing information.
Returns: ICluster
Import an existing cluster.