ClusterOptions

class aws_cdk.aws_eks.ClusterOptions(*, version, cluster_name=None, output_cluster_name=None, output_config_command=None, role=None, security_group=None, vpc=None, vpc_subnets=None, alb_controller=None, cluster_handler_environment=None, cluster_handler_security_group=None, core_dns_compute_type=None, endpoint_access=None, kubectl_environment=None, kubectl_layer=None, kubectl_memory=None, masters_role=None, on_event_layer=None, output_masters_role_arn=None, place_cluster_handler_in_vpc=None, prune=None, secrets_encryption_key=None, service_ipv4_cidr=None)

Bases: CommonClusterOptions

Options for EKS clusters.

Parameters:
  • version (KubernetesVersion) – The Kubernetes version to run in the cluster.

  • cluster_name (Optional[str]) – Name for the cluster. Default: - Automatically generated name

  • output_cluster_name (Optional[bool]) – Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false

  • output_config_command (Optional[bool]) – Determines whether a CloudFormation output with the aws eks update-kubeconfig command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true

  • role (Optional[IRole]) – Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you

  • security_group (Optional[ISecurityGroup]) – Security Group to use for Control Plane ENIs. Default: - A security group is automatically created

  • vpc (Optional[IVpc]) – The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through cluster.vpc.

  • vpc_subnets (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – Where to place EKS Control Plane ENIs. If you want to create public load balancers, this must include public subnets. For example, to only select private subnets, supply the following: vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_NAT }] Default: - All public and private subnets

  • alb_controller (Union[AlbControllerOptions, Dict[str, Any], None]) – Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.

  • cluster_handler_environment (Optional[Mapping[str, str]]) – Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.

  • cluster_handler_security_group (Optional[ISecurityGroup]) – A security group to associate with the Cluster Handler’s Lambdas. The Cluster Handler’s Lambdas are responsible for calling AWS’s EKS API. Requires placeClusterHandlerInVpc to be set to true. Default: - No security group.

  • core_dns_compute_type (Optional[CoreDnsComputeType]) – Controls the “eks.amazonaws.com/compute-type” annotation in the CoreDNS configuration on your cluster to determine which compute type to use for CoreDNS. Default: CoreDnsComputeType.EC2 (for FargateCluster the default is FARGATE)

  • endpoint_access (Optional[EndpointAccess]) – Configure access to the Kubernetes API server endpoint.. Default: EndpointAccess.PUBLIC_AND_PRIVATE

  • kubectl_environment (Optional[Mapping[str, str]]) – Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. Default: - No environment variables.

  • kubectl_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes kubectl, Helm and the AWS CLI. By default, the provider will use the layer included in the “aws-lambda-layer-kubectl” SAR application which is available in all commercial regions. To deploy the layer locally, visit https://github.com/aws-samples/aws-lambda-layer-kubectl/blob/master/cdk/README.md for instructions on how to prepare the .zip file and then define it in your app as follows:: const layer = new lambda.LayerVersion(this, ‘kubectl-layer’, { code: lambda.Code.fromAsset(${__dirname}/layer.zip), compatibleRuntimes: [lambda.Runtime.PROVIDED], }); Default: - the layer provided by the aws-lambda-layer-kubectl SAR app.

  • kubectl_memory (Optional[Size]) – Amount of memory to allocate to the provider’s lambda function. Default: Size.gibibytes(1)

  • masters_role (Optional[IRole]) – An IAM role that will be added to the system:masters Kubernetes RBAC group. Default: - a role that assumable by anyone with permissions in the same account will automatically be defined

  • on_event_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes the NPM dependency proxy-agent. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. By default, the provider will use the layer included in the “aws-lambda-layer-node-proxy-agent” SAR application which is available in all commercial regions. To deploy the layer locally define it in your app as follows:: const layer = new lambda.LayerVersion(this, ‘proxy-agent-layer’, { code: lambda.Code.fromAsset(${__dirname}/layer.zip), compatibleRuntimes: [lambda.Runtime.NODEJS_14_X], }); Default: - a layer bundled with this module.

  • output_masters_role_arn (Optional[bool]) – Determines whether a CloudFormation output with the ARN of the “masters” IAM role will be synthesized (if mastersRole is specified). Default: false

  • place_cluster_handler_in_vpc (Optional[bool]) – If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the vpcSubnets selection strategy. Default: false

  • prune (Optional[bool]) – Indicates whether Kubernetes resources added through addManifest() can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the kubectl apply operation with the --prune switch. Default: true

  • secrets_encryption_key (Optional[IKey]) – KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.

  • service_ipv4_cidr (Optional[str]) – The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
import aws_cdk.aws_ec2 as ec2
import aws_cdk.aws_eks as eks
import aws_cdk.aws_iam as iam
import aws_cdk.aws_kms as kms
import aws_cdk.aws_lambda as lambda_
import aws_cdk.core as cdk

# alb_controller_version: eks.AlbControllerVersion
# endpoint_access: eks.EndpointAccess
# key: kms.Key
# kubernetes_version: eks.KubernetesVersion
# layer_version: lambda.LayerVersion
# policy: Any
# role: iam.Role
# security_group: ec2.SecurityGroup
# size: cdk.Size
# subnet: ec2.Subnet
# subnet_filter: ec2.SubnetFilter
# vpc: ec2.Vpc

cluster_options = eks.ClusterOptions(
    version=kubernetes_version,

    # the properties below are optional
    alb_controller=eks.AlbControllerOptions(
        version=alb_controller_version,

        # the properties below are optional
        policy=policy,
        repository="repository"
    ),
    cluster_handler_environment={
        "cluster_handler_environment_key": "clusterHandlerEnvironment"
    },
    cluster_handler_security_group=security_group,
    cluster_name="clusterName",
    core_dns_compute_type=eks.CoreDnsComputeType.EC2,
    endpoint_access=endpoint_access,
    kubectl_environment={
        "kubectl_environment_key": "kubectlEnvironment"
    },
    kubectl_layer=layer_version,
    kubectl_memory=size,
    masters_role=role,
    on_event_layer=layer_version,
    output_cluster_name=False,
    output_config_command=False,
    output_masters_role_arn=False,
    place_cluster_handler_in_vpc=False,
    prune=False,
    role=role,
    secrets_encryption_key=key,
    security_group=security_group,
    service_ipv4_cidr="serviceIpv4Cidr",
    vpc=vpc,
    vpc_subnets=[ec2.SubnetSelection(
        availability_zones=["availabilityZones"],
        one_per_az=False,
        subnet_filters=[subnet_filter],
        subnet_group_name="subnetGroupName",
        subnet_name="subnetName",
        subnets=[subnet],
        subnet_type=ec2.SubnetType.ISOLATED
    )]
)

Attributes

alb_controller

Install the AWS Load Balancer Controller onto the cluster.

Default:
  • The controller is not installed.

See:

https://kubernetes-sigs.github.io/aws-load-balancer-controller

cluster_handler_environment

Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle.

Default:
  • No environment variables.

cluster_handler_security_group

A security group to associate with the Cluster Handler’s Lambdas.

The Cluster Handler’s Lambdas are responsible for calling AWS’s EKS API.

Requires placeClusterHandlerInVpc to be set to true.

Default:
  • No security group.

cluster_name

Name for the cluster.

Default:
  • Automatically generated name

core_dns_compute_type

Controls the “eks.amazonaws.com/compute-type” annotation in the CoreDNS configuration on your cluster to determine which compute type to use for CoreDNS.

Default:

CoreDnsComputeType.EC2 (for FargateCluster the default is FARGATE)

endpoint_access

Configure access to the Kubernetes API server endpoint..

Default:

EndpointAccess.PUBLIC_AND_PRIVATE

See:

https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html

kubectl_environment

Environment variables for the kubectl execution.

Only relevant for kubectl enabled clusters.

Default:
  • No environment variables.

kubectl_layer

An AWS Lambda Layer which includes kubectl, Helm and the AWS CLI.

By default, the provider will use the layer included in the “aws-lambda-layer-kubectl” SAR application which is available in all commercial regions.

To deploy the layer locally, visit https://github.com/aws-samples/aws-lambda-layer-kubectl/blob/master/cdk/README.md for instructions on how to prepare the .zip file and then define it in your app as follows:

layer = lambda_.LayerVersion(self, "kubectl-layer",
    code=lambda_.Code.from_asset(f"{__dirname}/layer.zip"),
    compatible_runtimes=[lambda_.Runtime.PROVIDED]
)
Default:
  • the layer provided by the aws-lambda-layer-kubectl SAR app.

See:

https://github.com/aws-samples/aws-lambda-layer-kubectl

kubectl_memory

Amount of memory to allocate to the provider’s lambda function.

Default:

Size.gibibytes(1)

masters_role

An IAM role that will be added to the system:masters Kubernetes RBAC group.

Default:

  • a role that assumable by anyone with permissions in the same

account will automatically be defined

See:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

on_event_layer

An AWS Lambda Layer which includes the NPM dependency proxy-agent.

This layer is used by the onEvent handler to route AWS SDK requests through a proxy.

By default, the provider will use the layer included in the “aws-lambda-layer-node-proxy-agent” SAR application which is available in all commercial regions.

To deploy the layer locally define it in your app as follows:

layer = lambda_.LayerVersion(self, "proxy-agent-layer",
    code=lambda_.Code.from_asset(f"{__dirname}/layer.zip"),
    compatible_runtimes=[lambda_.Runtime.NODEJS_14_X]
)
Default:
  • a layer bundled with this module.

output_cluster_name

Determines whether a CloudFormation output with the name of the cluster will be synthesized.

Default:

false

output_config_command

Determines whether a CloudFormation output with the aws eks update-kubeconfig command will be synthesized.

This command will include the cluster name and, if applicable, the ARN of the masters IAM role.

Default:

true

output_masters_role_arn

Determines whether a CloudFormation output with the ARN of the “masters” IAM role will be synthesized (if mastersRole is specified).

Default:

false

place_cluster_handler_in_vpc

If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the vpcSubnets selection strategy.

Default:

false

prune

Indicates whether Kubernetes resources added through addManifest() can be automatically pruned.

When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the kubectl apply operation with the --prune switch.

Default:

true

role

Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf.

Default:
  • A role is automatically created for you

secrets_encryption_key

KMS secret for envelope encryption for Kubernetes secrets.

Default:

  • By default, Kubernetes stores all secret object data within etcd and

all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.

security_group

Security Group to use for Control Plane ENIs.

Default:
  • A security group is automatically created

service_ipv4_cidr

The CIDR block to assign Kubernetes service IP addresses from.

Default:

  • Kubernetes assigns addresses from either the

10.100.0.0/16 or 172.20.0.0/16 CIDR blocks

See:

https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-serviceIpv4Cidr

version

The Kubernetes version to run in the cluster.

vpc

The VPC in which to create the Cluster.

Default:
  • a VPC with default configuration will be created and can be accessed through cluster.vpc.

vpc_subnets

Where to place EKS Control Plane ENIs.

If you want to create public load balancers, this must include public subnets.

For example, to only select private subnets, supply the following:

vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_NAT }]

Default:
  • All public and private subnets