Cluster

class aws_cdk.aws_eks.Cluster(scope, id, *, bootstrap_cluster_creator_admin_permissions=None, default_capacity=None, default_capacity_instance=None, default_capacity_type=None, kubectl_lambda_role=None, tags=None, alb_controller=None, authentication_mode=None, awscli_layer=None, cluster_handler_environment=None, cluster_handler_security_group=None, cluster_logging=None, core_dns_compute_type=None, endpoint_access=None, ip_family=None, kubectl_environment=None, kubectl_layer=None, kubectl_memory=None, masters_role=None, on_event_layer=None, output_masters_role_arn=None, place_cluster_handler_in_vpc=None, prune=None, secrets_encryption_key=None, service_ipv4_cidr=None, version, cluster_name=None, output_cluster_name=None, output_config_command=None, role=None, security_group=None, vpc=None, vpc_subnets=None)

Bases: Resource

A Cluster represents a managed Kubernetes Service (EKS).

This is a fully managed cluster of API Servers (control-plane) The user is still required to create the worker nodes.

ExampleMetadata:

infused

Example:

# or
# vpc: ec2.Vpc
eks.Cluster(self, "MyCluster",
    kubectl_memory=Size.gibibytes(4),
    version=eks.KubernetesVersion.V1_31
)
eks.Cluster.from_cluster_attributes(self, "MyCluster",
    kubectl_memory=Size.gibibytes(4),
    vpc=vpc,
    cluster_name="cluster-name"
)

Initiates an EKS Cluster with the supplied arguments.

Parameters:
  • scope (Construct) – a Construct, most likely a cdk.Stack created.

  • id (str) – the id of the Construct to create.

  • bootstrap_cluster_creator_admin_permissions (Optional[bool]) – Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true

  • default_capacity (Union[int, float, None]) – Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through defaultCapacityInstanceType, which defaults to m5.large. Use cluster.addAutoScalingGroupCapacity to add additional customized capacity. Set this to 0 is you wish to avoid the initial capacity allocation. Default: 2

  • default_capacity_instance (Optional[InstanceType]) – The instance type to use for the default capacity. This will only be taken into account if defaultCapacity is > 0. Default: m5.large

  • default_capacity_type (Optional[DefaultCapacityType]) – The default capacity type for the cluster. Default: NODEGROUP

  • kubectl_lambda_role (Optional[IRole]) – The IAM role to pass to the Kubectl Lambda Handler. Default: - Default Lambda IAM Execution Role

  • tags (Optional[Mapping[str, str]]) – The tags assigned to the EKS cluster. Default: - none

  • alb_controller (Union[AlbControllerOptions, Dict[str, Any], None]) – Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.

  • authentication_mode (Optional[AuthenticationMode]) – The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP

  • awscli_layer (Optional[ILayerVersion]) – An AWS Lambda layer that contains the aws CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x

  • cluster_handler_environment (Optional[Mapping[str, str]]) – Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.

  • cluster_handler_security_group (Optional[ISecurityGroup]) – A security group to associate with the Cluster Handler’s Lambdas. The Cluster Handler’s Lambdas are responsible for calling AWS’s EKS API. Requires placeClusterHandlerInVpc to be set to true. Default: - No security group.

  • cluster_logging (Optional[Sequence[ClusterLoggingTypes]]) – The cluster log types which you want to enable. Default: - none

  • core_dns_compute_type (Optional[CoreDnsComputeType]) – Controls the “eks.amazonaws.com/compute-type” annotation in the CoreDNS configuration on your cluster to determine which compute type to use for CoreDNS. Default: CoreDnsComputeType.EC2 (for FargateCluster the default is FARGATE)

  • endpoint_access (Optional[EndpointAccess]) – Configure access to the Kubernetes API server endpoint.. Default: EndpointAccess.PUBLIC_AND_PRIVATE

  • ip_family (Optional[IpFamily]) – Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4

  • kubectl_environment (Optional[Mapping[str, str]]) – Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. Default: - No environment variables.

  • kubectl_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes kubectl and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the @aws-cdk/layer-kubectl-vXX packages, that works with the version of Kubernetes you have chosen. If you don’t supply this value kubectl 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20.

  • kubectl_memory (Optional[Size]) – Amount of memory to allocate to the provider’s lambda function. Default: Size.gibibytes(1)

  • masters_role (Optional[IRole]) – An IAM role that will be added to the system:masters Kubernetes RBAC group. Default: - no masters role.

  • on_event_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes the NPM dependency proxy-agent. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. By default, the provider will use the layer included in the “aws-lambda-layer-node-proxy-agent” SAR application which is available in all commercial regions. To deploy the layer locally define it in your app as follows:: const layer = new lambda.LayerVersion(this, ‘proxy-agent-layer’, { code: lambda.Code.fromAsset(${__dirname}/layer.zip), compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST], }); Default: - a layer bundled with this module.

  • output_masters_role_arn (Optional[bool]) – Determines whether a CloudFormation output with the ARN of the “masters” IAM role will be synthesized (if mastersRole is specified). Default: false

  • place_cluster_handler_in_vpc (Optional[bool]) – If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the vpcSubnets selection strategy. Default: false

  • prune (Optional[bool]) – Indicates whether Kubernetes resources added through addManifest() can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the kubectl apply operation with the --prune switch. Default: true

  • secrets_encryption_key (Optional[IKey]) – KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.

  • service_ipv4_cidr (Optional[str]) – The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks

  • version (KubernetesVersion) – The Kubernetes version to run in the cluster.

  • cluster_name (Optional[str]) – Name for the cluster. Default: - Automatically generated name

  • output_cluster_name (Optional[bool]) – Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false

  • output_config_command (Optional[bool]) – Determines whether a CloudFormation output with the aws eks update-kubeconfig command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true

  • role (Optional[IRole]) – Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you

  • security_group (Optional[ISecurityGroup]) – Security Group to use for Control Plane ENIs. Default: - A security group is automatically created

  • vpc (Optional[IVpc]) – The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through cluster.vpc.

  • vpc_subnets (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }] Default: - All public and private subnets

Methods

add_auto_scaling_group_capacity(id, *, instance_type, bootstrap_enabled=None, bootstrap_options=None, machine_image_type=None, map_role=None, spot_interrupt_handler=None, allow_all_outbound=None, associate_public_ip_address=None, auto_scaling_group_name=None, block_devices=None, capacity_rebalance=None, cooldown=None, default_instance_warmup=None, desired_capacity=None, group_metrics=None, health_check=None, ignore_unmodified_size_properties=None, instance_monitoring=None, key_name=None, key_pair=None, max_capacity=None, max_instance_lifetime=None, min_capacity=None, new_instances_protected_from_scale_in=None, notifications=None, signals=None, spot_price=None, ssm_session_permissions=None, termination_policies=None, termination_policy_custom_lambda_function_arn=None, update_policy=None, vpc_subnets=None)

Add nodes to this EKS cluster.

The nodes will automatically be configured with the right VPC and AMI for the instance type and Kubernetes version.

Note that if you specify updateType: RollingUpdate or updateType: ReplacingUpdate, your nodes might be replaced at deploy time without notice in case the recommended AMI for your machine image type has been updated by AWS. The default behavior for updateType is None, which means only new instances will be launched using the new AMI.

Spot instances will be labeled lifecycle=Ec2Spot and tainted with PreferNoSchedule. In addition, the spot interrupt handler daemon will be installed on all spot instances to handle EC2 Spot Instance Termination Notices.

Parameters:
  • id (str) –

  • instance_type (InstanceType) – Instance type of the instances to start.

  • bootstrap_enabled (Optional[bool]) – Configures the EC2 user-data script for instances in this autoscaling group to bootstrap the node (invoke /etc/eks/bootstrap.sh) and associate it with the EKS cluster. If you wish to provide a custom user data script, set this to false and manually invoke autoscalingGroup.addUserData(). Default: true

  • bootstrap_options (Union[BootstrapOptions, Dict[str, Any], None]) – EKS node bootstrapping options. Default: - none

  • machine_image_type (Optional[MachineImageType]) – Machine image type. Default: MachineImageType.AMAZON_LINUX_2

  • map_role (Optional[bool]) – Will automatically update the aws-auth ConfigMap to map the IAM instance role to RBAC. This cannot be explicitly set to true if the cluster has kubectl disabled. Default: - true if the cluster has kubectl enabled (which is the default).

  • spot_interrupt_handler (Optional[bool]) – Installs the AWS spot instance interrupt handler on the cluster if it’s not already added. Only relevant if spotPrice is used. Default: true

  • allow_all_outbound (Optional[bool]) – Whether the instances can initiate connections to anywhere by default. Default: true

  • associate_public_ip_address (Optional[bool]) – Whether instances in the Auto Scaling Group should have public IP addresses associated with them. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified Default: - Use subnet setting.

  • auto_scaling_group_name (Optional[str]) – The name of the Auto Scaling group. This name must be unique per Region per account. Default: - Auto generated by CloudFormation

  • block_devices (Optional[Sequence[Union[BlockDevice, Dict[str, Any]]]]) – Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes. Each instance that is launched has an associated root device volume, either an Amazon EBS volume or an instance store volume. You can use block device mappings to specify additional EBS volumes or instance store volumes to attach to an instance when it is launched. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified Default: - Uses the block device mapping of the AMI

  • capacity_rebalance (Optional[bool]) – Indicates whether Capacity Rebalancing is enabled. When you turn on Capacity Rebalancing, Amazon EC2 Auto Scaling attempts to launch a Spot Instance whenever Amazon EC2 notifies that a Spot Instance is at an elevated risk of interruption. After launching a new instance, it then terminates an old instance. Default: false

  • cooldown (Optional[Duration]) – Default scaling cooldown for this AutoScalingGroup. Default: Duration.minutes(5)

  • default_instance_warmup (Optional[Duration]) – The amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data. Set this value equal to the amount of time that it takes for resource consumption to become stable after an instance reaches the InService state. To optimize the performance of scaling policies that scale continuously, such as target tracking and step scaling policies, we strongly recommend that you enable the default instance warmup, even if its value is set to 0 seconds Default instance warmup will not be added if no value is specified Default: None

  • desired_capacity (Union[int, float, None]) – Initial amount of instances in the fleet. If this is set to a number, every deployment will reset the amount of instances to this number. It is recommended to leave this value blank. Default: minCapacity, and leave unchanged during deployment

  • group_metrics (Optional[Sequence[GroupMetrics]]) – Enable monitoring for group metrics, these metrics describe the group rather than any of its instances. To report all group metrics use GroupMetrics.all() Group metrics are reported in a granularity of 1 minute at no additional charge. Default: - no group metrics will be reported

  • health_check (Optional[HealthCheck]) – Configuration for health checks. Default: - HealthCheck.ec2 with no grace period

  • ignore_unmodified_size_properties (Optional[bool]) – If the ASG has scheduled actions, don’t reset unchanged group sizes. Only used if the ASG has scheduled actions (which may scale your ASG up or down regardless of cdk deployments). If true, the size of the group will only be reset if it has been changed in the CDK app. If false, the sizes will always be changed back to what they were in the CDK app on deployment. Default: true

  • instance_monitoring (Optional[Monitoring]) – Controls whether instances in this group are launched with detailed or basic monitoring. When detailed monitoring is enabled, Amazon CloudWatch generates metrics every minute and your account is charged a fee. When you disable detailed monitoring, CloudWatch generates metrics every 5 minutes. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified Default: - Monitoring.DETAILED

  • key_name (Optional[str]) – (deprecated) Name of SSH keypair to grant access to instances. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified You can either specify keyPair or keyName, not both. Default: - No SSH access will be possible.

  • key_pair (Optional[IKeyPair]) – The SSH keypair to grant access to the instance. Feature flag AUTOSCALING_GENERATE_LAUNCH_TEMPLATE must be enabled to use this property. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified. You can either specify keyPair or keyName, not both. Default: - No SSH access will be possible.

  • max_capacity (Union[int, float, None]) – Maximum number of instances in the fleet. Default: desiredCapacity

  • max_instance_lifetime (Optional[Duration]) – The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 604,800 seconds (7 days). To clear a previously set value, leave this property undefined. Default: none

  • min_capacity (Union[int, float, None]) – Minimum number of instances in the fleet. Default: 1

  • new_instances_protected_from_scale_in (Optional[bool]) – Whether newly-launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in. By default, Auto Scaling can terminate an instance at any time after launch when scaling in an Auto Scaling Group, subject to the group’s termination policy. However, you may wish to protect newly-launched instances from being scaled in if they are going to run critical applications that should not be prematurely terminated. This flag must be enabled if the Auto Scaling Group will be associated with an ECS Capacity Provider with managed termination protection. Default: false

  • notifications (Optional[Sequence[Union[NotificationConfiguration, Dict[str, Any]]]]) – Configure autoscaling group to send notifications about fleet changes to an SNS topic(s). Default: - No fleet change notifications will be sent.

  • signals (Optional[Signals]) – Configure waiting for signals during deployment. Use this to pause the CloudFormation deployment to wait for the instances in the AutoScalingGroup to report successful startup during creation and updates. The UserData script needs to invoke cfn-signal with a success or failure code after it is done setting up the instance. Without waiting for signals, the CloudFormation deployment will proceed as soon as the AutoScalingGroup has been created or updated but before the instances in the group have been started. For example, to have instances wait for an Elastic Load Balancing health check before they signal success, add a health-check verification by using the cfn-init helper script. For an example, see the verify_instance_health command in the Auto Scaling rolling updates sample template: https://github.com/awslabs/aws-cloudformation-templates/blob/master/aws/services/AutoScaling/AutoScalingRollingUpdates.yaml Default: - Do not wait for signals

  • spot_price (Optional[str]) – The maximum hourly price (in USD) to be paid for any Spot Instance launched to fulfill the request. Spot Instances are launched when the price you specify exceeds the current Spot market price. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified Default: none

  • ssm_session_permissions (Optional[bool]) – Add SSM session permissions to the instance role. Setting this to true adds the necessary permissions to connect to the instance using SSM Session Manager. You can do this from the AWS Console. NOTE: Setting this flag to true may not be enough by itself. You must also use an AMI that comes with the SSM Agent, or install the SSM Agent yourself. See Working with SSM Agent in the SSM Developer Guide. Default: false

  • termination_policies (Optional[Sequence[TerminationPolicy]]) – A policy or a list of policies that are used to select the instances to terminate. The policies are executed in the order that you list them. Default: - TerminationPolicy.DEFAULT

  • termination_policy_custom_lambda_function_arn (Optional[str]) – A lambda function Arn that can be used as a custom termination policy to select the instances to terminate. This property must be specified if the TerminationPolicy.CUSTOM_LAMBDA_FUNCTION is used. Default: - No lambda function Arn will be supplied

  • update_policy (Optional[UpdatePolicy]) – What to do when an AutoScalingGroup’s instance configuration is changed. This is applied when any of the settings on the ASG are changed that affect how the instances should be created (VPC, instance type, startup scripts, etc.). It indicates how the existing instances should be replaced with new instances matching the new config. By default, nothing is done and only new instances are launched with the new config. Default: - UpdatePolicy.rollingUpdate() if using init, UpdatePolicy.none() otherwise

  • vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – Where to place instances within the VPC. Default: - All Private subnets.

Return type:

AutoScalingGroup

add_cdk8s_chart(id, chart, *, ingress_alb=None, ingress_alb_scheme=None, prune=None, skip_validation=None)

Defines a CDK8s chart in this cluster.

Parameters:
  • id (str) – logical id of this chart.

  • chart (Construct) – the cdk8s chart.

  • ingress_alb (Optional[bool]) – Automatically detect Ingress resources in the manifest and annotate them so they are picked up by an ALB Ingress Controller. Default: false

  • ingress_alb_scheme (Optional[AlbScheme]) – Specify the ALB scheme that should be applied to Ingress resources. Only applicable if ingressAlb is set to true. Default: AlbScheme.INTERNAL

  • prune (Optional[bool]) – When a resource is removed from a Kubernetes manifest, it no longer appears in the manifest, and there is no way to know that this resource needs to be deleted. To address this, kubectl apply has a --prune option which will query the cluster for all resources with a specific label and will remove all the labeld resources that are not part of the applied manifest. If this option is disabled and a resource is removed, it will become “orphaned” and will not be deleted from the cluster. When this option is enabled (default), the construct will inject a label to all Kubernetes resources included in this manifest which will be used to prune resources when the manifest changes via kubectl apply --prune. The label name will be aws.cdk.eks/prune-<ADDR> where <ADDR> is the 42-char unique address of this construct in the construct tree. Value is empty. Default: - based on the prune option of the cluster, which is true unless otherwise specified.

  • skip_validation (Optional[bool]) – A flag to signify if the manifest validation should be skipped. Default: false

Return type:

KubernetesManifest

Returns:

a KubernetesManifest construct representing the chart.

add_fargate_profile(id, *, selectors, fargate_profile_name=None, pod_execution_role=None, subnet_selection=None, vpc=None)

Adds a Fargate profile to this cluster.

Parameters:
  • id (str) – the id of this profile.

  • selectors (Sequence[Union[Selector, Dict[str, Any]]]) – The selectors to match for pods to use this Fargate profile. Each selector must have an associated namespace. Optionally, you can also specify labels for a namespace. At least one selector is required and you may specify up to five selectors.

  • fargate_profile_name (Optional[str]) – The name of the Fargate profile. Default: - generated

  • pod_execution_role (Optional[IRole]) – The pod execution role to use for pods that match the selectors in the Fargate profile. The pod execution role allows Fargate infrastructure to register with your cluster as a node, and it provides read access to Amazon ECR image repositories. Default: - a role will be automatically created

  • subnet_selection (Union[SubnetSelection, Dict[str, Any], None]) – Select which subnets to launch your pods into. At this time, pods running on Fargate are not assigned public IP addresses, so only private subnets (with no direct route to an Internet Gateway) are allowed. You must specify the VPC to customize the subnet selection Default: - all private subnets of the VPC are selected.

  • vpc (Optional[IVpc]) – The VPC from which to select subnets to launch your pods into. By default, all private subnets are selected. You can customize this using subnetSelection. Default: - all private subnets used by the EKS cluster

See:

https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html

Return type:

FargateProfile

add_helm_chart(id, *, atomic=None, chart=None, chart_asset=None, create_namespace=None, namespace=None, release=None, repository=None, skip_crds=None, timeout=None, values=None, version=None, wait=None)

Defines a Helm chart in this cluster.

Parameters:
  • id (str) – logical id of this chart.

  • atomic (Optional[bool]) – Whether or not Helm should treat this operation as atomic; if set, upgrade process rolls back changes made in case of failed upgrade. The –wait flag will be set automatically if –atomic is used. Default: false

  • chart (Optional[str]) – The name of the chart. Either this or chartAsset must be specified. Default: - No chart name. Implies chartAsset is used.

  • chart_asset (Optional[Asset]) – The chart in the form of an asset. Either this or chart must be specified. Default: - No chart asset. Implies chart is used.

  • create_namespace (Optional[bool]) – create namespace if not exist. Default: true

  • namespace (Optional[str]) – The Kubernetes namespace scope of the requests. Default: default

  • release (Optional[str]) – The name of the release. Default: - If no release name is given, it will use the last 53 characters of the node’s unique id.

  • repository (Optional[str]) – The repository which contains the chart. For example: https://charts.helm.sh/stable/ Default: - No repository will be used, which means that the chart needs to be an absolute URL.

  • skip_crds (Optional[bool]) – if set, no CRDs will be installed. Default: - CRDs are installed if not already present

  • timeout (Optional[Duration]) – Amount of time to wait for any individual Kubernetes operation. Maximum 15 minutes. Default: Duration.minutes(5)

  • values (Optional[Mapping[str, Any]]) – The values to be used by the chart. For nested values use a nested dictionary. For example: values: { installationCRDs: true, webhook: { port: 9443 } } Default: - No values are provided to the chart.

  • version (Optional[str]) – The chart version to install. Default: - If this is not specified, the latest version is installed

  • wait (Optional[bool]) – Whether or not Helm should wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. Default: - Helm will not wait before marking release as successful

Return type:

HelmChart

Returns:

a HelmChart construct

add_manifest(id, *manifest)

Defines a Kubernetes resource in this cluster.

The manifest will be applied/deleted using kubectl as needed.

Parameters:
  • id (str) – logical id of this manifest.

  • manifest (Mapping[str, Any]) – a list of Kubernetes resource specifications.

Return type:

KubernetesManifest

Returns:

a KubernetesResource object.

add_nodegroup_capacity(id, *, ami_type=None, capacity_type=None, desired_size=None, disk_size=None, force_update=None, instance_types=None, labels=None, launch_template_spec=None, max_size=None, max_unavailable=None, max_unavailable_percentage=None, min_size=None, nodegroup_name=None, node_role=None, release_version=None, remote_access=None, subnets=None, tags=None, taints=None)

Add managed nodegroup to this Amazon EKS cluster.

This method will create a new managed nodegroup and add into the capacity.

Parameters:
  • id (str) – The ID of the nodegroup.

  • ami_type (Optional[NodegroupAmiType]) – The AMI type for your node group. If you explicitly specify the launchTemplate with custom AMI, do not specify this property, or the node group deployment will fail. In other cases, you will need to specify correct amiType for the nodegroup. Default: - auto-determined from the instanceTypes property when launchTemplateSpec property is not specified

  • capacity_type (Optional[CapacityType]) – The capacity type of the nodegroup. Default: - ON_DEMAND

  • desired_size (Union[int, float, None]) – The current number of worker nodes that the managed node group should maintain. If not specified, the nodewgroup will initially create minSize instances. Default: 2

  • disk_size (Union[int, float, None]) – The root device disk size (in GiB) for your node group instances. Default: 20

  • force_update (Optional[bool]) – Force the update if the existing node group’s pods are unable to be drained due to a pod disruption budget issue. If an update fails because pods could not be drained, you can force the update after it fails to terminate the old node whether or not any pods are running on the node. Default: true

  • instance_types (Optional[Sequence[InstanceType]]) – The instance types to use for your node group. Default: t3.medium will be used according to the cloudformation document.

  • labels (Optional[Mapping[str, str]]) – The Kubernetes labels to be applied to the nodes in the node group when they are created. Default: - None

  • launch_template_spec (Union[LaunchTemplateSpec, Dict[str, Any], None]) – Launch template specification used for the nodegroup. Default: - no launch template

  • max_size (Union[int, float, None]) – The maximum number of worker nodes that the managed node group can scale out to. Managed node groups can support up to 100 nodes by default. Default: - desiredSize

  • max_unavailable (Union[int, float, None]) – The maximum number of nodes unavailable at once during a version update. Nodes will be updated in parallel. The maximum number is 100. This value or maxUnavailablePercentage is required to have a value for custom update configurations to be applied. Default: 1

  • max_unavailable_percentage (Union[int, float, None]) – The maximum percentage of nodes unavailable during a version update. This percentage of nodes will be updated in parallel, up to 100 nodes at once. This value or maxUnavailable is required to have a value for custom update configurations to be applied. Default: undefined - node groups will update instances one at a time

  • min_size (Union[int, float, None]) – The minimum number of worker nodes that the managed node group can scale in to. This number must be greater than or equal to zero. Default: 1

  • nodegroup_name (Optional[str]) – Name of the Nodegroup. Default: - resource ID

  • node_role (Optional[IRole]) – The IAM role to associate with your node group. The Amazon EKS worker node kubelet daemon makes calls to AWS APIs on your behalf. Worker nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch worker nodes and register them into a cluster, you must create an IAM role for those worker nodes to use when they are launched. Default: - None. Auto-generated if not specified.

  • release_version (Optional[str]) – The AMI version of the Amazon EKS-optimized AMI to use with your node group (for example, 1.14.7-YYYYMMDD). Default: - The latest available AMI version for the node group’s current Kubernetes version is used.

  • remote_access (Union[NodegroupRemoteAccess, Dict[str, Any], None]) – The remote access (SSH) configuration to use with your node group. Disabled by default, however, if you specify an Amazon EC2 SSH key but do not specify a source security group when you create a managed node group, then port 22 on the worker nodes is opened to the internet (0.0.0.0/0) Default: - disabled

  • subnets (Union[SubnetSelection, Dict[str, Any], None]) – The subnets to use for the Auto Scaling group that is created for your node group. By specifying the SubnetSelection, the selected subnets will automatically apply required tags i.e. kubernetes.io/cluster/CLUSTER_NAME with a value of shared, where CLUSTER_NAME is replaced with the name of your cluster. Default: - private subnets

  • tags (Optional[Mapping[str, str]]) – The metadata to apply to the node group to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Node group tags do not propagate to any other resources associated with the node group, such as the Amazon EC2 instances or subnets. Default: - None

  • taints (Optional[Sequence[Union[TaintSpec, Dict[str, Any]]]]) – The Kubernetes taints to be applied to the nodes in the node group when they are created. Default: - None

See:

https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html

Return type:

Nodegroup

add_service_account(id, *, annotations=None, identity_type=None, labels=None, name=None, namespace=None)

Creates a new service account with corresponding IAM Role (IRSA).

Parameters:
Return type:

ServiceAccount

apply_removal_policy(policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:

policy (RemovalPolicy) –

Return type:

None

connect_auto_scaling_group_capacity(auto_scaling_group, *, bootstrap_enabled=None, bootstrap_options=None, machine_image_type=None, map_role=None, spot_interrupt_handler=None)

Connect capacity in the form of an existing AutoScalingGroup to the EKS cluster.

The AutoScalingGroup must be running an EKS-optimized AMI containing the /etc/eks/bootstrap.sh script. This method will configure Security Groups, add the right policies to the instance role, apply the right tags, and add the required user data to the instance’s launch configuration.

Spot instances will be labeled lifecycle=Ec2Spot and tainted with PreferNoSchedule. If kubectl is enabled, the spot interrupt handler daemon will be installed on all spot instances to handle EC2 Spot Instance Termination Notices.

Prefer to use addAutoScalingGroupCapacity if possible.

Parameters:
  • auto_scaling_group (AutoScalingGroup) – [disable-awslint:ref-via-interface].

  • bootstrap_enabled (Optional[bool]) – Configures the EC2 user-data script for instances in this autoscaling group to bootstrap the node (invoke /etc/eks/bootstrap.sh) and associate it with the EKS cluster. If you wish to provide a custom user data script, set this to false and manually invoke autoscalingGroup.addUserData(). Default: true

  • bootstrap_options (Union[BootstrapOptions, Dict[str, Any], None]) – Allows options for node bootstrapping through EC2 user data. Default: - default options

  • machine_image_type (Optional[MachineImageType]) – Allow options to specify different machine image type. Default: MachineImageType.AMAZON_LINUX_2

  • map_role (Optional[bool]) – Will automatically update the aws-auth ConfigMap to map the IAM instance role to RBAC. This cannot be explicitly set to true if the cluster has kubectl disabled. Default: - true if the cluster has kubectl enabled (which is the default).

  • spot_interrupt_handler (Optional[bool]) – Installs the AWS spot instance interrupt handler on the cluster if it’s not already added. Only relevant if spotPrice is configured on the auto-scaling group. Default: true

See:

https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html

Return type:

None

get_ingress_load_balancer_address(ingress_name, *, namespace=None, timeout=None)

Fetch the load balancer address of an ingress backed by a load balancer.

Parameters:
  • ingress_name (str) – The name of the ingress.

  • namespace (Optional[str]) – The namespace the service belongs to. Default: ‘default’

  • timeout (Optional[Duration]) – Timeout for waiting on the load balancer address. Default: Duration.minutes(5)

Return type:

str

get_service_load_balancer_address(service_name, *, namespace=None, timeout=None)

Fetch the load balancer address of a service of type ‘LoadBalancer’.

Parameters:
  • service_name (str) – The name of the service.

  • namespace (Optional[str]) – The namespace the service belongs to. Default: ‘default’

  • timeout (Optional[Duration]) – Timeout for waiting on the load balancer address. Default: Duration.minutes(5)

Return type:

str

grant_access(id, principal, access_policies)

Grants the specified IAM principal access to the EKS cluster based on the provided access policies.

This method creates an AccessEntry construct that grants the specified IAM principal the access permissions defined by the provided IAccessPolicy array. This allows the IAM principal to perform the actions permitted by the access policies within the EKS cluster.

Parameters:
  • id (str) –

    • The ID of the AccessEntry construct to be created.

  • principal (str) –

    • The IAM principal (role or user) to be granted access to the EKS cluster.

  • access_policies (Sequence[IAccessPolicy]) –

    • An array of IAccessPolicy objects that define the access permissions to be granted to the IAM principal.

Return type:

None

to_string()

Returns a string representation of this construct.

Return type:

str

Attributes

admin_role

An IAM role with administrative permissions to create or update the cluster.

This role also has systems:master permissions.

alb_controller

The ALB Controller construct defined for this cluster.

Will be undefined if albController wasn’t configured.

authentication_mode

The authentication mode for the Amazon EKS cluster.

The authentication mode determines how users and applications authenticate to the Kubernetes API server.

Default:

CONFIG_MAP.

Property:

{AuthenticationMode} [authenticationMode] - The authentication mode for the Amazon EKS cluster.

aws_auth

Lazily creates the AwsAuth resource, which manages AWS authentication mapping.

awscli_layer

An AWS Lambda layer that contains the aws CLI.

If not defined, a default layer will be used containing the AWS CLI 1.x.

cluster_arn

The AWS generated ARN for the Cluster resource.

For example, arn:aws:eks:us-west-2:666666666666:cluster/prod

cluster_certificate_authority_data

The certificate-authority-data for your cluster.

cluster_encryption_config_key_arn

Amazon Resource Name (ARN) or alias of the customer master key (CMK).

cluster_endpoint

The endpoint URL for the Cluster.

This is the URL inside the kubeconfig file to use with kubectl

For example, https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com

cluster_handler_security_group

A security group to associate with the Cluster Handler’s Lambdas.

The Cluster Handler’s Lambdas are responsible for calling AWS’s EKS API.

Requires placeClusterHandlerInVpc to be set to true.

Default:
  • No security group.

cluster_name

The Name of the created EKS Cluster.

cluster_open_id_connect_issuer

If this cluster is kubectl-enabled, returns the OpenID Connect issuer.

This is because the values is only be retrieved by the API and not exposed by CloudFormation. If this cluster is not kubectl-enabled (i.e. uses the stock CfnCluster), this is undefined.

Attribute:

true

cluster_open_id_connect_issuer_url

If this cluster is kubectl-enabled, returns the OpenID Connect issuer url.

This is because the values is only be retrieved by the API and not exposed by CloudFormation. If this cluster is not kubectl-enabled (i.e. uses the stock CfnCluster), this is undefined.

Attribute:

true

cluster_security_group

The cluster security group that was created by Amazon EKS for the cluster.

cluster_security_group_id

The id of the cluster security group that was created by Amazon EKS for the cluster.

connections

Manages connection rules (Security Group Rules) for the cluster.

Memberof:

Cluster

Type:

{ec2.Connections}

default_capacity

The auto scaling group that hosts the default capacity for this cluster.

This will be undefined if the defaultCapacityType is not EC2 or defaultCapacityType is EC2 but default capacity is set to 0.

default_nodegroup

The node group that hosts the default capacity for this cluster.

This will be undefined if the defaultCapacityType is EC2 or defaultCapacityType is NODEGROUP but default capacity is set to 0.

eks_pod_identity_agent

Retrieves the EKS Pod Identity Agent addon for the EKS cluster.

The EKS Pod Identity Agent is responsible for managing the temporary credentials used by pods in the cluster to access AWS resources. It runs as a DaemonSet on each node and provides the necessary credentials to the pods based on their associated service account.

env

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

ip_family

Specify which IP family is used to assign Kubernetes pod and service IP addresses.

Default:
  • IpFamily.IP_V4

See:

https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-ipFamily

kubectl_environment

Custom environment variables when running kubectl against this cluster.

kubectl_lambda_role

An IAM role that can perform kubectl operations against this cluster.

The role should be mapped to the system:masters Kubernetes RBAC role.

This role is directly passed to the lambda handler that sends Kube Ctl commands to the cluster.

Default:

  • if not specified, the default role created by a lambda function will

be used.

kubectl_layer

An AWS Lambda layer that includes kubectl and helm.

If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8

kubectl_memory

The amount of memory allocated to the kubectl provider’s lambda function.

kubectl_private_subnets

Subnets to host the kubectl compute resources.

Default:

  • If not specified, the k8s endpoint is expected to be accessible

publicly.

kubectl_role

An IAM role that can perform kubectl operations against this cluster.

The role should be mapped to the system:masters Kubernetes RBAC role.

kubectl_security_group

A security group to use for kubectl execution.

Default:

  • If not specified, the k8s endpoint is expected to be accessible

publicly.

node

The tree node.

on_event_layer

The AWS Lambda layer that contains the NPM dependency proxy-agent.

If undefined, a SAR app that contains this layer will be used.

open_id_connect_provider

An OpenIdConnectProvider resource associated with this cluster, and which can be used to link this cluster to AWS IAM.

A provider will only be defined if this property is accessed (lazy initialization).

prune

Determines if Kubernetes resources can be pruned automatically.

role

IAM role assumed by the EKS Control Plane.

stack

The stack in which this resource is defined.

vpc

The VPC in which this Cluster was created.

Static Methods

classmethod from_cluster_attributes(scope, id, *, cluster_name, awscli_layer=None, cluster_certificate_authority_data=None, cluster_encryption_config_key_arn=None, cluster_endpoint=None, cluster_handler_security_group_id=None, cluster_security_group_id=None, ip_family=None, kubectl_environment=None, kubectl_lambda_role=None, kubectl_layer=None, kubectl_memory=None, kubectl_private_subnet_ids=None, kubectl_provider=None, kubectl_role_arn=None, kubectl_security_group_id=None, on_event_layer=None, open_id_connect_provider=None, prune=None, security_group_ids=None, vpc=None)

Import an existing cluster.

Parameters:
  • scope (Construct) – the construct scope, in most cases ‘this’.

  • id (str) – the id or name to import as.

  • cluster_name (str) – The physical name of the Cluster.

  • awscli_layer (Optional[ILayerVersion]) – An AWS Lambda layer that contains the aws CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x

  • cluster_certificate_authority_data (Optional[str]) – The certificate-authority-data for your cluster. Default: - if not specified cluster.clusterCertificateAuthorityData will throw an error

  • cluster_encryption_config_key_arn (Optional[str]) – Amazon Resource Name (ARN) or alias of the customer master key (CMK). Default: - if not specified cluster.clusterEncryptionConfigKeyArn will throw an error

  • cluster_endpoint (Optional[str]) – The API Server endpoint URL. Default: - if not specified cluster.clusterEndpoint will throw an error.

  • cluster_handler_security_group_id (Optional[str]) – A security group id to associate with the Cluster Handler’s Lambdas. The Cluster Handler’s Lambdas are responsible for calling AWS’s EKS API. Default: - No security group.

  • cluster_security_group_id (Optional[str]) – The cluster security group that was created by Amazon EKS for the cluster. Default: - if not specified cluster.clusterSecurityGroupId will throw an error

  • ip_family (Optional[IpFamily]) – Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4

  • kubectl_environment (Optional[Mapping[str, str]]) – Environment variables to use when running kubectl against this cluster. Default: - no additional variables

  • kubectl_lambda_role (Optional[IRole]) – An IAM role that can perform kubectl operations against this cluster. The role should be mapped to the system:masters Kubernetes RBAC role. This role is directly passed to the lambda handler that sends Kube Ctl commands to the cluster. Default: - if not specified, the default role created by a lambda function will be used.

  • kubectl_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes kubectl and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the @aws-cdk/layer-kubectl-vXX packages, that works with the version of Kubernetes you have chosen. If you don’t supply this value kubectl 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20 and helm 3.8.

  • kubectl_memory (Optional[Size]) – Amount of memory to allocate to the provider’s lambda function. Default: Size.gibibytes(1)

  • kubectl_private_subnet_ids (Optional[Sequence[str]]) – Subnets to host the kubectl compute resources. If not specified, the k8s endpoint is expected to be accessible publicly. Default: - k8s endpoint is expected to be accessible publicly

  • kubectl_provider (Optional[IKubectlProvider]) – KubectlProvider for issuing kubectl commands. Default: - Default CDK provider

  • kubectl_role_arn (Optional[str]) – An IAM role with cluster administrator and “system:masters” permissions. Default: - if not specified, it not be possible to issue kubectl commands against an imported cluster.

  • kubectl_security_group_id (Optional[str]) – A security group to use for kubectl execution. If not specified, the k8s endpoint is expected to be accessible publicly. Default: - k8s endpoint is expected to be accessible publicly

  • on_event_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes the NPM dependency proxy-agent. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. The handler expects the layer to include the following node_modules: proxy-agent Default: - a layer bundled with this module.

  • open_id_connect_provider (Optional[IOpenIdConnectProvider]) – An Open ID Connect provider for this cluster that can be used to configure service accounts. You can either import an existing provider using iam.OpenIdConnectProvider.fromProviderArn, or create a new provider using new eks.OpenIdConnectProvider Default: - if not specified cluster.openIdConnectProvider and cluster.addServiceAccount will throw an error.

  • prune (Optional[bool]) – Indicates whether Kubernetes resources added through addManifest() can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the kubectl apply operation with the --prune switch. Default: true

  • security_group_ids (Optional[Sequence[str]]) – Additional security groups associated with this cluster. Default: - if not specified, no additional security groups will be considered in cluster.connections.

  • vpc (Optional[IVpc]) – The VPC in which this Cluster was created. Default: - if not specified cluster.vpc will throw an error

Return type:

ICluster

classmethod is_construct(x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Construct.

classmethod is_owned_resource(construct)

Returns true if the construct was created by CDK, and false otherwise.

Parameters:

construct (IConstruct) –

Return type:

bool

classmethod is_resource(construct)

Check whether the given construct is a Resource.

Parameters:

construct (IConstruct) –

Return type:

bool