AWS::EKS::Cluster
Creates an Amazon EKS control plane.
The Amazon EKS control plane consists of control plane instances that run the Kubernetes
software, such as etcd and the API server. The control plane runs in an
account managed by AWS, and the Kubernetes API is exposed via the Amazon EKS API server
endpoint. Each Amazon EKS cluster control plane is single-tenant and unique and runs
on its
own set of Amazon EC2 instances.
The cluster control plane is provisioned across multiple Availability Zones and
fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions
elastic network interfaces in your VPC
subnets to provide connectivity from the control plane instances to the worker nodes
(for example, to support kubectl exec, logs, and
proxy data flows).
Amazon EKS worker nodes run in your AWS account and connect to your cluster's control plane via the Kubernetes API server endpoint and a certificate file that is created for your cluster.
You can use the endpointPublicAccess and
endpointPrivateAccess parameters to enable or disable public and
private access to your cluster's Kubernetes API server endpoint. By default, public
access is enabled, and private access is disabled. For more information, see Amazon EKS Cluster
Endpoint Access Control in the
Amazon EKS User Guide
.
You can use the logging parameter to enable or disable exporting the
Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster
control
plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS
Cluster Control Plane Logs in the
Amazon EKS User Guide
.
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported
control plane logs. For more information, see Amazon CloudWatch Pricing
Cluster creation typically takes between 10 and 15 minutes. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch worker nodes into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon EKS Worker Nodes in the Amazon EKS User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::EKS::Cluster", "Properties" : { "EncryptionConfig" :[ EncryptionConfig, ... ], "Name" :String, "ResourcesVpcConfig" :ResourcesVpcConfig, "RoleArn" :String, "Version" :String} }
YAML
Type: AWS::EKS::Cluster Properties: EncryptionConfig:- EncryptionConfigName:StringResourcesVpcConfig:ResourcesVpcConfigRoleArn:StringVersion:String
Properties
EncryptionConfig-
The encryption configuration for the cluster.
Required: No
Type: List of EncryptionConfig
Maximum:
1Update requires: Replacement
Name-
The unique name to give to your cluster.
Required: No
Type: String
Minimum:
1Maximum:
100Pattern:
^[0-9A-Za-z][A-Za-z0-9\-_]*Update requires: Replacement
ResourcesVpcConfig-
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.
Required: Yes
Type: ResourcesVpcConfig
Update requires: Replacement
RoleArn-
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see Amazon EKS Service IAM Role in the Amazon EKS User Guide .
Required: Yes
Type: String
Update requires: Replacement
Version-
The desired Kubernetes version for your cluster. If you don't specify a value here, the latest version available in Amazon EKS is used.
Required: No
Type: String
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name. For example:
{ "Ref": "myCluster" }
For the Amazon EKS cluster myCluster, Ref returns
the name of the cluster.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following
are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn-
The ARN of the cluster, such as
arn:aws:eks:us-west-2:666666666666:cluster/prod. CertificateAuthorityData-
The
certificate-authority-datafor your cluster. ClusterSecurityGroupId-
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control plane to data plane communication.
This parameter is only returned by Amazon EKS clusters that support managed node groups. For more information, see Managed Node Groups in the Amazon EKS User Guide.
EncryptionConfigKeyArn-
Amazon Resource Name (ARN) or alias of the customer master key (CMK).
Endpoint-
The endpoint for your Kubernetes API server, such as
https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com.
Examples
Create a Cluster
The following example creates an Amazon EKS cluster called prod.
JSON
{ "Resources": { "myCluster": { "Type": "AWS::EKS::Cluster", "Properties": { "Name": "prod", "Version": "1.14", "RoleArn": "arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI", "ResourcesVpcConfig": { "SecurityGroupIds": [ "sg-6979fe18" ], "SubnetIds": [ "subnet-6782e71e", "subnet-e7e761ac" ] } } } } }
YAML
Resources: myCluster: Type: 'AWS::EKS::Cluster' Properties: Name: prod Version: '1.14' RoleArn: >- arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI ResourcesVpcConfig: SecurityGroupIds: - sg-6979fe18 SubnetIds: - subnet-6782e71e - subnet-e7e761ac
See also
-
Clusters in the Amazon EKS User Guide .
-
CreateCluster in the Amazon EKS API Reference .
