class aws_cdk.aws_eks.ICluster(*args, **kwds)

Bases: IResource, IConnectable, Protocol

An EKS cluster.


add_cdk8s_chart(id, chart, *, ingress_alb=None, ingress_alb_scheme=None, prune=None, skip_validation=None)

Defines a CDK8s chart in this cluster.

  • id (str) – logical id of this chart.

  • chart (Construct) – the cdk8s chart.

  • ingress_alb (Optional[bool]) – Automatically detect Ingress resources in the manifest and annotate them so they are picked up by an ALB Ingress Controller. Default: false

  • ingress_alb_scheme (Optional[AlbScheme]) – Specify the ALB scheme that should be applied to Ingress resources. Only applicable if ingressAlb is set to true. Default: AlbScheme.INTERNAL

  • prune (Optional[bool]) – When a resource is removed from a Kubernetes manifest, it no longer appears in the manifest, and there is no way to know that this resource needs to be deleted. To address this, kubectl apply has a --prune option which will query the cluster for all resources with a specific label and will remove all the labeld resources that are not part of the applied manifest. If this option is disabled and a resource is removed, it will become “orphaned” and will not be deleted from the cluster. When this option is enabled (default), the construct will inject a label to all Kubernetes resources included in this manifest which will be used to prune resources when the manifest changes via kubectl apply --prune. The label name will be aws.cdk.eks/prune-<ADDR> where <ADDR> is the 42-char unique address of this construct in the construct tree. Value is empty. Default: - based on the prune option of the cluster, which is true unless otherwise specified.

  • skip_validation (Optional[bool]) – A flag to signify if the manifest validation should be skipped. Default: false

Return type:



a KubernetesManifest construct representing the chart.

add_helm_chart(id, *, chart=None, chart_asset=None, create_namespace=None, namespace=None, release=None, repository=None, timeout=None, values=None, version=None, wait=None)

Defines a Helm chart in this cluster.

  • id (str) – logical id of this chart.

  • chart (Optional[str]) – The name of the chart. Either this or chartAsset must be specified. Default: - No chart name. Implies chartAsset is used.

  • chart_asset (Optional[Asset]) – The chart in the form of an asset. Either this or chart must be specified. Default: - No chart asset. Implies chart is used.

  • create_namespace (Optional[bool]) – create namespace if not exist. Default: true

  • namespace (Optional[str]) – The Kubernetes namespace scope of the requests. Default: default

  • release (Optional[str]) – The name of the release. Default: - If no release name is given, it will use the last 53 characters of the node’s unique id.

  • repository (Optional[str]) – The repository which contains the chart. For example: https://kubernetes-charts.storage.googleapis.com/ Default: - No repository will be used, which means that the chart needs to be an absolute URL.

  • timeout (Optional[Duration]) – Amount of time to wait for any individual Kubernetes operation. Maximum 15 minutes. Default: Duration.minutes(5)

  • values (Optional[Mapping[str, Any]]) – The values to be used by the chart. Default: - No values are provided to the chart.

  • version (Optional[str]) – The chart version to install. Default: - If this is not specified, the latest version is installed

  • wait (Optional[bool]) – Whether or not Helm should wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. Default: - Helm will not wait before marking release as successful

Return type:



a HelmChart construct

add_manifest(id, *manifest)

Defines a Kubernetes resource in this cluster.

The manifest will be applied/deleted using kubectl as needed.

  • id (str) – logical id of this manifest.

  • manifest (Mapping[str, Any]) – a list of Kubernetes resource specifications.

Return type:



a KubernetesManifest object.

add_service_account(id, *, annotations=None, labels=None, name=None, namespace=None)

Creates a new service account with corresponding IAM Role (IRSA).

Return type:



Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


policy (RemovalPolicy) –

Return type:


connect_auto_scaling_group_capacity(auto_scaling_group, *, bootstrap_enabled=None, bootstrap_options=None, machine_image_type=None, map_role=None, spot_interrupt_handler=None)

Connect capacity in the form of an existing AutoScalingGroup to the EKS cluster.

The AutoScalingGroup must be running an EKS-optimized AMI containing the /etc/eks/bootstrap.sh script. This method will configure Security Groups, add the right policies to the instance role, apply the right tags, and add the required user data to the instance’s launch configuration.

Spot instances will be labeled lifecycle=Ec2Spot and tainted with PreferNoSchedule. If kubectl is enabled, the spot interrupt handler daemon will be installed on all spot instances to handle EC2 Spot Instance Termination Notices.

Prefer to use addAutoScalingGroupCapacity if possible.

  • auto_scaling_group (AutoScalingGroup) – [disable-awslint:ref-via-interface].

  • bootstrap_enabled (Optional[bool]) – Configures the EC2 user-data script for instances in this autoscaling group to bootstrap the node (invoke /etc/eks/bootstrap.sh) and associate it with the EKS cluster. If you wish to provide a custom user data script, set this to false and manually invoke autoscalingGroup.addUserData(). Default: true

  • bootstrap_options (Union[BootstrapOptions, Dict[str, Any], None]) – Allows options for node bootstrapping through EC2 user data. Default: - default options

  • machine_image_type (Optional[MachineImageType]) – Allow options to specify different machine image type. Default: MachineImageType.AMAZON_LINUX_2

  • map_role (Optional[bool]) – Will automatically update the aws-auth ConfigMap to map the IAM instance role to RBAC. This cannot be explicitly set to true if the cluster has kubectl disabled. Default: - true if the cluster has kubectl enabled (which is the default).

  • spot_interrupt_handler (Optional[bool]) – Installs the AWS spot instance interrupt handler on the cluster if it’s not already added. Only relevant if spotPrice is configured on the auto-scaling group. Default: true



Return type:








The unique ARN assigned to the service by AWS in the form of arn




The certificate-authority-data for your cluster.




Amazon Resource Name (ARN) or alias of the customer master key (CMK).




The API Server endpoint URL.




A security group to associate with the Cluster Handler’s Lambdas.

The Cluster Handler’s Lambdas are responsible for calling AWS’s EKS API.

Requires placeClusterHandlerInVpc to be set to true.

  • No security group.




The physical name of the Cluster.




The cluster security group that was created by Amazon EKS for the cluster.




The id of the cluster security group that was created by Amazon EKS for the cluster.




The network connections associated with this resource.


The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


Custom environment variables when running kubectl against this cluster.


An IAM role that can perform kubectl operations against this cluster.

The role should be mapped to the system:masters Kubernetes RBAC role.

This role is directly passed to the lambda handler that sends Kube Ctl commands to the cluster.


An AWS Lambda layer that includes kubectl, helm and the aws CLI.

If not defined, a default layer will be used.


Amount of memory to allocate to the provider’s lambda function.


Subnets to host the kubectl compute resources.

If this is undefined, the k8s endpoint is expected to be accessible publicly.


Kubectl Provider for issuing kubectl commands against it.

If not defined, a default provider will be used


An IAM role that can perform kubectl operations against this cluster.

The role should be mapped to the system:masters Kubernetes RBAC role.


A security group to use for kubectl execution.

If this is undefined, the k8s endpoint is expected to be accessible publicly.


The construct tree node for this construct.


An AWS Lambda layer that includes the NPM dependency proxy-agent.

If not defined, a default layer will be used.


The Open ID Connect Provider of the cluster used to configure Service Accounts.


Indicates whether Kubernetes resources can be automatically pruned.

When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the kubectl apply operation with the --prune switch.


The stack in which this resource is defined.


The VPC in which this Cluster was created.