Cluster
- class aws_cdk.aws_eks.Cluster(scope, id, *, bootstrap_cluster_creator_admin_permissions=None, default_capacity=None, default_capacity_instance=None, default_capacity_type=None, kubectl_lambda_role=None, tags=None, alb_controller=None, authentication_mode=None, awscli_layer=None, cluster_handler_environment=None, cluster_handler_security_group=None, cluster_logging=None, core_dns_compute_type=None, endpoint_access=None, ip_family=None, kubectl_environment=None, kubectl_layer=None, kubectl_memory=None, masters_role=None, on_event_layer=None, output_masters_role_arn=None, place_cluster_handler_in_vpc=None, prune=None, secrets_encryption_key=None, service_ipv4_cidr=None, version, cluster_name=None, output_cluster_name=None, output_config_command=None, role=None, security_group=None, vpc=None, vpc_subnets=None)
Bases:
Resource
A Cluster represents a managed Kubernetes Service (EKS).
This is a fully managed cluster of API servers (the control plane); the user is still required to create the worker nodes.
Example:

```python
from aws_cdk import Size
from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_eks as eks

# vpc: ec2.Vpc

# Create a new cluster; `self` is the enclosing cdk.Stack.
eks.Cluster(self, "MyCluster",
    kubectl_memory=Size.gibibytes(4),
    version=eks.KubernetesVersion.V1_30,
)

# or: import an existing cluster by its attributes.
eks.Cluster.from_cluster_attributes(self, "MyCluster",
    kubectl_memory=Size.gibibytes(4),
    vpc=vpc,
    cluster_name="cluster-name",
)
```
Initiates an EKS Cluster with the supplied arguments.
- Parameters:
  - scope (Construct) – a Construct, most likely a cdk.Stack.
  - id (str) – the id of the Construct to create.
  - bootstrap_cluster_creator_admin_permissions (Optional[bool]) – Whether or not the IAM principal of the cluster creator is set as a cluster admin access entry at cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
  - default_capacity (Union[int, float, None]) – Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through defaultCapacityInstanceType, which defaults to m5.large. Use cluster.addAutoScalingGroupCapacity to add additional customized capacity. Set this to 0 if you wish to avoid the initial capacity allocation. Default: 2
  - default_capacity_instance (Optional[InstanceType]) – The instance type to use for the default capacity. This will only be taken into account if defaultCapacity is > 0. Default: m5.large
  - default_capacity_type (Optional[DefaultCapacityType]) – The default capacity type for the cluster. Default: NODEGROUP
  - kubectl_lambda_role (Optional[IRole]) – The IAM role to pass to the Kubectl Lambda Handler. Default: - Default Lambda IAM Execution Role
  - tags (Optional[Mapping[str, str]]) – The tags assigned to the EKS cluster. Default: - none
  - alb_controller (Union[AlbControllerOptions, Dict[str, Any], None]) – Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
  - authentication_mode (Optional[AuthenticationMode]) – The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
  - awscli_layer (Optional[ILayerVersion]) – An AWS Lambda layer that contains the aws CLI. The handler expects the layer to include the following executable: /opt/awscli/aws. Default: - a default layer with the AWS CLI 1.x
  - cluster_handler_environment (Optional[Mapping[str, str]]) – Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
  - cluster_handler_security_group (Optional[ISecurityGroup]) – A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires placeClusterHandlerInVpc to be set to true. Default: - No security group.
  - cluster_logging (Optional[Sequence[ClusterLoggingTypes]]) – The cluster log types which you want to enable. Default: - none
  - core_dns_compute_type (Optional[CoreDnsComputeType]) – Controls the "eks.amazonaws.com/compute-type" annotation in the CoreDNS configuration on your cluster to determine which compute type to use for CoreDNS. Default: CoreDnsComputeType.EC2 (for FargateCluster the default is FARGATE)
  - endpoint_access (Optional[EndpointAccess]) – Configure access to the Kubernetes API server endpoint. Default: EndpointAccess.PUBLIC_AND_PRIVATE
  - ip_family (Optional[IpFamily]) – Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
  - kubectl_environment (Optional[Mapping[str, str]]) – Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. Default: - No environment variables.
  - kubectl_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes kubectl and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate release of one of the @aws-cdk/layer-kubectl-vXX packages that works with the version of Kubernetes you have chosen. If you don't supply this value, kubectl 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables: /opt/helm/helm and /opt/kubectl/kubectl. Default: - a default layer with Kubectl 1.20.
  - kubectl_memory (Optional[Size]) – Amount of memory to allocate to the provider's lambda function. Default: Size.gibibytes(1)
  - masters_role (Optional[IRole]) – An IAM role that will be added to the system:masters Kubernetes RBAC group. Default: - no masters role.
  - on_event_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes the NPM dependency proxy-agent. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. By default, the provider will use the layer included in the "aws-lambda-layer-node-proxy-agent" SAR application which is available in all commercial regions. To deploy the layer locally define it in your app as follows: `const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', { code: lambda.Code.fromAsset(`${__dirname}/layer.zip`), compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST] });` Default: - a layer bundled with this module.
  - output_masters_role_arn (Optional[bool]) – Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if mastersRole is specified). Default: false
  - place_cluster_handler_in_vpc (Optional[bool]) – If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the vpcSubnets selection strategy. Default: false
  - prune (Optional[bool]) – Indicates whether Kubernetes resources added through addManifest() can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected into each resource. These labels will then be used when issuing the kubectl apply operation with the --prune switch. Default: true
  - secrets_encryption_key (Optional[IKey]) – KMS key for envelope encryption of Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk level using AWS-managed encryption keys.
  - service_ipv4_cidr (Optional[str]) – The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
  - version (KubernetesVersion) – The Kubernetes version to run in the cluster.
  - cluster_name (Optional[str]) – Name for the cluster. Default: - Automatically generated name
  - output_cluster_name (Optional[bool]) – Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false
  - output_config_command (Optional[bool]) – Determines whether a CloudFormation output with the aws eks update-kubeconfig command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true
  - role (Optional[IRole]) – Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you
  - security_group (Optional[ISecurityGroup]) – Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
  - vpc (Optional[IVpc]) – The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through cluster.vpc.
  - vpc_subnets (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }] Default: - All public and private subnets
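Several of the security-relevant defaults above are the permissive choice: the API endpoint is PUBLIC_AND_PRIVATE with no source restriction, authentication runs through the aws-auth ConfigMap, the creating principal gets a cluster-admin access entry, no control plane log types are enabled, Secrets get only etcd disk encryption, and control plane ENIs may land in public subnets. The check below is an added example, not CDK code: it resolves a props dict to the documented defaults and flags what a hardened cluster would set differently. Enum values are modeled as their member names, `EndpointAccess.X.only_from(...)` as a dict with an `only_from` list, and a SubnetSelection as a dict with `subnet_type`, so it runs without aws_cdk installed; the CIDR and KMS alias in HARDENED are placeholders.

```python
import ipaddress

# Defaults copied from the parameter list above.  Anything the caller
# leaves out resolves to one of these, and most are the permissive choice.
CLUSTER_DEFAULTS = {
    "endpoint_access": "PUBLIC_AND_PRIVATE",
    "authentication_mode": "CONFIG_MAP",
    "bootstrap_cluster_creator_admin_permissions": True,
    "cluster_logging": [],
    "secrets_encryption_key": None,
    "vpc_subnets": None,  # "All public and private subnets"
}

# ClusterLoggingTypes members.
ALL_LOG_TYPES = ("API", "AUDIT", "AUTHENTICATOR", "CONTROLLER_MANAGER", "SCHEDULER")


def effective_props(props):
    """Props as the construct will see them: explicit values win,
    everything else falls back to the documented default."""
    merged = dict(CLUSTER_DEFAULTS)
    merged.update({k: v for k, v in props.items() if v is not None})
    return merged


def endpoint_exposed(endpoint_access):
    """True if the API server endpoint answers to arbitrary internet sources.

    A plain string is an EndpointAccess member name; a dict
    {"mode": "<member>", "only_from": ["cidr", ...]} models
    EndpointAccess.<member>.only_from(*cidrs)."""
    if isinstance(endpoint_access, str):
        mode, cidrs = endpoint_access, None
    else:
        mode, cidrs = endpoint_access["mode"], endpoint_access.get("only_from")
    if mode == "PRIVATE":
        return False
    if not cidrs:
        return True  # public endpoint with no source restriction
    # A /0 in the allow-list is no restriction at all.
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def audit_cluster_props(props):
    """Return (parameter, finding) pairs for an eks.Cluster props dict."""
    p = effective_props(props)
    findings = []
    if endpoint_exposed(p["endpoint_access"]):
        findings.append(("endpoint_access",
                         "Kubernetes API endpoint reachable from any internet source; "
                         "use EndpointAccess.PRIVATE or .only_from(<cidrs>)"))
    if p["authentication_mode"] == "CONFIG_MAP":
        findings.append(("authentication_mode",
                         "cluster access lives in the aws-auth ConfigMap; "
                         "AuthenticationMode.API manages it as EKS access entries"))
    if p["bootstrap_cluster_creator_admin_permissions"]:
        findings.append(("bootstrap_cluster_creator_admin_permissions",
                         "the creating principal gets a cluster-admin access entry; "
                         "set False and grant access explicitly (changing it later "
                         "replaces the cluster)"))
    missing = [t for t in ALL_LOG_TYPES if t not in p["cluster_logging"]]
    if missing:
        findings.append(("cluster_logging",
                         "control plane log types not enabled: " + ", ".join(missing)))
    if p["secrets_encryption_key"] is None:
        findings.append(("secrets_encryption_key",
                         "no KMS envelope encryption for Kubernetes Secrets; "
                         "only etcd disk-level encryption applies"))
    subnets = p["vpc_subnets"]
    if subnets is None or any(s.get("subnet_type") == "PUBLIC" for s in subnets):
        findings.append(("vpc_subnets",
                         "control plane ENIs may be placed in public subnets; "
                         "select SubnetType.PRIVATE_WITH_EGRESS"))
    return findings


# A hardened props set.  The KMS alias and CIDR are placeholders standing
# in for a kms.IKey and an operator network.
HARDENED = {
    "endpoint_access": {"mode": "PUBLIC_AND_PRIVATE", "only_from": ["203.0.113.0/24"]},
    "authentication_mode": "API",
    "bootstrap_cluster_creator_admin_permissions": False,
    "cluster_logging": list(ALL_LOG_TYPES),
    "secrets_encryption_key": "alias/eks-secrets",
    "vpc_subnets": [{"subnet_type": "PRIVATE_WITH_EGRESS"}],
}

if __name__ == "__main__":
    for param, msg in audit_cluster_props({}):  # all defaults: six findings
        print(f"{param}: {msg}")
    print("hardened findings:", audit_cluster_props(HARDENED))
```

Run it against an empty dict to see every default that needs an explicit decision; the HARDENED set produces no findings. Note that `only_from` with a /0 counts as exposed, since a public endpoint allow-listed to 0.0.0.0/0 is the same as no allow-list.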
Methods
- add_auto_scaling_group_capacity(id, *, instance_type, bootstrap_enabled=None, bootstrap_options=None, machine_image_type=None, map_role=None, spot_interrupt_handler=None, allow_all_outbound=None, associate_public_ip_address=None, auto_scaling_group_name=None, block_devices=None, capacity_rebalance=None, cooldown=None, default_instance_warmup=None, desired_capacity=None, group_metrics=None, health_check=None, ignore_unmodified_size_properties=None, instance_monitoring=None, key_name=None, key_pair=None, max_capacity=None, max_instance_lifetime=None, min_capacity=None, new_instances_protected_from_scale_in=None, notifications=None, signals=None, spot_price=None, ssm_session_permissions=None, termination_policies=None, termination_policy_custom_lambda_function_arn=None, update_policy=None, vpc_subnets=None)
Add nodes to this EKS cluster.
The nodes will automatically be configured with the right VPC and AMI for the instance type and Kubernetes version.
Note that if you specify updateType: RollingUpdate or updateType: ReplacingUpdate, your nodes might be replaced at deploy time without notice in case the recommended AMI for your machine image type has been updated by AWS. The default behavior for updateType is None, which means only new instances will be launched using the new AMI.
Spot instances will be labeled lifecycle=Ec2Spot and tainted with PreferNoSchedule. In addition, the spot interrupt handler daemon will be installed on all spot instances to handle EC2 Spot Instance Termination Notices.
- Parameters:
  - id (str) –
  - instance_type (InstanceType) – Instance type of the instances to start.
  - bootstrap_enabled (Optional[bool]) – Configures the EC2 user-data script for instances in this autoscaling group to bootstrap the node (invoke /etc/eks/bootstrap.sh) and associate it with the EKS cluster. If you wish to provide a custom user data script, set this to false and manually invoke autoscalingGroup.addUserData(). Default: true
  - bootstrap_options (Union[BootstrapOptions, Dict[str, Any], None]) – EKS node bootstrapping options. Default: - none
  - machine_image_type (Optional[MachineImageType]) – Machine image type. Default: MachineImageType.AMAZON_LINUX_2
  - map_role (Optional[bool]) – Will automatically update the aws-auth ConfigMap to map the IAM instance role to RBAC. This cannot be explicitly set to true if the cluster has kubectl disabled. Default: - true if the cluster has kubectl enabled (which is the default).
  - spot_interrupt_handler (Optional[bool]) – Installs the AWS spot instance interrupt handler on the cluster if it's not already added. Only relevant if spotPrice is used. Default: true
  - allow_all_outbound (Optional[bool]) – Whether the instances can initiate connections to anywhere by default. Default: true
  - associate_public_ip_address (Optional[bool]) – Whether instances in the Auto Scaling Group should have public IP addresses associated with them. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified. Default: - Use subnet setting.
  - auto_scaling_group_name (Optional[str]) – The name of the Auto Scaling group. This name must be unique per Region per account. Default: - Auto generated by CloudFormation
  - block_devices (Optional[Sequence[Union[BlockDevice, Dict[str, Any]]]]) – Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes. Each instance that is launched has an associated root device volume, either an Amazon EBS volume or an instance store volume. You can use block device mappings to specify additional EBS volumes or instance store volumes to attach to an instance when it is launched. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified. Default: - Uses the block device mapping of the AMI
  - capacity_rebalance (Optional[bool]) – Indicates whether Capacity Rebalancing is enabled. When you turn on Capacity Rebalancing, Amazon EC2 Auto Scaling attempts to launch a Spot Instance whenever Amazon EC2 notifies that a Spot Instance is at an elevated risk of interruption. After launching a new instance, it then terminates an old instance. Default: false
  - cooldown (Optional[Duration]) – Default scaling cooldown for this AutoScalingGroup. Default: Duration.minutes(5)
  - default_instance_warmup (Optional[Duration]) – The amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data. Set this value equal to the amount of time that it takes for resource consumption to become stable after an instance reaches the InService state. To optimize the performance of scaling policies that scale continuously, such as target tracking and step scaling policies, we strongly recommend that you enable the default instance warmup, even if its value is set to 0 seconds. Default instance warmup will not be added if no value is specified. Default: None
  - desired_capacity (Union[int, float, None]) – Initial amount of instances in the fleet. If this is set to a number, every deployment will reset the amount of instances to this number. It is recommended to leave this value blank. Default: minCapacity, and leave unchanged during deployment
  - group_metrics (Optional[Sequence[GroupMetrics]]) – Enable monitoring for group metrics; these metrics describe the group rather than any of its instances. To report all group metrics use GroupMetrics.all(). Group metrics are reported in a granularity of 1 minute at no additional charge. Default: - no group metrics will be reported
  - health_check (Optional[HealthCheck]) – Configuration for health checks. Default: - HealthCheck.ec2 with no grace period
  - ignore_unmodified_size_properties (Optional[bool]) – If the ASG has scheduled actions, don't reset unchanged group sizes. Only used if the ASG has scheduled actions (which may scale your ASG up or down regardless of cdk deployments). If true, the size of the group will only be reset if it has been changed in the CDK app. If false, the sizes will always be changed back to what they were in the CDK app on deployment. Default: true
  - instance_monitoring (Optional[Monitoring]) – Controls whether instances in this group are launched with detailed or basic monitoring. When detailed monitoring is enabled, Amazon CloudWatch generates metrics every minute and your account is charged a fee. When you disable detailed monitoring, CloudWatch generates metrics every 5 minutes. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified. Default: - Monitoring.DETAILED
  - key_name (Optional[str]) – (deprecated) Name of SSH keypair to grant access to instances. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified. You can either specify keyPair or keyName, not both. Default: - No SSH access will be possible.
  - key_pair (Optional[IKeyPair]) – The SSH keypair to grant access to the instance. Feature flag AUTOSCALING_GENERATE_LAUNCH_TEMPLATE must be enabled to use this property. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified. You can either specify keyPair or keyName, not both. Default: - No SSH access will be possible.
  - max_capacity (Union[int, float, None]) – Maximum number of instances in the fleet. Default: desiredCapacity
  - max_instance_lifetime (Optional[Duration]) – The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 604,800 seconds (7 days). To clear a previously set value, leave this property undefined. Default: none
  - min_capacity (Union[int, float, None]) – Minimum number of instances in the fleet. Default: 1
  - new_instances_protected_from_scale_in (Optional[bool]) – Whether newly-launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in. By default, Auto Scaling can terminate an instance at any time after launch when scaling in an Auto Scaling Group, subject to the group's termination policy. However, you may wish to protect newly-launched instances from being scaled in if they are going to run critical applications that should not be prematurely terminated. This flag must be enabled if the Auto Scaling Group will be associated with an ECS Capacity Provider with managed termination protection. Default: false
  - notifications (Optional[Sequence[Union[NotificationConfiguration, Dict[str, Any]]]]) – Configure the autoscaling group to send notifications about fleet changes to one or more SNS topics. Default: - No fleet change notifications will be sent.
  - signals (Optional[Signals]) – Configure waiting for signals during deployment. Use this to pause the CloudFormation deployment to wait for the instances in the AutoScalingGroup to report successful startup during creation and updates. The UserData script needs to invoke cfn-signal with a success or failure code after it is done setting up the instance. Without waiting for signals, the CloudFormation deployment will proceed as soon as the AutoScalingGroup has been created or updated but before the instances in the group have been started. For example, to have instances wait for an Elastic Load Balancing health check before they signal success, add a health-check verification by using the cfn-init helper script. For an example, see the verify_instance_health command in the Auto Scaling rolling updates sample template: https://github.com/awslabs/aws-cloudformation-templates/blob/master/aws/services/AutoScaling/AutoScalingRollingUpdates.yaml Default: - Do not wait for signals
  - spot_price (Optional[str]) – The maximum hourly price (in USD) to be paid for any Spot Instance launched to fulfill the request. Spot Instances are launched when the price you specify exceeds the current Spot market price. launchTemplate and mixedInstancesPolicy must not be specified when this property is specified. Default: none
  - ssm_session_permissions (Optional[bool]) – Add SSM session permissions to the instance role. Setting this to true adds the necessary permissions to connect to the instance using SSM Session Manager. You can do this from the AWS Console. NOTE: Setting this flag to true may not be enough by itself. You must also use an AMI that comes with the SSM Agent, or install the SSM Agent yourself. See Working with SSM Agent in the SSM Developer Guide. Default: false
  - termination_policies (Optional[Sequence[TerminationPolicy]]) – A policy or a list of policies that are used to select the instances to terminate. The policies are executed in the order that you list them. Default: - TerminationPolicy.DEFAULT
  - termination_policy_custom_lambda_function_arn (Optional[str]) – A lambda function ARN that can be used as a custom termination policy to select the instances to terminate. This property must be specified if TerminationPolicy.CUSTOM_LAMBDA_FUNCTION is used. Default: - No lambda function ARN will be supplied
  - update_policy (Optional[UpdatePolicy]) – What to do when an AutoScalingGroup's instance configuration is changed. This is applied when any of the settings on the ASG are changed that affect how the instances should be created (VPC, instance type, startup scripts, etc.). It indicates how the existing instances should be replaced with new instances matching the new config. By default, nothing is done and only new instances are launched with the new config. Default: - UpdatePolicy.rollingUpdate() if using init, UpdatePolicy.none() otherwise
  - vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – Where to place instances within the VPC. Default: - All Private subnets.
- Return type: AutoScalingGroup
- add_cdk8s_chart(id, chart, *, ingress_alb=None, ingress_alb_scheme=None, prune=None, skip_validation=None)
Defines a CDK8s chart in this cluster.
- Parameters:
  - id (str) – logical id of this chart.
  - chart (Construct) – the cdk8s chart.
  - ingress_alb (Optional[bool]) – Automatically detect Ingress resources in the manifest and annotate them so they are picked up by an ALB Ingress Controller. Default: false
  - ingress_alb_scheme (Optional[AlbScheme]) – Specify the ALB scheme that should be applied to Ingress resources. Only applicable if ingressAlb is set to true. Default: AlbScheme.INTERNAL
  - prune (Optional[bool]) – When a resource is removed from a Kubernetes manifest, it no longer appears in the manifest, and there is no way to know that this resource needs to be deleted. To address this, kubectl apply has a --prune option which will query the cluster for all resources with a specific label and will remove all the labeled resources that are not part of the applied manifest. If this option is disabled and a resource is removed, it will become "orphaned" and will not be deleted from the cluster. When this option is enabled (default), the construct will inject a label into all Kubernetes resources included in this manifest which will be used to prune resources when the manifest changes via kubectl apply --prune. The label name will be aws.cdk.eks/prune-<ADDR> where <ADDR> is the 42-char unique address of this construct in the construct tree. Value is empty. Default: - based on the prune option of the cluster, which is true unless otherwise specified.
  - skip_validation (Optional[bool]) – A flag to signify if the manifest validation should be skipped. Default: false
- Return type: KubernetesManifest
- Returns: a KubernetesManifest construct representing the chart.
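The prune option described above (and the cluster-level prune default in the constructor) matters for security because the resources most likely to be forgotten in a manifest are RBAC grants: with pruning disabled, a ClusterRoleBinding deleted from the source stays live in the cluster as an orphan. The following is an added example, not the construct's code: it models the label injection (aws.cdk.eks/prune-<ADDR>, empty value) and the subset of `kubectl apply --prune -l <label>` behaviour that removes labelled objects missing from the applied manifest, then replays a two-version rollout with and without pruning. The construct path, manifests and the address derivation ('c8' + sha1 of the path components, mirroring the constructs library's Node.addr) are assumptions for the example.

```python
import hashlib

PRUNE_LABEL_PREFIX = "aws.cdk.eks/prune-"


def construct_addr(*path):
    """42-char address of a construct path.  Assumption: 'c8' followed by the
    sha1 of the newline-terminated path components, which is how the
    constructs library derives Node.addr; this page does not state the scheme."""
    h = hashlib.sha1()
    for component in path:
        h.update(component.encode())
        h.update(b"\n")
    return "c8" + h.hexdigest()


def inject_prune_label(manifest, addr):
    """Copy of the manifest with aws.cdk.eks/prune-<ADDR> (empty value) added
    to every resource, as the construct does when prune is enabled."""
    label = PRUNE_LABEL_PREFIX + addr
    out = []
    for res in manifest:
        meta = dict(res.get("metadata", {}))
        meta["labels"] = {**meta.get("labels", {}), label: ""}
        out.append({**res, "metadata": meta})
    return out


def resource_key(res):
    """Identity of a resource: (apiVersion, kind, namespace, name)."""
    meta = res.get("metadata", {})
    return (res["apiVersion"], res["kind"], meta.get("namespace", ""), meta["name"])


def kubectl_apply(cluster, manifest, prune_label=None):
    """Model of `kubectl apply` (plus `--prune -l <prune_label>` when given).

    `cluster` maps resource_key -> live object.  Returns the new state and the
    keys deleted by pruning: live objects carrying the label that are absent
    from the applied manifest.  Leftovers without the label are never touched,
    which is exactly how a removed resource becomes an orphan."""
    new_state = dict(cluster)
    new_state.update({resource_key(r): r for r in manifest})
    pruned = []
    if prune_label is not None:
        keep = {resource_key(r) for r in manifest}
        for key, res in cluster.items():
            labels = res.get("metadata", {}).get("labels", {})
            if key not in keep and prune_label in labels:
                del new_state[key]
                pruned.append(key)
    return new_state, pruned


# Constructed sample: a workload service account and a binding that makes it
# cluster-admin.  Version 2 of the manifest drops the binding.
SA = {"apiVersion": "v1", "kind": "ServiceAccount",
      "metadata": {"name": "app", "namespace": "prod"}}
CRB = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
       "metadata": {"name": "app-admin"},
       "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                   "kind": "ClusterRole", "name": "cluster-admin"},
       "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "prod"}]}
MANIFEST_V1 = [SA, CRB]
MANIFEST_V2 = [SA]


def rollout(prune):
    """Apply v1 then v2; return whether the removed binding is still live and
    the kinds that were pruned."""
    addr = construct_addr("MyStack", "MyCluster", "manifest-app")  # hypothetical path
    label = PRUNE_LABEL_PREFIX + addr if prune else None
    prep = (lambda m: inject_prune_label(m, addr)) if prune else (lambda m: m)
    state, _ = kubectl_apply({}, prep(MANIFEST_V1), label)
    state, pruned = kubectl_apply(state, prep(MANIFEST_V2), label)
    return resource_key(CRB) in state, [k[1] for k in pruned]


if __name__ == "__main__":
    print("prune=True  (binding live, pruned):", rollout(True))
    print("prune=False (binding live, pruned):", rollout(False))
```

With pruning on, the second apply deletes the ClusterRoleBinding because it carries the construct's label and is no longer in the manifest; with pruning off, the binding remains and the cluster-admin grant outlives its source. The label is keyed on the construct address, so each KubernetesManifest only prunes objects it created itself.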
- add_fargate_profile(id, *, selectors, fargate_profile_name=None, pod_execution_role=None, subnet_selection=None, vpc=None)
Adds a Fargate profile to this cluster.
- Parameters:
  - id (str) – the id of this profile.
  - selectors (Sequence[Union[Selector, Dict[str, Any]]]) – The selectors to match for pods to use this Fargate profile. Each selector must have an associated namespace. Optionally, you can also specify labels for a namespace. At least one selector is required and you may specify up to five selectors.
  - fargate_profile_name (Optional[str]) – The name of the Fargate profile. Default: - generated
  - pod_execution_role (Optional[IRole]) – The pod execution role to use for pods that match the selectors in the Fargate profile. The pod execution role allows Fargate infrastructure to register with your cluster as a node, and it provides read access to Amazon ECR image repositories. Default: - a role will be automatically created
  - subnet_selection (Union[SubnetSelection, Dict[str, Any], None]) – Select which subnets to launch your pods into. At this time, pods running on Fargate are not assigned public IP addresses, so only private subnets (with no direct route to an Internet Gateway) are allowed. You must specify the VPC to customize the subnet selection. Default: - all private subnets of the VPC are selected.
  - vpc (Optional[IVpc]) – The VPC from which to select subnets to launch your pods into. By default, all private subnets are selected. You can customize this using subnetSelection. Default: - all private subnets used by the EKS cluster
- See: https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html
- Return type: FargateProfile
- add_helm_chart(id, *, atomic=None, chart=None, chart_asset=None, create_namespace=None, namespace=None, release=None, repository=None, skip_crds=None, timeout=None, values=None, version=None, wait=None)
Defines a Helm chart in this cluster.
- Parameters:
  - id (str) – logical id of this chart.
  - atomic (Optional[bool]) – Whether or not Helm should treat this operation as atomic; if set, the upgrade process rolls back changes made in case of a failed upgrade. The --wait flag will be set automatically if --atomic is used. Default: false
  - chart (Optional[str]) – The name of the chart. Either this or chartAsset must be specified. Default: - No chart name. Implies chartAsset is used.
  - chart_asset (Optional[Asset]) – The chart in the form of an asset. Either this or chart must be specified. Default: - No chart asset. Implies chart is used.
  - create_namespace (Optional[bool]) – Create the namespace if it does not exist. Default: true
  - namespace (Optional[str]) – The Kubernetes namespace scope of the requests. Default: default
  - release (Optional[str]) – The name of the release. Default: - If no release name is given, it will use the last 53 characters of the node's unique id.
  - repository (Optional[str]) – The repository which contains the chart. For example: https://charts.helm.sh/stable/ Default: - No repository will be used, which means that the chart needs to be an absolute URL.
  - skip_crds (Optional[bool]) – If set, no CRDs will be installed. Default: - CRDs are installed if not already present
  - timeout (Optional[Duration]) – Amount of time to wait for any individual Kubernetes operation. Maximum 15 minutes. Default: Duration.minutes(5)
  - values (Optional[Mapping[str, Any]]) – The values to be used by the chart. For nested values use a nested dictionary. For example: values: { installationCRDs: true, webhook: { port: 9443 } } Default: - No values are provided to the chart.
  - version (Optional[str]) – The chart version to install. Default: - If this is not specified, the latest version is installed
  - wait (Optional[bool]) – Whether or not Helm should wait until all Pods, PVCs, Services, and the minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. Default: - Helm will not wait before marking the release as successful
- Return type: HelmChart
- Returns: a HelmChart construct
- add_manifest(id, *manifest)
Defines a Kubernetes resource in this cluster.
The manifest will be applied/deleted using kubectl as needed.
- Parameters:
  - id (str) – logical id of this manifest.
  - manifest (Mapping[str, Any]) – a list of Kubernetes resource specifications.
- Return type: KubernetesManifest
- Returns: a KubernetesManifest object.
- add_nodegroup_capacity(id, *, ami_type=None, capacity_type=None, desired_size=None, disk_size=None, force_update=None, instance_types=None, labels=None, launch_template_spec=None, max_size=None, max_unavailable=None, max_unavailable_percentage=None, min_size=None, nodegroup_name=None, node_role=None, release_version=None, remote_access=None, subnets=None, tags=None, taints=None)
Add managed nodegroup to this Amazon EKS cluster.
This method will create a new managed nodegroup and add into the capacity.
- Parameters:
id (
str
) – The ID of the nodegroup.ami_type (
Optional
[NodegroupAmiType
]) – The AMI type for your node group. If you explicitly specify the launchTemplate with custom AMI, do not specify this property, or the node group deployment will fail. In other cases, you will need to specify correct amiType for the nodegroup. Default: - auto-determined from the instanceTypes property when launchTemplateSpec property is not specifiedcapacity_type (
Optional
[CapacityType
]) – The capacity type of the nodegroup. Default: - ON_DEMANDdesired_size (
Union
[int
,float
,None
]) – The current number of worker nodes that the managed node group should maintain. If not specified, the nodewgroup will initially createminSize
instances. Default: 2disk_size (
Union
[int
,float
,None
]) – The root device disk size (in GiB) for your node group instances. Default: 20force_update (
Optional
[bool
]) – Force the update if the existing node group’s pods are unable to be drained due to a pod disruption budget issue. If an update fails because pods could not be drained, you can force the update after it fails to terminate the old node whether or not any pods are running on the node. Default: trueinstance_types (
Optional
[Sequence
[InstanceType
]]) – The instance types to use for your node group. Default: t3.medium will be used according to the cloudformation document.labels (
Optional
[Mapping
[str
,str
]]) – The Kubernetes labels to be applied to the nodes in the node group when they are created. Default: - Nonelaunch_template_spec (
Union
[LaunchTemplateSpec
,Dict
[str
,Any
],None
]) – Launch template specification used for the nodegroup. Default: - no launch templatemax_size (
Union
[int
,float
,None
]) – The maximum number of worker nodes that the managed node group can scale out to. Managed node groups can support up to 100 nodes by default. Default: - desiredSizemax_unavailable (
Union
[int
,float
,None
]) – The maximum number of nodes unavailable at once during a version update. Nodes will be updated in parallel. The maximum number is 100. This value ormaxUnavailablePercentage
is required to have a value for custom update configurations to be applied. Default: 1max_unavailable_percentage (
Union
[int
,float
,None
]) – The maximum percentage of nodes unavailable during a version update. This percentage of nodes will be updated in parallel, up to 100 nodes at once. This value ormaxUnavailable
is required to have a value for custom update configurations to be applied. Default: undefined - node groups will update instances one at a timemin_size (
Union
[int
,float
,None
]) – The minimum number of worker nodes that the managed node group can scale in to. This number must be greater than or equal to zero. Default: 1nodegroup_name (
Optional
[str
]) – Name of the Nodegroup. Default: - resource IDnode_role (
Optional[IRole]) – The IAM role to associate with your node group. The Amazon EKS worker node kubelet daemon makes calls to AWS APIs on your behalf. Worker nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch worker nodes and register them into a cluster, you must create an IAM role for those worker nodes to use when they are launched. Default: - None. Auto-generated if not specified.
release_version (Optional[str]) – The AMI version of the Amazon EKS-optimized AMI to use with your node group (for example, 1.14.7-YYYYMMDD). Default: - The latest available AMI version for the node group’s current Kubernetes version is used.
remote_access (Union[NodegroupRemoteAccess, Dict[str, Any], None]) – The remote access (SSH) configuration to use with your node group. Disabled by default. Note that if you specify an Amazon EC2 SSH key but do not specify a source security group when you create a managed node group, port 22 on the worker nodes is opened to the internet (0.0.0.0/0); when enabling SSH, always pair the key with a source security group that limits where connections may originate. Default: - disabled
subnets (Union[SubnetSelection, Dict[str, Any], None]) – The subnets to use for the Auto Scaling group that is created for your node group. By specifying the SubnetSelection, the selected subnets will automatically receive the required tag kubernetes.io/cluster/CLUSTER_NAME with a value of shared, where CLUSTER_NAME is replaced with the name of your cluster. Default: - private subnets
tags (Optional[Mapping[str, str]]) – The metadata to apply to the node group to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Node group tags do not propagate to any other resources associated with the node group, such as the Amazon EC2 instances or subnets. Default: - None
taints (Optional[Sequence[Union[TaintSpec, Dict[str, Any]]]]) – The Kubernetes taints to be applied to the nodes in the node group when they are created. Default: - None
- See:
https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html
- Return type:
Nodegroup
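The remote_access caveat above is easy to miss in review because the 0.0.0.0/0 rule is created by EKS, not by your stack. The following is an added example (not CDK or EKS code) that audits the JSON template `cdk synth` writes for AWS::EKS::Nodegroup resources that set an EC2 SSH key without a source security group; the sample template, logical IDs and key name are constructed for illustration.

```python
"""Audit a synthesized CloudFormation template for EKS managed node groups whose
SSH remote access would open port 22 to 0.0.0.0/0.

Added example, not CDK or EKS code. It reads the JSON that `cdk synth` writes
(a constructed sample template is embedded below) and needs no AWS access.
"""
import json

NODEGROUP_TYPE = "AWS::EKS::Nodegroup"


def find_open_ssh_nodegroups(template: dict) -> list[str]:
    """Return logical IDs of AWS::EKS::Nodegroup resources that set an EC2 SSH
    key without any source security group. EKS then creates a security group
    rule allowing TCP/22 from 0.0.0.0/0 on the worker nodes."""
    exposed = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != NODEGROUP_TYPE:
            continue
        remote = resource.get("Properties", {}).get("RemoteAccess") or {}
        if not remote.get("Ec2SshKey"):
            continue  # remote access disabled (the CDK default): nothing to expose
        if not remote.get("SourceSecurityGroups"):
            exposed.append(logical_id)
    return exposed


def audit_template_json(text: str) -> list[str]:
    """Same check over the raw text of cdk.out/<Stack>.template.json."""
    return find_open_ssh_nodegroups(json.loads(text))


# Constructed sample resembling a synthesized stack with three node groups.
SAMPLE_TEMPLATE = {
    "Resources": {
        "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
        "NoSshNodegroup": {
            "Type": NODEGROUP_TYPE,
            "Properties": {"ClusterName": "prod"},
        },
        "BastionOnlyNodegroup": {
            "Type": NODEGROUP_TYPE,
            "Properties": {
                "ClusterName": "prod",
                "RemoteAccess": {
                    "Ec2SshKey": "ops-key",
                    "SourceSecurityGroups": [{"Fn::GetAtt": ["BastionSG", "GroupId"]}],
                },
            },
        },
        "ExposedNodegroup": {
            "Type": NODEGROUP_TYPE,
            "Properties": {"ClusterName": "prod", "RemoteAccess": {"Ec2SshKey": "ops-key"}},
        },
    }
}


if __name__ == "__main__":
    for logical_id in find_open_ssh_nodegroups(SAMPLE_TEMPLATE):
        print(f"{logical_id}: Ec2SshKey set without SourceSecurityGroups; port 22 open to 0.0.0.0/0")
```

On the CDK side the fix is to pass both fields of NodegroupRemoteAccess, i.e. remote_access=eks.NodegroupRemoteAccess(ssh_key_name=..., source_security_groups=[bastion_sg]), or to leave remote_access unset and use SSM Session Manager instead of SSH.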
- add_service_account(id, *, annotations=None, identity_type=None, labels=None, name=None, namespace=None)
Creates a new Kubernetes service account with a corresponding IAM role (IRSA), so that pods running under the service account receive credentials for that role rather than for the node's instance role.
- Parameters:
id (str) –
annotations (Optional[Mapping[str, str]]) – Additional annotations of the service account. Default: - no additional annotations
identity_type (Optional[IdentityType]) – The identity type to use for the service account. Default: IdentityType.IRSA
labels (Optional[Mapping[str, str]]) – Additional labels of the service account. Default: - no additional labels
name (Optional[str]) – The name of the service account. The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ Default: - If no name is given, it will use the id of the resource.
namespace (Optional[str]) – The namespace of the service account. All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns Default: “default”
- Return type:
ServiceAccount
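What makes IRSA safe is the trust policy on the generated role: it must name exactly one service account in the :sub condition and require the sts.amazonaws.com audience. The block below is an added example, not code from the CDK library (add_service_account produces a trust policy of this shape for you); it builds such a policy from the namespace and name rules quoted above and flags the loose variants (missing :sub, wildcard subject, missing :aud). The provider ARN, account ID and service account names are constructed placeholders.

```python
"""Construct and review the IAM trust policy behind an IRSA service account.

Added example, not CDK code: add_service_account() generates a trust policy of
this shape for you. The provider ARN, account ID and names below are
constructed placeholders.
"""
import re

# Naming rules the add_service_account parameters refer to.
_RFC1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
_DNS_SUBDOMAIN = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")


def validate_names(name: str, namespace: str) -> None:
    """Reject names Kubernetes would reject; this also keeps the :sub condition
    free of characters that could change its meaning."""
    if len(name) > 253 or not _DNS_SUBDOMAIN.match(name):
        raise ValueError(f"service account name {name!r} is not a valid DNS subdomain")
    if not _RFC1123_LABEL.match(namespace):
        raise ValueError(f"namespace {namespace!r} is not a valid RFC 1123 label")


def irsa_trust_policy(provider_arn: str, name: str, namespace: str) -> dict:
    """Trust policy that lets exactly one service account assume the role.

    Condition keys are prefixed with the issuer, i.e. the part of the OIDC
    provider ARN after "oidc-provider/"."""
    validate_names(name, namespace)
    issuer = provider_arn.split(":oidc-provider/", 1)[1]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{name}",
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def trust_policy_findings(policy: dict) -> list[str]:
    """Flag web-identity statements that admit more than one service account."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        merged = {**cond.get("StringLike", {}), **cond.get("StringEquals", {})}
        subs = {k: v for k, v in merged.items() if k.endswith(":sub")}
        auds = {k: v for k, v in cond.get("StringEquals", {}).items() if k.endswith(":aud")}
        if not subs:
            findings.append("no :sub condition, so every service account in the cluster can assume the role")
        for key, value in subs.items():
            for v in (value if isinstance(value, list) else [value]):
                if "*" in v or "?" in v:
                    findings.append(f"wildcard subject {v!r} on {key}")
        if not auds:
            findings.append("no :aud condition, so tokens minted for another audience are accepted")
    return findings


# Constructed sample values.
PROVIDER_ARN = ("arn:aws:iam::111122223333:oidc-provider/"
                "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE")
ISSUER = PROVIDER_ARN.split(":oidc-provider/", 1)[1]

if __name__ == "__main__":
    import json
    print(json.dumps(irsa_trust_policy(PROVIDER_ARN, "app-sa", "payments"), indent=2))
```

Run trust_policy_findings over the trust policy of every role a stack creates for IRSA (for example from the output of `aws iam get-role`) as a deployment gate; a StringLike subject such as system:serviceaccount:*:* hands the role to every pod in the cluster.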
- apply_removal_policy(policy)
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).
- Parameters:
policy (RemovalPolicy) –
- Return type:
None
- connect_auto_scaling_group_capacity(auto_scaling_group, *, bootstrap_enabled=None, bootstrap_options=None, machine_image_type=None, map_role=None, spot_interrupt_handler=None)
Connect capacity in the form of an existing AutoScalingGroup to the EKS cluster.
The AutoScalingGroup must be running an EKS-optimized AMI containing the /etc/eks/bootstrap.sh script. This method will configure Security Groups, add the right policies to the instance role, apply the right tags, and add the required user data to the instance’s launch configuration.
Spot instances will be labeled lifecycle=Ec2Spot and tainted with PreferNoSchedule. If kubectl is enabled, the spot interrupt handler daemon will be installed on all spot instances to handle EC2 Spot Instance Termination Notices.
Prefer to use addAutoScalingGroupCapacity if possible.
- Parameters:
auto_scaling_group (AutoScalingGroup) – The existing Auto Scaling group to connect to the cluster.
bootstrap_enabled (Optional[bool]) – Configures the EC2 user-data script for instances in this autoscaling group to bootstrap the node (invoke /etc/eks/bootstrap.sh) and associate it with the EKS cluster. If you wish to provide a custom user data script, set this to false and manually invoke autoscalingGroup.addUserData(). Default: true
bootstrap_options (Union[BootstrapOptions, Dict[str, Any], None]) – Allows options for node bootstrapping through EC2 user data. Default: - default options
machine_image_type (Optional[MachineImageType]) – Allow options to specify different machine image type. Default: MachineImageType.AMAZON_LINUX_2
map_role (Optional[bool]) – Will automatically update the aws-auth ConfigMap to map the IAM instance role to RBAC. This cannot be explicitly set to true if the cluster has kubectl disabled. Default: - true if the cluster has kubectl enabled (which is the default).
spot_interrupt_handler (Optional[bool]) – Installs the AWS spot instance interrupt handler on the cluster if it’s not already added. Only relevant if spotPrice is configured on the auto-scaling group. Default: true
- See:
https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html
- Return type:
None
- get_ingress_load_balancer_address(ingress_name, *, namespace=None, timeout=None)
Fetch the load balancer address of an ingress backed by a load balancer.
- Parameters:
ingress_name (str) – The name of the ingress.
namespace (Optional[str]) – The namespace the ingress belongs to. Default: ‘default’
timeout (Optional[Duration]) – Timeout for waiting on the load balancer address. Default: Duration.minutes(5)
- Return type:
str
- get_service_load_balancer_address(service_name, *, namespace=None, timeout=None)
Fetch the load balancer address of a service of type ‘LoadBalancer’.
- Parameters:
service_name (str) – The name of the service.
namespace (Optional[str]) – The namespace the service belongs to. Default: ‘default’
timeout (Optional[Duration]) – Timeout for waiting on the load balancer address. Default: Duration.minutes(5)
- Return type:
str
- grant_access(id, principal, access_policies)
Grants the specified IAM principal access to the EKS cluster based on the provided access policies.
This method creates an AccessEntry construct that grants the specified IAM principal the access permissions defined by the provided IAccessPolicy array. This allows the IAM principal to perform the actions permitted by the access policies within the EKS cluster. Access entries are only evaluated when the cluster's authentication_mode includes the EKS API (API or API_AND_CONFIG_MAP); with the CONFIG_MAP default, only the aws-auth ConfigMap is consulted.
- Parameters:
id (str) – The ID of the AccessEntry construct to be created.
principal (str) – The ARN of the IAM principal (role or user) to be granted access to the EKS cluster.
access_policies (Sequence[IAccessPolicy]) – An array of IAccessPolicy objects that define the access permissions to be granted to the IAM principal.
- Return type:
None
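Because an access entry with AmazonEKSClusterAdminPolicy is equivalent to system:masters, the set of grants a stack makes deserves a review step. The following is an added example, not CDK code: it models each grant as the principal ARN, the AWS-managed access policy ARN and the scope an IAccessPolicy carries, and returns the objections a reviewer would raise. The account ID and principal names are constructed placeholders.

```python
"""Least-privilege review of the access entries a stack will create with
grant_access().

Added example, not CDK code. Each grant is modelled as the principal ARN, the
AWS-managed access policy ARN and the scope that IAccessPolicy carries; the
principals below are constructed placeholders.
"""
from dataclasses import dataclass

POLICY_PREFIX = "arn:aws:eks::aws:cluster-access-policy/"
CLUSTER_ADMIN = POLICY_PREFIX + "AmazonEKSClusterAdminPolicy"
ADMIN = POLICY_PREFIX + "AmazonEKSAdminPolicy"
EDIT = POLICY_PREFIX + "AmazonEKSEditPolicy"
VIEW = POLICY_PREFIX + "AmazonEKSViewPolicy"


@dataclass(frozen=True)
class AccessGrant:
    principal_arn: str
    policy_arn: str
    namespaces: tuple[str, ...] = ()  # empty tuple means cluster-wide scope


def review_grant(grant: AccessGrant) -> list[str]:
    """Objections to a single grant; an empty list means it passes."""
    issues = []
    if grant.policy_arn == CLUSTER_ADMIN:
        issues.append("AmazonEKSClusterAdminPolicy is equivalent to system:masters; "
                      "reserve it for a break-glass role")
    elif grant.policy_arn in (ADMIN, EDIT) and not grant.namespaces:
        issues.append("write-capable policy granted cluster-wide; "
                      "scope it to the namespaces the principal owns")
    elif grant.policy_arn not in (VIEW,) and grant.policy_arn not in (ADMIN, EDIT):
        issues.append(f"unrecognised access policy {grant.policy_arn}")
    if ":user/" in grant.principal_arn:
        issues.append("IAM user principal; prefer a role assumed through SSO "
                      "so that access expires with the session")
    return issues


def review_grants(grants) -> dict[str, list[str]]:
    """Map each principal with objections to the list of objections."""
    report: dict[str, list[str]] = {}
    for grant in grants:
        issues = review_grant(grant)
        if issues:
            report.setdefault(grant.principal_arn, []).extend(issues)
    return report


# Constructed sample grants.
SAMPLE_GRANTS = [
    AccessGrant("arn:aws:iam::111122223333:role/platform-breakglass", CLUSTER_ADMIN),
    AccessGrant("arn:aws:iam::111122223333:role/payments-deployer", EDIT, ("payments",)),
    AccessGrant("arn:aws:iam::111122223333:user/alice", EDIT),
    AccessGrant("arn:aws:iam::111122223333:role/auditor", VIEW),
]

if __name__ == "__main__":
    for principal, issues in review_grants(SAMPLE_GRANTS).items():
        for issue in issues:
            print(f"{principal}: {issue}")
```

In CDK the namespace-scoped entry corresponds to building the policy with eks.AccessPolicy.from_access_policy_name("AmazonEKSEditPolicy", access_scope_type=eks.AccessScopeType.NAMESPACE, namespaces=["payments"]) and passing it in access_policies.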
- to_string()
Returns a string representation of this construct.
- Return type:
str
Attributes
- admin_role
An IAM role with administrative permissions to create or update the cluster.
This role also has system:masters permissions.
- alb_controller
The ALB Controller construct defined for this cluster.
Will be undefined if albController wasn’t configured.
- authentication_mode
The authentication mode for the Amazon EKS cluster.
The authentication mode determines how users and applications authenticate to the Kubernetes API server.
- Default:
CONFIG_MAP.
- aws_auth
Lazily creates the AwsAuth resource, which manages AWS authentication mapping.
- awscli_layer
An AWS Lambda layer that contains the aws CLI.
If not defined, a default layer will be used containing the AWS CLI 1.x.
- cluster_arn
The AWS generated ARN for the Cluster resource.
For example, arn:aws:eks:us-west-2:666666666666:cluster/prod
- cluster_certificate_authority_data
The certificate-authority-data for your cluster.
- cluster_encryption_config_key_arn
Amazon Resource Name (ARN) or alias of the customer master key (CMK).
- cluster_endpoint
The endpoint URL for the Cluster.
This is the URL inside the kubeconfig file to use with kubectl.
For example, https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com
- cluster_handler_security_group
A security group to associate with the Cluster Handler’s Lambdas.
The Cluster Handler’s Lambdas are responsible for calling AWS’s EKS API.
Requires placeClusterHandlerInVpc to be set to true.
- Default:
No security group.
- cluster_name
The Name of the created EKS Cluster.
- cluster_open_id_connect_issuer
If this cluster is kubectl-enabled, returns the OpenID Connect issuer.
The value can only be retrieved through the EKS API and is not exposed by CloudFormation. If this cluster is not kubectl-enabled (i.e. uses the stock CfnCluster), this is undefined.
- cluster_open_id_connect_issuer_url
If this cluster is kubectl-enabled, returns the OpenID Connect issuer url.
The value can only be retrieved through the EKS API and is not exposed by CloudFormation. If this cluster is not kubectl-enabled (i.e. uses the stock CfnCluster), this is undefined.
- cluster_security_group
The cluster security group that was created by Amazon EKS for the cluster.
- cluster_security_group_id
The id of the cluster security group that was created by Amazon EKS for the cluster.
- connections
Manages connection rules (Security Group Rules) for the cluster.
- Type:
ec2.Connections
- default_capacity
The auto scaling group that hosts the default capacity for this cluster.
This will be undefined if the defaultCapacityType is not EC2, or if defaultCapacityType is EC2 but default capacity is set to 0.
- default_nodegroup
The node group that hosts the default capacity for this cluster.
This will be undefined if the defaultCapacityType is EC2, or if defaultCapacityType is NODEGROUP but default capacity is set to 0.
- eks_pod_identity_agent
Retrieves the EKS Pod Identity Agent addon for the EKS cluster.
The EKS Pod Identity Agent is responsible for managing the temporary credentials used by pods in the cluster to access AWS resources. It runs as a DaemonSet on each node and provides the necessary credentials to the pods based on their associated service account.
- env
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
- ip_family
Specify which IP family is used to assign Kubernetes pod and service IP addresses.
- kubectl_environment
Custom environment variables when running kubectl against this cluster.
- kubectl_lambda_role
An IAM role that can perform kubectl operations against this cluster.
The role should be mapped to the system:masters Kubernetes RBAC role. This role is directly passed to the lambda handler that sends kubectl commands to the cluster.
- Default:
if not specified, the default role created by a lambda function will be used.
- kubectl_layer
An AWS Lambda layer that includes kubectl and helm.
If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8.
- kubectl_memory
The amount of memory allocated to the kubectl provider’s lambda function.
- kubectl_private_subnets
Subnets to host the kubectl compute resources.
- Default:
If not specified, the k8s endpoint is expected to be accessible publicly.
- kubectl_role
An IAM role that can perform kubectl operations against this cluster.
The role should be mapped to the system:masters Kubernetes RBAC role.
- kubectl_security_group
A security group to use for kubectl execution.
- Default:
If not specified, the k8s endpoint is expected to be accessible publicly.
- node
The tree node.
- on_event_layer
The AWS Lambda layer that contains the NPM dependency proxy-agent.
If undefined, a SAR app that contains this layer will be used.
- open_id_connect_provider
An OpenIdConnectProvider resource associated with this cluster, which can be used to link this cluster to AWS IAM.
A provider will only be defined if this property is accessed (lazy initialization).
- prune
Determines if Kubernetes resources can be pruned automatically.
- role
IAM role assumed by the EKS Control Plane.
- stack
The stack in which this resource is defined.
- vpc
The VPC in which this Cluster was created.
Static Methods
- classmethod from_cluster_attributes(scope, id, *, cluster_name, awscli_layer=None, cluster_certificate_authority_data=None, cluster_encryption_config_key_arn=None, cluster_endpoint=None, cluster_handler_security_group_id=None, cluster_security_group_id=None, ip_family=None, kubectl_environment=None, kubectl_lambda_role=None, kubectl_layer=None, kubectl_memory=None, kubectl_private_subnet_ids=None, kubectl_provider=None, kubectl_role_arn=None, kubectl_security_group_id=None, on_event_layer=None, open_id_connect_provider=None, prune=None, security_group_ids=None, vpc=None)
Import an existing cluster.
- Parameters:
scope (Construct) – the construct scope, in most cases ‘this’.
id (str) – the id or name to import as.
cluster_name (str) – The physical name of the Cluster.
awscli_layer (Optional[ILayerVersion]) – An AWS Lambda layer that contains the aws CLI. The handler expects the layer to include the following executable: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
cluster_certificate_authority_data (Optional[str]) – The certificate-authority-data for your cluster. Default: - if not specified cluster.clusterCertificateAuthorityData will throw an error
cluster_encryption_config_key_arn (Optional[str]) – Amazon Resource Name (ARN) or alias of the customer master key (CMK). Default: - if not specified cluster.clusterEncryptionConfigKeyArn will throw an error
cluster_endpoint (Optional[str]) – The API Server endpoint URL. Default: - if not specified cluster.clusterEndpoint will throw an error.
cluster_handler_security_group_id (Optional[str]) – A security group id to associate with the Cluster Handler’s Lambdas. The Cluster Handler’s Lambdas are responsible for calling AWS’s EKS API. Default: - No security group.
cluster_security_group_id (Optional[str]) – The cluster security group that was created by Amazon EKS for the cluster. Default: - if not specified cluster.clusterSecurityGroupId will throw an error
ip_family (Optional[IpFamily]) – Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
kubectl_environment (Optional[Mapping[str, str]]) – Environment variables to use when running kubectl against this cluster. Default: - no additional variables
kubectl_lambda_role (Optional[IRole]) – An IAM role that can perform kubectl operations against this cluster. The role should be mapped to the system:masters Kubernetes RBAC role. This role is directly passed to the lambda handler that sends kubectl commands to the cluster. Default: - if not specified, the default role created by a lambda function will be used.
kubectl_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes kubectl and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate release of one of the @aws-cdk/layer-kubectl-vXX packages that works with the version of Kubernetes you have chosen. If you don’t supply this value kubectl 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20 and helm 3.8.
kubectl_memory (Optional[Size]) – Amount of memory to allocate to the provider’s lambda function. Default: Size.gibibytes(1)
kubectl_private_subnet_ids (Optional[Sequence[str]]) – Subnets to host the kubectl compute resources. If not specified, the k8s endpoint is expected to be accessible publicly. Default: - k8s endpoint is expected to be accessible publicly
kubectl_provider (Optional[IKubectlProvider]) – KubectlProvider for issuing kubectl commands. Default: - Default CDK provider
kubectl_role_arn (Optional[str]) – An IAM role with cluster administrator and “system:masters” permissions. Default: - if not specified, it will not be possible to issue kubectl commands against an imported cluster.
kubectl_security_group_id (Optional[str]) – A security group to use for kubectl execution. If not specified, the k8s endpoint is expected to be accessible publicly. Default: - k8s endpoint is expected to be accessible publicly
on_event_layer (Optional[ILayerVersion]) – An AWS Lambda Layer which includes the NPM dependency proxy-agent. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. The handler expects the layer to include the following node_modules: proxy-agent Default: - a layer bundled with this module.
open_id_connect_provider (Optional[IOpenIdConnectProvider]) – An Open ID Connect provider for this cluster that can be used to configure service accounts. You can either import an existing provider using iam.OpenIdConnectProvider.fromProviderArn, or create a new provider using new eks.OpenIdConnectProvider. Default: - if not specified cluster.openIdConnectProvider and cluster.addServiceAccount will throw an error.
prune (Optional[bool]) – Indicates whether Kubernetes resources added through addManifest() can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected into each resource. These labels will then be used when issuing the kubectl apply operation with the --prune switch. Default: true
security_group_ids (Optional[Sequence[str]]) – Additional security groups associated with this cluster. Default: - if not specified, no additional security groups will be considered in cluster.connections.
vpc (Optional[IVpc]) – The VPC in which this Cluster was created. Default: - if not specified cluster.vpc will throw an error
- Return type:
ICluster
- classmethod is_construct(x)
Checks if x is a construct.
Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and to use this type-testing method instead.
- Parameters:
x (Any) – Any object.
- Return type:
bool
- Returns:
true if x is an object created from a class which extends Construct.
- classmethod is_owned_resource(construct)
Returns true if the construct was created by CDK, and false otherwise.
- Parameters:
construct (IConstruct) –
- Return type:
bool
- classmethod is_resource(construct)
Check whether the given construct is a Resource.
- Parameters:
construct (IConstruct) –
- Return type:
bool