Table Of Contents

Feedback

User Guide

First time using the AWS CLI? See the User Guide for help getting started.

Note: You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . eks ]

create-cluster

Description

Creates an Amazon EKS control plane.

The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by AWS, and the Kubernetes API is exposed via the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single-tenant and unique and runs on its own set of Amazon EC2 instances.

The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the worker nodes (for example, to support kubectl exec , logs , and proxy data flows).

Amazon EKS worker nodes run in your AWS account and connect to your cluster's control plane via the Kubernetes API server endpoint and a certificate file that is created for your cluster.

You can use the endpointPublicAccess and endpointPrivateAccess parameters to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS Cluster Endpoint Access Control in the * Amazon EKS User Guide * .

You can use the logging parameter to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the * Amazon EKS User Guide * .

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see Amazon CloudWatch Pricing .

Cluster creation typically takes between 10 and 15 minutes. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch worker nodes into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon EKS Worker Nodes in the Amazon EKS User Guide .

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

Synopsis

  create-cluster
--name <value>
--role-arn <value>
--resources-vpc-config <value>
[--kubernetes-network-config <value>]
[--logging <value>]
[--client-request-token <value>]
[--tags <value>]
[--encryption-config <value>]
[--kubernetes-version <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--name (string)

The unique name to give to your cluster.

--role-arn (string)

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see Amazon EKS Service IAM Role in the * Amazon EKS User Guide * .

--resources-vpc-config (structure)

The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.

subnetIds -> (list)

Specify subnets for your Amazon EKS worker nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.

(string)

securityGroupIds -> (list)

Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use to allow communication between your worker nodes and the Kubernetes control plane. If you don't specify a security group, the default security group for your VPC is used.

(string)

endpointPublicAccess -> (boolean)

Set this value to false to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is true , which enables public access for your Kubernetes API server. For more information, see Amazon EKS Cluster Endpoint Access Control in the * Amazon EKS User Guide * .

endpointPrivateAccess -> (boolean)

Set this value to true to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is false , which disables private access for your Kubernetes API server. If you disable private access and you have worker nodes or AWS Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the worker nodes or Fargate pods. For more information, see Amazon EKS Cluster Endpoint Access Control in the * Amazon EKS User Guide * .

publicAccessCidrs -> (list)

The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access and you have worker nodes or AWS Fargate pods in the cluster, then ensure that you specify the necessary CIDR blocks. For more information, see Amazon EKS Cluster Endpoint Access Control in the * Amazon EKS User Guide * .

(string)

Shorthand Syntax:

subnetIds=string,string,securityGroupIds=string,string,endpointPublicAccess=boolean,endpointPrivateAccess=boolean,publicAccessCidrs=string,string

JSON Syntax:

{
  "subnetIds": ["string", ...],
  "securityGroupIds": ["string", ...],
  "endpointPublicAccess": true|false,
  "endpointPrivateAccess": true|false,
  "publicAccessCidrs": ["string", ...]
}

--kubernetes-network-config (structure)

The Kubernetes network configuration for the cluster.

serviceIpv4Cidr -> (string)

The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
  • Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
  • Between /24 and /12.

Warning

You can only specify a custom CIDR block when you create a cluster and can't change this value once the cluster is created.

Shorthand Syntax:

serviceIpv4Cidr=string

JSON Syntax:

{
  "serviceIpv4Cidr": "string"
}

--logging (structure)

Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the * Amazon EKS User Guide * .

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see Amazon CloudWatch Pricing .

clusterLogging -> (list)

The cluster control plane logging configuration for your cluster.

(structure)

An object representing the enabled or disabled Kubernetes control plane logs for your cluster.

types -> (list)

The available cluster control plane log types.

(string)

enabled -> (boolean)

If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.

JSON Syntax:

{
  "clusterLogging": [
    {
      "types": ["api"|"audit"|"authenticator"|"controllerManager"|"scheduler", ...],
      "enabled": true|false
    }
    ...
  ]
}

--client-request-token (string)

Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

--tags (map)

The metadata to apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define.

key -> (string)

value -> (string)

Shorthand Syntax:

KeyName1=string,KeyName2=string

JSON Syntax:

{"string": "string"
  ...}

--encryption-config (list)

The encryption configuration for the cluster.

(structure)

The encryption configuration for the cluster.

resources -> (list)

Specifies the resources to be encrypted. The only supported value is "secrets".

(string)

provider -> (structure)

AWS Key Management Service (AWS KMS) customer master key (CMK). Either the ARN or the alias can be used.

keyArn -> (string)

Amazon Resource Name (ARN) or alias of the customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide .

Shorthand Syntax:

resources=string,string,provider={keyArn=string} ...

JSON Syntax:

[
  {
    "resources": ["string", ...],
    "provider": {
      "keyArn": "string"
    }
  }
  ...
]

--kubernetes-version (string)

The desired Kubernetes version for your cluster. If you don't specify a value here, the latest version available in Amazon EKS is used.

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.

Examples

To create a new cluster

This example command creates a cluster named prod in your default region.

Command:

aws eks create-cluster --name prod \
--role-arn arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI \
--resources-vpc-config subnetIds=subnet-6782e71e,subnet-e7e761ac,securityGroupIds=sg-6979fe18

Output:

{
    "cluster": {
        "name": "prod",
        "arn": "arn:aws:eks:us-west-2:012345678910:cluster/prod",
        "createdAt": 1527808069.147,
        "version": "1.10",
        "roleArn": "arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI",
        "resourcesVpcConfig": {
            "subnetIds": [
                "subnet-6782e71e",
                "subnet-e7e761ac"
            ],
            "securityGroupIds": [
                "sg-6979fe18"
            ],
            "vpcId": "vpc-950809ec"
        },
        "status": "CREATING",
        "certificateAuthority": {}
    }
}

To create a new cluster with private endpoint access and logging enabled

This example command creates a cluster named example in your default region with public endpoint access disabled, private endpoint access enabled, and all logging types enabled.

Command:

aws eks create-cluster --name example --kubernetes-version 1.12 \
--role-arn arn:aws:iam::012345678910:role/example-cluster-ServiceRole-1XWBQWYSFRE2Q \
--resources-vpc-config subnetIds=subnet-0a188dccd2f9a632f,subnet-09290d93da4278664,subnet-0f21dd86e0e91134a,subnet-0173dead68481a583,subnet-051f70a57ed6fcab6,subnet-01322339c5c7de9b4,securityGroupIds=sg-0c5b580845a031c10,endpointPublicAccess=false,endpointPrivateAccess=true \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

Output:

{
    "cluster": {
        "name": "example",
        "arn": "arn:aws:eks:us-west-2:012345678910:cluster/example",
        "createdAt": 1565804921.901,
        "version": "1.12",
        "roleArn": "arn:aws:iam::012345678910:role/example-cluster-ServiceRole-1XWBQWYSFRE2Q",
        "resourcesVpcConfig": {
            "subnetIds": [
                "subnet-0a188dccd2f9a632f",
                "subnet-09290d93da4278664",
                "subnet-0f21dd86e0e91134a",
                "subnet-0173dead68481a583",
                "subnet-051f70a57ed6fcab6",
                "subnet-01322339c5c7de9b4"
            ],
            "securityGroupIds": [
                "sg-0c5b580845a031c10"
            ],
            "vpcId": "vpc-0f622c01f68d4afec",
            "endpointPublicAccess": false,
            "endpointPrivateAccess": true
        },
        "logging": {
            "clusterLogging": [
                {
                    "types": [
                        "api",
                        "audit",
                        "authenticator",
                        "controllerManager",
                        "scheduler"
                    ],
                    "enabled": true
                }
            ]
        },
        "status": "CREATING",
        "certificateAuthority": {},
        "platformVersion": "eks.3"
    }
}

Output

cluster -> (structure)

The full description of your new cluster.

name -> (string)

The name of the cluster.

arn -> (string)

The Amazon Resource Name (ARN) of the cluster.

createdAt -> (timestamp)

The Unix epoch timestamp in seconds for when the cluster was created.

version -> (string)

The Kubernetes server version for the cluster.

endpoint -> (string)

The endpoint for your Kubernetes API server.

roleArn -> (string)

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf.

resourcesVpcConfig -> (structure)

The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide .

subnetIds -> (list)

The subnets associated with your cluster.

(string)

securityGroupIds -> (list)

The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your worker nodes and the Kubernetes control plane.

(string)

clusterSecurityGroupId -> (string)

The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.

vpcId -> (string)

The VPC associated with your cluster.

endpointPublicAccess -> (boolean)

This parameter indicates whether the Amazon EKS public API server endpoint is enabled. If the Amazon EKS public API server endpoint is disabled, your cluster's Kubernetes API server can only receive requests that originate from within the cluster VPC.

endpointPrivateAccess -> (boolean)

This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have worker nodes or AWS Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the worker nodes or Fargate pods. For more information, see Amazon EKS Cluster Endpoint Access Control in the * Amazon EKS User Guide * .

publicAccessCidrs -> (list)

The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the listed CIDR blocks is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access and you have worker nodes or AWS Fargate pods in the cluster, then ensure that the necessary CIDR blocks are listed. For more information, see Amazon EKS Cluster Endpoint Access Control in the * Amazon EKS User Guide * .

(string)

kubernetesNetworkConfig -> (structure)

Network configuration settings for your cluster.

serviceIpv4Cidr -> (string)

The CIDR block that Kubernetes service IP addresses are assigned from. If you didn't specify a CIDR block, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it cannot be changed.

logging -> (structure)

The logging configuration for your cluster.

clusterLogging -> (list)

The cluster control plane logging configuration for your cluster.

(structure)

An object representing the enabled or disabled Kubernetes control plane logs for your cluster.

types -> (list)

The available cluster control plane log types.

(string)

enabled -> (boolean)

If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.

identity -> (structure)

The identity provider information for the cluster.

oidc -> (structure)

The OpenID Connect identity provider information for the cluster.

issuer -> (string)

The issuer URL for the OpenID Connect identity provider.

status -> (string)

The current status of the cluster.

certificateAuthority -> (structure)

The certificate-authority-data for your cluster.

data -> (string)

The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.

clientRequestToken -> (string)

Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

platformVersion -> (string)

The platform version of your Amazon EKS cluster. For more information, see Platform Versions in the * Amazon EKS User Guide * .

tags -> (map)

The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags do not propagate to any other resources associated with the cluster.

key -> (string)

value -> (string)

encryptionConfig -> (list)

The encryption configuration for the cluster.

(structure)

The encryption configuration for the cluster.

resources -> (list)

Specifies the resources to be encrypted. The only supported value is "secrets".

(string)

provider -> (structure)

AWS Key Management Service (AWS KMS) customer master key (CMK). Either the ARN or the alias can be used.

keyArn -> (string)

Amazon Resource Name (ARN) or alias of the customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide .