AWS::EKS::Cluster - AWS CloudFormation

AWS::EKS::Cluster

Creates an Amazon EKS control plane.

The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by AWS, and the Kubernetes API is exposed by the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single tenant and unique. It runs on its own set of Amazon EC2 instances.

The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support kubectl exec, logs, and proxy data flows).

Amazon EKS nodes run in your AWS account and connect to your cluster's control plane over the Kubernetes API server endpoint and a certificate file that is created for your cluster.

You can use the endpointPublicAccess and endpointPrivateAccess parameters to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .

You can use the logging parameter to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the Amazon EKS User Guide .

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.

In most cases, it takes several minutes to create a cluster. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch nodes into your cluster. For more information, see Allowing users to access your cluster and Launching Amazon EKS nodes in the Amazon EKS User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

AccessConfig

The access configuration for the cluster.

Required: No

Type: AccessConfig

Update requires: No interruption

BootstrapSelfManagedAddons

If you set this value to False when creating a cluster, the default networking add-ons will not be installed.

The default networking addons include vpc-cni, coredns, and kube-proxy.

Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.

Required: No

Type: Boolean

Update requires: Replacement

EncryptionConfig

The encryption configuration for the cluster.

Required: No

Type: Array of EncryptionConfig

Maximum: 1

Update requires: Replacement

KubernetesNetworkConfig

The Kubernetes network configuration for the cluster.

Required: No

Type: KubernetesNetworkConfig

Update requires: Replacement

Logging

The logging configuration for your cluster.

Required: No

Type: Logging

Update requires: No interruption

Name

The unique name to give to your cluster.

Required: No

Type: String

Pattern: ^[0-9A-Za-z][A-Za-z0-9\-_]*

Minimum: 1

Maximum: 100

Update requires: Replacement

OutpostConfig

An object representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This object isn't available for clusters on the AWS cloud.

Required: No

Type: OutpostConfig

Update requires: Replacement

ResourcesVpcConfig

The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.

Required: Yes

Type: ResourcesVpcConfig

Update requires: No interruption

RoleArn

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see Amazon EKS Service IAM Role in the Amazon EKS User Guide .

Required: Yes

Type: String

Update requires: Replacement

Tags

The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags don't propagate to any other resources associated with the cluster.

Note

You must have the eks:TagResource and eks:UntagResource permissions for your IAM principal to manage the AWS CloudFormation stack. If you don't have these permissions, there might be unexpected behavior with stack-level tags propagating to the resource during resource creation and update.

Required: No

Type: Array of Tag

Update requires: No interruption

UpgradePolicy

This value indicates if extended support is enabled or disabled for the cluster.

Learn more about EKS Extended Support in the EKS User Guide.

Required: No

Type: UpgradePolicy

Update requires: No interruption

Version

The desired Kubernetes version for your cluster. If you don't specify a value here, the default version available in Amazon EKS is used.

Note

The default version might not be the latest version available.

Required: No

Type: String

Pattern: 1\.\d\d

Update requires: No interruption

ZonalShiftConfig

Property description not available.

Required: No

Type: ZonalShiftConfig

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name. For example:

{ "Ref": "myCluster" }

For the Amazon EKS cluster myCluster, Ref returns the name of the cluster.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The ARN of the cluster, such as arn:aws:eks:us-west-2:666666666666:cluster/prod.

CertificateAuthorityData

The certificate-authority-data for your cluster.

ClusterSecurityGroupId

The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control plane to data plane communication.

This parameter is only returned by Amazon EKS clusters that support managed node groups. For more information, see Managed node groups in the Amazon EKS User Guide.

EncryptionConfigKeyArn

Amazon Resource Name (ARN) or alias of the customer master key (CMK).

Endpoint

The endpoint for your Kubernetes API server, such as https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com.

Id

The ID of your local Amazon EKS cluster on an AWS Outpost. This property isn't available for an Amazon EKS cluster on the AWS cloud.

KubernetesNetworkConfig.ServiceIpv6Cidr

The CIDR block that Kubernetes Service IP addresses are assigned from if you created a 1.21 or later cluster with version >1.10.1 or later of the Amazon VPC CNI add-on and specified ipv6 for ipFamily when you created the cluster. Kubernetes assigns Service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster.

OpenIdConnectIssuerUrl

The issuer URL for the OIDC identity provider of the cluster, such as https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E. If you need to remove https:// from this output value, you can include the following code in your template.

!Select [1, !Split ["//", !GetAtt EKSCluster.OpenIdConnectIssuerUrl]]

Examples

Create a cluster

The following example creates an Amazon EKS cluster named Prod.

JSON

{ "EKSCluster": { "Type": "AWS::EKS::Cluster", "Properties": { "Name": "Prod", "Version": "1.20", "RoleArn": "arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI", "ResourcesVpcConfig": { "SecurityGroupIds": [ "sg-6979fe18" ], "SubnetIds": [ "subnet-6782e71e", "subnet-e7e761ac" ], "EndpointPublicAccess": false, "EndpointPrivateAccess": true, "PublicAccessCidrs": [ "1.1.1.2/32" ] }, "Logging": { "ClusterLogging": { "EnabledTypes": [ { "Type": "api" }, { "Type": "audit" } ] } }, "Tags": [ { "Key": "key", "Value": "val" } ] } } }

YAML

EKSCluster: Type: AWS::EKS::Cluster Properties: Name: Prod Version: "1.20" RoleArn: "arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI" ResourcesVpcConfig: SecurityGroupIds: - sg-6979fe18 SubnetIds: - subnet-6782e71e - subnet-e7e761ac EndpointPublicAccess: false EndpointPrivateAccess: true PublicAccessCidrs: [ "1.1.1.2/32" ] Logging: ClusterLogging: EnabledTypes: - Type: api - Type: audit Tags: - Key: "key" Value: "val"

See also