UpdateClusterConfig - Amazon EKS

UpdateClusterConfig

Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate.

You can use this API operation to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the Amazon EKS User Guide.

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.

You can also use this API operation to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide.

You can also use this API operation to choose different subnets and security groups for the cluster. You must specify at least two subnets that are in different Availability Zones. You can't change which VPC the subnets are from; the subnets must be in the same VPC as the subnets that the cluster was created with. For more information about the VPC requirements, see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html in the Amazon EKS User Guide.

You can also use this API operation to enable or disable ARC zonal shift. If zonal shift is enabled, AWS configures zonal autoshift for the cluster.

Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful), the cluster status moves to Active.

Request Syntax

POST /clusters/name/update-config HTTP/1.1
Content-type: application/json

{
   "accessConfig": {
      "authenticationMode": "string"
   },
   "clientRequestToken": "string",
   "logging": {
      "clusterLogging": [
         {
            "enabled": boolean,
            "types": [ "string" ]
         }
      ]
   },
   "resourcesVpcConfig": {
      "endpointPrivateAccess": boolean,
      "endpointPublicAccess": boolean,
      "publicAccessCidrs": [ "string" ],
      "securityGroupIds": [ "string" ],
      "subnetIds": [ "string" ]
   },
   "upgradePolicy": {
      "supportType": "string"
   },
   "zonalShiftConfig": {
      "enabled": boolean
   }
}

URI Request Parameters

The request uses the following URI parameters.

name

The name of the Amazon EKS cluster to update.

Required: Yes

Request Body

The request accepts the following data in JSON format.

accessConfig

The access configuration for the cluster.

Type: UpdateAccessConfigRequest object

Required: No

clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

Type: String

Required: No

logging

Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS cluster control plane logs in the Amazon EKS User Guide.

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.

Type: Logging object

Required: No

resourcesVpcConfig

An object representing the VPC configuration to use for an Amazon EKS cluster.

Type: VpcConfigRequest object

Required: No

upgradePolicy

You can enable or disable extended support for clusters currently on standard support. You cannot disable extended support once it starts. You must enable extended support before your cluster exits standard support.

Type: UpgradePolicyRequest object

Required: No

zonalShiftConfig

Enable or disable ARC zonal shift for the cluster. If zonal shift is enabled, AWS configures zonal autoshift for the cluster.

Zonal shift is a feature of Amazon Application Recovery Controller (ARC). ARC zonal shift is designed to be a temporary measure that allows you to move traffic for a resource away from an impaired AZ until the zonal shift expires or you cancel it. You can extend the zonal shift if necessary.

You can start a zonal shift for an EKS cluster, or you can allow AWS to do it for you by enabling zonal autoshift. This shift updates the flow of east-to-west network traffic in your cluster to only consider network endpoints for Pods running on worker nodes in healthy AZs. Additionally, any ALB or NLB handling ingress traffic for applications in your EKS cluster will automatically route traffic to targets in the healthy AZs. For more information about zonal shift in EKS, see Learn about Amazon Application Recovery Controller (ARC) Zonal Shift in Amazon EKS in the Amazon EKS User Guide.

Type: ZonalShiftConfigRequest object

Required: No

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "update": {
      "createdAt": number,
      "errors": [
         {
            "errorCode": "string",
            "errorMessage": "string",
            "resourceIds": [ "string" ]
         }
      ],
      "id": "string",
      "params": [
         {
            "type": "string",
            "value": "string"
         }
      ],
      "status": "string",
      "type": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

update

An object representing an asynchronous update.

Type: Update object

Errors

For information about the errors that are common to all actions, see Common Errors.

ClientException

These errors are usually caused by a client action. Actions can include using an action or resource on behalf of an IAM principal that doesn't have permissions to use the action or resource or specifying an identifier that is not valid.

HTTP Status Code: 400

InvalidParameterException

The specified parameter is invalid. Review the available parameters for the API request.

HTTP Status Code: 400

InvalidRequestException

The request is invalid given the state of the cluster. Check the state of the cluster and the associated operations.

HTTP Status Code: 400

ResourceInUseException

The specified resource is in use.

HTTP Status Code: 409

ResourceNotFoundException

The specified resource could not be found. You can view your available clusters with ListClusters. You can view your available managed node groups with ListNodegroups. Amazon EKS clusters and node groups are AWS Region specific.

HTTP Status Code: 404

ServerException

These errors are usually caused by a server-side issue.

HTTP Status Code: 500

Examples

In the following example or examples, the Authorization header contents (AUTHPARAMS) must be replaced with an AWS Signature Version 4 signature. For more information about creating these signatures, see Signature Version 4 Signing Process in the Amazon EKS General Reference.

You need to learn how to sign HTTP requests only if you intend to manually create them. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

Example

The following example disables the Amazon EKS public API server endpoint for the my-cluster cluster.

Sample Request

POST /clusters/my-cluster/update-config HTTP/1.1
Host: eks.us-west-2.amazonaws.com
Accept-Encoding: identity
User-Agent: aws-cli/1.16.56 Python/3.7.0 Darwin/17.7.0 botocore/1.12.46
X-Amz-Date: 20190228T215632Z
Authorization: AUTHPARAMS

{
   "resourcesVpcConfig": {
      "endpointPublicAccess": false
   },
   "clientRequestToken": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

Sample Response

HTTP/1.1 200 OK
Date: Thu, 28 Feb 2019 21:56:33 GMT
Content-Type: application/json
Content-Length: 254
x-amzn-RequestId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
x-amz-apigw-id: V1LanEMJPHcFvTg=
X-Amzn-Trace-Id: Root=1-xxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive

{
   "update": {
      "id": "71abb011-b524-4983-b17f-c30baa1b5530",
      "status": "InProgress",
      "type": "EndpointAccessUpdate",
      "params": [
         {
            "type": "EndpointPublicAccess",
            "value": "false"
         },
         {
            "type": "EndpointPrivateAccess",
            "value": "true"
         }
      ],
      "createdAt": 1551390993.374,
      "errors": []
   }
}

Example

The following example enables exporting all cluster control plane logs to CloudWatch Logs.

Sample Request

POST /clusters/my-cluster/update-config HTTP/1.1
Host: eks.us-west-2.amazonaws.com
Accept-Encoding: identity
User-Agent: aws-cli/1.16.120 Python/3.7.0 Darwin/18.2.0 botocore/1.12.110
X-Amz-Date: 20190322T162335Z
Authorization: AUTHPARAMS

{
   "logging": {
      "clusterLogging": [
         {
            "types": [
               "api",
               "audit",
               "authenticator",
               "controllerManager",
               "scheduler"
            ],
            "enabled": true
         }
      ]
   },
   "clientRequestToken": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

Sample Response

HTTP/1.1 200 OK
Date: Fri, 22 Mar 2019 16:23:34 GMT
Content-Type: application/json
Content-Length: 313
x-amzn-RequestId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
x-amz-apigw-id: W87Q5HlCvHcFxDA=
X-Amzn-Trace-Id: Root=1-xxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive

{
   "update": {
      "id": "883405c8-65c6-4758-8cee-2a7c1340a6d9",
      "status": "InProgress",
      "type": "LoggingUpdate",
      "params": [
         {
            "type": "ClusterLogging",
            "value": "{\"clusterLogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllerManager\",\"scheduler\"],\"enabled\":true}]}"
         }
      ],
      "createdAt": 1553271814.684,
      "errors": []
   }
}
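The two sample requests above, sent through an SDK client and tracked to completion with DescribeUpdate, as an added example that is not part of the AWS documentation. It assumes a boto3-style EKS client is passed in; `StubEks`, `HARDENING`, `wait_for_update` and `apply_hardening` are hypothetical names, and the stub and its update IDs are constructed so the block runs offline.

```python
import time
import uuid

ALL_LOG_TYPES = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
# One update type per request, mirroring the two sample requests on this page.
HARDENING = [
    {"resourcesVpcConfig": {"endpointPublicAccess": False, "endpointPrivateAccess": True}},
    {"logging": {"clusterLogging": [{"types": ALL_LOG_TYPES, "enabled": True}]}},
]

def wait_for_update(eks, cluster, update_id, delay=10, attempts=60):
    """Poll DescribeUpdate until the update leaves InProgress, then return it."""
    for _ in range(attempts):
        update = eks.describe_update(name=cluster, updateId=update_id)["update"]
        if update["status"] != "InProgress":
            return update
        time.sleep(delay)
    raise TimeoutError(f"update {update_id} still InProgress")

def apply_hardening(eks, cluster, delay=10):
    """Send each change, wait for it to finish, and stop at the first non-success."""
    results = []
    for body in HARDENING:
        # Fresh idempotency token per change; reuse it only when retrying that same request.
        resp = eks.update_cluster_config(name=cluster, clientRequestToken=str(uuid.uuid4()), **body)
        update = wait_for_update(eks, cluster, resp["update"]["id"], delay)
        results.append((update["type"], update["status"]))
        if update["status"] != "Successful":
            raise RuntimeError(f"{update['type']} ended {update['status']}: {update['errors']}")
    return results

class StubEks:
    """Constructed stand-in for boto3.client("eks"): InProgress on the first poll only."""
    TYPES = {"resourcesVpcConfig": "EndpointAccessUpdate", "logging": "LoggingUpdate"}
    def __init__(self):
        self.calls, self.polls = [], {}
    def update_cluster_config(self, name, clientRequestToken, **body):
        self.calls.append(body)
        return {"update": {"id": f"constructed-{len(self.calls)}", "status": "InProgress"}}
    def describe_update(self, name, updateId):
        self.polls[updateId] = self.polls.get(updateId, 0) + 1
        (key,) = self.calls[int(updateId.split("-")[1]) - 1]
        status = "Successful" if self.polls[updateId] > 1 else "InProgress"
        return {"update": {"id": updateId, "status": status, "type": self.TYPES[key], "errors": []}}

if __name__ == "__main__":
    # Real use: import boto3; eks = boto3.client("eks", region_name="us-west-2")
    print(apply_hardening(StubEks(), "my-cluster", delay=0))
```

With the public endpoint disabled, the Kubernetes API server is reachable only from inside the cluster's VPC or networks connected to it, so confirm that administrative and CI access has such a path before applying the first change.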

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: