[ aws . eks ]

create-cluster

Description

Creates an Amazon EKS control plane.

The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by Amazon Web Services, and the Kubernetes API is exposed by the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single tenant and unique. It runs on its own set of Amazon EC2 instances.

The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support kubectl exec , logs , and proxy data flows).

Amazon EKS nodes run in your Amazon Web Services account and connect to your cluster’s control plane over the Kubernetes API server endpoint and a certificate file that is created for your cluster.

You can use the endpointPublicAccess and endpointPrivateAccess parameters to enable or disable public and private access to your cluster’s Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS Cluster Endpoint Access Control in the * Amazon EKS User Guide * .

You can use the logging parameter to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren’t exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the * Amazon EKS User Guide * .

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing .

In most cases, it takes several minutes to create a cluster. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch nodes into your cluster. For more information, see Allowing users to access your cluster and Launching Amazon EKS nodes in the Amazon EKS User Guide .

See also: AWS API Documentation

Synopsis

  create-cluster
--name <value>
--role-arn <value>
--resources-vpc-config <value>
[--kubernetes-network-config <value>]
[--logging <value>]
[--client-request-token <value>]
[--tags <value>]
[--encryption-config <value>]
[--outpost-config <value>]
[--access-config <value>]
[--bootstrap-self-managed-addons | --no-bootstrap-self-managed-addons]
[--upgrade-policy <value>]
[--zonal-shift-config <value>]
[--kubernetes-version <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Options

--name (string)

The unique name to give to your cluster. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character and can’t be longer than 100 characters. The name must be unique within the Amazon Web Services Region and Amazon Web Services account that you’re creating the cluster in.

--role-arn (string)

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf. For more information, see Amazon EKS Service IAM Role in the * Amazon EKS User Guide * .

--resources-vpc-config (structure)

The VPC configuration that’s used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide . You must specify at least two subnets. You can specify up to five security groups. However, we recommend that you use a dedicated security group for your cluster control plane.

subnetIds -> (list)

Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.

(string)

securityGroupIds -> (list)

Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don’t specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see Amazon EKS security group considerations in the * Amazon EKS User Guide * .

(string)

endpointPublicAccess -> (boolean)

Set this value to false to disable public access to your cluster’s Kubernetes API server endpoint. If you disable public access, your cluster’s Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is true , which enables public access for your Kubernetes API server. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .

endpointPrivateAccess -> (boolean)

Set this value to true to enable private access for your cluster’s Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster’s VPC use the private VPC endpoint. The default value for this parameter is false , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .

publicAccessCidrs -> (list)

The CIDR blocks that are allowed access to your cluster’s public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0 . If you’ve disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and Fargate Pod in the cluster. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .

(string)

Shorthand Syntax:

subnetIds=string,string,securityGroupIds=string,string,endpointPublicAccess=boolean,endpointPrivateAccess=boolean,publicAccessCidrs=string,string

JSON Syntax:

{
  "subnetIds": ["string", ...],
  "securityGroupIds": ["string", ...],
  "endpointPublicAccess": true|false,
  "endpointPrivateAccess": true|false,
  "publicAccessCidrs": ["string", ...]
}

--kubernetes-network-config (structure)

The Kubernetes network configuration for the cluster.

serviceIpv4Cidr -> (string)

Don’t specify a value if you select ipv6 for ipFamily . The CIDR block to assign Kubernetes service IP addresses from. If you don’t specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. The block must meet the following requirements:

  • Within one of the following private IP address blocks: 10.0.0.0/8 , 172.16.0.0/12 , or 192.168.0.0/16 .
  • Doesn’t overlap with any CIDR block assigned to the VPC that you selected for VPC.
  • Between /24 and /12 .

Warning

You can only specify a custom CIDR block when you create a cluster. You can’t change this value after the cluster is created.

ipFamily -> (string)

Specify which IP family is used to assign Kubernetes pod and service IP addresses. If you don’t specify a value, ipv4 is used by default. You can only specify an IP family when you create a cluster and can’t change this value once the cluster is created. If you specify ipv6 , the VPC and subnets that you specify for cluster creation must have both IPv4 and IPv6 CIDR blocks assigned to them. You can’t specify ipv6 for clusters in China Regions.

You can only specify ipv6 for 1.21 and later clusters that use version 1.10.1 or later of the Amazon VPC CNI add-on. If you specify ipv6 , then ensure that your VPC meets the requirements listed in the considerations listed in Assigning IPv6 addresses to pods and services in the Amazon EKS User Guide. Kubernetes assigns services IPv6 addresses from the unique local address range (fc00::/7) . You can’t specify a custom IPv6 CIDR block. Pod addresses are assigned from the subnet’s IPv6 CIDR.

Shorthand Syntax:

serviceIpv4Cidr=string,ipFamily=string

JSON Syntax:

{
  "serviceIpv4Cidr": "string",
  "ipFamily": "ipv4"|"ipv6"
}

--logging (structure)

Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren’t exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the * Amazon EKS User Guide * .

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing .

clusterLogging -> (list)

The cluster control plane logging configuration for your cluster.

(structure)

An object representing the enabled or disabled Kubernetes control plane logs for your cluster.

types -> (list)

The available cluster control plane log types.

(string)

enabled -> (boolean)

If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn’t enabled, that log type doesn’t export its control plane logs. Each individual log type can be enabled or disabled independently.

JSON Syntax:

{
  "clusterLogging": [
    {
      "types": ["api"|"audit"|"authenticator"|"controllerManager"|"scheduler", ...],
      "enabled": true|false
    }
    ...
  ]
}

--client-request-token (string)

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

--tags (map)

Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don’t propagate to any other cluster or Amazon Web Services resources.

key -> (string)

One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

value -> (string)

The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

Shorthand Syntax:

KeyName1=string,KeyName2=string

JSON Syntax:

{"string": "string"
  ...}

--encryption-config (list)

The encryption configuration for the cluster.

(structure)

The encryption configuration for the cluster.

resources -> (list)

Specifies the resources to be encrypted. The only supported value is secrets .

(string)

provider -> (structure)

Key Management Service (KMS) key. Either the ARN or the alias can be used.

keyArn -> (string)

Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .

Shorthand Syntax:

resources=string,string,provider={keyArn=string} ...

JSON Syntax:

[
  {
    "resources": ["string", ...],
    "provider": {
      "keyArn": "string"
    }
  }
  ...
]

--outpost-config (structure)

An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. Before creating a local cluster on an Outpost, review Local clusters for Amazon EKS on Amazon Web Services Outposts in the Amazon EKS User Guide . This object isn’t available for creating Amazon EKS clusters on the Amazon Web Services cloud.

outpostArns -> (list)

The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. Only a single Outpost ARN is supported.

(string)

controlPlaneInstanceType -> (string)

The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. Choose an instance type based on the number of nodes that your cluster will have. For more information, see Capacity considerations in the Amazon EKS User Guide .

The instance type that you specify is used for all Kubernetes control plane instances. The instance type can’t be changed after cluster creation. The control plane is not automatically scaled by Amazon EKS.

controlPlanePlacement -> (structure)

An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide .

groupName -> (string)

The name of the placement group for the Kubernetes control plane instances. This setting can’t be changed after cluster creation.

Shorthand Syntax:

outpostArns=string,string,controlPlaneInstanceType=string,controlPlanePlacement={groupName=string}

JSON Syntax:

{
  "outpostArns": ["string", ...],
  "controlPlaneInstanceType": "string",
  "controlPlanePlacement": {
    "groupName": "string"
  }
}

--access-config (structure)

The access configuration for the cluster.

bootstrapClusterCreatorAdminPermissions -> (boolean)

Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time. The default value is true .

authenticationMode -> (string)

The desired authentication mode for the cluster. If you create a cluster by using the EKS API, Amazon Web Services SDKs, or CloudFormation, the default is CONFIG_MAP . If you create the cluster by using the Amazon Web Services Management Console, the default value is API_AND_CONFIG_MAP .

Shorthand Syntax:

bootstrapClusterCreatorAdminPermissions=boolean,authenticationMode=string

JSON Syntax:

{
  "bootstrapClusterCreatorAdminPermissions": true|false,
  "authenticationMode": "API"|"API_AND_CONFIG_MAP"|"CONFIG_MAP"
}

--bootstrap-self-managed-addons | --no-bootstrap-self-managed-addons (boolean)

If you set this value to False when creating a cluster, the default networking add-ons will not be installed.

The default networking addons include vpc-cni, coredns, and kube-proxy.

Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.

--upgrade-policy (structure)

New clusters, by default, have extended support enabled. You can disable extended support when creating a cluster by setting this value to STANDARD .

supportType -> (string)

If the cluster is set to EXTENDED , it will enter extended support at the end of standard support. If the cluster is set to STANDARD , it will be automatically upgraded at the end of standard support.

Shorthand Syntax:

supportType=string

JSON Syntax:

{
  "supportType": "STANDARD"|"EXTENDED"
}

--zonal-shift-config (structure)

Enable or disable ARC zonal shift for the cluster. If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.

Zonal shift is a feature of Amazon Application Recovery Controller (ARC). ARC zonal shift is designed to be a temporary measure that allows you to move traffic for a resource away from an impaired AZ until the zonal shift expires or you cancel it. You can extend the zonal shift if necessary.

You can start a zonal shift for an EKS cluster, or you can allow Amazon Web Services to do it for you by enabling zonal autoshift . This shift updates the flow of east-to-west network traffic in your cluster to only consider network endpoints for Pods running on worker nodes in healthy AZs. Additionally, any ALB or NLB handling ingress traffic for applications in your EKS cluster will automatically route traffic to targets in the healthy AZs. For more information about zonal shift in EKS, see Learn about Amazon Application Recovery Controller (ARC) Zonal Shift in Amazon EKS in the * Amazon EKS User Guide * .

enabled -> (boolean)

If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.

Shorthand Syntax:

enabled=boolean

JSON Syntax:

{
  "enabled": true|false
}

--kubernetes-version (string)

The desired Kubernetes version for your cluster. If you don’t specify a value here, the default version available in Amazon EKS is used.

Note

The default version might not be the latest version available.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command’s default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.

--output (string)

The formatting style for command output.

  • json
  • text
  • table
  • yaml
  • yaml-stream

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

--cli-binary-format (string)

The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file:// the file contents will need to properly formatted for the configured cli-binary-format.

  • base64
  • raw-in-base64-out

--no-cli-pager (boolean)

Disable cli pager for output.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

--no-cli-auto-prompt (boolean)

Disable automatically prompt for CLI input parameters.

Examples

Note

To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.

Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .

To create a new cluster

This example command creates a cluster named prod in your default region.

Command:

aws eks create-cluster --name prod \
--role-arn arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI \
--resources-vpc-config subnetIds=subnet-6782e71e,subnet-e7e761ac,securityGroupIds=sg-6979fe18

Output:

{
    "cluster": {
        "name": "prod",
        "arn": "arn:aws:eks:us-west-2:012345678910:cluster/prod",
        "createdAt": 1527808069.147,
        "version": "1.10",
        "roleArn": "arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI",
        "resourcesVpcConfig": {
            "subnetIds": [
                "subnet-6782e71e",
                "subnet-e7e761ac"
            ],
            "securityGroupIds": [
                "sg-6979fe18"
            ],
            "vpcId": "vpc-950809ec"
        },
        "status": "CREATING",
        "certificateAuthority": {}
    }
}

To create a new cluster with private endpoint access and logging enabled

This example command creates a cluster named example in your default region with public endpoint access disabled, private endpoint access enabled, and all logging types enabled.

Command:

aws eks create-cluster --name example --kubernetes-version 1.12 \
--role-arn arn:aws:iam::012345678910:role/example-cluster-ServiceRole-1XWBQWYSFRE2Q \
--resources-vpc-config subnetIds=subnet-0a188dccd2f9a632f,subnet-09290d93da4278664,subnet-0f21dd86e0e91134a,subnet-0173dead68481a583,subnet-051f70a57ed6fcab6,subnet-01322339c5c7de9b4,securityGroupIds=sg-0c5b580845a031c10,endpointPublicAccess=false,endpointPrivateAccess=true \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

Output:

{
    "cluster": {
        "name": "example",
        "arn": "arn:aws:eks:us-west-2:012345678910:cluster/example",
        "createdAt": 1565804921.901,
        "version": "1.12",
        "roleArn": "arn:aws:iam::012345678910:role/example-cluster-ServiceRole-1XWBQWYSFRE2Q",
        "resourcesVpcConfig": {
            "subnetIds": [
                "subnet-0a188dccd2f9a632f",
                "subnet-09290d93da4278664",
                "subnet-0f21dd86e0e91134a",
                "subnet-0173dead68481a583",
                "subnet-051f70a57ed6fcab6",
                "subnet-01322339c5c7de9b4"
            ],
            "securityGroupIds": [
                "sg-0c5b580845a031c10"
            ],
            "vpcId": "vpc-0f622c01f68d4afec",
            "endpointPublicAccess": false,
            "endpointPrivateAccess": true
        },
        "logging": {
            "clusterLogging": [
                {
                    "types": [
                        "api",
                        "audit",
                        "authenticator",
                        "controllerManager",
                        "scheduler"
                    ],
                    "enabled": true
                }
            ]
        },
        "status": "CREATING",
        "certificateAuthority": {},
        "platformVersion": "eks.3"
    }
}

Output

cluster -> (structure)

The full description of your new cluster.

name -> (string)

The name of your cluster.

arn -> (string)

The Amazon Resource Name (ARN) of the cluster.

createdAt -> (timestamp)

The Unix epoch timestamp at object creation.

version -> (string)

The Kubernetes server version for the cluster.

endpoint -> (string)

The endpoint for your Kubernetes API server.

roleArn -> (string)

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf.

resourcesVpcConfig -> (structure)

The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC considerations and Cluster security group considerations in the Amazon EKS User Guide .

subnetIds -> (list)

The subnets associated with your cluster.

(string)

securityGroupIds -> (list)

The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your nodes and the Kubernetes control plane.

(string)

clusterSecurityGroupId -> (string)

The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.

vpcId -> (string)

The VPC associated with your cluster.

endpointPublicAccess -> (boolean)

Whether the public API server endpoint is enabled.

endpointPrivateAccess -> (boolean)

This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster’s VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .

publicAccessCidrs -> (list)

The CIDR blocks that are allowed access to your cluster’s public Kubernetes API server endpoint.

(string)

kubernetesNetworkConfig -> (structure)

The Kubernetes network configuration for the cluster.

serviceIpv4Cidr -> (string)

The CIDR block that Kubernetes Pod and Service object IP addresses are assigned from. Kubernetes assigns addresses from an IPv4 CIDR block assigned to a subnet that the node is in. If you didn’t specify a CIDR block when you created the cluster, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it can’t be changed.

serviceIpv6Cidr -> (string)

The CIDR block that Kubernetes pod and service IP addresses are assigned from if you created a 1.21 or later cluster with version 1.10.1 or later of the Amazon VPC CNI add-on and specified ipv6 for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7 ) because you can’t specify a custom IPv6 CIDR block when you create the cluster.

ipFamily -> (string)

The IP family used to assign Kubernetes Pod and Service objects IP addresses. The IP family is always ipv4 , unless you have a 1.21 or later cluster running version 1.10.1 or later of the Amazon VPC CNI plugin for Kubernetes and specified ipv6 when you created the cluster.

logging -> (structure)

The logging configuration for your cluster.

clusterLogging -> (list)

The cluster control plane logging configuration for your cluster.

(structure)

An object representing the enabled or disabled Kubernetes control plane logs for your cluster.

types -> (list)

The available cluster control plane log types.

(string)

enabled -> (boolean)

If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn’t enabled, that log type doesn’t export its control plane logs. Each individual log type can be enabled or disabled independently.

identity -> (structure)

The identity provider information for the cluster.

oidc -> (structure)

An object representing the OpenID Connect identity provider information.

issuer -> (string)

The issuer URL for the OIDC identity provider.

status -> (string)

The current status of the cluster.

certificateAuthority -> (structure)

The certificate-authority-data for your cluster.

data -> (string)

The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.

clientRequestToken -> (string)

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

platformVersion -> (string)

The platform version of your Amazon EKS cluster. For more information about clusters deployed on the Amazon Web Services Cloud, see Platform versions in the * Amazon EKS User Guide * . For more information about local clusters deployed on an Outpost, see Amazon EKS local cluster platform versions in the * Amazon EKS User Guide * .

tags -> (map)

Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don’t propagate to any other cluster or Amazon Web Services resources.

key -> (string)

One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

value -> (string)

The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

encryptionConfig -> (list)

The encryption configuration for the cluster.

(structure)

The encryption configuration for the cluster.

resources -> (list)

Specifies the resources to be encrypted. The only supported value is secrets .

(string)

provider -> (structure)

Key Management Service (KMS) key. Either the ARN or the alias can be used.

keyArn -> (string)

Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .

connectorConfig -> (structure)

The configuration used to connect to a cluster for registration.

activationId -> (string)

A unique ID associated with the cluster for registration purposes.

activationCode -> (string)

A unique code associated with the cluster for registration purposes.

activationExpiry -> (timestamp)

The expiration time of the connected cluster. The cluster’s YAML file must be applied through the native provider.

provider -> (string)

The cluster’s cloud service provider.

roleArn -> (string)

The Amazon Resource Name (ARN) of the role to communicate with services from the connected Kubernetes cluster.

id -> (string)

The ID of your local Amazon EKS cluster on an Amazon Web Services Outpost. This property isn’t available for an Amazon EKS cluster on the Amazon Web Services cloud.

health -> (structure)

An object representing the health of your Amazon EKS cluster.

issues -> (list)

An object representing the health issues of your Amazon EKS cluster.

(structure)

An issue with your Amazon EKS cluster.

code -> (string)

The error code of the issue.

message -> (string)

A description of the issue.

resourceIds -> (list)

The resource IDs that the issue relates to.

(string)

outpostConfig -> (structure)

An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn’t available for clusters on the Amazon Web Services cloud.

outpostArns -> (list)

The ARN of the Outpost that you specified for use with your local Amazon EKS cluster on Outposts.

(string)

controlPlaneInstanceType -> (string)

The Amazon EC2 instance type used for the control plane. The instance type is the same for all control plane instances.

controlPlanePlacement -> (structure)

An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide .

groupName -> (string)

The name of the placement group for the Kubernetes control plane instances.

accessConfig -> (structure)

The access configuration for the cluster.

bootstrapClusterCreatorAdminPermissions -> (boolean)

Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.

authenticationMode -> (string)

The current authentication mode of the cluster.

upgradePolicy -> (structure)

This value indicates if extended support is enabled or disabled for the cluster.

supportType -> (string)

If the cluster is set to EXTENDED , it will enter extended support at the end of standard support. If the cluster is set to STANDARD , it will be automatically upgraded at the end of standard support.

zonalShiftConfig -> (structure)

The configuration for zonal shift for the cluster.

enabled -> (boolean)

Whether the zonal shift is enabled.