@aws-sdk/client-eks
AWS SDK for JavaScript Eks Client for Node.js, Browser and React Native
import type { AccessScopeType, AddonIssueCode, AddonStatus, AMITypes, ArgoCdRole, AuthenticationMode, CapabilityDeletePropagationPolicy, CapabilityIssueCode, CapabilityStatus, CapabilityType, CapacityTypes, Category, ClusterIssueCode, ClusterStatus, ClusterVersionStatus, ConfigStatus, ConnectorConfigProvider, EksAnywhereSubscriptionLicenseType, EksAnywhereSubscriptionStatus, EksAnywhereSubscriptionTermUnit, ErrorCode, FargateProfileIssueCode, FargateProfileStatus, InsightsRefreshStatus, InsightStatusValue, IpFamily, LogType, NodegroupIssueCode, NodegroupStatus, NodegroupUpdateStrategies, ProvisionedControlPlaneTier, RepairAction, ResolveConflicts, SsoIdentityType, SupportType, TaintEffect, UpdateParamType, UpdateStatus, UpdateType, VersionStatus, WarmPoolState } from "./enums";
/**
 * <p>The access configuration for the cluster, as reported by the service.</p>
 * @public
 */
export interface AccessConfigResponse {
    /**
     * <p>Specifies whether or not the cluster creator IAM principal was set as a cluster
     * admin access entry during cluster creation time.</p>
     * <p>When <code>true</code>, the principal that created the cluster holds admin-level
     * access from creation time, so include it when reviewing who can administer the
     * cluster.</p>
     * @public
     */
    bootstrapClusterCreatorAdminPermissions?: boolean | undefined;
    /**
     * <p>The current authentication mode of the cluster.</p>
     * @public
     */
    authenticationMode?: AuthenticationMode | undefined;
}
/**
 * <p>An access entry allows an IAM principal (user or role) to access your cluster.
 * Access entries can replace the need to maintain the <code>aws-auth</code>
 * <code>ConfigMap</code> for authentication. For more information about access entries,
 * see <a href="https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html">Access
 * entries</a> in the <i>Amazon EKS User Guide</i>.</p>
 * @public
 */
export interface AccessEntry {
    /**
     * <p>The name of your cluster.</p>
     * @public
     */
    clusterName?: string | undefined;
    /**
     * <p>The ARN of the IAM principal for the access entry. If you ever delete the IAM
     * principal with this ARN, the access entry isn't automatically deleted. We recommend
     * that you delete the access entry with an ARN for an IAM principal that you delete.
     * If you don't delete the access entry and ever recreate the IAM principal, even if it
     * has the same ARN, the access entry won't work. This is because even though the ARN
     * is the same for the recreated IAM principal, the <code>roleID</code> or
     * <code>userID</code> (you can see this with the Security Token Service
     * <code>GetCallerIdentity</code> API) is different for the recreated IAM principal
     * than it was for the original IAM principal. Even though you don't see the IAM
     * principal's <code>roleID</code> or <code>userID</code> for an access entry, Amazon EKS stores
     * it with the access entry.</p>
     * <p>Because the stored unique ID, not the ARN text, is what matters, a stale entry
     * for a deleted principal is inert rather than reusable by a recreated principal;
     * it should still be removed to keep the access list accurate.</p>
     * @public
     */
    principalArn?: string | undefined;
    /**
     * <p>A <code>name</code> that you've specified in a Kubernetes <code>RoleBinding</code> or
     * <code>ClusterRoleBinding</code> object so that Kubernetes authorizes the
     * <code>principalARN</code> access to cluster objects.</p>
     * <p>The effective permissions come from the bindings that reference these group
     * names on the cluster; this field only records the names.</p>
     * @public
     */
    kubernetesGroups?: string[] | undefined;
    /**
     * <p>The ARN of the access entry.</p>
     * @public
     */
    accessEntryArn?: string | undefined;
    /**
     * <p>The Unix epoch timestamp at object creation.</p>
     * @public
     */
    createdAt?: Date | undefined;
    /**
     * <p>The Unix epoch timestamp for the last modification to the object.</p>
     * @public
     */
    modifiedAt?: Date | undefined;
    /**
     * <p>Metadata that assists with categorization and organization.
     * Each tag consists of a key and an optional value. You define both. Tags don't
     * propagate to any other cluster or Amazon Web Services resources.</p>
     * @public
     */
    tags?: Record<string, string> | undefined;
    /**
     * <p>The <code>name</code> of a user that can authenticate to your cluster.</p>
     * @public
     */
    username?: string | undefined;
    /**
     * <p>The type of the access entry.</p>
     * @public
     */
    type?: string | undefined;
}
/**
 * <p>An access policy includes permissions that allow Amazon EKS to authorize an
 * IAM principal to work with Kubernetes objects on your cluster. The policies are
 * managed by Amazon EKS, but they're not IAM policies. You can't view the permissions in the
 * policies using the API. The permissions for many of the policies are similar to the
 * Kubernetes <code>cluster-admin</code>, <code>admin</code>, <code>edit</code>, and
 * <code>view</code> cluster roles. For more information about these cluster roles, see
 * <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles">User-facing roles</a> in the Kubernetes documentation. To view the contents of the
 * policies, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions">Access
 * policy permissions</a> in the <i>Amazon EKS User Guide</i>.</p>
 * <p>Because the policy contents aren't visible through the API, consult the linked
 * reference when reviewing what a given association grants.</p>
 * @public
 */
export interface AccessPolicy {
    /**
     * <p>The name of the access policy.</p>
     * @public
     */
    name?: string | undefined;
    /**
     * <p>The ARN of the access policy.</p>
     * @public
     */
    arn?: string | undefined;
}
/**
 * <p>The scope of an <code>AccessPolicy</code> that's associated to an
 * <code>AccessEntry</code>. A policy can be scoped to the entire cluster or to
 * specific Kubernetes namespaces.</p>
 * @public
 */
export interface AccessScope {
    /**
     * <p>The scope type of an access policy.</p>
     * @public
     */
    type?: AccessScopeType | undefined;
    /**
     * <p>A Kubernetes <code>namespace</code> that an access policy is scoped to. A value is required
     * if you specified <code>namespace</code> for <code>Type</code>.</p>
     * <p>Listing namespaces here narrows the grant; when the scope type is not
     * <code>namespace</code>, this list does not restrict the policy.</p>
     * @public
     */
    namespaces?: string[] | undefined;
}
/**
 * <p>An issue related to an add-on.</p>
 * @public
 */
export interface AddonIssue {
    /**
     * <p>A code that describes the type of issue.</p>
     * @public
     */
    code?: AddonIssueCode | undefined;
    /**
     * <p>A message that provides details about the issue and what might cause it.</p>
     * <p>This is free-form text from the service; treat it as informational rather than
     * parsing it programmatically.</p>
     * @public
     */
    message?: string | undefined;
    /**
     * <p>The resource IDs of the issue.</p>
     * @public
     */
    resourceIds?: string[] | undefined;
}
/**
 * <p>The health of the add-on.</p>
 * @public
 */
export interface AddonHealth {
    /**
     * <p>An object representing the health issues for an add-on. An absent or empty list
     * indicates that no issues were reported.</p>
     * @public
     */
    issues?: AddonIssue[] | undefined;
}
/**
 * <p>Information about an Amazon EKS add-on from the Amazon Web Services Marketplace.</p>
 * @public
 */
export interface MarketplaceInformation {
    /**
     * <p>The product ID from the Amazon Web Services Marketplace.</p>
     * @public
     */
    productId?: string | undefined;
    /**
     * <p>The product URL from the Amazon Web Services Marketplace.</p>
     * @public
     */
    productUrl?: string | undefined;
}
/**
 * <p>The namespace configuration response object containing information about the
 * namespace where an addon is installed.</p>
 * @public
 */
export interface AddonNamespaceConfigResponse {
    /**
     * <p>The name of the Kubernetes namespace where the addon is installed.</p>
     * @public
     */
    namespace?: string | undefined;
}
/**
 * <p>An Amazon EKS add-on. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html">Amazon EKS add-ons</a> in the
 * <i>Amazon EKS User Guide</i>.</p>
 * @public
 */
export interface Addon {
    /**
     * <p>The name of the add-on.</p>
     * @public
     */
    addonName?: string | undefined;
    /**
     * <p>The name of your cluster.</p>
     * @public
     */
    clusterName?: string | undefined;
    /**
     * <p>The status of the add-on.</p>
     * @public
     */
    status?: AddonStatus | undefined;
    /**
     * <p>The version of the add-on.</p>
     * @public
     */
    addonVersion?: string | undefined;
    /**
     * <p>An object that represents the health of the add-on.</p>
     * @public
     */
    health?: AddonHealth | undefined;
    /**
     * <p>The Amazon Resource Name (ARN) of the add-on.</p>
     * @public
     */
    addonArn?: string | undefined;
    /**
     * <p>The Unix epoch timestamp at object creation.</p>
     * @public
     */
    createdAt?: Date | undefined;
    /**
     * <p>The Unix epoch timestamp for the last modification to the object.</p>
     * @public
     */
    modifiedAt?: Date | undefined;
    /**
     * <p>The Amazon Resource Name (ARN) of the IAM role that's bound to the Kubernetes <code>ServiceAccount</code>
     * object that the add-on uses.</p>
     * <p>This role defines the Amazon Web Services permissions the add-on runs with; it is
     * the value to review when auditing an add-on's cloud access.</p>
     * @public
     */
    serviceAccountRoleArn?: string | undefined;
    /**
     * <p>Metadata that assists with categorization and organization.
     * Each tag consists of a key and an optional value. You define both. Tags don't
     * propagate to any other cluster or Amazon Web Services resources.</p>
     * @public
     */
    tags?: Record<string, string> | undefined;
    /**
     * <p>The publisher of the add-on.</p>
     * @public
     */
    publisher?: string | undefined;
    /**
     * <p>The owner of the add-on.</p>
     * @public
     */
    owner?: string | undefined;
    /**
     * <p>Information about an Amazon EKS add-on from the Amazon Web Services Marketplace.</p>
     * @public
     */
    marketplaceInformation?: MarketplaceInformation | undefined;
    /**
     * <p>The configuration values that you provided. The content is an opaque string
     * whose format is not constrained by this type.</p>
     * @public
     */
    configurationValues?: string | undefined;
    /**
     * <p>An array of EKS Pod Identity associations owned by the add-on. Each association maps a role to a service
     * account in a namespace in the cluster.</p>
     * <p>For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html">Attach an IAM Role to an Amazon EKS add-on
     * using EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
     * @public
     */
    podIdentityAssociations?: string[] | undefined;
    /**
     * <p>The namespace configuration for the addon. This specifies the Kubernetes namespace where the addon is installed.</p>
     * @public
     */
    namespaceConfig?: AddonNamespaceConfigResponse | undefined;
}
/**
 * <p>The summary information about the Amazon EKS add-on compatibility for the next Kubernetes
 * version for an insight check in the <code>UPGRADE_READINESS</code> category.</p>
 * @public
 */
export interface AddonCompatibilityDetail {
    /**
     * <p>The name of the Amazon EKS add-on.</p>
     * @public
     */
    name?: string | undefined;
    /**
     * <p>The list of compatible Amazon EKS add-on versions for the next Kubernetes version.
     * An empty or absent list means no compatible version was reported.</p>
     * @public
     */
    compatibleVersions?: string[] | undefined;
}
/**
 * <p>Compatibility information for one add-on version against a Kubernetes version.</p>
 * @public
 */
export interface Compatibility {
    /**
     * <p>The supported Kubernetes version of the cluster.</p>
     * @public
     */
    clusterVersion?: string | undefined;
    /**
     * <p>The supported platform versions (an array of version strings).</p>
     * @public
     */
    platformVersions?: string[] | undefined;
    /**
     * <p>Indicates whether this is the default version; this is a boolean flag, not a
     * version string.</p>
     * @public
     */
    defaultVersion?: boolean | undefined;
}
/**
 * <p>Information about an add-on version.</p>
 * @public
 */
export interface AddonVersionInfo {
    /**
     * <p>The version of the add-on.</p>
     * @public
     */
    addonVersion?: string | undefined;
    /**
     * <p>The architectures that the version supports.</p>
     * @public
     */
    architecture?: string[] | undefined;
    /**
     * <p>Indicates the compute type of the add-on version.</p>
     * @public
     */
    computeTypes?: string[] | undefined;
    /**
     * <p>An object representing the compatibilities of a version.</p>
     * @public
     */
    compatibilities?: Compatibility[] | undefined;
    /**
     * <p>Whether the add-on requires configuration.</p>
     * @public
     */
    requiresConfiguration?: boolean | undefined;
    /**
     * <p>Indicates if the add-on requires IAM Permissions to operate, such as networking
     * permissions.</p>
     * <p>When <code>true</code>, expect to supply an IAM role for the add-on (see
     * <code>Addon.serviceAccountRoleArn</code> and
     * <code>AddonPodIdentityAssociations</code>).</p>
     * @public
     */
    requiresIamPermissions?: boolean | undefined;
}
/**
 * <p>Information about an add-on.</p>
 * @public
 */
export interface AddonInfo {
    /**
     * <p>The name of the add-on.</p>
     * @public
     */
    addonName?: string | undefined;
    /**
     * <p>The type of the add-on.</p>
     * @public
     */
    type?: string | undefined;
    /**
     * <p>An object representing information about available add-on versions and compatible
     * Kubernetes versions.</p>
     * @public
     */
    addonVersions?: AddonVersionInfo[] | undefined;
    /**
     * <p>The publisher of the add-on.</p>
     * @public
     */
    publisher?: string | undefined;
    /**
     * <p>The owner of the add-on.</p>
     * @public
     */
    owner?: string | undefined;
    /**
     * <p>Information about the add-on from the Amazon Web Services Marketplace.</p>
     * @public
     */
    marketplaceInformation?: MarketplaceInformation | undefined;
    /**
     * <p>The default Kubernetes namespace where this addon is typically installed if no
     * custom namespace is specified.</p>
     * @public
     */
    defaultNamespace?: string | undefined;
}
/**
 * <p>The namespace configuration request object for specifying a custom namespace when
 * creating an addon.</p>
 * @public
 */
export interface AddonNamespaceConfigRequest {
    /**
     * <p>The name of the Kubernetes namespace to install the addon in. Must be a valid
     * RFC 1123 DNS label.</p>
     * <p>Validation of the label format is performed by the service, not by this type.</p>
     * @public
     */
    namespace?: string | undefined;
}
/**
 * <p>A type of EKS Pod Identity association owned by an Amazon EKS add-on.</p>
 * <p>Each association maps a role to a service account in a namespace in
 * the cluster.</p>
 * <p>For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html">Attach an IAM Role to an Amazon EKS add-on
 * using EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
 * <p>Both members are declared without <code>?</code>, so callers must supply them
 * when building this object.</p>
 * @public
 */
export interface AddonPodIdentityAssociations {
    /**
     * <p>The name of a Kubernetes Service Account.</p>
     * @public
     */
    serviceAccount: string | undefined;
    /**
     * <p>The ARN of an IAM Role. Workloads running under the service account above
     * obtain this role's permissions, so scope the role to what the add-on needs.</p>
     * @public
     */
    roleArn: string | undefined;
}
/**
 * <p>Information about how to configure IAM for an add-on.</p>
 * @public
 */
export interface AddonPodIdentityConfiguration {
    /**
     * <p>The Kubernetes Service Account name used by the add-on.</p>
     * @public
     */
    serviceAccount?: string | undefined;
    /**
     * <p>A suggested IAM Policy for the add-on.</p>
     * <p>These are recommendations; review them against your least-privilege
     * requirements before attaching them to a role.</p>
     * @public
     */
    recommendedManagedPolicies?: string[] | undefined;
}
/**
 * <p>Configuration for integrating Argo CD with IAM Identity Center. This allows you to
 * use your organization's identity provider for authentication to Argo CD.</p>
 * @public
 */
export interface ArgoCdAwsIdcConfigRequest {
    /**
     * <p>The Amazon Resource Name (ARN) of the IAM Identity Center instance to use for
     * authentication. Declared without <code>?</code>, so it must be supplied.</p>
     * @public
     */
    idcInstanceArn: string | undefined;
    /**
     * <p>The Region where your IAM Identity Center instance is located.</p>
     * @public
     */
    idcRegion?: string | undefined;
}
/**
 * <p>The response object containing IAM Identity Center configuration details for an
 * Argo CD capability.</p>
 * @public
 */
export interface ArgoCdAwsIdcConfigResponse {
    /**
     * <p>The Amazon Resource Name (ARN) of the IAM Identity Center instance used for
     * authentication.</p>
     * @public
     */
    idcInstanceArn?: string | undefined;
    /**
     * <p>The Region where the IAM Identity Center instance is located.</p>
     * @public
     */
    idcRegion?: string | undefined;
    /**
     * <p>The Amazon Resource Name (ARN) of the managed application created in IAM Identity
     * Center for this Argo CD capability. This application is automatically created and
     * managed by Amazon EKS.</p>
     * @public
     */
    idcManagedApplicationArn?: string | undefined;
}
/**
 * <p>Configuration for network access to the Argo CD capability's managed API server
 * endpoint. When VPC endpoint IDs are specified, public access is blocked and the Argo CD
 * server is only accessible through the specified VPC endpoints.</p>
 * @public
 */
export interface ArgoCdNetworkAccessConfigRequest {
    /**
     * <p>A list of VPC endpoint IDs to associate with the managed Argo CD API server
     * endpoint. Each VPC endpoint provides private connectivity from a specific VPC to
     * the Argo CD server. You can specify multiple VPC endpoint IDs to enable access from
     * multiple VPCs.</p>
     * <p>Leaving this unset keeps the server reachable through its public endpoint;
     * supplying at least one ID is what switches it to private-only access.</p>
     * @public
     */
    vpceIds?: string[] | undefined;
}
/**
 * <p>An IAM Identity Center identity (user or group) that can be assigned permissions in
 * a capability. Both members are required (declared without <code>?</code>).</p>
 * @public
 */
export interface SsoIdentity {
    /**
     * <p>The unique identifier of the IAM Identity Center user or group.</p>
     * @public
     */
    id: string | undefined;
    /**
     * <p>The type of identity. Valid values are <code>SSO_USER</code> or
     * <code>SSO_GROUP</code>.</p>
     * @public
     */
    type: SsoIdentityType | undefined;
}
/**
 * <p>A mapping between an Argo CD role and IAM Identity Center identities. This defines
 * which users or groups have specific permissions in Argo CD.</p>
 * @public
 */
export interface ArgoCdRoleMapping {
    /**
     * <p>The Argo CD role to assign. Valid values are:</p>
     * <ul>
     * <li>
     * <p>
     * <code>ADMIN</code> – Full administrative access to Argo CD.</p>
     * </li>
     * <li>
     * <p>
     * <code>EDITOR</code> – Edit access to Argo CD resources.</p>
     * </li>
     * <li>
     * <p>
     * <code>VIEWER</code> – Read-only access to Argo CD resources.</p>
     * </li>
     * </ul>
     * @public
     */
    role: ArgoCdRole | undefined;
    /**
     * <p>A list of IAM Identity Center identities (users or groups) that should be
     * assigned this Argo CD role.</p>
     * <p>Assigning a role to a group grants it to every member of that group, so
     * group-based <code>ADMIN</code> mappings warrant particular review.</p>
     * @public
     */
    identities: SsoIdentity[] | undefined;
}
/**
 * <p>Configuration settings for an Argo CD capability. This includes the Kubernetes
 * namespace, IAM Identity Center integration, RBAC role mappings, and network access
 * configuration.</p>
 * @public
 */
export interface ArgoCdConfigRequest {
    /**
     * <p>The Kubernetes namespace where Argo CD resources will be created. If not
     * specified, the default namespace is used.</p>
     * @public
     */
    namespace?: string | undefined;
    /**
     * <p>Configuration for IAM Identity Center integration. When configured, users can
     * authenticate to Argo CD using their IAM Identity Center credentials. Declared
     * without <code>?</code>, so it must be supplied.</p>
     * @public
     */
    awsIdc: ArgoCdAwsIdcConfigRequest | undefined;
    /**
     * <p>A list of role mappings that define which IAM Identity Center users or groups
     * have which Argo CD roles. Each mapping associates an Argo CD role
     * (<code>ADMIN</code>, <code>EDITOR</code>, or <code>VIEWER</code>) with one or more
     * IAM Identity Center identities.</p>
     * @public
     */
    rbacRoleMappings?: ArgoCdRoleMapping[] | undefined;
    /**
     * <p>Configuration for network access to the Argo CD capability's managed API server
     * endpoint. By default, the Argo CD server is accessible via a public endpoint. You
     * can optionally specify one or more VPC endpoint IDs to enable private connectivity
     * from your VPCs. When VPC endpoints are configured, public access is blocked and the
     * Argo CD server is only accessible through the specified VPC endpoints.</p>
     * <p>Omitting this field therefore leaves the public endpoint enabled.</p>
     * @public
     */
    networkAccess?: ArgoCdNetworkAccessConfigRequest | undefined;
}
/**
 * <p>The response object containing network access configuration for the Argo CD
 * capability's managed API server endpoint. If VPC endpoint IDs are present, public
 * access is blocked and the Argo CD server is only accessible through the specified VPC
 * endpoints.</p>
 * @public
 */
export interface ArgoCdNetworkAccessConfigResponse {
    /**
     * <p>The list of VPC endpoint IDs associated with the managed Argo CD API server
     * endpoint. Each VPC endpoint provides private connectivity from a specific VPC to
     * the Argo CD server. An absent or empty list indicates the public endpoint is in
     * use.</p>
     * @public
     */
    vpceIds?: string[] | undefined;
}
/**
 * <p>The response object containing Argo CD configuration details, including the server
 * URL that you use to access the Argo CD web interface and API.</p>
 * @public
 */
export interface ArgoCdConfigResponse {
    /**
     * <p>The Kubernetes namespace where Argo CD resources are monitored by your Argo CD
     * Capability.</p>
     * @public
     */
    namespace?: string | undefined;
    /**
     * <p>The IAM Identity Center integration configuration.</p>
     * @public
     */
    awsIdc?: ArgoCdAwsIdcConfigResponse | undefined;
    /**
     * <p>The list of role mappings that define which IAM Identity Center users or groups
     * have which Argo CD roles.</p>
     * @public
     */
    rbacRoleMappings?: ArgoCdRoleMapping[] | undefined;
    /**
     * <p>The network access configuration for the Argo CD capability's managed API server
     * endpoint. If VPC endpoint IDs are specified, public access is blocked and the Argo
     * CD server is only accessible through the specified VPC endpoints.</p>
     * @public
     */
    networkAccess?: ArgoCdNetworkAccessConfigResponse | undefined;
    /**
     * <p>The URL of the Argo CD server. Use this URL to access the Argo CD web interface
     * and API. Whether it is reachable from the public internet depends on
     * <code>networkAccess</code>.</p>
     * @public
     */
    serverUrl?: string | undefined;
}
/**
 * <p>Input for associating an <code>AccessPolicy</code> with an existing
 * <code>AccessEntry</code>. All members are required (declared without
 * <code>?</code>).</p>
 * @public
 */
export interface AssociateAccessPolicyRequest {
    /**
     * <p>The name of your cluster.</p>
     * @public
     */
    clusterName: string | undefined;
    /**
     * <p>The Amazon Resource Name (ARN) of the IAM user or role for the <code>AccessEntry</code> that you're
     * associating the access policy to. </p>
     * @public
     */
    principalArn: string | undefined;
    /**
     * <p>The ARN of the <code>AccessPolicy</code> that you're associating. For a list of
     * ARNs, use <code>ListAccessPolicies</code>.</p>
     * @public
     */
    policyArn: string | undefined;
    /**
     * <p>The scope for the <code>AccessPolicy</code>. You can scope access policies to an
     * entire cluster or to specific Kubernetes namespaces.</p>
     * <p>Prefer the narrowest scope that satisfies the use case; a cluster-wide scope
     * applies the policy everywhere.</p>
     * @public
     */
    accessScope: AccessScope | undefined;
}
/**
 * <p>An access policy association.</p>
 * @public
 */
export interface AssociatedAccessPolicy {
    /**
     * <p>The ARN of the <code>AccessPolicy</code>.</p>
     * @public
     */
    policyArn?: string | undefined;
    /**
     * <p>The scope of the access policy.</p>
     * @public
     */
    accessScope?: AccessScope | undefined;
    /**
     * <p>The date and time the <code>AccessPolicy</code> was associated with an
     * <code>AccessEntry</code>.</p>
     * @public
     */
    associatedAt?: Date | undefined;
    /**
     * <p>The Unix epoch timestamp for the last modification to the object.</p>
     * @public
     */
    modifiedAt?: Date | undefined;
}
/**
 * <p>Result of associating an <code>AccessPolicy</code> with an
 * <code>AccessEntry</code>.</p>
 * @public
 */
export interface AssociateAccessPolicyResponse {
    /**
     * <p>The name of your cluster.</p>
     * @public
     */
    clusterName?: string | undefined;
    /**
     * <p>The ARN of the IAM principal for the <code>AccessEntry</code>.</p>
     * @public
     */
    principalArn?: string | undefined;
    /**
     * <p>The <code>AccessPolicy</code> and scope associated to the
     * <code>AccessEntry</code>.</p>
     * @public
     */
    associatedAccessPolicy?: AssociatedAccessPolicy | undefined;
}
/**
 * <p>Identifies the Key Management Service (KMS) key used to encrypt the secrets.</p>
 * @public
 */
export interface Provider {
    /**
     * <p>Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in
     * the same Amazon Web Services Region as the cluster. If the KMS key was created in a different
     * account, the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html">IAM principal</a> must have access to the KMS key. For more information,
     * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html">Allowing
     * users in other accounts to use a KMS key</a> in the <i>Key Management Service
     * Developer Guide</i>.</p>
     * <p>Access to this key governs the ability to decrypt cluster secrets, so its key
     * policy deserves the same review as cluster access itself.</p>
     * @public
     */
    keyArn?: string | undefined;
}
/**
 * <p>The encryption configuration for the cluster.</p>
 * @public
 */
export interface EncryptionConfig {
    /**
     * <p>Specifies the resources to be encrypted. The only supported value is
     * <code>secrets</code>.</p>
     * @public
     */
    resources?: string[] | undefined;
    /**
     * <p>Key Management Service (KMS) key. Either the ARN or the alias can be used.</p>
     * @public
     */
    provider?: Provider | undefined;
}
/**
 * <p>Input for associating a KMS-backed encryption configuration with a cluster.</p>
 * @public
 */
export interface AssociateEncryptionConfigRequest {
    /**
     * <p>The name of your cluster.</p>
     * @public
     */
    clusterName: string | undefined;
    /**
     * <p>The configuration you are using for encryption. Required (declared without
     * <code>?</code>).</p>
     * @public
     */
    encryptionConfig: EncryptionConfig[] | undefined;
    /**
     * <p>A unique, case-sensitive identifier that you provide to ensure
     * the idempotency of the request.</p>
     * <p>Supplying one lets a retried request be recognised as a repeat rather than a
     * second change.</p>
     * @public
     */
    clientRequestToken?: string | undefined;
}
/**
 * <p>An object representing an error when an asynchronous operation fails.</p>
 * @public
 */
export interface ErrorDetail {
    /**
     * <p>A brief description of the error. </p>
     * <ul>
     * <li>
     * <p>
     * <b>SubnetNotFound</b>: We couldn't find one of the
     * subnets associated with the cluster.</p>
     * </li>
     * <li>
     * <p>
     * <b>SecurityGroupNotFound</b>: We couldn't find one
     * of the security groups associated with the cluster.</p>
     * </li>
     * <li>
     * <p>
     * <b>EniLimitReached</b>: You have reached the elastic
     * network interface limit for your account.</p>
     * </li>
     * <li>
     * <p>
     * <b>IpNotAvailable</b>: A subnet associated with the
     * cluster doesn't have any available IP addresses.</p>
     * </li>
     * <li>
     * <p>
     * <b>AccessDenied</b>: You don't have permissions to
     * perform the specified operation.</p>
     * </li>
     * <li>
     * <p>
     * <b>OperationNotPermitted</b>: The service role
     * associated with the cluster doesn't have the required access permissions for
     * Amazon EKS.</p>
     * </li>
     * <li>
     * <p>
     * <b>VpcIdNotFound</b>: We couldn't find the VPC
     * associated with the cluster.</p>
     * </li>
     * </ul>
     * <p>The list above is illustrative; the full set of values is the
     * <code>ErrorCode</code> enum.</p>
     * @public
     */
    errorCode?: ErrorCode | undefined;
    /**
     * <p>A more complete description of the error. Free-form text intended for
     * people, not for programmatic matching.</p>
     * @public
     */
    errorMessage?: string | undefined;
    /**
     * <p>An optional field that contains the resource IDs associated with the error.</p>
     * @public
     */
    resourceIds?: string[] | undefined;
}
/**
 * <p>An object representing the details of an update request: one key/value pair.</p>
 * @public
 */
export interface UpdateParam {
    /**
     * <p>The keys associated with an update request.</p>
     * @public
     */
    type?: UpdateParamType | undefined;
    /**
     * <p>The value of the keys submitted as part of an update request.</p>
     * @public
     */
    value?: string | undefined;
}
/**
 * <p>An object representing an asynchronous update. The update runs after the API call
 * returns; poll <code>status</code> to learn its outcome.</p>
 * @public
 */
export interface Update {
    /**
     * <p>A UUID that is used to track the update.</p>
     * @public
     */
    id?: string | undefined;
    /**
     * <p>The current status of the update.</p>
     * @public
     */
    status?: UpdateStatus | undefined;
    /**
     * <p>The type of the update.</p>
     * @public
     */
    type?: UpdateType | undefined;
    /**
     * <p>A key-value map that contains the parameters associated with the update.</p>
     * @public
     */
    params?: UpdateParam[] | undefined;
    /**
     * <p>The Unix epoch timestamp at object creation.</p>
     * @public
     */
    createdAt?: Date | undefined;
    /**
     * <p>Any errors associated with a <code>Failed</code> update.</p>
     * @public
     */
    errors?: ErrorDetail[] | undefined;
}
/**
 * <p>Result of <code>AssociateEncryptionConfigRequest</code>.</p>
 * @public
 */
export interface AssociateEncryptionConfigResponse {
    /**
     * <p>An object representing an asynchronous update. The encryption change is not
     * necessarily complete when this response is returned.</p>
     * @public
     */
    update?: Update | undefined;
}
/**
 * <p>An object representing an OpenID Connect (OIDC) configuration. Before associating an
 * OIDC identity provider to your cluster, review the considerations in <a href="https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html">Authenticating
 * users for your cluster from an OIDC identity provider</a> in the
 * <i>Amazon EKS User Guide</i>.</p>
 * <p>The three members declared without <code>?</code>
 * (<code>identityProviderConfigName</code>, <code>issuerUrl</code>,
 * <code>clientId</code>) are required.</p>
 * @public
 */
export interface OidcIdentityProviderConfigRequest {
    /**
     * <p>The name of the OIDC provider configuration.</p>
     * @public
     */
    identityProviderConfigName: string | undefined;
    /**
     * <p>The URL of the OIDC identity provider that allows the API server to discover public
     * signing keys for verifying tokens. The URL must begin with <code>https://</code> and
     * should correspond to the <code>iss</code> claim in the provider's OIDC ID tokens.
     * Based on the OIDC standard, path components are allowed but query parameters are not.
     * Typically the URL consists of only a hostname, like
     * <code>https://server.example.org</code> or <code>https://example.com</code>. This
     * URL should point to the level below <code>.well-known/openid-configuration</code> and
     * must be publicly accessible over the internet.</p>
     * <p>Because token signing keys are fetched from this URL, whoever controls it
     * controls which tokens the cluster trusts.</p>
     * @public
     */
    issuerUrl: string | undefined;
    /**
     * <p>This is also known as <i>audience</i>. The ID for the client application
     * that makes authentication requests to the OIDC identity provider.</p>
     * @public
     */
    clientId: string | undefined;
    /**
     * <p>The JSON Web Token (JWT) claim to use as the username. The default is
     * <code>sub</code>, which is expected to be a unique identifier of the end user. You can
     * choose other claims, such as <code>email</code> or <code>name</code>, depending on the
     * OIDC identity provider. Claims other than <code>email</code> are prefixed with the
     * issuer URL to prevent naming clashes with other plug-ins.</p>
     * <p>If a claim other than <code>sub</code> is chosen, confirm with the provider
     * that it is unique and not user-editable, since it becomes the cluster identity.</p>
     * @public
     */
    usernameClaim?: string | undefined;
    /**
     * <p>The prefix that is prepended to username claims to prevent clashes with existing
     * names. If you do not provide this field, and <code>username</code> is a value other than
     * <code>email</code>, the prefix defaults to <code>issuerurl#</code>. You can use the
     * value <code>-</code> to disable all prefixing.</p>
     * <p>Disabling prefixing with <code>-</code> removes the clash protection described
     * here.</p>
     * @public
     */
    usernamePrefix?: string | undefined;
    /**
     * <p>The JWT claim that the provider uses to return your groups.</p>
     * @public
     */
    groupsClaim?: string | undefined;
    /**
     * <p>The prefix that is prepended to group claims to prevent clashes with existing names
     * (such as <code>system:</code> groups). For example, the value<code> oidc:</code> will
     * create group names like <code>oidc:engineering</code> and
     * <code>oidc:infra</code>.</p>
     * <p>Without a prefix, group names asserted by the provider map directly onto
     * cluster group names, including <code>system:</code> groups, which is exactly what
     * the prefix exists to prevent.</p>
     * @public
     */
    groupsPrefix?: string | undefined;
    /**
     * <p>The key value pairs that describe required claims in the identity token. If set, each
     * claim is verified to be present in the token with a matching value. For the maximum
     * number of claims that you can require, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html">Amazon EKS service quotas</a> in the
     * <i>Amazon EKS User Guide</i>.</p>
     * <p>This can narrow which tokens from the issuer are accepted beyond the audience
     * check alone.</p>
     * @public
     */
    requiredClaims?: Record<string, string> | undefined;
}
/**
 * <p>Input for associating an OIDC identity provider configuration with a cluster.</p>
 * @public
 */
export interface AssociateIdentityProviderConfigRequest {
    /**
     * <p>The name of your cluster.</p>
     * @public
     */
    clusterName: string | undefined;
    /**
     * <p>An object representing an OpenID Connect (OIDC) identity provider configuration.
     * Required (declared without <code>?</code>).</p>
     * @public
     */
    oidc: OidcIdentityProviderConfigRequest | undefined;
    /**
     * <p>Metadata that assists with categorization and organization.
     * Each tag consists of a key and an optional value. You define both. Tags don't
     * propagate to any other cluster or Amazon Web Services resources.</p>
     * @public
     */
    tags?: Record<string, string> | undefined;
    /**
     * <p>A unique, case-sensitive identifier that you provide to ensure
     * the idempotency of the request.</p>
     * @public
     */
    clientRequestToken?: string | undefined;
}
/**
 * <p>Result of <code>AssociateIdentityProviderConfigRequest</code>.</p>
 * @public
 */
export interface AssociateIdentityProviderConfigResponse {
    /**
     * <p>An object representing an asynchronous update. The provider association is not
     * necessarily in effect when this response is returned.</p>
     * @public
     */
    update?: Update | undefined;
    /**
     * <p>The tags for the resource.</p>
     * @public
     */
    tags?: Record<string, string> | undefined;
}
/**
 * <p>An Auto Scaling group that is associated with an Amazon EKS managed node group.</p>
 * @public
 */
export interface AutoScalingGroup {
    /**
     * <p>The name of the Auto Scaling group associated with an Amazon EKS managed node
     * group.</p>
     * @public
     */
    name?: string | undefined;
}
/**
 * <p>Input for <code>CreateAccessEntry</code>: grants an IAM principal access to a
 * cluster without maintaining the <code>aws-auth</code> <code>ConfigMap</code>.</p>
 * @public
 */
export interface CreateAccessEntryRequest {
  /**
   * <p>The name of the cluster that the access entry is created in.</p>
   * @public
   */
  clusterName: string | undefined;
  /**
   * <p>The ARN of the IAM principal that the <code>AccessEntry</code> is for. Each
   * access entry holds exactly one ARN, the same ARN can't appear in more than one
   * access entry, and the value is immutable once the entry exists.</p>
   * <p>Which principals are valid depends on the <code>type</code> of the entry. A
   * <code>STANDARD</code> entry accepts every IAM principal type. Node entries
   * (<code>EC2</code> for EKS Auto Mode, <code>EC2_LINUX</code>,
   * <code>EC2_WINDOWS</code>, <code>FARGATE_LINUX</code>, and
   * <code>HYBRID_LINUX</code>) accept IAM roles only.</p>
   * <p>STS session principals can't be used with access entries: a session is a
   * temporary principal created per session, not a permanent identity that permissions
   * can be assigned to.</p>
   * <p>
   * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp">IAM best
   * practices</a> recommend IAM roles with temporary credentials over IAM users with
   * long-term credentials.</p>
   * @public
   */
  principalArn: string | undefined;
  /**
   * <p>One or more group names, each matching the <code>name</code> of a
   * <code>kind: Group</code> <code>subject</code> in a Kubernetes
   * <code>RoleBinding</code> or <code>ClusterRoleBinding</code>. Amazon EKS doesn't verify
   * that a name is referenced by any binding on the cluster.</p>
   * <p>Kubernetes grants the <code>principalArn</code> whatever the <code>Role</code> or
   * <code>ClusterRole</code> named in each binding's <code>roleRef</code> allows. Because
   * nothing is validated here, the privilege an entry confers is decided entirely by the
   * bindings that reference these names, so review those bindings before granting a
   * name. For creating <code>RoleBinding</code>, <code>ClusterRoleBinding</code>,
   * <code>Role</code>, and <code>ClusterRole</code> objects, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">Using RBAC
   * Authorization in the Kubernetes documentation</a>.</p>
   * <p>To have Amazon EKS authorize the <code>principalArn</code> as well as, or instead
   * of, Kubernetes, associate one or more access policies with the entry using
   * <code>AssociateAccessPolicy</code>. With any policy associated, the principal holds
   * the union of the policy permissions and every permission the group names are bound
   * to in Kubernetes.</p>
   * @public
   */
  kubernetesGroups?: string[] | undefined;
  /**
   * <p>Key/value metadata used to categorize and organize the resource. You choose both the
   * key and the optional value. Tags stay on this resource and aren't propagated to any
   * other cluster or Amazon Web Services resource.</p>
   * @public
   */
  tags?: Record<string, string> | undefined;
  /**
   * <p>A caller-supplied, case-sensitive token that makes the request idempotent, so a
   * retried call doesn't create a second access entry.</p>
   * @public
   */
  clientRequestToken?: string | undefined;
  /**
   * <p>The Kubernetes username for the principal. Leaving this unset and letting Amazon EKS
   * choose the username is the recommended approach; a username you supply is subject
   * to constraints. The value Amazon EKS picks, and those constraints, are described in
   * <a href="https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries">Creating
   * access entries</a> in the <i>Amazon EKS User Guide</i>.</p>
   * @public
   */
  username?: string | undefined;
  /**
   * <p>The kind of access entry to create. Accepted values are <code>STANDARD</code>,
   * <code>FARGATE_LINUX</code>, <code>EC2_LINUX</code>, <code>EC2_WINDOWS</code>,
   * <code>EC2</code> (for EKS Auto Mode), <code>HYBRID_LINUX</code>, and
   * <code>HYPERPOD_LINUX</code>. The field is typed as a plain string; the value can't
   * be changed after the entry is created.</p>
   * <p>Use <code>EC2_LINUX</code> or <code>EC2_WINDOWS</code> when the
   * <code>principalArn</code> is the IAM role of self-managed Amazon EC2 nodes; Amazon EKS
   * then grants the node the permissions it needs. For any other principal use
   * <code>STANDARD</code>, which is also what Amazon EKS sets when the field is omitted.
   * With the cluster access mode set to <code>API_AND_CONFIG_MAP</code>, no access
   * entries are needed for the IAM roles of Fargate profiles or managed Amazon EC2 nodes,
   * because Amazon EKS writes those roles into the <code>aws-auth</code>
   * <code>ConfigMap</code>.</p>
   * <p>For <code>EC2_LINUX</code> and <code>EC2_WINDOWS</code> entries,
   * <code>kubernetesGroups</code> can't be specified and no <code>AccessPolicy</code>
   * can be associated with the entry.</p>
   * @public
   */
  type?: string | undefined;
}
/**
 * <p>Output of <code>CreateAccessEntry</code>.</p>
 * @public
 */
export interface CreateAccessEntryResponse {
  /**
   * <p>The access entry that was created. An access entry lets an IAM principal (user or
   * role) access the cluster and can replace maintenance of the <code>aws-auth</code>
   * <code>ConfigMap</code> for authentication. See <a href="https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html">Access
   * entries</a> in the <i>Amazon EKS User Guide</i>.</p>
   * @public
   */
  accessEntry?: AccessEntry | undefined;
}
/**
 * <p>Input for <code>CreateAddon</code>: installs an Amazon EKS add-on on a cluster.</p>
 * @public
 */
export interface CreateAddonRequest {
  /**
   * <p>The name of the cluster that the add-on is installed on.</p>
   * @public
   */
  clusterName: string | undefined;
  /**
   * <p>The add-on to install. Must be one of the names that
   * <code>DescribeAddonVersions</code> returns.</p>
   * @public
   */
  addonName: string | undefined;
  /**
   * <p>The add-on version to install. Must be one of the versions returned by <a href="https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeAddonVersions.html">
   * <code>DescribeAddonVersions</code>
   * </a>.</p>
   * @public
   */
  addonVersion?: string | undefined;
  /**
   * <p>The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service
   * account. The role has to carry the IAM permissions the add-on requires. When no role
   * is given, the add-on runs with the permissions of the node IAM role instead of a role
   * scoped to the add-on, so supplying a dedicated role is the way to keep the add-on's
   * permissions limited to what it needs. See <a href="https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html">Amazon EKS node IAM role</a> in the <i>Amazon EKS User Guide</i>.</p>
   * <note>
   * <p>Binding an existing IAM role requires an IAM OpenID Connect (OIDC) provider for the
   * cluster. See <a href="https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html">Enabling
   * IAM roles for service accounts on your cluster</a> in the
   * <i>Amazon EKS User Guide</i>.</p>
   * </note>
   * @public
   */
  serviceAccountRoleArn?: string | undefined;
  /**
   * <p>How field value conflicts with a self-managed copy of the add-on are resolved.
   * The chosen value decides what happens:</p>
   * <ul>
   * <li>
   * <p>
   * <b>None</b> – With the self-managed version of the add-on installed on the
   * cluster, Amazon EKS leaves the value alone. Creating the add-on might fail.</p>
   * </li>
   * <li>
   * <p>
   * <b>Overwrite</b> – With the self-managed version installed and the Amazon EKS
   * default different from the existing value, Amazon EKS replaces the value with the
   * Amazon EKS default.</p>
   * </li>
   * <li>
   * <p>
   * <b>Preserve</b> – Behaves like NONE at creation time: with the self-managed
   * version installed, Amazon EKS doesn't change the add-on resource properties, and
   * creation might fail if conflicts are detected. During an update this option
   * behaves differently; see <a href="https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html">
   * <code>UpdateAddon</code>
   * </a>.</p>
   * </li>
   * </ul>
   * <p>When no self-managed version of the add-on is present, the Amazon EKS add-on is
   * installed with every value set to its default, whatever option you pass.</p>
   * @public
   */
  resolveConflicts?: ResolveConflicts | undefined;
  /**
   * <p>A caller-supplied, case-sensitive token that makes the request idempotent, so a
   * retried call doesn't install the add-on twice.</p>
   * @public
   */
  clientRequestToken?: string | undefined;
  /**
   * <p>Key/value metadata used to categorize and organize the resource. You choose both the
   * key and the optional value. Tags stay on this resource and aren't propagated to any
   * other cluster or Amazon Web Services resource.</p>
   * @public
   */
  tags?: Record<string, string> | undefined;
  /**
   * <p>Configuration values for the add-on being created, passed as a string. The service
   * validates them against the schema that <code>DescribeAddonConfiguration</code>
   * returns.</p>
   * @public
   */
  configurationValues?: string | undefined;
  /**
   * <p>EKS Pod Identity associations to create alongside the add-on. Each one maps a
   * Kubernetes service account to an IAM role. See <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html">Attach an IAM Role to an Amazon EKS add-on
   * using EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
   * @public
   */
  podIdentityAssociations?: AddonPodIdentityAssociations[] | undefined;
  /**
   * <p>Namespace settings for the add-on. When present, they replace the add-on's default
   * namespace.</p>
   * @public
   */
  namespaceConfig?: AddonNamespaceConfigRequest | undefined;
}
/**
 * <p>Output of <code>CreateAddon</code>.</p>
 * @public
 */
export interface CreateAddonResponse {
  /**
   * <p>The add-on that was installed. See <a href="https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html">Amazon EKS add-ons</a> in the
   * <i>Amazon EKS User Guide</i>.</p>
   * @public
   */
  addon?: Addon | undefined;
}
/**
 * <p>Configuration for a capability. Which member is populated depends on the capability
 * type being created or updated.</p>
 * @public
 */
export interface CapabilityConfigurationRequest {
  /**
   * <p>Settings for an Argo CD capability. Only read when the capability being created or
   * updated is Argo CD.</p>
   * @public
   */
  argoCd?: ArgoCdConfigRequest | undefined;
}
/**
* @public
*/
export interface CreateCapabilityRequest {
/**
* <p>A unique name for the capability. The name must be unique within your cluster and can contain alphanumeric characters, hyphens, and underscores.</p>
* @public
*/
capabilityName: string | undefined;
/**
* <p>The name of the Amazon EKS cluster where you want to create the capability.</p>
* @public
*/
clusterName: string | undefined;
/**
* <p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This token is valid for 24 hours after creation. If you retry a request with the same client request token and the same parameters after the original request has completed successfully, the result of the original request is returned.</p>
* @public
*/
clientRequestToken?: string | undefined;
/**
* <p>The type of capability to create. Valid values are:</p>
* <ul>
* <li>
* <p>
* <code>ACK</code> – Amazon Web Services Controllers for Kubernetes (ACK), which lets you manage resources directly from Kubernetes.</p>
* </li>
* <li>
* <p>
* <code>ARGOCD</code> – Argo CD for GitOps-based continuous delivery.</p>
* </li>
* <li>
* <p>
* <code>KRO</code> – Kube Resource Orchestrator (KRO) for composing and managing custom Kubernetes resources.</p>
* </li>
* </u