UNPKG

@pulumi/eks

Version:

[![Build Status](https://github.com/pulumi/pulumi-eks/actions/workflows/master.yml/badge.svg)](https://github.com/pulumi/pulumi-eks/actions/workflows/master.yml) [![Slack](http://www.pulumi.com/images/docs/badges/slack.svg)](https://slack.pulumi.com) [![n

pulumi.com

pulumi/pulumi-eks

167 lines (166 loc) 9.9 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
import * as pulumi from "@pulumi/pulumi"; import * as enums from "./types/enums"; /** * VpcCniAddon manages the configuration of the Amazon VPC CNI plugin for Kubernetes by leveraging the EKS managed add-on. * For more information see: https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html */ export declare class VpcCniAddon extends pulumi.ComponentResource { /** * Returns true if the given object is an instance of VpcCniAddon. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is VpcCniAddon; /** * Create a VpcCniAddon resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: VpcCniAddonArgs, opts?: pulumi.ComponentResourceOptions); } /** * The set of arguments for constructing a VpcCniAddon resource. */ export interface VpcCniAddonArgs { /** * The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used. */ addonVersion?: pulumi.Input<string>; /** * The name of the EKS cluster. */ clusterName: pulumi.Input<string>; /** * The Kubernetes version of the cluster. This is used to determine the addon version to use if `addonVersion` is not specified. */ clusterVersion?: pulumi.Input<string>; /** * Specifies whether ipamd should configure rp filter for primary interface. Default is `false`. */ cniConfigureRpfilter?: pulumi.Input<boolean>; /** * Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is `false` */ cniCustomNetworkCfg?: pulumi.Input<boolean>; /** * Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is `false` */ cniExternalSnat?: pulumi.Input<boolean>; /** * Custom configuration values for the vpc-cni addon. This object must match the schema derived from [describe-addon-configuration](https://docs.aws.amazon.com/cli/latest/reference/eks/describe-addon-configuration.html). */ configurationValues?: pulumi.Input<{ [key: string]: any; }>; /** * Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's `resourcesVpcConfig`. * * Defaults to false. */ customNetworkConfig?: pulumi.Input<boolean>; /** * Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency. */ disableTcpEarlyDemux?: pulumi.Input<boolean>; /** * Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. Communication can be restricted with Kubernetes NetworkPolicy objects. * * See for more information: [Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/). */ enableNetworkPolicy?: pulumi.Input<boolean>; /** * Specifies whether to allow IPAMD to add the `vpc.amazonaws.com/has-trunk-attached` label to the node if the instance has capacity to attach an additional ENI. Default is `false`. If using liveness and readiness probes, you will also need to disable TCP early demux. */ enablePodEni?: pulumi.Input<boolean>; /** * IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true. */ enablePrefixDelegation?: pulumi.Input<boolean>; /** * Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone * Ref: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c)) * * Defaults to the official AWS CNI image in ECR. */ eniConfigLabelDef?: pulumi.Input<string>; /** * Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001. * * Defaults to 9001. */ eniMtu?: pulumi.Input<number>; /** * Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. * * Defaults to false. */ externalSnat?: pulumi.Input<boolean>; /** * Specifies the file path used for logs. * * Defaults to "stdout" to emit Pod logs for `kubectl logs`. */ logFile?: pulumi.Input<string>; /** * Specifies the log level used for logs. * * Defaults to "DEBUG" * Valid values: "DEBUG", "INFO", "WARN", "ERROR", or "FATAL". */ logLevel?: pulumi.Input<string>; /** * Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose. * * Defaults to true. */ nodePortSupport?: pulumi.Input<boolean>; /** * How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are `NONE` and `OVERWRITE`. For more details see the [CreateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html) API Docs. */ resolveConflictsOnCreate?: enums.ResolveConflictsOnCreate; /** * How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are `NONE`, `OVERWRITE`, and `PRESERVE`. For more details see the [UpdateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) API Docs. */ resolveConflictsOnUpdate?: enums.ResolveConflictsOnUpdate; /** * Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default */ securityContextPrivileged?: pulumi.Input<boolean>; /** * The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. * * For more information, see [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the Amazon EKS User Guide. * * Note: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) in the Amazon EKS User Guide. */ serviceAccountRoleArn?: pulumi.Input<string>; /** * Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. */ tags?: pulumi.Input<pulumi.Input<{ [key: string]: pulumi.Input<string>; }>[]>; /** * Specifies the veth prefix used to generate the host-side veth device name for the CNI. * * The prefix can be at most 4 characters long. * * Defaults to "eni". */ vethPrefix?: pulumi.Input<string>; /** * Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node. * * Defaults to 1. */ warmEniTarget?: pulumi.Input<number>; /** * Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node. */ warmIpTarget?: pulumi.Input<number>; /** * WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP is consumed with the existing prefix. Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md */ warmPrefixTarget?: pulumi.Input<number>; }