aws-cdk-lib

import { Construct } from 'constructs'; import { IAccessPolicy } from './access-entry'; import { IAddon } from './addon'; import { AlbController, AlbControllerOptions } from './alb-controller'; import { AwsAuth } from './aws-auth'; import { FargateProfile, FargateProfileOptions } from './fargate-profile'; import { HelmChart, HelmChartOptions } from './helm-chart'; import { KubernetesManifest, KubernetesManifestOptions } from './k8s-manifest'; import { IKubectlProvider, KubectlProvider } from './kubectl-provider'; import { Nodegroup, NodegroupOptions } from './managed-nodegroup'; import { ServiceAccount, ServiceAccountOptions } from './service-account'; import * as autoscaling from '../../aws-autoscaling'; import * as ec2 from '../../aws-ec2'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { IResource, Resource, Duration, Size } from '../../core'; /** * An EKS cluster */ export interface ICluster extends IResource, ec2.IConnectable { /** * The VPC in which this Cluster was created */ readonly vpc: ec2.IVpc; /** * The physical name of the Cluster * @attribute */ readonly clusterName: string; /** * The unique ARN assigned to the service by AWS * in the form of arn:aws:eks: * @attribute */ readonly clusterArn: string; /** * The API Server endpoint URL * @attribute */ readonly clusterEndpoint: string; /** * The certificate-authority-data for your cluster. * @attribute */ readonly clusterCertificateAuthorityData: string; /** * The id of the cluster security group that was created by Amazon EKS for the cluster. * @attribute */ readonly clusterSecurityGroupId: string; /** * The cluster security group that was created by Amazon EKS for the cluster. * @attribute */ readonly clusterSecurityGroup: ec2.ISecurityGroup; /** * Amazon Resource Name (ARN) or alias of the customer master key (CMK). * @attribute */ readonly clusterEncryptionConfigKeyArn: string; /** * The Open ID Connect Provider of the cluster used to configure Service Accounts. */ readonly openIdConnectProvider: iam.IOpenIdConnectProvider; /** * The EKS Pod Identity Agent addon for the EKS cluster. * * The EKS Pod Identity Agent is responsible for managing the temporary credentials * used by pods in the cluster to access AWS resources. It runs as a DaemonSet on * each node and provides the necessary credentials to the pods based on their * associated service account. * * This property returns the `CfnAddon` resource representing the EKS Pod Identity * Agent addon. If the addon has not been created yet, it will be created and * returned. */ readonly eksPodIdentityAgent?: IAddon; /** * An IAM role that can perform kubectl operations against this cluster. * * The role should be mapped to the `system:masters` Kubernetes RBAC role. */ readonly kubectlRole?: iam.IRole; /** * Custom environment variables when running `kubectl` against this cluster. */ readonly kubectlEnvironment?: { [key: string]: string; }; /** * A security group to use for `kubectl` execution. * * If this is undefined, the k8s endpoint is expected to be accessible * publicly. */ readonly kubectlSecurityGroup?: ec2.ISecurityGroup; /** * Subnets to host the `kubectl` compute resources. * * If this is undefined, the k8s endpoint is expected to be accessible * publicly. */ readonly kubectlPrivateSubnets?: ec2.ISubnet[]; /** * An IAM role that can perform kubectl operations against this cluster. * * The role should be mapped to the `system:masters` Kubernetes RBAC role. * * This role is directly passed to the lambda handler that sends Kube Ctl commands to the cluster. */ readonly kubectlLambdaRole?: iam.IRole; /** * An AWS Lambda layer that includes `kubectl` and `helm` * */ readonly kubectlLayer?: lambda.ILayerVersion; /** * Specify which IP family is used to assign Kubernetes pod and service IP addresses. * * @default - IpFamily.IP_V4 * @see https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-ipFamily */ readonly ipFamily?: IpFamily; /** * An AWS Lambda layer that contains the `aws` CLI. * * If not defined, a default layer will be used containing the AWS CLI 1.x. */ readonly awscliLayer?: lambda.ILayerVersion; /** * Kubectl Provider for issuing kubectl commands against it * * If not defined, a default provider will be used */ readonly kubectlProvider?: IKubectlProvider; /** * Amount of memory to allocate to the provider's lambda function. */ readonly kubectlMemory?: Size; /** * A security group to associate with the Cluster Handler's Lambdas. * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. * * Requires `placeClusterHandlerInVpc` to be set to true. * * @default - No security group. * @attribute */ readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. * * If not defined, a default layer will be used. */ readonly onEventLayer?: lambda.ILayerVersion; /** * Indicates whether Kubernetes resources can be automatically pruned. When * this is enabled (default), prune labels will be allocated and injected to * each resource. These labels will then be used when issuing the `kubectl * apply` operation with the `--prune` switch. */ readonly prune: boolean; /** * The authentication mode for the cluster. * @default AuthenticationMode.CONFIG_MAP */ readonly authenticationMode?: AuthenticationMode; /** * Creates a new service account with corresponding IAM Role (IRSA). * * @param id logical id of service account * @param options service account options */ addServiceAccount(id: string, options?: ServiceAccountOptions): ServiceAccount; /** * Defines a Kubernetes resource in this cluster. * * The manifest will be applied/deleted using kubectl as needed. * * @param id logical id of this manifest * @param manifest a list of Kubernetes resource specifications * @returns a `KubernetesManifest` object. */ addManifest(id: string, ...manifest: Record<string, any>[]): KubernetesManifest; /** * Defines a Helm chart in this cluster. * * @param id logical id of this chart. * @param options options of this chart. * @returns a `HelmChart` construct */ addHelmChart(id: string, options: HelmChartOptions): HelmChart; /** * Defines a CDK8s chart in this cluster. * * @param id logical id of this chart. * @param chart the cdk8s chart. * @returns a `KubernetesManifest` construct representing the chart. */ addCdk8sChart(id: string, chart: Construct, options?: KubernetesManifestOptions): KubernetesManifest; /** * Connect capacity in the form of an existing AutoScalingGroup to the EKS cluster. * * The AutoScalingGroup must be running an EKS-optimized AMI containing the * /etc/eks/bootstrap.sh script. This method will configure Security Groups, * add the right policies to the instance role, apply the right tags, and add * the required user data to the instance's launch configuration. * * Spot instances will be labeled `lifecycle=Ec2Spot` and tainted with `PreferNoSchedule`. * If kubectl is enabled, the * [spot interrupt handler](https://github.com/awslabs/ec2-spot-labs/tree/master/ec2-spot-eks-solution/spot-termination-handler) * daemon will be installed on all spot instances to handle * [EC2 Spot Instance Termination Notices](https://aws.amazon.com/blogs/aws/new-ec2-spot-instance-termination-notices/). * * Prefer to use `addAutoScalingGroupCapacity` if possible. * * @see https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html * @param autoScalingGroup [disable-awslint:ref-via-interface] * @param options options for adding auto scaling groups, like customizing the bootstrap script */ connectAutoScalingGroupCapacity(autoScalingGroup: autoscaling.AutoScalingGroup, options: AutoScalingGroupOptions): void; } /** * Attributes for EKS clusters. */ export interface ClusterAttributes { /** * The VPC in which this Cluster was created * @default - if not specified `cluster.vpc` will throw an error */ readonly vpc?: ec2.IVpc; /** * The physical name of the Cluster */ readonly clusterName: string; /** * The API Server endpoint URL * @default - if not specified `cluster.clusterEndpoint` will throw an error. */ readonly clusterEndpoint?: string; /** * The certificate-authority-data for your cluster. * @default - if not specified `cluster.clusterCertificateAuthorityData` will * throw an error */ readonly clusterCertificateAuthorityData?: string; /** * The cluster security group that was created by Amazon EKS for the cluster. * @default - if not specified `cluster.clusterSecurityGroupId` will throw an * error */ readonly clusterSecurityGroupId?: string; /** * Amazon Resource Name (ARN) or alias of the customer master key (CMK). * @default - if not specified `cluster.clusterEncryptionConfigKeyArn` will * throw an error */ readonly clusterEncryptionConfigKeyArn?: string; /** * Specify which IP family is used to assign Kubernetes pod and service IP addresses. * * @default - IpFamily.IP_V4 * @see https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-ipFamily */ readonly ipFamily?: IpFamily; /** * Additional security groups associated with this cluster. * @default - if not specified, no additional security groups will be * considered in `cluster.connections`. */ readonly securityGroupIds?: string[]; /** * An IAM role with cluster administrator and "system:masters" permissions. * @default - if not specified, it not be possible to issue `kubectl` commands * against an imported cluster. */ readonly kubectlRoleArn?: string; /** * An IAM role that can perform kubectl operations against this cluster. * * The role should be mapped to the `system:masters` Kubernetes RBAC role. * * This role is directly passed to the lambda handler that sends Kube Ctl commands * to the cluster. * @default - if not specified, the default role created by a lambda function will * be used. */ readonly kubectlLambdaRole?: iam.IRole; /** * Environment variables to use when running `kubectl` against this cluster. * @default - no additional variables */ readonly kubectlEnvironment?: { [name: string]: string; }; /** * A security group to use for `kubectl` execution. If not specified, the k8s * endpoint is expected to be accessible publicly. * @default - k8s endpoint is expected to be accessible publicly */ readonly kubectlSecurityGroupId?: string; /** * Subnets to host the `kubectl` compute resources. If not specified, the k8s * endpoint is expected to be accessible publicly. * @default - k8s endpoint is expected to be accessible publicly */ readonly kubectlPrivateSubnetIds?: string[]; /** * An Open ID Connect provider for this cluster that can be used to configure service accounts. * You can either import an existing provider using `iam.OpenIdConnectProvider.fromProviderArn`, * or create a new provider using `new eks.OpenIdConnectProvider` * @default - if not specified `cluster.openIdConnectProvider` and `cluster.addServiceAccount` will throw an error. */ readonly openIdConnectProvider?: iam.IOpenIdConnectProvider; /** * An AWS Lambda Layer which includes `kubectl` and Helm. * * This layer is used by the kubectl handler to apply manifests and install * helm charts. You must pick an appropriate releases of one of the * `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of * Kubernetes you have chosen. * * The handler expects the layer to include the following executables: * * ``` * /opt/helm/helm * /opt/kubectl/kubectl * ``` * * @default - No default layer will be provided */ readonly kubectlLayer?: lambda.ILayerVersion; /** * An AWS Lambda layer that contains the `aws` CLI. * * The handler expects the layer to include the following executables: * * ``` * /opt/awscli/aws * ``` * * @default - a default layer with the AWS CLI 1.x */ readonly awscliLayer?: lambda.ILayerVersion; /** * KubectlProvider for issuing kubectl commands. * * @default - Default CDK provider */ readonly kubectlProvider?: IKubectlProvider; /** * Amount of memory to allocate to the provider's lambda function. * * @default Size.gibibytes(1) */ readonly kubectlMemory?: Size; /** * A security group id to associate with the Cluster Handler's Lambdas. * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. * * @default - No security group. */ readonly clusterHandlerSecurityGroupId?: string; /** * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer * is used by the onEvent handler to route AWS SDK requests through a proxy. * * The handler expects the layer to include the following node_modules: * * proxy-agent * * @default - a layer bundled with this module. */ readonly onEventLayer?: lambda.ILayerVersion; /** * Indicates whether Kubernetes resources added through `addManifest()` can be * automatically pruned. When this is enabled (default), prune labels will be * allocated and injected to each resource. These labels will then be used * when issuing the `kubectl apply` operation with the `--prune` switch. * * @default true */ readonly prune?: boolean; } /** * Options for configuring an EKS cluster. */ export interface CommonClusterOptions { /** * The VPC in which to create the Cluster. * * @default - a VPC with default configuration will be created and can be accessed through `cluster.vpc`. */ readonly vpc?: ec2.IVpc; /** * Where to place EKS Control Plane ENIs * * For example, to only select private subnets, supply the following: * * `vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]` * * @default - All public and private subnets */ readonly vpcSubnets?: ec2.SubnetSelection[]; /** * Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. * * @default - A role is automatically created for you */ readonly role?: iam.IRole; /** * Name for the cluster. * * @default - Automatically generated name */ readonly clusterName?: string; /** * Security Group to use for Control Plane ENIs * * @default - A security group is automatically created */ readonly securityGroup?: ec2.ISecurityGroup; /** * The Kubernetes version to run in the cluster */ readonly version: KubernetesVersion; /** * Determines whether a CloudFormation output with the name of the cluster * will be synthesized. * * @default false */ readonly outputClusterName?: boolean; /** * Determines whether a CloudFormation output with the `aws eks * update-kubeconfig` command will be synthesized. This command will include * the cluster name and the ARN of the masters IAM role. * * Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted. * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks-readme.html#masters-role * * @default true */ readonly outputConfigCommand?: boolean; } /** * Options for EKS clusters. */ export interface ClusterOptions extends CommonClusterOptions { /** * An IAM role that will be added to the `system:masters` Kubernetes RBAC * group. * * @see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings * * @default - no masters role. */ readonly mastersRole?: iam.IRole; /** * Controls the "eks.amazonaws.com/compute-type" annotation in the CoreDNS * configuration on your cluster to determine which compute type to use * for CoreDNS. * * @default CoreDnsComputeType.EC2 (for `FargateCluster` the default is FARGATE) */ readonly coreDnsComputeType?: CoreDnsComputeType; /** * Determines whether a CloudFormation output with the ARN of the "masters" * IAM role will be synthesized (if `mastersRole` is specified). * * @default false */ readonly outputMastersRoleArn?: boolean; /** * Configure access to the Kubernetes API server endpoint.. * * @see https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html * * @default EndpointAccess.PUBLIC_AND_PRIVATE */ readonly endpointAccess?: EndpointAccess; /** * Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. * * @default - No environment variables. */ readonly kubectlEnvironment?: { [key: string]: string; }; /** * An AWS Lambda Layer which includes `kubectl` and Helm. * * This layer is used by the kubectl handler to apply manifests and install * helm charts. You must pick an appropriate releases of one of the * `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of * Kubernetes you have chosen. * * The handler expects the layer to include the following executables: * * ``` * /opt/helm/helm * /opt/kubectl/kubectl * ``` */ readonly kubectlLayer: lambda.ILayerVersion; /** * An AWS Lambda layer that contains the `aws` CLI. * * The handler expects the layer to include the following executables: * * ``` * /opt/awscli/aws * ``` * * @default - a default layer with the AWS CLI 1.x */ readonly awscliLayer?: lambda.ILayerVersion; /** * Amount of memory to allocate to the provider's lambda function. * * @default Size.gibibytes(1) */ readonly kubectlMemory?: Size; /** * Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. * * @default - No environment variables. */ readonly clusterHandlerEnvironment?: { [key: string]: string; }; /** * A security group to associate with the Cluster Handler's Lambdas. * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. * * Requires `placeClusterHandlerInVpc` to be set to true. * * @default - No security group. */ readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer * is used by the onEvent handler to route AWS SDK requests through a proxy. * * By default, the provider will use the layer included in the * "aws-lambda-layer-node-proxy-agent" SAR application which is available in all * commercial regions. * * To deploy the layer locally define it in your app as follows: * * ```ts * const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', { * code: lambda.Code.fromAsset(`${__dirname}/layer.zip`), * compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST], * }); * ``` * * @default - a layer bundled with this module. */ readonly onEventLayer?: lambda.ILayerVersion; /** * Indicates whether Kubernetes resources added through `addManifest()` can be * automatically pruned. When this is enabled (default), prune labels will be * allocated and injected to each resource. These labels will then be used * when issuing the `kubectl apply` operation with the `--prune` switch. * * @default true */ readonly prune?: boolean; /** * If set to true, the cluster handler functions will be placed in the private subnets * of the cluster vpc, subject to the `vpcSubnets` selection strategy. * * @default false */ readonly placeClusterHandlerInVpc?: boolean; /** * KMS secret for envelope encryption for Kubernetes secrets. * * @default - By default, Kubernetes stores all secret object data within etcd and * all etcd volumes used by Amazon EKS are encrypted at the disk-level * using AWS-Managed encryption keys. */ readonly secretsEncryptionKey?: kms.IKey; /** * Specify which IP family is used to assign Kubernetes pod and service IP addresses. * * @default - IpFamily.IP_V4 * @see https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-ipFamily */ readonly ipFamily?: IpFamily; /** * The CIDR block to assign Kubernetes service IP addresses from. * * @default - Kubernetes assigns addresses from either the * 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks * @see https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-serviceIpv4Cidr */ readonly serviceIpv4Cidr?: string; /** * Install the AWS Load Balancer Controller onto the cluster. * * @see https://kubernetes-sigs.github.io/aws-load-balancer-controller * * @default - The controller is not installed. */ readonly albController?: AlbControllerOptions; /** * The cluster log types which you want to enable. * * @default - none */ readonly clusterLogging?: ClusterLoggingTypes[]; /** * The desired authentication mode for the cluster. * @default AuthenticationMode.CONFIG_MAP */ readonly authenticationMode?: AuthenticationMode; /** * IPv4 CIDR blocks defining the expected address range of hybrid nodes * that will join the cluster. * @default - none */ readonly remoteNodeNetworks?: RemoteNodeNetwork[]; /** * IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. * @default - none */ readonly remotePodNetworks?: RemotePodNetwork[]; } /** * Group access configuration together. */ interface EndpointAccessConfig { /** * Indicates if private access is enabled. */ readonly privateAccess: boolean; /** * Indicates if public access is enabled. */ readonly publicAccess: boolean; /** * Public access is allowed only from these CIDR blocks. * An empty array means access is open to any address. * * @default - No restrictions. */ readonly publicCidrs?: string[]; } /** * Endpoint access characteristics. */ export declare class EndpointAccess { /** * Configuration properties. * * @internal */ readonly _config: EndpointAccessConfig; /** * The cluster endpoint is accessible from outside of your VPC. * Worker node traffic will leave your VPC to connect to the endpoint. * * By default, the endpoint is exposed to all adresses. You can optionally limit the CIDR blocks that can access the public endpoint using the `PUBLIC.onlyFrom` method. * If you limit access to specific CIDR blocks, you must ensure that the CIDR blocks that you * specify include the addresses that worker nodes and Fargate pods (if you use them) * access the public endpoint from. * * @param cidr The CIDR blocks. */ static readonly PUBLIC: EndpointAccess; /** * The cluster endpoint is only accessible through your VPC. * Worker node traffic to the endpoint will stay within your VPC. */ static readonly PRIVATE: EndpointAccess; /** * The cluster endpoint is accessible from outside of your VPC. * Worker node traffic to the endpoint will stay within your VPC. * * By default, the endpoint is exposed to all adresses. You can optionally limit the CIDR blocks that can access the public endpoint using the `PUBLIC_AND_PRIVATE.onlyFrom` method. * If you limit access to specific CIDR blocks, you must ensure that the CIDR blocks that you * specify include the addresses that worker nodes and Fargate pods (if you use them) * access the public endpoint from. * * @param cidr The CIDR blocks. */ static readonly PUBLIC_AND_PRIVATE: EndpointAccess; private constructor(); /** * Restrict public access to specific CIDR blocks. * If public access is disabled, this method will result in an error. * * @param cidr CIDR blocks. */ onlyFrom(...cidr: string[]): EndpointAccess; } /** * Common configuration props for EKS clusters. */ export interface ClusterProps extends ClusterOptions { /** * Number of instances to allocate as an initial capacity for this cluster. * Instance type can be configured through `defaultCapacityInstanceType`, * which defaults to `m5.large`. * * Use `cluster.addAutoScalingGroupCapacity` to add additional customized capacity. Set this * to `0` is you wish to avoid the initial capacity allocation. * * @default 2 */ readonly defaultCapacity?: number; /** * The instance type to use for the default capacity. This will only be taken * into account if `defaultCapacity` is > 0. * * @default m5.large */ readonly defaultCapacityInstance?: ec2.InstanceType; /** * The default capacity type for the cluster. * * @default NODEGROUP */ readonly defaultCapacityType?: DefaultCapacityType; /** * The IAM role to pass to the Kubectl Lambda Handler. * * @default - Default Lambda IAM Execution Role */ readonly kubectlLambdaRole?: iam.IRole; /** * Whether or not IAM principal of the cluster creator was set as a cluster admin access entry * during cluster creation time. * * Changing this value after the cluster has been created will result in the cluster being replaced. * * @default true */ readonly bootstrapClusterCreatorAdminPermissions?: boolean; /** * If you set this value to False when creating a cluster, the default networking add-ons will not be installed. * The default networking addons include vpc-cni, coredns, and kube-proxy. * Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons. * * Changing this value after the cluster has been created will result in the cluster being replaced. * * @default true */ readonly bootstrapSelfManagedAddons?: boolean; /** * The tags assigned to the EKS cluster * * @default - none */ readonly tags?: { [key: string]: string; }; } /** * Kubernetes cluster version * @see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar */ export declare class KubernetesVersion { readonly version: string; /** * Kubernetes version 1.14 * @deprecated Use newer version of EKS */ static readonly V1_14: KubernetesVersion; /** * Kubernetes version 1.15 * @deprecated Use newer version of EKS */ static readonly V1_15: KubernetesVersion; /** * Kubernetes version 1.16 * @deprecated Use newer version of EKS */ static readonly V1_16: KubernetesVersion; /** * Kubernetes version 1.17 * @deprecated Use newer version of EKS */ static readonly V1_17: KubernetesVersion; /** * Kubernetes version 1.18 * @deprecated Use newer version of EKS */ static readonly V1_18: KubernetesVersion; /** * Kubernetes version 1.19 * @deprecated Use newer version of EKS */ static readonly V1_19: KubernetesVersion; /** * Kubernetes version 1.20 * @deprecated Use newer version of EKS */ static readonly V1_20: KubernetesVersion; /** * Kubernetes version 1.21 * @deprecated Use newer version of EKS */ static readonly V1_21: KubernetesVersion; /** * Kubernetes version 1.22 * @deprecated Use newer version of EKS * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV22Layer` from * `@aws-cdk/lambda-layer-kubectl-v22`. * @deprecated Use newer version of EKS */ static readonly V1_22: KubernetesVersion; /** * Kubernetes version 1.23 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV23Layer` from * `@aws-cdk/lambda-layer-kubectl-v23`. */ static readonly V1_23: KubernetesVersion; /** * Kubernetes version 1.24 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV24Layer` from * `@aws-cdk/lambda-layer-kubectl-v24`. */ static readonly V1_24: KubernetesVersion; /** * Kubernetes version 1.25 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV25Layer` from * `@aws-cdk/lambda-layer-kubectl-v25`. */ static readonly V1_25: KubernetesVersion; /** * Kubernetes version 1.26 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV26Layer` from * `@aws-cdk/lambda-layer-kubectl-v26`. */ static readonly V1_26: KubernetesVersion; /** * Kubernetes version 1.27 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV27Layer` from * `@aws-cdk/lambda-layer-kubectl-v27`. */ static readonly V1_27: KubernetesVersion; /** * Kubernetes version 1.28 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV28Layer` from * `@aws-cdk/lambda-layer-kubectl-v28`. */ static readonly V1_28: KubernetesVersion; /** * Kubernetes version 1.29 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV29Layer` from * `@aws-cdk/lambda-layer-kubectl-v29`. */ static readonly V1_29: KubernetesVersion; /** * Kubernetes version 1.30 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV30Layer` from * `@aws-cdk/lambda-layer-kubectl-v30`. */ static readonly V1_30: KubernetesVersion; /** * Kubernetes version 1.31 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV31Layer` from * `@aws-cdk/lambda-layer-kubectl-v31`. */ static readonly V1_31: KubernetesVersion; /** * Kubernetes version 1.32 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV32Layer` from * `@aws-cdk/lambda-layer-kubectl-v32`. */ static readonly V1_32: KubernetesVersion; /** * Kubernetes version 1.33 * * When creating a `Cluster` with this version, you need to also specify the * `kubectlLayer` property with a `KubectlV33Layer` from * `@aws-cdk/lambda-layer-kubectl-v33`. */ static readonly V1_33: KubernetesVersion; /** * Custom cluster version * @param version custom version number */ static of(version: string): KubernetesVersion; /** * * @param version cluster version number */ private constructor(); } /** * EKS cluster logging types */ export declare enum ClusterLoggingTypes { /** * Logs pertaining to API requests to the cluster. */ API = "api", /** * Logs pertaining to cluster access via the Kubernetes API. */ AUDIT = "audit", /** * Logs pertaining to authentication requests into the cluster. */ AUTHENTICATOR = "authenticator", /** * Logs pertaining to state of cluster controllers. */ CONTROLLER_MANAGER = "controllerManager", /** * Logs pertaining to scheduling decisions. */ SCHEDULER = "scheduler" } /** * EKS cluster IP family. */ export declare enum IpFamily { /** * Use IPv4 for pods and services in your cluster. */ IP_V4 = "ipv4", /** * Use IPv6 for pods and services in your cluster. */ IP_V6 = "ipv6" } /** * Represents the authentication mode for an Amazon EKS cluster. */ export declare enum AuthenticationMode { /** * Authenticates using a Kubernetes ConfigMap. */ CONFIG_MAP = "CONFIG_MAP", /** * Authenticates using both the Kubernetes API server and a ConfigMap. */ API_AND_CONFIG_MAP = "API_AND_CONFIG_MAP", /** * Authenticates using the Kubernetes API server. */ API = "API" } declare abstract class ClusterBase extends Resource implements ICluster { abstract readonly connections: ec2.Connections; abstract readonly vpc: ec2.IVpc; abstract readonly clusterName: string; abstract readonly clusterArn: string; abstract readonly clusterEndpoint: string; abstract readonly clusterCertificateAuthorityData: string; abstract readonly clusterSecurityGroupId: string; abstract readonly clusterSecurityGroup: ec2.ISecurityGroup; abstract readonly clusterEncryptionConfigKeyArn: string; abstract readonly ipFamily?: IpFamily; abstract readonly kubectlRole?: iam.IRole; abstract readonly kubectlLambdaRole?: iam.IRole; abstract readonly kubectlLayer?: lambda.ILayerVersion; abstract readonly kubectlEnvironment?: { [key: string]: string; }; abstract readonly kubectlSecurityGroup?: ec2.ISecurityGroup; abstract readonly kubectlPrivateSubnets?: ec2.ISubnet[]; abstract readonly kubectlMemory?: Size; abstract readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; abstract readonly prune: boolean; abstract readonly openIdConnectProvider: iam.IOpenIdConnectProvider; abstract readonly awsAuth: AwsAuth; private _spotInterruptHandler?; /** * Manages the aws-auth config map. * * @internal */ protected _awsAuth?: AwsAuth; /** * Defines a Kubernetes resource in this cluster. * * The manifest will be applied/deleted using kubectl as needed. * * @param id logical id of this manifest * @param manifest a list of Kubernetes resource specifications * @returns a `KubernetesResource` object. */ addManifest(id: string, ...manifest: Record<string, any>[]): KubernetesManifest; /** * Defines a Helm chart in this cluster. * * @param id logical id of this chart. * @param options options of this chart. * @returns a `HelmChart` construct */ addHelmChart(id: string, options: HelmChartOptions): HelmChart; /** * Defines a CDK8s chart in this cluster. * * @param id logical id of this chart. * @param chart the cdk8s chart. * @returns a `KubernetesManifest` construct representing the chart. */ addCdk8sChart(id: string, chart: Construct, options?: KubernetesManifestOptions): KubernetesManifest; addServiceAccount(id: string, options?: ServiceAccountOptions): ServiceAccount; /** * Installs the AWS spot instance interrupt handler on the cluster if it's not * already added. */ private addSpotInterruptHandler; /** * Connect capacity in the form of an existing AutoScalingGroup to the EKS cluster. * * The AutoScalingGroup must be running an EKS-optimized AMI containing the * /etc/eks/bootstrap.sh script. This method will configure Security Groups, * add the right policies to the instance role, apply the right tags, and add * the required user data to the instance's launch configuration. * * Spot instances will be labeled `lifecycle=Ec2Spot` and tainted with `PreferNoSchedule`. * If kubectl is enabled, the * [spot interrupt handler](https://github.com/awslabs/ec2-spot-labs/tree/master/ec2-spot-eks-solution/spot-termination-handler) * daemon will be installed on all spot instances to handle * [EC2 Spot Instance Termination Notices](https://aws.amazon.com/blogs/aws/new-ec2-spot-instance-termination-notices/). * * Prefer to use `addAutoScalingGroupCapacity` if possible. * * @see https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html * @param autoScalingGroup [disable-awslint:ref-via-interface] * @param options options for adding auto scaling groups, like customizing the bootstrap script */ connectAutoScalingGroupCapacity(autoScalingGroup: autoscaling.AutoScalingGroup, options: AutoScalingGroupOptions): void; } /** * Options for fetching a ServiceLoadBalancerAddress. */ export interface ServiceLoadBalancerAddressOptions { /** * Timeout for waiting on the load balancer address. * * @default Duration.minutes(5) */ readonly timeout?: Duration; /** * The namespace the service belongs to. * * @default 'default' */ readonly namespace?: string; } /** * Options for fetching an IngressLoadBalancerAddress. */ export interface IngressLoadBalancerAddressOptions extends ServiceLoadBalancerAddressOptions { } /** * A Cluster represents a managed Kubernetes Service (EKS) * * This is a fully managed cluster of API Servers (control-plane) * The user is still required to create the worker nodes. */ export declare class Cluster extends ClusterBase { /** * Uniquely identifies this class. */ static readonly PROPERTY_INJECTION_ID: string; /** * Import an existing cluster * * @param scope the construct scope, in most cases 'this' * @param id the id or name to import as * @param attrs the cluster properties to use for importing information */ static fromClusterAttributes(scope: Construct, id: string, attrs: ClusterAttributes): ICluster; private accessEntries; /** * The VPC in which this Cluster was created */ readonly vpc: ec2.IVpc; /** * The Name of the created EKS Cluster */ readonly clusterName: string; /** * The AWS generated ARN for the Cluster resource * * For example, `arn:aws:eks:us-west-2:666666666666:cluster/prod` */ readonly clusterArn: string; /** * The endpoint URL for the Cluster * * This is the URL inside the kubeconfig file to use with kubectl * * For example, `https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com` */ readonly clusterEndpoint: string; /** * The certificate-authority-data for your cluster. */ readonly clusterCertificateAuthorityData: string; /** * The id of the cluster security group that was created by Amazon EKS for the cluster. */ readonly clusterSecurityGroupId: string; /** * The cluster security group that was created by Amazon EKS for the cluster. */ readonly clusterSecurityGroup: ec2.ISecurityGroup; /** * Amazon Resource Name (ARN) or alias of the customer master key (CMK). */ readonly clusterEncryptionConfigKeyArn: string; /** * Manages connection rules (Security Group Rules) for the cluster * * @type {ec2.Connections} * @memberof Cluster */ readonly connections: ec2.Connections; /** * IAM role assumed by the EKS Control Plane */ readonly role: iam.IRole; /** * The auto scaling group that hosts the default capacity for this cluster. * This will be `undefined` if the `defaultCapacityType` is not `EC2` or * `defaultCapacityType` is `EC2` but default capacity is set to 0. */ readonly defaultCapacity?: autoscaling.AutoScalingGroup; /** * The node group that hosts the default capacity for this cluster. * This will be `undefined` if the `defaultCapacityType` is `EC2` or * `defaultCapacityType` is `NODEGROUP` but default capacity is set to 0. */ readonly defaultNodegroup?: Nodegroup; /** * An IAM role that can perform kubectl operations against this cluster. * * The role should be mapped to the `system:masters` Kubernetes RBAC role. */ readonly kubectlRole?: iam.IRole; /** * An IAM role that can perform kubectl operations against this cluster. * * The role should be mapped to the `system:masters` Kubernetes RBAC role. * * This role is directly passed to the lambda handler that sends Kube Ctl commands to the cluster. * @default - if not specified, the default role created by a lambda function will * be used. */ readonly kubectlLambdaRole?: iam.IRole; /** * Custom environment variables when running `kubectl` against this cluster. */ readonly kubectlEnvironment?: { [key: string]: string; }; /** * A security group to use for `kubectl` execution. * * @default - If not specified, the k8s endpoint is expected to be accessible * publicly. */ readonly kubectlSecurityGroup?: ec2.ISecurityGroup; /** * Subnets to host the `kubectl` compute resources. * * @default - If not specified, the k8s endpoint is expected to be accessible * publicly. */ readonly kubectlPrivateSubnets?: ec2.ISubnet[]; /** * Specify which IP family is used to assign Kubernetes pod and service IP addresses. * * @default - IpFamily.IP_V4 * @see https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-ipFamily */ readonly ipFamily?: IpFamily; /** * An IAM role with administrative permissions to create or update the * cluster. This role also has `systems:master` permissions. */ readonly adminRole: iam.Role; /** * If the cluster has one (or more) FargateProfiles associated, this array * will hold a reference to each. */ private readonly _fargateProfiles; /** * an Open ID Connect Provider instance */ private _openIdConnectProvider?; /** * an EKS Pod Identity Agent instance */ private _eksPodIdentityAgent?; /** * An AWS Lambda layer that includes `kubectl` and `helm` * */ readonly kubectlLayer?: lambda.ILayerVersion; /** * An AWS Lambda layer that contains the `aws` CLI. * * If not defined, a default layer will be used containing the AWS CLI 1.x. */ readonly awscliLayer?: lambda.ILayerVersion; /** * The amount of memory allocated to the kubectl provider's lambda function. */ readonly kubectlMemory?: Size; /** * A security group to associate with the Cluster Handler's Lambdas. * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. * * Requires `placeClusterHandlerInVpc` to be set to true. * * @default - No security group. */ readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** * The AWS Lambda layer that contains the NPM dependency `proxy-agent`. If * undefined, a SAR app that contains this layer will be used. */ readonly onEventLayer?: lambda.ILayerVersion; /** * Determines if Kubernetes resources can be pruned automatically. */ readonly prune: boolean; /** * The ALB Controller construct defined for this cluster. * Will be undefined if `albController` wasn't configured. */ readonly albController?: AlbController; /** * The authentication mode for the Amazon EKS cluster. * * The authentication mode determines how users and applications authenticate to the Kubernetes API server. * * @property {AuthenticationMode} [authenticationMode] - The authentication mode for the Amazon EKS cluster. * * @default CONFIG_MAP. */ readonly authenticationMode?: AuthenticationMode; /** * If this cluster is kubectl-enabled, returns the `ClusterResource` object * that manages it. If this cluster is not kubectl-enabled (i.e. uses the * stock `CfnCluster`), this is `undefined`. */ private readonly _clusterResource; private _neuronDevicePlugin?; private readonly endpointAccess; private readonly vpcSubnets; private readonly version; private readonly logging?; /** * A dummy CloudFormation resource that is used as a wait barrier which * represents that the cluster is ready to receive "kubectl" commands. * * Specifically, all fargate profiles are automatically added as a dependency * of this barrier, which means that it will only be "signaled" when all * fargate profiles have been successfully created. * * When kubectl resources call `_attachKubectlResourceScope()`, this resource * is added as their dependency which implies that they can only be deployed * after the cluster is ready. */ private readonly _kubectlReadyBarrier; private readonly _kubectlResourceProvider; /** * Initiates an EKS Cluster with the supplied arguments * * @param scope a Construct, most likely a cdk.Stack created * @param id the id of the Construct to create * @param props properties in the IClusterProps interface */ constructor(scope: Construct, id: string, props: ClusterProps); /** * Grants the specified IAM principal access to the EKS cluster based on the provided access policies. * * This method creates an `AccessEntry` construct that grants the specified IAM principal the access permissions * defined by the provided `IAccessPolicy` array. This allows the IAM principal to perform the actions permitted * by the access policies within the EKS cluster. * * @param id - The ID of the `AccessEntry` construct to be created. * @param principal - The IAM principal (role or user) to be granted access to the EKS cluster. * @param accessPolicies - An array of `IAccessPolicy` objects that define the access permissions to be granted to the IAM principal. */ grantAccess(id: string, principal: string, accessPolicies: IAccessPolicy[]): void; /** * Fetch the load balancer address of a service of type 'LoadBalancer'. * * @param serviceName The name of the service. * @param options Additional operation options. */ getServiceLoadBalancerAddress(serviceName: string, options?: ServiceLoadBalancerAddressOptions): string; /** * Fetch the load balancer address of an ingress backed by a load balancer. * * @param ingressName The name of the ingress. * @param options Additional operation options. */ getIngressLoadBalancerAddress(ingressName: string, options?: IngressLoadBalancerAddressOptions): string; /** * Add nodes to this EKS cluster * * The nodes will automatically be configured with the right VPC and AMI * for the instance type and Kubernetes version. * * Note that if you specify `updateType: RollingUpdate` or `updateType: ReplacingUpdate`, your nodes might be replaced at deploy * time without notice in case the recommended AMI for your machine image type has been updated by AWS. * The default behavior for `updateType` is `None`, which means only new instances will be launched using the new AMI. * * Spot instances will be labeled `lifecycle=Ec2Spot` and tainted with `PreferNoSchedule`. * In addition, the [spot interrupt handler](https://github.com/awslabs/ec2-spot-labs/tree/master/ec2-spot-eks-solution/spot-termination-handler) * daemon will be installed on all spot instances to handle * [EC2 Spot Instance Termination Notices](https://aws.amazon.com/blogs/aws/new-ec2-spot-instance-termination-notices/). */ addAutoScalingGroupCapacity(id: string, options: AutoScalingGroupCapacityOptions): autoscaling.AutoScalingGroup; /** * Add managed nodegroup to this Amazon EKS cluster * * This method will create a new managed nodegroup and add into the capacity. * * @see https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html * @param id The ID of the nodegroup