2023/12/18 - Amazon Elastic Kubernetes Service - 9 new 14 updated api methods
Changes Add support for EKS Cluster Access Management.
Lists the access entries for your cluster.
See also: AWS API Documentation
Request Syntax
client.list_access_entries( clusterName='string', associatedPolicyArn='string', maxResults=123, nextToken='string' )
string
[REQUIRED]
The name of your cluster.
string
The ARN of an AccessPolicy . When you specify an access policy ARN, only the access entries associated to that access policy are returned. For a list of available policy ARNs, use ListAccessPolicies .
integer
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
string
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
Note
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
dict
Response Syntax
{ 'accessEntries': [ 'string', ], 'nextToken': 'string' }
Response Structure
(dict) --
accessEntries (list) --
The list of access entries that exist for the cluster.
(string) --
nextToken (string) --
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
Note
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
Disassociates an access policy from an access entry.
See also: AWS API Documentation
Request Syntax
client.disassociate_access_policy( clusterName='string', principalArn='string', policyArn='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The ARN of the IAM principal for the AccessEntry .
string
[REQUIRED]
The ARN of the policy to disassociate from the access entry. For a list of associated policies ARNs, use ListAssociatedAccessPolicies .
dict
Response Syntax
{}
Response Structure
(dict) --
Describes an access entry.
See also: AWS API Documentation
Request Syntax
client.describe_access_entry( clusterName='string', principalArn='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The ARN of the IAM principal for the AccessEntry .
dict
Response Syntax
{ 'accessEntry': { 'clusterName': 'string', 'principalArn': 'string', 'kubernetesGroups': [ 'string', ], 'accessEntryArn': 'string', 'createdAt': datetime(2015, 1, 1), 'modifiedAt': datetime(2015, 1, 1), 'tags': { 'string': 'string' }, 'username': 'string', 'type': 'string' } }
Response Structure
(dict) --
accessEntry (dict) --
Information about the access entry.
clusterName (string) --
The name of your cluster.
principalArn (string) --
The ARN of the IAM principal for the access entry. If you ever delete the IAM principal with this ARN, the access entry isn't automatically deleted. We recommend that you delete the access entry with an ARN for an IAM principal that you delete. If you don't delete the access entry and ever recreate the IAM principal, even if it has the same ARN, the access entry won't work. This is because even though the ARN is the same for the recreated IAM principal, the roleID or userID (you can see this with the Security Token Service GetCallerIdentity API) is different for the recreated IAM principal than it was for the original IAM principal. Even though you don't see the IAM principal's roleID or userID for an access entry, Amazon EKS stores it with the access entry.
kubernetesGroups (list) --
A name that you've specified in a Kubernetes RoleBinding or ClusterRoleBinding object so that Kubernetes authorizes the principalARN access to cluster objects.
(string) --
accessEntryArn (string) --
The ARN of the access entry.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
modifiedAt (datetime) --
The Unix epoch timestamp for the last modification to the object.
tags (dict) --
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
username (string) --
The name of a user that can authenticate to your cluster.
type (string) --
The type of the access entry.
Creates an access entry.
An access entry allows an IAM principal to access your cluster. Access entries can replace the need to maintain entries in the aws-auth ConfigMap for authentication. You have the following options for authorizing an IAM principal to access Kubernetes objects on your cluster: Kubernetes role-based access control (RBAC), Amazon EKS, or both. Kubernetes RBAC authorization requires you to create and manage Kubernetes Role , ClusterRole , RoleBinding , and ClusterRoleBinding objects, in addition to managing access entries. If you use Amazon EKS authorization exclusively, you don't need to create and manage Kubernetes Role , ClusterRole , RoleBinding , and ClusterRoleBinding objects.
For more information about access entries, see Access entries in the Amazon EKS User Guide .
See also: AWS API Documentation
Request Syntax
client.create_access_entry( clusterName='string', principalArn='string', kubernetesGroups=[ 'string', ], tags={ 'string': 'string' }, clientRequestToken='string', username='string', type='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The ARN of the IAM principal for the AccessEntry . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.
IAM best practices recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.
list
The value for name that you've specified for kind: Group as a subject in a Kubernetes RoleBinding or ClusterRoleBinding object. Amazon EKS doesn't confirm that the value for name exists in any bindings on your cluster. You can specify one or more names.
Kubernetes authorizes the principalArn of the access entry to access any cluster objects that you've specified in a Kubernetes Role or ClusterRole object that is also specified in a binding's roleRef . For more information about creating Kubernetes RoleBinding , ClusterRoleBinding , Role , or ClusterRole objects, see Using RBAC Authorization in the Kubernetes documentation .
If you want Amazon EKS to authorize the principalArn (instead of, or in addition to Kubernetes authorizing the principalArn ), you can associate one or more access policies to the access entry using AssociateAccessPolicy . If you associate any access policies, the principalARN has all permissions assigned in the associated access policies and all permissions in any Kubernetes Role or ClusterRole objects that the group names are bound to.
(string) --
dict
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
string
The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see Creating access entries in the Amazon EKS User Guide .
string
If the principalArn is for an IAM role that's used for self-managed Amazon EC2 nodes, specify EC2_LINUX or EC2_WINDOWS . Amazon EKS grants the necessary permissions to the node for you. If the principalArn is for any other purpose, specify STANDARD . If you don't specify a value, Amazon EKS sets the value to STANDARD . It's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the aws-auth ConfigMap for the roles. You can't change this value once you've created the access entry.
If you set the value to EC2_LINUX or EC2_WINDOWS , you can't specify values for kubernetesGroups , or associate an AccessPolicy to the access entry.
dict
Response Syntax
{ 'accessEntry': { 'clusterName': 'string', 'principalArn': 'string', 'kubernetesGroups': [ 'string', ], 'accessEntryArn': 'string', 'createdAt': datetime(2015, 1, 1), 'modifiedAt': datetime(2015, 1, 1), 'tags': { 'string': 'string' }, 'username': 'string', 'type': 'string' } }
Response Structure
(dict) --
accessEntry (dict) --
An access entry allows an IAM principal (user or role) to access your cluster. Access entries can replace the need to maintain the aws-auth ConfigMap for authentication. For more information about access entries, see Access entries in the Amazon EKS User Guide .
clusterName (string) --
The name of your cluster.
principalArn (string) --
The ARN of the IAM principal for the access entry. If you ever delete the IAM principal with this ARN, the access entry isn't automatically deleted. We recommend that you delete the access entry with an ARN for an IAM principal that you delete. If you don't delete the access entry and ever recreate the IAM principal, even if it has the same ARN, the access entry won't work. This is because even though the ARN is the same for the recreated IAM principal, the roleID or userID (you can see this with the Security Token Service GetCallerIdentity API) is different for the recreated IAM principal than it was for the original IAM principal. Even though you don't see the IAM principal's roleID or userID for an access entry, Amazon EKS stores it with the access entry.
kubernetesGroups (list) --
A name that you've specified in a Kubernetes RoleBinding or ClusterRoleBinding object so that Kubernetes authorizes the principalARN access to cluster objects.
(string) --
accessEntryArn (string) --
The ARN of the access entry.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
modifiedAt (datetime) --
The Unix epoch timestamp for the last modification to the object.
tags (dict) --
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
username (string) --
The name of a user that can authenticate to your cluster.
type (string) --
The type of the access entry.
Associates an access policy and its scope to an access entry. For more information about associating access policies, see Associating and disassociating access policies to and from access entries in the Amazon EKS User Guide .
See also: AWS API Documentation
Request Syntax
client.associate_access_policy( clusterName='string', principalArn='string', policyArn='string', accessScope={ 'type': 'cluster'|'namespace', 'namespaces': [ 'string', ] } )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The Amazon Resource Name (ARN) of the IAM user or role for the AccessEntry that you're associating the access policy to.
string
[REQUIRED]
The ARN of the AccessPolicy that you're associating. For a list of ARNs, use ListAccessPolicies .
dict
[REQUIRED]
The scope for the AccessPolicy . You can scope access policies to an entire cluster or to specific Kubernetes namespaces.
type (string) --
The scope type of an access policy.
namespaces (list) --
A Kubernetes namespace that an access policy is scoped to. A value is required if you specified namespace for Type .
(string) --
dict
Response Syntax
{ 'clusterName': 'string', 'principalArn': 'string', 'associatedAccessPolicy': { 'policyArn': 'string', 'accessScope': { 'type': 'cluster'|'namespace', 'namespaces': [ 'string', ] }, 'associatedAt': datetime(2015, 1, 1), 'modifiedAt': datetime(2015, 1, 1) } }
Response Structure
(dict) --
clusterName (string) --
The name of your cluster.
principalArn (string) --
The ARN of the IAM principal for the AccessEntry .
associatedAccessPolicy (dict) --
The AccessPolicy and scope associated to the AccessEntry .
policyArn (string) --
The ARN of the AccessPolicy .
accessScope (dict) --
The scope of the access policy.
type (string) --
The scope type of an access policy.
namespaces (list) --
A Kubernetes namespace that an access policy is scoped to. A value is required if you specified namespace for Type .
(string) --
associatedAt (datetime) --
The date and time the AccessPolicy was associated with an AccessEntry .
modifiedAt (datetime) --
The Unix epoch timestamp for the last modification to the object.
Updates an access entry.
See also: AWS API Documentation
Request Syntax
client.update_access_entry( clusterName='string', principalArn='string', kubernetesGroups=[ 'string', ], clientRequestToken='string', username='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The ARN of the IAM principal for the AccessEntry .
list
The value for name that you've specified for kind: Group as a subject in a Kubernetes RoleBinding or ClusterRoleBinding object. Amazon EKS doesn't confirm that the value for name exists in any bindings on your cluster. You can specify one or more names.
Kubernetes authorizes the principalArn of the access entry to access any cluster objects that you've specified in a Kubernetes Role or ClusterRole object that is also specified in a binding's roleRef . For more information about creating Kubernetes RoleBinding , ClusterRoleBinding , Role , or ClusterRole objects, see Using RBAC Authorization in the Kubernetes documentation .
If you want Amazon EKS to authorize the principalArn (instead of, or in addition to Kubernetes authorizing the principalArn ), you can associate one or more access policies to the access entry using AssociateAccessPolicy . If you associate any access policies, the principalARN has all permissions assigned in the associated access policies and all permissions in any Kubernetes Role or ClusterRole objects that the group names are bound to.
(string) --
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
string
The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see Creating access entries in the Amazon EKS User Guide .
dict
Response Syntax
{ 'accessEntry': { 'clusterName': 'string', 'principalArn': 'string', 'kubernetesGroups': [ 'string', ], 'accessEntryArn': 'string', 'createdAt': datetime(2015, 1, 1), 'modifiedAt': datetime(2015, 1, 1), 'tags': { 'string': 'string' }, 'username': 'string', 'type': 'string' } }
Response Structure
(dict) --
accessEntry (dict) --
The ARN of the IAM principal for the AccessEntry .
clusterName (string) --
The name of your cluster.
principalArn (string) --
The ARN of the IAM principal for the access entry. If you ever delete the IAM principal with this ARN, the access entry isn't automatically deleted. We recommend that you delete the access entry with an ARN for an IAM principal that you delete. If you don't delete the access entry and ever recreate the IAM principal, even if it has the same ARN, the access entry won't work. This is because even though the ARN is the same for the recreated IAM principal, the roleID or userID (you can see this with the Security Token Service GetCallerIdentity API) is different for the recreated IAM principal than it was for the original IAM principal. Even though you don't see the IAM principal's roleID or userID for an access entry, Amazon EKS stores it with the access entry.
kubernetesGroups (list) --
A name that you've specified in a Kubernetes RoleBinding or ClusterRoleBinding object so that Kubernetes authorizes the principalARN access to cluster objects.
(string) --
accessEntryArn (string) --
The ARN of the access entry.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
modifiedAt (datetime) --
The Unix epoch timestamp for the last modification to the object.
tags (dict) --
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
username (string) --
The name of a user that can authenticate to your cluster.
type (string) --
The type of the access entry.
Lists the available access policies.
See also: AWS API Documentation
Request Syntax
client.list_access_policies( maxResults=123, nextToken='string' )
integer
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
string
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
Note
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
dict
Response Syntax
{ 'accessPolicies': [ { 'name': 'string', 'arn': 'string' }, ], 'nextToken': 'string' }
Response Structure
(dict) --
accessPolicies (list) --
The list of available access policies. You can't view the contents of an access policy using the API. To view the contents, see Access policy permissions in the Amazon EKS User Guide .
(dict) --
An access policy includes permissions that allow Amazon EKS to authorize an IAM principal to work with Kubernetes objects on your cluster. The policies are managed by Amazon EKS, but they're not IAM policies. You can't view the permissions in the policies using the API. The permissions for many of the policies are similar to the Kubernetes cluster-admin , admin , edit , and view cluster roles. For more information about these cluster roles, see User-facing roles in the Kubernetes documentation. To view the contents of the policies, see Access policy permissions in the Amazon EKS User Guide .
name (string) --
The name of the access policy.
arn (string) --
The ARN of the access policy.
nextToken (string) --
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
Note
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
Lists the access policies associated with an access entry.
See also: AWS API Documentation
Request Syntax
client.list_associated_access_policies( clusterName='string', principalArn='string', maxResults=123, nextToken='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The ARN of the IAM principal for the AccessEntry .
integer
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
string
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
Note
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
dict
Response Syntax
{ 'clusterName': 'string', 'principalArn': 'string', 'nextToken': 'string', 'associatedAccessPolicies': [ { 'policyArn': 'string', 'accessScope': { 'type': 'cluster'|'namespace', 'namespaces': [ 'string', ] }, 'associatedAt': datetime(2015, 1, 1), 'modifiedAt': datetime(2015, 1, 1) }, ] }
Response Structure
(dict) --
clusterName (string) --
The name of your cluster.
principalArn (string) --
The ARN of the IAM principal for the AccessEntry .
nextToken (string) --
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
Note
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
associatedAccessPolicies (list) --
The list of access policies associated with the access entry.
(dict) --
An access policy association.
policyArn (string) --
The ARN of the AccessPolicy .
accessScope (dict) --
The scope of the access policy.
type (string) --
The scope type of an access policy.
namespaces (list) --
A Kubernetes namespace that an access policy is scoped to. A value is required if you specified namespace for Type .
(string) --
associatedAt (datetime) --
The date and time the AccessPolicy was associated with an AccessEntry .
modifiedAt (datetime) --
The Unix epoch timestamp for the last modification to the object.
Deletes an access entry.
Deleting an access entry of a type other than Standard can cause your cluster to function improperly. If you delete an access entry in error, you can recreate it.
See also: AWS API Documentation
Request Syntax
client.delete_access_entry( clusterName='string', principalArn='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The ARN of the IAM principal for the AccessEntry .
dict
Response Syntax
{}
Response Structure
(dict) --
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Associates an encryption configuration to an existing cluster.
Use this API to enable encryption on existing clusters that don't already have encryption enabled. This allows you to implement a defense-in-depth security strategy without migrating applications to new Amazon EKS clusters.
See also: AWS API Documentation
Request Syntax
client.associate_encryption_config( clusterName='string', encryptionConfig=[ { 'resources': [ 'string', ], 'provider': { 'keyArn': 'string' } }, ], clientRequestToken='string' )
string
[REQUIRED]
The name of your cluster.
list
[REQUIRED]
The configuration you are using for encryption.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is secrets .
(string) --
provider (dict) --
Key Management Service (KMS) key. Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] } }
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Associates an identity provider configuration to a cluster.
If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster you can create Kubernetes Role and ClusterRole objects, assign permissions to them, and then bind them to the identities using Kubernetes RoleBinding and ClusterRoleBinding objects. For more information see Using RBAC Authorization in the Kubernetes documentation.
See also: AWS API Documentation
Request Syntax
client.associate_identity_provider_config( clusterName='string', oidc={ 'identityProviderConfigName': 'string', 'issuerUrl': 'string', 'clientId': 'string', 'usernameClaim': 'string', 'usernamePrefix': 'string', 'groupsClaim': 'string', 'groupsPrefix': 'string', 'requiredClaims': { 'string': 'string' } }, tags={ 'string': 'string' }, clientRequestToken='string' )
string
[REQUIRED]
The name of your cluster.
dict
[REQUIRED]
An object representing an OpenID Connect (OIDC) identity provider configuration.
identityProviderConfigName (string) -- [REQUIRED]
The name of the OIDC provider configuration.
issuerUrl (string) -- [REQUIRED]
The URL of the OIDC identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with https:// and should correspond to the iss claim in the provider's OIDC ID tokens. Based on the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com . This URL should point to the level below .well-known/openid-configuration and must be publicly accessible over the internet.
clientId (string) -- [REQUIRED]
This is also known as audience . The ID for the client application that makes authentication requests to the OIDC identity provider.
usernameClaim (string) --
The JSON Web Token (JWT) claim to use as the username. The default is sub , which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name , depending on the OIDC identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes with other plug-ins.
usernamePrefix (string) --
The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and username is a value other than email , the prefix defaults to issuerurl# . You can use the value - to disable all prefixing.
groupsClaim (string) --
The JWT claim that the provider uses to return your groups.
groupsPrefix (string) --
The prefix that is prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the value``oidc:`` will create group names like oidc:engineering and oidc:infra .
requiredClaims (dict) --
The key value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see Amazon EKS service quotas in the Amazon EKS User Guide .
(string) --
(string) --
dict
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] }, 'tags': { 'string': 'string' } }
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
tags (dict) --
The tags for the resource.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
{'accessConfig': {'authenticationMode': 'API | API_AND_CONFIG_MAP | CONFIG_MAP', 'bootstrapClusterCreatorAdminPermissions': 'boolean'}}Response
{'cluster': {'accessConfig': {'authenticationMode': 'API | API_AND_CONFIG_MAP ' '| CONFIG_MAP', 'bootstrapClusterCreatorAdminPermissions': 'boolean'}}}
Creates an Amazon EKS control plane.
The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by Amazon Web Services, and the Kubernetes API is exposed by the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single tenant and unique. It runs on its own set of Amazon EC2 instances.
The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support kubectl exec , logs , and proxy data flows).
Amazon EKS nodes run in your Amazon Web Services account and connect to your cluster's control plane over the Kubernetes API server endpoint and a certificate file that is created for your cluster.
You can use the endpointPublicAccess and endpointPrivateAccess parameters to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS Cluster Endpoint Access Control in the * Amazon EKS User Guide * .
You can use the logging parameter to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the * Amazon EKS User Guide * .
Note
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing .
In most cases, it takes several minutes to create a cluster. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch nodes into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon EKS nodes in the Amazon EKS User Guide .
See also: AWS API Documentation
Request Syntax
client.create_cluster( name='string', version='string', roleArn='string', resourcesVpcConfig={ 'subnetIds': [ 'string', ], 'securityGroupIds': [ 'string', ], 'endpointPublicAccess': True|False, 'endpointPrivateAccess': True|False, 'publicAccessCidrs': [ 'string', ] }, kubernetesNetworkConfig={ 'serviceIpv4Cidr': 'string', 'ipFamily': 'ipv4'|'ipv6' }, logging={ 'clusterLogging': [ { 'types': [ 'api'|'audit'|'authenticator'|'controllerManager'|'scheduler', ], 'enabled': True|False }, ] }, clientRequestToken='string', tags={ 'string': 'string' }, encryptionConfig=[ { 'resources': [ 'string', ], 'provider': { 'keyArn': 'string' } }, ], outpostConfig={ 'outpostArns': [ 'string', ], 'controlPlaneInstanceType': 'string', 'controlPlanePlacement': { 'groupName': 'string' } }, accessConfig={ 'bootstrapClusterCreatorAdminPermissions': True|False, 'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP' } )
string
[REQUIRED]
The unique name to give to your cluster.
string
The desired Kubernetes version for your cluster. If you don't specify a value here, the default version available in Amazon EKS is used.
Note
The default version might not be the latest version available.
string
[REQUIRED]
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf. For more information, see Amazon EKS Service IAM Role in the * Amazon EKS User Guide * .
dict
[REQUIRED]
The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide . You must specify at least two subnets. You can specify up to five security groups. However, we recommend that you use a dedicated security group for your cluster control plane.
subnetIds (list) --
Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.
(string) --
securityGroupIds (list) --
Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don't specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see Amazon EKS security group considerations in the * Amazon EKS User Guide * .
(string) --
endpointPublicAccess (boolean) --
Set this value to false to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is true , which enables public access for your Kubernetes API server. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
endpointPrivateAccess (boolean) --
Set this value to true to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is false , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and Fargate Pod in the cluster. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
(string) --
dict
The Kubernetes network configuration for the cluster.
serviceIpv4Cidr (string) --
Don't specify a value if you select ipv6 for ipFamily . The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. The block must meet the following requirements:
Within one of the following private IP address blocks: 10.0.0.0/8 , 172.16.0.0/12 , or 192.168.0.0/16 .
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12 .
Warning
You can only specify a custom CIDR block when you create a cluster. You can't change this value after the cluster is created.
ipFamily (string) --
Specify which IP family is used to assign Kubernetes pod and service IP addresses. If you don't specify a value, ipv4 is used by default. You can only specify an IP family when you create a cluster and can't change this value once the cluster is created. If you specify ipv6 , the VPC and subnets that you specify for cluster creation must have both IPv4 and IPv6 CIDR blocks assigned to them. You can't specify ipv6 for clusters in China Regions.
You can only specify ipv6 for 1.21 and later clusters that use version 1.10.1 or later of the Amazon VPC CNI add-on. If you specify ipv6 , then ensure that your VPC meets the requirements listed in the considerations listed in Assigning IPv6 addresses to pods and services in the Amazon EKS User Guide. Kubernetes assigns services IPv6 addresses from the unique local address range (fc00::/7) . You can't specify a custom IPv6 CIDR block. Pod addresses are assigned from the subnet's IPv6 CIDR.
dict
Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the * Amazon EKS User Guide * .
Note
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing .
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
list
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is secrets .
(string) --
provider (dict) --
Key Management Service (KMS) key. Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .
dict
An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. Before creating a local cluster on an Outpost, review Local clusters for Amazon EKS on Amazon Web Services Outposts in the Amazon EKS User Guide . This object isn't available for creating Amazon EKS clusters on the Amazon Web Services cloud.
outpostArns (list) -- [REQUIRED]
The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. Only a single Outpost ARN is supported.
(string) --
controlPlaneInstanceType (string) -- [REQUIRED]
The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. Choose an instance type based on the number of nodes that your cluster will have. For more information, see Capacity considerations in the Amazon EKS User Guide .
The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. The control plane is not automatically scaled by Amazon EKS.
controlPlanePlacement (dict) --
An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide .
groupName (string) --
The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation.
dict
The access configuration for the cluster.
bootstrapClusterCreatorAdminPermissions (boolean) --
Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time. The default value is true .
authenticationMode (string) --
The desired authentication mode for the cluster. If you create a cluster by using the EKS API, Amazon Web Services SDKs, or CloudFormation, the default is CONFIG_MAP . If you create the cluster by using the Amazon Web Services Management Console, the default value is API_AND_CONFIG_MAP .
dict
Response Syntax
{ 'cluster': { 'name': 'string', 'arn': 'string', 'createdAt': datetime(2015, 1, 1), 'version': 'string', 'endpoint': 'string', 'roleArn': 'string', 'resourcesVpcConfig': { 'subnetIds': [ 'string', ], 'securityGroupIds': [ 'string', ], 'clusterSecurityGroupId': 'string', 'vpcId': 'string', 'endpointPublicAccess': True|False, 'endpointPrivateAccess': True|False, 'publicAccessCidrs': [ 'string', ] }, 'kubernetesNetworkConfig': { 'serviceIpv4Cidr': 'string', 'serviceIpv6Cidr': 'string', 'ipFamily': 'ipv4'|'ipv6' }, 'logging': { 'clusterLogging': [ { 'types': [ 'api'|'audit'|'authenticator'|'controllerManager'|'scheduler', ], 'enabled': True|False }, ] }, 'identity': { 'oidc': { 'issuer': 'string' } }, 'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING'|'PENDING', 'certificateAuthority': { 'data': 'string' }, 'clientRequestToken': 'string', 'platformVersion': 'string', 'tags': { 'string': 'string' }, 'encryptionConfig': [ { 'resources': [ 'string', ], 'provider': { 'keyArn': 'string' } }, ], 'connectorConfig': { 'activationId': 'string', 'activationCode': 'string', 'activationExpiry': datetime(2015, 1, 1), 'provider': 'string', 'roleArn': 'string' }, 'id': 'string', 'health': { 'issues': [ { 'code': 'AccessDenied'|'ClusterUnreachable'|'ConfigurationConflict'|'InternalFailure'|'ResourceLimitExceeded'|'ResourceNotFound'|'IamRoleNotFound'|'VpcNotFound'|'InsufficientFreeAddresses'|'Ec2ServiceNotSubscribed'|'Ec2SubnetNotFound'|'Ec2SecurityGroupNotFound'|'KmsGrantRevoked'|'KmsKeyNotFound'|'KmsKeyMarkedForDeletion'|'KmsKeyDisabled'|'StsRegionalEndpointDisabled'|'UnsupportedVersion'|'Other', 'message': 'string', 'resourceIds': [ 'string', ] }, ] }, 'outpostConfig': { 'outpostArns': [ 'string', ], 'controlPlaneInstanceType': 'string', 'controlPlanePlacement': { 'groupName': 'string' } }, 'accessConfig': { 'bootstrapClusterCreatorAdminPermissions': True|False, 'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP' } } }
Response Structure
(dict) --
cluster (dict) --
The full description of your new cluster.
name (string) --
The name of your cluster.
arn (string) --
The Amazon Resource Name (ARN) of the cluster.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
version (string) --
The Kubernetes server version for the cluster.
endpoint (string) --
The endpoint for your Kubernetes API server.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf.
resourcesVpcConfig (dict) --
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC considerations and Cluster security group considerations in the Amazon EKS User Guide .
subnetIds (list) --
The subnets associated with your cluster.
(string) --
securityGroupIds (list) --
The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your nodes and the Kubernetes control plane.
(string) --
clusterSecurityGroupId (string) --
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
vpcId (string) --
The VPC associated with your cluster.
endpointPublicAccess (boolean) --
Whether the public API server endpoint is enabled.
endpointPrivateAccess (boolean) --
This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint.
(string) --
kubernetesNetworkConfig (dict) --
The Kubernetes network configuration for the cluster.
serviceIpv4Cidr (string) --
The CIDR block that Kubernetes Pod and Service object IP addresses are assigned from. Kubernetes assigns addresses from an IPv4 CIDR block assigned to a subnet that the node is in. If you didn't specify a CIDR block when you created the cluster, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it can't be changed.
serviceIpv6Cidr (string) --
The CIDR block that Kubernetes pod and service IP addresses are assigned from if you created a 1.21 or later cluster with version 1.10.1 or later of the Amazon VPC CNI add-on and specified ipv6 for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7 ) because you can't specify a custom IPv6 CIDR block when you create the cluster.
ipFamily (string) --
The IP family used to assign Kubernetes Pod and Service objects IP addresses. The IP family is always ipv4 , unless you have a 1.21 or later cluster running version 1.10.1 or later of the Amazon VPC CNI plugin for Kubernetes and specified ipv6 when you created the cluster.
logging (dict) --
The logging configuration for your cluster.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
identity (dict) --
The identity provider information for the cluster.
oidc (dict) --
An object representing the OpenID Connect identity provider information.
issuer (string) --
The issuer URL for the OIDC identity provider.
status (string) --
The current status of the cluster.
certificateAuthority (dict) --
The certificate-authority-data for your cluster.
data (string) --
The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.
clientRequestToken (string) --
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
platformVersion (string) --
The platform version of your Amazon EKS cluster. For more information about clusters deployed on the Amazon Web Services Cloud, see Platform versions in the * Amazon EKS User Guide * . For more information about local clusters deployed on an Outpost, see Amazon EKS local cluster platform versions in the * Amazon EKS User Guide * .
tags (dict) --
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
encryptionConfig (list) --
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is secrets .
(string) --
provider (dict) --
Key Management Service (KMS) key. Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .
connectorConfig (dict) --
The configuration used to connect to a cluster for registration.
activationId (string) --
A unique ID associated with the cluster for registration purposes.
activationCode (string) --
A unique code associated with the cluster for registration purposes.
activationExpiry (datetime) --
The expiration time of the connected cluster. The cluster's YAML file must be applied through the native provider.
provider (string) --
The cluster's cloud service provider.
roleArn (string) --
The Amazon Resource Name (ARN) of the role to communicate with services from the connected Kubernetes cluster.
id (string) --
The ID of your local Amazon EKS cluster on an Amazon Web Services Outpost. This property isn't available for an Amazon EKS cluster on the Amazon Web Services cloud.
health (dict) --
An object representing the health of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
issues (list) --
An object representing the health issues of your local Amazon EKS cluster on an Amazon Web Services Outpost.
(dict) --
An issue with your local Amazon EKS cluster on an Amazon Web Services Outpost. You can't use this API with an Amazon EKS cluster on the Amazon Web Services cloud.
code (string) --
The error code of the issue.
message (string) --
A description of the issue.
resourceIds (list) --
The resource IDs that the issue relates to.
(string) --
outpostConfig (dict) --
An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
outpostArns (list) --
The ARN of the Outpost that you specified for use with your local Amazon EKS cluster on Outposts.
(string) --
controlPlaneInstanceType (string) --
The Amazon EC2 instance type used for the control plane. The instance type is the same for all control plane instances.
controlPlanePlacement (dict) --
An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide .
groupName (string) --
The name of the placement group for the Kubernetes control plane instances.
accessConfig (dict) --
The access configuration for the cluster.
bootstrapClusterCreatorAdminPermissions (boolean) --
Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.
authenticationMode (string) --
The current authentication mode of the cluster.
{'cluster': {'accessConfig': {'authenticationMode': 'API | API_AND_CONFIG_MAP ' '| CONFIG_MAP', 'bootstrapClusterCreatorAdminPermissions': 'boolean'}}}
Deletes an Amazon EKS cluster control plane.
If you have active services in your cluster that are associated with a load balancer, you must delete those services before deleting the cluster so that the load balancers are deleted properly. Otherwise, you can have orphaned resources in your VPC that prevent you from being able to delete the VPC. For more information, see Deleting a cluster in the Amazon EKS User Guide .
If you have managed node groups or Fargate profiles attached to the cluster, you must delete them first. For more information, see DeleteNodgroup and DeleteFargateProfile .
See also: AWS API Documentation
Request Syntax
client.delete_cluster( name='string' )
string
[REQUIRED]
The name of the cluster to delete.
dict
Response Syntax
{ 'cluster': { 'name': 'string', 'arn': 'string', 'createdAt': datetime(2015, 1, 1), 'version': 'string', 'endpoint': 'string', 'roleArn': 'string', 'resourcesVpcConfig': { 'subnetIds': [ 'string', ], 'securityGroupIds': [ 'string', ], 'clusterSecurityGroupId': 'string', 'vpcId': 'string', 'endpointPublicAccess': True|False, 'endpointPrivateAccess': True|False, 'publicAccessCidrs': [ 'string', ] }, 'kubernetesNetworkConfig': { 'serviceIpv4Cidr': 'string', 'serviceIpv6Cidr': 'string', 'ipFamily': 'ipv4'|'ipv6' }, 'logging': { 'clusterLogging': [ { 'types': [ 'api'|'audit'|'authenticator'|'controllerManager'|'scheduler', ], 'enabled': True|False }, ] }, 'identity': { 'oidc': { 'issuer': 'string' } }, 'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING'|'PENDING', 'certificateAuthority': { 'data': 'string' }, 'clientRequestToken': 'string', 'platformVersion': 'string', 'tags': { 'string': 'string' }, 'encryptionConfig': [ { 'resources': [ 'string', ], 'provider': { 'keyArn': 'string' } }, ], 'connectorConfig': { 'activationId': 'string', 'activationCode': 'string', 'activationExpiry': datetime(2015, 1, 1), 'provider': 'string', 'roleArn': 'string' }, 'id': 'string', 'health': { 'issues': [ { 'code': 'AccessDenied'|'ClusterUnreachable'|'ConfigurationConflict'|'InternalFailure'|'ResourceLimitExceeded'|'ResourceNotFound'|'IamRoleNotFound'|'VpcNotFound'|'InsufficientFreeAddresses'|'Ec2ServiceNotSubscribed'|'Ec2SubnetNotFound'|'Ec2SecurityGroupNotFound'|'KmsGrantRevoked'|'KmsKeyNotFound'|'KmsKeyMarkedForDeletion'|'KmsKeyDisabled'|'StsRegionalEndpointDisabled'|'UnsupportedVersion'|'Other', 'message': 'string', 'resourceIds': [ 'string', ] }, ] }, 'outpostConfig': { 'outpostArns': [ 'string', ], 'controlPlaneInstanceType': 'string', 'controlPlanePlacement': { 'groupName': 'string' } }, 'accessConfig': { 'bootstrapClusterCreatorAdminPermissions': True|False, 'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP' } } }
Response Structure
(dict) --
cluster (dict) --
The full description of the cluster to delete.
name (string) --
The name of your cluster.
arn (string) --
The Amazon Resource Name (ARN) of the cluster.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
version (string) --
The Kubernetes server version for the cluster.
endpoint (string) --
The endpoint for your Kubernetes API server.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf.
resourcesVpcConfig (dict) --
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC considerations and Cluster security group considerations in the Amazon EKS User Guide .
subnetIds (list) --
The subnets associated with your cluster.
(string) --
securityGroupIds (list) --
The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your nodes and the Kubernetes control plane.
(string) --
clusterSecurityGroupId (string) --
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
vpcId (string) --
The VPC associated with your cluster.
endpointPublicAccess (boolean) --
Whether the public API server endpoint is enabled.
endpointPrivateAccess (boolean) --
This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint.
(string) --
kubernetesNetworkConfig (dict) --
The Kubernetes network configuration for the cluster.
serviceIpv4Cidr (string) --
The CIDR block that Kubernetes Pod and Service object IP addresses are assigned from. Kubernetes assigns addresses from an IPv4 CIDR block assigned to a subnet that the node is in. If you didn't specify a CIDR block when you created the cluster, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it can't be changed.
serviceIpv6Cidr (string) --
The CIDR block that Kubernetes pod and service IP addresses are assigned from if you created a 1.21 or later cluster with version 1.10.1 or later of the Amazon VPC CNI add-on and specified ipv6 for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7 ) because you can't specify a custom IPv6 CIDR block when you create the cluster.
ipFamily (string) --
The IP family used to assign Kubernetes Pod and Service objects IP addresses. The IP family is always ipv4 , unless you have a 1.21 or later cluster running version 1.10.1 or later of the Amazon VPC CNI plugin for Kubernetes and specified ipv6 when you created the cluster.
logging (dict) --
The logging configuration for your cluster.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
identity (dict) --
The identity provider information for the cluster.
oidc (dict) --
An object representing the OpenID Connect identity provider information.
issuer (string) --
The issuer URL for the OIDC identity provider.
status (string) --
The current status of the cluster.
certificateAuthority (dict) --
The certificate-authority-data for your cluster.
data (string) --
The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.
clientRequestToken (string) --
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
platformVersion (string) --
The platform version of your Amazon EKS cluster. For more information about clusters deployed on the Amazon Web Services Cloud, see Platform versions in the * Amazon EKS User Guide * . For more information about local clusters deployed on an Outpost, see Amazon EKS local cluster platform versions in the * Amazon EKS User Guide * .
tags (dict) --
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
encryptionConfig (list) --
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is secrets .
(string) --
provider (dict) --
Key Management Service (KMS) key. Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .
connectorConfig (dict) --
The configuration used to connect to a cluster for registration.
activationId (string) --
A unique ID associated with the cluster for registration purposes.
activationCode (string) --
A unique code associated with the cluster for registration purposes.
activationExpiry (datetime) --
The expiration time of the connected cluster. The cluster's YAML file must be applied through the native provider.
provider (string) --
The cluster's cloud service provider.
roleArn (string) --
The Amazon Resource Name (ARN) of the role to communicate with services from the connected Kubernetes cluster.
id (string) --
The ID of your local Amazon EKS cluster on an Amazon Web Services Outpost. This property isn't available for an Amazon EKS cluster on the Amazon Web Services cloud.
health (dict) --
An object representing the health of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
issues (list) --
An object representing the health issues of your local Amazon EKS cluster on an Amazon Web Services Outpost.
(dict) --
An issue with your local Amazon EKS cluster on an Amazon Web Services Outpost. You can't use this API with an Amazon EKS cluster on the Amazon Web Services cloud.
code (string) --
The error code of the issue.
message (string) --
A description of the issue.
resourceIds (list) --
The resource IDs that the issue relates to.
(string) --
outpostConfig (dict) --
An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
outpostArns (list) --
The ARN of the Outpost that you specified for use with your local Amazon EKS cluster on Outposts.
(string) --
controlPlaneInstanceType (string) --
The Amazon EC2 instance type used for the control plane. The instance type is the same for all control plane instances.
controlPlanePlacement (dict) --
An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide .
groupName (string) --
The name of the placement group for the Kubernetes control plane instances.
accessConfig (dict) --
The access configuration for the cluster.
bootstrapClusterCreatorAdminPermissions (boolean) --
Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.
authenticationMode (string) --
The current authentication mode of the cluster.
{'cluster': {'accessConfig': {'authenticationMode': 'API | API_AND_CONFIG_MAP ' '| CONFIG_MAP', 'bootstrapClusterCreatorAdminPermissions': 'boolean'}}}
Deregisters a connected cluster to remove it from the Amazon EKS control plane.
A connected cluster is a Kubernetes cluster that you've connected to your control plane using the Amazon EKS Connector .
See also: AWS API Documentation
Request Syntax
client.deregister_cluster( name='string' )
string
[REQUIRED]
The name of the connected cluster to deregister.
dict
Response Syntax
{ 'cluster': { 'name': 'string', 'arn': 'string', 'createdAt': datetime(2015, 1, 1), 'version': 'string', 'endpoint': 'string', 'roleArn': 'string', 'resourcesVpcConfig': { 'subnetIds': [ 'string', ], 'securityGroupIds': [ 'string', ], 'clusterSecurityGroupId': 'string', 'vpcId': 'string', 'endpointPublicAccess': True|False, 'endpointPrivateAccess': True|False, 'publicAccessCidrs': [ 'string', ] }, 'kubernetesNetworkConfig': { 'serviceIpv4Cidr': 'string', 'serviceIpv6Cidr': 'string', 'ipFamily': 'ipv4'|'ipv6' }, 'logging': { 'clusterLogging': [ { 'types': [ 'api'|'audit'|'authenticator'|'controllerManager'|'scheduler', ], 'enabled': True|False }, ] }, 'identity': { 'oidc': { 'issuer': 'string' } }, 'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING'|'PENDING', 'certificateAuthority': { 'data': 'string' }, 'clientRequestToken': 'string', 'platformVersion': 'string', 'tags': { 'string': 'string' }, 'encryptionConfig': [ { 'resources': [ 'string', ], 'provider': { 'keyArn': 'string' } }, ], 'connectorConfig': { 'activationId': 'string', 'activationCode': 'string', 'activationExpiry': datetime(2015, 1, 1), 'provider': 'string', 'roleArn': 'string' }, 'id': 'string', 'health': { 'issues': [ { 'code': 'AccessDenied'|'ClusterUnreachable'|'ConfigurationConflict'|'InternalFailure'|'ResourceLimitExceeded'|'ResourceNotFound'|'IamRoleNotFound'|'VpcNotFound'|'InsufficientFreeAddresses'|'Ec2ServiceNotSubscribed'|'Ec2SubnetNotFound'|'Ec2SecurityGroupNotFound'|'KmsGrantRevoked'|'KmsKeyNotFound'|'KmsKeyMarkedForDeletion'|'KmsKeyDisabled'|'StsRegionalEndpointDisabled'|'UnsupportedVersion'|'Other', 'message': 'string', 'resourceIds': [ 'string', ] }, ] }, 'outpostConfig': { 'outpostArns': [ 'string', ], 'controlPlaneInstanceType': 'string', 'controlPlanePlacement': { 'groupName': 'string' } }, 'accessConfig': { 'bootstrapClusterCreatorAdminPermissions': True|False, 'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP' } } }
Response Structure
(dict) --
cluster (dict) --
An object representing an Amazon EKS cluster.
name (string) --
The name of your cluster.
arn (string) --
The Amazon Resource Name (ARN) of the cluster.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
version (string) --
The Kubernetes server version for the cluster.
endpoint (string) --
The endpoint for your Kubernetes API server.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf.
resourcesVpcConfig (dict) --
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC considerations and Cluster security group considerations in the Amazon EKS User Guide .
subnetIds (list) --
The subnets associated with your cluster.
(string) --
securityGroupIds (list) --
The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your nodes and the Kubernetes control plane.
(string) --
clusterSecurityGroupId (string) --
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
vpcId (string) --
The VPC associated with your cluster.
endpointPublicAccess (boolean) --
Whether the public API server endpoint is enabled.
endpointPrivateAccess (boolean) --
This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint.
(string) --
kubernetesNetworkConfig (dict) --
The Kubernetes network configuration for the cluster.
serviceIpv4Cidr (string) --
The CIDR block that Kubernetes Pod and Service object IP addresses are assigned from. Kubernetes assigns addresses from an IPv4 CIDR block assigned to a subnet that the node is in. If you didn't specify a CIDR block when you created the cluster, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it can't be changed.
serviceIpv6Cidr (string) --
The CIDR block that Kubernetes pod and service IP addresses are assigned from if you created a 1.21 or later cluster with version 1.10.1 or later of the Amazon VPC CNI add-on and specified ipv6 for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7 ) because you can't specify a custom IPv6 CIDR block when you create the cluster.
ipFamily (string) --
The IP family used to assign Kubernetes Pod and Service objects IP addresses. The IP family is always ipv4 , unless you have a 1.21 or later cluster running version 1.10.1 or later of the Amazon VPC CNI plugin for Kubernetes and specified ipv6 when you created the cluster.
logging (dict) --
The logging configuration for your cluster.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
identity (dict) --
The identity provider information for the cluster.
oidc (dict) --
An object representing the OpenID Connect identity provider information.
issuer (string) --
The issuer URL for the OIDC identity provider.
status (string) --
The current status of the cluster.
certificateAuthority (dict) --
The certificate-authority-data for your cluster.
data (string) --
The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.
clientRequestToken (string) --
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
platformVersion (string) --
The platform version of your Amazon EKS cluster. For more information about clusters deployed on the Amazon Web Services Cloud, see Platform versions in the * Amazon EKS User Guide * . For more information about local clusters deployed on an Outpost, see Amazon EKS local cluster platform versions in the * Amazon EKS User Guide * .
tags (dict) --
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
encryptionConfig (list) --
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is secrets .
(string) --
provider (dict) --
Key Management Service (KMS) key. Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .
connectorConfig (dict) --
The configuration used to connect to a cluster for registration.
activationId (string) --
A unique ID associated with the cluster for registration purposes.
activationCode (string) --
A unique code associated with the cluster for registration purposes.
activationExpiry (datetime) --
The expiration time of the connected cluster. The cluster's YAML file must be applied through the native provider.
provider (string) --
The cluster's cloud service provider.
roleArn (string) --
The Amazon Resource Name (ARN) of the role to communicate with services from the connected Kubernetes cluster.
id (string) --
The ID of your local Amazon EKS cluster on an Amazon Web Services Outpost. This property isn't available for an Amazon EKS cluster on the Amazon Web Services cloud.
health (dict) --
An object representing the health of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
issues (list) --
An object representing the health issues of your local Amazon EKS cluster on an Amazon Web Services Outpost.
(dict) --
An issue with your local Amazon EKS cluster on an Amazon Web Services Outpost. You can't use this API with an Amazon EKS cluster on the Amazon Web Services cloud.
code (string) --
The error code of the issue.
message (string) --
A description of the issue.
resourceIds (list) --
The resource IDs that the issue relates to.
(string) --
outpostConfig (dict) --
An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
outpostArns (list) --
The ARN of the Outpost that you specified for use with your local Amazon EKS cluster on Outposts.
(string) --
controlPlaneInstanceType (string) --
The Amazon EC2 instance type used for the control plane. The instance type is the same for all control plane instances.
controlPlanePlacement (dict) --
An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide .
groupName (string) --
The name of the placement group for the Kubernetes control plane instances.
accessConfig (dict) --
The access configuration for the cluster.
bootstrapClusterCreatorAdminPermissions (boolean) --
Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.
authenticationMode (string) --
The current authentication mode of the cluster.
{'cluster': {'accessConfig': {'authenticationMode': 'API | API_AND_CONFIG_MAP ' '| CONFIG_MAP', 'bootstrapClusterCreatorAdminPermissions': 'boolean'}}}
Describes an Amazon EKS cluster.
The API server endpoint and certificate authority data returned by this operation are required for kubelet and kubectl to communicate with your Kubernetes API server. For more information, see Creating or updating a ``kubeconfig` file for an Amazon EKS cluster <https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html>`__ .
Note
The API server endpoint and certificate authority data aren't available until the cluster reaches the ACTIVE state.
See also: AWS API Documentation
Request Syntax
client.describe_cluster( name='string' )
string
[REQUIRED]
The name of your cluster.
dict
Response Syntax
{ 'cluster': { 'name': 'string', 'arn': 'string', 'createdAt': datetime(2015, 1, 1), 'version': 'string', 'endpoint': 'string', 'roleArn': 'string', 'resourcesVpcConfig': { 'subnetIds': [ 'string', ], 'securityGroupIds': [ 'string', ], 'clusterSecurityGroupId': 'string', 'vpcId': 'string', 'endpointPublicAccess': True|False, 'endpointPrivateAccess': True|False, 'publicAccessCidrs': [ 'string', ] }, 'kubernetesNetworkConfig': { 'serviceIpv4Cidr': 'string', 'serviceIpv6Cidr': 'string', 'ipFamily': 'ipv4'|'ipv6' }, 'logging': { 'clusterLogging': [ { 'types': [ 'api'|'audit'|'authenticator'|'controllerManager'|'scheduler', ], 'enabled': True|False }, ] }, 'identity': { 'oidc': { 'issuer': 'string' } }, 'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING'|'PENDING', 'certificateAuthority': { 'data': 'string' }, 'clientRequestToken': 'string', 'platformVersion': 'string', 'tags': { 'string': 'string' }, 'encryptionConfig': [ { 'resources': [ 'string', ], 'provider': { 'keyArn': 'string' } }, ], 'connectorConfig': { 'activationId': 'string', 'activationCode': 'string', 'activationExpiry': datetime(2015, 1, 1), 'provider': 'string', 'roleArn': 'string' }, 'id': 'string', 'health': { 'issues': [ { 'code': 'AccessDenied'|'ClusterUnreachable'|'ConfigurationConflict'|'InternalFailure'|'ResourceLimitExceeded'|'ResourceNotFound'|'IamRoleNotFound'|'VpcNotFound'|'InsufficientFreeAddresses'|'Ec2ServiceNotSubscribed'|'Ec2SubnetNotFound'|'Ec2SecurityGroupNotFound'|'KmsGrantRevoked'|'KmsKeyNotFound'|'KmsKeyMarkedForDeletion'|'KmsKeyDisabled'|'StsRegionalEndpointDisabled'|'UnsupportedVersion'|'Other', 'message': 'string', 'resourceIds': [ 'string', ] }, ] }, 'outpostConfig': { 'outpostArns': [ 'string', ], 'controlPlaneInstanceType': 'string', 'controlPlanePlacement': { 'groupName': 'string' } }, 'accessConfig': { 'bootstrapClusterCreatorAdminPermissions': True|False, 'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP' } } }
Response Structure
(dict) --
cluster (dict) --
The full description of your specified cluster.
name (string) --
The name of your cluster.
arn (string) --
The Amazon Resource Name (ARN) of the cluster.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
version (string) --
The Kubernetes server version for the cluster.
endpoint (string) --
The endpoint for your Kubernetes API server.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf.
resourcesVpcConfig (dict) --
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC considerations and Cluster security group considerations in the Amazon EKS User Guide .
subnetIds (list) --
The subnets associated with your cluster.
(string) --
securityGroupIds (list) --
The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your nodes and the Kubernetes control plane.
(string) --
clusterSecurityGroupId (string) --
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
vpcId (string) --
The VPC associated with your cluster.
endpointPublicAccess (boolean) --
Whether the public API server endpoint is enabled.
endpointPrivateAccess (boolean) --
This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint.
(string) --
kubernetesNetworkConfig (dict) --
The Kubernetes network configuration for the cluster.
serviceIpv4Cidr (string) --
The CIDR block that Kubernetes Pod and Service object IP addresses are assigned from. Kubernetes assigns addresses from an IPv4 CIDR block assigned to a subnet that the node is in. If you didn't specify a CIDR block when you created the cluster, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it can't be changed.
serviceIpv6Cidr (string) --
The CIDR block that Kubernetes pod and service IP addresses are assigned from if you created a 1.21 or later cluster with version 1.10.1 or later of the Amazon VPC CNI add-on and specified ipv6 for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7 ) because you can't specify a custom IPv6 CIDR block when you create the cluster.
ipFamily (string) --
The IP family used to assign Kubernetes Pod and Service objects IP addresses. The IP family is always ipv4 , unless you have a 1.21 or later cluster running version 1.10.1 or later of the Amazon VPC CNI plugin for Kubernetes and specified ipv6 when you created the cluster.
logging (dict) --
The logging configuration for your cluster.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
identity (dict) --
The identity provider information for the cluster.
oidc (dict) --
An object representing the OpenID Connect identity provider information.
issuer (string) --
The issuer URL for the OIDC identity provider.
status (string) --
The current status of the cluster.
certificateAuthority (dict) --
The certificate-authority-data for your cluster.
data (string) --
The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.
clientRequestToken (string) --
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
platformVersion (string) --
The platform version of your Amazon EKS cluster. For more information about clusters deployed on the Amazon Web Services Cloud, see Platform versions in the * Amazon EKS User Guide * . For more information about local clusters deployed on an Outpost, see Amazon EKS local cluster platform versions in the * Amazon EKS User Guide * .
tags (dict) --
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
encryptionConfig (list) --
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is secrets .
(string) --
provider (dict) --
Key Management Service (KMS) key. Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .
connectorConfig (dict) --
The configuration used to connect to a cluster for registration.
activationId (string) --
A unique ID associated with the cluster for registration purposes.
activationCode (string) --
A unique code associated with the cluster for registration purposes.
activationExpiry (datetime) --
The expiration time of the connected cluster. The cluster's YAML file must be applied through the native provider.
provider (string) --
The cluster's cloud service provider.
roleArn (string) --
The Amazon Resource Name (ARN) of the role to communicate with services from the connected Kubernetes cluster.
id (string) --
The ID of your local Amazon EKS cluster on an Amazon Web Services Outpost. This property isn't available for an Amazon EKS cluster on the Amazon Web Services cloud.
health (dict) --
An object representing the health of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
issues (list) --
An object representing the health issues of your local Amazon EKS cluster on an Amazon Web Services Outpost.
(dict) --
An issue with your local Amazon EKS cluster on an Amazon Web Services Outpost. You can't use this API with an Amazon EKS cluster on the Amazon Web Services cloud.
code (string) --
The error code of the issue.
message (string) --
A description of the issue.
resourceIds (list) --
The resource IDs that the issue relates to.
(string) --
outpostConfig (dict) --
An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
outpostArns (list) --
The ARN of the Outpost that you specified for use with your local Amazon EKS cluster on Outposts.
(string) --
controlPlaneInstanceType (string) --
The Amazon EC2 instance type used for the control plane. The instance type is the same for all control plane instances.
controlPlanePlacement (dict) --
An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide .
groupName (string) --
The name of the placement group for the Kubernetes control plane instances.
accessConfig (dict) --
The access configuration for the cluster.
bootstrapClusterCreatorAdminPermissions (boolean) --
Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.
authenticationMode (string) --
The current authentication mode of the cluster.
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Describes an update to an Amazon EKS resource.
When the status of the update is Succeeded , the update is complete. If an update fails, the status is Failed , and an error detail explains the reason for the failure.
See also: AWS API Documentation
Request Syntax
client.describe_update( name='string', updateId='string', nodegroupName='string', addonName='string' )
string
[REQUIRED]
The name of the Amazon EKS cluster associated with the update.
string
[REQUIRED]
The ID of the update to describe.
string
The name of the Amazon EKS node group associated with the update. This parameter is required if the update is a node group update.
string
The name of the add-on. The name must match one of the names returned by ` ListAddons https://docs.aws.amazon.com/eks/latest/APIReference/API_ListAddons.html`__ . This parameter is required if the update is an add-on update.
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] } }
Response Structure
(dict) --
update (dict) --
The full description of the specified update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Disassociates an identity provider configuration from a cluster.
If you disassociate an identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with IAM principals.
See also: AWS API Documentation
Request Syntax
client.disassociate_identity_provider_config( clusterName='string', identityProviderConfig={ 'type': 'string', 'name': 'string' }, clientRequestToken='string' )
string
[REQUIRED]
The name of your cluster.
dict
[REQUIRED]
An object representing an identity provider configuration.
type (string) -- [REQUIRED]
The type of the identity provider configuration. The only type available is oidc .
name (string) -- [REQUIRED]
The name of the identity provider configuration.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] } }
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'cluster': {'accessConfig': {'authenticationMode': 'API | API_AND_CONFIG_MAP ' '| CONFIG_MAP', 'bootstrapClusterCreatorAdminPermissions': 'boolean'}}}
Connects a Kubernetes cluster to the Amazon EKS control plane.
Any Kubernetes cluster can be connected to the Amazon EKS control plane to view current information about the cluster and its nodes.
Cluster connection requires two steps. First, send a `` RegisterClusterRequest `` to add it to the Amazon EKS control plane.
Second, a Manifest containing the activationID and activationCode must be applied to the Kubernetes cluster through it's native provider to provide visibility.
After the manifest is updated and applied, the connected cluster is visible to the Amazon EKS control plane. If the manifest isn't applied within three days, the connected cluster will no longer be visible and must be deregistered using DeregisterCluster .
See also: AWS API Documentation
Request Syntax
client.register_cluster( name='string', connectorConfig={ 'roleArn': 'string', 'provider': 'EKS_ANYWHERE'|'ANTHOS'|'GKE'|'AKS'|'OPENSHIFT'|'TANZU'|'RANCHER'|'EC2'|'OTHER' }, clientRequestToken='string', tags={ 'string': 'string' } )
string
[REQUIRED]
A unique name for this cluster in your Amazon Web Services Region.
dict
[REQUIRED]
The configuration settings required to connect the Kubernetes cluster to the Amazon EKS control plane.
roleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the role that is authorized to request the connector configuration.
provider (string) -- [REQUIRED]
The cloud provider for the target cluster to connect.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
dict
Response Syntax
{ 'cluster': { 'name': 'string', 'arn': 'string', 'createdAt': datetime(2015, 1, 1), 'version': 'string', 'endpoint': 'string', 'roleArn': 'string', 'resourcesVpcConfig': { 'subnetIds': [ 'string', ], 'securityGroupIds': [ 'string', ], 'clusterSecurityGroupId': 'string', 'vpcId': 'string', 'endpointPublicAccess': True|False, 'endpointPrivateAccess': True|False, 'publicAccessCidrs': [ 'string', ] }, 'kubernetesNetworkConfig': { 'serviceIpv4Cidr': 'string', 'serviceIpv6Cidr': 'string', 'ipFamily': 'ipv4'|'ipv6' }, 'logging': { 'clusterLogging': [ { 'types': [ 'api'|'audit'|'authenticator'|'controllerManager'|'scheduler', ], 'enabled': True|False }, ] }, 'identity': { 'oidc': { 'issuer': 'string' } }, 'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING'|'PENDING', 'certificateAuthority': { 'data': 'string' }, 'clientRequestToken': 'string', 'platformVersion': 'string', 'tags': { 'string': 'string' }, 'encryptionConfig': [ { 'resources': [ 'string', ], 'provider': { 'keyArn': 'string' } }, ], 'connectorConfig': { 'activationId': 'string', 'activationCode': 'string', 'activationExpiry': datetime(2015, 1, 1), 'provider': 'string', 'roleArn': 'string' }, 'id': 'string', 'health': { 'issues': [ { 'code': 'AccessDenied'|'ClusterUnreachable'|'ConfigurationConflict'|'InternalFailure'|'ResourceLimitExceeded'|'ResourceNotFound'|'IamRoleNotFound'|'VpcNotFound'|'InsufficientFreeAddresses'|'Ec2ServiceNotSubscribed'|'Ec2SubnetNotFound'|'Ec2SecurityGroupNotFound'|'KmsGrantRevoked'|'KmsKeyNotFound'|'KmsKeyMarkedForDeletion'|'KmsKeyDisabled'|'StsRegionalEndpointDisabled'|'UnsupportedVersion'|'Other', 'message': 'string', 'resourceIds': [ 'string', ] }, ] }, 'outpostConfig': { 'outpostArns': [ 'string', ], 'controlPlaneInstanceType': 'string', 'controlPlanePlacement': { 'groupName': 'string' } }, 'accessConfig': { 'bootstrapClusterCreatorAdminPermissions': True|False, 'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP' } } }
Response Structure
(dict) --
cluster (dict) --
An object representing an Amazon EKS cluster.
name (string) --
The name of your cluster.
arn (string) --
The Amazon Resource Name (ARN) of the cluster.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
version (string) --
The Kubernetes server version for the cluster.
endpoint (string) --
The endpoint for your Kubernetes API server.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf.
resourcesVpcConfig (dict) --
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC considerations and Cluster security group considerations in the Amazon EKS User Guide .
subnetIds (list) --
The subnets associated with your cluster.
(string) --
securityGroupIds (list) --
The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your nodes and the Kubernetes control plane.
(string) --
clusterSecurityGroupId (string) --
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
vpcId (string) --
The VPC associated with your cluster.
endpointPublicAccess (boolean) --
Whether the public API server endpoint is enabled.
endpointPrivateAccess (boolean) --
This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint.
(string) --
kubernetesNetworkConfig (dict) --
The Kubernetes network configuration for the cluster.
serviceIpv4Cidr (string) --
The CIDR block that Kubernetes Pod and Service object IP addresses are assigned from. Kubernetes assigns addresses from an IPv4 CIDR block assigned to a subnet that the node is in. If you didn't specify a CIDR block when you created the cluster, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it can't be changed.
serviceIpv6Cidr (string) --
The CIDR block that Kubernetes pod and service IP addresses are assigned from if you created a 1.21 or later cluster with version 1.10.1 or later of the Amazon VPC CNI add-on and specified ipv6 for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7 ) because you can't specify a custom IPv6 CIDR block when you create the cluster.
ipFamily (string) --
The IP family used to assign Kubernetes Pod and Service objects IP addresses. The IP family is always ipv4 , unless you have a 1.21 or later cluster running version 1.10.1 or later of the Amazon VPC CNI plugin for Kubernetes and specified ipv6 when you created the cluster.
logging (dict) --
The logging configuration for your cluster.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
identity (dict) --
The identity provider information for the cluster.
oidc (dict) --
An object representing the OpenID Connect identity provider information.
issuer (string) --
The issuer URL for the OIDC identity provider.
status (string) --
The current status of the cluster.
certificateAuthority (dict) --
The certificate-authority-data for your cluster.
data (string) --
The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.
clientRequestToken (string) --
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
platformVersion (string) --
The platform version of your Amazon EKS cluster. For more information about clusters deployed on the Amazon Web Services Cloud, see Platform versions in the * Amazon EKS User Guide * . For more information about local clusters deployed on an Outpost, see Amazon EKS local cluster platform versions in the * Amazon EKS User Guide * .
tags (dict) --
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
encryptionConfig (list) --
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is secrets .
(string) --
provider (dict) --
Key Management Service (KMS) key. Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide .
connectorConfig (dict) --
The configuration used to connect to a cluster for registration.
activationId (string) --
A unique ID associated with the cluster for registration purposes.
activationCode (string) --
A unique code associated with the cluster for registration purposes.
activationExpiry (datetime) --
The expiration time of the connected cluster. The cluster's YAML file must be applied through the native provider.
provider (string) --
The cluster's cloud service provider.
roleArn (string) --
The Amazon Resource Name (ARN) of the role to communicate with services from the connected Kubernetes cluster.
id (string) --
The ID of your local Amazon EKS cluster on an Amazon Web Services Outpost. This property isn't available for an Amazon EKS cluster on the Amazon Web Services cloud.
health (dict) --
An object representing the health of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
issues (list) --
An object representing the health issues of your local Amazon EKS cluster on an Amazon Web Services Outpost.
(dict) --
An issue with your local Amazon EKS cluster on an Amazon Web Services Outpost. You can't use this API with an Amazon EKS cluster on the Amazon Web Services cloud.
code (string) --
The error code of the issue.
message (string) --
A description of the issue.
resourceIds (list) --
The resource IDs that the issue relates to.
(string) --
outpostConfig (dict) --
An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
outpostArns (list) --
The ARN of the Outpost that you specified for use with your local Amazon EKS cluster on Outposts.
(string) --
controlPlaneInstanceType (string) --
The Amazon EC2 instance type used for the control plane. The instance type is the same for all control plane instances.
controlPlanePlacement (dict) --
An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide .
groupName (string) --
The name of the placement group for the Kubernetes control plane instances.
accessConfig (dict) --
The access configuration for the cluster.
bootstrapClusterCreatorAdminPermissions (boolean) --
Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.
authenticationMode (string) --
The current authentication mode of the cluster.
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Updates an Amazon EKS add-on.
See also: AWS API Documentation
Request Syntax
client.update_addon( clusterName='string', addonName='string', addonVersion='string', serviceAccountRoleArn='string', resolveConflicts='OVERWRITE'|'NONE'|'PRESERVE', clientRequestToken='string', configurationValues='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The name of the add-on. The name must match one of the names returned by ` ListAddons https://docs.aws.amazon.com/eks/latest/APIReference/API_ListAddons.html`__ .
string
The version of the add-on. The version must match one of the versions returned by ` DescribeAddonVersions https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeAddonVersions.html`__ .
string
The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide .
Note
To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see Enabling IAM roles for service accounts on your cluster in the Amazon EKS User Guide .
string
How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Conflicts are handled based on the option you choose:
None – Amazon EKS doesn't change the value. The update might fail.
Overwrite – Amazon EKS overwrites the changed value back to the Amazon EKS default value.
Preserve – Amazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
string
The set of configuration values for the add-on that's created. The values that you provide are validated against the schema returned by DescribeAddonConfiguration .
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] } }
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'accessConfig': {'authenticationMode': 'API | API_AND_CONFIG_MAP | ' 'CONFIG_MAP'}}Response
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate "/>.
You can use this API operation to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the * Amazon EKS User Guide * .
Note
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing .
You can also use this API operation to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
You can also use this API operation to choose different subnets and security groups for the cluster. You must specify at least two subnets that are in different Availability Zones. You can't change which VPC the subnets are from, the subnets must be in the same VPC as the subnets that the cluster was created with. For more information about the VPC requirements, see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html in the * Amazon EKS User Guide * .
Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful ), the cluster status moves to Active .
See also: AWS API Documentation
Request Syntax
client.update_cluster_config( name='string', resourcesVpcConfig={ 'subnetIds': [ 'string', ], 'securityGroupIds': [ 'string', ], 'endpointPublicAccess': True|False, 'endpointPrivateAccess': True|False, 'publicAccessCidrs': [ 'string', ] }, logging={ 'clusterLogging': [ { 'types': [ 'api'|'audit'|'authenticator'|'controllerManager'|'scheduler', ], 'enabled': True|False }, ] }, clientRequestToken='string', accessConfig={ 'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP' } )
string
[REQUIRED]
The name of the Amazon EKS cluster to update.
dict
An object representing the VPC configuration to use for an Amazon EKS cluster.
subnetIds (list) --
Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.
(string) --
securityGroupIds (list) --
Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don't specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see Amazon EKS security group considerations in the * Amazon EKS User Guide * .
(string) --
endpointPublicAccess (boolean) --
Set this value to false to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is true , which enables public access for your Kubernetes API server. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
endpointPrivateAccess (boolean) --
Set this value to true to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is false , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and Fargate Pod in the cluster. For more information, see Amazon EKS cluster endpoint access control in the * Amazon EKS User Guide * .
(string) --
dict
Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS cluster control plane logs in the * Amazon EKS User Guide * .
Note
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing .
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
The access configuration for the cluster.
authenticationMode (string) --
The desired authentication mode for the cluster.
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] } }
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Updates an Amazon EKS cluster to the specified Kubernetes version. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with the DescribeUpdate API operation.
Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful ), the cluster status moves to Active .
If your cluster has managed node groups attached to it, all of your node groups’ Kubernetes versions must match the cluster’s Kubernetes version in order to update the cluster to a new Kubernetes version.
See also: AWS API Documentation
Request Syntax
client.update_cluster_version( name='string', version='string', clientRequestToken='string' )
string
[REQUIRED]
The name of the Amazon EKS cluster to update.
string
[REQUIRED]
The desired Kubernetes version following a successful update.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] } }
Response Structure
(dict) --
update (dict) --
The full description of the specified update
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Updates an Amazon EKS managed node group configuration. Your node group continues to function during the update. The response output includes an update ID that you can use to track the status of your node group update with the DescribeUpdate API operation. Currently you can update the Kubernetes labels for a node group or the scaling configuration.
See also: AWS API Documentation
Request Syntax
client.update_nodegroup_config( clusterName='string', nodegroupName='string', labels={ 'addOrUpdateLabels': { 'string': 'string' }, 'removeLabels': [ 'string', ] }, taints={ 'addOrUpdateTaints': [ { 'key': 'string', 'value': 'string', 'effect': 'NO_SCHEDULE'|'NO_EXECUTE'|'PREFER_NO_SCHEDULE' }, ], 'removeTaints': [ { 'key': 'string', 'value': 'string', 'effect': 'NO_SCHEDULE'|'NO_EXECUTE'|'PREFER_NO_SCHEDULE' }, ] }, scalingConfig={ 'minSize': 123, 'maxSize': 123, 'desiredSize': 123 }, updateConfig={ 'maxUnavailable': 123, 'maxUnavailablePercentage': 123 }, clientRequestToken='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The name of the managed node group to update.
dict
The Kubernetes labels to apply to the nodes in the node group after the update.
addOrUpdateLabels (dict) --
The Kubernetes labels to add or update.
(string) --
(string) --
removeLabels (list) --
The Kubernetes labels to remove.
(string) --
dict
The Kubernetes taints to be applied to the nodes in the node group after the update. For more information, see Node taints on managed node groups .
addOrUpdateTaints (list) --
Kubernetes taints to be added or updated.
(dict) --
A property that allows a node to repel a Pod . For more information, see Node taints on managed node groups in the Amazon EKS User Guide .
key (string) --
The key of the taint.
value (string) --
The value of the taint.
effect (string) --
The effect of the taint.
removeTaints (list) --
Kubernetes taints to remove.
(dict) --
A property that allows a node to repel a Pod . For more information, see Node taints on managed node groups in the Amazon EKS User Guide .
key (string) --
The key of the taint.
value (string) --
The value of the taint.
effect (string) --
The effect of the taint.
dict
The scaling configuration details for the Auto Scaling group after the update.
minSize (integer) --
The minimum number of nodes that the managed node group can scale in to.
maxSize (integer) --
The maximum number of nodes that the managed node group can scale out to. For information about the maximum number that you can specify, see Amazon EKS service quotas in the Amazon EKS User Guide .
desiredSize (integer) --
The current number of nodes that the managed node group should maintain.
Warning
If you use the Kubernetes Cluster Autoscaler , you shouldn't change the desiredSize value directly, as this can cause the Cluster Autoscaler to suddenly scale up or scale down.
Whenever this parameter changes, the number of worker nodes in the node group is updated to the specified size. If this parameter is given a value that is smaller than the current number of running worker nodes, the necessary number of worker nodes are terminated to match the given value. When using CloudFormation, no action occurs if you remove this parameter from your CFN template.
This parameter can be different from minSize in some cases, such as when starting with extra hosts for testing. This parameter can also be different when you want to start with an estimated number of needed hosts, but let the Cluster Autoscaler reduce the number if there are too many. When the Cluster Autoscaler is used, the desiredSize parameter is altered by the Cluster Autoscaler (but can be out-of-date for short periods of time). the Cluster Autoscaler doesn't scale a managed node group lower than minSize or higher than maxSize .
dict
The node group update configuration.
maxUnavailable (integer) --
The maximum number of nodes unavailable at once during a version update. Nodes are updated in parallel. This value or maxUnavailablePercentage is required to have a value.The maximum number is 100.
maxUnavailablePercentage (integer) --
The maximum percentage of nodes unavailable during a version update. This percentage of nodes are updated in parallel, up to 100 nodes at once. This value or maxUnavailable is required to have a value.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] } }
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'params': {'type': {'AuthenticationMode'}}, 'type': {'AccessConfigUpdate'}}}
Updates the Kubernetes version or AMI version of an Amazon EKS managed node group.
You can update a node group using a launch template only if the node group was originally deployed with a launch template. If you need to update a custom AMI in a node group that was deployed with a launch template, then update your custom AMI, specify the new ID in a new version of the launch template, and then update the node group to the new version of the launch template.
If you update without a launch template, then you can update to the latest available AMI version of a node group's current Kubernetes version by not specifying a Kubernetes version in the request. You can update to the latest AMI version of your cluster's current Kubernetes version by specifying your cluster's Kubernetes version in the request. For information about Linux versions, see Amazon EKS optimized Amazon Linux AMI versions in the Amazon EKS User Guide . For information about Windows versions, see Amazon EKS optimized Windows AMI versions in the Amazon EKS User Guide .
You cannot roll back a node group to an earlier Kubernetes version or AMI version.
When a node in a managed node group is terminated due to a scaling action or update, every Pod on that node is drained first. Amazon EKS attempts to drain the nodes gracefully and will fail if it is unable to do so. You can force the update if Amazon EKS is unable to drain the nodes as a result of a Pod disruption budget issue.
See also: AWS API Documentation
Request Syntax
client.update_nodegroup_version( clusterName='string', nodegroupName='string', version='string', releaseVersion='string', launchTemplate={ 'name': 'string', 'version': 'string', 'id': 'string' }, force=True|False, clientRequestToken='string' )
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The name of the managed node group to update.
string
The Kubernetes version to update to. If no version is specified, then the Kubernetes version of the node group does not change. You can specify the Kubernetes version of the cluster to update the node group to the latest AMI version of the cluster's Kubernetes version. If you specify launchTemplate , and your launch template uses a custom AMI, then don't specify version , or the node group update will fail. For more information about using launch templates with Amazon EKS, see Launch template support in the Amazon EKS User Guide .
string
The AMI version of the Amazon EKS optimized AMI to use for the update. By default, the latest available AMI version for the node group's Kubernetes version is used. For information about Linux versions, see Amazon EKS optimized Amazon Linux AMI versions in the Amazon EKS User Guide . Amazon EKS managed node groups support the November 2022 and later releases of the Windows AMIs. For information about Windows versions, see Amazon EKS optimized Windows AMI versions in the Amazon EKS User Guide .
If you specify launchTemplate , and your launch template uses a custom AMI, then don't specify releaseVersion , or the node group update will fail. For more information about using launch templates with Amazon EKS, see Launch template support in the Amazon EKS User Guide .
dict
An object representing a node group's launch template specification. You can only update a node group using a launch template if the node group was originally deployed with a launch template.
name (string) --
The name of the launch template.
You must specify either the launch template name or the launch template ID in the request, but not both.
version (string) --
The version number of the launch template to use. If no version is specified, then the template's default version is used.
id (string) --
The ID of the launch template.
You must specify either the launch template ID or the launch template name in the request, but not both.
boolean
Force the update if any Pod on the existing node group can't be drained due to a Pod disruption budget issue. If an update fails because all Pods can't be drained, you can force the update after it fails to terminate the old node whether or not any Pod is running on the node.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{ 'update': { 'id': 'string', 'status': 'InProgress'|'Failed'|'Cancelled'|'Successful', 'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate', 'params': [ { 'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode', 'value': 'string' }, ], 'createdAt': datetime(2015, 1, 1), 'errors': [ { 'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound', 'errorMessage': 'string', 'resourceIds': [ 'string', ] }, ] } }
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound : We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.
EniLimitReached : You have reached the elastic network interface limit for your account.
IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied : You don't have permissions to perform the specified operation.
OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound : We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --