2026/02/09 - Amazon Elastic Kubernetes Service - 10 updated api methods
Changes Amazon EKS adds a new DescribeUpdate update type, VendedLogsUpdate, to support an integration between EKS Auto Mode and Amazon CloudWatch Vended Logs.
{'update': {'type': {'VendedLogsUpdate'}}}
Associates an encryption configuration to an existing cluster.
Use this API to enable encryption on existing clusters that don't already have encryption enabled. This allows you to implement a defense-in-depth security strategy without migrating applications to new Amazon EKS clusters.
See also: AWS API Documentation
Request Syntax
client.associate_encryption_config(
clusterName='string',
encryptionConfig=[
{
'resources': [
'string',
],
'provider': {
'keyArn': 'string'
}
},
],
clientRequestToken='string'
)
string
[REQUIRED]
The name of your cluster.
list
[REQUIRED]
The configuration you are using for encryption.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is secrets.
(string) --
provider (dict) --
Key Management Service (KMS) key. Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'type': {'VendedLogsUpdate'}}}
Associates an identity provider configuration to a cluster.
If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster you can create Kubernetes Role and ClusterRole objects, assign permissions to them, and then bind them to the identities using Kubernetes RoleBinding and ClusterRoleBinding objects. For more information see Using RBAC Authorization in the Kubernetes documentation.
See also: AWS API Documentation
Request Syntax
client.associate_identity_provider_config(
clusterName='string',
oidc={
'identityProviderConfigName': 'string',
'issuerUrl': 'string',
'clientId': 'string',
'usernameClaim': 'string',
'usernamePrefix': 'string',
'groupsClaim': 'string',
'groupsPrefix': 'string',
'requiredClaims': {
'string': 'string'
}
},
tags={
'string': 'string'
},
clientRequestToken='string'
)
string
[REQUIRED]
The name of your cluster.
dict
[REQUIRED]
An object representing an OpenID Connect (OIDC) identity provider configuration.
identityProviderConfigName (string) -- [REQUIRED]
The name of the OIDC provider configuration.
issuerUrl (string) -- [REQUIRED]
The URL of the OIDC identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with https:// and should correspond to the iss claim in the provider's OIDC ID tokens. Based on the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. This URL should point to the level below .well-known/openid-configuration and must be publicly accessible over the internet.
clientId (string) -- [REQUIRED]
This is also known as audience. The ID for the client application that makes authentication requests to the OIDC identity provider.
usernameClaim (string) --
The JSON Web Token (JWT) claim to use as the username. The default is sub, which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name, depending on the OIDC identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes with other plug-ins.
usernamePrefix (string) --
The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and username is a value other than email, the prefix defaults to issuerurl#. You can use the value - to disable all prefixing.
groupsClaim (string) --
The JWT claim that the provider uses to return your groups.
groupsPrefix (string) --
The prefix that is prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the value `` oidc:`` will create group names like oidc:engineering and oidc:infra.
requiredClaims (dict) --
The key value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see Amazon EKS service quotas in the Amazon EKS User Guide.
(string) --
(string) --
dict
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
},
'tags': {
'string': 'string'
}
}
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
tags (dict) --
The tags for the resource.
(string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
(string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
{'update': {'type': {'VendedLogsUpdate'}}}
Describes an update to an Amazon EKS resource.
When the status of the update is Successful, the update is complete. If an update fails, the status is Failed, and an error detail explains the reason for the failure.
See also: AWS API Documentation
Request Syntax
client.describe_update(
name='string',
updateId='string',
nodegroupName='string',
addonName='string',
capabilityName='string'
)
string
[REQUIRED]
The name of the Amazon EKS cluster associated with the update.
string
[REQUIRED]
The ID of the update to describe.
string
The name of the Amazon EKS node group associated with the update. This parameter is required if the update is a node group update.
string
The name of the add-on. The name must match one of the names returned by ListAddons. This parameter is required if the update is an add-on update.
string
The name of the capability for which you want to describe updates.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
The full description of the specified update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'type': {'VendedLogsUpdate'}}}
Disassociates an identity provider configuration from a cluster.
If you disassociate an identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with IAM principals.
See also: AWS API Documentation
Request Syntax
client.disassociate_identity_provider_config(
clusterName='string',
identityProviderConfig={
'type': 'string',
'name': 'string'
},
clientRequestToken='string'
)
string
[REQUIRED]
The name of your cluster.
dict
[REQUIRED]
An object representing an identity provider configuration.
type (string) -- [REQUIRED]
The type of the identity provider configuration. The only type available is oidc.
name (string) -- [REQUIRED]
The name of the identity provider configuration.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'type': {'VendedLogsUpdate'}}}
Updates an Amazon EKS add-on.
See also: AWS API Documentation
Request Syntax
client.update_addon(
clusterName='string',
addonName='string',
addonVersion='string',
serviceAccountRoleArn='string',
resolveConflicts='OVERWRITE'|'NONE'|'PRESERVE',
clientRequestToken='string',
configurationValues='string',
podIdentityAssociations=[
{
'serviceAccount': 'string',
'roleArn': 'string'
},
]
)
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The name of the add-on. The name must match one of the names returned by ListAddons.
string
The version of the add-on. The version must match one of the versions returned by DescribeAddonVersions.
string
The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.
string
How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Conflicts are handled based on the option you choose:
None – Amazon EKS doesn't change the value. The update might fail.
Overwrite – Amazon EKS overwrites the changed value back to the Amazon EKS default value.
Preserve – Amazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
string
The set of configuration values for the add-on that's created. The values that you provide are validated against the schema returned by DescribeAddonConfiguration.
list
An array of EKS Pod Identity associations to be updated. Each association maps a Kubernetes service account to an IAM role. If this value is left blank, no change. If an empty array is provided, existing associations owned by the add-on are deleted.
For more information, see Attach an IAM Role to an Amazon EKS add-on using EKS Pod Identity in the Amazon EKS User Guide.
(dict) --
A type of EKS Pod Identity association owned by an Amazon EKS add-on.
Each association maps a role to a service account in a namespace in the cluster.
For more information, see Attach an IAM Role to an Amazon EKS add-on using EKS Pod Identity in the Amazon EKS User Guide.
serviceAccount (string) -- [REQUIRED]
The name of a Kubernetes Service Account.
roleArn (string) -- [REQUIRED]
The ARN of an IAM Role.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'type': {'VendedLogsUpdate'}}}
Updates the configuration of a managed capability in your Amazon EKS cluster. You can update the IAM role, configuration settings, and delete propagation policy for a capability.
When you update a capability, Amazon EKS applies the changes and may restart capability components as needed. The capability remains available during the update process, but some operations may be temporarily unavailable.
See also: AWS API Documentation
Request Syntax
client.update_capability(
clusterName='string',
capabilityName='string',
roleArn='string',
configuration={
'argoCd': {
'rbacRoleMappings': {
'addOrUpdateRoleMappings': [
{
'role': 'ADMIN'|'EDITOR'|'VIEWER',
'identities': [
{
'id': 'string',
'type': 'SSO_USER'|'SSO_GROUP'
},
]
},
],
'removeRoleMappings': [
{
'role': 'ADMIN'|'EDITOR'|'VIEWER',
'identities': [
{
'id': 'string',
'type': 'SSO_USER'|'SSO_GROUP'
},
]
},
]
},
'networkAccess': {
'vpceIds': [
'string',
]
}
}
},
clientRequestToken='string',
deletePropagationPolicy='RETAIN'
)
string
[REQUIRED]
The name of the Amazon EKS cluster that contains the capability you want to update configuration for.
string
[REQUIRED]
The name of the capability to update configuration for.
string
The Amazon Resource Name (ARN) of the IAM role that the capability uses to interact with Amazon Web Services services. If you specify a new role ARN, the capability will start using the new role for all subsequent operations.
dict
The updated configuration settings for the capability. You only need to specify the configuration parameters you want to change. For Argo CD capabilities, you can update RBAC role mappings and network access settings.
argoCd (dict) --
Configuration updates specific to Argo CD capabilities.
rbacRoleMappings (dict) --
Updated RBAC role mappings for the Argo CD capability. You can add, update, or remove role mappings.
addOrUpdateRoleMappings (list) --
A list of role mappings to add or update. If a mapping for the specified role already exists, it will be updated with the new identities. If it doesn't exist, a new mapping will be created.
(dict) --
A mapping between an Argo CD role and IAM Identity CenterIAM; Identity Center identities. This defines which users or groups have specific permissions in Argo CD.
role (string) -- [REQUIRED]
The Argo CD role to assign. Valid values are:
ADMIN – Full administrative access to Argo CD.
EDITOR – Edit access to Argo CD resources.
VIEWER – Read-only access to Argo CD resources.
identities (list) -- [REQUIRED]
A list of IAM Identity CenterIAM; Identity Center identities (users or groups) that should be assigned this Argo CD role.
(dict) --
An IAM Identity CenterIAM; Identity Center identity (user or group) that can be assigned permissions in a capability.
id (string) -- [REQUIRED]
The unique identifier of the IAM Identity CenterIAM; Identity Center user or group.
type (string) -- [REQUIRED]
The type of identity. Valid values are SSO_USER or SSO_GROUP.
removeRoleMappings (list) --
A list of role mappings to remove from the RBAC configuration. Each mapping specifies an Argo CD role ( ADMIN, EDITOR, or VIEWER) and the identities to remove from that role.
(dict) --
A mapping between an Argo CD role and IAM Identity CenterIAM; Identity Center identities. This defines which users or groups have specific permissions in Argo CD.
role (string) -- [REQUIRED]
The Argo CD role to assign. Valid values are:
ADMIN – Full administrative access to Argo CD.
EDITOR – Edit access to Argo CD resources.
VIEWER – Read-only access to Argo CD resources.
identities (list) -- [REQUIRED]
A list of IAM Identity CenterIAM; Identity Center identities (users or groups) that should be assigned this Argo CD role.
(dict) --
An IAM Identity CenterIAM; Identity Center identity (user or group) that can be assigned permissions in a capability.
id (string) -- [REQUIRED]
The unique identifier of the IAM Identity CenterIAM; Identity Center user or group.
type (string) -- [REQUIRED]
The type of identity. Valid values are SSO_USER or SSO_GROUP.
networkAccess (dict) --
Updated network access configuration for the Argo CD capability's managed API server endpoint. You can add or remove VPC endpoint associations to control which VPCs have private access to the Argo CD server.
vpceIds (list) --
A list of VPC endpoint IDs to associate with the managed Argo CD API server endpoint. Each VPC endpoint provides private connectivity from a specific VPC to the Argo CD server. You can specify multiple VPC endpoint IDs to enable access from multiple VPCs.
(string) --
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This token is valid for 24 hours after creation.
This field is autopopulated if not provided.
string
The updated delete propagation policy for the capability. Currently, the only supported value is RETAIN.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'type': {'VendedLogsUpdate'}}}
Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate.
You can use this operation to do the following actions:
You can use this API operation to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the Amazon EKS User Guide .
You can also use this API operation to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Cluster API server endpoint in the Amazon EKS User Guide .
You can also use this API operation to choose different subnets and security groups for the cluster. You must specify at least two subnets that are in different Availability Zones. You can't change which VPC the subnets are from, the subnets must be in the same VPC as the subnets that the cluster was created with. For more information about the VPC requirements, see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html in the Amazon EKS User Guide .
You can also use this API operation to enable or disable ARC zonal shift. If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.
You can also use this API operation to add, change, or remove the configuration in the cluster for EKS Hybrid Nodes. To remove the configuration, use the remoteNetworkConfig key with an object containing both subkeys with empty arrays for each. Here is an inline example: "remoteNetworkConfig": { "remoteNodeNetworks": [], "remotePodNetworks": [] }.
Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful), the cluster status moves to Active.
See also: AWS API Documentation
Request Syntax
client.update_cluster_config(
name='string',
resourcesVpcConfig={
'subnetIds': [
'string',
],
'securityGroupIds': [
'string',
],
'endpointPublicAccess': True|False,
'endpointPrivateAccess': True|False,
'publicAccessCidrs': [
'string',
]
},
logging={
'clusterLogging': [
{
'types': [
'api'|'audit'|'authenticator'|'controllerManager'|'scheduler',
],
'enabled': True|False
},
]
},
clientRequestToken='string',
accessConfig={
'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP'
},
upgradePolicy={
'supportType': 'STANDARD'|'EXTENDED'
},
zonalShiftConfig={
'enabled': True|False
},
computeConfig={
'enabled': True|False,
'nodePools': [
'string',
],
'nodeRoleArn': 'string'
},
kubernetesNetworkConfig={
'serviceIpv4Cidr': 'string',
'ipFamily': 'ipv4'|'ipv6',
'elasticLoadBalancing': {
'enabled': True|False
}
},
storageConfig={
'blockStorage': {
'enabled': True|False
}
},
remoteNetworkConfig={
'remoteNodeNetworks': [
{
'cidrs': [
'string',
]
},
],
'remotePodNetworks': [
{
'cidrs': [
'string',
]
},
]
},
deletionProtection=True|False,
controlPlaneScalingConfig={
'tier': 'standard'|'tier-xl'|'tier-2xl'|'tier-4xl'
}
)
string
[REQUIRED]
The name of the Amazon EKS cluster to update.
dict
An object representing the VPC configuration to use for an Amazon EKS cluster.
subnetIds (list) --
Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.
(string) --
securityGroupIds (list) --
Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don't specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see Amazon EKS security group considerations in the Amazon EKS User Guide .
(string) --
endpointPublicAccess (boolean) --
Set this value to false to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is true, which enables public access for your Kubernetes API server. The endpoint domain name and IP address family depends on the value of the ipFamily for the cluster. For more information, see Cluster API server endpoint in the Amazon EKS User Guide .
endpointPrivateAccess (boolean) --
Set this value to true to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is false, which disables private access for your Kubernetes API server. If you disable private access and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Cluster API server endpoint in the Amazon EKS User Guide .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0 and additionally ::/0 for dual-stack IPv6 clusters. If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and Fargate Pod in the cluster. For more information, see Cluster API server endpoint in the Amazon EKS User Guide .
Note that the public endpoints are dual-stack for only IPv6 clusters that are made after October 2024. You can't add IPv6 CIDR blocks to IPv4 clusters or IPv6 clusters that were made before October 2024.
(string) --
dict
Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs . By default, cluster control plane logs aren't exported to CloudWatch Logs . For more information, see Amazon EKS cluster control plane logs in the Amazon EKS User Guide .
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs . If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
The access configuration for the cluster.
authenticationMode (string) --
The desired authentication mode for the cluster.
dict
You can enable or disable extended support for clusters currently on standard support. You cannot disable extended support once it starts. You must enable extended support before your cluster exits standard support.
supportType (string) --
If the cluster is set to EXTENDED, it will enter extended support at the end of standard support. If the cluster is set to STANDARD, it will be automatically upgraded at the end of standard support.
Learn more about EKS Extended Support in the Amazon EKS User Guide.
dict
Enable or disable ARC zonal shift for the cluster. If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.
Zonal shift is a feature of Amazon Application Recovery Controller (ARC). ARC zonal shift is designed to be a temporary measure that allows you to move traffic for a resource away from an impaired AZ until the zonal shift expires or you cancel it. You can extend the zonal shift if necessary.
You can start a zonal shift for an EKS cluster, or you can allow Amazon Web Services to do it for you by enabling zonal autoshift. This shift updates the flow of east-to-west network traffic in your cluster to only consider network endpoints for Pods running on worker nodes in healthy AZs. Additionally, any ALB or NLB handling ingress traffic for applications in your EKS cluster will automatically route traffic to targets in the healthy AZs. For more information about zonal shift in EKS, see Learn about Amazon Application Recovery Controller (ARC) Zonal Shift in Amazon EKS in the Amazon EKS User Guide .
enabled (boolean) --
If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.
dict
Update the configuration of the compute capability of your EKS Auto Mode cluster. For example, enable the capability.
enabled (boolean) --
Request to enable or disable the compute capability on your EKS Auto Mode cluster. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your Amazon Web Services account.
nodePools (list) --
Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. For more information, see EKS Auto Mode Node Pools in the Amazon EKS User Guide.
(string) --
nodeRoleArn (string) --
The ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. This value cannot be changed after the compute capability of EKS Auto Mode is enabled. For more information, see the IAM Reference in the Amazon EKS User Guide.
dict
The Kubernetes network configuration for the cluster.
serviceIpv4Cidr (string) --
Don't specify a value if you select ipv6 for ipFamily. The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. The block must meet the following requirements:
Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.
ipFamily (string) --
Specify which IP family is used to assign Kubernetes pod and service IP addresses. If you don't specify a value, ipv4 is used by default. You can only specify an IP family when you create a cluster and can't change this value once the cluster is created. If you specify ipv6, the VPC and subnets that you specify for cluster creation must have both IPv4 and IPv6 CIDR blocks assigned to them. You can't specify ipv6 for clusters in China Regions.
You can only specify ipv6 for 1.21 and later clusters that use version 1.10.1 or later of the Amazon VPC CNI add-on. If you specify ipv6, then ensure that your VPC meets the requirements listed in the considerations listed in Assigning IPv6 addresses to pods and services in the Amazon EKS User Guide. Kubernetes assigns services IPv6 addresses from the unique local address range (fc00::/7). You can't specify a custom IPv6 CIDR block. Pod addresses are assigned from the subnet's IPv6 CIDR.
elasticLoadBalancing (dict) --
Request to enable or disable the load balancing capability on your EKS Auto Mode cluster. For more information, see EKS Auto Mode load balancing capability in the Amazon EKS User Guide.
enabled (boolean) --
Indicates if the load balancing capability is enabled on your EKS Auto Mode cluster. If the load balancing capability is enabled, EKS Auto Mode will create and delete load balancers in your Amazon Web Services account.
dict
Update the configuration of the block storage capability of your EKS Auto Mode cluster. For example, enable the capability.
blockStorage (dict) --
Request to configure EBS Block Storage settings for your EKS Auto Mode cluster.
enabled (boolean) --
Indicates if the block storage capability is enabled on your EKS Auto Mode cluster. If the block storage capability is enabled, EKS Auto Mode will create and delete EBS volumes in your Amazon Web Services account.
dict
The configuration in the cluster for EKS Hybrid Nodes. You can add, change, or remove this configuration after the cluster is created.
remoteNodeNetworks (list) --
The list of network CIDRs that can contain hybrid nodes.
These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator.
Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, 10.2.0.0/16).
It must satisfy the following requirements:
Each block must be within an IPv4 RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including Transit Gateway, Site-to-Site VPN, or Direct Connect.
Each host must allow outbound connection to the EKS cluster control plane on TCP ports 443 and 10250.
Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.
Each host must allow TCP and UDP network connectivity to and from other hosts that are running CoreDNS on UDP port 53 for service and pod DNS names.
(dict) --
A network CIDR that can contain hybrid nodes.
These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator.
Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, 10.2.0.0/16).
It must satisfy the following requirements:
Each block must be within an IPv4 RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including Transit Gateway, Site-to-Site VPN, or Direct Connect.
Each host must allow outbound connection to the EKS cluster control plane on TCP ports 443 and 10250.
Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.
Each host must allow TCP and UDP network connectivity to and from other hosts that are running CoreDNS on UDP port 53 for service and pod DNS names.
cidrs (list) --
A network CIDR that can contain hybrid nodes.
These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator.
Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, 10.2.0.0/16).
It must satisfy the following requirements:
Each block must be within an IPv4 RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including Transit Gateway, Site-to-Site VPN, or Direct Connect.
Each host must allow outbound connection to the EKS cluster control plane on TCP ports 443 and 10250.
Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.
Each host must allow TCP and UDP network connectivity to and from other hosts that are running CoreDNS on UDP port 53 for service and pod DNS names.
(string) --
remotePodNetworks (list) --
The list of network CIDRs that can contain pods that run Kubernetes webhooks on hybrid nodes.
These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.
Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, 10.2.0.0/16).
It must satisfy the following requirements:
Each block must be within an IPv4 RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
(dict) --
A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes.
These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.
Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, 10.2.0.0/16).
It must satisfy the following requirements:
Each block must be within an IPv4 RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
cidrs (list) --
A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes.
These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.
Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, 10.2.0.0/16).
It must satisfy the following requirements:
Each block must be within an IPv4 RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
(string) --
boolean
Specifies whether to enable or disable deletion protection for the cluster. When enabled ( true), the cluster cannot be deleted until deletion protection is explicitly disabled. When disabled ( false), the cluster can be deleted normally.
dict
The control plane scaling tier configuration. For more information, see EKS Provisioned Control Plane in the Amazon EKS User Guide.
tier (string) --
The control plane scaling tier configuration. Available options are standard, tier-xl, tier-2xl, or tier-4xl. For more information, see EKS Provisioned Control Plane in the Amazon EKS User Guide.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'type': {'VendedLogsUpdate'}}}
Updates an Amazon EKS cluster to the specified Kubernetes version. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with the DescribeUpdate API operation.
Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful), the cluster status moves to Active.
If your cluster has managed node groups attached to it, all of your node groups' Kubernetes versions must match the cluster's Kubernetes version in order to update the cluster to a new Kubernetes version.
See also: AWS API Documentation
Request Syntax
client.update_cluster_version(
name='string',
version='string',
clientRequestToken='string',
force=True|False
)
string
[REQUIRED]
The name of the Amazon EKS cluster to update.
string
[REQUIRED]
The desired Kubernetes version following a successful update.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
boolean
Set this value to true to override upgrade-blocking readiness checks when updating a cluster.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
The full description of the specified update
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'type': {'VendedLogsUpdate'}}}
Updates an Amazon EKS managed node group configuration. Your node group continues to function during the update. The response output includes an update ID that you can use to track the status of your node group update with the DescribeUpdate API operation. You can update the Kubernetes labels and taints for a node group and the scaling and version update configuration.
See also: AWS API Documentation
Request Syntax
client.update_nodegroup_config(
clusterName='string',
nodegroupName='string',
labels={
'addOrUpdateLabels': {
'string': 'string'
},
'removeLabels': [
'string',
]
},
taints={
'addOrUpdateTaints': [
{
'key': 'string',
'value': 'string',
'effect': 'NO_SCHEDULE'|'NO_EXECUTE'|'PREFER_NO_SCHEDULE'
},
],
'removeTaints': [
{
'key': 'string',
'value': 'string',
'effect': 'NO_SCHEDULE'|'NO_EXECUTE'|'PREFER_NO_SCHEDULE'
},
]
},
scalingConfig={
'minSize': 123,
'maxSize': 123,
'desiredSize': 123
},
updateConfig={
'maxUnavailable': 123,
'maxUnavailablePercentage': 123,
'updateStrategy': 'DEFAULT'|'MINIMAL'
},
nodeRepairConfig={
'enabled': True|False,
'maxUnhealthyNodeThresholdCount': 123,
'maxUnhealthyNodeThresholdPercentage': 123,
'maxParallelNodesRepairedCount': 123,
'maxParallelNodesRepairedPercentage': 123,
'nodeRepairConfigOverrides': [
{
'nodeMonitoringCondition': 'string',
'nodeUnhealthyReason': 'string',
'minRepairWaitTimeMins': 123,
'repairAction': 'Replace'|'Reboot'|'NoAction'
},
]
},
clientRequestToken='string'
)
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The name of the managed node group to update.
dict
The Kubernetes labels to apply to the nodes in the node group after the update.
addOrUpdateLabels (dict) --
The Kubernetes labels to add or update.
(string) --
(string) --
removeLabels (list) --
The Kubernetes labels to remove.
(string) --
dict
The Kubernetes taints to be applied to the nodes in the node group after the update. For more information, see Node taints on managed node groups.
addOrUpdateTaints (list) --
Kubernetes taints to be added or updated.
(dict) --
A property that allows a node to repel a Pod. For more information, see Node taints on managed node groups in the Amazon EKS User Guide.
key (string) --
The key of the taint.
value (string) --
The value of the taint.
effect (string) --
The effect of the taint.
removeTaints (list) --
Kubernetes taints to remove.
(dict) --
A property that allows a node to repel a Pod. For more information, see Node taints on managed node groups in the Amazon EKS User Guide.
key (string) --
The key of the taint.
value (string) --
The value of the taint.
effect (string) --
The effect of the taint.
dict
The scaling configuration details for the Auto Scaling group after the update.
minSize (integer) --
The minimum number of nodes that the managed node group can scale in to.
maxSize (integer) --
The maximum number of nodes that the managed node group can scale out to. For information about the maximum number that you can specify, see Amazon EKS service quotas in the Amazon EKS User Guide.
desiredSize (integer) --
The current number of nodes that the managed node group should maintain.
Whenever this parameter changes, the number of worker nodes in the node group is updated to the specified size. If this parameter is given a value that is smaller than the current number of running worker nodes, the necessary number of worker nodes are terminated to match the given value. When using CloudFormation, no action occurs if you remove this parameter from your CFN template.
This parameter can be different from minSize in some cases, such as when starting with extra hosts for testing. This parameter can also be different when you want to start with an estimated number of needed hosts, but let the Cluster Autoscaler reduce the number if there are too many. When the Cluster Autoscaler is used, the desiredSize parameter is altered by the Cluster Autoscaler (but can be out-of-date for short periods of time). the Cluster Autoscaler doesn't scale a managed node group lower than minSize or higher than maxSize.
dict
The node group update configuration.
maxUnavailable (integer) --
The maximum number of nodes unavailable at once during a version update. Nodes are updated in parallel. This value or maxUnavailablePercentage is required to have a value.The maximum number is 100.
maxUnavailablePercentage (integer) --
The maximum percentage of nodes unavailable during a version update. This percentage of nodes are updated in parallel, up to 100 nodes at once. This value or maxUnavailable is required to have a value.
updateStrategy (string) --
The configuration for the behavior to follow during a node group version update of this managed node group. You choose between two possible strategies for replacing nodes during an UpdateNodegroupVersion action.
An Amazon EKS managed node group updates by replacing nodes with new nodes of newer AMI versions in parallel. The update strategy changes the managed node update behavior of the managed node group for each quantity. The default strategy has guardrails to protect you from misconfiguration and launches the new instances first, before terminating the old instances. The minimal strategy removes the guardrails and terminates the old instances before launching the new instances. This minimal strategy is useful in scenarios where you are constrained to resources or costs (for example, with hardware accelerators such as GPUs).
dict
The node auto repair configuration for the node group.
enabled (boolean) --
Specifies whether to enable node auto repair for the node group. Node auto repair is disabled by default.
maxUnhealthyNodeThresholdCount (integer) --
Specify a count threshold of unhealthy nodes, above which node auto repair actions will stop. When using this, you cannot also set maxUnhealthyNodeThresholdPercentage at the same time.
maxUnhealthyNodeThresholdPercentage (integer) --
Specify a percentage threshold of unhealthy nodes, above which node auto repair actions will stop. When using this, you cannot also set maxUnhealthyNodeThresholdCount at the same time.
maxParallelNodesRepairedCount (integer) --
Specify the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a count of unhealthy nodes. This gives you finer-grained control over the pace of node replacements. When using this, you cannot also set maxParallelNodesRepairedPercentage at the same time.
maxParallelNodesRepairedPercentage (integer) --
Specify the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a percentage of unhealthy nodes. This gives you finer-grained control over the pace of node replacements. When using this, you cannot also set maxParallelNodesRepairedCount at the same time.
nodeRepairConfigOverrides (list) --
Specify granular overrides for specific repair actions. These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
(dict) --
Specify granular overrides for specific repair actions. These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
nodeMonitoringCondition (string) --
Specify an unhealthy condition reported by the node monitoring agent that this override would apply to.
nodeUnhealthyReason (string) --
Specify a reason reported by the node monitoring agent that this override would apply to.
minRepairWaitTimeMins (integer) --
Specify the minimum time in minutes to wait before attempting to repair a node with this specific nodeMonitoringCondition and nodeUnhealthyReason.
repairAction (string) --
Specify the repair action to take for nodes when all of the specified conditions are met.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --
{'update': {'type': {'VendedLogsUpdate'}}}
Updates the Kubernetes version or AMI version of an Amazon EKS managed node group.
You can update a node group using a launch template only if the node group was originally deployed with a launch template. Additionally, the launch template ID or name must match what was used when the node group was created. You can update the launch template version with necessary changes.
If you need to update a custom AMI in a node group that was deployed with a launch template, then update your custom AMI, specify the new ID in a new version of the launch template, and then update the node group to the new version of the launch template.
If you update without a launch template, then you can update to the latest available AMI version of a node group's current Kubernetes version by not specifying a Kubernetes version in the request. You can update to the latest AMI version of your cluster's current Kubernetes version by specifying your cluster's Kubernetes version in the request. For information about Linux versions, see Amazon EKS optimized Amazon Linux AMI versions in the Amazon EKS User Guide. For information about Windows versions, see Amazon EKS optimized Windows AMI versions in the Amazon EKS User Guide.
You cannot roll back a node group to an earlier Kubernetes version or AMI version.
When a node in a managed node group is terminated due to a scaling action or update, every Pod on that node is drained first. Amazon EKS attempts to drain the nodes gracefully and will fail if it is unable to do so. You can force the update if Amazon EKS is unable to drain the nodes as a result of a Pod disruption budget issue.
See also: AWS API Documentation
Request Syntax
client.update_nodegroup_version(
clusterName='string',
nodegroupName='string',
version='string',
releaseVersion='string',
launchTemplate={
'name': 'string',
'version': 'string',
'id': 'string'
},
force=True|False,
clientRequestToken='string'
)
string
[REQUIRED]
The name of your cluster.
string
[REQUIRED]
The name of the managed node group to update.
string
The Kubernetes version to update to. If no version is specified, then the node group will be updated to match the cluster's current Kubernetes version, and the latest available AMI for that version will be used. You can also specify the Kubernetes version of the cluster to update the node group to the latest AMI version of the cluster's Kubernetes version. If you specify launchTemplate, and your launch template uses a custom AMI, then don't specify version, or the node group update will fail. For more information about using launch templates with Amazon EKS, see Customizing managed nodes with launch templates in the Amazon EKS User Guide.
string
The AMI version of the Amazon EKS optimized AMI to use for the update. By default, the latest available AMI version for the node group's Kubernetes version is used. For information about Linux versions, see Amazon EKS optimized Amazon Linux AMI versions in the Amazon EKS User Guide. Amazon EKS managed node groups support the November 2022 and later releases of the Windows AMIs. For information about Windows versions, see Amazon EKS optimized Windows AMI versions in the Amazon EKS User Guide.
If you specify launchTemplate, and your launch template uses a custom AMI, then don't specify releaseVersion, or the node group update will fail. For more information about using launch templates with Amazon EKS, see Customizing managed nodes with launch templates in the Amazon EKS User Guide.
dict
An object representing a node group's launch template specification. You can only update a node group using a launch template if the node group was originally deployed with a launch template. When updating, you must specify the same launch template ID or name that was used to create the node group.
name (string) --
The name of the launch template.
You must specify either the launch template name or the launch template ID in the request, but not both. After node group creation, you cannot use a different name.
version (string) --
The version number of the launch template to use. If no version is specified, then the template's default version is used. You can use a different version for node group updates.
id (string) --
The ID of the launch template.
You must specify either the launch template ID or the launch template name in the request, but not both. After node group creation, you cannot use a different ID.
boolean
Force the update if any Pod on the existing node group can't be drained due to a Pod disruption budget issue. If an update fails because all Pods can't be drained, you can force the update after it fails to terminate the old node whether or not any Pod is running on the node.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{
'update': {
'id': 'string',
'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate'|'UpgradePolicyUpdate'|'ZonalShiftConfigUpdate'|'AutoModeUpdate'|'RemoteNetworkConfigUpdate'|'DeletionProtectionUpdate'|'ControlPlaneScalingConfigUpdate'|'VendedLogsUpdate',
'params': [
{
'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'NodeRepairEnabled'|'UpdateStrategy'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations'|'UpgradePolicy'|'ZonalShiftConfig'|'ComputeConfig'|'StorageConfig'|'KubernetesNetworkConfig'|'RemoteNetworkConfig'|'DeletionProtection'|'NodeRepairConfig'|'UpdatedTier'|'PreviousTier',
'value': 'string'
},
],
'createdAt': datetime(2015, 1, 1),
'errors': [
{
'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
'errorMessage': 'string',
'resourceIds': [
'string',
]
},
]
}
}
Response Structure
(dict) --
update (dict) --
An object representing an asynchronous update.
id (string) --
A UUID that is used to track the update.
status (string) --
The current status of the update.
type (string) --
The type of the update.
params (list) --
A key-value map that contains the parameters associated with the update.
(dict) --
An object representing the details of an update request.
type (string) --
The keys associated with an update request.
value (string) --
The value of the keys submitted as part of an update request.
createdAt (datetime) --
The Unix epoch timestamp at object creation.
errors (list) --
Any errors associated with a Failed update.
(dict) --
An object representing an error when an asynchronous operation fails.
errorCode (string) --
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
errorMessage (string) --
A more complete description of the error.
resourceIds (list) --
An optional field that contains the resource IDs associated with the error.
(string) --