{
"typeName": "AWSQS::EKS::Cluster",
"description": "A resource that creates Amazon Elastic Kubernetes Service (Amazon EKS) clusters.",
"sourceUrl": "https://github.com/aws-quickstart/quickstart-amazon-eks-cluster-resource-provider.git",
"documentationUrl": "https://github.com/aws-quickstart/quickstart-amazon-eks-cluster-resource-provider/blob/main/README.md",
"definitions": {
"KubernetesApiAccessEntry": {
"type": "object",
"additionalProperties": false,
"properties": {
"Arn": {"type": "string"},
"Username": {"type": "string"},
"Groups": {"type": "array", "items": {"type": "string"}}
}
},
"Provider": {
"description": "AWS Key Management Service (AWS KMS) customer master key (CMK). Either the ARN or the alias can be used.",
"type": "object",
"additionalProperties": false,
"properties": {
"KeyArn": {
"description": "Amazon Resource Name (ARN) or alias of the customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK.",
"type": "string"
}
}
},
"EncryptionConfigEntry": {
"description": "The encryption configuration for the cluster.",
"type": "object",
"additionalProperties": false,
"properties": {
"Resources": {
"type": "array",
"description": "Specifies the resources to be encrypted. The only supported value is \"secrets\".",
"items": {
"description": "Specifies the resources to be encrypted. The only supported value is \"secrets\".",
"type": "string"
}
},
"Provider": {
"$ref": "#/definitions/Provider"
}
}
}
},
"properties": {
"Name": {
"description": "A unique name for your cluster.",
"type": "string",
"minLength": 1
},
"RoleArn": {
"description": "Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role. This provides permissions for Amazon EKS to call other AWS APIs.",
"type": "string"
},
"LambdaRoleName": {
"description": "Name of the AWS Identity and Access Management (IAM) role used for clusters that have the public endpoint disabled. This role provides the permissions for the Lambda function to be invoked and to attach to the cluster VPC.",
"type": "string",
"default": "CloudFormation-Kubernetes-VPC"
},
"Version": {
"description": "Desired Kubernetes version for your cluster. If you don't specify this value, the cluster uses the latest version from Amazon EKS.",
"type": "string",
"default": "1.21"
},
"KubernetesNetworkConfig": {
"description": "Network configuration for the Amazon EKS cluster.",
"type": "object",
"additionalProperties": false,
"properties": {
"ServiceIpv4Cidr": {
"description": "Specify the range from which cluster services will receive IPv4 addresses.",
"type": "string"
}
}
},
"ResourcesVpcConfig": {
"description": "An object that represents the virtual private cloud (VPC) configuration to use for an Amazon EKS cluster.",
"type": "object",
"properties": {
"SecurityGroupIds": {
"description": "Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to allow communication between your worker nodes and the Kubernetes control plane. If you don't specify a security group, the default security group for your VPC is used.",
"type": "array",
"items": {"type": "string"}
},
"SubnetIds": {
"description": "Specify subnets for your Amazon EKS worker nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.",
"type": "array",
"items": {"type": "string"}
},
"EndpointPublicAccess": {
"description": "Set this value to false to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is true, which enables public access to your Kubernetes API server.",
"type": "boolean"
},
"EndpointPrivateAccess": {
"description": "Set this value to true to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is false, which disables private access for your Kubernetes API server. If you disable private access and you have worker nodes or AWS Fargate pods in the cluster, ensure that PublicAccessCidrs includes the necessary CIDR blocks for communication with the worker nodes or Fargate pods.",
"type": "boolean"
},
"PublicAccessCidrs": {
"description": "The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0, which allows access from any IPv4 address. If you've disabled private endpoint access and you have worker nodes or AWS Fargate pods in the cluster, ensure that you specify the necessary CIDR blocks.",
"type": "array",
"items": {"type": "string"}
}
},
"required": ["SubnetIds"],
"additionalProperties": false
},
"EnabledClusterLoggingTypes": {
"description": "Enables exporting of logs from the Kubernetes control plane to Amazon CloudWatch Logs. By default, logs from the cluster control plane are not exported to CloudWatch Logs. The valid log types are api, audit, authenticator, controllerManager, and scheduler.",
"type": "array",
"items": {"type": "string", "pattern": "^api$|^audit$|^authenticator$|^controllerManager$|^scheduler$"}
},
"EncryptionConfig": {
"description": "Encryption configuration for the cluster.",
"type": "array",
"items": {
"$ref": "#/definitions/EncryptionConfigEntry"
}
},
"KubernetesApiAccess": {
"type": "object",
"additionalProperties": false,
"properties": {
"Roles": {
"type": "array",
"items": {
"$ref": "#/definitions/KubernetesApiAccessEntry"
}
},
"Users": {
"type": "array",
"items": {
"$ref": "#/definitions/KubernetesApiAccessEntry"
}
}
}
},
"Arn": {
"description": "ARN of the cluster (e.g., `arn:aws:eks:us-west-2:666666666666:cluster/prod`).",
"type": "string"
},
"CertificateAuthorityData": {
"description": "Certificate authority data for your cluster.",
"type": "string"
},
"ClusterSecurityGroupId": {
"description": "Security group that was created by Amazon EKS for your cluster. Managed-node groups use this security group for control-plane-to-data-plane communications.",
"type": "string"
},
"Endpoint": {
"description": "Endpoint for your Kubernetes API server (e.g., https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com).",
"type": "string"
},
"EncryptionConfigKeyArn": {
"description": "ARN or alias of the customer master key (CMK).",
"type": "string"
},
"OIDCIssuerURL": {
"description": "Issuer URL for the OpenID Connect identity provider.",
"type": "string"
},
"Tags": {
"type": "array",
"uniqueItems": false,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"Value": {
"type": "string"
},
"Key": {
"type": "string"
}
},
"required": [
"Value",
"Key"
]
}
}
},
"additionalProperties": false,
"required": [
"RoleArn",
"ResourcesVpcConfig"
],
"readOnlyProperties": [
"/properties/Arn",
"/properties/Endpoint",
"/properties/ClusterSecurityGroupId",
"/properties/CertificateAuthorityData",
"/properties/EncryptionConfigKeyArn",
"/properties/OIDCIssuerURL"
],
"createOnlyProperties": [
"/properties/Name",
"/properties/KubernetesNetworkConfig/ServiceIpv4Cidr",
"/properties/RoleArn",
"/properties/ResourcesVpcConfig/SubnetIds",
"/properties/ResourcesVpcConfig/SecurityGroupIds"
],
"primaryIdentifier": [
"/properties/Name"
],
"handlers": {
"create": {
"permissions": [
"sts:GetCallerIdentity",
"eks:CreateCluster",
"eks:DescribeCluster",
"eks:ListTagsForResource",
"eks:TagResource",
"iam:PassRole",
"sts:AssumeRole",
"lambda:UpdateFunctionConfiguration",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:CreateFunction",
"lambda:UpdateFunctionCode",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"iam:PassRole",
"cloudformation:ListExports",
"kms:DescribeKey",
"kms:CreateGrant"
]
},
"read": {
"permissions": [
"sts:GetCallerIdentity",
"eks:DescribeCluster",
"eks:ListTagsForResource",
"lambda:UpdateFunctionConfiguration",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:CreateFunction",
"lambda:UpdateFunctionCode",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"iam:PassRole",
"cloudformation:ListExports",
"kms:DescribeKey",
"kms:CreateGrant"
]
},
"update": {
"permissions": [
"sts:GetCallerIdentity",
"eks:DescribeCluster",
"eks:UpdateClusterVersion",
"eks:UpdateClusterConfig",
"eks:ListTagsForResource",
"eks:TagResource",
"eks:UntagResource",
"iam:PassRole",
"lambda:UpdateFunctionConfiguration",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:CreateFunction",
"lambda:UpdateFunctionCode",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"cloudformation:ListExports",
"kms:DescribeKey",
"kms:CreateGrant"
]
},
"delete": {
"permissions": [
"sts:GetCallerIdentity",
"eks:DescribeCluster",
"eks:ListTagsForResource",
"eks:DeleteCluster",
"lambda:UpdateFunctionConfiguration",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:CreateFunction",
"lambda:UpdateFunctionCode",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"iam:PassRole",
"cloudformation:ListExports",
"kms:DescribeKey",
"kms:CreateGrant"
]
}
}
}