EKS
Amazon Elastic Kubernetes Service (EKS) is a managed service that helps you easily run Kubernetes on AWS without the need to install or operate your own Kubernetes control plane or worker nodes. EKS automatically manages the availability and scalability of the K8s control plane nodes, responsible for scheduling containers, managing application availability, storing cluster data, and other key tasks. It integrates with many other AWS services to provide scalability and security for your applications.
aws_eks_cluster attributes:

The following arguments are required:

  • name – (Required) Name of the cluster. Must be between 1 and 100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (^[0-9A-Za-z][A-Za-z0-9\-_]+$).
  • role_arn - (Required) ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding depends_on if using the aws_iam_role_policy resource or aws_iam_role_policy_attachment resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion.
  • vpc_config - (Required) Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.

The following arguments are optional:

  • enabled_cluster_log_types - (Optional) List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
  • encryption_config - (Optional) Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
  • kubernetes_network_config - (Optional) Configuration block with Kubernetes network configuration for the cluster. Detailed below. If removed, Terraform will only perform drift detection if a configuration value is provided.
  • outpost_config - (Optional) Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • version – (Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.

encryption_config

The following arguments are supported in the encryption_config configuration block:

  • provider - (Required) Configuration block with provider for encryption. Detailed below.
  • resources - (Required) List of strings with resources to be encrypted. Valid values: secrets.

provider

The following arguments are supported in the provider configuration block:

vpc_config

The following arguments are supported in the vpc_config configuration block:

  • endpoint_private_access - (Optional) Whether the Amazon EKS private API server endpoint is enabled. Default is false.
  • endpoint_public_access - (Optional) Whether the Amazon EKS public API server endpoint is enabled. Default is true.
  • public_access_cidrs - (Optional) List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. Terraform will only perform drift detection of its value when present in a configuration.
  • security_group_ids – (Optional) List of security group IDs for the cross-account elastic network interfaces that Amazon EKS creates to use to allow communication between your worker nodes and the Kubernetes control plane.
  • subnet_ids – (Required) List of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.

kubernetes_network_config

The following arguments are supported in the kubernetes_network_config configuration block:

  • service_ipv4_cidr - (Optional) The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value will force a new cluster to be created. The block must meet the following requirements:
      ◦ Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
      ◦ Doesn't overlap with any CIDR block assigned to the VPC that you selected for the cluster.
      ◦ Between /24 and /12.
  • ip_family - (Optional) The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created.
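The three requirements on service_ipv4_cidr are worth checking before a plan is applied: the EKS API only rejects a bad block at create time, and because the value forces replacement, a wrong choice means rebuilding the cluster. The following Python script is an added example, not part of this page or of the Terraform provider; it uses only the standard-library ipaddress module, and the candidate blocks and VPC CIDRs in it are constructed sample values.

```python
"""Validate a candidate EKS service_ipv4_cidr against the documented rules.

Added example, not part of the CloudWiki page or the Terraform provider.
Rules checked (from the kubernetes_network_config documentation):
  1. inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16
  2. prefix length between /12 and /24 inclusive
  3. no overlap with any CIDR block attached to the cluster VPC
The VPC CIDRs are supplied by the caller; values in main() are constructed.
"""
import ipaddress

# Private ranges the EKS documentation allows for the service CIDR
ALLOWED_PARENT_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)
MIN_PREFIX = 12  # largest permitted block (/12)
MAX_PREFIX = 24  # smallest permitted block (/24)


def validate_service_cidr(candidate, vpc_cidrs):
    """Return a list of rule violations; an empty list means the block is acceptable."""
    problems = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.100.1.0/16
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    if net.version != 4:
        return ["service_ipv4_cidr must be an IPv4 block"]

    # Rule 1: the block must sit entirely inside one permitted private range
    if not any(net.subnet_of(parent) for parent in ALLOWED_PARENT_BLOCKS):
        problems.append(
            f"{net} is not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")

    # Rule 2: prefix length between /12 and /24
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(
            f"prefix /{net.prefixlen} is outside the allowed range /12 to /24")

    # Rule 3: no overlap with any IPv4 CIDR assigned to the VPC
    for vpc_cidr in vpc_cidrs:
        vpc_net = ipaddress.ip_network(vpc_cidr, strict=False)
        if vpc_net.version == 4 and net.overlaps(vpc_net):
            problems.append(f"{net} overlaps VPC CIDR {vpc_net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a VPC using 172.16.0.0/12 and the two EKS default blocks
    vpc = ["172.16.0.0/12"]
    for candidate in ("10.100.0.0/16", "172.20.0.0/16", "10.0.0.0/8", "8.8.0.0/16"):
        result = validate_service_cidr(candidate, vpc)
        print(candidate, "OK" if not result else "; ".join(result))
```

Run it against the real VPC CIDRs (for example the output of aws ec2 describe-vpcs) before committing a kubernetes_network_config block; the second EKS default, 172.20.0.0/16, is rejected in the sample because it falls inside the VPC's 172.16.0.0/12.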

outpost_config

The following arguments are supported in the outpost_config configuration block:

  • control_plane_instance_type - (Required) The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have. If your cluster will have:
      ◦ 1–20 nodes, then we recommend specifying a large instance type.
      ◦ 21–100 nodes, then we recommend specifying an xlarge instance type.
      ◦ 101–250 nodes, then we recommend specifying a 2xlarge instance type.

For a list of the available Amazon EC2 instance types, see Compute and storage in AWS Outposts rack features. The control plane is not automatically scaled by Amazon EKS.

  • outpost_arns - (Required) The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of ARNs, but only a single Outpost ARN is currently supported.

Create EKS via Terraform:

The following HCL creates an EKS cluster:

resource "aws_eks_cluster" "example" {
 name     = "example"
 role_arn = aws_iam_role.example.arn

 vpc_config {
   subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
 }

 # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
 # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
 depends_on = [
   aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy,
   aws_iam_role_policy_attachment.example-AmazonEKSVPCResourceController,
 ]
}

output "endpoint" {
 value = aws_eks_cluster.example.endpoint
}

output "kubeconfig-certificate-authority-data" {
 value = aws_eks_cluster.example.certificate_authority[0].data
}

Create EKS via CLI:

Parameters:

create-cluster
--name <value>
--role-arn <value>
--resources-vpc-config <value>
[--kubernetes-network-config <value>]
[--logging <value>]
[--client-request-token <value>]
[--tags <value>]
[--encryption-config <value>]
[--outpost-config <value>]
[--kubernetes-version <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws eks create-cluster --name prod \
--role-arn arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI \
--resources-vpc-config subnetIds=subnet-6782e71e,subnet-e7e761ac,securityGroupIds=sg-6979fe18

Best Practices for EKS

Categorized by Availability, Security & Compliance and Cost

  • Critical: EKS cluster delete alarm
  • Info: Ensure EKS Private access is enabled
  • Warning: Ensure EKS Public access is disabled
  • Critical: Ensure EKS Public access is restricted to specific sources
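The three endpoint rules above map directly onto fields of the cluster object returned by aws eks describe-cluster: resourcesVpcConfig.endpointPrivateAccess, resourcesVpcConfig.endpointPublicAccess and resourcesVpcConfig.publicAccessCidrs, which correspond to the endpoint_private_access, endpoint_public_access and public_access_cidrs arguments documented earlier. The following Python script is an added example, not CloudWiki's rule engine or AWS code. It evaluates one cluster object against those three rules with the severities listed above, and additionally checks the two optional arguments documented earlier, enabled_cluster_log_types (API field logging.clusterLogging) and encryption_config (API field encryptionConfig), at an Info severity assigned here. The cluster description embedded in it is a constructed sample, not output from a real account.

```python
"""Evaluate an EKS cluster description against the best-practice rules on this page.

Added example, not part of CloudWiki or of the AWS CLI. Input is the `cluster`
object from `aws eks describe-cluster`; the field names used below
(resourcesVpcConfig.endpointPrivateAccess / endpointPublicAccess /
publicAccessCidrs, logging.clusterLogging, encryptionConfig) are the EKS API
names. The sample below is constructed, not captured from a real account.
"""
import json

# The five control plane log types that enabled_cluster_log_types can enable
CONTROL_PLANE_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}

# Constructed sample: a freshly created cluster left on EKS defaults
SAMPLE_DESCRIBE_CLUSTER = json.loads("""
{
  "cluster": {
    "name": "example",
    "resourcesVpcConfig": {
      "subnetIds": ["subnet-6782e71e", "subnet-e7e761ac"],
      "endpointPublicAccess": true,
      "endpointPrivateAccess": false,
      "publicAccessCidrs": ["0.0.0.0/0"]
    },
    "logging": {
      "clusterLogging": [
        {"types": ["api", "audit"], "enabled": true},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": false}
      ]
    },
    "encryptionConfig": []
  }
}
""")


def evaluate_cluster(cluster):
    """Return a list of (severity, rule, detail) findings for one cluster object."""
    findings = []
    vpc = cluster.get("resourcesVpcConfig", {})
    private_access = vpc.get("endpointPrivateAccess", False)       # EKS default: false
    public_access = vpc.get("endpointPublicAccess", True)          # EKS default: true
    public_cidrs = vpc.get("publicAccessCidrs", ["0.0.0.0/0"])     # EKS default: 0.0.0.0/0

    # Info: without the private endpoint, in-VPC clients reach the API server via the public one
    if not private_access:
        findings.append(("Info", "Ensure EKS Private access is enabled",
                         "endpointPrivateAccess is false"))

    # Warning: a public endpoint exposes the API server to the internet
    if public_access:
        findings.append(("Warning", "Ensure EKS Public access is disabled",
                         "endpointPublicAccess is true"))
        # Critical: if public, it must at least be restricted to specific source ranges
        if "0.0.0.0/0" in public_cidrs:
            findings.append(("Critical", "Ensure EKS Public access is restricted to specific sources",
                             "publicAccessCidrs contains 0.0.0.0/0"))

    # Added check (Info): control plane logging, compared against all five log types
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    missing = sorted(CONTROL_PLANE_LOG_TYPES - enabled)
    if missing:
        findings.append(("Info", "Enable all control plane log types",
                         "not enabled: " + ", ".join(missing)))

    # Added check (Info): envelope encryption of Kubernetes secrets with a KMS key
    encrypted = any("secrets" in cfg.get("resources", []) and cfg.get("provider", {}).get("keyArn")
                    for cfg in cluster.get("encryptionConfig", []))
    if not encrypted:
        findings.append(("Info", "Enable envelope encryption for secrets",
                         "no encryptionConfig entry covers 'secrets'"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in evaluate_cluster(SAMPLE_DESCRIBE_CLUSTER["cluster"]):
        print(f"[{severity}] {rule}: {detail}")
```

To run it against a live cluster, pipe aws eks describe-cluster --name NAME into the script and pass json.load(sys.stdin)["cluster"] to evaluate_cluster; the sample cluster on defaults produces all three endpoint findings, while a cluster with the public endpoint disabled produces none of them regardless of publicAccessCidrs, since that list only matters while the public endpoint is enabled.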