{ "description": "AWSManagedControlPlane is the schema for the Amazon EKS Managed Control Plane API.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "AWSManagedControlPlaneSpec defines the desired state of an Amazon EKS Cluster.", "properties": { "additionalTags": { "additionalProperties": { "type": "string" }, "description": "AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the\nones added by default.", "type": "object" }, "addons": { "description": "Addons defines the EKS addons to enable with the EKS cluster.", "items": { "description": "Addon represents a EKS addon.", "properties": { "configuration": { "description": "Configuration of the EKS addon", "type": "string" }, "conflictResolution": { "default": "none", "description": "ConflictResolution is used to declare what should happen if there\nare parameter conflicts. Defaults to none", "enum": [ "overwrite", "none" ], "type": "string" }, "name": { "description": "Name is the name of the addon", "minLength": 2, "type": "string" }, "serviceAccountRoleARN": { "description": "ServiceAccountRoleArn is the ARN of an IAM role to bind to the addons service account", "type": "string" }, "version": { "description": "Version is the version of the addon to use", "type": "string" } }, "required": [ "name", "version" ], "type": "object", "additionalProperties": false }, "type": "array" }, "associateOIDCProvider": { "default": false, "description": "AssociateOIDCProvider can be enabled to automatically create an identity\nprovider for the controller for use with IAM roles for service accounts", "type": "boolean" }, "bastion": { "description": "Bastion contains options to configure the bastion host.", "properties": { "allowedCIDRBlocks": { "description": "AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.\nThey are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).", "items": { "type": "string" }, "type": "array" }, "ami": { "description": "AMI will use the specified AMI to boot the bastion. If not specified,\nthe AMI will default to one picked out in public space.", "type": "string" }, "disableIngressRules": { "description": "DisableIngressRules will ensure there are no Ingress rules in the bastion host's security group.\nRequires AllowedCIDRBlocks to be empty.", "type": "boolean" }, "enabled": { "description": "Enabled allows this provider to create a bastion host instance\nwith a public ip to access the VPC private network.", "type": "boolean" }, "instanceType": { "description": "InstanceType will use the specified instance type for the bastion. If not specified,\nCluster API Provider AWS will use t3.micro for all regions except us-east-1, where t2.micro\nwill be the default.", "type": "string" } }, "type": "object", "additionalProperties": false }, "controlPlaneEndpoint": { "description": "ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.", "properties": { "host": { "description": "The hostname on which the API server is serving.", "type": "string" }, "port": { "description": "The port on which the API server is serving.", "format": "int32", "type": "integer" } }, "required": [ "host", "port" ], "type": "object", "additionalProperties": false }, "disableVPCCNI": { "default": false, "description": "DisableVPCCNI indicates that the Amazon VPC CNI should be disabled. With EKS clusters the\nAmazon VPC CNI is automatically installed into the cluster. For clusters where you want\nto use an alternate CNI this option provides a way to specify that the Amazon VPC CNI\nshould be deleted. You cannot set this to true if you are using the\nAmazon VPC CNI addon.", "type": "boolean" }, "eksClusterName": { "description": "EKSClusterName allows you to specify the name of the EKS cluster in\nAWS. If you don't specify a name then a default name will be created\nbased on the namespace and name of the managed control plane.", "type": "string" }, "encryptionConfig": { "description": "EncryptionConfig specifies the encryption configuration for the cluster", "properties": { "provider": { "description": "Provider specifies the ARN or alias of the CMK (in AWS KMS)", "type": "string" }, "resources": { "description": "Resources specifies the resources to be encrypted", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "endpointAccess": { "description": "Endpoints specifies access to this cluster's control plane endpoints", "properties": { "private": { "description": "Private points VPC-internal control plane access to the private endpoint", "type": "boolean" }, "public": { "description": "Public controls whether control plane endpoints are publicly accessible", "type": "boolean" }, "publicCIDRs": { "description": "PublicCIDRs specifies which blocks can access the public endpoint", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "iamAuthenticatorConfig": { "description": "IAMAuthenticatorConfig allows the specification of any additional user or role mappings\nfor use when generating the aws-iam-authenticator configuration. If this is nil the\ndefault configuration is still generated for the cluster.", "properties": { "mapRoles": { "description": "RoleMappings is a list of role mappings", "items": { "description": "RoleMapping represents a mapping from a IAM role to Kubernetes users and groups.", "properties": { "groups": { "description": "Groups is a list of kubernetes RBAC groups", "items": { "type": "string" }, "type": "array" }, "rolearn": { "description": "RoleARN is the AWS ARN for the role to map", "minLength": 31, "type": "string" }, "username": { "description": "UserName is a kubernetes RBAC user subject", "type": "string" } }, "required": [ "groups", "rolearn", "username" ], "type": "object", "additionalProperties": false }, "type": "array" }, "mapUsers": { "description": "UserMappings is a list of user mappings", "items": { "description": "UserMapping represents a mapping from an IAM user to Kubernetes users and groups.", "properties": { "groups": { "description": "Groups is a list of kubernetes RBAC groups", "items": { "type": "string" }, "type": "array" }, "userarn": { "description": "UserARN is the AWS ARN for the user to map", "minLength": 31, "type": "string" }, "username": { "description": "UserName is a kubernetes RBAC user subject", "type": "string" } }, "required": [ "groups", "userarn", "username" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "identityRef": { "description": "IdentityRef is a reference to an identity to be used when reconciling the managed control plane.\nIf no identity is specified, the default identity for this controller will be used.", "properties": { "kind": { "description": "Kind of the identity.", "enum": [ "AWSClusterControllerIdentity", "AWSClusterRoleIdentity", "AWSClusterStaticIdentity" ], "type": "string" }, "name": { "description": "Name of the identity.", "minLength": 1, "type": "string" } }, "required": [ "kind", "name" ], "type": "object", "additionalProperties": false }, "imageLookupBaseOS": { "description": "ImageLookupBaseOS is the name of the base operating system used to look\nup machine images when a machine does not specify an AMI. When set, this\nwill be used for all cluster machines unless a machine specifies a\ndifferent ImageLookupBaseOS.", "type": "string" }, "imageLookupFormat": { "description": "ImageLookupFormat is the AMI naming format to look up machine images when\na machine does not specify an AMI. When set, this will be used for all\ncluster machines unless a machine specifies a different ImageLookupOrg.\nSupports substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base\nOS and kubernetes version, respectively. The BaseOS will be the value in\nImageLookupBaseOS or ubuntu (the default), and the kubernetes version as\ndefined by the packages produced by kubernetes/release without v as a\nprefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default\nimage format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up\nsearching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a\nMachine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See\nalso: https://golang.org/pkg/text/template/", "type": "string" }, "imageLookupOrg": { "description": "ImageLookupOrg is the AWS Organization ID to look up machine images when a\nmachine does not specify an AMI. When set, this will be used for all\ncluster machines unless a machine specifies a different ImageLookupOrg.", "type": "string" }, "kubeProxy": { "description": "KubeProxy defines managed attributes of the kube-proxy daemonset", "properties": { "disable": { "default": false, "description": "Disable set to true indicates that kube-proxy should be disabled. With EKS clusters\nkube-proxy is automatically installed into the cluster. For clusters where you want\nto use kube-proxy functionality that is provided with an alternate CNI, this option\nprovides a way to specify that the kube-proxy daemonset should be deleted. You cannot\nset this to true if you are using the Amazon kube-proxy addon.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "logging": { "description": "Logging specifies which EKS Cluster logs should be enabled. Entries for\neach of the enabled logs will be sent to CloudWatch", "properties": { "apiServer": { "default": false, "description": "APIServer indicates if the Kubernetes API Server log (kube-apiserver) shoulkd be enabled", "type": "boolean" }, "audit": { "default": false, "description": "Audit indicates if the Kubernetes API audit log should be enabled", "type": "boolean" }, "authenticator": { "default": false, "description": "Authenticator indicates if the iam authenticator log should be enabled", "type": "boolean" }, "controllerManager": { "default": false, "description": "ControllerManager indicates if the controller manager (kube-controller-manager) log should be enabled", "type": "boolean" }, "scheduler": { "default": false, "description": "Scheduler indicates if the Kubernetes scheduler (kube-scheduler) log should be enabled", "type": "boolean" } }, "required": [ "apiServer", "audit", "authenticator", "controllerManager", "scheduler" ], "type": "object", "additionalProperties": false }, "network": { "description": "NetworkSpec encapsulates all things related to AWS network.", "properties": { "additionalControlPlaneIngressRules": { "description": "AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane", "items": { "description": "IngressRule defines an AWS ingress rule for security groups.", "properties": { "cidrBlocks": { "description": "List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "description": { "description": "Description provides extended information about the ingress rule.", "type": "string" }, "fromPort": { "description": "FromPort is the start of port range.", "format": "int64", "type": "integer" }, "ipv6CidrBlocks": { "description": "List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "natGatewaysIPsSource": { "description": "NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.", "type": "boolean" }, "protocol": { "description": "Protocol is the protocol for the ingress rule. Accepted values are \"-1\" (all), \"4\" (IP in IP),\"tcp\", \"udp\", \"icmp\", and \"58\" (ICMPv6), \"50\" (ESP).", "enum": [ "-1", "4", "tcp", "udp", "icmp", "58", "50" ], "type": "string" }, "sourceSecurityGroupIds": { "description": "The security group id to allow access from. Cannot be specified with CidrBlocks.", "items": { "type": "string" }, "type": "array" }, "sourceSecurityGroupRoles": { "description": "The security group role to allow access from. Cannot be specified with CidrBlocks.\nThe field will be combined with source security group IDs if specified.", "items": { "description": "SecurityGroupRole defines the unique role of a security group.", "enum": [ "bastion", "node", "controlplane", "apiserver-lb", "lb", "node-eks-additional" ], "type": "string" }, "type": "array" }, "toPort": { "description": "ToPort is the end of port range.", "format": "int64", "type": "integer" } }, "required": [ "description", "fromPort", "protocol", "toPort" ], "type": "object", "additionalProperties": false }, "type": "array" }, "cni": { "description": "CNI configuration", "properties": { "cniIngressRules": { "description": "CNIIngressRules specify rules to apply to control plane and worker node security groups.\nThe source for the rule will be set to control plane and worker security group IDs.", "items": { "description": "CNIIngressRule defines an AWS ingress rule for CNI requirements.", "properties": { "description": { "type": "string" }, "fromPort": { "format": "int64", "type": "integer" }, "protocol": { "description": "SecurityGroupProtocol defines the protocol type for a security group rule.", "type": "string" }, "toPort": { "format": "int64", "type": "integer" } }, "required": [ "description", "fromPort", "protocol", "toPort" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "securityGroupOverrides": { "additionalProperties": { "type": "string" }, "description": "SecurityGroupOverrides is an optional set of security groups to use for cluster instances\nThis is optional - if not provided new security groups will be created for the cluster", "type": "object" }, "subnets": { "description": "Subnets configuration.", "items": { "description": "SubnetSpec configures an AWS Subnet.", "properties": { "availabilityZone": { "description": "AvailabilityZone defines the availability zone to use for this subnet in the cluster's region.", "type": "string" }, "cidrBlock": { "description": "CidrBlock is the CIDR block to be used when the provider creates a managed VPC.", "type": "string" }, "id": { "description": "ID defines a unique identifier to reference this resource.\nIf you're bringing your subnet, set the AWS subnet-id here, it must start with `subnet-`.\n\n\nWhen the VPC is managed by CAPA, and you'd like the provider to create a subnet for you,\nthe id can be set to any placeholder value that does not start with `subnet-`;\nupon creation, the subnet AWS identifier will be populated in the `ResourceID` field and\nthe `id` field is going to be used as the subnet name. If you specify a tag\ncalled `Name`, it takes precedence.", "type": "string" }, "ipv6CidrBlock": { "description": "IPv6CidrBlock is the IPv6 CIDR block to be used when the provider creates a managed VPC.\nA subnet can have an IPv4 and an IPv6 address.\nIPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object.", "type": "string" }, "isIpv6": { "description": "IsIPv6 defines the subnet as an IPv6 subnet. A subnet is IPv6 when it is associated with a VPC that has IPv6 enabled.\nIPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object.", "type": "boolean" }, "isPublic": { "description": "IsPublic defines the subnet as a public subnet. A subnet is public when it is associated with a route table that has a route to an internet gateway.", "type": "boolean" }, "natGatewayId": { "description": "NatGatewayID is the NAT gateway id associated with the subnet.\nIgnored unless the subnet is managed by the provider, in which case this is set on the public subnet where the NAT gateway resides. It is then used to determine routes for private subnets in the same AZ as the public subnet.", "type": "string" }, "parentZoneName": { "description": "ParentZoneName is the zone name where the current subnet's zone is tied when\nthe zone is a Local Zone.\n\n\nThe subnets in Local Zone or Wavelength Zone locations consume the ParentZoneName\nto select the correct private route table to egress traffic to the internet.", "type": "string" }, "resourceID": { "description": "ResourceID is the subnet identifier from AWS, READ ONLY.\nThis field is populated when the provider manages the subnet.", "type": "string" }, "routeTableId": { "description": "RouteTableID is the routing table id associated with the subnet.", "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a collection of tags describing the resource.", "type": "object" }, "zoneType": { "description": "ZoneType defines the type of the zone where the subnet is created.\n\n\nThe valid values are availability-zone, local-zone, and wavelength-zone.\n\n\nSubnet with zone type availability-zone (regular) is always selected to create cluster\nresources, like Load Balancers, NAT Gateways, Contol Plane nodes, etc.\n\n\nSubnet with zone type local-zone or wavelength-zone is not eligible to automatically create\nregular cluster resources.\n\n\nThe public subnet in availability-zone or local-zone is associated with regular public\nroute table with default route entry to a Internet Gateway.\n\n\nThe public subnet in wavelength-zone is associated with a carrier public\nroute table with default route entry to a Carrier Gateway.\n\n\nThe private subnet in the availability-zone is associated with a private route table with\nthe default route entry to a NAT Gateway created in that zone.\n\n\nThe private subnet in the local-zone or wavelength-zone is associated with a private route table with\nthe default route entry re-using the NAT Gateway in the Region (preferred from the\nparent zone, the zone type availability-zone in the region, or first table available).", "enum": [ "availability-zone", "local-zone", "wavelength-zone" ], "type": "string" } }, "required": [ "id" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "id" ], "x-kubernetes-list-type": "map" }, "vpc": { "description": "VPC configuration.", "properties": { "availabilityZoneSelection": { "default": "Ordered", "description": "AvailabilityZoneSelection specifies how AZs should be selected if there are more AZs\nin a region than specified by AvailabilityZoneUsageLimit. There are 2 selection schemes:\nOrdered - selects based on alphabetical order\nRandom - selects AZs randomly in a region\nDefaults to Ordered", "enum": [ "Ordered", "Random" ], "type": "string" }, "availabilityZoneUsageLimit": { "default": 3, "description": "AvailabilityZoneUsageLimit specifies the maximum number of availability zones (AZ) that\nshould be used in a region when automatically creating subnets. If a region has more\nthan this number of AZs then this number of AZs will be picked randomly when creating\ndefault subnets. Defaults to 3", "minimum": 1, "type": "integer" }, "carrierGatewayId": { "description": "CarrierGatewayID is the id of the internet gateway associated with the VPC,\nfor carrier network (Wavelength Zones).", "type": "string", "x-kubernetes-validations": [ { "message": "Carrier Gateway ID must start with 'cagw-'", "rule": "self.startsWith('cagw-')" } ] }, "cidrBlock": { "description": "CidrBlock is the CIDR block to be used when the provider creates a managed VPC.\nDefaults to 10.0.0.0/16.\nMutually exclusive with IPAMPool.", "type": "string" }, "elasticIpPool": { "description": "ElasticIPPool contains specific configuration to allocate Public IPv4 address (Elastic IP) from user-defined pool\nbrought to AWS for core infrastructure resources, like NAT Gateways and Public Network Load Balancers for\nthe API Server.", "properties": { "publicIpv4Pool": { "description": "PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources\ncreated in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom\nPublic IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool\nresource ID starts with 'ipv4pool-ec2'.", "maxLength": 30, "type": "string" }, "publicIpv4PoolFallbackOrder": { "description": "PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted,\nno more IPv4 address available in the pool.\n\n\nWhen set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the\nIPv4 limit, the address will be claimed from Amazon-pool (default).\n\n\nWhen set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted.", "enum": [ "amazon-pool", "none" ], "type": "string", "x-kubernetes-validations": [ { "message": "allowed values are 'none' and 'amazon-pool'", "rule": "self in ['none','amazon-pool']" } ] } }, "type": "object", "additionalProperties": false }, "emptyRoutesDefaultVPCSecurityGroup": { "description": "EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress\nand egress rules should be removed.\n\n\nBy default, when creating a VPC, AWS creates a security group called `default` with ingress and egress\nrules that allow traffic from anywhere. The group could be used as a potential surface attack and\nit's generally suggested that the group rules are removed or modified appropriately.\n\n\nNOTE: This only applies when the VPC is managed by the Cluster API AWS controller.", "type": "boolean" }, "id": { "description": "ID is the vpc-id of the VPC this provider should use to create resources.", "type": "string" }, "internetGatewayId": { "description": "InternetGatewayID is the id of the internet gateway associated with the VPC.", "type": "string" }, "ipamPool": { "description": "IPAMPool defines the IPAMv4 pool to be used for VPC.\nMutually exclusive with CidrBlock.", "properties": { "id": { "description": "ID is the ID of the IPAM pool this provider should use to create VPC.", "type": "string" }, "name": { "description": "Name is the name of the IPAM pool this provider should use to create VPC.", "type": "string" }, "netmaskLength": { "description": "The netmask length of the IPv4 CIDR you want to allocate to VPC from\nan Amazon VPC IP Address Manager (IPAM) pool.\nDefaults to /16 for IPv4 if not specified.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "ipv6": { "description": "IPv6 contains ipv6 specific settings for the network. Supported only in managed clusters.\nThis field cannot be set on AWSCluster object.", "properties": { "cidrBlock": { "description": "CidrBlock is the CIDR block provided by Amazon when VPC has enabled IPv6.\nMutually exclusive with IPAMPool.", "type": "string" }, "egressOnlyInternetGatewayId": { "description": "EgressOnlyInternetGatewayID is the id of the egress only internet gateway associated with an IPv6 enabled VPC.", "type": "string" }, "ipamPool": { "description": "IPAMPool defines the IPAMv6 pool to be used for VPC.\nMutually exclusive with CidrBlock.", "properties": { "id": { "description": "ID is the ID of the IPAM pool this provider should use to create VPC.", "type": "string" }, "name": { "description": "Name is the name of the IPAM pool this provider should use to create VPC.", "type": "string" }, "netmaskLength": { "description": "The netmask length of the IPv4 CIDR you want to allocate to VPC from\nan Amazon VPC IP Address Manager (IPAM) pool.\nDefaults to /16 for IPv4 if not specified.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "poolId": { "description": "PoolID is the IP pool which must be defined in case of BYO IP is defined.\nMust be specified if CidrBlock is set.\nMutually exclusive with IPAMPool.", "type": "string" } }, "type": "object", "additionalProperties": false }, "privateDnsHostnameTypeOnLaunch": { "description": "PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch.\nFor IPv4-only and dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the instance IPv4 address (ip-name)\nor the instance ID (resource-name). For IPv6 only subnets, an instance DNS name must be based on the instance ID (resource-name).", "enum": [ "ip-name", "resource-name" ], "type": "string" }, "subnetSchema": { "default": "PreferPrivate", "description": "SubnetSchema specifies how CidrBlock should be divided on subnets in the VPC depending on the number of AZs.\nPreferPrivate - one private subnet for each AZ plus one other subnet that will be further sub-divided for the public subnets.\nPreferPublic - have the reverse logic of PreferPrivate, one public subnet for each AZ plus one other subnet\nthat will be further sub-divided for the private subnets.\nDefaults to PreferPrivate", "enum": [ "PreferPrivate", "PreferPublic" ], "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a collection of tags describing the resource.", "type": "object" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "oidcIdentityProviderConfig": { "description": "IdentityProviderconfig is used to specify the oidc provider config\nto be attached with this eks cluster", "properties": { "clientId": { "description": "This is also known as audience. The ID for the client application that makes\nauthentication requests to the OpenID identity provider.", "type": "string" }, "groupsClaim": { "description": "The JWT claim that the provider uses to return your groups.", "type": "string" }, "groupsPrefix": { "description": "The prefix that is prepended to group claims to prevent clashes with existing\nnames (such as system: groups). For example, the valueoidc: will create group\nnames like oidc:engineering and oidc:infra.", "type": "string" }, "identityProviderConfigName": { "description": "The name of the OIDC provider configuration.\n\n\nIdentityProviderConfigName is a required field", "type": "string" }, "issuerUrl": { "description": "The URL of the OpenID identity provider that allows the API server to discover\npublic signing keys for verifying tokens. The URL must begin with https://\nand should correspond to the iss claim in the provider's OIDC ID tokens.\nPer the OIDC standard, path components are allowed but query parameters are\nnot. Typically the URL consists of only a hostname, like https://server.example.org\nor https://example.com. This URL should point to the level below .well-known/openid-configuration\nand must be publicly accessible over the internet.", "type": "string" }, "requiredClaims": { "additionalProperties": { "type": "string" }, "description": "The key value pairs that describe required claims in the identity token.\nIf set, each claim is verified to be present in the token with a matching\nvalue. For the maximum number of claims that you can require, see Amazon\nEKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html)\nin the Amazon EKS User Guide.", "type": "object" }, "tags": { "additionalProperties": { "type": "string" }, "description": "tags to apply to oidc identity provider association", "type": "object" }, "usernameClaim": { "description": "The JSON Web Token (JWT) claim to use as the username. The default is sub,\nwhich is expected to be a unique identifier of the end user. You can choose\nother claims, such as email or name, depending on the OpenID identity provider.\nClaims other than email are prefixed with the issuer URL to prevent naming\nclashes with other plug-ins.", "type": "string" }, "usernamePrefix": { "description": "The prefix that is prepended to username claims to prevent clashes with existing\nnames. If you do not provide this field, and username is a value other than\nemail, the prefix defaults to issuerurl#. You can use the value - to disable\nall prefixing.", "type": "string" } }, "type": "object", "additionalProperties": false }, "region": { "description": "The AWS Region the cluster lives in.", "type": "string" }, "roleAdditionalPolicies": { "description": "RoleAdditionalPolicies allows you to attach additional polices to\nthe control plane role. You must enable the EKSAllowAddRoles\nfeature flag to incorporate these into the created role.", "items": { "type": "string" }, "type": "array" }, "roleName": { "description": "RoleName specifies the name of IAM role that gives EKS\npermission to make API calls. If the role is pre-existing\nwe will treat it as unmanaged and not delete it on\ndeletion. If the EKSEnableIAM feature flag is true\nand no name is supplied then a role is created.", "minLength": 2, "type": "string" }, "secondaryCidrBlock": { "description": "SecondaryCidrBlock is the additional CIDR range to use for pod IPs.\nMust be within the 100.64.0.0/10 or 198.19.0.0/16 range.", "type": "string" }, "sshKeyName": { "description": "SSHKeyName is the name of the ssh key to attach to the bastion host. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)", "type": "string" }, "tokenMethod": { "default": "iam-authenticator", "description": "TokenMethod is used to specify the method for obtaining a client token for communicating with EKS\niam-authenticator - obtains a client token using iam-authentictor\naws-cli - obtains a client token using the AWS CLI\nDefaults to iam-authenticator", "enum": [ "iam-authenticator", "aws-cli" ], "type": "string" }, "version": { "description": "Version defines the desired Kubernetes version. If no version number\nis supplied then the latest version of Kubernetes that EKS supports\nwill be used.", "minLength": 2, "pattern": "^v?(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.?(\\.0|[1-9][0-9]*)?$", "type": "string" }, "vpcCni": { "description": "VpcCni is used to set configuration options for the VPC CNI plugin", "properties": { "env": { "description": "Env defines a list of environment variables to apply to the `aws-node` DaemonSet", "items": { "description": "EnvVar represents an environment variable present in a Container.", "properties": { "name": { "description": "Name of the environment variable. Must be a C_IDENTIFIER.", "type": "string" }, "value": { "description": "Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".", "type": "string" }, "valueFrom": { "description": "Source for the environment variable's value. Cannot be used if value is not empty.", "properties": { "configMapKeyRef": { "description": "Selects a key of a ConfigMap.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": "string" }, "optional": { "description": "Specify whether the ConfigMap or its key must be defined", "type": "boolean" } }, "required": [ "key" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "fieldRef": { "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.", "properties": { "apiVersion": { "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".", "type": "string" }, "fieldPath": { "description": "Path of the field to select in the specified API version.", "type": "string" } }, "required": [ "fieldPath" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "resourceFieldRef": { "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.", "properties": { "containerName": { "description": "Container name: required for volumes, optional for env vars", "type": "string" }, "divisor": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Specifies the output format of the exposed resources, defaults to \"1\"", "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "resource": { "description": "Required: resource to select", "type": "string" } }, "required": [ "resource" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "secretKeyRef": { "description": "Selects a key of a secret in the pod's namespace", "properties": { "key": { "description": "The key of the secret to select from. Must be a valid secret key.", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": "string" }, "optional": { "description": "Specify whether the Secret or its key must be defined", "type": "boolean" } }, "required": [ "key" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "status": { "description": "AWSManagedControlPlaneStatus defines the observed state of an Amazon EKS Cluster.", "properties": { "addons": { "description": "Addons holds the current status of the EKS addons", "items": { "description": "AddonState represents the state of an addon.", "properties": { "arn": { "description": "ARN is the AWS ARN of the addon", "type": "string" }, "createdAt": { "description": "CreatedAt is the date and time the addon was created at", "format": "date-time", "type": "string" }, "issues": { "description": "Issues is a list of issue associated with the addon", "items": { "description": "AddonIssue represents an issue with an addon.", "properties": { "code": { "description": "Code is the issue code", "type": "string" }, "message": { "description": "Message is the textual description of the issue", "type": "string" }, "resourceIds": { "description": "ResourceIDs is a list of resource ids for the issue", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "modifiedAt": { "description": "ModifiedAt is the date and time the addon was last modified", "format": "date-time", "type": "string" }, "name": { "description": "Name is the name of the addon", "type": "string" }, "serviceAccountRoleARN": { "description": "ServiceAccountRoleArn is the ARN of the IAM role used for the service account", "type": "string" }, "status": { "description": "Status is the status of the addon", "type": "string" }, "version": { "description": "Version is the version of the addon to use", "type": "string" } }, "required": [ "arn", "name", "version" ], "type": "object", "additionalProperties": false }, "type": "array" }, "bastion": { "description": "Bastion holds details of the instance that is used as a bastion jump box", "properties": { "addresses": { "description": "Addresses contains the AWS instance associated addresses.", "items": { "description": "MachineAddress contains information for the node's address.", "properties": { "address": { "description": "The machine address.", "type": "string" }, "type": { "description": "Machine address type, one of Hostname, ExternalIP, InternalIP, ExternalDNS or InternalDNS.", "type": "string" } }, "required": [ "address", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "availabilityZone": { "description": "Availability zone of instance", "type": "string" }, "capacityReservationId": { "description": "CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched.", "type": "string" }, "ebsOptimized": { "description": "Indicates whether the instance is optimized for Amazon EBS I/O.", "type": "boolean" }, "enaSupport": { "description": "Specifies whether enhanced networking with ENA is enabled.", "type": "boolean" }, "iamProfile": { "description": "The name of the IAM instance profile associated with the instance, if applicable.", "type": "string" }, "id": { "type": "string" }, "imageId": { "description": "The ID of the AMI used to launch the instance.", "type": "string" }, "instanceMetadataOptions": { "description": "InstanceMetadataOptions is the metadata options for the EC2 instance.", "properties": { "httpEndpoint": { "default": "enabled", "description": "Enables or disables the HTTP metadata endpoint on your instances.\n\n\nIf you specify a value of disabled, you cannot access your instance metadata.\n\n\nDefault: enabled", "enum": [ "enabled", "disabled" ], "type": "string" }, "httpPutResponseHopLimit": { "default": 1, "description": "The desired HTTP PUT response hop limit for instance metadata requests. The\nlarger the number, the further instance metadata requests can travel.\n\n\nDefault: 1", "format": "int64", "maximum": 64, "minimum": 1, "type": "integer" }, "httpTokens": { "default": "optional", "description": "The state of token usage for your instance metadata requests.\n\n\nIf the state is optional, you can choose to retrieve instance metadata with\nor without a session token on your request. If you retrieve the IAM role\ncredentials without a token, the version 1.0 role credentials are returned.\nIf you retrieve the IAM role credentials using a valid session token, the\nversion 2.0 role credentials are returned.\n\n\nIf the state is required, you must send a session token with any instance\nmetadata retrieval requests. In this state, retrieving the IAM role credentials\nalways returns the version 2.0 credentials; the version 1.0 credentials are\nnot available.\n\n\nDefault: optional", "enum": [ "optional", "required" ], "type": "string" }, "instanceMetadataTags": { "default": "disabled", "description": "Set to enabled to allow access to instance tags from the instance metadata.\nSet to disabled to turn off access to instance tags from the instance metadata.\nFor more information, see Work with instance tags using the instance metadata\n(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS).\n\n\nDefault: disabled", "enum": [ "enabled", "disabled" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "instanceState": { "description": "The current state of the instance.", "type": "string" }, "networkInterfaces": { "description": "Specifies ENIs attached to instance", "items": { "type": "string" }, "type": "array" }, "nonRootVolumes": { "description": "Configuration options for the non root storage volumes.", "items": { "description": "Volume encapsulates the configuration options for the storage device.", "properties": { "deviceName": { "description": "Device name", "type": "string" }, "encrypted": { "description": "Encrypted is whether the volume should be encrypted or not.", "type": "boolean" }, "encryptionKey": { "description": "EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN.\nIf Encrypted is set and this is omitted, the default AWS key will be used.\nThe key must already exist and be accessible by the controller.", "type": "string" }, "iops": { "description": "IOPS is the number of IOPS requested for the disk. Not applicable to all types.", "format": "int64", "type": "integer" }, "size": { "description": "Size specifies size (in Gi) of the storage device.\nMust be greater than the image snapshot size or 8 (whichever is greater).", "format": "int64", "minimum": 8, "type": "integer" }, "throughput": { "description": "Throughput to provision in MiB/s supported for the volume type. Not applicable to all types.", "format": "int64", "type": "integer" }, "type": { "description": "Type is the type of the volume (e.g. gp2, io1, etc...).", "type": "string" } }, "required": [ "size" ], "type": "object", "additionalProperties": false }, "type": "array" }, "placementGroupName": { "description": "PlacementGroupName specifies the name of the placement group in which to launch the instance.", "type": "string" }, "placementGroupPartition": { "description": "PlacementGroupPartition is the partition number within the placement group in which to launch the instance.\nThis value is only valid if the placement group, referred in `PlacementGroupName`, was created with\nstrategy set to partition.", "format": "int64", "maximum": 7, "minimum": 1, "type": "integer" }, "privateDnsName": { "description": "PrivateDNSName is the options for the instance hostname.", "properties": { "enableResourceNameDnsAAAARecord": { "description": "EnableResourceNameDNSAAAARecord indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.", "type": "boolean" }, "enableResourceNameDnsARecord": { "description": "EnableResourceNameDNSARecord indicates whether to respond to DNS queries for instance hostnames with DNS A records.", "type": "boolean" }, "hostnameType": { "description": "The type of hostname to assign to an instance.", "enum": [ "ip-name", "resource-name" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "privateIp": { "description": "The private IPv4 address assigned to the instance.", "type": "string" }, "publicIPOnLaunch": { "description": "PublicIPOnLaunch is the option to associate a public IP on instance launch", "type": "boolean" }, "publicIp": { "description": "The public IPv4 address assigned to the instance, if applicable.", "type": "string" }, "rootVolume": { "description": "Configuration options for the root storage volume.", "properties": { "deviceName": { "description": "Device name", "type": "string" }, "encrypted": { "description": "Encrypted is whether the volume should be encrypted or not.", "type": "boolean" }, "encryptionKey": { "description": "EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN.\nIf Encrypted is set and this is omitted, the default AWS key will be used.\nThe key must already exist and be accessible by the controller.", "type": "string" }, "iops": { "description": "IOPS is the number of IOPS requested for the disk. Not applicable to all types.", "format": "int64", "type": "integer" }, "size": { "description": "Size specifies size (in Gi) of the storage device.\nMust be greater than the image snapshot size or 8 (whichever is greater).", "format": "int64", "minimum": 8, "type": "integer" }, "throughput": { "description": "Throughput to provision in MiB/s supported for the volume type. Not applicable to all types.", "format": "int64", "type": "integer" }, "type": { "description": "Type is the type of the volume (e.g. gp2, io1, etc...).", "type": "string" } }, "required": [ "size" ], "type": "object", "additionalProperties": false }, "securityGroupIds": { "description": "SecurityGroupIDs are one or more security group IDs this instance belongs to.", "items": { "type": "string" }, "type": "array" }, "spotMarketOptions": { "description": "SpotMarketOptions option for configuring instances to be run using AWS Spot instances.", "properties": { "maxPrice": { "description": "MaxPrice defines the maximum price the user is willing to pay for Spot VM instances", "type": "string" } }, "type": "object", "additionalProperties": false }, "sshKeyName": { "description": "The name of the SSH key pair.", "type": "string" }, "subnetId": { "description": "The ID of the subnet of the instance.", "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "The tags associated with the instance.", "type": "object" }, "tenancy": { "description": "Tenancy indicates if instance should run on shared or single-tenant hardware.", "type": "string" }, "type": { "description": "The instance type.", "type": "string" }, "userData": { "description": "UserData is the raw data script passed to the instance which is run upon bootstrap.\nThis field must not be base64 encoded and should only be used when running a new instance.", "type": "string" }, "volumeIDs": { "description": "IDs of the instance's volumes", "items": { "type": "string" }, "type": "array" } }, "required": [ "id" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "Conditions specifies the cpnditions for the managed control plane", "items": { "description": "Condition defines an observation of a Cluster API resource operational state.", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when\nthe API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.\nThis field may be empty.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition in CamelCase.\nThe specific API may choose whether or not this field is considered a guaranteed API.\nThis field may not be empty.", "type": "string" }, "severity": { "description": "Severity provides an explicit classification of Reason code, so the users or machines can immediately\nunderstand the current situation and act accordingly.\nThe Severity field MUST be set only when Status=False.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type of condition in CamelCase or in foo.example.com/CamelCase.\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions\ncan be useful (see .node.status.conditions), the ability to deconflict is important.", "type": "string" } }, "required": [ "lastTransitionTime", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "externalManagedControlPlane": { "default": true, "description": "ExternalManagedControlPlane indicates to cluster-api that the control plane\nis managed by an external service such as AKS, EKS, GKE, etc.", "type": "boolean" }, "failureDomains": { "additionalProperties": { "description": "FailureDomainSpec is the Schema for Cluster API failure domains.\nIt allows controllers to understand how many failure domains a cluster can optionally span across.", "properties": { "attributes": { "additionalProperties": { "type": "string" }, "description": "Attributes is a free form map of attributes an infrastructure provider might use or require.", "type": "object" }, "controlPlane": { "description": "ControlPlane determines if this failure domain is suitable for use by control plane machines.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "description": "FailureDomains specifies a list fo available availability zones that can be used", "type": "object" }, "failureMessage": { "description": "ErrorMessage indicates that there is a terminal problem reconciling the\nstate, and will be set to a descriptive error message.", "type": "string" }, "identityProviderStatus": { "description": "IdentityProviderStatus holds the status for\nassociated identity provider", "properties": { "arn": { "description": "ARN holds the ARN of associated identity provider", "type": "string" }, "status": { "description": "Status holds current status of associated identity provider", "type": "string" } }, "type": "object", "additionalProperties": false }, "initialized": { "description": "Initialized denotes whether or not the control plane has the\nuploaded kubernetes config-map.", "type": "boolean" }, "networkStatus": { "description": "Networks holds details about the AWS networking resources used by the control plane", "properties": { "apiServerElb": { "description": "APIServerELB is the Kubernetes api server load balancer.", "properties": { "arn": { "description": "ARN of the load balancer. Unlike the ClassicLB, ARN is used mostly\nto define and get it.", "type": "string" }, "attributes": { "description": "ClassicElbAttributes defines extra attributes associated with the load balancer.", "properties": { "crossZoneLoadBalancing": { "description": "CrossZoneLoadBalancing enables the classic load balancer load balancing.", "type": "boolean" }, "idleTimeout": { "description": "IdleTimeout is time that the connection is allowed to be idle (no data\nhas been sent over the connection) before it is closed by the load balancer.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "availabilityZones": { "description": "AvailabilityZones is an array of availability zones in the VPC attached to the load balancer.", "items": { "type": "string" }, "type": "array" }, "dnsName": { "description": "DNSName is the dns name of the load balancer.", "type": "string" }, "elbAttributes": { "additionalProperties": { "type": "string" }, "description": "ELBAttributes defines extra attributes associated with v2 load balancers.", "type": "object" }, "elbListeners": { "description": "ELBListeners is an array of listeners associated with the load balancer. There must be at least one.", "items": { "description": "Listener defines an AWS network load balancer listener.", "properties": { "port": { "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" }, "targetGroup": { "description": "TargetGroupSpec specifies target group settings for a given listener.\nThis is created first, and the ARN is then passed to the listener.", "properties": { "name": { "description": "Name of the TargetGroup. Must be unique over the same group of listeners.", "maxLength": 32, "type": "string" }, "port": { "description": "Port is the exposed port", "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "enum": [ "tcp", "tls", "udp", "TCP", "TLS", "UDP" ], "type": "string" }, "targetGroupHealthCheck": { "description": "HealthCheck is the elb health check associated with the load balancer.", "properties": { "intervalSeconds": { "format": "int64", "type": "integer" }, "path": { "type": "string" }, "port": { "type": "string" }, "protocol": { "type": "string" }, "thresholdCount": { "format": "int64", "type": "integer" }, "timeoutSeconds": { "format": "int64", "type": "integer" }, "unhealthyThresholdCount": { "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "vpcId": { "type": "string" } }, "required": [ "name", "port", "protocol", "vpcId" ], "type": "object", "additionalProperties": false } }, "required": [ "port", "protocol", "targetGroup" ], "type": "object", "additionalProperties": false }, "type": "array" }, "healthChecks": { "description": "HealthCheck is the classic elb health check associated with the load balancer.", "properties": { "healthyThreshold": { "format": "int64", "type": "integer" }, "interval": { "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", "format": "int64", "type": "integer" }, "target": { "type": "string" }, "timeout": { "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", "format": "int64", "type": "integer" }, "unhealthyThreshold": { "format": "int64", "type": "integer" } }, "required": [ "healthyThreshold", "interval", "target", "timeout", "unhealthyThreshold" ], "type": "object", "additionalProperties": false }, "listeners": { "description": "ClassicELBListeners is an array of classic elb listeners associated with the load balancer. There must be at least one.", "items": { "description": "ClassicELBListener defines an AWS classic load balancer listener.", "properties": { "instancePort": { "format": "int64", "type": "integer" }, "instanceProtocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" }, "port": { "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" } }, "required": [ "instancePort", "instanceProtocol", "port", "protocol" ], "type": "object", "additionalProperties": false }, "type": "array" }, "loadBalancerType": { "description": "LoadBalancerType sets the type for a load balancer. The default type is classic.", "enum": [ "classic", "elb", "alb", "nlb" ], "type": "string" }, "name": { "description": "The name of the load balancer. It must be unique within the set of load balancers\ndefined in the region. It also serves as identifier.", "type": "string" }, "scheme": { "description": "Scheme is the load balancer scheme, either internet-facing or private.", "type": "string" }, "securityGroupIds": { "description": "SecurityGroupIDs is an array of security groups assigned to the load balancer.", "items": { "type": "string" }, "type": "array" }, "subnetIds": { "description": "SubnetIDs is an array of subnets in the VPC attached to the load balancer.", "items": { "type": "string" }, "type": "array" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a map of tags associated with the load balancer.", "type": "object" } }, "type": "object", "additionalProperties": false }, "natGatewaysIPs": { "description": "NatGatewaysIPs contains the public IPs of the NAT Gateways", "items": { "type": "string" }, "type": "array" }, "secondaryAPIServerELB": { "description": "SecondaryAPIServerELB is the secondary Kubernetes api server load balancer.", "properties": { "arn": { "description": "ARN of the load balancer. Unlike the ClassicLB, ARN is used mostly\nto define and get it.", "type": "string" }, "attributes": { "description": "ClassicElbAttributes defines extra attributes associated with the load balancer.", "properties": { "crossZoneLoadBalancing": { "description": "CrossZoneLoadBalancing enables the classic load balancer load balancing.", "type": "boolean" }, "idleTimeout": { "description": "IdleTimeout is time that the connection is allowed to be idle (no data\nhas been sent over the connection) before it is closed by the load balancer.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "availabilityZones": { "description": "AvailabilityZones is an array of availability zones in the VPC attached to the load balancer.", "items": { "type": "string" }, "type": "array" }, "dnsName": { "description": "DNSName is the dns name of the load balancer.", "type": "string" }, "elbAttributes": { "additionalProperties": { "type": "string" }, "description": "ELBAttributes defines extra attributes associated with v2 load balancers.", "type": "object" }, "elbListeners": { "description": "ELBListeners is an array of listeners associated with the load balancer. There must be at least one.", "items": { "description": "Listener defines an AWS network load balancer listener.", "properties": { "port": { "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" }, "targetGroup": { "description": "TargetGroupSpec specifies target group settings for a given listener.\nThis is created first, and the ARN is then passed to the listener.", "properties": { "name": { "description": "Name of the TargetGroup. Must be unique over the same group of listeners.", "maxLength": 32, "type": "string" }, "port": { "description": "Port is the exposed port", "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "enum": [ "tcp", "tls", "udp", "TCP", "TLS", "UDP" ], "type": "string" }, "targetGroupHealthCheck": { "description": "HealthCheck is the elb health check associated with the load balancer.", "properties": { "intervalSeconds": { "format": "int64", "type": "integer" }, "path": { "type": "string" }, "port": { "type": "string" }, "protocol": { "type": "string" }, "thresholdCount": { "format": "int64", "type": "integer" }, "timeoutSeconds": { "format": "int64", "type": "integer" }, "unhealthyThresholdCount": { "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "vpcId": { "type": "string" } }, "required": [ "name", "port", "protocol", "vpcId" ], "type": "object", "additionalProperties": false } }, "required": [ "port", "protocol", "targetGroup" ], "type": "object", "additionalProperties": false }, "type": "array" }, "healthChecks": { "description": "HealthCheck is the classic elb health check associated with the load balancer.", "properties": { "healthyThreshold": { "format": "int64", "type": "integer" }, "interval": { "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", "format": "int64", "type": "integer" }, "target": { "type": "string" }, "timeout": { "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", "format": "int64", "type": "integer" }, "unhealthyThreshold": { "format": "int64", "type": "integer" } }, "required": [ "healthyThreshold", "interval", "target", "timeout", "unhealthyThreshold" ], "type": "object", "additionalProperties": false }, "listeners": { "description": "ClassicELBListeners is an array of classic elb listeners associated with the load balancer. There must be at least one.", "items": { "description": "ClassicELBListener defines an AWS classic load balancer listener.", "properties": { "instancePort": { "format": "int64", "type": "integer" }, "instanceProtocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" }, "port": { "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" } }, "required": [ "instancePort", "instanceProtocol", "port", "protocol" ], "type": "object", "additionalProperties": false }, "type": "array" }, "loadBalancerType": { "description": "LoadBalancerType sets the type for a load balancer. The default type is classic.", "enum": [ "classic", "elb", "alb", "nlb" ], "type": "string" }, "name": { "description": "The name of the load balancer. It must be unique within the set of load balancers\ndefined in the region. It also serves as identifier.", "type": "string" }, "scheme": { "description": "Scheme is the load balancer scheme, either internet-facing or private.", "type": "string" }, "securityGroupIds": { "description": "SecurityGroupIDs is an array of security groups assigned to the load balancer.", "items": { "type": "string" }, "type": "array" }, "subnetIds": { "description": "SubnetIDs is an array of subnets in the VPC attached to the load balancer.", "items": { "type": "string" }, "type": "array" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a map of tags associated with the load balancer.", "type": "object" } }, "type": "object", "additionalProperties": false }, "securityGroups": { "additionalProperties": { "description": "SecurityGroup defines an AWS security group.", "properties": { "id": { "description": "ID is a unique identifier.", "type": "string" }, "ingressRule": { "description": "IngressRules is the inbound rules associated with the security group.", "items": { "description": "IngressRule defines an AWS ingress rule for security groups.", "properties": { "cidrBlocks": { "description": "List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "description": { "description": "Description provides extended information about the ingress rule.", "type": "string" }, "fromPort": { "description": "FromPort is the start of port range.", "format": "int64", "type": "integer" }, "ipv6CidrBlocks": { "description": "List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "natGatewaysIPsSource": { "description": "NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.", "type": "boolean" }, "protocol": { "description": "Protocol is the protocol for the ingress rule. Accepted values are \"-1\" (all), \"4\" (IP in IP),\"tcp\", \"udp\", \"icmp\", and \"58\" (ICMPv6), \"50\" (ESP).", "enum": [ "-1", "4", "tcp", "udp", "icmp", "58", "50" ], "type": "string" }, "sourceSecurityGroupIds": { "description": "The security group id to allow access from. Cannot be specified with CidrBlocks.", "items": { "type": "string" }, "type": "array" }, "sourceSecurityGroupRoles": { "description": "The security group role to allow access from. Cannot be specified with CidrBlocks.\nThe field will be combined with source security group IDs if specified.", "items": { "description": "SecurityGroupRole defines the unique role of a security group.", "enum": [ "bastion", "node", "controlplane", "apiserver-lb", "lb", "node-eks-additional" ], "type": "string" }, "type": "array" }, "toPort": { "description": "ToPort is the end of port range.", "format": "int64", "type": "integer" } }, "required": [ "description", "fromPort", "protocol", "toPort" ], "type": "object", "additionalProperties": false }, "type": "array" }, "name": { "description": "Name is the security group name.", "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a map of tags associated with the security group.", "type": "object" } }, "required": [ "id", "name" ], "type": "object", "additionalProperties": false }, "description": "SecurityGroups is a map from the role/kind of the security group to its unique name, if any.", "type": "object" } }, "type": "object", "additionalProperties": false }, "oidcProvider": { "description": "OIDCProvider holds the status of the identity provider for this cluster", "properties": { "arn": { "description": "ARN holds the ARN of the provider", "type": "string" }, "trustPolicy": { "description": "TrustPolicy contains the boilerplate IAM trust policy to use for IRSA", "type": "string" } }, "type": "object", "additionalProperties": false }, "ready": { "default": false, "description": "Ready denotes that the AWSManagedControlPlane API Server is ready to\nreceive requests and that the VPC infra is ready.", "type": "boolean" } }, "required": [ "ready" ], "type": "object", "additionalProperties": false } }, "type": "object" }