The customizations in this section are applicable only to EKS clusters. They are applied only to clusters that use the EKS infrastructure provider, i.e. a CAPI Cluster that references an AWSManagedControlPlane.
EKS
1 - EKS Additional Tags
The EKS additional tags customization allows the user to specify custom tags to be applied to AWS resources created by the EKS cluster.
The customization can be applied at the cluster level and worker node level.
This customization is available when the provider-specific cluster configuration patch is included in the ClusterClass.
Example
To specify additional tags for EKS resources, use the following configuration:
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: <NAME>
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          eks:
            additionalTags:
              Environment: production
              Team: platform
              CostCenter: "12345"
We can further customize individual MachineDeployments by using the overrides field with the following configuration:
spec:
  topology:
    # ...
    workers:
      machineDeployments:
        - class: default-worker
          name: md-0
          variables:
            overrides:
              - name: workerConfig
                value:
                  eks:
                    additionalTags:
                      NodeType: worker
                      Workload: database
                      Environment: production
Tag Precedence
When tags are specified at multiple levels, the following precedence applies (higher precedence overrides lower):
- Worker level tags (highest precedence)
- Cluster level tags (lowest precedence)
This means that if the same tag key is specified at multiple levels, the worker level values will take precedence over the cluster level values.
Applying this configuration will result in the following values being set:

AWSManagedControlPlane:
spec:
  template:
    spec:
      additionalTags:
        Environment: production
        Team: platform
        CostCenter: "12345"

worker AWSMachineTemplate:
spec:
  template:
    spec:
      additionalTags:
        Environment: production
        Team: platform
        CostCenter: "12345"
        NodeType: worker
        Workload: database
2 - Identity Reference
The identity reference customization allows the user to specify the AWS identity to use when reconciling the EKS cluster. This identity reference can be used to authenticate with AWS services using different identity types such as AWSClusterControllerIdentity, AWSClusterRoleIdentity, or AWSClusterStaticIdentity.
This customization is available for EKS clusters when the provider-specific cluster configuration patch is included in the ClusterClass.
For detailed information about AWS multi-tenancy and identity management, see the Cluster API AWS Multi-tenancy documentation.
Example
To specify the AWS identity reference for an EKS cluster, use the following configuration:
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: <NAME>
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          eks:
            identityRef:
              kind: AWSClusterStaticIdentity
              name: my-aws-identity
Identity Types
The following identity types are supported:
- AWSClusterControllerIdentity: Uses the default identity for the controller
- AWSClusterRoleIdentity: Assumes a role using the provided source reference
- AWSClusterStaticIdentity: Uses static credentials stored in a secret
Examples with Different Identity Types
Using AWSClusterRoleIdentity
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: <NAME>
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          eks:
            identityRef:
              kind: AWSClusterRoleIdentity
              name: my-role-identity
Using AWSClusterStaticIdentity
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: <NAME>
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          eks:
            identityRef:
              kind: AWSClusterStaticIdentity
              name: my-static-identity
Applying the first configuration above will result in the following value being set:

AWSManagedControlPlane:
spec:
  template:
    spec:
      identityRef:
        kind: AWSClusterStaticIdentity
        name: my-aws-identity
Notes
- If no identity is specified, the default identity for the controller will be used
- The referenced identity resource must exist in the management cluster before the workload cluster is created
- For AWSClusterStaticIdentity, the referenced secret must contain the required AWS credentials
- For AWSClusterRoleIdentity, the role must be properly configured with the necessary permissions
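As an added example (not part of the original page), these are the two resources the notes above require to exist before the Cluster is created when identityRef points at an AWSClusterStaticIdentity: the identity object and the credential Secret it references, with allowedNamespaces restricted so that only the workload cluster's namespace can use it. Field names follow the Cluster API Provider AWS (CAPA) identity API; the resource names, the eks-clusters namespace and the credential values are placeholders, and the Secret lives in the CAPA controller's namespace (capa-system by default), not in the Cluster's namespace.

```yaml
# Added example: AWSClusterStaticIdentity plus the Secret it references.
# Resource names, namespace and credential values are placeholders.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSClusterStaticIdentity
metadata:
  name: my-aws-identity            # must match identityRef.name in the Cluster
spec:
  secretRef: my-aws-identity-creds # Secret name, looked up in the CAPA namespace
  # Limit which namespaces may reference this identity (least privilege).
  # Omitting allowedNamespaces allows no namespace; an empty object ({})
  # allows every namespace, which is rarely what you want on a shared
  # management cluster.
  allowedNamespaces:
    list:
      - eks-clusters               # namespace holding the workload Cluster objects
---
apiVersion: v1
kind: Secret
metadata:
  name: my-aws-identity-creds
  namespace: capa-system           # CAPA controller namespace, not the Cluster's
type: Opaque
stringData:
  AccessKeyID: AKIAIOSFODNN7EXAMPLE                          # placeholder
  SecretAccessKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY  # placeholder
  # SessionToken: <token>          # only when using temporary credentials
```

Where a role can be assumed instead, prefer AWSClusterRoleIdentity so that no long-lived access keys have to be stored in the management cluster.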