EKS

The customizations in this section are applicable only to EKS clusters. They will only be applied to clusters that use the EKS infrastructure provider, i.e. a CAPI Cluster that references an AWSManagedControlPlane.

1 - EKS Additional Tags

The EKS additional tags customization allows the user to specify custom tags to be applied to AWS resources created by the EKS cluster. The customization can be applied at the cluster level and worker node level. This customization will be available when the provider-specific cluster configuration patch is included in the ClusterClass.

Example

To specify additional tags for EKS resources, use the following configuration:

apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: <NAME>
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          eks:
            additionalTags:
              Environment: production
              Team: platform
              CostCenter: "12345"

We can further customize individual MachineDeployments by using the overrides field with the following configuration:

spec:
  topology:
    # ...
    workers:
      machineDeployments:
        - class: default-worker
          name: md-0
          variables:
            overrides:
              - name: workerConfig
                value:
                  eks:
                    additionalTags:
                      NodeType: worker
                      Workload: database
                      Environment: production

Tag Precedence

When tags are specified at multiple levels, the following precedence applies (higher precedence overrides lower):

  1. Worker level tags (highest precedence)
  2. Cluster level tags (lowest precedence)

This means that if the same tag key is specified at multiple levels, the worker level values will take precedence over the cluster level values.

Applying this configuration will result in the following values being set:

  • AWSManagedControlPlane:

      spec:
        template:
          spec:
            additionalTags:
              Environment: production
              Team: platform
              CostCenter: "12345"

  • worker AWSMachineTemplate:

      spec:
        template:
          spec:
            additionalTags:
              Environment: production
              Team: platform
              CostCenter: "12345"
              NodeType: worker
              Workload: database

2 - Identity Reference

The identity reference customization allows the user to specify the AWS identity to use when reconciling the EKS cluster. This identity reference can be used to authenticate with AWS services using different identity types such as AWSClusterControllerIdentity, AWSClusterRoleIdentity, or AWSClusterStaticIdentity.

This customization is available for EKS clusters when the provider-specific cluster configuration patch is included in the ClusterClass.

For detailed information about AWS multi-tenancy and identity management, see the Cluster API AWS Multi-tenancy documentation.

Example

To specify the AWS identity reference for an EKS cluster, use the following configuration:

apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: <NAME>
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          eks:
            identityRef:
              kind: AWSClusterStaticIdentity
              name: my-aws-identity

Identity Types

The following identity types are supported:

  • AWSClusterControllerIdentity: Uses the default identity for the controller
  • AWSClusterRoleIdentity: Assumes a role using the provided source reference
  • AWSClusterStaticIdentity: Uses static credentials stored in a secret

Example with Different Identity Types

Using AWSClusterRoleIdentity

apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: <NAME>
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          eks:
            identityRef:
              kind: AWSClusterRoleIdentity
              name: my-role-identity

Using AWSClusterStaticIdentity

apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: <NAME>
spec:
  topology:
    variables:
      - name: clusterConfig
        value:
          eks:
            identityRef:
              kind: AWSClusterStaticIdentity
              name: my-static-identity

Applying the first example configuration above (the one that references my-aws-identity) will result in the following value being set:

  • AWSManagedControlPlane:

      spec:
        template:
          spec:
            identityRef:
              kind: AWSClusterStaticIdentity
              name: my-aws-identity

Notes

  • If no identity is specified, the default identity for the controller will be used
  • The identity reference must exist in the cluster before creating the cluster
  • For AWSClusterStaticIdentity, the referenced secret must contain the required AWS credentials
  • For AWSClusterRoleIdentity, the role must be properly configured with the necessary permissions
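
The objects that the identityRef examples above point at might look like the following. This is an added example, not part of the original page or the project's own manifests: it assumes the Cluster API Provider AWS v1beta2 API and a controller running in the capa-system namespace, and the Secret name, the team-a namespace and the role ARN are placeholders.

```yaml
# Added example: names, namespaces and the ARN are placeholders.
# The Secret must be in the namespace the CAPA controller runs in
# (capa-system is assumed here).
apiVersion: v1
kind: Secret
metadata:
  name: my-static-identity-creds      # hypothetical name
  namespace: capa-system
type: Opaque
stringData:
  AccessKeyID: <ACCESS_KEY_ID>
  SecretAccessKey: <SECRET_ACCESS_KEY>
  # SessionToken: <SESSION_TOKEN>     # optional, for temporary credentials
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSClusterStaticIdentity
metadata:
  name: my-static-identity            # matches identityRef.name in the Cluster
spec:
  secretRef: my-static-identity-creds
  # Restrict which namespaces may use this identity. Leaving allowedNamespaces
  # unset permits no namespace; an empty object ({}) permits every namespace.
  allowedNamespaces:
    list:
      - team-a                         # hypothetical namespace
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSClusterRoleIdentity
metadata:
  name: my-role-identity              # matches identityRef.name in the Cluster
spec:
  roleARN: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
  # The controller's own identity is used to assume the role above.
  sourceIdentityRef:
    kind: AWSClusterControllerIdentity
    name: default
  allowedNamespaces:
    list:
      - team-a
```

Prefer AWSClusterRoleIdentity where possible, since it avoids storing long-lived access keys in a Secret, and keep allowedNamespaces scoped to the namespaces that actually create clusters with that identity.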