eksctl
eksctl cluster configuration file
Validate with Lintel
npx @lintel/lintel check
Definitions
holds subnet to AZ mappings. If the key is an AZ, that also becomes the name of the subnet; otherwise the key is used to refer to this subnet.
zone name for this subnet; it can be either an availability zone name or a local zone name. AZ can be omitted if the key is an AZ.
specifies the access config for a cluster.
specifies a list of access entries for the cluster.
specifies the authentication mode for a cluster.
specifies whether the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.
represents an access entry for managing access to a cluster.
set of policies to associate with an access entry
set of Kubernetes groups to map to the principal ARN
username to map to the principal ARN
EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX or STANDARD
An AccessPolicy represents a policy to associate with an access entry.
defines the scope of an access policy.
2 nested properties
Scope access to namespace(s)
namespace or cluster
defines the scope of an access policy.
Scope access to namespace(s)
namespace or cluster
holds the EKS addon configuration
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
list of ARNs of the IAM policies to attach
defines the set of configuration properties for add-ons. For now, all properties will be specified as a JSON string and have to respect the schema from DescribeAddonConfiguration.
holds namespace configuration for addon deployment
1 nested property
specifies the target namespace for addon deployment
ARN of the permissions' boundary to associate
holds a list of associations to be configured for the addon
determines how to resolve field value conflicts for an EKS add-on if a value was changed from default
The metadata to apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define.
uses the pod identity associations recommended by the EKS API. Defaults to false.
for attaching common IAM policies
7 nested properties
adds policies for cluster-autoscaler. See autoscaler AWS docs.
adds policies for using the aws-load-balancer-controller. See Load Balancer docs.
adds cert-manager policies. See cert-manager docs.
adds policies for using the ebs-csi-controller. See aws-ebs-csi-driver docs.
adds policies for using the efs-csi-controller. See aws-efs-csi-driver docs.
adds external-dns policies for Amazon Route 53. See external-dns docs.
allows for full ECR (Elastic Container Registry) access.
holds namespace configuration for addon deployment
specifies the target namespace for addon deployment
holds the addons config.
specifies whether to automatically apply pod identity associations for supported addons that require IAM permissions.
enables or disables creation of default networking addons when the cluster is created. By default, all default addons are installed as EKS addons.
holds AWS IDC configuration for ArgoCD
ARN of the IDC instance
region of the IDC instance
holds ArgoCD-specific configuration
holds AWS IDC configuration for ArgoCD
2 nested properties
ARN of the IDC instance
region of the IDC instance
for ArgoCD installation
holds network access configuration for ArgoCD
1 nested property
for VPC endpoint access
for ArgoCD RBAC
holds network access configuration for ArgoCD
for VPC endpoint access
holds RBAC role mapping for ArgoCD
SSO identities to map to the role
ArgoCD role (ADMIN, EDITOR, VIEWER)
enables or disables Auto Mode.
a list of node pools to create.
represents an EKS capability configuration
of the capability
of the capability (ACK, KRO, ARGOCD)
list of access policies to associate with the access entry
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
list of ARNs of the IAM policies to attach
holds capability-specific configuration
1 nested property
holds ArgoCD-specific configuration
4 nested properties
holds AWS IDC configuration for ArgoCD
for ArgoCD installation
holds network access configuration for ArgoCD
for ArgoCD RBAC
specifies the delete propagation policy
ARN of the permissions boundary policy
IAM role ARN for the capability
used to tag AWS resources created by the capability
holds capability-specific configuration
holds ArgoCD-specific configuration
4 nested properties
holds AWS IDC configuration for ArgoCD
2 nested properties
ARN of the IDC instance
region of the IDC instance
for ArgoCD installation
holds network access configuration for ArgoCD
1 nested property
for VPC endpoint access
for ArgoCD RBAC
defines a nodegroup's Capacity Reservation targeting option
defines a nodegroup's Capacity Reservation preferences (either 'open' or 'none')
2 nested properties
contains config parameters related to CloudWatch
contains config parameters related to cluster logging
2 nested properties
Types of logging to enable (see CloudWatch docs). Valid entries are: "api", "audit", "authenticator", "controllerManager", "scheduler", "all", "*".
sets the number of days to retain the logs for (see CloudWatch docs). Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
contains config parameters related to cluster logging
Types of logging to enable (see CloudWatch docs). Valid entries are: "api", "audit", "authenticator", "controllerManager", "scheduler", "all", "*".
sets the number of days to retain the logs for (see CloudWatch docs). Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
a simple config, to be replaced with Cluster API
contains general cluster information
6 nested properties
of the cluster
the AWS region hosting this cluster
arbitrary metadata ignored by eksctl.
When updating cluster version, provide the force flag to override upgrade-blocking insights
used to tag AWS resources created by eksctl
use ./eksctl utils describe-cluster-versions to get the list of supported versions
specifies the access config for a cluster.
3 nested properties
specifies a list of access entries for the cluster.
specifies the authentication mode for a cluster.
specifies whether the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.
holds the addons config.
2 nested properties
specifies whether to automatically apply pod identity associations for supported addons that require IAM permissions.
enables or disables creation of default networking addons when the cluster is created. By default, all default addons are installed as EKS addons.
4 nested properties
enables or disables Auto Mode.
a list of node pools to create.
specifies the capabilities for the cluster.
contains config parameters related to CloudWatch
1 nested property
contains config parameters related to cluster logging
2 nested properties
Types of logging to enable (see CloudWatch docs). Valid entries are: "api", "audit", "authenticator", "controllerManager", "scheduler", "all", "*".
sets the number of days to retain the logs for (see CloudWatch docs). Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
holds control plane scaling configuration.
1 nested property
groups all configuration options related to enabling GitOps Toolkit on a cluster and linking it to a Git repository. Note: this will replace the older Git types
1 nested property
groups all configuration options related to a Git repository used for GitOps Toolkit (Flux v2).
2 nested properties
a map of string for passing arbitrary flags to Flux bootstrap
The repository hosting service. Can be either Github or Gitlab.
holds all IAM attributes of a cluster
8 nested properties
role used by pods to access AWS APIs. This role is added to the Kubernetes RBAC for authorization. See Pod Execution Role
permissions boundary for the fargate pod execution role. See EKS Fargate Support
pod identity associations to create in the cluster. See Pod Identity Associations
service accounts to create in the cluster. See IAM Service Accounts
permissions boundary for all identity-based entities created by eksctl. See AWS Permission Boundary
attaches the IAM policy necessary to run the VPC controller in the control plane
enables the IAM OIDC provider as well as IRSA for the Amazon CNI plugin
provides configuration options
4 nested properties
defines the Karpenter version to install
create a service account or not.
override the default IAM instance profile
if true, adds all required policies and rules for supporting Spot Interruption Queue on Karpenter deployments
contains cluster networking options
3 nested properties
Valid variants are: "IPv4" defines an IP family of v4 to be used when creating a new VPC and cluster; "IPv6" defines an IP family of v6 to be used when creating a new VPC and cluster.
IPv4 CIDR range from where ClusterIPs are assigned
IPv6 CIDR range from where ClusterIPs are assigned
specifies a list of local zones where the subnets should be created. Only self-managed nodegroups can be launched in local zones. These subnets are not passed to EKS.
See Nodegroups usage and managed nodegroups
For information and examples see nodegroups
holds the Outpost configuration.
3 nested properties
specifies the instance type to use for creating the control plane instances.
specifies the Outpost ARN in which the control plane should be created.
specifies placement group information
1 nested property
defines the configuration for a fully-private cluster.
3 nested properties
specifies additional endpoint services that must be enabled for private access. Valid entries are "cloudformation", "autoscaling" and "logs".
enables creation of a fully-private cluster.
skips the creation process for endpoints completely. This is only used when a VPC is already provided and the user has set this to true.
RemoteNetworkConfig
4 nested properties
VPCGatewayID: the ID of the gateway that facilitates external connectivity from the customer's VPC to their remote network(s). Valid options are Transit Gateway and Virtual Private Gateway.
3 nested properties
the CA bundle certificate used by the IRA trust anchor. Can't be set if Provider is SSM.
the AWS service responsible for provisioning IAM credentials to remote nodes. Valid options are SSM (Systems Manager), the default, and IRA (IAM Roles Anywhere). The required IRA config (i.e. TrustAnchor, AnywhereProfile) will be created by eksctl behind the scenes.
the IAM Role ARN to be added to the aws-auth configmap for remote nodes. If not set, eksctl creates the role behind the scenes, adds an entry into the configmap and sets up any other SSM/IRA config. If set, eksctl will only add the configmap entry, and creating any required SSM/IRA config is the user's responsibility.
defines the configuration for KMS encryption provider
1 nested property
holds the upgrade policy configuration for the cluster
1 nested property
specifies the support type for the cluster. Valid variants are: "STANDARD" (standard support for the cluster) and "EXTENDED" (extended support for the cluster); "EXTENDED" is the default support type.
holds global subnet and all child subnets
17 nested properties
AutoAllocateIPV6 requests an IPv6 CIDR block with /56 prefix for the VPC
holds cluster api server endpoint access information
2 nested properties
configures the security groups for the control plane.
configures the subnets for the control plane.
for additional CIDR associations, e.g. a CIDR for private subnets or any ad-hoc subnets
for additional IPv6 CIDR associations, e.g. a CIDR for private subnets or any ad-hoc subnets
type of hostname to use for EC2 instances.
Automatically add security group rules to and from the default cluster security group and the shared node security group. This allows unmanaged nodes to communicate with the control plane and managed nodes. This option cannot be disabled when using eksctl created security groups.
NAT config
1 nested property
Valid variants are: "HighlyAvailable" configures a highly available NAT gateway, "Single" configures a single NAT gateway (default), "Disable" disables NAT.
which CIDR blocks to allow access to public k8s API endpoint
(aka the ControlPlaneSecurityGroup) for communication between control plane and nodes
for pre-defined shared node SG
holds private and public subnets
2 nested properties
holds subnet to AZ mappings. If the key is an AZ, that also becomes the name of the subnet; otherwise the key is used to refer to this subnet.
holds subnet to AZ mappings. If the key is an AZ, that also becomes the name of the subnet; otherwise the key is used to refer to this subnet.
holds the zonal shift configuration.
1 nested property
enables or disables zonal shift.
holds cluster api server endpoint access information
holds all IAM attributes of a cluster
role used by pods to access AWS APIs. This role is added to the Kubernetes RBAC for authorization. See Pod Execution Role
permissions boundary for the fargate pod execution role. See EKS Fargate Support
pod identity associations to create in the cluster. See Pod Identity Associations
service accounts to create in the cluster. See IAM Service Accounts
permissions boundary for all identity-based entities created by eksctl. See AWS Permission Boundary
attaches the IAM policy necessary to run the VPC controller in the control plane
enables the IAM OIDC provider as well as IRSA for the Amazon CNI plugin
holds information we can use to create ObjectMeta for service accounts
holds an IAM service account metadata and configuration
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
list of ARNs of the IAM policies to attach
ARN of the role to attach to the service account
holds information we can use to create ObjectMeta for service accounts
4 nested properties
ARN of the permissions boundary to associate with the service account
Specific role name instead of the Cloudformation-generated role name
Specify if only the IAM Service Account role should be created without creating/annotating the service account
holds status of the IAM service account
4 nested properties
Subject pattern to use in the trust policy condition. When set, this pattern is used instead of the service account name, and StringLike is used instead of StringEquals to allow wildcard matching.
AWS tags for the service account
for attaching common IAM policies
7 nested properties
adds policies for cluster-autoscaler. See autoscaler AWS docs.
adds policies for using the aws-load-balancer-controller. See Load Balancer docs.
adds cert-manager policies. See cert-manager docs.
adds policies for using the ebs-csi-controller. See aws-ebs-csi-driver docs.
adds policies for using the efs-csi-controller. See aws-efs-csi-driver docs.
adds external-dns policies for Amazon Route 53. See external-dns docs.
allows for full ECR (Elastic Container Registry) access.
holds status of the IAM service account
contains general cluster information
of the cluster
the AWS region hosting this cluster
arbitrary metadata ignored by eksctl.
When updating cluster version, provide the force flag to override upgrade-blocking insights
used to tag AWS resources created by eksctl
use ./eksctl utils describe-cluster-versions to get the list of supported versions
NAT config
Valid variants are: "HighlyAvailable" configures a highly available NAT gateway, "Single" configures a single NAT gateway (default), "Disable" disables NAT.
holds private and public subnets
holds subnet to AZ mappings. If the key is an AZ, that also becomes the name of the subnet; otherwise the key is used to refer to this subnet.
holds subnet to AZ mappings. If the key is an AZ, that also becomes the name of the subnet; otherwise the key is used to refer to this subnet.
holds global subnet and all child subnets
AutoAllocateIPV6 requests an IPv6 CIDR block with /56 prefix for the VPC
holds cluster api server endpoint access information
2 nested properties
configures the security groups for the control plane.
configures the subnets for the control plane.
for additional CIDR associations, e.g. a CIDR for private subnets or any ad-hoc subnets
for additional IPv6 CIDR associations, e.g. a CIDR for private subnets or any ad-hoc subnets
type of hostname to use for EC2 instances.
Automatically add security group rules to and from the default cluster security group and the shared node security group. This allows unmanaged nodes to communicate with the control plane and managed nodes. This option cannot be disabled when using eksctl created security groups.
NAT config
1 nested property
Valid variants are: "HighlyAvailable" configures a highly available NAT gateway, "Single" configures a single NAT gateway (default), "Disable" disables NAT.
which CIDR blocks to allow access to public k8s API endpoint
(aka the ControlPlaneSecurityGroup) for communication between control plane and nodes
for pre-defined shared node SG
holds private and public subnets
2 nested properties
holds subnet to AZ mappings. If the key is an AZ, that also becomes the name of the subnet; otherwise the key is used to refer to this subnet.
holds subnet to AZ mappings. If the key is an AZ, that also becomes the name of the subnet; otherwise the key is used to refer to this subnet.
holds control plane scaling configuration.
defines the settings used to schedule workload onto Fargate.
of the Fargate profile.
IAM role's ARN to use to run pods onto Fargate.
define the rules to select workload to schedule onto Fargate.
The current status of the Fargate profile.
which Fargate should use to do network placement of the selected workload. If none provided, all subnets for the cluster will be used.
Used to tag the AWS resources
defines rules to select workload to schedule onto Fargate.
Kubernetes namespace from which to select workload.
Kubernetes label selectors to use to select workload.
groups all configuration options related to a Git repository used for GitOps Toolkit (Flux v2).
a map of string for passing arbitrary flags to Flux bootstrap
The repository hosting service. Can be either Github or Gitlab.
a map of string for passing arbitrary flags to Flux bootstrap
groups all configuration options related to enabling GitOps Toolkit on a cluster and linking it to a Git repository. Note: this will replace the older Git types
groups all configuration options related to a Git repository used for GitOps Toolkit (Flux v2).
2 nested properties
a map of string for passing arbitrary flags to Flux bootstrap
The repository hosting service. Can be either Github or Gitlab.
contains IAM accounts, users, roles and services that will be added to the aws-auth configmap to enable access to the cluster
holds an identity provider configuration. See the example eksctl config.
Valid variants are: "oidc": OIDC identity provider
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
describes the market (purchasing) option for the instances
specifies the market type for the instances
holds EC2 instance selector options
List of allowed instance types to select from w/ regex syntax (Example: m[3-5]\.*)
CPU Architecture of the EC2 instance type. Valid variants are: "x86_64" "amd64" "arm64"
List of instance types which should be excluded w/ regex syntax (Example: m[1-2]\.*)
specifies the number of GPUs. It can be set to 0 to select non-GPU instance types.
specifies the memory. The unit defaults to GiB.
specifies the number of Neuron device Accelerators. It can be set to 0 to select non-Accelerator instance types.
specifies the number of vCPUs
provides configuration options
defines the Karpenter version to install
create a service account or not.
override the default IAM instance profile
if true, adds all required policies and rules for supporting Spot Interruption Queue on Karpenter deployments
contains cluster networking options
Valid variants are: "IPv4" defines an IP family of v4 to be used when creating a new VPC and cluster; "IPv6" defines an IP family of v6 to be used when creating a new VPC and cluster.
IPv4 CIDR range from where ClusterIPs are assigned
IPv6 CIDR range from where ClusterIPs are assigned
Launch template ID
Launch template version. Defaults to the default launch template version. TODO: support $Default, $Latest
represents an EKS-managed nodegroup
Additional Volume Configurations
Specify custom AMIs, auto-ssm, auto, or static
Valid variants are: "AmazonLinux2023" (default), "AmazonLinux2", "UbuntuPro2404", "Ubuntu2404", "UbuntuPro2204", "Ubuntu2204", "UbuntuPro2004", "Ubuntu2004", "Bottlerocket", "WindowsServer2019CoreContainer", "WindowsServer2019FullContainer", "WindowsServer2022CoreContainer", "WindowsServer2022FullContainer", "WindowsServer2025CoreContainer", "WindowsServer2025FullContainer".
Limit nodes to specific AZs
holds the configuration for Bottlerocket based NodeGroups.
2 nested properties
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
defines a nodegroup's Capacity Reservation targeting option
2 nested properties
defines a nodegroup's Capacity Reservation preferences (either 'open' or 'none')
2 nested properties
requires requests to the metadata service to use IMDSv2 tokens
blocks all IMDS requests from non-host networking pods
enables EBS optimization
creates the maximum allowed number of EFA-enabled network cards on nodes in this group.
Enable EC2 detailed monitoring
holds all IAM attributes of a NodeGroup
7 nested properties
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
list of ARNs of the IAM policies to attach
holds the ARN of instance profile, not supported for Managed NodeGroups
holds all IAM addon policies
13 nested properties
enables full access to AppMesh
enables full access to AppMesh Preview
enables IAM policy for cluster-autoscaler
enables the ability to add records to Route 53 in order to solve the DNS01 challenge. More information can be found here
enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver
adds the external-dns project policies for Amazon Route 53
allows for full ECR (Elastic Container Registry) access. This is useful for building, for example, a CI server that needs to push images to ECR
describes the market (purchasing) option for the instances
1 nested property
specifies the market type for the instances
holds EC2 instance selector options
7 nested properties
List of allowed instance types to select from w/ regex syntax (Example: m[3-5]\.*)
CPU Architecture of the EC2 instance type. Valid variants are: "x86_64" "amd64" "arm64"
List of instance types which should be excluded w/ regex syntax (Example: m[1-2]\.*)
specifies the number of GPUs. It can be set to 0 to select non-GPU instance types.
specifies the memory. The unit defaults to GiB.
specifies the number of Neuron device Accelerators. It can be set to 0 to select non-Accelerator instance types.
specifies the number of vCPUs
specifies a list of instance types
2 nested properties
Launch template ID
Launch template version. Defaults to the default launch template version. TODO: support $Default, $Latest
contains the auto repair configuration for the nodegroup
6 nested properties
Enables the auto repair feature for the nodegroup
specifies the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a count of unhealthy nodes. When using this, you cannot also set MaxParallelNodesRepairedPercentage at the same time.
specifies the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a percentage of unhealthy nodes. When using this, you cannot also set MaxParallelNodesRepairedCount at the same time.
specifies a count threshold of unhealthy nodes, above which node auto repair actions will stop. When using this, you cannot also set MaxUnhealthyNodeThresholdPercentage at the same time.
specifies a percentage threshold of unhealthy nodes, above which node auto repair actions will stop. When using this, you cannot also set MaxUnhealthyNodeThresholdCount at the same time.
specifies granular overrides for specific repair actions. These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
specifies the Outpost ARN in which the nodegroup should be created.
Override eksctl's bootstrapping script
executed before bootstrapping instances to the cluster
Enable private networking for nodegroup
Propagate all taints and labels to the ASG automatically.
the AMI version of the EKS optimized AMI to use
controls security groups for this nodegroup
3 nested properties
attaches additional security groups to the nodegroup
attach a security group local to this nodegroup. Not supported for managed nodegroups
attach the security group shared among all nodegroups in the cluster. Not supported for managed nodegroups
creates a spot nodegroup
holds all the ssh access configuration to a NodeGroup
6 nested properties
If Allow is true the SSH configuration provided is used, otherwise it is ignored. Only one of PublicKeyPath, PublicKey and PublicKeyName can be configured
Enables the ability to SSH onto nodes using SSM
Public key to be added to the nodes' SSH keychain. If Allow is false this value is ignored.
Public key name in EC2 to be added to the nodes' SSH keychain. If Allow is false this value is ignored.
The path to the SSH public key to be added to the nodes' SSH keychain. If Allow is true this value defaults to "~/.ssh/id_rsa.pub", otherwise the value is ignored.
Limit nodes to specific subnets
Applied to the Autoscaling Group and to the EC2 instances (unmanaged); applied to the EKS Nodegroup resource and to the EC2 instances (managed)
taints to apply to the nodegroup
contains the configuration for updating NodeGroups.
2 nested properties
sets the max number of nodes that can become unavailable when updating a nodegroup (specified as number)
sets the max number of nodes that can become unavailable when updating a nodegroup (specified as percentage)
gigabytes
Valid variants are: "gp2" is General Purpose SSD, "gp3" is General Purpose SSD which can be optimised for high throughput (default), "io1" is Provisioned IOPS SSD, "io2" is Provisioned IOPS SSD, "sc1" is Cold HDD, "st1" is Throughput Optimized HDD.
used by the scaling config, see cloudformation docs
holds configuration attributes that are specific to an unmanaged nodegroup
Additional Volume Configurations
Specify custom AMIs, auto-ssm, auto, or static
Valid variants are: "AmazonLinux2023" (default), "AmazonLinux2", "UbuntuPro2404", "Ubuntu2404", "UbuntuPro2204", "Ubuntu2204", "UbuntuPro2004", "Ubuntu2004", "Bottlerocket", "WindowsServer2019CoreContainer", "WindowsServer2019FullContainer", "WindowsServer2022CoreContainer", "WindowsServer2022FullContainer", "WindowsServer2025CoreContainer", "WindowsServer2025FullContainer".
Limit nodes to specific AZs
holds the configuration for Bottlerocket based NodeGroups.
2 nested properties
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
defines a nodegroup's Capacity Reservation targeting option
2 nested properties
defines a nodegroup's Capacity Reservation preferences (either 'open' or 'none')
2 nested properties
Associate load balancers with auto scaling group
Custom address used for DNS lookups
defines the runtime (CRI) to use for containers on the node
configures T3 Unlimited, valid only for T-type instances
requires requests to the metadata service to use IMDSv2 tokens
blocks all IMDS requests from non-host networking pods
enables EBS optimization
creates the maximum allowed number of EFA-enabled network cards on nodes in this group.
Enable EC2 detailed monitoring
determines if the EC2 instance will be Nitro enclave enabled
holds all IAM attributes of a NodeGroup
7 nested properties
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
list of ARNs of the IAM policies to attach
holds the ARN of instance profile, not supported for Managed NodeGroups
holds all IAM addon policies
13 nested properties
enables full access to AppMesh
enables full access to AppMesh Preview
enables IAM policy for cluster-autoscaler
enables the ability to add records to Route 53 in order to solve the DNS01 challenge. More information can be found here
enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver
adds the external-dns project policies for Amazon Route 53
allows for full ECR (Elastic Container Registry) access. This is useful for building, for example, a CI server that needs to push images to ECR
describes the market (purchasing) option for the instances
1 nested property
specifies the market type for the instances
holds EC2 instance selector options
7 nested properties
List of allowed instance types to select from w/ regex syntax (Example: m[3-5]\.*)
CPU Architecture of the EC2 instance type. Valid variants are: "x86_64" "amd64" "arm64"
List of instance types which should be excluded w/ regex syntax (Example: m[1-2]\.*)
specifies the number of GPUs. It can be set to 0 to select non-GPU instance types.
specifies the memory. The unit defaults to GiB.
specifies the number of Neuron device Accelerators. It can be set to 0 to select non-Accelerator instance types.
specifies the number of vCPUs
holds the configuration for spot instances
7 nested properties
Enable capacity rebalancing for spot instances
Range [0-100]
Range [1-20]
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
specifies a list of local zones where the nodegroup should be launched. The cluster should have been created with all of the local zones specified in this field.
defines the maximum amount of time in seconds an instance stays alive.
specifies the Outpost ARN in which the nodegroup should be created.
Override eksctl's bootstrapping script
executed before bootstrapping instances to the cluster
Enable private networking for nodegroup
Propagate all taints and labels to the ASG automatically.
controls security groups for this nodegroup
3 nested properties
attaches additional security groups to the nodegroup
attach a security group local to this nodegroup. Not supported for managed nodegroups
attach the security group shared among all nodegroups in the cluster. Not supported for managed nodegroups
holds all the ssh access configuration to a NodeGroup
6 nested properties
If Allow is true the SSH configuration provided is used, otherwise it is ignored. Only one of PublicKeyPath, PublicKey and PublicKeyName can be configured
Enables the ability to SSH onto nodes using SSM
Public key to be added to the nodes' SSH keychain. If Allow is false this value is ignored.
Public key name in EC2 to be added to the nodes' SSH keychain. If Allow is false this value is ignored.
The path to the SSH public key to be added to the nodes' SSH keychain. If Allow is true this value defaults to "~/.ssh/id_rsa.pub", otherwise the value is ignored.
Limit nodes to specific subnets
Applied to the Autoscaling Group and to the EC2 instances (unmanaged); applied to the EKS Nodegroup resource and to the EC2 instances (managed)
handles unmarshalling both map[string]string and []NodeGroupTaint
Associate target group with auto scaling group
contains the configuration for updating NodeGroups.
2 nested properties
sets the max number of nodes that can become unavailable when updating a nodegroup (specified as number)
sets the max number of nodes that can become unavailable when updating a nodegroup (specified as percentage)
gigabytes
Valid variants are: "gp2" is General Purpose SSD, "gp3" is General Purpose SSD which can be optimised for high throughput (default), "io1" is Provisioned IOPS SSD, "io2" is Provisioned IOPS SSD, "sc1" is Cold HDD, "st1" is Throughput Optimized HDD.
holds the configuration for Bottlerocket based NodeGroups.
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
holds all IAM attributes of a NodeGroup
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
list of ARNs of the IAM policies to attach
holds the ARN of instance profile, not supported for Managed NodeGroups
holds all IAM addon policies
13 nested properties
enables full access to AppMesh
enables full access to AppMesh Preview
enables IAM policy for cluster-autoscaler
enables the ability to add records to Route 53 in order to solve the DNS01 challenge (as used by cert-manager)
enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver
adds the external-dns project policies for Amazon Route 53
allows for full ECR (Elastic Container Registry) access. This is useful for building, for example, a CI server that needs to push images to ECR
holds the configuration for spot instances
Enable capacity rebalancing for spot instances
Range [0-100]
Range [1-20]
contains the auto repair configuration for the nodegroup
Enables the auto repair feature for the nodegroup
specifies the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a count of unhealthy nodes. When using this, you cannot also set MaxParallelNodesRepairedPercentage at the same time.
specifies the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a percentage of unhealthy nodes. When using this, you cannot also set MaxParallelNodesRepairedCount at the same time.
specifies a count threshold of unhealthy nodes, above which node auto repair actions will stop. When using this, you cannot also set MaxUnhealthyNodeThresholdPercentage at the same time.
specifies a percentage threshold of unhealthy nodes, above which node auto repair actions will stop. When using this, you cannot also set MaxUnhealthyNodeThresholdCount at the same time.
specifies granular overrides for specific repair actions. These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
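The fields above map onto the `nodeGroups` and `managedNodeGroups` sections of an eksctl ClusterConfig. The following is an added example, not configuration from the eksctl documentation or project, showing the settings a security engineer would reach for: no inbound SSH (port 22) rule and no key material on the nodes, with Session Manager as the shell path instead; an explicit addon-policy allowlist that leaves `imageBuilder` off because it grants full ECR access including push; and the mutually exclusive update and auto-repair fields chosen one way. The cluster name, region, security group ID and numeric values are placeholders, and the `nodeRepairConfig` key names are assumed from the field descriptions above.

```yaml
# Added example, not from the eksctl docs. IDs, names and numbers are placeholders.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: example-cluster        # placeholder
  region: us-west-2            # placeholder

nodeGroups:
  - name: ng-unmanaged
    instanceType: m5.large
    desiredCapacity: 2
    privateNetworking: true    # no public IPs on the nodes
    propagateASGTags: true     # taints and labels are pushed to the ASG for the autoscaler
    securityGroups:
      attachIDs: ["sg-0123456789abcdef0"]   # placeholder: an extra SG, e.g. for a datastore
      withShared: true         # cluster-wide nodegroup SG (unmanaged nodegroups only)
      withLocal: true          # per-nodegroup SG (unmanaged nodegroups only)
    ssh:
      allow: false             # no port-22 ingress rule is created and no key is installed
      enableSsm: true          # interactive access goes through SSM Session Manager instead
    iam:
      withAddonPolicies:
        autoScaler: true       # only what this nodegroup's workloads need
        ebs: true
        imageBuilder: false    # full ECR access incl. push; keep off on workload nodes
        externalDNS: false
        certManager: false
    instancesDistribution:
      onDemandBaseCapacity: 1
      onDemandPercentageAboveBaseCapacity: 50   # range [0-100]
      spotInstancePools: 2                      # range [1-20]
      capacityRebalance: true
    updateConfig:
      maxUnavailable: 1        # either this or maxUnavailablePercentage, not both

managedNodeGroups:
  - name: ng-managed
    instanceType: m5.large
    desiredCapacity: 2
    privateNetworking: true
    securityGroups:
      attachIDs: ["sg-0123456789abcdef0"]   # withShared/withLocal are not supported here
    ssh:
      allow: false
      enableSsm: true
    updateConfig:
      maxUnavailablePercentage: 25
    nodeRepairConfig:          # key names assumed from the descriptions above
      enabled: true
      maxParallelNodesRepairedCount: 1          # or maxParallelNodesRepairedPercentage, not both
      maxUnhealthyNodeThresholdPercentage: 20   # or maxUnhealthyNodeThresholdCount, not both
```

Before applying a file like this, run it through `eksctl create cluster --dry-run -f cluster.yaml` (or `eksctl utils schema`) so the mutual-exclusion rules above (one of `publicKeyPath`/`publicKey`/`publicKeyName`, count versus percentage) are rejected by eksctl rather than discovered at CloudFormation time.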
represents a Kubernetes taint
specifies granular overrides for specific repair actions. These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
specifies the minimum time in minutes to wait before attempting to repair a node with this specific NodeMonitoringCondition and NodeUnhealthyReason
specifies an unhealthy condition reported by the node monitoring agent that this override would apply to
specifies a reason reported by the node monitoring agent that this override would apply to
specifies the repair action to take for nodes when all of the specified conditions are met
holds the spec of an OIDC identity provider to use for EKS authentication
holds the Outpost configuration.
specifies the instance type to use for creating the control plane instances.
specifies the Outpost ARN in which the control plane should be created.
specifies placement group information
1 nested properties
specifies placement group information
disables the tags that are automatically added to role session by Amazon EKS.
holds any arbitrary JSON/YAML documents, such as extra config parameters or IAM policies
optional policy that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role.
Amazon Resource Name (ARN) of the IAM role to be chained to the IAM role specified as RoleARN. This enables cross-account access where the RoleARN is in the same account as the cluster and TargetRoleARN is in a different account.
for attaching common IAM policies
7 nested properties
adds policies for cluster-autoscaler. See autoscaler AWS docs.
adds policies for using the aws-load-balancer-controller. See Load Balancer docs.
adds cert-manager policies. See cert-manager docs.
adds policies for using the ebs-csi-controller. See aws-ebs-csi-driver docs.
adds policies for using the efs-csi-controller. See aws-efs-csi-driver docs.
adds external-dns policies for Amazon Route 53. See external-dns docs.
allows for full ECR (Elastic Container Registry) access.
defines the configuration for a fully-private cluster.
specifies additional endpoint services that must be enabled for private access. Valid entries are "cloudformation", "autoscaling" and "logs".
enables creation of a fully-private cluster.
skips the creation of VPC endpoints entirely. Only applies when an existing VPC is supplied and the user explicitly sets this to true; the endpoints must then already exist in that VPC.
RemoteNetwork
RemoteNetworkConfig
the ID of the gateway that facilitates external connectivity from the customer's VPC to their remote network(s). Valid options are a Transit Gateway or a Virtual Private Gateway.
3 nested properties
the CA bundle certificate used by the IRA trust anchor. Can't be set if Provider is SSM.
the AWS service responsible for provisioning IAM credentials to remote nodes. Valid options are SSM (Systems Manager, the default) and IRA (IAM Roles Anywhere). The required IRA config (i.e. TrustAnchor, AnywhereProfile) is created by eksctl behind the scenes.
the IAM Role ARN to be added to the aws-auth configmap for remote nodes. If not set, eksctl creates the role behind the scenes, adds an entry to the configmap and sets up any other SSM/IRA config. If set, eksctl only adds the configmap entry, and creating any required SSM/IRA config is the user's responsibility.
represents an SSO identity
of the SSO identity
of the SSO identity (SSO_USER, SSO_GROUP)
defines the configuration for KMS encryption provider
holds the upgrade policy configuration for the cluster
specifies the support type for the cluster. Valid variants are: "STANDARD" (standard support for the cluster) and "EXTENDED" (extended support for the cluster, the default).
Additional Volume Configurations
gigabytes
Valid variants are: "gp2" is General Purpose SSD, "gp3" is General Purpose SSD which can be optimised for high throughput (default), "io1" is Provisioned IOPS SSD, "io2" is Provisioned IOPS SSD, "sc1" is Cold HDD, "st1" is Throughput Optimized HDD.
holds the zonal shift configuration.
enables or disables zonal shift.
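The cluster-level fields described above (pod identity associations with well-known policies, the fully-private cluster block, remote network config, KMS secrets encryption, the upgrade policy and zonal shift) fit together as follows. This is an added example, not configuration from the eksctl documentation or project. All ARNs, IDs, CIDRs and names are placeholders; the `disableSessionTags`, `targetRoleARN`, `caBundleCert` and remote-network key names are assumed from the field descriptions on this page. The security-relevant choices it shows: the CI service account gets a narrowly scoped push policy plus a permissions boundary and an inline deny rather than the blanket `imageBuilder` policy, and remote nodes authenticate through IAM Roles Anywhere with an explicit CA bundle.

```yaml
# Added example, not from the eksctl docs. ARNs, IDs, CIDRs and names are placeholders.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: example-cluster        # placeholder
  region: us-west-2            # placeholder

secretsEncryption:
  keyARN: arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000  # placeholder

upgradePolicy:
  supportType: STANDARD        # the default is EXTENDED

zonalShiftConfig:
  enabled: true

privateCluster:
  enabled: true
  additionalEndpointServices: ["cloudformation", "autoscaling", "logs"]  # the three valid entries

iam:
  withOIDC: true
  podIdentityAssociations:
    - namespace: kube-system
      serviceAccountName: cluster-autoscaler
      wellKnownPolicies:
        autoScaler: true       # the only well-known policy this pod needs
      disableSessionTags: false   # keep the EKS-added session tags for CloudTrail attribution
    - namespace: ci
      serviceAccountName: image-pusher
      permissionPolicyARNs:
        - arn:aws:iam::111122223333:policy/ecr-push-only   # placeholder; scoped instead of imageBuilder
      permissionsBoundaryARN: arn:aws:iam::111122223333:policy/pod-boundary  # placeholder
      permissionPolicy:        # additional restriction on top of the attached policies
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Action: "ecr:DeleteRepository"
            Resource: "*"
      targetRoleARN: arn:aws:iam::444455556666:role/cross-account-target  # placeholder in another account

remoteNetworkConfig:
  vpcGatewayID: tgw-0123456789abcdef0   # placeholder; a Transit Gateway or Virtual Private Gateway
  iam:
    provider: IRA              # eksctl creates the trust anchor and Anywhere profile
    caBundleCert: |            # placeholder PEM; required for IRA and not allowed with SSM
      -----BEGIN CERTIFICATE-----
      PLACEHOLDER
      -----END CERTIFICATE-----
  remoteNodeNetworks:
    - cidrs: ["10.200.0.0/16"]   # placeholder
  remotePodNetworks:
    - cidrs: ["10.201.0.0/16"]   # placeholder
```

If `remoteNetworkConfig.iam.roleARN` is set instead of left empty, eksctl only writes the aws-auth entry, so the trust anchor, Anywhere profile and any SSM activation for remote nodes have to be created and kept in sync by hand.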
captures the individual fields of an Amazon Resource Name. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more information.
an IP address in CIDR notation