AWSClusterConfiguration

Version: deckhouse.io/v1

Describes the configuration of a cloud cluster in AWS.

Used by the cloud provider if a cluster’s control plane is hosted in the cloud.

Run the following command to change the configuration in a running cluster:

d8 system edit provider-cluster-configuration

After updating the node parameters, you need to run the dhctl converge command to apply the changes.

Example:

apiVersion: deckhouse.io/v1
kind: AWSClusterConfiguration
layout: WithoutNAT
sshPublicKey: "<SSH_PUBLIC_KEY>"
nodeNetworkCIDR: 172.16.0.0/22
vpcNetworkCIDR: 172.16.0.0/16
masterNodeGroup:
  replicas: 1
  instanceClass:
    instanceType: m5.xlarge
    ami: ami-08b6d44b4f6f7b279
    diskType: gp3
nodeGroups:
- name: worker
  nodeTemplate:
    labels:
      node-role.kubernetes.io/worker: ''
  replicas: 2
  instanceClass:
    instanceType: t2.medium
    ami: ami-0caef02b518350c8b
  additionalTags:
    backup: srv1
provider:
  providerAccessKeyId: "<AWS_ACCESS_KEY>"
  providerSecretAccessKey: "<AWS_SECRET_ACCESS_KEY>"
  region: eu-central-1
tags:
  team: rangers
  • additionalRolePolicies
    array of strings

    A list containing additional policy actions for IAM roles.

    • Additional policy actions would be attached to the default IAM role policy actions.
    • Parameter is optional. If omitted, only default IAM role policy actions are used.
    • Example of policy actions: ecr:ListImages, s3:GetObject, etc.

    Default IAM role policies actions contain the following roles:

    • ec2:DescribeTags
    • ec2:DescribeInstances
    • Element of the array
      string

      Pattern: ^([a-zA-Z0-9_\-]+):([a-zA-Z0-9_\-\*\?]+)$

  • apiVersion
    string

    Required value

    Allowed values: deckhouse.io/v1, deckhouse.io/v1alpha1

  • disableDefaultSecurityGroup
    boolean

    If set to true, the default security group will not be created.

    Warning. When using disableDefaultSecurityGroup: true, you must manually create all required security groups to allow access to cluster nodes. Additionally, you must explicitly specify them in the following parameters:

    • additionalSecurityGroups in the masterNodeGroup section of the AWSClusterConfiguration resource;
    • additionalSecurityGroups in the AWSInstanceClass resource;
    • additionalSecurityGroups in the nodeGroups.instanceClass section.

    To configure the security groups used by load balancers, specify them using the service.beta.kubernetes.io/aws-load-balancer-security-groups annotation.

  • existingVPCID
    string

    ID of the existing VPC to use for deploying.

    • A mandatory parameter if the vpcNetworkCIDR is omitted.
    • Caution! If there is an Internet Gateway in the target VPC, the deployment of the basic infrastructure will fail with an error. Currently, an Internet Gateway cannot be adopted.
  • iamNodeRole
    string

    The name of the IAM role that will be attached to all AWS instances of the cluster nodes.

    DKP always creates and assigns a special IAM role named <PREFIX>-node to each AWS instance of the cluster nodes (<PREFIX> is the value of the parameter cloud.prefix in the common cluster parameters). You can specify your IAM-role with greater permissions in the iamNodeRole parameter, but it is important that it includes the IAM policies of the role created by DKP (the <PREFIX>-node role).

    More details about IAM roles for AWS EC2 can be found in the AWS documentation.

    Pattern: ^[a-zA-Z0-9+=,.@\-_']{1,64}$

  • kind
    string

    Required value

    Allowed values: AWSClusterConfiguration

  • layout
    string

    Required value

    The way resources are located in the cloud.

    Read more about possible provider layouts.

    Note, that the Standard layout is deprecated.

    Allowed values: WithoutNAT, WithNAT, Standard

  • masterNodeGroup
    object

    Required value

    Parameters of the master’s NodeGroup.

    For the changes to take effect, run dhctl converge after modifying the parameters of the masterNodeGroup section.

    • masterNodeGroup.additionalTags
      object

      The additional tags to attach to the instances created (in addition to those specified in the cloud provider configuration).

      Example:

      additionalTags:
  project: cms-production
  severity: critical
    • masterNodeGroup.instanceClass
      object

      Required value

      Partial contents of the fields of the AWSInstanceClass.

      • masterNodeGroup.instanceClass.additionalSecurityGroups
        array of strings

        The additional security groups to add to provisioned instances of the specific InstanceClass.

      • masterNodeGroup.instanceClass.ami
        string

        Required value

        The Amazon Machine Image (AMI ID) to use in provisioned instances.

        Here is how you can find the required AMI (each region has its own set of AMIs):

        aws ec2 --region <REGION> describe-images \
--filters 'Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-2020*' | \
jq '.Images[].ImageId'

        Example:

        ami: ami-040a1551f9c9d11ad
      • masterNodeGroup.instanceClass.diskSizeGb
        integer

        Instance disk size in gibibytes.

        Example:

        diskSizeGb: 50
      • masterNodeGroup.instanceClass.diskType
        string

        Instance EBS disk type.

        Allowed values: gp3, gp2, io2, io1, st1, sc1

        Example:

        diskType: gp2
      • masterNodeGroup.instanceClass.etcdDisk
        object

        Default: {"sizeGb":20,"type":"gp3"}

        • masterNodeGroup.instanceClass.etcdDisk.sizeGb
          integer

          Etcd disk size in gibibytes.

        • masterNodeGroup.instanceClass.etcdDisk.type
          string

          Etcd disk type.

      • masterNodeGroup.instanceClass.instanceType
        string

        Required value

        Instance type of AWS instance.

        Caution! Ensure that this type is present in all zones specified in the zones parameter.

        Example:

        instanceType: t3.large
    • masterNodeGroup.replicas
      integer

      Required value

      The number of master nodes to create.

      It is important to have an odd number of masters to ensure a quorum.

      Allowed values: 1 <= X

    • masterNodeGroup.zones
      array of strings

      Not required value.

      A limited set of zones in which master nodes can be created.

      The order in which zones are specified does not influence the sequence of node creation. Nodes are assigned to zones in alphabetical order: the first node is placed in the alphabetically first zone, the second node in the second zone, and so forth. If there are more nodes than zones, the assignment process restarts from the beginning of the zone list after placing a node in the last alphabetical zone.

  • nodeGroups
    array of objects

    An array of additional NodeGroups for creating static nodes (e.g., for dedicated front nodes or gateways).

    • nodeGroups.additionalTags
      object

      The additional tags to attach to the instances created (in addition to those specified in the cloud provider configuration).

      Example:

      project: cms-production
severity: critical
    • nodeGroups.instanceClass
      object

      Required value

      Partial contents of the fields of the AWSInstanceClass.

      • nodeGroups.instanceClass.additionalSecurityGroups
        array of strings

        The additional security groups to add to provisioned instances of the specific InstanceClass.

      • nodeGroups.instanceClass.ami
        string

        Required value

        The Amazon Machine Image (AMI ID) to use in provisioned instances.

        Here is how you can find the required AMI (each region has its own set of AMIs):

        aws ec2 --region <REGION> describe-images \
--filters 'Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-2020*' | \
jq '.Images[].ImageId'

        Example:

        ami: ami-040a1551f9c9d11ad
      • nodeGroups.instanceClass.diskSizeGb
        integer

        Instance disk size in gibibytes.

        Example:

        diskSizeGb: 50
      • nodeGroups.instanceClass.diskType
        string

        Instance EBS disk type.

        Allowed values: gp3, gp2, io2, io1, st1, sc1

        Example:

        diskType: gp2
      • nodeGroups.instanceClass.instanceType
        string

        Required value

        Instance type of AWS instance.

        Caution! Ensure that this type is present in all zones specified in the zones parameter.

        Example:

        instanceType: t3.large
    • nodeGroups.name
      string

      Required value

      The name of the NodeGroup. It is used to generate the node name.

    • nodeGroups.nodeTemplate

      Parameters of Node objects in Kubernetes to add after registering the node.

      • nodeGroups.nodeTemplate.annotations
        object

        The same as the metadata.annotations standard field.

        Example:

        annotations:
  ai.fleet.com/discombobulate: "true"
      • nodeGroups.nodeTemplate.labels
        object

        A list of labels to attach to cluster resources.

        The same as the metadata.labels standard field.

        Note that you have to re-create all the machines to add new tags if tags were modified in the running cluster.

        Example:

        labels:
  environment: production
  app: warp-drive-ai
      • nodeGroups.nodeTemplate.taints
        array of objects

        The same as the .spec.taints field of the Node object.

        Available fields: effect, key, and values.

        Example:

        taints:
- effect: NoExecute
  key: ship-class
  value: frigate
        • nodeGroups.nodeTemplate.taints.effect
          string

          Allowed values: NoSchedule, PreferNoSchedule, NoExecute

        • nodeGroups.nodeTemplate.taints.key
          string
        • nodeGroups.nodeTemplate.taints.value
          string
    • nodeGroups.replicas
      integer

      Required value

      The number of nodes.

    • nodeGroups.zones
      array of strings

      Not required value.

      A limited set of zones in which nodes can be created.

      The order in which zones are specified does not influence the sequence of node creation. Nodes are assigned to zones in alphabetical order: the first node is placed in the alphabetically first zone, the second node in the second zone, and so forth. If there are more nodes than zones, the assignment process restarts from the beginning of the zone list after placing a node in the last alphabetical zone.

  • nodeNetworkCIDR
    string

    A subnet to use for cluster nodes:

    • The IP range must overlap or match the VPC address range.
    • The IP range will be evenly split into subnets, one per Availability Zone in your region.
    • An optional but recommended parameter. By default, it corresponds to the whole range of VPC addresses.

    If a new VPC is created along with a new cluster and no vpcNetworkCIDR is provided, then the range from nodeNetworkCIDR is used for the VPC. Thus, the entire VPC is allocated for the cluster networks, and you will not be able to add other resources to this VPC.

    The nodeNetworkCIDR range is distributed between subnets depending on the number of availability zones in the selected region. For example, if nodeNetworkCIDR: "10.241.1.0/20" and there are three availability zones in the region, subnets will be created with the /22 mask.

    Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

  • peeredVPCs
    array of strings

    A list of AWS VPC IDs to peer with the cluster network.

    The service account must have access to all the VPCs listed. You have to configure the peering connection manually if no access is available.

  • provider
    object

    Required value

    Contains settings to connect to the AWS API.

    • provider.providerAccessKeyId
      string

      Required value

      Access key ID.

    • provider.providerSecretAccessKey
      string

      Required value

      Access key secret.

    • provider.region
      string

      Required value

      The name of the AWS region where instances will be provisioned.

  • sshAllowList
    array of strings

    A list of CIDR’s allowed to connect to nodes via SSH.

    By default, 0.0.0.0/0.

  • sshPublicKey
    string

    Required value

    A public key for accessing nodes.

  • standard
    Deprecated
    object

    Layout is deprecated.

    • tags
      object

      Not required value.

      A dictionary of tags to create on all resources that support this feature.

      You have to re-create all the machines to add new tags if tags were modified in the running cluster.

    • vpcNetworkCIDR
      string

      A subnet to use in the VPC being created.

      A mandatory parameter if the existingVPCID parameter is omitted.

      Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • withNAT
      object
      • withNAT.bastionInstance
        object
        • withNAT.bastionInstance.instanceClass
          object

          Required value

          Partial contents of the fields of the AWSInstanceClass.

          • withNAT.bastionInstance.instanceClass.additionalSecurityGroups
            array of strings

            The additional security groups to add to provisioned instance of the specific InstanceClass.

          • withNAT.bastionInstance.instanceClass.ami
            string

            Required value

            The Amazon Machine Image (AMI ID) to use in provisioned instance.

            Here is how you can find the required AMI (each region has its own set of AMIs):

            aws ec2 --region <REGION> describe-images \
--filters 'Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-2020*' | \
jq '.Images[].ImageId'

            Example:

            ami: ami-040a1551f9c9d11ad
          • withNAT.bastionInstance.instanceClass.diskSizeGb
            integer

            Instance disk size in gibibytes.

            Example:

            diskSizeGb: 20
          • withNAT.bastionInstance.instanceClass.diskType
            string

            Instance EBS disk type.

            Allowed values: gp3, gp2, io2, io1, st1, sc1

            Example:

            diskType: gp2
          • withNAT.bastionInstance.instanceClass.instanceType
            string

            Required value

            Instance type of AWS instance.

            Caution! Ensure that this type is present in selected zone.

            Example:

            instanceType: t3.large
        • withNAT.bastionInstance.zone
          string

          The zone in which the bastion instance will be created.

          By default, the first available zone in the region or the first from the list of the global parameter zones will be used.

    • withoutNAT
      object
      • zones
        array of strings

        The globally restricted set of zones that this cloud provider works with.

        Restricts only the creation of nodes in the cluster.