{ "description": "AWSCluster is the schema for Amazon EC2 based Kubernetes Cluster API.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "AWSClusterSpec defines the desired state of an EC2-based Kubernetes cluster.", "properties": { "additionalTags": { "additionalProperties": { "type": "string" }, "description": "AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the\nones added by default.", "type": "object" }, "bastion": { "description": "Bastion contains options to configure the bastion host.", "properties": { "allowedCIDRBlocks": { "description": "AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.\nThey are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).", "items": { "type": "string" }, "type": "array" }, "ami": { "description": "AMI will use the specified AMI to boot the bastion. If not specified,\nthe AMI will default to one picked out in public space.", "type": "string" }, "disableIngressRules": { "description": "DisableIngressRules will ensure there are no Ingress rules in the bastion host's security group.\nRequires AllowedCIDRBlocks to be empty.", "type": "boolean" }, "enabled": { "description": "Enabled allows this provider to create a bastion host instance\nwith a public ip to access the VPC private network.", "type": "boolean" }, "instanceType": { "description": "InstanceType will use the specified instance type for the bastion. If not specified,\nCluster API Provider AWS will use t3.micro for all regions except us-east-1, where t2.micro\nwill be the default.", "type": "string" } }, "type": "object", "additionalProperties": false }, "controlPlaneEndpoint": { "description": "ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.", "properties": { "host": { "description": "The hostname on which the API server is serving.", "type": "string" }, "port": { "description": "The port on which the API server is serving.", "format": "int32", "type": "integer" } }, "required": [ "host", "port" ], "type": "object", "additionalProperties": false }, "controlPlaneLoadBalancer": { "description": "ControlPlaneLoadBalancer is optional configuration for customizing control plane behavior.", "properties": { "additionalListeners": { "description": "AdditionalListeners sets the additional listeners for the control plane load balancer.\nThis is only applicable to Network Load Balancer (NLB) types for the time being.", "items": { "description": "AdditionalListenerSpec defines the desired state of an\nadditional listener on an AWS load balancer.", "properties": { "healthCheck": { "description": "HealthCheck sets the optional custom health check configuration to the API target group.", "properties": { "intervalSeconds": { "description": "The approximate amount of time, in seconds, between health checks of an individual\ntarget.", "format": "int64", "maximum": 300, "minimum": 5, "type": "integer" }, "path": { "description": "The destination for health checks on the targets when using the protocol HTTP or HTTPS,\notherwise the path will be ignored.", "type": "string" }, "port": { "description": "The port the load balancer uses when performing health checks for additional target groups. When\nnot specified this value will be set for the same of listener port.", "type": "string" }, "protocol": { "description": "The protocol to use to health check connect with the target. When not specified the Protocol\nwill be the same of the listener.", "enum": [ "TCP", "HTTP", "HTTPS" ], "type": "string" }, "thresholdCount": { "description": "The number of consecutive health check successes required before considering\na target healthy.", "format": "int64", "maximum": 10, "minimum": 2, "type": "integer" }, "timeoutSeconds": { "description": "The amount of time, in seconds, during which no response from a target means\na failed health check.", "format": "int64", "maximum": 120, "minimum": 2, "type": "integer" }, "unhealthyThresholdCount": { "description": "The number of consecutive health check failures required before considering\na target unhealthy.", "format": "int64", "maximum": 10, "minimum": 2, "type": "integer" } }, "type": "object", "additionalProperties": false }, "port": { "description": "Port sets the port for the additional listener.", "format": "int64", "maximum": 65535, "minimum": 1, "type": "integer" }, "protocol": { "default": "TCP", "description": "Protocol sets the protocol for the additional listener.\nCurrently only TCP is supported.", "enum": [ "TCP" ], "type": "string" } }, "required": [ "port" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "port" ], "x-kubernetes-list-type": "map" }, "additionalSecurityGroups": { "description": "AdditionalSecurityGroups sets the security groups used by the load balancer. Expected to be security group IDs\nThis is optional - if not provided new security groups will be created for the load balancer", "items": { "type": "string" }, "type": "array" }, "crossZoneLoadBalancing": { "description": "CrossZoneLoadBalancing enables the classic ELB cross availability zone balancing.\n\n\nWith cross-zone load balancing, each load balancer node for your Classic Load Balancer\ndistributes requests evenly across the registered instances in all enabled Availability Zones.\nIf cross-zone load balancing is disabled, each load balancer node distributes requests evenly across\nthe registered instances in its Availability Zone only.\n\n\nDefaults to false.", "type": "boolean" }, "disableHostsRewrite": { "description": "DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB's address as 127.0.0.1 to the hosts\nfile of each instance. This is by default, false.", "type": "boolean" }, "healthCheck": { "description": "HealthCheck sets custom health check configuration to the API target group.", "properties": { "intervalSeconds": { "description": "The approximate amount of time, in seconds, between health checks of an individual\ntarget.", "format": "int64", "maximum": 300, "minimum": 5, "type": "integer" }, "thresholdCount": { "description": "The number of consecutive health check successes required before considering\na target healthy.", "format": "int64", "maximum": 10, "minimum": 2, "type": "integer" }, "timeoutSeconds": { "description": "The amount of time, in seconds, during which no response from a target means\na failed health check.", "format": "int64", "maximum": 120, "minimum": 2, "type": "integer" }, "unhealthyThresholdCount": { "description": "The number of consecutive health check failures required before considering\na target unhealthy.", "format": "int64", "maximum": 10, "minimum": 2, "type": "integer" } }, "type": "object", "additionalProperties": false }, "healthCheckProtocol": { "description": "HealthCheckProtocol sets the protocol type for ELB health check target\ndefault value is ELBProtocolSSL", "enum": [ "TCP", "SSL", "HTTP", "HTTPS", "TLS", "UDP" ], "type": "string" }, "ingressRules": { "description": "IngressRules sets the ingress rules for the control plane load balancer.", "items": { "description": "IngressRule defines an AWS ingress rule for security groups.", "properties": { "cidrBlocks": { "description": "List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "description": { "description": "Description provides extended information about the ingress rule.", "type": "string" }, "fromPort": { "description": "FromPort is the start of port range.", "format": "int64", "type": "integer" }, "ipv6CidrBlocks": { "description": "List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "natGatewaysIPsSource": { "description": "NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.", "type": "boolean" }, "protocol": { "description": "Protocol is the protocol for the ingress rule. Accepted values are \"-1\" (all), \"4\" (IP in IP),\"tcp\", \"udp\", \"icmp\", and \"58\" (ICMPv6), \"50\" (ESP).", "enum": [ "-1", "4", "tcp", "udp", "icmp", "58", "50" ], "type": "string" }, "sourceSecurityGroupIds": { "description": "The security group id to allow access from. Cannot be specified with CidrBlocks.", "items": { "type": "string" }, "type": "array" }, "sourceSecurityGroupRoles": { "description": "The security group role to allow access from. Cannot be specified with CidrBlocks.\nThe field will be combined with source security group IDs if specified.", "items": { "description": "SecurityGroupRole defines the unique role of a security group.", "enum": [ "bastion", "node", "controlplane", "apiserver-lb", "lb", "node-eks-additional" ], "type": "string" }, "type": "array" }, "toPort": { "description": "ToPort is the end of port range.", "format": "int64", "type": "integer" } }, "required": [ "description", "fromPort", "protocol", "toPort" ], "type": "object", "additionalProperties": false }, "type": "array" }, "loadBalancerType": { "default": "classic", "description": "LoadBalancerType sets the type for a load balancer. The default type is classic.", "enum": [ "classic", "elb", "alb", "nlb", "disabled" ], "type": "string" }, "name": { "description": "Name sets the name of the classic ELB load balancer. As per AWS, the name must be unique\nwithin your set of load balancers for the region, must have a maximum of 32 characters, must\ncontain only alphanumeric characters or hyphens, and cannot begin or end with a hyphen. Once\nset, the value cannot be changed.", "maxLength": 32, "pattern": "^[A-Za-z0-9]([A-Za-z0-9]{0,31}|[-A-Za-z0-9]{0,30}[A-Za-z0-9])$", "type": "string" }, "preserveClientIP": { "description": "PreserveClientIP lets the user control if preservation of client ips must be retained or not.\nIf this is enabled 6443 will be opened to 0.0.0.0/0.", "type": "boolean" }, "scheme": { "default": "internet-facing", "description": "Scheme sets the scheme of the load balancer (defaults to internet-facing)", "enum": [ "internet-facing", "internal" ], "type": "string" }, "subnets": { "description": "Subnets sets the subnets that should be applied to the control plane load balancer (defaults to discovered subnets for managed VPCs or an empty set for unmanaged VPCs)", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "identityRef": { "description": "IdentityRef is a reference to an identity to be used when reconciling the managed control plane.\nIf no identity is specified, the default identity for this controller will be used.", "properties": { "kind": { "description": "Kind of the identity.", "enum": [ "AWSClusterControllerIdentity", "AWSClusterRoleIdentity", "AWSClusterStaticIdentity" ], "type": "string" }, "name": { "description": "Name of the identity.", "minLength": 1, "type": "string" } }, "required": [ "kind", "name" ], "type": "object", "additionalProperties": false }, "imageLookupBaseOS": { "description": "ImageLookupBaseOS is the name of the base operating system used to look\nup machine images when a machine does not specify an AMI. When set, this\nwill be used for all cluster machines unless a machine specifies a\ndifferent ImageLookupBaseOS.", "type": "string" }, "imageLookupFormat": { "description": "ImageLookupFormat is the AMI naming format to look up machine images when\na machine does not specify an AMI. When set, this will be used for all\ncluster machines unless a machine specifies a different ImageLookupOrg.\nSupports substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base\nOS and kubernetes version, respectively. The BaseOS will be the value in\nImageLookupBaseOS or ubuntu (the default), and the kubernetes version as\ndefined by the packages produced by kubernetes/release without v as a\nprefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default\nimage format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up\nsearching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a\nMachine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See\nalso: https://golang.org/pkg/text/template/", "type": "string" }, "imageLookupOrg": { "description": "ImageLookupOrg is the AWS Organization ID to look up machine images when a\nmachine does not specify an AMI. When set, this will be used for all\ncluster machines unless a machine specifies a different ImageLookupOrg.", "type": "string" }, "network": { "description": "NetworkSpec encapsulates all things related to AWS network.", "properties": { "additionalControlPlaneIngressRules": { "description": "AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane", "items": { "description": "IngressRule defines an AWS ingress rule for security groups.", "properties": { "cidrBlocks": { "description": "List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "description": { "description": "Description provides extended information about the ingress rule.", "type": "string" }, "fromPort": { "description": "FromPort is the start of port range.", "format": "int64", "type": "integer" }, "ipv6CidrBlocks": { "description": "List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "natGatewaysIPsSource": { "description": "NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.", "type": "boolean" }, "protocol": { "description": "Protocol is the protocol for the ingress rule. Accepted values are \"-1\" (all), \"4\" (IP in IP),\"tcp\", \"udp\", \"icmp\", and \"58\" (ICMPv6), \"50\" (ESP).", "enum": [ "-1", "4", "tcp", "udp", "icmp", "58", "50" ], "type": "string" }, "sourceSecurityGroupIds": { "description": "The security group id to allow access from. Cannot be specified with CidrBlocks.", "items": { "type": "string" }, "type": "array" }, "sourceSecurityGroupRoles": { "description": "The security group role to allow access from. Cannot be specified with CidrBlocks.\nThe field will be combined with source security group IDs if specified.", "items": { "description": "SecurityGroupRole defines the unique role of a security group.", "enum": [ "bastion", "node", "controlplane", "apiserver-lb", "lb", "node-eks-additional" ], "type": "string" }, "type": "array" }, "toPort": { "description": "ToPort is the end of port range.", "format": "int64", "type": "integer" } }, "required": [ "description", "fromPort", "protocol", "toPort" ], "type": "object", "additionalProperties": false }, "type": "array" }, "cni": { "description": "CNI configuration", "properties": { "cniIngressRules": { "description": "CNIIngressRules specify rules to apply to control plane and worker node security groups.\nThe source for the rule will be set to control plane and worker security group IDs.", "items": { "description": "CNIIngressRule defines an AWS ingress rule for CNI requirements.", "properties": { "description": { "type": "string" }, "fromPort": { "format": "int64", "type": "integer" }, "protocol": { "description": "SecurityGroupProtocol defines the protocol type for a security group rule.", "type": "string" }, "toPort": { "format": "int64", "type": "integer" } }, "required": [ "description", "fromPort", "protocol", "toPort" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "securityGroupOverrides": { "additionalProperties": { "type": "string" }, "description": "SecurityGroupOverrides is an optional set of security groups to use for cluster instances\nThis is optional - if not provided new security groups will be created for the cluster", "type": "object" }, "subnets": { "description": "Subnets configuration.", "items": { "description": "SubnetSpec configures an AWS Subnet.", "properties": { "availabilityZone": { "description": "AvailabilityZone defines the availability zone to use for this subnet in the cluster's region.", "type": "string" }, "cidrBlock": { "description": "CidrBlock is the CIDR block to be used when the provider creates a managed VPC.", "type": "string" }, "id": { "description": "ID defines a unique identifier to reference this resource.\nIf you're bringing your subnet, set the AWS subnet-id here, it must start with `subnet-`.\n\n\nWhen the VPC is managed by CAPA, and you'd like the provider to create a subnet for you,\nthe id can be set to any placeholder value that does not start with `subnet-`;\nupon creation, the subnet AWS identifier will be populated in the `ResourceID` field and\nthe `id` field is going to be used as the subnet name. If you specify a tag\ncalled `Name`, it takes precedence.", "type": "string" }, "ipv6CidrBlock": { "description": "IPv6CidrBlock is the IPv6 CIDR block to be used when the provider creates a managed VPC.\nA subnet can have an IPv4 and an IPv6 address.\nIPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object.", "type": "string" }, "isIpv6": { "description": "IsIPv6 defines the subnet as an IPv6 subnet. A subnet is IPv6 when it is associated with a VPC that has IPv6 enabled.\nIPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object.", "type": "boolean" }, "isPublic": { "description": "IsPublic defines the subnet as a public subnet. A subnet is public when it is associated with a route table that has a route to an internet gateway.", "type": "boolean" }, "natGatewayId": { "description": "NatGatewayID is the NAT gateway id associated with the subnet.\nIgnored unless the subnet is managed by the provider, in which case this is set on the public subnet where the NAT gateway resides. It is then used to determine routes for private subnets in the same AZ as the public subnet.", "type": "string" }, "parentZoneName": { "description": "ParentZoneName is the zone name where the current subnet's zone is tied when\nthe zone is a Local Zone.\n\n\nThe subnets in Local Zone or Wavelength Zone locations consume the ParentZoneName\nto select the correct private route table to egress traffic to the internet.", "type": "string" }, "resourceID": { "description": "ResourceID is the subnet identifier from AWS, READ ONLY.\nThis field is populated when the provider manages the subnet.", "type": "string" }, "routeTableId": { "description": "RouteTableID is the routing table id associated with the subnet.", "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a collection of tags describing the resource.", "type": "object" }, "zoneType": { "description": "ZoneType defines the type of the zone where the subnet is created.\n\n\nThe valid values are availability-zone, local-zone, and wavelength-zone.\n\n\nSubnet with zone type availability-zone (regular) is always selected to create cluster\nresources, like Load Balancers, NAT Gateways, Contol Plane nodes, etc.\n\n\nSubnet with zone type local-zone or wavelength-zone is not eligible to automatically create\nregular cluster resources.\n\n\nThe public subnet in availability-zone or local-zone is associated with regular public\nroute table with default route entry to a Internet Gateway.\n\n\nThe public subnet in wavelength-zone is associated with a carrier public\nroute table with default route entry to a Carrier Gateway.\n\n\nThe private subnet in the availability-zone is associated with a private route table with\nthe default route entry to a NAT Gateway created in that zone.\n\n\nThe private subnet in the local-zone or wavelength-zone is associated with a private route table with\nthe default route entry re-using the NAT Gateway in the Region (preferred from the\nparent zone, the zone type availability-zone in the region, or first table available).", "enum": [ "availability-zone", "local-zone", "wavelength-zone" ], "type": "string" } }, "required": [ "id" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "id" ], "x-kubernetes-list-type": "map" }, "vpc": { "description": "VPC configuration.", "properties": { "availabilityZoneSelection": { "default": "Ordered", "description": "AvailabilityZoneSelection specifies how AZs should be selected if there are more AZs\nin a region than specified by AvailabilityZoneUsageLimit. There are 2 selection schemes:\nOrdered - selects based on alphabetical order\nRandom - selects AZs randomly in a region\nDefaults to Ordered", "enum": [ "Ordered", "Random" ], "type": "string" }, "availabilityZoneUsageLimit": { "default": 3, "description": "AvailabilityZoneUsageLimit specifies the maximum number of availability zones (AZ) that\nshould be used in a region when automatically creating subnets. If a region has more\nthan this number of AZs then this number of AZs will be picked randomly when creating\ndefault subnets. Defaults to 3", "minimum": 1, "type": "integer" }, "carrierGatewayId": { "description": "CarrierGatewayID is the id of the internet gateway associated with the VPC,\nfor carrier network (Wavelength Zones).", "type": "string", "x-kubernetes-validations": [ { "message": "Carrier Gateway ID must start with 'cagw-'", "rule": "self.startsWith('cagw-')" } ] }, "cidrBlock": { "description": "CidrBlock is the CIDR block to be used when the provider creates a managed VPC.\nDefaults to 10.0.0.0/16.\nMutually exclusive with IPAMPool.", "type": "string" }, "elasticIpPool": { "description": "ElasticIPPool contains specific configuration to allocate Public IPv4 address (Elastic IP) from user-defined pool\nbrought to AWS for core infrastructure resources, like NAT Gateways and Public Network Load Balancers for\nthe API Server.", "properties": { "publicIpv4Pool": { "description": "PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources\ncreated in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom\nPublic IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool\nresource ID starts with 'ipv4pool-ec2'.", "maxLength": 30, "type": "string" }, "publicIpv4PoolFallbackOrder": { "description": "PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted,\nno more IPv4 address available in the pool.\n\n\nWhen set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the\nIPv4 limit, the address will be claimed from Amazon-pool (default).\n\n\nWhen set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted.", "enum": [ "amazon-pool", "none" ], "type": "string", "x-kubernetes-validations": [ { "message": "allowed values are 'none' and 'amazon-pool'", "rule": "self in ['none','amazon-pool']" } ] } }, "type": "object", "additionalProperties": false }, "emptyRoutesDefaultVPCSecurityGroup": { "description": "EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress\nand egress rules should be removed.\n\n\nBy default, when creating a VPC, AWS creates a security group called `default` with ingress and egress\nrules that allow traffic from anywhere. The group could be used as a potential surface attack and\nit's generally suggested that the group rules are removed or modified appropriately.\n\n\nNOTE: This only applies when the VPC is managed by the Cluster API AWS controller.", "type": "boolean" }, "id": { "description": "ID is the vpc-id of the VPC this provider should use to create resources.", "type": "string" }, "internetGatewayId": { "description": "InternetGatewayID is the id of the internet gateway associated with the VPC.", "type": "string" }, "ipamPool": { "description": "IPAMPool defines the IPAMv4 pool to be used for VPC.\nMutually exclusive with CidrBlock.", "properties": { "id": { "description": "ID is the ID of the IPAM pool this provider should use to create VPC.", "type": "string" }, "name": { "description": "Name is the name of the IPAM pool this provider should use to create VPC.", "type": "string" }, "netmaskLength": { "description": "The netmask length of the IPv4 CIDR you want to allocate to VPC from\nan Amazon VPC IP Address Manager (IPAM) pool.\nDefaults to /16 for IPv4 if not specified.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "ipv6": { "description": "IPv6 contains ipv6 specific settings for the network. Supported only in managed clusters.\nThis field cannot be set on AWSCluster object.", "properties": { "cidrBlock": { "description": "CidrBlock is the CIDR block provided by Amazon when VPC has enabled IPv6.\nMutually exclusive with IPAMPool.", "type": "string" }, "egressOnlyInternetGatewayId": { "description": "EgressOnlyInternetGatewayID is the id of the egress only internet gateway associated with an IPv6 enabled VPC.", "type": "string" }, "ipamPool": { "description": "IPAMPool defines the IPAMv6 pool to be used for VPC.\nMutually exclusive with CidrBlock.", "properties": { "id": { "description": "ID is the ID of the IPAM pool this provider should use to create VPC.", "type": "string" }, "name": { "description": "Name is the name of the IPAM pool this provider should use to create VPC.", "type": "string" }, "netmaskLength": { "description": "The netmask length of the IPv4 CIDR you want to allocate to VPC from\nan Amazon VPC IP Address Manager (IPAM) pool.\nDefaults to /16 for IPv4 if not specified.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "poolId": { "description": "PoolID is the IP pool which must be defined in case of BYO IP is defined.\nMust be specified if CidrBlock is set.\nMutually exclusive with IPAMPool.", "type": "string" } }, "type": "object", "additionalProperties": false }, "privateDnsHostnameTypeOnLaunch": { "description": "PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch.\nFor IPv4-only and dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the instance IPv4 address (ip-name)\nor the instance ID (resource-name). For IPv6 only subnets, an instance DNS name must be based on the instance ID (resource-name).", "enum": [ "ip-name", "resource-name" ], "type": "string" }, "subnetSchema": { "default": "PreferPrivate", "description": "SubnetSchema specifies how CidrBlock should be divided on subnets in the VPC depending on the number of AZs.\nPreferPrivate - one private subnet for each AZ plus one other subnet that will be further sub-divided for the public subnets.\nPreferPublic - have the reverse logic of PreferPrivate, one public subnet for each AZ plus one other subnet\nthat will be further sub-divided for the private subnets.\nDefaults to PreferPrivate", "enum": [ "PreferPrivate", "PreferPublic" ], "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a collection of tags describing the resource.", "type": "object" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "partition": { "description": "Partition is the AWS security partition being used. Defaults to \"aws\"", "type": "string" }, "region": { "description": "The AWS Region the cluster lives in.", "type": "string" }, "s3Bucket": { "description": "S3Bucket contains options to configure a supporting S3 bucket for this\ncluster - currently used for nodes requiring Ignition\n(https://coreos.github.io/ignition/) for bootstrapping (requires\nBootstrapFormatIgnition feature flag to be enabled).", "properties": { "bestEffortDeleteObjects": { "description": "BestEffortDeleteObjects defines whether access/permission errors during object deletion should be ignored.", "type": "boolean" }, "controlPlaneIAMInstanceProfile": { "description": "ControlPlaneIAMInstanceProfile is a name of the IAMInstanceProfile, which will be allowed\nto read control-plane node bootstrap data from S3 Bucket.", "type": "string" }, "name": { "description": "Name defines name of S3 Bucket to be created.", "maxLength": 63, "minLength": 3, "pattern": "^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", "type": "string" }, "nodesIAMInstanceProfiles": { "description": "NodesIAMInstanceProfiles is a list of IAM instance profiles, which will be allowed to read\nworker nodes bootstrap data from S3 Bucket.", "items": { "type": "string" }, "type": "array" }, "presignedURLDuration": { "description": "PresignedURLDuration defines the duration for which presigned URLs are valid.\n\n\nThis is used to generate presigned URLs for S3 Bucket objects, which are used by\ncontrol-plane and worker nodes to fetch bootstrap data.\n\n\nWhen enabled, the IAM instance profiles specified are not used.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "secondaryControlPlaneLoadBalancer": { "description": "SecondaryControlPlaneLoadBalancer is an additional load balancer that can be used for the control plane.\n\n\nAn example use case is to have a separate internal load balancer for internal traffic,\nand a separate external load balancer for external traffic.", "properties": { "additionalListeners": { "description": "AdditionalListeners sets the additional listeners for the control plane load balancer.\nThis is only applicable to Network Load Balancer (NLB) types for the time being.", "items": { "description": "AdditionalListenerSpec defines the desired state of an\nadditional listener on an AWS load balancer.", "properties": { "healthCheck": { "description": "HealthCheck sets the optional custom health check configuration to the API target group.", "properties": { "intervalSeconds": { "description": "The approximate amount of time, in seconds, between health checks of an individual\ntarget.", "format": "int64", "maximum": 300, "minimum": 5, "type": "integer" }, "path": { "description": "The destination for health checks on the targets when using the protocol HTTP or HTTPS,\notherwise the path will be ignored.", "type": "string" }, "port": { "description": "The port the load balancer uses when performing health checks for additional target groups. When\nnot specified this value will be set for the same of listener port.", "type": "string" }, "protocol": { "description": "The protocol to use to health check connect with the target. When not specified the Protocol\nwill be the same of the listener.", "enum": [ "TCP", "HTTP", "HTTPS" ], "type": "string" }, "thresholdCount": { "description": "The number of consecutive health check successes required before considering\na target healthy.", "format": "int64", "maximum": 10, "minimum": 2, "type": "integer" }, "timeoutSeconds": { "description": "The amount of time, in seconds, during which no response from a target means\na failed health check.", "format": "int64", "maximum": 120, "minimum": 2, "type": "integer" }, "unhealthyThresholdCount": { "description": "The number of consecutive health check failures required before considering\na target unhealthy.", "format": "int64", "maximum": 10, "minimum": 2, "type": "integer" } }, "type": "object", "additionalProperties": false }, "port": { "description": "Port sets the port for the additional listener.", "format": "int64", "maximum": 65535, "minimum": 1, "type": "integer" }, "protocol": { "default": "TCP", "description": "Protocol sets the protocol for the additional listener.\nCurrently only TCP is supported.", "enum": [ "TCP" ], "type": "string" } }, "required": [ "port" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "port" ], "x-kubernetes-list-type": "map" }, "additionalSecurityGroups": { "description": "AdditionalSecurityGroups sets the security groups used by the load balancer. Expected to be security group IDs\nThis is optional - if not provided new security groups will be created for the load balancer", "items": { "type": "string" }, "type": "array" }, "crossZoneLoadBalancing": { "description": "CrossZoneLoadBalancing enables the classic ELB cross availability zone balancing.\n\n\nWith cross-zone load balancing, each load balancer node for your Classic Load Balancer\ndistributes requests evenly across the registered instances in all enabled Availability Zones.\nIf cross-zone load balancing is disabled, each load balancer node distributes requests evenly across\nthe registered instances in its Availability Zone only.\n\n\nDefaults to false.", "type": "boolean" }, "disableHostsRewrite": { "description": "DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB's address as 127.0.0.1 to the hosts\nfile of each instance. This is by default, false.", "type": "boolean" }, "healthCheck": { "description": "HealthCheck sets custom health check configuration to the API target group.", "properties": { "intervalSeconds": { "description": "The approximate amount of time, in seconds, between health checks of an individual\ntarget.", "format": "int64", "maximum": 300, "minimum": 5, "type": "integer" }, "thresholdCount": { "description": "The number of consecutive health check successes required before considering\na target healthy.", "format": "int64", "maximum": 10, "minimum": 2, "type": "integer" }, "timeoutSeconds": { "description": "The amount of time, in seconds, during which no response from a target means\na failed health check.", "format": "int64", "maximum": 120, "minimum": 2, "type": "integer" }, "unhealthyThresholdCount": { "description": "The number of consecutive health check failures required before considering\na target unhealthy.", "format": "int64", "maximum": 10, "minimum": 2, "type": "integer" } }, "type": "object", "additionalProperties": false }, "healthCheckProtocol": { "description": "HealthCheckProtocol sets the protocol type for ELB health check target\ndefault value is ELBProtocolSSL", "enum": [ "TCP", "SSL", "HTTP", "HTTPS", "TLS", "UDP" ], "type": "string" }, "ingressRules": { "description": "IngressRules sets the ingress rules for the control plane load balancer.", "items": { "description": "IngressRule defines an AWS ingress rule for security groups.", "properties": { "cidrBlocks": { "description": "List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "description": { "description": "Description provides extended information about the ingress rule.", "type": "string" }, "fromPort": { "description": "FromPort is the start of port range.", "format": "int64", "type": "integer" }, "ipv6CidrBlocks": { "description": "List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "natGatewaysIPsSource": { "description": "NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.", "type": "boolean" }, "protocol": { "description": "Protocol is the protocol for the ingress rule. Accepted values are \"-1\" (all), \"4\" (IP in IP),\"tcp\", \"udp\", \"icmp\", and \"58\" (ICMPv6), \"50\" (ESP).", "enum": [ "-1", "4", "tcp", "udp", "icmp", "58", "50" ], "type": "string" }, "sourceSecurityGroupIds": { "description": "The security group id to allow access from. Cannot be specified with CidrBlocks.", "items": { "type": "string" }, "type": "array" }, "sourceSecurityGroupRoles": { "description": "The security group role to allow access from. Cannot be specified with CidrBlocks.\nThe field will be combined with source security group IDs if specified.", "items": { "description": "SecurityGroupRole defines the unique role of a security group.", "enum": [ "bastion", "node", "controlplane", "apiserver-lb", "lb", "node-eks-additional" ], "type": "string" }, "type": "array" }, "toPort": { "description": "ToPort is the end of port range.", "format": "int64", "type": "integer" } }, "required": [ "description", "fromPort", "protocol", "toPort" ], "type": "object", "additionalProperties": false }, "type": "array" }, "loadBalancerType": { "default": "classic", "description": "LoadBalancerType sets the type for a load balancer. The default type is classic.", "enum": [ "classic", "elb", "alb", "nlb", "disabled" ], "type": "string" }, "name": { "description": "Name sets the name of the classic ELB load balancer. As per AWS, the name must be unique\nwithin your set of load balancers for the region, must have a maximum of 32 characters, must\ncontain only alphanumeric characters or hyphens, and cannot begin or end with a hyphen. Once\nset, the value cannot be changed.", "maxLength": 32, "pattern": "^[A-Za-z0-9]([A-Za-z0-9]{0,31}|[-A-Za-z0-9]{0,30}[A-Za-z0-9])$", "type": "string" }, "preserveClientIP": { "description": "PreserveClientIP lets the user control if preservation of client ips must be retained or not.\nIf this is enabled 6443 will be opened to 0.0.0.0/0.", "type": "boolean" }, "scheme": { "default": "internet-facing", "description": "Scheme sets the scheme of the load balancer (defaults to internet-facing)", "enum": [ "internet-facing", "internal" ], "type": "string" }, "subnets": { "description": "Subnets sets the subnets that should be applied to the control plane load balancer (defaults to discovered subnets for managed VPCs or an empty set for unmanaged VPCs)", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "sshKeyName": { "description": "SSHKeyName is the name of the ssh key to attach to the bastion host. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)", "type": "string" } }, "type": "object", "additionalProperties": false }, "status": { "description": "AWSClusterStatus defines the observed state of AWSCluster.", "properties": { "bastion": { "description": "Instance describes an AWS instance.", "properties": { "addresses": { "description": "Addresses contains the AWS instance associated addresses.", "items": { "description": "MachineAddress contains information for the node's address.", "properties": { "address": { "description": "The machine address.", "type": "string" }, "type": { "description": "Machine address type, one of Hostname, ExternalIP, InternalIP, ExternalDNS or InternalDNS.", "type": "string" } }, "required": [ "address", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "availabilityZone": { "description": "Availability zone of instance", "type": "string" }, "capacityReservationId": { "description": "CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched.", "type": "string" }, "ebsOptimized": { "description": "Indicates whether the instance is optimized for Amazon EBS I/O.", "type": "boolean" }, "enaSupport": { "description": "Specifies whether enhanced networking with ENA is enabled.", "type": "boolean" }, "iamProfile": { "description": "The name of the IAM instance profile associated with the instance, if applicable.", "type": "string" }, "id": { "type": "string" }, "imageId": { "description": "The ID of the AMI used to launch the instance.", "type": "string" }, "instanceMetadataOptions": { "description": "InstanceMetadataOptions is the metadata options for the EC2 instance.", "properties": { "httpEndpoint": { "default": "enabled", "description": "Enables or disables the HTTP metadata endpoint on your instances.\n\n\nIf you specify a value of disabled, you cannot access your instance metadata.\n\n\nDefault: enabled", "enum": [ "enabled", "disabled" ], "type": "string" }, "httpPutResponseHopLimit": { "default": 1, "description": "The desired HTTP PUT response hop limit for instance metadata requests. The\nlarger the number, the further instance metadata requests can travel.\n\n\nDefault: 1", "format": "int64", "maximum": 64, "minimum": 1, "type": "integer" }, "httpTokens": { "default": "optional", "description": "The state of token usage for your instance metadata requests.\n\n\nIf the state is optional, you can choose to retrieve instance metadata with\nor without a session token on your request. If you retrieve the IAM role\ncredentials without a token, the version 1.0 role credentials are returned.\nIf you retrieve the IAM role credentials using a valid session token, the\nversion 2.0 role credentials are returned.\n\n\nIf the state is required, you must send a session token with any instance\nmetadata retrieval requests. In this state, retrieving the IAM role credentials\nalways returns the version 2.0 credentials; the version 1.0 credentials are\nnot available.\n\n\nDefault: optional", "enum": [ "optional", "required" ], "type": "string" }, "instanceMetadataTags": { "default": "disabled", "description": "Set to enabled to allow access to instance tags from the instance metadata.\nSet to disabled to turn off access to instance tags from the instance metadata.\nFor more information, see Work with instance tags using the instance metadata\n(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS).\n\n\nDefault: disabled", "enum": [ "enabled", "disabled" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "instanceState": { "description": "The current state of the instance.", "type": "string" }, "networkInterfaces": { "description": "Specifies ENIs attached to instance", "items": { "type": "string" }, "type": "array" }, "nonRootVolumes": { "description": "Configuration options for the non root storage volumes.", "items": { "description": "Volume encapsulates the configuration options for the storage device.", "properties": { "deviceName": { "description": "Device name", "type": "string" }, "encrypted": { "description": "Encrypted is whether the volume should be encrypted or not.", "type": "boolean" }, "encryptionKey": { "description": "EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN.\nIf Encrypted is set and this is omitted, the default AWS key will be used.\nThe key must already exist and be accessible by the controller.", "type": "string" }, "iops": { "description": "IOPS is the number of IOPS requested for the disk. Not applicable to all types.", "format": "int64", "type": "integer" }, "size": { "description": "Size specifies size (in Gi) of the storage device.\nMust be greater than the image snapshot size or 8 (whichever is greater).", "format": "int64", "minimum": 8, "type": "integer" }, "throughput": { "description": "Throughput to provision in MiB/s supported for the volume type. Not applicable to all types.", "format": "int64", "type": "integer" }, "type": { "description": "Type is the type of the volume (e.g. gp2, io1, etc...).", "type": "string" } }, "required": [ "size" ], "type": "object", "additionalProperties": false }, "type": "array" }, "placementGroupName": { "description": "PlacementGroupName specifies the name of the placement group in which to launch the instance.", "type": "string" }, "placementGroupPartition": { "description": "PlacementGroupPartition is the partition number within the placement group in which to launch the instance.\nThis value is only valid if the placement group, referred in `PlacementGroupName`, was created with\nstrategy set to partition.", "format": "int64", "maximum": 7, "minimum": 1, "type": "integer" }, "privateDnsName": { "description": "PrivateDNSName is the options for the instance hostname.", "properties": { "enableResourceNameDnsAAAARecord": { "description": "EnableResourceNameDNSAAAARecord indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.", "type": "boolean" }, "enableResourceNameDnsARecord": { "description": "EnableResourceNameDNSARecord indicates whether to respond to DNS queries for instance hostnames with DNS A records.", "type": "boolean" }, "hostnameType": { "description": "The type of hostname to assign to an instance.", "enum": [ "ip-name", "resource-name" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "privateIp": { "description": "The private IPv4 address assigned to the instance.", "type": "string" }, "publicIPOnLaunch": { "description": "PublicIPOnLaunch is the option to associate a public IP on instance launch", "type": "boolean" }, "publicIp": { "description": "The public IPv4 address assigned to the instance, if applicable.", "type": "string" }, "rootVolume": { "description": "Configuration options for the root storage volume.", "properties": { "deviceName": { "description": "Device name", "type": "string" }, "encrypted": { "description": "Encrypted is whether the volume should be encrypted or not.", "type": "boolean" }, "encryptionKey": { "description": "EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN.\nIf Encrypted is set and this is omitted, the default AWS key will be used.\nThe key must already exist and be accessible by the controller.", "type": "string" }, "iops": { "description": "IOPS is the number of IOPS requested for the disk. Not applicable to all types.", "format": "int64", "type": "integer" }, "size": { "description": "Size specifies size (in Gi) of the storage device.\nMust be greater than the image snapshot size or 8 (whichever is greater).", "format": "int64", "minimum": 8, "type": "integer" }, "throughput": { "description": "Throughput to provision in MiB/s supported for the volume type. Not applicable to all types.", "format": "int64", "type": "integer" }, "type": { "description": "Type is the type of the volume (e.g. gp2, io1, etc...).", "type": "string" } }, "required": [ "size" ], "type": "object", "additionalProperties": false }, "securityGroupIds": { "description": "SecurityGroupIDs are one or more security group IDs this instance belongs to.", "items": { "type": "string" }, "type": "array" }, "spotMarketOptions": { "description": "SpotMarketOptions option for configuring instances to be run using AWS Spot instances.", "properties": { "maxPrice": { "description": "MaxPrice defines the maximum price the user is willing to pay for Spot VM instances", "type": "string" } }, "type": "object", "additionalProperties": false }, "sshKeyName": { "description": "The name of the SSH key pair.", "type": "string" }, "subnetId": { "description": "The ID of the subnet of the instance.", "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "The tags associated with the instance.", "type": "object" }, "tenancy": { "description": "Tenancy indicates if instance should run on shared or single-tenant hardware.", "type": "string" }, "type": { "description": "The instance type.", "type": "string" }, "userData": { "description": "UserData is the raw data script passed to the instance which is run upon bootstrap.\nThis field must not be base64 encoded and should only be used when running a new instance.", "type": "string" }, "volumeIDs": { "description": "IDs of the instance's volumes", "items": { "type": "string" }, "type": "array" } }, "required": [ "id" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "Conditions provide observations of the operational state of a Cluster API resource.", "items": { "description": "Condition defines an observation of a Cluster API resource operational state.", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when\nthe API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.\nThis field may be empty.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition in CamelCase.\nThe specific API may choose whether or not this field is considered a guaranteed API.\nThis field may not be empty.", "type": "string" }, "severity": { "description": "Severity provides an explicit classification of Reason code, so the users or machines can immediately\nunderstand the current situation and act accordingly.\nThe Severity field MUST be set only when Status=False.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type of condition in CamelCase or in foo.example.com/CamelCase.\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions\ncan be useful (see .node.status.conditions), the ability to deconflict is important.", "type": "string" } }, "required": [ "lastTransitionTime", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "failureDomains": { "additionalProperties": { "description": "FailureDomainSpec is the Schema for Cluster API failure domains.\nIt allows controllers to understand how many failure domains a cluster can optionally span across.", "properties": { "attributes": { "additionalProperties": { "type": "string" }, "description": "Attributes is a free form map of attributes an infrastructure provider might use or require.", "type": "object" }, "controlPlane": { "description": "ControlPlane determines if this failure domain is suitable for use by control plane machines.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "description": "FailureDomains is a slice of FailureDomains.", "type": "object" }, "networkStatus": { "description": "NetworkStatus encapsulates AWS networking resources.", "properties": { "apiServerElb": { "description": "APIServerELB is the Kubernetes api server load balancer.", "properties": { "arn": { "description": "ARN of the load balancer. Unlike the ClassicLB, ARN is used mostly\nto define and get it.", "type": "string" }, "attributes": { "description": "ClassicElbAttributes defines extra attributes associated with the load balancer.", "properties": { "crossZoneLoadBalancing": { "description": "CrossZoneLoadBalancing enables the classic load balancer load balancing.", "type": "boolean" }, "idleTimeout": { "description": "IdleTimeout is time that the connection is allowed to be idle (no data\nhas been sent over the connection) before it is closed by the load balancer.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "availabilityZones": { "description": "AvailabilityZones is an array of availability zones in the VPC attached to the load balancer.", "items": { "type": "string" }, "type": "array" }, "dnsName": { "description": "DNSName is the dns name of the load balancer.", "type": "string" }, "elbAttributes": { "additionalProperties": { "type": "string" }, "description": "ELBAttributes defines extra attributes associated with v2 load balancers.", "type": "object" }, "elbListeners": { "description": "ELBListeners is an array of listeners associated with the load balancer. There must be at least one.", "items": { "description": "Listener defines an AWS network load balancer listener.", "properties": { "port": { "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" }, "targetGroup": { "description": "TargetGroupSpec specifies target group settings for a given listener.\nThis is created first, and the ARN is then passed to the listener.", "properties": { "name": { "description": "Name of the TargetGroup. Must be unique over the same group of listeners.", "maxLength": 32, "type": "string" }, "port": { "description": "Port is the exposed port", "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "enum": [ "tcp", "tls", "udp", "TCP", "TLS", "UDP" ], "type": "string" }, "targetGroupHealthCheck": { "description": "HealthCheck is the elb health check associated with the load balancer.", "properties": { "intervalSeconds": { "format": "int64", "type": "integer" }, "path": { "type": "string" }, "port": { "type": "string" }, "protocol": { "type": "string" }, "thresholdCount": { "format": "int64", "type": "integer" }, "timeoutSeconds": { "format": "int64", "type": "integer" }, "unhealthyThresholdCount": { "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "vpcId": { "type": "string" } }, "required": [ "name", "port", "protocol", "vpcId" ], "type": "object", "additionalProperties": false } }, "required": [ "port", "protocol", "targetGroup" ], "type": "object", "additionalProperties": false }, "type": "array" }, "healthChecks": { "description": "HealthCheck is the classic elb health check associated with the load balancer.", "properties": { "healthyThreshold": { "format": "int64", "type": "integer" }, "interval": { "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", "format": "int64", "type": "integer" }, "target": { "type": "string" }, "timeout": { "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", "format": "int64", "type": "integer" }, "unhealthyThreshold": { "format": "int64", "type": "integer" } }, "required": [ "healthyThreshold", "interval", "target", "timeout", "unhealthyThreshold" ], "type": "object", "additionalProperties": false }, "listeners": { "description": "ClassicELBListeners is an array of classic elb listeners associated with the load balancer. There must be at least one.", "items": { "description": "ClassicELBListener defines an AWS classic load balancer listener.", "properties": { "instancePort": { "format": "int64", "type": "integer" }, "instanceProtocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" }, "port": { "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" } }, "required": [ "instancePort", "instanceProtocol", "port", "protocol" ], "type": "object", "additionalProperties": false }, "type": "array" }, "loadBalancerType": { "description": "LoadBalancerType sets the type for a load balancer. The default type is classic.", "enum": [ "classic", "elb", "alb", "nlb" ], "type": "string" }, "name": { "description": "The name of the load balancer. It must be unique within the set of load balancers\ndefined in the region. It also serves as identifier.", "type": "string" }, "scheme": { "description": "Scheme is the load balancer scheme, either internet-facing or private.", "type": "string" }, "securityGroupIds": { "description": "SecurityGroupIDs is an array of security groups assigned to the load balancer.", "items": { "type": "string" }, "type": "array" }, "subnetIds": { "description": "SubnetIDs is an array of subnets in the VPC attached to the load balancer.", "items": { "type": "string" }, "type": "array" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a map of tags associated with the load balancer.", "type": "object" } }, "type": "object", "additionalProperties": false }, "natGatewaysIPs": { "description": "NatGatewaysIPs contains the public IPs of the NAT Gateways", "items": { "type": "string" }, "type": "array" }, "secondaryAPIServerELB": { "description": "SecondaryAPIServerELB is the secondary Kubernetes api server load balancer.", "properties": { "arn": { "description": "ARN of the load balancer. Unlike the ClassicLB, ARN is used mostly\nto define and get it.", "type": "string" }, "attributes": { "description": "ClassicElbAttributes defines extra attributes associated with the load balancer.", "properties": { "crossZoneLoadBalancing": { "description": "CrossZoneLoadBalancing enables the classic load balancer load balancing.", "type": "boolean" }, "idleTimeout": { "description": "IdleTimeout is time that the connection is allowed to be idle (no data\nhas been sent over the connection) before it is closed by the load balancer.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "availabilityZones": { "description": "AvailabilityZones is an array of availability zones in the VPC attached to the load balancer.", "items": { "type": "string" }, "type": "array" }, "dnsName": { "description": "DNSName is the dns name of the load balancer.", "type": "string" }, "elbAttributes": { "additionalProperties": { "type": "string" }, "description": "ELBAttributes defines extra attributes associated with v2 load balancers.", "type": "object" }, "elbListeners": { "description": "ELBListeners is an array of listeners associated with the load balancer. There must be at least one.", "items": { "description": "Listener defines an AWS network load balancer listener.", "properties": { "port": { "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" }, "targetGroup": { "description": "TargetGroupSpec specifies target group settings for a given listener.\nThis is created first, and the ARN is then passed to the listener.", "properties": { "name": { "description": "Name of the TargetGroup. Must be unique over the same group of listeners.", "maxLength": 32, "type": "string" }, "port": { "description": "Port is the exposed port", "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "enum": [ "tcp", "tls", "udp", "TCP", "TLS", "UDP" ], "type": "string" }, "targetGroupHealthCheck": { "description": "HealthCheck is the elb health check associated with the load balancer.", "properties": { "intervalSeconds": { "format": "int64", "type": "integer" }, "path": { "type": "string" }, "port": { "type": "string" }, "protocol": { "type": "string" }, "thresholdCount": { "format": "int64", "type": "integer" }, "timeoutSeconds": { "format": "int64", "type": "integer" }, "unhealthyThresholdCount": { "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false }, "vpcId": { "type": "string" } }, "required": [ "name", "port", "protocol", "vpcId" ], "type": "object", "additionalProperties": false } }, "required": [ "port", "protocol", "targetGroup" ], "type": "object", "additionalProperties": false }, "type": "array" }, "healthChecks": { "description": "HealthCheck is the classic elb health check associated with the load balancer.", "properties": { "healthyThreshold": { "format": "int64", "type": "integer" }, "interval": { "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", "format": "int64", "type": "integer" }, "target": { "type": "string" }, "timeout": { "description": "A Duration represents the elapsed time between two instants\nas an int64 nanosecond count. The representation limits the\nlargest representable duration to approximately 290 years.", "format": "int64", "type": "integer" }, "unhealthyThreshold": { "format": "int64", "type": "integer" } }, "required": [ "healthyThreshold", "interval", "target", "timeout", "unhealthyThreshold" ], "type": "object", "additionalProperties": false }, "listeners": { "description": "ClassicELBListeners is an array of classic elb listeners associated with the load balancer. There must be at least one.", "items": { "description": "ClassicELBListener defines an AWS classic load balancer listener.", "properties": { "instancePort": { "format": "int64", "type": "integer" }, "instanceProtocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" }, "port": { "format": "int64", "type": "integer" }, "protocol": { "description": "ELBProtocol defines listener protocols for a load balancer.", "type": "string" } }, "required": [ "instancePort", "instanceProtocol", "port", "protocol" ], "type": "object", "additionalProperties": false }, "type": "array" }, "loadBalancerType": { "description": "LoadBalancerType sets the type for a load balancer. The default type is classic.", "enum": [ "classic", "elb", "alb", "nlb" ], "type": "string" }, "name": { "description": "The name of the load balancer. It must be unique within the set of load balancers\ndefined in the region. It also serves as identifier.", "type": "string" }, "scheme": { "description": "Scheme is the load balancer scheme, either internet-facing or private.", "type": "string" }, "securityGroupIds": { "description": "SecurityGroupIDs is an array of security groups assigned to the load balancer.", "items": { "type": "string" }, "type": "array" }, "subnetIds": { "description": "SubnetIDs is an array of subnets in the VPC attached to the load balancer.", "items": { "type": "string" }, "type": "array" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a map of tags associated with the load balancer.", "type": "object" } }, "type": "object", "additionalProperties": false }, "securityGroups": { "additionalProperties": { "description": "SecurityGroup defines an AWS security group.", "properties": { "id": { "description": "ID is a unique identifier.", "type": "string" }, "ingressRule": { "description": "IngressRules is the inbound rules associated with the security group.", "items": { "description": "IngressRule defines an AWS ingress rule for security groups.", "properties": { "cidrBlocks": { "description": "List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "description": { "description": "Description provides extended information about the ingress rule.", "type": "string" }, "fromPort": { "description": "FromPort is the start of port range.", "format": "int64", "type": "integer" }, "ipv6CidrBlocks": { "description": "List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.", "items": { "type": "string" }, "type": "array" }, "natGatewaysIPsSource": { "description": "NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.", "type": "boolean" }, "protocol": { "description": "Protocol is the protocol for the ingress rule. Accepted values are \"-1\" (all), \"4\" (IP in IP),\"tcp\", \"udp\", \"icmp\", and \"58\" (ICMPv6), \"50\" (ESP).", "enum": [ "-1", "4", "tcp", "udp", "icmp", "58", "50" ], "type": "string" }, "sourceSecurityGroupIds": { "description": "The security group id to allow access from. Cannot be specified with CidrBlocks.", "items": { "type": "string" }, "type": "array" }, "sourceSecurityGroupRoles": { "description": "The security group role to allow access from. Cannot be specified with CidrBlocks.\nThe field will be combined with source security group IDs if specified.", "items": { "description": "SecurityGroupRole defines the unique role of a security group.", "enum": [ "bastion", "node", "controlplane", "apiserver-lb", "lb", "node-eks-additional" ], "type": "string" }, "type": "array" }, "toPort": { "description": "ToPort is the end of port range.", "format": "int64", "type": "integer" } }, "required": [ "description", "fromPort", "protocol", "toPort" ], "type": "object", "additionalProperties": false }, "type": "array" }, "name": { "description": "Name is the security group name.", "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags is a map of tags associated with the security group.", "type": "object" } }, "required": [ "id", "name" ], "type": "object", "additionalProperties": false }, "description": "SecurityGroups is a map from the role/kind of the security group to its unique name, if any.", "type": "object" } }, "type": "object", "additionalProperties": false }, "ready": { "default": false, "type": "boolean" } }, "required": [ "ready" ], "type": "object", "additionalProperties": false } }, "type": "object" }