Amazon Elastic Kubernetes Service

2024/06/03 - Amazon Elastic Kubernetes Service - 19 updated api methods

Changes: Adds support for EKS add-ons pod identity associations integration

AssociateEncryptionConfig (updated)
Changes (response)
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Associates an encryption configuration to an existing cluster.

Use this API to enable encryption on existing clusters that don't already have encryption enabled. This allows you to implement a defense-in-depth security strategy without migrating applications to new Amazon EKS clusters.

See also: AWS API Documentation

Request Syntax

client.associate_encryption_config(
    clusterName='string',
    encryptionConfig=[
        {
            'resources': [
                'string',
            ],
            'provider': {
                'keyArn': 'string'
            }
        },
    ],
    clientRequestToken='string'
)
type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type encryptionConfig

list

param encryptionConfig

[REQUIRED]

The configuration you are using for encryption.

  • (dict) --

    The encryption configuration for the cluster.

    • resources (list) --

      Specifies the resources to be encrypted. The only supported value is secrets.

      • (string) --

    • provider (dict) --

      Key Management Service (KMS) key. Either the ARN or the alias can be used.

      • keyArn (string) --

        Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide.
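A pre-flight check for the constraints listed above (only `secrets`, key in the cluster's Region, cross-account keys need explicit access), written as an added example and not part of the AWS documentation. The function name, finding codes and sample ARNs are constructed for illustration; the cluster Region and caller account ID are passed in, so no AWS call is made.

```python
import re

# Matches a KMS key ARN or alias ARN and captures the parts this check needs.
_KMS_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<kind>key|alias)/.+$"
)


def check_encryption_config(encryption_config, cluster_region, caller_account):
    """Return (code, message) findings for an encryptionConfig list.

    Whether the key is symmetric cannot be read from its ARN; that still
    has to be confirmed against KMS before the request is sent.
    """
    findings = []
    for i, entry in enumerate(encryption_config):
        resources = entry.get("resources") or []
        if resources != ["secrets"]:
            findings.append(
                ("resources", f"entry {i}: only ['secrets'] is supported, got {resources!r}")
            )
        key = (entry.get("provider") or {}).get("keyArn", "")
        match = _KMS_ARN.match(key)
        if match is None:
            if key.startswith("alias/"):
                # A bare alias carries no Region or account to compare.
                findings.append(
                    ("unverified-alias", f"entry {i}: resolve {key!r} to an ARN to check Region and account")
                )
            else:
                findings.append(("bad-key", f"entry {i}: {key!r} is not a KMS ARN or alias"))
            continue
        if match.group("region") != cluster_region:
            findings.append(
                ("region-mismatch", f"entry {i}: key is in {match.group('region')}, cluster is in {cluster_region}")
            )
        if match.group("account") != caller_account:
            findings.append(
                ("cross-account", f"entry {i}: key belongs to account {match.group('account')}; the calling principal needs access to it")
            )
    return findings


if __name__ == "__main__":
    # Constructed sample request body.
    sample = [{
        "resources": ["secrets"],
        "provider": {"keyArn": "arn:aws:kms:eu-west-1:444455556666:alias/eks"},
    }]
    for code, message in check_encryption_config(sample, "us-east-1", "111122223333"):
        print(code, "-", message)
```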

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      An object representing an asynchronous update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --

AssociateIdentityProviderConfig (updated)
Changes (response)
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Associates an identity provider configuration to a cluster.

If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster you can create Kubernetes Role and ClusterRole objects, assign permissions to them, and then bind them to the identities using Kubernetes RoleBinding and ClusterRoleBinding objects. For more information see Using RBAC Authorization in the Kubernetes documentation.

See also: AWS API Documentation

Request Syntax

client.associate_identity_provider_config(
    clusterName='string',
    oidc={
        'identityProviderConfigName': 'string',
        'issuerUrl': 'string',
        'clientId': 'string',
        'usernameClaim': 'string',
        'usernamePrefix': 'string',
        'groupsClaim': 'string',
        'groupsPrefix': 'string',
        'requiredClaims': {
            'string': 'string'
        }
    },
    tags={
        'string': 'string'
    },
    clientRequestToken='string'
)
type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type oidc

dict

param oidc

[REQUIRED]

An object representing an OpenID Connect (OIDC) identity provider configuration.

  • identityProviderConfigName (string) -- [REQUIRED]

    The name of the OIDC provider configuration.

  • issuerUrl (string) -- [REQUIRED]

    The URL of the OIDC identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with https:// and should correspond to the iss claim in the provider's OIDC ID tokens. Based on the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. This URL should point to the level below .well-known/openid-configuration and must be publicly accessible over the internet.

  • clientId (string) -- [REQUIRED]

    This is also known as audience. The ID for the client application that makes authentication requests to the OIDC identity provider.

  • usernameClaim (string) --

    The JSON Web Token (JWT) claim to use as the username. The default is sub, which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name, depending on the OIDC identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes with other plug-ins.

  • usernamePrefix (string) --

    The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and username is a value other than email, the prefix defaults to issuerurl#. You can use the value - to disable all prefixing.

  • groupsClaim (string) --

    The JWT claim that the provider uses to return your groups.

  • groupsPrefix (string) --

    The prefix that is prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the value oidc: will create group names like oidc:engineering and oidc:infra.

  • requiredClaims (dict) --

    The key-value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see Amazon EKS service quotas in the Amazon EKS User Guide.

    • (string) --

      • (string) --
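The prefixing and required-claim rules above decide which Kubernetes username and groups a token maps to, and therefore which RoleBinding subjects it can match. The following added example (not AWS or Kubernetes code) models those rules as described on this page and lints a configuration for the two settings that remove the clash protection; function names, finding codes and the sample token claims are constructed, and signature, `iss`, `aud` and expiry verification are assumed to have happened already.

```python
from urllib.parse import urlsplit


def lint_oidc_config(oidc):
    """Return (code, message) findings for an `oidc` request dict."""
    findings = []
    url = urlsplit(oidc.get("issuerUrl", ""))
    if url.scheme != "https" or not url.netloc:
        findings.append(("issuer-scheme", "issuerUrl must begin with https://"))
    if url.query:
        findings.append(("issuer-query", "issuerUrl must not contain query parameters"))
    if oidc.get("groupsClaim") and not oidc.get("groupsPrefix"):
        findings.append(
            ("groups-unprefixed", "groupsClaim without groupsPrefix: provider groups can clash with existing names such as system: groups")
        )
    if oidc.get("usernamePrefix") == "-":
        findings.append(
            ("username-unprefixed", "usernamePrefix '-' disables all prefixing: usernames come verbatim from the token")
        )
    return findings


def effective_username_prefix(oidc):
    """Prefix applied to the username claim, following the rules on this page."""
    prefix = oidc.get("usernamePrefix")
    if prefix == "-":
        return ""                      # explicit opt-out
    if prefix:
        return prefix                  # caller-chosen prefix
    if oidc.get("usernameClaim", "sub") == "email":
        return ""                      # email is the one claim left unprefixed
    return oidc["issuerUrl"] + "#"     # default: issuerurl#


def map_identity(oidc, claims):
    """Return (username, groups) for already-verified token claims."""
    for name, wanted in (oidc.get("requiredClaims") or {}).items():
        if name not in claims or str(claims[name]) != wanted:
            raise PermissionError(f"required claim {name!r} missing or mismatched")
    username_claim = oidc.get("usernameClaim", "sub")
    if username_claim not in claims:
        raise PermissionError(f"token has no {username_claim!r} claim")
    username = effective_username_prefix(oidc) + str(claims[username_claim])
    groups = []
    if oidc.get("groupsClaim"):
        raw = claims.get(oidc["groupsClaim"], [])
        raw = [raw] if isinstance(raw, str) else list(raw)
        groups = [oidc.get("groupsPrefix", "") + g for g in raw]
    return username, groups


if __name__ == "__main__":
    # Constructed configuration and token claims.
    config = {
        "identityProviderConfigName": "corp",
        "issuerUrl": "https://idp.example.com",
        "clientId": "kubernetes",
        "groupsClaim": "groups",
        "groupsPrefix": "oidc:",
        "requiredClaims": {"env": "prod"},
    }
    token_claims = {"sub": "u-123", "groups": ["engineering", "system:masters"], "env": "prod"}
    print(map_identity(config, token_claims))
    unprefixed = {k: v for k, v in config.items() if k != "groupsPrefix"}
    print(lint_oidc_config(unprefixed), map_identity(unprefixed, token_claims))
```

With `groupsPrefix` set, a provider group named `system:masters` becomes `oidc:system:masters`; without it the name passes through unchanged, which is the clash the prefix exists to prevent.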

type tags

dict

param tags

Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

  • (string) --

    One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

    • (string) --

      The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    },
    'tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      An object representing an asynchronous update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --

    • tags (dict) --

      The tags for the resource.

      • (string) --

        One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

        • (string) --

          The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

CreateAddon (updated)
Changes (request, response)
Request
{'podIdentityAssociations': [{'roleArn': 'string', 'serviceAccount': 'string'}]}
Response
{'addon': {'health': {'issues': {'code': {'AddonPermissionFailure',
                                          'AddonSubscriptionNeeded'}}},
           'podIdentityAssociations': ['string']}}

Creates an Amazon EKS add-on.

Amazon EKS add-ons help to automate the provisioning and lifecycle management of common operational software for Amazon EKS clusters. For more information, see Amazon EKS add-ons in the Amazon EKS User Guide.

See also: AWS API Documentation

Request Syntax

client.create_addon(
    clusterName='string',
    addonName='string',
    addonVersion='string',
    serviceAccountRoleArn='string',
    resolveConflicts='OVERWRITE'|'NONE'|'PRESERVE',
    clientRequestToken='string',
    tags={
        'string': 'string'
    },
    configurationValues='string',
    podIdentityAssociations=[
        {
            'serviceAccount': 'string',
            'roleArn': 'string'
        },
    ]
)
type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type addonName

string

param addonName

[REQUIRED]

The name of the add-on. The name must match one of the names returned by DescribeAddonVersions.

type addonVersion

string

param addonVersion

The version of the add-on. The version must match one of the versions returned by DescribeAddonVersions.

type serviceAccountRoleArn

string

param serviceAccountRoleArn

The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.

Note

To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see Enabling IAM roles for service accounts on your cluster in the Amazon EKS User Guide.

type resolveConflicts

string

param resolveConflicts

How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:

  • None – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.

  • Overwrite – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.

  • Preserve – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see UpdateAddon.

If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

type tags

dict

param tags

Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

  • (string) --

    One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

    • (string) --

      The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

type configurationValues

string

param configurationValues

The set of configuration values for the add-on that's created. The values that you provide are validated against the schema returned by DescribeAddonConfiguration.

type podIdentityAssociations

list

param podIdentityAssociations

An array of Pod Identity Associations to be created. Each EKS Pod Identity association maps a Kubernetes service account to an IAM Role.

For more information, see Attach an IAM Role to an Amazon EKS add-on using Pod Identity in the EKS User Guide.

  • (dict) --

    A type of Pod Identity Association owned by an Amazon EKS Add-on.

    Each EKS Pod Identity Association maps a role to a service account in a namespace in the cluster.

    For more information, see Attach an IAM Role to an Amazon EKS add-on using Pod Identity in the EKS User Guide.

    • serviceAccount (string) -- [REQUIRED]

      The name of a Kubernetes Service Account.

    • roleArn (string) -- [REQUIRED]

      The ARN of an IAM Role.

rtype

dict

returns

Response Syntax

{
    'addon': {
        'addonName': 'string',
        'clusterName': 'string',
        'status': 'CREATING'|'ACTIVE'|'CREATE_FAILED'|'UPDATING'|'DELETING'|'DELETE_FAILED'|'DEGRADED'|'UPDATE_FAILED',
        'addonVersion': 'string',
        'health': {
            'issues': [
                {
                    'code': 'AccessDenied'|'InternalFailure'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound'|'AddonSubscriptionNeeded'|'AddonPermissionFailure',
                    'message': 'string',
                    'resourceIds': [
                        'string',
                    ]
                },
            ]
        },
        'addonArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'serviceAccountRoleArn': 'string',
        'tags': {
            'string': 'string'
        },
        'publisher': 'string',
        'owner': 'string',
        'marketplaceInformation': {
            'productId': 'string',
            'productUrl': 'string'
        },
        'configurationValues': 'string',
        'podIdentityAssociations': [
            'string',
        ]
    }
}

Response Structure

  • (dict) --

    • addon (dict) --

      An Amazon EKS add-on. For more information, see Amazon EKS add-ons in the Amazon EKS User Guide.

      • addonName (string) --

        The name of the add-on.

      • clusterName (string) --

        The name of your cluster.

      • status (string) --

        The status of the add-on.

      • addonVersion (string) --

        The version of the add-on.

      • health (dict) --

        An object that represents the health of the add-on.

        • issues (list) --

          An object representing the health issues for an add-on.

          • (dict) --

            An issue related to an add-on.

            • code (string) --

              A code that describes the type of issue.

            • message (string) --

              A message that provides details about the issue and what might cause it.

            • resourceIds (list) --

              The resource IDs of the issue.

              • (string) --

      • addonArn (string) --

        The Amazon Resource Name (ARN) of the add-on.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • modifiedAt (datetime) --

        The Unix epoch timestamp for the last modification to the object.

      • serviceAccountRoleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role that's bound to the Kubernetes ServiceAccount object that the add-on uses.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        • (string) --

          One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

      • publisher (string) --

        The publisher of the add-on.

      • owner (string) --

        The owner of the add-on.

      • marketplaceInformation (dict) --

        Information about an Amazon EKS add-on from the Amazon Web Services Marketplace.

        • productId (string) --

          The product ID from the Amazon Web Services Marketplace.

        • productUrl (string) --

          The product URL from the Amazon Web Services Marketplace.

      • configurationValues (string) --

        The configuration values that you provided.

      • podIdentityAssociations (list) --

        An array of Pod Identity Associations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster.

        For more information, see Attach an IAM Role to an Amazon EKS add-on using Pod Identity in the EKS User Guide.

        • (string) --
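The new `podIdentityAssociations` request field and the new `AddonPermissionFailure` health code can be checked on both sides of a `create_addon` call. The block below is an added example, not AWS code: it lints the request and then triages the returned `addon` dict. The function names, finding codes and sample values are constructed; treating a request with neither role field as falling back to the node IAM role, and flagging a repeated service account, are this example's own policy choices.

```python
import re

_ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

# Health issue codes (from the response syntax above) that point at IAM problems.
PERMISSION_CODES = {"AccessDenied", "AddonPermissionFailure"}


def lint_create_addon(request):
    """Return (code, message) findings for create_addon keyword arguments."""
    findings = []
    associations = request.get("podIdentityAssociations") or []
    if not associations and not request.get("serviceAccountRoleArn"):
        # Per the serviceAccountRoleArn description: no role specified means
        # the add-on runs with the node IAM role's permissions.
        findings.append(
            ("node-role-fallback", "no IAM role supplied: the add-on uses the node IAM role's permissions")
        )
    seen = set()
    for i, assoc in enumerate(associations):
        service_account = assoc.get("serviceAccount")
        role_arn = assoc.get("roleArn")
        if not service_account or not role_arn:
            findings.append(
                ("missing-field", f"association {i}: serviceAccount and roleArn are both required")
            )
            continue
        if not _ROLE_ARN.match(role_arn):
            findings.append(("bad-role-arn", f"association {i}: {role_arn!r} is not an IAM role ARN"))
        if service_account in seen:
            findings.append(
                ("duplicate-service-account", f"association {i}: {service_account!r} is mapped more than once")
            )
        seen.add(service_account)
    return findings


def triage_addon(addon, requested_associations):
    """Summarise the `addon` dict returned by create_addon or describe_addon."""
    issues = (addon.get("health") or {}).get("issues") or []
    created = addon.get("podIdentityAssociations") or []
    return {
        "status": addon.get("status"),
        "permission_issues": [
            (issue["code"], issue.get("message", ""))
            for issue in issues
            if issue.get("code") in PERMISSION_CODES
        ],
        # Requested associations that the response does not (yet) list.
        "associations_missing": max(0, len(requested_associations) - len(created)),
    }


if __name__ == "__main__":
    # Constructed request and response.
    request = {
        "clusterName": "demo",
        "addonName": "example-addon",
        "podIdentityAssociations": [
            {"serviceAccount": "sa-a", "roleArn": "arn:aws:iam::111122223333:role/addon-a"},
            {"serviceAccount": "sa-a", "roleArn": "not-an-arn"},
        ],
    }
    response_addon = {
        "status": "DEGRADED",
        "health": {"issues": [{"code": "AddonPermissionFailure", "message": "constructed message"}]},
        "podIdentityAssociations": ["constructed-association-1"],
    }
    print(lint_create_addon(request))
    print(triage_addon(response_addon, request["podIdentityAssociations"]))
```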

CreatePodIdentityAssociation (updated)
Changes (response)
{'association': {'ownerArn': 'string'}}

Creates an EKS Pod Identity association between a service account in an Amazon EKS cluster and an IAM role with EKS Pod Identity. Use EKS Pod Identity to give temporary IAM credentials to pods; the credentials are rotated automatically.

Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.

If a pod uses a service account that has an association, Amazon EKS sets environment variables in the containers of the pod. The environment variables configure the Amazon Web Services SDKs, including the Command Line Interface, to use the EKS Pod Identity credentials.

Pod Identity is a simpler method than IAM roles for service accounts, as this method doesn't use OIDC identity providers. Additionally, you can configure a role for Pod Identity once, and reuse it across clusters.

See also: AWS API Documentation

Request Syntax

client.create_pod_identity_association(
    clusterName='string',
    namespace='string',
    serviceAccount='string',
    roleArn='string',
    clientRequestToken='string',
    tags={
        'string': 'string'
    }
)
type clusterName

string

param clusterName

[REQUIRED]

The name of the cluster to create the association in.

type namespace

string

param namespace

[REQUIRED]

The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.

type serviceAccount

string

param serviceAccount

[REQUIRED]

The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

type roleArn

string

param roleArn

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

type tags

dict

param tags

Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

The following basic restrictions apply to tags:

  • Maximum number of tags per resource – 50

  • For each resource, each tag key must be unique, and each tag key can have only one value.

  • Maximum key length – 128 Unicode characters in UTF-8

  • Maximum value length – 256 Unicode characters in UTF-8

  • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

  • Tag keys and values are case-sensitive.

  • Do not use aws:, AWS:, or any uppercase or lowercase combination of these as a prefix for either keys or values, because the prefix is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

  • (string) --

    One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

    • (string) --

      The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

rtype

dict

returns

Response Syntax

{
    'association': {
        'clusterName': 'string',
        'namespace': 'string',
        'serviceAccount': 'string',
        'roleArn': 'string',
        'associationArn': 'string',
        'associationId': 'string',
        'tags': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'ownerArn': 'string'
    }
}

Response Structure

  • (dict) --

    • association (dict) --

      The full description of your new association.

      The description includes an ID for the association. Use the ID of the association in further actions to manage the association.

      • clusterName (string) --

        The name of the cluster that the association is in.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the association.

      • associationId (string) --

        The ID of the association.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        The following basic restrictions apply to tags:

        • Maximum number of tags per resource – 50

        • For each resource, each tag key must be unique, and each tag key can have only one value.

        • Maximum key length – 128 Unicode characters in UTF-8

        • Maximum value length – 256 Unicode characters in UTF-8

        • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

        • Tag keys and values are case-sensitive.

        • Do not use aws:, AWS:, or any uppercase or lowercase combination of these as a prefix for either keys or values, because the prefix is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

        • (string) --

          One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

      • createdAt (datetime) --

        The timestamp that the association was created at.

      • modifiedAt (datetime) --

        The most recent timestamp that the association was modified at.

      • ownerArn (string) --

        If defined, the Pod Identity Association is owned by an Amazon EKS Addon.

DeleteAddon (updated)
Changes (response)
{'addon': {'health': {'issues': {'code': {'AddonPermissionFailure',
                                          'AddonSubscriptionNeeded'}}},
           'podIdentityAssociations': ['string']}}

Deletes an Amazon EKS add-on.

When you remove an add-on, it's deleted from the cluster. You can always manually start an add-on on the cluster using the Kubernetes API.

See also: AWS API Documentation

Request Syntax

client.delete_addon(
    clusterName='string',
    addonName='string',
    preserve=True|False
)
type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type addonName

string

param addonName

[REQUIRED]

The name of the add-on. The name must match one of the names returned by ListAddons.

type preserve

boolean

param preserve

Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.

rtype

dict

returns

Response Syntax

{
    'addon': {
        'addonName': 'string',
        'clusterName': 'string',
        'status': 'CREATING'|'ACTIVE'|'CREATE_FAILED'|'UPDATING'|'DELETING'|'DELETE_FAILED'|'DEGRADED'|'UPDATE_FAILED',
        'addonVersion': 'string',
        'health': {
            'issues': [
                {
                    'code': 'AccessDenied'|'InternalFailure'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound'|'AddonSubscriptionNeeded'|'AddonPermissionFailure',
                    'message': 'string',
                    'resourceIds': [
                        'string',
                    ]
                },
            ]
        },
        'addonArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'serviceAccountRoleArn': 'string',
        'tags': {
            'string': 'string'
        },
        'publisher': 'string',
        'owner': 'string',
        'marketplaceInformation': {
            'productId': 'string',
            'productUrl': 'string'
        },
        'configurationValues': 'string',
        'podIdentityAssociations': [
            'string',
        ]
    }
}

Response Structure

  • (dict) --

    • addon (dict) --

      An Amazon EKS add-on. For more information, see Amazon EKS add-ons in the Amazon EKS User Guide.

      • addonName (string) --

        The name of the add-on.

      • clusterName (string) --

        The name of your cluster.

      • status (string) --

        The status of the add-on.

      • addonVersion (string) --

        The version of the add-on.

      • health (dict) --

        An object that represents the health of the add-on.

        • issues (list) --

          An object representing the health issues for an add-on.

          • (dict) --

            An issue related to an add-on.

            • code (string) --

              A code that describes the type of issue.

            • message (string) --

              A message that provides details about the issue and what might cause it.

            • resourceIds (list) --

              The resource IDs of the issue.

              • (string) --

      • addonArn (string) --

        The Amazon Resource Name (ARN) of the add-on.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • modifiedAt (datetime) --

        The Unix epoch timestamp for the last modification to the object.

      • serviceAccountRoleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role that's bound to the Kubernetes ServiceAccount object that the add-on uses.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        • (string) --

          One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

      • publisher (string) --

        The publisher of the add-on.

      • owner (string) --

        The owner of the add-on.

      • marketplaceInformation (dict) --

        Information about an Amazon EKS add-on from the Amazon Web Services Marketplace.

        • productId (string) --

          The product ID from the Amazon Web Services Marketplace.

        • productUrl (string) --

          The product URL from the Amazon Web Services Marketplace.

      • configurationValues (string) --

        The configuration values that you provided.

      • podIdentityAssociations (list) --

        An array of Pod Identity Associations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster.

        For more information, see Attach an IAM Role to an Amazon EKS add-on using Pod Identity in the EKS User Guide.

        • (string) --

DeletePodIdentityAssociation (updated)
Changes (response)
{'association': {'ownerArn': 'string'}}

Deletes an EKS Pod Identity association.

The temporary Amazon Web Services credentials from the previous IAM role session might still be valid until the session expiry. If you need to immediately revoke the temporary session credentials, then go to the role in the IAM console.

See also: AWS API Documentation

Request Syntax

client.delete_pod_identity_association(
    clusterName='string',
    associationId='string'
)
type clusterName

string

param clusterName

[REQUIRED]

The cluster name that

type associationId

string

param associationId

[REQUIRED]

The ID of the association to be deleted.

rtype

dict

returns

Response Syntax

{
    'association': {
        'clusterName': 'string',
        'namespace': 'string',
        'serviceAccount': 'string',
        'roleArn': 'string',
        'associationArn': 'string',
        'associationId': 'string',
        'tags': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'ownerArn': 'string'
    }
}

Response Structure

  • (dict) --

    • association (dict) --

      The full description of the EKS Pod Identity association that was deleted.

      • clusterName (string) --

        The name of the cluster that the association is in.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the association.

      • associationId (string) --

        The ID of the association.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        The following basic restrictions apply to tags:

        • Maximum number of tags per resource – 50

        • For each resource, each tag key must be unique, and each tag key can have only one value.

        • Maximum key length – 128 Unicode characters in UTF-8

        • Maximum value length – 256 Unicode characters in UTF-8

        • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

        • Tag keys and values are case-sensitive.

        • Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values, as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

        • (string) --

          One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

      • createdAt (datetime) --

        The timestamp that the association was created at.

      • modifiedAt (datetime) --

        The most recent timestamp that the association was modified at.

      • ownerArn (string) --

        If defined, the Pod Identity Association is owned by an Amazon EKS Addon.
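Because credentials issued before the deletion stay valid until they expire, a cleanup routine usually pairs the delete call with session revocation on the role. The following is an added example, not code from the AWS documentation: it attaches an inline deny policy keyed on aws:TokenIssueTime, the same condition the IAM console's session revocation relies on. The policy name, the helper names and the decision to skip add-on-owned associations are assumptions of this example.

```python
import json
from datetime import datetime, timezone

REVOKE_POLICY_NAME = "RevokeSessionsIssuedBeforeCutoff"  # hypothetical policy name


def build_session_revocation_policy(cutoff):
    """Inline policy denying every action to sessions issued before `cutoff`."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware")
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def role_name_from_arn(role_arn):
    """IAM role APIs take the role name: the last path segment of the role ARN."""
    parts = role_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("role/"):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return parts[5].rsplit("/", 1)[1]


def delete_association_and_revoke(eks, iam, cluster_name, association_id, now=None):
    """Delete one association, then cut off sessions issued before the deletion.

    `eks` and `iam` are boto3 clients (or stand-ins with the same methods).
    """
    assoc = eks.describe_pod_identity_association(
        clusterName=cluster_name, associationId=association_id
    )["association"]
    if assoc.get("ownerArn"):
        # Policy choice of this example: an association owned by an add-on is
        # left to that add-on and only reported back to the caller.
        return {"deleted": False, "ownerArn": assoc["ownerArn"], "revokedBefore": None}

    role_name = role_name_from_arn(assoc["roleArn"])  # validate before deleting
    eks.delete_pod_identity_association(
        clusterName=cluster_name, associationId=association_id
    )
    # The cutoff is taken after the delete so that every session the
    # association could have produced was issued before it.
    cutoff = now or datetime.now(timezone.utc)
    policy = build_session_revocation_policy(cutoff)
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=REVOKE_POLICY_NAME,
        PolicyDocument=json.dumps(policy),
    )
    stamp = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    return {"deleted": True, "ownerArn": None, "revokedBefore": stamp}


if __name__ == "__main__":
    # Constructed cutoff, printed so the policy document can be inspected.
    demo = build_session_revocation_policy(
        datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)
    )
    print(json.dumps(demo, indent=2))
```

The deny statement covers every session of that role issued before the cutoff, including sessions obtained through other associations that map to the same role; those workloads are unaffected once they hold credentials issued after the cutoff.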

DescribeAddon (updated)
Changes (response)
{'addon': {'health': {'issues': {'code': {'AddonPermissionFailure',
                                          'AddonSubscriptionNeeded'}}},
           'podIdentityAssociations': ['string']}}

Describes an Amazon EKS add-on.

See also: AWS API Documentation

Request Syntax

client.describe_addon(
    clusterName='string',
    addonName='string'
)
type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type addonName

string

param addonName

[REQUIRED]

The name of the add-on. The name must match one of the names returned by ListAddons.

rtype

dict

returns

Response Syntax

{
    'addon': {
        'addonName': 'string',
        'clusterName': 'string',
        'status': 'CREATING'|'ACTIVE'|'CREATE_FAILED'|'UPDATING'|'DELETING'|'DELETE_FAILED'|'DEGRADED'|'UPDATE_FAILED',
        'addonVersion': 'string',
        'health': {
            'issues': [
                {
                    'code': 'AccessDenied'|'InternalFailure'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound'|'AddonSubscriptionNeeded'|'AddonPermissionFailure',
                    'message': 'string',
                    'resourceIds': [
                        'string',
                    ]
                },
            ]
        },
        'addonArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'serviceAccountRoleArn': 'string',
        'tags': {
            'string': 'string'
        },
        'publisher': 'string',
        'owner': 'string',
        'marketplaceInformation': {
            'productId': 'string',
            'productUrl': 'string'
        },
        'configurationValues': 'string',
        'podIdentityAssociations': [
            'string',
        ]
    }
}

Response Structure

  • (dict) --

    • addon (dict) --

      An Amazon EKS add-on. For more information, see Amazon EKS add-ons in the Amazon EKS User Guide.

      • addonName (string) --

        The name of the add-on.

      • clusterName (string) --

        The name of your cluster.

      • status (string) --

        The status of the add-on.

      • addonVersion (string) --

        The version of the add-on.

      • health (dict) --

        An object that represents the health of the add-on.

        • issues (list) --

          An object representing the health issues for an add-on.

          • (dict) --

            An issue related to an add-on.

            • code (string) --

              A code that describes the type of issue.

            • message (string) --

              A message that provides details about the issue and what might cause it.

            • resourceIds (list) --

              The resource IDs of the issue.

              • (string) --

      • addonArn (string) --

        The Amazon Resource Name (ARN) of the add-on.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • modifiedAt (datetime) --

        The Unix epoch timestamp for the last modification to the object.

      • serviceAccountRoleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role that's bound to the Kubernetes ServiceAccount object that the add-on uses.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        • (string) --

          One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

      • publisher (string) --

        The publisher of the add-on.

      • owner (string) --

        The owner of the add-on.

      • marketplaceInformation (dict) --

        Information about an Amazon EKS add-on from the Amazon Web Services Marketplace.

        • productId (string) --

          The product ID from the Amazon Web Services Marketplace.

        • productUrl (string) --

          The product URL from the Amazon Web Services Marketplace.

      • configurationValues (string) --

        The configuration values that you provided.

      • podIdentityAssociations (list) --

        An array of Pod Identity Associations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster.

        For more information, see Attach an IAM Role to an Amazon EKS add-on using Pod Identity in the EKS User Guide.

        • (string) --

DescribeAddonConfiguration (updated)
Changes (response)
{'podIdentityConfiguration': [{'recommendedManagedPolicies': ['string'],
                               'serviceAccount': 'string'}]}

Returns configuration options.

See also: AWS API Documentation

Request Syntax

client.describe_addon_configuration(
    addonName='string',
    addonVersion='string'
)
type addonName

string

param addonName

[REQUIRED]

The name of the add-on. The name must match one of the names returned by DescribeAddonVersions.

type addonVersion

string

param addonVersion

[REQUIRED]

The version of the add-on. The version must match one of the versions returned by DescribeAddonVersions.

rtype

dict

returns

Response Syntax

{
    'addonName': 'string',
    'addonVersion': 'string',
    'configurationSchema': 'string',
    'podIdentityConfiguration': [
        {
            'serviceAccount': 'string',
            'recommendedManagedPolicies': [
                'string',
            ]
        },
    ]
}

Response Structure

  • (dict) --

    • addonName (string) --

      The name of the add-on.

    • addonVersion (string) --

      The version of the add-on. The version must match one of the versions returned by DescribeAddonVersions.

    • configurationSchema (string) --

      A JSON schema that's used to validate the configuration values you provide when an add-on is created or updated.

    • podIdentityConfiguration (list) --

      The Kubernetes service account name used by the addon, and any suggested IAM policies. Use this information to create an IAM Role for the Addon.

      • (dict) --

        Information about how to configure IAM for an Addon.

        • serviceAccount (string) --

          The Kubernetes Service Account name used by the addon.

        • recommendedManagedPolicies (list) --

          A suggested IAM Policy for the addon.

          • (string) --

DescribeAddonVersions (updated)
Changes (response)
{'addons': {'addonVersions': {'requiresIamPermissions': 'boolean'}}}

Describes the versions for an add-on.

Information such as the Kubernetes versions that you can use the add-on with, the owner, publisher, and the type of the add-on are returned.

See also: AWS API Documentation

Request Syntax

client.describe_addon_versions(
    kubernetesVersion='string',
    maxResults=123,
    nextToken='string',
    addonName='string',
    types=[
        'string',
    ],
    publishers=[
        'string',
    ],
    owners=[
        'string',
    ]
)
type kubernetesVersion

string

param kubernetesVersion

The Kubernetes versions that you can use the add-on with.

type maxResults

integer

param maxResults

The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.

type nextToken

string

param nextToken

The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.

Note

This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.

type addonName

string

param addonName

The name of the add-on. The name must match one of the names returned by ListAddons.

type types

list

param types

The type of the add-on. For valid types, don't specify a value for this property.

  • (string) --

type publishers

list

param publishers

The publisher of the add-on. For valid publishers, don't specify a value for this property.

  • (string) --

type owners

list

param owners

The owner of the add-on. For valid owners, don't specify a value for this property.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'addons': [
        {
            'addonName': 'string',
            'type': 'string',
            'addonVersions': [
                {
                    'addonVersion': 'string',
                    'architecture': [
                        'string',
                    ],
                    'compatibilities': [
                        {
                            'clusterVersion': 'string',
                            'platformVersions': [
                                'string',
                            ],
                            'defaultVersion': True|False
                        },
                    ],
                    'requiresConfiguration': True|False,
                    'requiresIamPermissions': True|False
                },
            ],
            'publisher': 'string',
            'owner': 'string',
            'marketplaceInformation': {
                'productId': 'string',
                'productUrl': 'string'
            }
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • addons (list) --

      The list of available versions with Kubernetes version compatibility and other properties.

      • (dict) --

        Information about an add-on.

        • addonName (string) --

          The name of the add-on.

        • type (string) --

          The type of the add-on.

        • addonVersions (list) --

          An object representing information about available add-on versions and compatible Kubernetes versions.

          • (dict) --

            Information about an add-on version.

            • addonVersion (string) --

              The version of the add-on.

            • architecture (list) --

              The architectures that the version supports.

              • (string) --

            • compatibilities (list) --

              An object representing the compatibilities of a version.

              • (dict) --

                Compatibility information.

                • clusterVersion (string) --

                  The supported Kubernetes version of the cluster.

                • platformVersions (list) --

                  The supported compute platform.

                  • (string) --

                • defaultVersion (boolean) --

                  The supported default version.

            • requiresConfiguration (boolean) --

              Whether the add-on requires configuration.

            • requiresIamPermissions (boolean) --

              Indicates if the Addon requires IAM Permissions to operate, such as networking permissions.

        • publisher (string) --

          The publisher of the add-on.

        • owner (string) --

          The owner of the add-on.

        • marketplaceInformation (dict) --

          Information about the add-on from the Amazon Web Services Marketplace.

          • productId (string) --

            The product ID from the Amazon Web Services Marketplace.

          • productUrl (string) --

            The product URL from the Amazon Web Services Marketplace.

    • nextToken (string) --

      The nextToken value to include in a future DescribeAddonVersions request. When the results of a DescribeAddonVersions request exceed maxResults, you can use this value to retrieve the next page of results. This value is null when there are no more results to return.

      Note

      This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
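The new requiresIamPermissions flag from DescribeAddonVersions and the podIdentityConfiguration list from DescribeAddonConfiguration can be combined into a pre-installation IAM review. The following is an added example, not code from the AWS documentation: it follows nextToken across pages and flags recommended policies that are not on an approved list. StubEks, APPROVED and every add-on name, version and policy string in it are constructed so that the block runs offline; a boto3 EKS client can be passed in place of the stub.

```python
APPROVED = {  # constructed allowlist of policies the organisation has reviewed
    "arn:aws:iam::aws:policy/ExampleNetPolicy",
    "arn:aws:iam::aws:policy/ExampleStoragePolicy",
}


def iter_addon_versions(eks, **filters):
    """Yield (addonName, version dict) across every page of DescribeAddonVersions."""
    token = None
    while True:
        kwargs = dict(filters)
        if token:
            kwargs["nextToken"] = token  # opaque: passed back unchanged
        page = eks.describe_addon_versions(**kwargs)
        for addon in page.get("addons", []):
            for version in addon.get("addonVersions", []):
                yield addon["addonName"], version
        token = page.get("nextToken")
        if not token:
            return


def iam_review(eks, approved, **filters):
    """One row per service account of each add-on version that needs IAM."""
    rows = []
    for name, version in iter_addon_versions(eks, **filters):
        if not version.get("requiresIamPermissions"):
            continue
        cfg = eks.describe_addon_configuration(
            addonName=name, addonVersion=version["addonVersion"]
        )
        items = cfg.get("podIdentityConfiguration", [])
        if not items:
            # Needs IAM but publishes no Pod Identity guidance: review by hand.
            items = [{"serviceAccount": None, "recommendedManagedPolicies": []}]
        for item in items:
            recommended = item.get("recommendedManagedPolicies", [])
            rows.append({
                "addon": name,
                "version": version["addonVersion"],
                "serviceAccount": item["serviceAccount"],
                "recommended": recommended,
                "unapproved": sorted(set(recommended) - set(approved)),
            })
    return rows


class StubEks:
    """Offline stand-in for the boto3 EKS client; all values are constructed."""

    PAGES = {
        None: {"addons": [{"addonName": "example-net", "addonVersions": [
            {"addonVersion": "v1.0.0", "requiresIamPermissions": True},
            {"addonVersion": "v0.9.0", "requiresIamPermissions": False}]}],
            "nextToken": "page-2"},
        "page-2": {"addons": [
            {"addonName": "example-storage", "addonVersions": [
                {"addonVersion": "v2.1.0", "requiresIamPermissions": True}]},
            {"addonName": "example-dns", "addonVersions": [
                {"addonVersion": "v3.0.0", "requiresIamPermissions": True}]}]},
    }
    CONFIGS = {
        ("example-net", "v1.0.0"): [{
            "serviceAccount": "example-net-sa",
            "recommendedManagedPolicies": ["arn:aws:iam::aws:policy/ExampleNetPolicy"]}],
        ("example-storage", "v2.1.0"): [{
            "serviceAccount": "example-storage-sa",
            "recommendedManagedPolicies": [
                "arn:aws:iam::aws:policy/ExampleStoragePolicy",
                "arn:aws:iam::aws:policy/ExampleBroadPolicy"]}],
    }

    def describe_addon_versions(self, **kwargs):
        return self.PAGES[kwargs.get("nextToken")]

    def describe_addon_configuration(self, addonName, addonVersion):
        return {"addonName": addonName, "addonVersion": addonVersion,
                "podIdentityConfiguration": self.CONFIGS.get((addonName, addonVersion), [])}


if __name__ == "__main__":
    for row in iam_review(StubEks(), APPROVED):
        print(row["addon"], row["version"], row["serviceAccount"], row["unapproved"])
```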

DescribePodIdentityAssociation (updated)
Changes (response)
{'association': {'ownerArn': 'string'}}

Returns descriptive information about an EKS Pod Identity association.

This action requires the ID of the association. You can get the ID from the response to CreatePodIdentityAssociation for newly created associations. Or, you can list the IDs for associations with ListPodIdentityAssociations and filter the list by namespace or service account.

See also: AWS API Documentation

Request Syntax

client.describe_pod_identity_association(
    clusterName='string',
    associationId='string'
)
type clusterName

string

param clusterName

[REQUIRED]

The name of the cluster that the association is in.

type associationId

string

param associationId

[REQUIRED]

The ID of the association that you want the description of.

rtype

dict

returns

Response Syntax

{
    'association': {
        'clusterName': 'string',
        'namespace': 'string',
        'serviceAccount': 'string',
        'roleArn': 'string',
        'associationArn': 'string',
        'associationId': 'string',
        'tags': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'ownerArn': 'string'
    }
}

Response Structure

  • (dict) --

    • association (dict) --

      The full description of the EKS Pod Identity association.

      • clusterName (string) --

        The name of the cluster that the association is in.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the association.

      • associationId (string) --

        The ID of the association.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        The following basic restrictions apply to tags:

        • Maximum number of tags per resource – 50

        • For each resource, each tag key must be unique, and each tag key can have only one value.

        • Maximum key length – 128 Unicode characters in UTF-8

        • Maximum value length – 256 Unicode characters in UTF-8

        • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

        • Tag keys and values are case-sensitive.

        • Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values, as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

        • (string) --

          One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

      • createdAt (datetime) --

        The timestamp that the association was created at.

      • modifiedAt (datetime) --

        The most recent timestamp that the association was modified at.

      • ownerArn (string) --

        If defined, the Pod Identity Association is owned by an Amazon EKS Addon.
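The list-then-describe flow described for this action is also how a cluster's Pod Identity mappings can be audited. The following is an added example, not code from the AWS documentation: it lists association IDs, describes each one to obtain roleArn and ownerArn, and reports which namespace/service-account pairs can reach each IAM role. StubCluster, the function names and all ARNs and IDs in the block are constructed; the stub returns two results per page to exercise pagination.

```python
from collections import defaultdict


def describe_all_associations(eks, cluster_name, **filters):
    """List association IDs (optionally filtered) and describe each one."""
    associations, token = [], None
    while True:
        kwargs = dict(filters, clusterName=cluster_name)
        if token:
            kwargs["nextToken"] = token
        page = eks.list_pod_identity_associations(**kwargs)
        for summary in page.get("associations", []):
            associations.append(eks.describe_pod_identity_association(
                clusterName=cluster_name, associationId=summary["associationId"]
            )["association"])
        token = page.get("nextToken")
        if not token:
            return associations


def role_exposure(associations):
    """Group associations by IAM role and describe who can obtain each role."""
    by_role = defaultdict(list)
    for assoc in associations:
        by_role[assoc["roleArn"]].append(assoc)
    report = []
    for role_arn, items in sorted(by_role.items()):
        owners = sorted({a["ownerArn"] for a in items if a.get("ownerArn")})
        report.append({
            "roleArn": role_arn,
            "subjects": sorted(f'{a["namespace"]}/{a["serviceAccount"]}' for a in items),
            # One role reachable from several namespaces widens its blast radius.
            "crossNamespace": len({a["namespace"] for a in items}) > 1,
            "addonOwners": owners,
            # Same role used by an add-on and by a self-managed association.
            "mixedOwnership": bool(owners) and any(not a.get("ownerArn") for a in items),
        })
    return report


class StubCluster:
    """Offline stand-in for the boto3 EKS client; all values are constructed."""

    SHARED = "arn:aws:iam::111122223333:role/example-shared-role"
    ADDON = "arn:aws:iam::111122223333:role/example-addon-role"
    OWNER = "arn:aws:eks:us-east-1:111122223333:addon/demo/example-addon/constructed"
    DATA = [
        {"associationId": "a-constructed1", "namespace": "payments",
         "serviceAccount": "api", "roleArn": SHARED},
        {"associationId": "a-constructed2", "namespace": "batch",
         "serviceAccount": "worker", "roleArn": SHARED},
        {"associationId": "a-constructed3", "namespace": "kube-system",
         "serviceAccount": "example-addon-sa", "roleArn": ADDON, "ownerArn": OWNER},
    ]

    def list_pod_identity_associations(self, clusterName, namespace=None,
                                       serviceAccount=None, nextToken=None):
        rows = [a for a in self.DATA
                if namespace in (None, a["namespace"])
                and serviceAccount in (None, a["serviceAccount"])]
        start = int(nextToken or 0)
        page = {"associations": [{"associationId": a["associationId"]}
                                 for a in rows[start:start + 2]]}
        if start + 2 < len(rows):
            page["nextToken"] = str(start + 2)
        return page

    def describe_pod_identity_association(self, clusterName, associationId):
        match = next(a for a in self.DATA if a["associationId"] == associationId)
        return {"association": dict(match, clusterName=clusterName)}


if __name__ == "__main__":
    for row in role_exposure(describe_all_associations(StubCluster(), "demo")):
        print(row)
```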

DescribeUpdate (updated)
Changes (response)
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Describes an update to an Amazon EKS resource.

When the status of the update is Succeeded, the update is complete. If an update fails, the status is Failed, and an error detail explains the reason for the failure.

See also: AWS API Documentation

Request Syntax

client.describe_update(
    name='string',
    updateId='string',
    nodegroupName='string',
    addonName='string'
)
type name

string

param name

[REQUIRED]

The name of the Amazon EKS cluster associated with the update.

type updateId

string

param updateId

[REQUIRED]

The ID of the update to describe.

type nodegroupName

string

param nodegroupName

The name of the Amazon EKS node group associated with the update. This parameter is required if the update is a node group update.

type addonName

string

param addonName

The name of the add-on. The name must match one of the names returned by ListAddons. This parameter is required if the update is an add-on update.

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      The full description of the specified update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --

DisassociateIdentityProviderConfig (updated)
Changes (response)
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Disassociates an identity provider configuration from a cluster.

If you disassociate an identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with IAM principals.

See also: AWS API Documentation

Request Syntax

client.disassociate_identity_provider_config(
    clusterName='string',
    identityProviderConfig={
        'type': 'string',
        'name': 'string'
    },
    clientRequestToken='string'
)
type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type identityProviderConfig

dict

param identityProviderConfig

[REQUIRED]

An object representing an identity provider configuration.

  • type (string) -- [REQUIRED]

    The type of the identity provider configuration. The only type available is oidc.

  • name (string) -- [REQUIRED]

    The name of the identity provider configuration.

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      An object representing an asynchronous update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --

ListPodIdentityAssociations (updated)
Changes (response)
{'associations': {'ownerArn': 'string'}}

List the EKS Pod Identity associations in a cluster. You can filter the list by the namespace that the association is in or the service account that the association uses.

See also: AWS API Documentation

Request Syntax

client.list_pod_identity_associations(
    clusterName='string',
    namespace='string',
    serviceAccount='string',
    maxResults=123,
    nextToken='string'
)

type clusterName

string

param clusterName

[REQUIRED]

The name of the cluster that the associations are in.

type namespace

string

param namespace

The name of the Kubernetes namespace inside the cluster that the associations are in.

type serviceAccount

string

param serviceAccount

The name of the Kubernetes service account that the associations use.

type maxResults

integer

param maxResults

The maximum number of EKS Pod Identity association results returned by ListPodIdentityAssociations in paginated output. When you use this parameter, ListPodIdentityAssociations returns only maxResults results in a single page along with a nextToken response element. You can see the remaining results of the initial request by sending another ListPodIdentityAssociations request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, ListPodIdentityAssociations returns up to 100 results and a nextToken value if applicable.

type nextToken

string

param nextToken

The nextToken value returned from a previous paginated ListUpdates request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value.

Note

This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.

rtype

dict

returns

Response Syntax

{
    'associations': [
        {
            'clusterName': 'string',
            'namespace': 'string',
            'serviceAccount': 'string',
            'associationArn': 'string',
            'associationId': 'string',
            'ownerArn': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • associations (list) --

      The list of summarized descriptions of the associations that are in the cluster and match any filters that you provided.

      Each summary is simplified by removing these fields compared to the full PodIdentityAssociation :

      • The IAM role: roleArn

      • The timestamp that the association was created at: createdAt

      • The most recent timestamp that the association was modified at: modifiedAt

      • The tags on the association: tags

      • (dict) --

        The summarized description of the association.

        Each summary is simplified by removing these fields compared to the full PodIdentityAssociation :

        • The IAM role: roleArn

        • The timestamp that the association was created at: createdAt

        • The most recent timestamp that the association was modified at: modifiedAt

        • The tags on the association: tags

        • clusterName (string) --

          The name of the cluster that the association is in.

        • namespace (string) --

          The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.

        • serviceAccount (string) --

          The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

        • associationArn (string) --

          The Amazon Resource Name (ARN) of the association.

        • associationId (string) --

          The ID of the association.

        • ownerArn (string) --

          If defined, the Pod Identity Association is owned by an Amazon EKS Addon.

    • nextToken (string) --

      The nextToken value to include in a future ListPodIdentityAssociations request. When the results of a ListPodIdentityAssociations request exceed maxResults , you can use this value to retrieve the next page of results. This value is null when there are no more results to return.

      Note

      This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
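The list summaries above omit roleArn, so an inventory of which service account receives which IAM role needs one DescribePodIdentityAssociation call per summary. The sketch below is an added example, not part of the AWS reference: it follows nextToken to the end, resolves each role, and uses ownerArn to separate add-on-owned associations from directly created ones. `FakeEks` and its ARNs are constructed sample data standing in for `boto3.client('eks')`.

```python
"""Inventory EKS Pod Identity associations: which service account gets which role."""


def list_all_associations(client, cluster_name, namespace=None, service_account=None):
    """Follow nextToken until it is absent and return every association summary."""
    kwargs = {"clusterName": cluster_name, "maxResults": 100}
    if namespace:
        kwargs["namespace"] = namespace
    if service_account:
        kwargs["serviceAccount"] = service_account
    summaries = []
    while True:
        page = client.list_pod_identity_associations(**kwargs)
        summaries.extend(page.get("associations", []))
        token = page.get("nextToken")
        if not token:
            return summaries
        kwargs["nextToken"] = token  # opaque value: pass it back unchanged


def inventory(client, cluster_name):
    """Return one row per association with the IAM role resolved.

    Summaries carry no roleArn, so each association is described individually.
    """
    rows = []
    for summary in list_all_associations(client, cluster_name):
        full = client.describe_pod_identity_association(
            clusterName=cluster_name, associationId=summary["associationId"]
        )["association"]
        rows.append({
            "namespace": summary["namespace"],
            "serviceAccount": summary["serviceAccount"],
            "roleArn": full["roleArn"],
            # Present only when an EKS add-on owns the association.
            "ownerArn": summary.get("ownerArn"),
        })
    return rows


def unmanaged(rows):
    """Associations that no add-on owns, i.e. created directly against the cluster."""
    return [row for row in rows if not row["ownerArn"]]


class FakeEks:
    """Constructed stand-in for the EKS client; serves sample data two items per page."""

    ROLE = "arn:aws:iam::111122223333:role/"
    ADDON = "arn:aws:eks:us-east-1:111122223333:addon/demo/"
    DATA = [
        {"associationId": "a-1", "namespace": "kube-system", "serviceAccount": "aws-node",
         "roleArn": ROLE + "cni", "ownerArn": ADDON + "vpc-cni/EXAMPLE"},
        {"associationId": "a-2", "namespace": "payments", "serviceAccount": "ledger",
         "roleArn": ROLE + "ledger", "ownerArn": None},
        {"associationId": "a-3", "namespace": "kube-system", "serviceAccount": "ebs-csi",
         "roleArn": ROLE + "ebs", "ownerArn": ADDON + "ebs-csi/EXAMPLE"},
    ]

    def list_pod_identity_associations(self, **kw):
        start = int(kw.get("nextToken", 0))
        page = self.DATA[start:start + 2]
        out = {"associations": [
            {**{k: v for k, v in a.items() if k != "roleArn" and v is not None},
             "clusterName": kw["clusterName"]}
            for a in page
        ]}
        if start + 2 < len(self.DATA):
            out["nextToken"] = str(start + 2)
        return out

    def describe_pod_identity_association(self, clusterName, associationId):
        found = next(a for a in self.DATA if a["associationId"] == associationId)
        return {"association": {**found, "clusterName": clusterName}}


if __name__ == "__main__":
    for row in inventory(FakeEks(), "demo"):
        print(row)
```
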

UpdateAddon (updated)
Changes (request, response)
Request
{'podIdentityAssociations': [{'roleArn': 'string', 'serviceAccount': 'string'}]}
Response
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Updates an Amazon EKS add-on.

See also: AWS API Documentation

Request Syntax

client.update_addon(
    clusterName='string',
    addonName='string',
    addonVersion='string',
    serviceAccountRoleArn='string',
    resolveConflicts='OVERWRITE'|'NONE'|'PRESERVE',
    clientRequestToken='string',
    configurationValues='string',
    podIdentityAssociations=[
        {
            'serviceAccount': 'string',
            'roleArn': 'string'
        },
    ]
)

type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type addonName

string

param addonName

[REQUIRED]

The name of the add-on. The name must match one of the names returned by ListAddons.

type addonVersion

string

param addonVersion

The version of the add-on. The version must match one of the versions returned by DescribeAddonVersions.

type serviceAccountRoleArn

string

param serviceAccountRoleArn

The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide .

Note

To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see Enabling IAM roles for service accounts on your cluster in the Amazon EKS User Guide .

type resolveConflicts

string

param resolveConflicts

How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Conflicts are handled based on the option you choose:

  • None – Amazon EKS doesn't change the value. The update might fail.

  • Overwrite – Amazon EKS overwrites the changed value back to the Amazon EKS default value.

  • Preserve – Amazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

type configurationValues

string

param configurationValues

The set of configuration values for the add-on that's created. The values that you provide are validated against the schema returned by DescribeAddonConfiguration .

type podIdentityAssociations

list

param podIdentityAssociations

An array of Pod Identity Associations to be updated. Each EKS Pod Identity association maps a Kubernetes service account to an IAM Role. If this value is left blank, no change is made. If an empty array is provided, existing Pod Identity Associations owned by the Addon are deleted.

For more information, see Attach an IAM Role to an Amazon EKS add-on using Pod Identity in the EKS User Guide.

  • (dict) --

    A type of Pod Identity Association owned by an Amazon EKS Add-on.

    Each EKS Pod Identity Association maps a role to a service account in a namespace in the cluster.

    For more information, see Attach an IAM Role to an Amazon EKS add-on using Pod Identity in the EKS User Guide.

    • serviceAccount (string) -- [REQUIRED]

      The name of a Kubernetes Service Account.

    • roleArn (string) -- [REQUIRED]

      The ARN of an IAM Role.
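Because an omitted podIdentityAssociations leaves associations alone while an empty array deletes the ones the add-on owns, request-building code has to keep those two cases apart. The following is an added example, not code from the AWS reference: `naive_request` shows the default-to-empty-list mistake, and `build_update_addon_request` (a hypothetical helper) omits the key unless associations are given and requires an explicit flag before sending an empty array. The ARN pattern is a local sanity check of this example, not an API rule.

```python
import re

# Local sanity check for role ARNs (assumption of this example).
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")


def naive_request(cluster, addon, cfg):
    """Weak form: a missing config key becomes [], which UpdateAddon reads as 'delete'."""
    return {
        "clusterName": cluster,
        "addonName": addon,
        "podIdentityAssociations": cfg.get("podIdentityAssociations", []),
    }


def build_update_addon_request(cluster, addon, associations=None, confirm_delete=False):
    """Build kwargs for client.update_addon(**kwargs).

    associations=None  -> key omitted, existing associations are not touched
    associations=[]    -> deletes add-on-owned associations; needs confirm_delete=True
    associations=[...] -> each entry validated, then sent as given
    """
    request = {"clusterName": cluster, "addonName": addon}
    if associations is None:
        return request
    if len(associations) == 0:
        if not confirm_delete:
            raise ValueError(
                "empty podIdentityAssociations deletes the add-on's associations; "
                "pass confirm_delete=True if that is intended"
            )
        request["podIdentityAssociations"] = []
        return request
    cleaned = []
    for entry in associations:
        service_account = entry.get("serviceAccount")
        role_arn = entry.get("roleArn")
        if not service_account or not role_arn:
            raise ValueError("serviceAccount and roleArn are both required")
        if not ROLE_ARN.match(role_arn):
            raise ValueError(f"not an IAM role ARN: {role_arn!r}")
        cleaned.append({"serviceAccount": service_account, "roleArn": role_arn})
    request["podIdentityAssociations"] = cleaned
    return request


if __name__ == "__main__":
    # Constructed sample values.
    print(naive_request("demo", "vpc-cni", {}))
    print(build_update_addon_request("demo", "vpc-cni"))
    print(build_update_addon_request(
        "demo", "vpc-cni",
        [{"serviceAccount": "aws-node",
          "roleArn": "arn:aws:iam::111122223333:role/cni"}],
    ))
```
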

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      An object representing an asynchronous update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --

UpdateClusterConfig (updated)
Changes (response)
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate.

You can use this API operation to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the Amazon EKS User Guide .

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.

You can also use this API operation to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .

You can also use this API operation to choose different subnets and security groups for the cluster. You must specify at least two subnets that are in different Availability Zones. You can't change which VPC the subnets are from; the subnets must be in the same VPC as the subnets that the cluster was created with. For more information about the VPC requirements, see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html in the Amazon EKS User Guide .

Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful ), the cluster status moves to Active .

See also: AWS API Documentation

Request Syntax

client.update_cluster_config(
    name='string',
    resourcesVpcConfig={
        'subnetIds': [
            'string',
        ],
        'securityGroupIds': [
            'string',
        ],
        'endpointPublicAccess': True|False,
        'endpointPrivateAccess': True|False,
        'publicAccessCidrs': [
            'string',
        ]
    },
    logging={
        'clusterLogging': [
            {
                'types': [
                    'api'|'audit'|'authenticator'|'controllerManager'|'scheduler',
                ],
                'enabled': True|False
            },
        ]
    },
    clientRequestToken='string',
    accessConfig={
        'authenticationMode': 'API'|'API_AND_CONFIG_MAP'|'CONFIG_MAP'
    }
)

type name

string

param name

[REQUIRED]

The name of the Amazon EKS cluster to update.

type resourcesVpcConfig

dict

param resourcesVpcConfig

An object representing the VPC configuration to use for an Amazon EKS cluster.

  • subnetIds (list) --

    Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.

    • (string) --

  • securityGroupIds (list) --

    Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to allow communication between your nodes and the Kubernetes control plane. If you don't specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see Amazon EKS security group considerations in the Amazon EKS User Guide .

    • (string) --

  • endpointPublicAccess (boolean) --

    Set this value to false to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is true , which enables public access for your Kubernetes API server. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .

  • endpointPrivateAccess (boolean) --

    Set this value to true to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is false , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .

  • publicAccessCidrs (list) --

    The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and Fargate Pod in the cluster. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .

    • (string) --

type logging

dict

param logging

Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS cluster control plane logs in the Amazon EKS User Guide .

Note

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.

  • clusterLogging (list) --

    The cluster control plane logging configuration for your cluster.

    • (dict) --

      An object representing the enabled or disabled Kubernetes control plane logs for your cluster.

      • types (list) --

        The available cluster control plane log types.

        • (string) --

      • enabled (boolean) --

        If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

type accessConfig

dict

param accessConfig

The access configuration for the cluster.

  • authenticationMode (string) --

    The desired authentication mode for the cluster.
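The endpoint and logging parameters above decide who can reach the Kubernetes API server and whether control plane logs leave the cluster, so a request is worth reviewing before it is sent. This added example (not part of the AWS reference) inspects one update_cluster_config request dict and returns findings. The finding codes, the set of log types treated as must-keep, and the /16 breadth threshold are assumptions of this example, and the sample requests are constructed.

```python
import ipaddress

# Review policy of this example (assumptions, not EKS rules).
MUST_KEEP_LOGS = {"audit", "authenticator"}
MIN_IPV4_PREFIX = 16


def review_update_cluster_config(request):
    """Return a list of (code, detail) findings for one request dict."""
    findings = []
    vpc = request.get("resourcesVpcConfig") or {}
    cidrs = vpc.get("publicAccessCidrs")

    for cidr in cidrs or []:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(("CIDR_INVALID", cidr))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 is the documented default: every source address is allowed.
            findings.append(("PUBLIC_ANY_SOURCE", cidr))
        elif net.version == 4 and net.prefixlen < MIN_IPV4_PREFIX:
            findings.append(("PUBLIC_BROAD_SOURCE", cidr))

    if vpc.get("endpointPublicAccess") is True and cidrs is None:
        findings.append(("PUBLIC_WITHOUT_CIDRS",
                         "public access enabled; CIDR list not set in this request"))

    if vpc.get("endpointPrivateAccess") is False and vpc.get("endpointPublicAccess") is not False:
        findings.append(("PRIVATE_DISABLED",
                         "publicAccessCidrs must cover every node and Fargate pod"))

    for entry in (request.get("logging") or {}).get("clusterLogging", []):
        if entry.get("enabled") is False:
            for log_type in sorted(MUST_KEEP_LOGS & set(entry.get("types", []))):
                findings.append(("LOG_EXPORT_DISABLED", log_type))
    return findings


# Constructed sample requests, one concern per request.
OPEN_ENDPOINT = {
    "name": "demo",
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
}
RESTRICTED_ENDPOINT = {
    "name": "demo",
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.0/24"],
    },
}
LOGS_OFF = {
    "name": "demo",
    "logging": {"clusterLogging": [{"types": ["audit", "scheduler"], "enabled": False}]},
}
LOGS_ON = {
    "name": "demo",
    "logging": {"clusterLogging": [{"types": ["api", "audit", "authenticator"], "enabled": True}]},
}

if __name__ == "__main__":
    for sample in (OPEN_ENDPOINT, RESTRICTED_ENDPOINT, LOGS_OFF, LOGS_ON):
        print(review_update_cluster_config(sample))
```
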

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      An object representing an asynchronous update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --

UpdateClusterVersion (updated)
Changes (response)
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Updates an Amazon EKS cluster to the specified Kubernetes version. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with the DescribeUpdate API operation.

Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful ), the cluster status moves to Active .

If your cluster has managed node groups attached to it, all of your node groups’ Kubernetes versions must match the cluster’s Kubernetes version in order to update the cluster to a new Kubernetes version.

See also: AWS API Documentation

Request Syntax

client.update_cluster_version(
    name='string',
    version='string',
    clientRequestToken='string'
)

type name

string

param name

[REQUIRED]

The name of the Amazon EKS cluster to update.

type version

string

param version

[REQUIRED]

The desired Kubernetes version following a successful update.

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      The full description of the specified update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --
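Every update call on this page returns the same asynchronous update object, and the update ID is what DescribeUpdate tracks. The sketch below is an added example, not part of the AWS reference: it polls describe_update until the status is terminal, returns the update on Successful, and raises with the errors list flattened on Failed or Cancelled. `ScriptedEks`, the poll interval, the poll limit and the sample update objects are constructed for illustration.

```python
import time


def summarize_errors(update):
    """Flatten the errors list of an update into one line for logs or tickets."""
    parts = []
    for err in update.get("errors", []):
        ids = ",".join(err.get("resourceIds", [])) or "-"
        parts.append(
            f"{err.get('errorCode', 'Unknown')} [{ids}] {err.get('errorMessage', '')}".strip()
        )
    return "; ".join(parts) or "no error detail returned"


def params_of(update):
    """Map each params entry's type to its value, e.g. to record what an update changed."""
    return {p["type"]: p["value"] for p in update.get("params", [])}


class UpdateFailed(Exception):
    def __init__(self, update):
        self.update = update
        super().__init__(
            f"update {update['id']} ended as {update['status']}: {summarize_errors(update)}"
        )


def wait_for_update(client, cluster_name, update_id, addon_name=None,
                    nodegroup_name=None, poll_seconds=15, max_polls=120,
                    sleep=time.sleep):
    """Poll DescribeUpdate until the update leaves InProgress."""
    kwargs = {"name": cluster_name, "updateId": update_id}
    if addon_name:
        kwargs["addonName"] = addon_name
    if nodegroup_name:
        kwargs["nodegroupName"] = nodegroup_name
    for _ in range(max_polls):
        update = client.describe_update(**kwargs)["update"]
        if update["status"] == "Successful":
            return update
        if update["status"] in ("Failed", "Cancelled"):
            raise UpdateFailed(update)
        sleep(poll_seconds)
    raise TimeoutError(f"update {update_id} still InProgress after {max_polls} polls")


class ScriptedEks:
    """Constructed stand-in for the EKS client; replays a fixed list of update objects."""

    def __init__(self, updates):
        self.updates = list(updates)
        self.calls = []

    def describe_update(self, **kw):
        self.calls.append(dict(kw))
        if len(self.updates) > 1:
            return {"update": self.updates.pop(0)}
        return {"update": self.updates[0]}


if __name__ == "__main__":
    client = ScriptedEks([
        {"id": "u-1", "status": "InProgress", "type": "AddonUpdate", "params": []},
        {"id": "u-1", "status": "Successful", "type": "AddonUpdate",
         "params": [{"type": "PodIdentityAssociations", "value": "[]"}]},
    ])
    done = wait_for_update(client, "demo", "u-1", addon_name="vpc-cni", sleep=lambda s: None)
    print(done["status"], params_of(done))
```
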

UpdateNodegroupConfig (updated)
Changes (response)
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Updates an Amazon EKS managed node group configuration. Your node group continues to function during the update. The response output includes an update ID that you can use to track the status of your node group update with the DescribeUpdate API operation. Currently you can update the Kubernetes labels for a node group or the scaling configuration.

See also: AWS API Documentation

Request Syntax

client.update_nodegroup_config(
    clusterName='string',
    nodegroupName='string',
    labels={
        'addOrUpdateLabels': {
            'string': 'string'
        },
        'removeLabels': [
            'string',
        ]
    },
    taints={
        'addOrUpdateTaints': [
            {
                'key': 'string',
                'value': 'string',
                'effect': 'NO_SCHEDULE'|'NO_EXECUTE'|'PREFER_NO_SCHEDULE'
            },
        ],
        'removeTaints': [
            {
                'key': 'string',
                'value': 'string',
                'effect': 'NO_SCHEDULE'|'NO_EXECUTE'|'PREFER_NO_SCHEDULE'
            },
        ]
    },
    scalingConfig={
        'minSize': 123,
        'maxSize': 123,
        'desiredSize': 123
    },
    updateConfig={
        'maxUnavailable': 123,
        'maxUnavailablePercentage': 123
    },
    clientRequestToken='string'
)

type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type nodegroupName

string

param nodegroupName

[REQUIRED]

The name of the managed node group to update.

type labels

dict

param labels

The Kubernetes labels to apply to the nodes in the node group after the update.

  • addOrUpdateLabels (dict) --

    The Kubernetes labels to add or update.

    • (string) --

      • (string) --

  • removeLabels (list) --

    The Kubernetes labels to remove.

    • (string) --

type taints

dict

param taints

The Kubernetes taints to be applied to the nodes in the node group after the update. For more information, see Node taints on managed node groups.

  • addOrUpdateTaints (list) --

    Kubernetes taints to be added or updated.

    • (dict) --

      A property that allows a node to repel a Pod . For more information, see Node taints on managed node groups in the Amazon EKS User Guide .

      • key (string) --

        The key of the taint.

      • value (string) --

        The value of the taint.

      • effect (string) --

        The effect of the taint.

  • removeTaints (list) --

    Kubernetes taints to remove.

    • (dict) --

      A property that allows a node to repel a Pod. For more information, see Node taints on managed node groups in the Amazon EKS User Guide.

      • key (string) --

        The key of the taint.

      • value (string) --

        The value of the taint.

      • effect (string) --

        The effect of the taint.

type scalingConfig

dict

param scalingConfig

The scaling configuration details for the Auto Scaling group after the update.

  • minSize (integer) --

    The minimum number of nodes that the managed node group can scale in to.

  • maxSize (integer) --

    The maximum number of nodes that the managed node group can scale out to. For information about the maximum number that you can specify, see Amazon EKS service quotas in the Amazon EKS User Guide.

  • desiredSize (integer) --

    The current number of nodes that the managed node group should maintain.

    Warning

    If you use the Kubernetes Cluster Autoscaler, you shouldn't change the desiredSize value directly, as this can cause the Cluster Autoscaler to suddenly scale up or scale down.

    Whenever this parameter changes, the number of worker nodes in the node group is updated to the specified size. If this parameter is given a value that is smaller than the current number of running worker nodes, the necessary number of worker nodes are terminated to match the given value. When using CloudFormation, no action occurs if you remove this parameter from your CFN template.

    This parameter can be different from minSize in some cases, such as when starting with extra hosts for testing. This parameter can also be different when you want to start with an estimated number of needed hosts, but let the Cluster Autoscaler reduce the number if there are too many. When the Cluster Autoscaler is used, the desiredSize parameter is altered by the Cluster Autoscaler (but can be out-of-date for short periods of time). The Cluster Autoscaler doesn't scale a managed node group lower than minSize or higher than maxSize.

type updateConfig

dict

param updateConfig

The node group update configuration.

  • maxUnavailable (integer) --

    The maximum number of nodes unavailable at once during a version update. Nodes are updated in parallel. This value or maxUnavailablePercentage is required to have a value. The maximum number is 100.

  • maxUnavailablePercentage (integer) --

    The maximum percentage of nodes unavailable during a version update. This percentage of nodes are updated in parallel, up to 100 nodes at once. This value or maxUnavailable is required to have a value.

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      An object representing an asynchronous update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --

UpdateNodegroupVersion (updated)
Changes (response)
{'update': {'params': {'type': {'PodIdentityAssociations'}}}}

Updates the Kubernetes version or AMI version of an Amazon EKS managed node group.

You can update a node group using a launch template only if the node group was originally deployed with a launch template. If you need to update a custom AMI in a node group that was deployed with a launch template, then update your custom AMI, specify the new ID in a new version of the launch template, and then update the node group to the new version of the launch template.

If you update without a launch template, then you can update to the latest available AMI version of a node group's current Kubernetes version by not specifying a Kubernetes version in the request. You can update to the latest AMI version of your cluster's current Kubernetes version by specifying your cluster's Kubernetes version in the request. For information about Linux versions, see Amazon EKS optimized Amazon Linux AMI versions in the Amazon EKS User Guide. For information about Windows versions, see Amazon EKS optimized Windows AMI versions in the Amazon EKS User Guide.

You cannot roll back a node group to an earlier Kubernetes version or AMI version.

When a node in a managed node group is terminated due to a scaling action or update, every Pod on that node is drained first. Amazon EKS attempts to drain the nodes gracefully and will fail if it is unable to do so. You can force the update if Amazon EKS is unable to drain the nodes as a result of a Pod disruption budget issue.

See also: AWS API Documentation

Request Syntax

client.update_nodegroup_version(
    clusterName='string',
    nodegroupName='string',
    version='string',
    releaseVersion='string',
    launchTemplate={
        'name': 'string',
        'version': 'string',
        'id': 'string'
    },
    force=True|False,
    clientRequestToken='string'
)
type clusterName

string

param clusterName

[REQUIRED]

The name of your cluster.

type nodegroupName

string

param nodegroupName

[REQUIRED]

The name of the managed node group to update.

type version

string

param version

The Kubernetes version to update to. If no version is specified, then the Kubernetes version of the node group does not change. You can specify the Kubernetes version of the cluster to update the node group to the latest AMI version of the cluster's Kubernetes version. If you specify launchTemplate, and your launch template uses a custom AMI, then don't specify version, or the node group update will fail. For more information about using launch templates with Amazon EKS, see Customizing managed nodes with launch templates in the Amazon EKS User Guide.

type releaseVersion

string

param releaseVersion

The AMI version of the Amazon EKS optimized AMI to use for the update. By default, the latest available AMI version for the node group's Kubernetes version is used. For information about Linux versions, see Amazon EKS optimized Amazon Linux AMI versions in the Amazon EKS User Guide. Amazon EKS managed node groups support the November 2022 and later releases of the Windows AMIs. For information about Windows versions, see Amazon EKS optimized Windows AMI versions in the Amazon EKS User Guide.

If you specify launchTemplate, and your launch template uses a custom AMI, then don't specify releaseVersion, or the node group update will fail. For more information about using launch templates with Amazon EKS, see Customizing managed nodes with launch templates in the Amazon EKS User Guide.

type launchTemplate

dict

param launchTemplate

An object representing a node group's launch template specification. You can only update a node group using a launch template if the node group was originally deployed with a launch template.

  • name (string) --

    The name of the launch template.

    You must specify either the launch template name or the launch template ID in the request, but not both.

  • version (string) --

    The version number of the launch template to use. If no version is specified, then the template's default version is used.

  • id (string) --

    The ID of the launch template.

    You must specify either the launch template ID or the launch template name in the request, but not both.

type force

boolean

param force

Force the update if any Pod on the existing node group can't be drained due to a Pod disruption budget issue. If an update fails because all Pods can't be drained, you can force the update after it fails to terminate the old node whether or not any Pod is running on the node.

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{
    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
            {
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
            },
        ],
        'createdAt': datetime(2015, 1, 1),
        'errors': [
            {
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • update (dict) --

      An object representing an asynchronous update.

      • id (string) --

        A UUID that is used to track the update.

      • status (string) --

        The current status of the update.

      • type (string) --

        The type of the update.

      • params (list) --

        A key-value map that contains the parameters associated with the update.

        • (dict) --

          An object representing the details of an update request.

          • type (string) --

            The keys associated with an update request.

          • value (string) --

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) --

        The Unix epoch timestamp at object creation.

      • errors (list) --

        Any errors associated with a Failed update.

        • (dict) --

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) --

            A brief description of the error.

            • SubnetNotFound : We couldn't find one of the subnets associated with the cluster.

            • SecurityGroupNotFound : We couldn't find one of the security groups associated with the cluster.

            • EniLimitReached : You have reached the elastic network interface limit for your account.

            • IpNotAvailable : A subnet associated with the cluster doesn't have any available IP addresses.

            • AccessDenied : You don't have permissions to perform the specified operation.

            • OperationNotPermitted : The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.

            • VpcIdNotFound : We couldn't find the VPC associated with the cluster.

          • errorMessage (string) --

            A more complete description of the error.

          • resourceIds (list) --

            An optional field that contains the resource IDs associated with the error.

            • (string) --
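The graceful-then-forced flow described for `force` above, as an added Python example that is not part of the AWS documentation. `StubNodegroupClient` and its data are constructed so the code runs offline; the `custom_ami` flag, the `allow_force` gate and treating `PodEvictionFailure` as the drain-failure code are assumptions of this example.

```python
import time

TERMINAL = {"Failed", "Cancelled", "Successful"}  # every status except InProgress

def build_request(cluster, nodegroup, *, version=None, release_version=None,
                  launch_template=None, custom_ami=False, force=False):
    """Build update_nodegroup_version kwargs, enforcing the documented rules."""
    req = {"clusterName": cluster, "nodegroupName": nodegroup}
    if launch_template is not None:
        if ("name" in launch_template) == ("id" in launch_template):
            raise ValueError("launchTemplate needs exactly one of name or id")
        # custom_ami is caller-supplied knowledge (assumption of this example).
        if custom_ami and (version or release_version):
            raise ValueError("custom AMI: omit version and releaseVersion")
        req["launchTemplate"] = dict(launch_template)
    if version:
        req["version"] = version
    if release_version:
        req["releaseVersion"] = release_version
    if force:
        req["force"] = True
    return req

def wait_for_update(client, cluster, nodegroup, update_id, poll=15, sleep=time.sleep):
    """Poll describe_update until the asynchronous update leaves InProgress."""
    while True:
        upd = client.describe_update(name=cluster, updateId=update_id,
                                     nodegroupName=nodegroup)["update"]
        if upd["status"] in TERMINAL:
            return upd
        sleep(poll)

def update_nodegroup(client, cluster, nodegroup, *, allow_force=False, **opts):
    """Try a graceful update; force only after a drain-only failure, if allowed."""
    def run(force):
        req = build_request(cluster, nodegroup, force=force, **opts)
        upd = client.update_nodegroup_version(**req)["update"]
        return wait_for_update(client, cluster, nodegroup, upd["id"])
    result = run(force=False)
    codes = {e["errorCode"] for e in result.get("errors", [])}
    # Assumption: PodEvictionFailure is the code reported when Pods can't be drained.
    if allow_force and result["status"] == "Failed" and codes == {"PodEvictionFailure"}:
        result = run(force=True)  # terminates old nodes whether or not Pods still run
    return result

class StubNodegroupClient:
    """Constructed stand-in for boto3.client("eks"): the first update fails to drain."""
    def __init__(self):
        self.requests = []
    def update_nodegroup_version(self, **kwargs):
        self.requests.append(kwargs)
        return {"update": {"id": f"u{len(self.requests)}", "status": "InProgress"}}
    def describe_update(self, name, updateId, nodegroupName):
        if updateId == "u1":
            return {"update": {"id": updateId, "status": "Failed", "errors": [
                {"errorCode": "PodEvictionFailure", "errorMessage": "constructed"}]}}
        return {"update": {"id": updateId, "status": "Successful", "errors": []}}
```

Leaving `allow_force` off by default keeps a forced node termination an explicit operator decision rather than an automatic retry.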

UpdatePodIdentityAssociation (updated)
Changes (response)
{'association': {'ownerArn': 'string'}}

Updates an EKS Pod Identity association. Only the IAM role can be changed; an association can't be moved between clusters, namespaces, or service accounts. If you need to edit the namespace or service account, you need to delete the association and then create a new association with your desired settings.

See also: AWS API Documentation

Request Syntax

client.update_pod_identity_association(
    clusterName='string',
    associationId='string',
    roleArn='string',
    clientRequestToken='string'
)
type clusterName

string

param clusterName

[REQUIRED]

The name of the cluster that you want to update the association in.

type associationId

string

param associationId

[REQUIRED]

The ID of the association to be updated.

type roleArn

string

param roleArn

The new IAM role to change the

type clientRequestToken

string

param clientRequestToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{
    'association': {
        'clusterName': 'string',
        'namespace': 'string',
        'serviceAccount': 'string',
        'roleArn': 'string',
        'associationArn': 'string',
        'associationId': 'string',
        'tags': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'ownerArn': 'string'
    }
}

Response Structure

  • (dict) --

    • association (dict) --

      The full description of the EKS Pod Identity association that was updated.

      • clusterName (string) --

        The name of the cluster that the association is in.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the association.

      • associationId (string) --

        The ID of the association.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        The following basic restrictions apply to tags:

        • Maximum number of tags per resource – 50

        • For each resource, each tag key must be unique, and each tag key can have only one value.

        • Maximum key length – 128 Unicode characters in UTF-8

        • Maximum value length – 256 Unicode characters in UTF-8

        • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

        • Tag keys and values are case-sensitive.

        • Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values, as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

        • (string) --

          One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

      • createdAt (datetime) --

        The timestamp that the association was created at.

      • modifiedAt (datetime) --

        The most recent timestamp that the association was modified at.

      • ownerArn (string) --

        If defined, the Pod Identity Association is owned by an Amazon EKS Addon.
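A guarded role change built on the fields documented above, as an added Python example that is not part of the AWS documentation. The stub client, ARNs and association IDs are constructed; refusing add-on owned associations (those with `ownerArn`) and requiring an allow-list of reviewed roles are policies assumed by this example, not rules stated by the API.

```python
def change_association_role(client, cluster, association_id, new_role_arn, allowed_roles):
    """Swap the IAM role on a Pod Identity association with pre- and post-checks."""
    before = client.describe_pod_identity_association(
        clusterName=cluster, associationId=association_id)["association"]
    if before.get("ownerArn"):
        # Example policy: leave associations owned by an EKS add-on to the add-on.
        raise PermissionError(f"association is owned by {before['ownerArn']}")
    if new_role_arn not in allowed_roles:
        raise PermissionError("role is not on the reviewed allow-list")
    if before["roleArn"] == new_role_arn:
        return None  # nothing to change, nothing to audit
    after = client.update_pod_identity_association(
        clusterName=cluster, associationId=association_id,
        roleArn=new_role_arn)["association"]
    # Only the role can change; the binding to namespace/service account must not.
    for field in ("clusterName", "namespace", "serviceAccount", "associationId"):
        if after[field] != before[field]:
            raise RuntimeError(f"unexpected change in {field}")
    if after["roleArn"] != new_role_arn:
        raise RuntimeError("role was not applied")
    # Audit record: which workload identity moved from which role to which.
    return {"associationId": association_id, "namespace": after["namespace"],
            "serviceAccount": after["serviceAccount"],
            "oldRoleArn": before["roleArn"], "newRoleArn": after["roleArn"]}

class StubAssociationClient:
    """Constructed stand-in for boto3.client("eks"), holding associations in memory."""
    def __init__(self, associations):
        self.assoc = {a["associationId"]: dict(a) for a in associations}
    def describe_pod_identity_association(self, clusterName, associationId):
        return {"association": dict(self.assoc[associationId])}
    def update_pod_identity_association(self, clusterName, associationId, roleArn):
        self.assoc[associationId]["roleArn"] = roleArn
        return {"association": dict(self.assoc[associationId])}

# Constructed sample data: one ordinary association, one owned by an add-on.
ROLE_A = "arn:aws:iam::111122223333:role/app-read"
ROLE_B = "arn:aws:iam::111122223333:role/app-read-v2"
SAMPLE = [
    {"clusterName": "demo", "namespace": "payments", "serviceAccount": "api",
     "roleArn": ROLE_A, "associationId": "a-constructed1"},
    {"clusterName": "demo", "namespace": "kube-system", "serviceAccount": "addon-sa",
     "roleArn": ROLE_A, "associationId": "a-constructed2",
     "ownerArn": "arn:aws:eks:us-west-2:111122223333:addon/demo/example/constructed"},
]

if __name__ == "__main__":
    stub = StubAssociationClient(SAMPLE)
    print(change_association_role(stub, "demo", "a-constructed1", ROLE_B, {ROLE_B}))
```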