Kubernetes Cluster API Provider AWS

NamePrefix will be prepended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to “”.

NameSuffix will be appended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to “.cluster-api-provider-aws.sigs.k8s.io”.

ControlPlane controls the configuration of the AWS IAM role for a Kubernetes cluster’s control plane nodes.

ClusterAPIControllers controls the configuration of an IAM role and policy specifically for Kubernetes Cluster API Provider AWS.

Nodes controls the configuration of the AWS IAM role for all nodes in a Kubernetes cluster.

BootstrapUser contains a list of elements that is specific to the configuration and enablement of an IAM user.

StackName defines the name of the AWS CloudFormation stack.

Region controls which region the control-plane is created in if not specified on the command line or via environment variables.

EKS controls the configuration related to EKS. Settings in here affect the control plane and nodes roles

EventBridge controls configuration for consuming EventBridge events

Partition is the AWS security partition being used. Defaults to “aws”

SecureSecretsBackend, when set to parameter-store will create AWS Systems Manager Parameter Storage policies. By default or with the value of secrets-manager, will generate AWS Secrets Manager policies instead.

Disable if set to true will not create the AWS IAM role. Defaults to false.

ExtraPolicyAttachments is a list of additional policies to be attached to the IAM role.

ExtraStatements are additional IAM statements to be included inline for the role.

TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role. See “sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/iam/v1beta1” for more documentation.

Tags is a map of tags to be applied to the AWS IAM role.

Enable controls whether or not a bootstrap AWS IAM user will be created. This can be used to scope down the initial credentials used to bootstrap the cluster. Defaults to false.

UserName controls the username of the bootstrap user. Defaults to “bootstrapper.cluster-api-provider-aws.sigs.k8s.io”

GroupName controls the group the user will belong to. Defaults to “bootstrapper.cluster-api-provider-aws.sigs.k8s.io”

ExtraPolicyAttachments is a list of additional policies to be attached to the IAM user.

ExtraGroups is a list of groups to add this user to.

ExtraStatements are additional AWS IAM policy document statements to be included inline for the user.

Tags is a map of tags to be applied to the AWS IAM user.

(Members of AWSIAMRoleSpec are embedded into this type.)

AllowedEC2InstanceProfiles controls which EC2 roles are allowed to be consumed by Cluster API when creating an ec2 instance. Defaults to *., where suffix is defaulted to .cluster-api-provider-aws.sigs.k8s.io

(Members of AWSIAMRoleSpec are embedded into this type.)

DisableClusterAPIControllerPolicyAttachment, if set to true, will not attach the AWS IAM policy for Cluster API Provider AWS to the control plane role. Defaults to false.

DisableCloudProviderPolicy if set to true, will not generate and attach the AWS IAM policy for the AWS Cloud Provider.

EnableCSIPolicy if set to true, will generate and attach the AWS IAM policy for the EBS CSI Driver.

Disable controls whether EKS-related permissions are granted

AllowIAMRoleCreation controls whether the EKS controllers have permissions for creating IAM roles per cluster

EnableUserEKSConsolePolicy controls the creation of the policy to view EKS nodes and workloads.

DefaultControlPlaneRole controls the configuration of the AWS IAM role for the EKS control plane. This is the default role that will be used if no role is included in the spec and automatic creation of the role isn’t enabled

ManagedMachinePool controls the configuration of the AWS IAM role for used by EKS managed machine pools.

Fargate controls the configuration of the AWS IAM role for used by EKS managed machine pools.

KMSAliasPrefix is prefix to use to restrict permission to KMS keys to only those that have an alias name that is prefixed by this. Defaults to cluster-api-provider-aws-*

Enable controls whether permissions are granted to consume EC2 events

(Members of AWSIAMRoleSpec are embedded into this type.)

DisableCloudProviderPolicy if set to true, will not generate and attach the policy for the AWS Cloud Provider. Defaults to false.

EC2ContainerRegistryReadOnly controls whether the node has read-only access to the EC2 container registry

NamePrefix will be prepended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to “”.

NameSuffix will be appended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to “.cluster-api-provider-aws.sigs.k8s.io”.

ControlPlane controls the configuration of the AWS IAM role for a Kubernetes cluster’s control plane nodes.

ClusterAPIControllers controls the configuration of an IAM role and policy specifically for Kubernetes Cluster API Provider AWS.

Nodes controls the configuration of the AWS IAM role for all nodes in a Kubernetes cluster.

BootstrapUser contains a list of elements that is specific to the configuration and enablement of an IAM user.

StackName defines the name of the AWS CloudFormation stack.

StackTags defines the tags of the AWS CloudFormation stack.

Region controls which region the control-plane is created in if not specified on the command line or via environment variables.

EKS controls the configuration related to EKS. Settings in here affect the control plane and nodes roles

EventBridge controls configuration for consuming EventBridge events

Partition is the AWS security partition being used. Defaults to “aws”

SecureSecretsBackend, when set to parameter-store will create AWS Systems Manager Parameter Storage policies. By default or with the value of secrets-manager, will generate AWS Secrets Manager policies instead.

S3Buckets, when enabled, will add controller nodes permissions to create S3 Buckets for workload clusters. TODO: This field could be a pointer, but it seems it breaks setting default values?

AllowAssumeRole enables the sts:AssumeRole permission within the CAPA policies

Disable if set to true will not create the AWS IAM role. Defaults to false.

ExtraPolicyAttachments is a list of additional policies to be attached to the IAM role.

ExtraStatements are additional IAM statements to be included inline for the role.

Path sets the path to the role.

PermissionsBoundary sets the ARN of the managed policy that is used to set the permissions boundary for the role.

TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role. See “sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/iam/v1beta1” for more documentation.

Tags is a map of tags to be applied to the AWS IAM role.

Enable controls whether or not a bootstrap AWS IAM user will be created. This can be used to scope down the initial credentials used to bootstrap the cluster. Defaults to false.

UserName controls the username of the bootstrap user. Defaults to “bootstrapper.cluster-api-provider-aws.sigs.k8s.io”

GroupName controls the group the user will belong to. Defaults to “bootstrapper.cluster-api-provider-aws.sigs.k8s.io”

ExtraPolicyAttachments is a list of additional policies to be attached to the IAM user.

ExtraGroups is a list of groups to add this user to.

ExtraStatements are additional AWS IAM policy document statements to be included inline for the user.

Tags is a map of tags to be applied to the AWS IAM user.

(Members of AWSIAMRoleSpec are embedded into this type.)

AllowedEC2InstanceProfiles controls which EC2 roles are allowed to be consumed by Cluster API when creating an ec2 instance. Defaults to *., where suffix is defaulted to .cluster-api-provider-aws.sigs.k8s.io

(Members of AWSIAMRoleSpec are embedded into this type.)

DisableClusterAPIControllerPolicyAttachment, if set to true, will not attach the AWS IAM policy for Cluster API Provider AWS to the control plane role. Defaults to false.

DisableCloudProviderPolicy if set to true, will not generate and attach the AWS IAM policy for the AWS Cloud Provider.

EnableCSIPolicy if set to true, will generate and attach the AWS IAM policy for the EBS CSI Driver.

Disable controls whether EKS-related permissions are granted

AllowIAMRoleCreation controls whether the EKS controllers have permissions for creating IAM roles per cluster

EnableUserEKSConsolePolicy controls the creation of the policy to view EKS nodes and workloads.

DefaultControlPlaneRole controls the configuration of the AWS IAM role for the EKS control plane. This is the default role that will be used if no role is included in the spec and automatic creation of the role isn’t enabled

ManagedMachinePool controls the configuration of the AWS IAM role for used by EKS managed machine pools.

Fargate controls the configuration of the AWS IAM role for used by EKS managed machine pools.

KMSAliasPrefix is prefix to use to restrict permission to KMS keys to only those that have an alias name that is prefixed by this. Defaults to cluster-api-provider-aws-*

Enable controls whether permissions are granted to consume EC2 events

(Members of AWSIAMRoleSpec are embedded into this type.)

DisableCloudProviderPolicy if set to true, will not generate and attach the policy for the AWS Cloud Provider. Defaults to false.

EC2ContainerRegistryReadOnly controls whether the node has read-only access to the EC2 container registry

Enable controls whether permissions are granted to manage S3 buckets.

NamePrefix will be prepended to every AWS IAM role bucket name. Defaults to “cluster-api-provider-aws-”. AWSCluster S3 Bucket name must be prefixed with the same prefix.

KubeletExtraArgs passes the specified kubelet args into the Amazon EKS machine bootstrap script

ContainerRuntime specify the container runtime to use when bootstrapping EKS.

DNSClusterIP overrides the IP address to use for DNS queries within the cluster.

DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. This is expected to be a json string.

APIRetryAttempts is the number of retry attempts for AWS API call.

PauseContainer allows customization of the pause container to use.

UseMaxPods sets –max-pods for the kubelet when true.

ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then the ip family will be set to ipv6.

Ready indicates the BootstrapData secret is ready to be consumed

DataSecretName is the name of the secret that stores the bootstrap data script.

FailureReason will be set on non-retryable errors

FailureMessage will be set on non-retryable errors

ObservedGeneration is the latest generation observed by the controller.

Conditions defines current service state of the EKSConfig.

AccountNumber is the AWS account number to pull the pause container from.

Version is the tag of the pause container to use.

Partitions specifies the list of the partitions to setup.

Filesystems specifies the list of file systems to setup.

KubeletExtraArgs passes the specified kubelet args into the Amazon EKS machine bootstrap script

ContainerRuntime specify the container runtime to use when bootstrapping EKS.

DNSClusterIP overrides the IP address to use for DNS queries within the cluster.

DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. This is expected to be a json string.

APIRetryAttempts is the number of retry attempts for AWS API call.

PauseContainer allows customization of the pause container to use.

UseMaxPods sets –max-pods for the kubelet when true.

ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then the ip family will be set to ipv6.

PreBootstrapCommands specifies extra commands to run before bootstrapping nodes to the cluster

PostBootstrapCommands specifies extra commands to run after bootstrapping nodes to the cluster

BootstrapCommandOverride allows you to override the bootstrap command to use for EKS nodes.

Files specifies extra files to be passed to user_data upon creation.

DiskSetup specifies options for the creation of partition tables and file systems on devices.

Mounts specifies a list of mount points to be setup.

Users specifies extra users to add

NTP specifies NTP configuration

Ready indicates the BootstrapData secret is ready to be consumed

DataSecretName is the name of the secret that stores the bootstrap data script.

FailureReason will be set on non-retryable errors

FailureMessage will be set on non-retryable errors

ObservedGeneration is the latest generation observed by the controller.

Conditions defines current service state of the EKSConfig.

"base64"

Base64 implies the contents of the file are encoded as base64.

"gzip"

Gzip implies the contents of the file are encoded with gzip.

"gzip+base64"

GzipBase64 implies the contents of the file are first base64 encoded and then gzip encoded.

Path specifies the full path on disk where to store the file.

Owner specifies the ownership of the file, e.g. “root:root”.

Permissions specifies the permissions to assign to the file, e.g. “0640”.

Encoding specifies the encoding of the file contents.

Append specifies whether to append Content to existing file if Path exists.

Content is the actual content of the file.

ContentFrom is a referenced source of content to populate the file.

Secret represents a secret that should populate this file.

Device specifies the device name

Filesystem specifies the file system type.

Label specifies the file system label to be used. If set to None, no label is used.

Partition specifies the partition to use. The valid options are: “auto|any”, “auto”, “any”, “none”, and , where NUM is the actual partition number.

Overwrite defines whether or not to overwrite any existing filesystem. If true, any pre-existing file system will be destroyed. Use with Caution.

ExtraOpts defined extra options to add to the command for creating the file system.

Servers specifies which NTP servers to use

Enabled specifies whether NTP should be enabled

Device is the name of the device.

Layout specifies the device layout. If it is true, a single partition will be created for the entire device. When layout is false, it means don’t partition or ignore existing partitioning.

Overwrite describes whether to skip checks and create the partition if a partition or filesystem is found on the device. Use with caution. Default is ‘false’.

TableType specifies the tupe of partition table. The following are supported: ‘mbr’: default and setups a MS-DOS partition table ‘gpt’: setups a GPT partition table

Secret represents a secret that should populate this password.

AccountNumber is the AWS account number to pull the pause container from.

Version is the tag of the pause container to use.

Name of the secret in the KubeadmBootstrapConfig’s namespace to use.

Key is the key in the secret’s data map for this value.

Name of the secret in the KubeadmBootstrapConfig’s namespace to use.

Key is the key in the secret’s data map for this value.

Name specifies the username

Gecos specifies the gecos to use for the user

Groups specifies the additional groups for the user

HomeDir specifies the home directory to use for the user

Inactive specifies whether to mark the user as inactive

Shell specifies the user’s shell

Passwd specifies a hashed password for the user

PasswdFrom is a referenced source of passwd to populate the passwd.

PrimaryGroup specifies the primary group for the user

LockPassword specifies if password login should be disabled

Sudo specifies a sudo role for the user

SSHAuthorizedKeys specifies a list of ssh authorized keys for the user

EKSClusterName allows you to specify the name of the EKS cluster in AWS. If you don’t specify a name then a default name will be created based on the namespace and name of the managed control plane.

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. If no identity is specified, the default identity for this controller will be used.

NetworkSpec encapsulates all things related to AWS network.

SecondaryCidrBlock is the additional CIDR range to use for pod IPs. Must be within the 100.64.0.0/10 or 198.19.0.0/16 range.

The AWS Region the cluster lives in.

SSHKeyName is the name of the ssh key to attach to the bastion host. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)

Version defines the desired Kubernetes version. If no version number is supplied then the latest version of Kubernetes that EKS supports will be used.

RoleName specifies the name of IAM role that gives EKS permission to make API calls. If the role is pre-existing we will treat it as unmanaged and not delete it on deletion. If the EKSEnableIAM feature flag is true and no name is supplied then a role is created.

RoleAdditionalPolicies allows you to attach additional polices to the control plane role. You must enable the EKSAllowAddRoles feature flag to incorporate these into the created role.

Logging specifies which EKS Cluster logs should be enabled. Entries for each of the enabled logs will be sent to CloudWatch

EncryptionConfig specifies the encryption configuration for the cluster

AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the ones added by default.

IAMAuthenticatorConfig allows the specification of any additional user or role mappings for use when generating the aws-iam-authenticator configuration. If this is nil the default configuration is still generated for the cluster.

Endpoints specifies access to this cluster’s control plane endpoints

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

ImageLookupFormat is the AMI naming format to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupOrg. Supports substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base OS and kubernetes version, respectively. The BaseOS will be the value in ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as defined by the packages produced by kubernetes/release without v as a prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See also: https://golang.org/pkg/text/template/

ImageLookupOrg is the AWS Organization ID to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupOrg.

ImageLookupBaseOS is the name of the base operating system used to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupBaseOS.

Bastion contains options to configure the bastion host.

TokenMethod is used to specify the method for obtaining a client token for communicating with EKS iam-authenticator - obtains a client token using iam-authentictor aws-cli - obtains a client token using the AWS CLI Defaults to iam-authenticator

AssociateOIDCProvider can be enabled to automatically create an identity provider for the controller for use with IAM roles for service accounts

Addons defines the EKS addons to enable with the EKS cluster.

IdentityProviderconfig is used to specify the oidc provider config to be attached with this eks cluster

DisableVPCCNI indicates that the Amazon VPC CNI should be disabled. With EKS clusters the Amazon VPC CNI is automatically installed into the cluster. For clusters where you want to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI should be deleted. You cannot set this to true if you are using the Amazon VPC CNI addon.

VpcCni is used to set configuration options for the VPC CNI plugin

KubeProxy defines managed attributes of the kube-proxy daemonset

Networks holds details about the AWS networking resources used by the control plane

FailureDomains specifies a list fo available availability zones that can be used

Bastion holds details of the instance that is used as a bastion jump box

OIDCProvider holds the status of the identity provider for this cluster

ExternalManagedControlPlane indicates to cluster-api that the control plane is managed by an external service such as AKS, EKS, GKE, etc.

Initialized denotes whether or not the control plane has the uploaded kubernetes config-map.

Ready denotes that the AWSManagedControlPlane API Server is ready to receive requests and that the VPC infra is ready.

ErrorMessage indicates that there is a terminal problem reconciling the state, and will be set to a descriptive error message.

Conditions specifies the cpnditions for the managed control plane

Addons holds the current status of the EKS addons

IdentityProviderStatus holds the status for associated identity provider

Name is the name of the addon

Version is the version of the addon to use

Configuration of the EKS addon

ConflictResolution is used to declare what should happen if there are parameter conflicts. Defaults to none

ServiceAccountRoleArn is the ARN of an IAM role to bind to the addons service account

PreserveOnDelete indicates that the addon resources should be preserved in the cluster on delete.

Code is the issue code

Message is the textual description of the issue

ResourceIDs is a list of resource ids for the issue

Name is the name of the addon

Version is the version of the addon to use

ARN is the AWS ARN of the addon

ServiceAccountRoleArn is the ARN of the IAM role used for the service account

CreatedAt is the date and time the addon was created at

ModifiedAt is the date and time the addon was last modified

Status is the status of the addon

Issues is a list of issue associated with the addon

APIServer indicates if the Kubernetes API Server log (kube-apiserver) shoulkd be enabled

Audit indicates if the Kubernetes API audit log should be enabled

Authenticator indicates if the iam authenticator log should be enabled

ControllerManager indicates if the controller manager (kube-controller-manager) log should be enabled

Scheduler indicates if the Kubernetes scheduler (kube-scheduler) log should be enabled

Provider specifies the ARN or alias of the CMK (in AWS KMS)

Resources specifies the resources to be encrypted

Public controls whether control plane endpoints are publicly accessible

PublicCIDRs specifies which blocks can access the public endpoint

Private points VPC-internal control plane access to the private endpoint

RoleMappings is a list of role mappings

UserMappings is a list of user mappings

ARN holds the ARN of associated identity provider

Status holds current status of associated identity provider

Disable set to true indicates that kube-proxy should be disabled. With EKS clusters kube-proxy is automatically installed into the cluster. For clusters where you want to use kube-proxy functionality that is provided with an alternate CNI, this option provides a way to specify that the kube-proxy daemonset should be deleted. You cannot set this to true if you are using the Amazon kube-proxy addon.

UserName is a kubernetes RBAC user subject

Groups is a list of kubernetes RBAC groups

This is also known as audience. The ID for the client application that makes authentication requests to the OpenID identity provider.

The JWT claim that the provider uses to return your groups.

The prefix that is prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the valueoidc: will create group names like oidc:engineering and oidc:infra.

The name of the OIDC provider configuration.

IdentityProviderConfigName is a required field

The URL of the OpenID identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with https:// and should correspond to the iss claim in the provider’s OIDC ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. This URL should point to the level below .well-known/openid-configuration and must be publicly accessible over the internet.

The key value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see Amazon EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html) in the Amazon EKS User Guide.

The JSON Web Token (JWT) claim to use as the username. The default is sub, which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name, depending on the OpenID identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes with other plug-ins.

The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and username is a value other than email, the prefix defaults to issuerurl#. You can use the value - to disable all prefixing.

tags to apply to oidc identity provider association

ARN holds the ARN of the provider

TrustPolicy contains the boilerplate IAM trust policy to use for IRSA

RoleARN is the AWS ARN for the role to map

(Members of KubernetesMapping are embedded into this type.)

KubernetesMapping holds the RBAC details for the mapping

UserARN is the AWS ARN for the user to map

(Members of KubernetesMapping are embedded into this type.)

KubernetesMapping holds the RBAC details for the mapping

Env defines a list of environment variables to apply to the aws-node DaemonSet

EKSClusterName allows you to specify the name of the EKS cluster in AWS. If you don’t specify a name then a default name will be created based on the namespace and name of the managed control plane.

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. If no identity is specified, the default identity for this controller will be used.

NetworkSpec encapsulates all things related to AWS network.

SecondaryCidrBlock is the additional CIDR range to use for pod IPs. Must be within the 100.64.0.0/10 or 198.19.0.0/16 range.

The AWS Region the cluster lives in.

Partition is the AWS security partition being used. Defaults to “aws”

SSHKeyName is the name of the ssh key to attach to the bastion host. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)

Version defines the desired Kubernetes version. If no version number is supplied then the latest version of Kubernetes that EKS supports will be used.

RoleName specifies the name of IAM role that gives EKS permission to make API calls. If the role is pre-existing we will treat it as unmanaged and not delete it on deletion. If the EKSEnableIAM feature flag is true and no name is supplied then a role is created.

RoleAdditionalPolicies allows you to attach additional polices to the control plane role. You must enable the EKSAllowAddRoles feature flag to incorporate these into the created role.

RolePath sets the path to the role. For more information about paths, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the IAM User Guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

RolePermissionsBoundary sets the ARN of the managed policy that is used to set the permissions boundary for the role.

A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see Permissions boundaries for IAM entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the IAM User Guide.

For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) in the IAM User Guide.

Logging specifies which EKS Cluster logs should be enabled. Entries for each of the enabled logs will be sent to CloudWatch

EncryptionConfig specifies the encryption configuration for the cluster

AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the ones added by default.

IAMAuthenticatorConfig allows the specification of any additional user or role mappings for use when generating the aws-iam-authenticator configuration. If this is nil the default configuration is still generated for the cluster.

Endpoints specifies access to this cluster’s control plane endpoints

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

ImageLookupFormat is the AMI naming format to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupOrg. Supports substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base OS and kubernetes version, respectively. The BaseOS will be the value in ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as defined by the packages produced by kubernetes/release without v as a prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See also: https://golang.org/pkg/text/template/

ImageLookupOrg is the AWS Organization ID to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupOrg.

ImageLookupBaseOS is the name of the base operating system used to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupBaseOS.

Bastion contains options to configure the bastion host.

TokenMethod is used to specify the method for obtaining a client token for communicating with EKS iam-authenticator - obtains a client token using iam-authentictor aws-cli - obtains a client token using the AWS CLI Defaults to iam-authenticator

AssociateOIDCProvider can be enabled to automatically create an identity provider for the controller for use with IAM roles for service accounts

Addons defines the EKS addons to enable with the EKS cluster.

IdentityProviderconfig is used to specify the oidc provider config to be attached with this eks cluster

AccessConfig specifies the access configuration information for the cluster

VpcCni is used to set configuration options for the VPC CNI plugin

BootstrapSelfManagedAddons is used to set configuration options for bare EKS cluster without EKS default networking addons If you set this value to false when creating a cluster, the default networking add-ons will not be installed

RestrictPrivateSubnets indicates that the EKS control plane should only use private subnets.

KubeProxy defines managed attributes of the kube-proxy daemonset

The cluster upgrade policy to use for the cluster. (Official AWS docs for this policy: https://docs.aws.amazon.com/eks/latest/userguide/view-upgrade-policy.html) extended upgrade policy indicates that the cluster will enter into extended support once the Kubernetes version reaches end of standard support. You will incur extended support charges with this setting. You can upgrade your cluster to a standard supported Kubernetes version to stop incurring extended support charges. standard upgrade policy indicates that the cluster is eligible for automatic upgrade at the end of standard support. You will not incur extended support charges with this setting but your EKS cluster will automatically upgrade to the next supported Kubernetes version in standard support. If omitted, new clusters will use the AWS default upgrade policy (which at the time of writing is “extended”) and existing clusters will have their upgrade policy unchanged.

Networks holds details about the AWS networking resources used by the control plane

FailureDomains specifies a list fo available availability zones that can be used

Bastion holds details of the instance that is used as a bastion jump box

OIDCProvider holds the status of the identity provider for this cluster

ExternalManagedControlPlane indicates to cluster-api that the control plane is managed by an external service such as AKS, EKS, GKE, etc.

Initialized denotes whether or not the control plane has the uploaded kubernetes config-map.

Ready denotes that the AWSManagedControlPlane API Server is ready to receive requests and that the VPC infra is ready.

ErrorMessage indicates that there is a terminal problem reconciling the state, and will be set to a descriptive error message.

Conditions specifies the cpnditions for the managed control plane

Addons holds the current status of the EKS addons

IdentityProviderStatus holds the status for associated identity provider

Version represents the minimum Kubernetes version for the control plane machines in the cluster.

AuthenticationMode specifies the desired authentication mode for the cluster Defaults to config_map

BootstrapClusterCreatorAdminPermissions grants cluster admin permissions to the IAM identity creating the cluster. Only applied during creation, ignored when updating existing clusters. Defaults to true.

Name is the name of the addon

Version is the version of the addon to use

Configuration of the EKS addon

ConflictResolution is used to declare what should happen if there are parameter conflicts. Defaults to overwrite

ServiceAccountRoleArn is the ARN of an IAM role to bind to the addons service account

PreserveOnDelete indicates that the addon resources should be preserved in the cluster on delete.

Code is the issue code

Message is the textual description of the issue

ResourceIDs is a list of resource ids for the issue

Name is the name of the addon

Version is the version of the addon to use

ARN is the AWS ARN of the addon

ServiceAccountRoleArn is the ARN of the IAM role used for the service account

CreatedAt is the date and time the addon was created at

ModifiedAt is the date and time the addon was last modified

Status is the status of the addon

Issues is a list of issue associated with the addon

APIServer indicates if the Kubernetes API Server log (kube-apiserver) shoulkd be enabled

Audit indicates if the Kubernetes API audit log should be enabled

Authenticator indicates if the iam authenticator log should be enabled

ControllerManager indicates if the controller manager (kube-controller-manager) log should be enabled

Scheduler indicates if the Kubernetes scheduler (kube-scheduler) log should be enabled

Provider specifies the ARN or alias of the CMK (in AWS KMS)

Resources specifies the resources to be encrypted

Public controls whether control plane endpoints are publicly accessible

PublicCIDRs specifies which blocks can access the public endpoint

Private points VPC-internal control plane access to the private endpoint

RoleMappings is a list of role mappings

UserMappings is a list of user mappings

ARN holds the ARN of associated identity provider

Status holds current status of associated identity provider

Disable set to true indicates that kube-proxy should be disabled. With EKS clusters kube-proxy is automatically installed into the cluster. For clusters where you want to use kube-proxy functionality that is provided with an alternate CNI, this option provides a way to specify that the kube-proxy daemonset should be deleted. You cannot set this to true if you are using the Amazon kube-proxy addon.

UserName is a kubernetes RBAC user subject

Groups is a list of kubernetes RBAC groups

This is also known as audience. The ID for the client application that makes authentication requests to the OpenID identity provider.

The JWT claim that the provider uses to return your groups.

The prefix that is prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the valueoidc: will create group names like oidc:engineering and oidc:infra.

The name of the OIDC provider configuration.

IdentityProviderConfigName is a required field

The URL of the OpenID identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with https:// and should correspond to the iss claim in the provider’s OIDC ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. This URL should point to the level below .well-known/openid-configuration and must be publicly accessible over the internet.

The key value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see Amazon EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html) in the Amazon EKS User Guide.

The JSON Web Token (JWT) claim to use as the username. The default is sub, which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name, depending on the OpenID identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes with other plug-ins.

The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and username is a value other than email, the prefix defaults to issuerurl#. You can use the value - to disable all prefixing.

tags to apply to oidc identity provider association

ARN holds the ARN of the provider

TrustPolicy contains the boilerplate IAM trust policy to use for IRSA

RoleARN is the AWS ARN for the role to map

(Members of KubernetesMapping are embedded into this type.)

KubernetesMapping holds the RBAC details for the mapping

UserARN is the AWS ARN for the user to map

(Members of KubernetesMapping are embedded into this type.)

KubernetesMapping holds the RBAC details for the mapping

Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the Amazon VPC CNI is automatically installed into the cluster. For clusters where you want to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI should be deleted. You cannot set this to true if you are using the Amazon VPC CNI addon.

Env defines a list of environment variables to apply to the aws-node DaemonSet

The referenced role must have a trust relationship that allows it to be assumed via web identity. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html. Example: { “Version”: “2012-10-17”, “Statement”: [ { “Effect”: “Allow”, “Principal”: { “Federated”: “{{ .ProviderARN }}” }, “Action”: “sts:AssumeRoleWithWebIdentity”, “Condition”: { “StringEquals”: { “{{ .ProviderName }}:sub”: {{ .ServiceAccounts }} } } } ] }

IngressARN is an ARN value referencing a role appropriate for the Ingress Operator.

The following is an example of a valid policy document:

{ “Version”: “2012-10-17”, “Statement”: [ { “Effect”: “Allow”, “Action”: [ “elasticloadbalancing:DescribeLoadBalancers”, “tag:GetResources”, “route53:ListHostedZones” ], “Resource”: “*” }, { “Effect”: “Allow”, “Action”: [ “route53:ChangeResourceRecordSets” ], “Resource”: [ “arn:aws:route53:::PUBLIC_ZONE_ID”, “arn:aws:route53:::PRIVATE_ZONE_ID” ] } ] }

ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator.

The following is an example of a valid policy document:

{ “Version”: “2012-10-17”, “Statement”: [ { “Effect”: “Allow”, “Action”: [ “s3:CreateBucket”, “s3:DeleteBucket”, “s3:PutBucketTagging”, “s3:GetBucketTagging”, “s3:PutBucketPublicAccessBlock”, “s3:GetBucketPublicAccessBlock”, “s3:PutEncryptionConfiguration”, “s3:GetEncryptionConfiguration”, “s3:PutLifecycleConfiguration”, “s3:GetLifecycleConfiguration”, “s3:GetBucketLocation”, “s3:ListBucket”, “s3:GetObject”, “s3:PutObject”, “s3:DeleteObject”, “s3:ListBucketMultipartUploads”, “s3:AbortMultipartUpload”, “s3:ListMultipartUploadParts” ], “Resource”: “*” } ] }

StorageARN is an ARN value referencing a role appropriate for the Storage Operator.

The following is an example of a valid policy document:

{ “Version”: “2012-10-17”, “Statement”: [ { “Effect”: “Allow”, “Action”: [ “ec2:AttachVolume”, “ec2:CreateSnapshot”, “ec2:CreateTags”, “ec2:CreateVolume”, “ec2:DeleteSnapshot”, “ec2:DeleteTags”, “ec2:DeleteVolume”, “ec2:DescribeInstances”, “ec2:DescribeSnapshots”, “ec2:DescribeTags”, “ec2:DescribeVolumes”, “ec2:DescribeVolumesModifications”, “ec2:DetachVolume”, “ec2:ModifyVolume” ], “Resource”: “*” } ] }

NetworkARN is an ARN value referencing a role appropriate for the Network Operator.

The following is an example of a valid policy document:

{ “Version”: “2012-10-17”, “Statement”: [ { “Effect”: “Allow”, “Action”: [ “ec2:DescribeInstances”, “ec2:DescribeInstanceStatus”, “ec2:DescribeInstanceTypes”, “ec2:UnassignPrivateIpAddresses”, “ec2:AssignPrivateIpAddresses”, “ec2:UnassignIpv6Addresses”, “ec2:AssignIpv6Addresses”, “ec2:DescribeSubnets”, “ec2:DescribeNetworkInterfaces” ], “Resource”: “*” } ] }

KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies

The following is an example of a valid policy document:

{ “Version”: “2012-10-17”, “Statement”: [ { “Action”: [ “autoscaling:DescribeAutoScalingGroups”, “autoscaling:DescribeLaunchConfigurations”, “autoscaling:DescribeTags”, “ec2:DescribeAvailabilityZones”, “ec2:DescribeInstances”, “ec2:DescribeImages”, “ec2:DescribeRegions”, “ec2:DescribeRouteTables”, “ec2:DescribeSecurityGroups”, “ec2:DescribeSubnets”, “ec2:DescribeVolumes”, “ec2:CreateSecurityGroup”, “ec2:CreateTags”, “ec2:CreateVolume”, “ec2:ModifyInstanceAttribute”, “ec2:ModifyVolume”, “ec2:AttachVolume”, “ec2:AuthorizeSecurityGroupIngress”, “ec2:CreateRoute”, “ec2:DeleteRoute”, “ec2:DeleteSecurityGroup”, “ec2:DeleteVolume”, “ec2:DetachVolume”, “ec2:RevokeSecurityGroupIngress”, “ec2:DescribeVpcs”, “elasticloadbalancing:AddTags”, “elasticloadbalancing:AttachLoadBalancerToSubnets”, “elasticloadbalancing:ApplySecurityGroupsToLoadBalancer”, “elasticloadbalancing:CreateLoadBalancer”, “elasticloadbalancing:CreateLoadBalancerPolicy”, “elasticloadbalancing:CreateLoadBalancerListeners”, “elasticloadbalancing:ConfigureHealthCheck”, “elasticloadbalancing:DeleteLoadBalancer”, “elasticloadbalancing:DeleteLoadBalancerListeners”, “elasticloadbalancing:DescribeLoadBalancers”, “elasticloadbalancing:DescribeLoadBalancerAttributes”, “elasticloadbalancing:DetachLoadBalancerFromSubnets”, “elasticloadbalancing:DeregisterInstancesFromLoadBalancer”, “elasticloadbalancing:ModifyLoadBalancerAttributes”, “elasticloadbalancing:RegisterInstancesWithLoadBalancer”, “elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer”, “elasticloadbalancing:AddTags”, “elasticloadbalancing:CreateListener”, “elasticloadbalancing:CreateTargetGroup”, “elasticloadbalancing:DeleteListener”, “elasticloadbalancing:DeleteTargetGroup”, “elasticloadbalancing:DeregisterTargets”, “elasticloadbalancing:DescribeListeners”, “elasticloadbalancing:DescribeLoadBalancerPolicies”, “elasticloadbalancing:DescribeTargetGroups”, “elasticloadbalancing:DescribeTargetHealth”, “elasticloadbalancing:ModifyListener”, “elasticloadbalancing:ModifyTargetGroup”, “elasticloadbalancing:RegisterTargets”, “elasticloadbalancing:SetLoadBalancerPoliciesOfListener”, “iam:CreateServiceLinkedRole”, “kms:DescribeKey” ], “Resource”: [ “*” ], “Effect”: “Allow” } ] }

NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.

The following is an example of a valid policy document:

{ “Version”: “2012-10-17”, “Statement”: [ { “Action”: [ “ec2:AssociateRouteTable”, “ec2:AttachInternetGateway”, “ec2:AuthorizeSecurityGroupIngress”, “ec2:CreateInternetGateway”, “ec2:CreateNatGateway”, “ec2:CreateRoute”, “ec2:CreateRouteTable”, “ec2:CreateSecurityGroup”, “ec2:CreateSubnet”, “ec2:CreateTags”, “ec2:DeleteInternetGateway”, “ec2:DeleteNatGateway”, “ec2:DeleteRouteTable”, “ec2:DeleteSecurityGroup”, “ec2:DeleteSubnet”, “ec2:DeleteTags”, “ec2:DescribeAccountAttributes”, “ec2:DescribeAddresses”, “ec2:DescribeAvailabilityZones”, “ec2:DescribeImages”, “ec2:DescribeInstances”, “ec2:DescribeInternetGateways”, “ec2:DescribeNatGateways”, “ec2:DescribeNetworkInterfaces”, “ec2:DescribeNetworkInterfaceAttribute”, “ec2:DescribeRouteTables”, “ec2:DescribeSecurityGroups”, “ec2:DescribeSubnets”, “ec2:DescribeVpcs”, “ec2:DescribeVpcAttribute”, “ec2:DescribeVolumes”, “ec2:DetachInternetGateway”, “ec2:DisassociateRouteTable”, “ec2:DisassociateAddress”, “ec2:ModifyInstanceAttribute”, “ec2:ModifyNetworkInterfaceAttribute”, “ec2:ModifySubnetAttribute”, “ec2:RevokeSecurityGroupIngress”, “ec2:RunInstances”, “ec2:TerminateInstances”, “tag:GetResources”, “ec2:CreateLaunchTemplate”, “ec2:CreateLaunchTemplateVersion”, “ec2:DescribeLaunchTemplates”, “ec2:DescribeLaunchTemplateVersions”, “ec2:DeleteLaunchTemplate”, “ec2:DeleteLaunchTemplateVersions” ], “Resource”: [ “” ], “Effect”: “Allow” }, { “Condition”: { “StringLike”: { “iam:AWSServiceName”: “elasticloadbalancing.amazonaws.com” } }, “Action”: [ “iam:CreateServiceLinkedRole” ], “Resource”: [ “arn::iam:::role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing” ], “Effect”: “Allow” }, { “Action”: [ “iam:PassRole” ], “Resource”: [ “arn::iam:::role/-worker-role” ], “Effect”: “Allow” }, { “Effect”: “Allow”, “Action”: [ “kms:Decrypt”, “kms:ReEncrypt”, “kms:GenerateDataKeyWithoutPlainText”, “kms:DescribeKey” ], “Resource”: “” }, { “Effect”: “Allow”, “Action”: [ “kms:CreateGrant” ], “Resource”: “”, “Condition”: { “Bool”: { “kms:GrantIsForAWSResource”: true } } } ] }

ControlPlaneOperatorARN is an ARN value referencing a role appropriate for the Control Plane Operator.

The following is an example of a valid policy document:

{ “Version”: “2012-10-17”, “Statement”: [ { “Effect”: “Allow”, “Action”: [ “ec2:CreateVpcEndpoint”, “ec2:DescribeVpcEndpoints”, “ec2:ModifyVpcEndpoint”, “ec2:DeleteVpcEndpoints”, “ec2:CreateTags”, “route53:ListHostedZones”, “ec2:CreateSecurityGroup”, “ec2:AuthorizeSecurityGroupIngress”, “ec2:AuthorizeSecurityGroupEgress”, “ec2:DeleteSecurityGroup”, “ec2:RevokeSecurityGroupIngress”, “ec2:RevokeSecurityGroupEgress”, “ec2:DescribeSecurityGroups”, “ec2:DescribeVpcs”, ], “Resource”: “*” }, { “Effect”: “Allow”, “Action”: [ “route53:ChangeResourceRecordSets”, “route53:ListResourceRecordSets” ], “Resource”: “arn:aws:route53:::%s” } ] }

mode specifies the mode for the AutoNode. Setting Enable/Disable mode will allows/disallow karpenter AutoNode scaling.

roleARN sets the autoNode role ARN, which includes the IAM policy and cluster-specific role that grant the necessary permissions to the Karpenter controller. The role must be attached with the same OIDC-ID that is used with the ROSA-HCP cluster.

"Disabled"

AutoNodeModeDisabled Disabled AutoNode

"Enabled"

AutoNodeModeEnabled enable AutoNode

"candidate"

Candidate channel group is for testing candidate builds.

"eus"

Eus channel group is for eus channel releases.

"fast"

Fast channel group is for fast channel releases.

"nightly"

Nightly channel group is for testing nigtly builds.

"stable"

Stable channel group is the default channel group for stable releases.

The instance type to use, for example r5.xlarge. Instance type ref; https://aws.amazon.com/ec2/instance-types/

Autoscaling specifies auto scaling behaviour for the default MachinePool. Autoscaling min/max value must be equal or multiple of the availability zones count.

VolumeSize set the disk volume size for the default workers machine pool in Gib. The default is 300 GiB.

Name of the OIDC provider

Issuer describes attributes of the OIDC token issuer

OIDCClients contains configuration for the platform’s clients that need to request tokens from the issuer

ClaimMappings describes rules on how to transform information from an ID token into a cluster identity

ClaimValidationRules are rules that are applied to validate token claims to authenticate users.

Name is the metadata.name of the referenced object.

IP addresses block used by OpenShift while installing the cluster, for example “10.0.0.0/16”.

IP address block from which to assign pod IP addresses, for example 10.128.0.0/14.

IP address block from which to assign service IP addresses, for example 172.30.0.0/16.

Network host prefix which is defaulted to 23 if not specified.

The CNI network type default is OVNKubernetes.

ComponentName is the name of the component that is supposed to consume this client configuration

ComponentNamespace is the namespace of the component that is supposed to consume this client configuration

ClientID is the identifier of the OIDC client from the OIDC provider

ClientSecret refers to a secret that contains the client secret in the clientSecret key of the .data field

ExtraScopes is an optional set of scopes to request tokens with.

Claim is a JWT token claim to be used in the mapping

Prefix is a string to prefix the value from the token in the result of the claim mapping.

By default, no prefixing occurs.

Example: if prefix is set to “myoidc:”” and the claim in JWT contains an array of strings “a”, “b” and “c”, the mapping will result in an array of string “myoidc:a”, “myoidc:b” and “myoidc:c”.

AdditionalTrustedCAs containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.

AllowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from.

RegistrySources contains configuration that determines how the container runtime should treat individual registries when accessing images. It does not contain configuration for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive.

domainName specifies a domain name for the registry. The domain name might include wildcards, like ‘*’ or ‘??’. In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.

insecure indicates whether the registry is secure (https) or insecure (http), default is secured.

AllowedRegistries are the registries for which image pull and push actions are allowed. To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, For example, *.example.com. You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.

BlockedRegistries are the registries for which image pull and push actions are denied. To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, For example, *.example.com. You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.

InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections. To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, For example, *.example.com. You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest.

Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric characters or ‘-’, start with an alphabetic character, end with an alphanumeric character and have a max length of 54 characters.

DomainPrefix is an optional prefix added to the cluster’s domain name. It will be used when generating a sub-domain for the cluster on openshiftapps domain. It must be valid DNS-1035 label consisting of lower case alphanumeric characters or ‘-’, start with an alphabetic character end with an alphanumeric character and have a max length of 15 characters.

The Subnet IDs to use when installing the cluster. SubnetIDs should come in pairs; two per availability zone, one private and one public.

AvailabilityZones describe AWS AvailabilityZones of the worker nodes. should match the AvailabilityZones of the provided Subnets. a machinepool will be created for each availabilityZone.

The AWS Region the cluster lives in.

OpenShift semantic version, for example “4.14.5”.

OpenShift version channel group, default is stable.

VersionGate requires acknowledgment when upgrading ROSA-HCP y-stream versions (e.g., from 4.15 to 4.16). Default is WaitForAcknowledge. WaitForAcknowledge: If acknowledgment is required, the upgrade will not proceed until VersionGate is set to Acknowledge or AlwaysAcknowledge. Acknowledge: If acknowledgment is required, apply it for the upgrade. After upgrade is done set the version gate to WaitForAcknowledge. AlwaysAcknowledge: If acknowledgment is required, apply it and proceed with the upgrade.

RosaRoleConfigRef is a reference to a RosaRoleConfig resource that contains account roles, operator roles and OIDC configuration. RosaRoleConfigRef and role fields such as installerRoleARN, supportRoleARN, workerRoleARN, rolesRef and oidcID are mutually exclusive.

AWS IAM roles used to perform credential requests by the openshift operators. Required if RosaRoleConfigRef is not specified.

The ID of the internal OpenID Connect Provider. Required if RosaRoleConfigRef is not specified.

EnableExternalAuthProviders enables external authentication configuration for the cluster.

ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster. Can only be set if “enableExternalAuthProviders” is set to “True”.

At most one provider can be configured.

InstallerRoleARN is an AWS IAM role that OpenShift Cluster Manager will assume to create the cluster. Required if RosaRoleConfigRef is not specified.

SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable access to the cluster account in order to provide support. Required if RosaRoleConfigRef is not specified.

WorkerRoleARN is an AWS IAM role that will be attached to worker instances. Required if RosaRoleConfigRef is not specified.

BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA HCP clusters. The cost of running each ROSA HCP cluster will be billed to the infrastructure account in which the cluster is running.

DefaultMachinePoolSpec defines the configuration for the default machinepool(s) provisioned as part of the cluster creation. One MachinePool will be created with this configuration per AvailabilityZone. Those default machinepools are required for openshift cluster operators to work properly. As these machinepool not created using ROSAMachinePool CR, they will not be visible/managed by ROSA CAPI provider. rosa list machinepools -c <rosaClusterName> can be used to view those machinepools.

This field will be removed in the future once the current limitation is resolved.

Network config for the ROSA HCP cluster.

EndpointAccess specifies the publishing scope of cluster endpoints. The default is Public.

AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.

EtcdEncryptionKMSARN is the ARN of the KMS key used to encrypt etcd. The key itself needs to be created out-of-band by the user and tagged with red-hat:true.

AuditLogRoleARN defines the role that is used to forward audit logs to AWS CloudWatch. If not set, audit log forwarding is disabled.

ProvisionShardID defines the shard where ROSA hosted control plane components will be hosted.

CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API. The secret should contain the following data keys: - ocmToken: eyJhbGciOiJIUzI1NiIsI…. - ocmApiUrl: Optional, defaults to ‘https://api.openshift.com’

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. If no identity is specified, the default identity for this controller will be used.

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

ClusterRegistryConfig represents registry config used with the cluster.

autoNode set the autoNode mode and roleARN.

ROSANetworkRef references ROSANetwork custom resource that contains the networking infrastructure for the ROSA HCP cluster.

ExternalManagedControlPlane indicates to cluster-api that the control plane is managed by an external service such as AKS, EKS, GKE, etc.

Initialized denotes whether or not the control plane has the uploaded kubernetes config-map.

Ready denotes that the ROSAControlPlane API Server is ready to receive requests.

FailureMessage will be set in the event that there is a terminal problem reconciling the state and will be set to a descriptive error message.

This field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the spec or the configuration of the controller, and that manual intervention is required.

Conditions specifies the conditions for the managed control plane

ID is the cluster ID given by ROSA.

ConsoleURL is the url for the openshift console.

OIDCEndpointURL is the endpoint url for the managed OIDC provider.

OpenShift semantic version, for example “4.14.5”.

Available upgrades for the ROSA hosted control plane.

"Private"

Private endpoint access allows only private API server access and private node communication with the control plane.

"Public"

Public endpoint access allows public API server access and private node communication with the control plane.

Username is a name of the claim that should be used to construct usernames for the cluster identity.

Default value: “sub”

Groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.

Type sets the type of the validation rule

RequiredClaim allows configuring a required claim name and its expected value

URL is the serving URL of the token issuer. Must use the https:// scheme.

Audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their “aud” claim. Must be set to exactly one value.

CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the “ca-bundle.crt” key. If unset, system trust is used instead.

Claim is a name of a required claim. Only claims with string values are supported.

RequiredValue is the required value for the claim.

"RequiredClaim"

TokenValidationRuleTypeRequiredClaim defines the type for RequiredClaim.

Claim is a JWT token claim to be used in the mapping

PrefixPolicy specifies how a prefix should apply.

By default, claims other than email will be prefixed with the issuer URL to prevent naming clashes with other plugins.

Set to “NoPrefix” to disable prefixing.

Example: (1) prefix is set to “myoidc:” and claim is set to “username”. If the JWT claim username contains value userA, the resulting mapped value will be “myoidc:userA”. (2) prefix is set to “myoidc:” and claim is set to “email”. If the JWT email claim contains value “userA@myoidc.tld”, the resulting mapped value will be “myoidc:userA@myoidc.tld”. (3) prefix is unset, issuerURL is set to https://myoidc.tld, the JWT claims include “username”:“userA” and “email”:“userA@myoidc.tld”, and claim is set to: (a) “username”: the mapped value will be “https://myoidc.tld#userA” (b) “email”: the mapped value will be “userA@myoidc.tld”

Prefix is prepended to claim to prevent clashes with existing names.

""

NoOpinion let’s the cluster assign prefixes. If the username claim is email, there is no prefix If the username claim is anything else, it is prefixed by the issuerURL

"NoPrefix"

NoPrefix means the username claim value will not have any prefix

"Prefix"

Prefix means the prefix value must be specified. It cannot be empty

"Acknowledge"

Acknowledge if acknowledgment is required and proceed with the upgrade.

"AlwaysAcknowledge"

AlwaysAcknowledge always acknowledg if required and proceed with the upgrade.

"WaitForAcknowledge"

WaitForAcknowledge if acknowledgment is required, wait not to proceed with the upgrade.

ID of resource

EKSOptimizedLookupType If specified, will look up an EKS Optimized image in SSM Parameter store

Spec for this AWSClusterControllerIdentity.

(Members of AWSClusterIdentitySpec are embedded into this type.)

AllowedNamespaces is used to identify which namespaces are allowed to use the identity from. Namespaces can be selected either using an array of namespaces or with label selector. An empty allowedNamespaces object indicates that AWSClusters can use this identity from any namespace. If this object is nil, no namespaces will be allowed (default behaviour, if this field is not provided) A namespace should be either in the NamespaceList or match with Selector to use the identity.

Spec for this AWSClusterRoleIdentity.

(Members of AWSClusterIdentitySpec are embedded into this type.)

(Members of AWSRoleSpec are embedded into this type.)

A unique identifier that might be required when you assume a role in another account. If the administrator of the account to which the role belongs provided you with an external ID, then provide that value in the ExternalId parameter. This value can be any string, such as a passphrase or account number. A cross-account role is usually set up to trust everyone in an account. Therefore, the administrator of the trusting account might send an external ID to the administrator of the trusted account. That way, only someone with the ID can assume the role, rather than everyone in the account. For more information about the external ID, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party in the IAM User Guide.

SourceIdentityRef is a reference to another identity which will be chained to do role assumption. All identity types are accepted.

NetworkSpec encapsulates all things related to AWS network.

The AWS Region the cluster lives in.

SSHKeyName is the name of the ssh key to attach to the bastion host. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the ones added by default.

ControlPlaneLoadBalancer is optional configuration for customizing control plane behavior.

ImageLookupFormat is the AMI naming format to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupOrg. Supports substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base OS and kubernetes version, respectively. The BaseOS will be the value in ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as defined by the packages produced by kubernetes/release without v as a prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See also: https://golang.org/pkg/text/template/

ImageLookupOrg is the AWS Organization ID to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupOrg.

ImageLookupBaseOS is the name of the base operating system used to look up machine images when a machine does not specify an AMI. When set, this will be used for all cluster machines unless a machine specifies a different ImageLookupBaseOS.

Bastion contains options to configure the bastion host.

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. If no identity is specified, the default identity for this controller will be used.

S3Bucket contains options to configure a supporting S3 bucket for this cluster - currently used for nodes requiring Ignition (https://coreos.github.io/ignition/) for bootstrapping (requires BootstrapFormatIgnition feature flag to be enabled).

Spec for this AWSClusterStaticIdentity

(Members of AWSClusterIdentitySpec are embedded into this type.)

Reference to a secret containing the credentials. The secret should contain the following data keys: AccessKeyID: AKIAIOSFODNN7EXAMPLE SecretAccessKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY SessionToken: Optional

Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata