Kubernetes Args
This resource will help you to manage a Kubernetes Cluster in Alibaba Cloud Kubernetes Service, see What is kubernetes.
NOTE: From August 21, 2024, Container Service for Kubernetes (ACK) discontinues the creation of ACK dedicated clusters, see Product announcement for more details.
NOTE: Available since v1.9.0.
NOTE: A Kubernetes cluster only supports a VPC network, and it can access the internet while the cluster is being created. A NAT gateway with SNAT configured for it ensures that a VPC network can access the internet. If there is no NAT gateway in the VPC, you can set new_nat_gateway to "true" to create one automatically.
NOTE: Each Kubernetes cluster contains 3 master nodes, and that number cannot be changed for now.
NOTE: Creating a Kubernetes cluster requires installing several packages and takes about 15 minutes. Please be patient.
NOTE: From version 1.9.4, the provider supports downloading the kube config, client certificate, client key and cluster CA certificate after the cluster has been created successfully, and you can put them into a specified location, like '~/.kube/config'.
NOTE: From version 1.16.0, the provider supports Multiple Availability Zones Kubernetes Clusters. To create a cluster of this kind, you must specify 3 or 5 items in master_vswitch_ids and master_instance_types.
NOTE: From version 1.20.0, the provider supports disabling the internet load balancer for the API Server by setting slb_internet_enabled to false.
NOTE: If you want to manage Kubernetes, you can use the Kubernetes Provider.
NOTE: You need to activate several other products and confirm the Authorization Policy used by Container Service before using this resource. Please refer to the Authorization management and Cluster management sections in the Document Center.
NOTE: From version 1.75.0, some parameters have been removed from the resource. You can check them below and re-import the cluster if necessary.
NOTE: From version 1.101.0+, professional managed clusters (ack-pro) are supported. You can create a pro cluster by setting the value of cluster_spec.
NOTE: From version 1.177.0+, exclude_autoscaler_nodes, worker_number, worker_vswitch_ids, worker_instance_types, worker_instance_charge_type, worker_period, worker_period_unit, worker_auto_renew, worker_auto_renew_period, worker_disk_category, worker_disk_size, worker_data_disks, node_port_range, cpu_policy, user_data, taints, worker_disk_performance_level, worker_disk_snapshot_policy_id are deprecated. We suggest using resource alicloud.cs.NodePool to manage your cluster worker nodes.
NOTE: From version 1.212.0, exclude_autoscaler_nodes, worker_number, worker_vswitch_ids, worker_instance_types, worker_instance_charge_type, worker_period, worker_period_unit, worker_auto_renew, worker_auto_renew_period, worker_disk_category, worker_disk_size, worker_data_disks, node_port_range, cpu_policy, user_data, taints, worker_disk_performance_level, worker_disk_snapshot_policy_id, kube_config, availability_zone are removed. Please use resource alicloud.cs.NodePool to manage your cluster worker nodes.
Import
A Kubernetes cluster can be imported using its id, e.g.
$ pulumi import alicloud:cs/kubernetes:Kubernetes main cluster-id
Then complete main.tf according to the result of pulumi preview.
Constructors
Properties
The addon you want to install in the cluster. See addons below. Only works for the Create operation; use resource cs_kubernetes_addon to manage addons once the cluster is created.
A list of API audiences for Service Account Token Volume Projection. Set this to ["https://kubernetes.default.svc"] if you want to enable the Token Volume Projection feature (requires specifying service_account_issuer as well). From cluster version 1.22+, Service Account Token Volume Projection will be enabled by default.
From version 1.248.0, the new DataSource alicloud.cs.getClusterCredential is recommended for managing the cluster's kubeconfig. You can also save the certificate_authority.client_cert attribute content of the new DataSource alicloud.cs.getClusterCredential to an appropriate path (like ~/.kube/client-cert.pem) to replace it.
From version 1.248.0, the new DataSource alicloud.cs.getClusterCredential is recommended for managing the cluster's kubeconfig. You can also save the certificate_authority.client_key attribute content of the new DataSource alicloud.cs.getClusterCredential to an appropriate path (like ~/.kube/client-key.pem) to replace it.
From version 1.248.0, the new DataSource alicloud.cs.getClusterCredential is recommended for managing the cluster's kubeconfig. You can also save the certificate_authority.cluster_cert attribute content of the new DataSource alicloud.cs.getClusterCredential to an appropriate path (like ~/.kube/cluster-ca-cert.pem) to replace it.
Cluster local domain name. Default to cluster.local. A domain name consists of one or more sections separated by a decimal point (.), each of which is up to 63 characters long, can contain lowercase letters, numerals, and hyphens (-), and must begin and end with a lowercase letter or numeral.
Delete options, which only work when deleting the resource. Make sure you have run pulumi up to apply the configuration. See delete_options below.
Whether to enable cluster deletion protection.
Install cloud monitor agent on ECS. Default to true.
Whether to create an advanced security group. Default: false. See Advanced security group. Only works for Create Operation.
A KMS-encrypted password used for a CS Kubernetes cluster. You have to specify one of the password, key_name or kms_encrypted_password fields.
A KMS encryption context used to decrypt kms_encrypted_password before creating or updating a CS Kubernetes cluster with kms_encrypted_password. See Encryption Context. It is valid when kms_encrypted_password is set.
The cluster api server load balancer instance specification. For more information on how to select a LB instance specification, see SLB instance overview. Only works for Create Operation. The spec will not take effect because the charge of the load balancer has been changed to PayByCLCU.
Enable master payment auto-renew, defaults to false.
Master payment auto-renew period, it can be one of {1, 2, 3, 6, 12}.
The system disk category of master node. Its valid values are cloud_ssd, cloud_essd and cloud_efficiency. Default to cloud_efficiency.
Master node system disk performance level. When master_disk_category is cloud_essd, the optional values are PL0, PL1, PL2 or PL3, but the specific performance level is related to the disk capacity. For more information, see Enhanced SSDs. Default is PL1.
The system disk size of master node. Its valid value range is 20~500, in GB. Default to 20.
Master node system disk auto snapshot policy.
Master payment type: PostPaid or PrePaid, defaults to PostPaid. If the value is PrePaid, the fields master_period, master_period_unit, master_auto_renew and master_auto_renew_period are required.
The instance type of master node. Specify one type for single AZ Cluster, three types for MultiAZ Cluster.
Master payment period. Its valid value is one of {1, 2, 3, 6, 12, 24, 36, 48, 60}.
Master payment period unit, the valid value is Month.
The vswitches used by master. You can specify 3 or 5 vswitches because of the number of masters. Detailed below.
Whether to create a new NAT gateway while creating the Kubernetes cluster. Default to true. The OpenAPI endpoints in Alibaba Cloud are not all on the intranet, so turning this option on is a good choice. Your cluster nodes and applications will have public network access. If there is a NAT gateway in the selected VPC, ACK will use this gateway by default; if there is no NAT gateway in the selected VPC, ACK will create a new NAT gateway for you and automatically configure SNAT rules. Only works for Create Operation.
The node CIDR block, which specifies how many pods can run on a single node. 24-28 is allowed. 24 means 2^(32-24)-1=255 and the node can run at most 255 pods. Default: 24.
Each node name consists of a prefix, an IP substring, and a suffix. The input format is customized,<prefix>,IPSubStringLen,<suffix>. For example, with "customized,aliyun.com-,5,-test", if the node IP address is 192.168.59.176, the prefix is aliyun.com-, the IP substring length is 5, and the suffix is -test, the node name will be aliyun.com-59176-test.
Terway specific: the vswitches for the pod network when using Terway. It is recommended that pod_vswitch_ids do not belong to worker_vswitch_ids and master_vswitch_ids, but they must be in the same availability zones. Only works for Create Operation.
RDS instance list. You can choose which RDS instances' whitelists to add instances to.
The ID of the resource group. By default these cloud resources are automatically assigned to the default resource group.
The runtime of containers. If you select another container runtime, see How do I select between Docker and Sandboxed-Container. See runtime below.
The ID of the security group to which the ECS instances in the cluster belong. If it is not specified, a new Security group will be built.
The issuer of the Service Account token for Service Account Token Volume Projection, corresponds to the iss field in the token payload. Set this to "https://kubernetes.default.svc" to enable the Token Volume Projection feature (requires specifying api_audiences as well). From cluster version 1.22+, Service Account Token Volume Projection will be enabled by default.
The CIDR block for the service network. It cannot duplicate the VPC CIDR or a CIDR used by a Kubernetes cluster in the VPC, and it cannot be modified after creation.
Configure whether to save certificate authority data for your cluster to attribute certificate_authority. For cluster security, the recommended configuration is true. Will be removed when the attribute certificate_authority is removed.
Whether to create internet load balancer for API Server. Default to true. Only works for Create Operation.
Desired Kubernetes version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur unless you set a higher version number. To upgrade, the value must be set and increased to the desired version. Downgrades are not supported by ACK.
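The cross-field constraints and exposure-related defaults stated in the property descriptions above can be checked before running pulumi up. The Python lint below is an added example, not code from the provider or from this documentation; lint_cluster_args is a hypothetical helper that takes the planned arguments as a plain dict keyed by the provider's snake_case argument names. Reading "one of" the credential fields as exactly one, and treating a missing deletion_protection as disabled, are assumptions.

```python
# Added example: lint a planned alicloud.cs.Kubernetes config against the constraints
# in the property descriptions. lint_cluster_args is a hypothetical helper.
CREDENTIALS = ("password", "key_name", "kms_encrypted_password")
PREPAID_REQUIRED = ("master_period", "master_period_unit",
                    "master_auto_renew", "master_auto_renew_period")
# Constructed sample input (placeholder values): one vswitch, issuer without audiences.
SAMPLE = {"password": "example-only", "master_vswitch_ids": ["vsw-placeholder"],
          "service_account_issuer": "https://kubernetes.default.svc"}


def lint_cluster_args(args):
    """Return sorted (severity, message) findings for one cluster config dict."""
    out = []
    # "one of password, key_name, kms_encrypted_password", read here as exactly one.
    if len([k for k in CREDENTIALS if args.get(k)]) != 1:
        out.append(("error", "set exactly one of: " + ", ".join(CREDENTIALS)))
    # The encryption context is only valid alongside the encrypted password.
    if args.get("kms_encryption_context") and not args.get("kms_encrypted_password"):
        out.append(("error", "kms_encryption_context needs kms_encrypted_password"))
    # Token volume projection needs the issuer and the audiences together.
    if bool(args.get("service_account_issuer")) != bool(args.get("api_audiences")):
        out.append(("error", "set service_account_issuer and api_audiences together"))
    # Masters are spread over 3 or 5 vswitches.
    if len(args.get("master_vswitch_ids", [])) not in (3, 5):
        out.append(("error", "master_vswitch_ids must list 3 or 5 vswitches"))
    # PrePaid masters need all four period and renewal fields.
    if args.get("master_instance_charge_type", "PostPaid") == "PrePaid":
        missing = [k for k in PREPAID_REQUIRED if k not in args]
        if missing:
            out.append(("error", "PrePaid requires: " + ", ".join(missing)))
    # Performance levels apply to cloud_essd system disks only.
    if "master_disk_performance_level" in args and \
            args.get("master_disk_category", "cloud_efficiency") != "cloud_essd":
        out.append(("error", "master_disk_performance_level needs cloud_essd"))
    if not 24 <= args.get("node_cidr_mask", 24) <= 28:
        out.append(("error", "node_cidr_mask must be between 24 and 28"))
    # slb_internet_enabled defaults to true, which fronts the API server
    # with an internet load balancer.
    if args.get("slb_internet_enabled", True):
        out.append(("warn", "slb_internet_enabled is true: API server is internet-facing"))
    # Assumption: a missing deletion_protection means it is not enabled.
    if not args.get("deletion_protection", False):
        out.append(("warn", "deletion_protection is not enabled"))
    return sorted(out)


if __name__ == "__main__":
    print(*lint_cluster_args(SAMPLE), sep="\n")
```

Errors are violations of constraints the descriptions state outright; warnings flag settings that are valid but leave the control plane more exposed than it needs to be.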