Managed
This resource will help you to manage a ManagedKubernetes Cluster in Alibaba Cloud Kubernetes Service.
NOTE: Available since v1.26.0. NOTE: It is recommended to create a cluster with zero worker nodes, and then use a node pool to manage the cluster nodes. NOTE: Kubernetes cluster only supports VPC network and it can access internet while creating kubernetes cluster. A Nat Gateway and configuring a SNAT for it can ensure one VPC network access internet. If there is no nat gateway in the VPC, you can set
new_nat_gatewayto "true" to create one automatically. NOTE: Creating kubernetes cluster need to install several packages and it will cost about 15 minutes. Please be patient. NOTE: From version 1.9.4, the provider supports to download kube config, client certificate, client key and cluster ca certificate after creating cluster successfully, and you can put them into the specified location, like '~/.kube/config'. NOTE: From version 1.20.0, the provider supports disabling internet load balancer for API Server by settingfalsetoslb_internet_enabled. NOTE: If you want to manage Kubernetes, you can use Kubernetes Provider. NOTE: You need to activate several other products and confirm Authorization Policy used by Container Service before using this resource. Please refer to theAuthorization managementandCluster managementsections in the Document Center. NOTE: From version 1.72.0, Some parameters have been removed from resource,You can check them below and re-import the cluster if necessary. NOTE: From version 1.120.0, Support for cluster migration from Standard cluster to professional. NOTE: From version 1.177.0,runtime,enable_ssh,rds_instances,exclude_autoscaler_nodes,worker_number,worker_instance_types,password,key_name,kms_encrypted_password,kms_encryption_context,worker_instance_charge_type,worker_period,worker_period_unit,worker_auto_renew,worker_auto_renew_period,worker_disk_category,worker_disk_size,worker_data_disks,node_name_mode,node_port_range,os_type,platform,image_id,cpu_policy,user_data,taints,worker_disk_performance_level,worker_disk_snapshot_policy_id,install_cloud_monitorare deprecated. We Suggest you using resourcealicloud.cs.NodePoolto manage your cluster worker nodes. NOTE: From version 1.212.0,runtime,enable_ssh,rds_instances,exclude_autoscaler_nodes,worker_number,worker_instance_types,password,key_name,kms_encrypted_password,kms_encryption_context,worker_instance_charge_type,worker_period,worker_period_unit,worker_auto_renew,worker_auto_renew_period,worker_disk_category,worker_disk_size,worker_data_disks,node_name_mode,node_port_range,os_type,platform,image_id,cpu_policy,user_data,taints,worker_disk_performance_level,worker_disk_snapshot_policy_id,install_cloud_monitor,kube_config,availability_zoneare removed. Please use resourcealicloud.cs.NodePoolto manage your cluster worker nodes.
Import
Kubernetes managed cluster can be imported using the id, e.g. Then complete the main.tf accords to the result of pulumi preview.
$ pulumi import alicloud:cs/managedKubernetes:ManagedKubernetes main cluster_idConstructors
Properties
The addon you want to install in cluster. See addons below. Only works for Create Operation, use resource cs_kubernetes_addon to manage addons if cluster is created.
A list of API audiences for Service Account Token Volume Projection. Set this to ["https://kubernetes.default.svc"] if you want to enable the Token Volume Projection feature (requires specifying service_account_issuer as well. From cluster version 1.22, Service Account Token Volume Projection will be enabled by default.
Audit log configuration. See audit_log_config below.
From version 1.248.0, new DataSource alicloud.cs.getClusterCredential is recommended to manage cluster's kubeconfig, you can also save the certificate_authority.client_cert attribute content of new DataSource alicloud.cs.getClusterCredential to an appropriate path(like ~/.kube/client-cert.pem) for replace it.
From version 1.248.0, new DataSource alicloud.cs.getClusterCredential is recommended to manage cluster's kubeconfig, you can also save the certificate_authority.client_key attribute content of new DataSource alicloud.cs.getClusterCredential to an appropriate path(like ~/.kube/client-key.pem) for replace it.
From version 1.248.0, new DataSource alicloud.cs.getClusterCredential is recommended to manage cluster's kubeconfig, you can also save the certificate_authority.cluster_cert attribute content of new DataSource alicloud.cs.getClusterCredential to an appropriate path(like ~/.kube/cluster-ca-cert.pem) for replace it. Removed params
Cluster local domain name, Default to cluster.local. A domain name consists of one or more sections separated by a decimal point (.), each of which is up to 63 characters long, and can be lowercase, numerals, and underscores (-), and must be lowercase or numerals at the beginning and end.
The cluster specifications of kubernetes cluster,which can be empty. Valid values:
List of target components for which logs need to be collected. Supports apiserver, kcm, scheduler, ccm and controlplane-events.
Control plane log project. If this field is not set, a log service project named k8s-log-{ClusterID} will be automatically created.
Control plane log retention duration (unit: day). Default 30. If control plane logs are to be collected, control_plane_log_ttl and control_plane_log_components must be specified.
Delete options, only work for deleting resource. Make sure you have run pulumi up to make the configuration applied. See delete_options below.
Whether to enable cluster deletion protection.
Whether to enable cluster to support RRSA for kubernetes version 1.22.3+. Default to false. Once the RRSA function is turned on, it is not allowed to turn off. If your cluster has enabled this function, please manually modify your tf file and add the rrsa configuration to the file, learn more RAM Roles for Service Accounts.
The ID of the Key Management Service (KMS) key that is used to encrypt Kubernetes Secrets.
Enable to create advanced security group. default: false. Only works for Create Operation. See Advanced security group.
The cluster api server load balancer instance specification. For more information on how to select a LB instance specification, see SLB instance overview. Only works for Create Operation. The spec will not take effect because the charge of the load balancer has been changed to PayByCLCU.
The cluster maintenance window,effective only in the professional managed cluster. Managed node pool will use it. See maintenance_window below.
Whether to create a new nat gateway while creating kubernetes cluster. Default to true. Then openapi in Alibaba Cloud are not all on intranet, So turn this option on is a good choice. Only works for Create Operation.
The node cidr block to specific how many pods can run on single node. 24-28 is allowed. 24 means 2^(32-24)-1=255 and the node can run at most 255 pods. default: 24
The cluster automatic operation policy. See operation_policy below.
Terway Specific The vswitches for the pod network when using Terway. It is recommended that pod_vswitch_ids is not belong to vswitch_ids but must be in same availability zones. Only works for Create Operation.
The ID of the resource group,by default these cloud resources are automatically assigned to the default resource group.
The ID of the security group to which the ECS instances in the cluster belong. If it is not specified, a new Security group will be built.
The issuer of the Service Account token for Service Account Token Volume Projection, corresponds to the iss field in the token payload. Set this to "https://kubernetes.default.svc" to enable the Token Volume Projection feature (requires specifying api_audiences as well). From cluster version 1.22, Service Account Token Volume Projection will be enabled by default.
The CIDR block for the service network. It cannot be duplicated with the VPC CIDR and CIDR used by Kubernetes cluster in VPC, cannot be modified after creation.
Configure whether to save certificate authority data for your cluster to attribute certificate_authority. For cluster security, recommended configuration as true. Will be removed with attribute certificate_authority removed. Network params
Whether to create internet load balancer for API Server. Default to true. Only works for Create Operation.
Desired Kubernetes version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except you set a higher version number. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by ACK. Do not specify if cluster auto upgrade is enabled, see cluster_auto_upgrade for more information.
The vSwitches of the control plane.
The vSwitches used by control plane. Modification after creation will not take effect. Please use vswitch_ids to managed control plane vSwitches, which supports modifying control plane vSwitches.