The product described by this documentation, Anthos Clusters on AWS (previous generation), is now in maintenance mode. All new installs must use the current generation product, Anthos clusters on AWS.
This topic describes the configuration options of the AWSCluster
Custom Resource Definition.
Defining an AWSCluster
AWSCluster is a Kubernetes custom resource defined by
GKE on AWS. This resource represents a GKE on AWS
control plane.
To create a cluster from this template, copy the following YAML and fill in the placeholder values (shown in UPPER_CASE) defined in the spec.networking and spec.controlPlane field definitions. Then, apply the resource manifest to your management service.
apiVersion: multicloud.cluster.gke.io/v1
kind: AWSCluster
metadata:
  name: CLUSTER_NAME
spec:
  region: AWS_REGION
  networking:
    vpcID: VPC_ID
    podAddressCIDRBlocks: POD_ADDRESS_CIDR_BLOCKS
    serviceAddressCIDRBlocks: SERVICE_ADDRESS_CIDR_BLOCKS
    serviceLoadBalancerSubnetIDs: SERVICE_LOAD_BALANCER_SUBNETS
  controlPlane:
    version: GKE_VERSION # Latest version is 1.25.5-gke.2100
    instanceType: AWS_INSTANCE_TYPE
    keyName: SSH_KEY_NAME
    subnetIDs:
    - CONTROL_PLANE_SUBNET_IDS
    securityGroupIDs:
    - CONTROL_PLANE_SECURITY_GROUPS
    iamInstanceProfile: CONTROL_PLANE_IAM_ROLE
    databaseEncryption:
      kmsKeyARN: ARN_OF_KMS_KEY
    hub:
      membershipName: ANTHOS_CONNECT_NAME
    cloudOperations: # Optional
      projectID: YOUR_PROJECT
      location: GCP_LOCATION
      enableLogging: ENABLE_LOGGING
      enableMonitoring: ENABLE_MONITORING
    tags:
      TAG_KEY: TAG_VALUE
    proxySecretName: PROXY_SECRET_NAME
    workloadIdentity:
      oidcDiscoveryGCSBucket: WORKLOAD_IDENTITY_BUCKET
    rootVolume: # Optional
      sizeGiB: ROOT_VOLUME_SIZE
      volumeType: ROOT_VOLUME_TYPE
      iops: ROOT_VOLUME_IOPS
      kmsKeyARN: ROOT_VOLUME_KEY
    etcd: # Optional
      mainVolume:
        sizeGiB: ETCD_VOLUME_SIZE
        volumeType: ETCD_VOLUME_TYPE
        iops: ETCD_VOLUME_IOPS
        kmsKeyARN: ETCD_VOLUME_KEY
  authentication:
    awsIAM:
      adminIdentityARNs: ADMIN_IAM_ARN
    oidc: # Optional
    - certificateAuthorityData: CERTIFICATE_STRING
      clientID: CLIENT_ID
      clientSecret: CLIENT_SECRET
      extraParams: EXTRA_PARAMS
      groupsClaim: GROUPS_CLAIM
      groupPrefix: GROUP_PREFIX
      issuerURI: ISSUER_URL
      kubectlRedirectURI: KUBECTL_REDIRECT_URL
      scopes: SCOPES
      userClaim: USER_CLAIM
      userPrefix: USER_PREFIX
The subfields under spec are described in the following sections.
spec.networking
This object defines cluster-wide networking configuration.
| Name | Description | Type | Example | Required |
|---|---|---|---|---|
| vpcID | The ID of the VPC where your cluster runs. A user cluster's control plane and node pools run in a single VPC. | string | vpc-0814934042d983118 | yes |
| podAddressCIDRBlocks | Range of IPv4 addresses used by the cluster's pods. Currently only a single range is supported. The range must not overlap with any subnets reachable from your network. It is safe to use the same range across multiple different AWSCluster objects. | list(string) | [10.1.0.0/16] | yes |
| serviceAddressCIDRBlocks | Range of IPv4 addresses used by the cluster's services. Currently only a single range is supported. The range must not overlap with any subnets reachable from your network. It is safe to use the same range across multiple different AWSCluster objects. | list(string) | [10.2.0.0/16] | yes |
| serviceLoadBalancerSubnetIDs | Subnet IDs where GKE on AWS can create public or private load balancers. GKE on AWS applies tags to each of these subnets to support load balancing. ALB support requires more than one specified subnet. | list(string) | [subnet-abcdefg, subnet-12345678] | |
spec.controlPlane
This object includes common parameters for the cluster's control plane.
| Name | Description | Type | Example | Required |
|---|---|---|---|---|
| keyName | The AWS EC2 key pair assigned to each control plane replica. | string | my-key-pair | yes |
| subnetIDs | A list of VPC Subnets for control plane replicas. | list(string) | [subnet-06a004869a1eae947] | yes |
| securityGroupIDs | GKE on AWS automatically creates security groups with the minimum rules needed for a functioning cluster. If you would like to add additional security groups with access to control plane replicas, add their IDs to securityGroupIDs. | | | |
| tags | Key/value metadata assigned to each AWS resource supporting the AWSCluster. For more information, see Tagging best practices. | map(string) | {Environment: Production, Team: Analytics} | no |
| proxySecretName | User-chosen name of a Secret used to define cluster-specific network proxies. | string | proxy-secret-0 | no |
| workloadIdentity | Cloud Storage bucket for workload identity configuration. Contains a single field: oidcDiscoveryGCSBucket. | object | {oidcDiscoveryGCSBucket: my-bucket} | no |
| rootVolume | Parameters for control plane replica root volumes. Contains an object defined in the following section. | object | {sizeGiB: 10} | yes |
| etcd | Parameters for etcd volumes. Contains an object defined in the following section. | object | {sizeGiB: 10} | yes |
spec.controlPlane.rootVolume and spec.etcd.mainVolume
These fields apply to both spec.controlPlane.rootVolume and spec.etcd.mainVolume.
| Name | Description | Type | Example | Required |
|---|---|---|---|---|
| sizeGiB | Size of the volume in gibibytes (GiB). | integer | 10 | yes |
| volumeType | The control plane node's AWS EBS volume type. Can be gp2 (default) or gp3. | string | gp2 | no |
| iops | The amount of provisioned IO operations per second (IOPS) for the volume. Only valid when volumeType is gp3. For more information, see General Purpose SSD volumes (gp3). | | | |
spec.authentication.awsIAM
This object specifies roles granted cluster administrator access with AWS IAM.
| Name | Description | Type | Example | Required |
|---|---|---|---|---|
| adminIdentityARNs | ARN of AWS IAM users or roles granted cluster administrator access. | string | arn:aws:iam::123456789012:user/admin | Only required if using AWS IAM authentication. |
spec.authentication.oidc
You can specify more than one oidc object. The oidc object is defined below.
For more information, see Authenticating with OIDC.
| Field | Required | Description | Format |
|---|---|---|---|
| certificateAuthorityData | No | A base64-encoded PEM-encoded certificate for the OIDC provider. To create the string, encode the certificate, including headers, into base64. Include the resulting string in certificateAuthorityData as a single line. Example: certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tC...k1JSUN2RENDQWFT== | String |
| clientID | Yes | ID for the client application that makes authentication requests to the OpenID provider. | String |
| clientSecret | No | Shared secret between the OIDC client application and the OIDC provider. | String |
| extraParams | No | Additional key-value parameters to send to the OpenID provider. If you are authorizing a group, pass in resource=token-groups-claim. If your authorization server prompts for consent, for authentication with Microsoft Azure and Okta, set extraParams to prompt=consent. For Google Cloud Identity, set extraParams to prompt=consent,access_type=offline. | Comma-delimited list |
| groupsClaim | No | JWT claim that the provider uses to return your security groups. | String |
| groupPrefix | No | Prefix prepended to group claims to prevent clashes with existing names. For example, given a group foobar and a prefix gid-, the resulting group name is gid-foobar. | String |
| issuerURI | Yes | URL where authorization requests are sent to your OpenID provider, such as https://example.com/adfs. The Kubernetes API server uses this URL to discover public keys for verifying tokens. The URI must use HTTPS. | URL String |
| kubectlRedirectURI | Yes | The redirect URL `kubectl` uses for authorization. | URL String |
| scopes | Yes | Additional scopes to send to the OpenID provider. Microsoft Azure and Okta require the offline_access scope. | Comma-delimited list |
| userClaim | No | JWT claim to use as the username. The default is `sub`, which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name, depending on the OpenID provider. However, claims other than email are prefixed with the issuer URL to prevent naming clashes. | String |
| userPrefix | No | Prefix prepended to username claims to prevent clashes with existing names. If you do not provide this field, and the username is a value other than an email address, the prefix defaults to issuerurl#. When you set userPrefix to -, prefixing is disabled. | String |
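As an added example (not part of this reference or of the GKE on AWS tooling), the following Python lints an already-parsed AWSCluster manifest against constraints stated in the tables above: a single pod and service range that does not overlap subnets reachable from your network, more than one load balancer subnet for ALB support, iops only on gp3 volumes, and OIDC entries that carry the required fields, an HTTPS issuerURI and a certificateAuthorityData that is base64 of a PEM certificate. The manifest dict and the reachable subnet list are constructed sample data.

```python
import base64
import ipaddress

# Constructed sample manifest (already parsed, e.g. with yaml.safe_load); it carries mistakes on purpose.
MANIFEST = {"spec": {
    "networking": {"podAddressCIDRBlocks": ["10.1.0.0/16"], "serviceAddressCIDRBlocks": ["10.2.0.0/16"],
                   "serviceLoadBalancerSubnetIDs": ["subnet-abcdefg"]},
    "controlPlane": {"rootVolume": {"sizeGiB": 10, "volumeType": "gp2", "iops": 3000},
                     "etcd": {"mainVolume": {"sizeGiB": 10, "volumeType": "gp3"}}},
    "authentication": {"awsIAM": {"adminIdentityARNs": "arn:aws:iam::123456789012:user/admin"},
                       "oidc": [{"clientID": "kubectl", "issuerURI": "http://example.com/adfs",
                                 "kubectlRedirectURI": "http://localhost:1025/callback", "scopes": "offline_access"}]}}}
# Constructed: CIDRs of subnets reachable from the VPC; pod and service ranges must not overlap them.
REACHABLE_SUBNETS = ["10.0.0.0/16", "10.2.0.0/24"]


def lint_cluster(manifest, reachable_subnets):
    """Return findings for the AWSCluster constraints the reference states; an empty list means clean."""
    spec, findings = manifest["spec"], []
    net = spec["networking"]
    for key in ("podAddressCIDRBlocks", "serviceAddressCIDRBlocks"):
        ranges = net.get(key, [])
        if len(ranges) != 1:  # currently only a single range is supported
            findings.append(f"{key}: exactly one range is supported")
        for r in ranges:
            for s in reachable_subnets:
                if ipaddress.ip_network(r).overlaps(ipaddress.ip_network(s)):
                    findings.append(f"{key}: {r} overlaps reachable subnet {s}")
    if len(net.get("serviceLoadBalancerSubnetIDs", [])) < 2:
        findings.append("serviceLoadBalancerSubnetIDs: ALB support needs more than one subnet")
    cp = spec["controlPlane"]
    for name, vol in (("rootVolume", cp.get("rootVolume", {})),
                      ("etcd.mainVolume", cp.get("etcd", {}).get("mainVolume", {}))):
        if "iops" in vol and vol.get("volumeType", "gp2") != "gp3":  # gp2 is the documented default
            findings.append(f"{name}: iops is only valid when volumeType is gp3")
    for i, oidc in enumerate(spec.get("authentication", {}).get("oidc", [])):
        for req in ("clientID", "issuerURI", "kubectlRedirectURI", "scopes"):
            if not oidc.get(req):
                findings.append(f"oidc[{i}]: {req} is required")
        if not oidc.get("issuerURI", "https://").startswith("https://"):
            findings.append(f"oidc[{i}]: issuerURI must use HTTPS")
        ca = oidc.get("certificateAuthorityData")
        if ca is not None:  # must be base64 of the PEM text, headers included, on a single line
            try:
                pem = base64.b64decode(ca, validate=True)
            except ValueError:
                pem = b""
            if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
                findings.append(f"oidc[{i}]: certificateAuthorityData is not a base64 PEM certificate")
    return findings
```

Run it before `kubectl apply` on the management service; every finding maps to a row in the tables above.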