---
# eksctl ClusterConfig for the ${PRODUCT_NAME} EKS cluster.
#
# ${PRODUCT_NAME} and ${AWS_REGION} are shell-style placeholders that must be
# substituted (presumably with envsubst or similar) before this file is handed
# to eksctl; eksctl itself does not expand them.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: ${PRODUCT_NAME}-cluster
  region: ${AWS_REGION}
  # Control-plane Kubernetes version. Quoted so YAML does not read it as the
  # float 1.23.
  # NOTE(review): EKS 1.23 has reached end of support; confirm that this
  # version can still be created in the target account before relying on it.
  version: "1.23"

# Two AZs in the target region; eksctl creates the VPC and subnets.
availabilityZones: ["${AWS_REGION}a", "${AWS_REGION}b"]

# No managed/self-managed node groups are declared, so every pod in the
# selected namespaces runs on Fargate.
fargateProfiles:
  - name: fp-default
    selectors:
      # All workloads in the "default" Kubernetes namespace will be
      # scheduled onto Fargate:
      - namespace: default
      # All workloads in the "kube-system" Kubernetes namespace will be
      # scheduled onto Fargate:
      - namespace: kube-system
      # Product namespace; the metering service account below lives here.
      - namespace: mcp

iam:
  # Create the cluster's OIDC identity provider so Kubernetes service
  # accounts can assume IAM roles (IRSA). Required for the serviceAccounts
  # entries below.
  withOIDC: true
  serviceAccounts:
    # Service account for the product workload: AWS Marketplace usage
    # metering and License Manager checkout.
    - metadata:
        name: ${PRODUCT_NAME}-sa
        namespace: mcp
      attachPolicy:
        Version: '2012-10-17'
        Statement:
          - Action:
              - "aws-marketplace:MeterUsage"
              - "aws-marketplace:RegisterUsage"
              - "license-manager:CheckoutLicense"
              - "license-manager:CheckInLicense"
              - "license-manager:ExtendLicenseConsumption"
              - "license-manager:GetLicense"
            Effect: Allow
            # NOTE(review): the marketplace metering APIs generally do not
            # accept resource-level ARNs, so "*" is expected here; verify the
            # license-manager actions cannot be scoped to the product's
            # license ARN.
            Resource: "*"

    # Service account for the ingress controller in kube-system. The action
    # set below matches the IAM policy shipped with the (v1) AWS ALB Ingress
    # Controller: it creates and deletes security groups, load balancers,
    # listeners, target groups, WAF associations and Shield protections.
    #
    # NOTE(review): every statement grants Resource: "*" with no Condition,
    # so this role can modify any security group / load balancer in the
    # account, not only those belonging to this cluster. Consider restricting
    # the mutating ec2/elasticloadbalancing actions with tag-based conditions
    # (e.g. aws:ResourceTag / aws:RequestTag keyed on the cluster name) as the
    # newer AWS Load Balancer Controller policy does.
    - metadata:
        name: ${PRODUCT_NAME}-icsa
        namespace: kube-system
      attachPolicy:
        Version: '2012-10-17'
        Statement:
          # Read-only access to ACM certificates referenced by ingress TLS.
          - Effect: Allow
            Action:
              - acm:DescribeCertificate
              - acm:ListCertificates
              - acm:GetCertificate
            Resource: "*"
          # Security-group and ENI management for ALB targets.
          - Effect: Allow
            Action:
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateSecurityGroup
              - ec2:CreateTags
              - ec2:DeleteTags
              - ec2:DeleteSecurityGroup
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeInstances
              - ec2:DescribeInstanceStatus
              - ec2:DescribeInternetGateways
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeTags
              - ec2:DescribeVpcs
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:RevokeSecurityGroupIngress
            Resource: "*"
          # Full lifecycle of load balancers, listeners, rules and target
          # groups (ELBv2).
          - Effect: Allow
            Action:
              - elasticloadbalancing:AddListenerCertificates
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:CreateListener
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:CreateRule
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeleteListener
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeleteRule
              - elasticloadbalancing:DeleteTargetGroup
              - elasticloadbalancing:DeregisterTargets
              - elasticloadbalancing:DescribeListenerCertificates
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DescribeRules
              - elasticloadbalancing:DescribeSSLPolicies
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:DescribeTargetGroups
              - elasticloadbalancing:DescribeTargetGroupAttributes
              - elasticloadbalancing:DescribeTargetHealth
              - elasticloadbalancing:ModifyListener
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:ModifyRule
              - elasticloadbalancing:ModifyTargetGroup
              - elasticloadbalancing:ModifyTargetGroupAttributes
              - elasticloadbalancing:RegisterTargets
              - elasticloadbalancing:RemoveListenerCertificates
              - elasticloadbalancing:RemoveTags
              - elasticloadbalancing:SetIpAddressType
              - elasticloadbalancing:SetSecurityGroups
              - elasticloadbalancing:SetSubnets
              - elasticloadbalancing:SetWebACL
            Resource: "*"
          # NOTE(review): iam:CreateServiceLinkedRole on "*" lets this role
          # create the service-linked role for any AWS service. If only the
          # ELB service-linked role is needed, add a Condition on
          # iam:AWSServiceName (elasticloadbalancing.amazonaws.com).
          - Effect: Allow
            Action:
              - iam:CreateServiceLinkedRole
              - iam:GetServerCertificate
              - iam:ListServerCertificates
            Resource: "*"
          # Needed when an ingress uses Cognito authentication on the ALB.
          - Effect: Allow
            Action:
              - cognito-idp:DescribeUserPoolClient
            Resource: "*"
          # WAF Classic (regional) web ACL association with the ALB.
          - Effect: Allow
            Action:
              - waf-regional:GetWebACLForResource
              - waf-regional:GetWebACL
              - waf-regional:AssociateWebACL
              - waf-regional:DisassociateWebACL
            Resource: "*"
          # Resource Groups Tagging API, used to discover and tag ALB resources.
          - Effect: Allow
            Action:
              - tag:GetResources
              - tag:TagResources
            Resource: "*"
          - Effect: Allow
            Action:
              - waf:GetWebACL
            Resource: "*"
          # Shield Advanced protection on the ALB (create/delete are
          # account-wide with Resource "*").
          - Effect: Allow
            Action:
              - shield:DescribeProtection
              - shield:GetSubscriptionState
              - shield:DeleteProtection
              - shield:CreateProtection
              - shield:DescribeSubscription
              - shield:ListProtections
            Resource: "*"

cloudWatch:
  clusterLogging:
    # Ship every control-plane log type (api, audit, authenticator,
    # controllerManager, scheduler) to CloudWatch Logs.
    enableTypes: ["*"]
    # NOTE(review): one day of retention means the audit log is gone before
    # most incidents are even noticed. Raise this (or export the log group to
    # a longer-lived store) if these logs are meant to support incident
    # response or compliance; the "*" above otherwise buys very little.
    logRetentionInDays: 1