awslabs.eks-mcp-server 0.1.1__py3-none-any.whl

awslabs/eks_mcp_server/templates/eks-templates/eks-with-vpc.yaml

@@ -0,0 +1,454 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Amazon EKS Auto Mode Cluster with dedicated VPC - Private and Public subnets'
+
+Parameters:
+  ClusterName:
+    Type: String
+    Description: Name of the EKS cluster
+    Default: eks-cluster
+
+  KubernetesVersion:
+    Type: String
+    Description: Kubernetes version to use for the EKS cluster
+    Default: 1.32
+    AllowedValues:
+      - 1.28
+      - 1.29
+      - 1.30
+      - 1.31
+      - 1.32
+
+  VpcBlock:
+    Type: String
+    Default: 192.168.0.0/16
+    Description: The CIDR range for the VPC. This should be a valid private (RFC 1918) CIDR range.
+
+  PublicSubnet01Block:
+    Type: String
+    Default: 192.168.0.0/18
+    Description: CidrBlock for public subnet 01 within the VPC
+
+  PublicSubnet02Block:
+    Type: String
+    Default: 192.168.64.0/18
+    Description: CidrBlock for public subnet 02 within the VPC
+
+  PrivateSubnet01Block:
+    Type: String
+    Default: 192.168.128.0/18
+    Description: CidrBlock for private subnet 01 within the VPC
+
+  PrivateSubnet02Block:
+    Type: String
+    Default: 192.168.192.0/18
+    Description: CidrBlock for private subnet 02 within the VPC
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "EKS Cluster Configuration"
+        Parameters:
+          - ClusterName
+          - KubernetesVersion
+      - Label:
+          default: "Worker Network Configuration"
+        Parameters:
+          - VpcBlock
+          - PublicSubnet01Block
+          - PublicSubnet02Block
+          - PrivateSubnet01Block
+          - PrivateSubnet02Block
+
+Resources:
+  # VPC Resources
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock:
+        Ref: VpcBlock
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+      - Key: Name
+        Value:
+          Fn::Sub: '${AWS::StackName}-VPC'
+
+  InternetGateway:
+    Type: "AWS::EC2::InternetGateway"
+
+  VPCGatewayAttachment:
+    Type: "AWS::EC2::VPCGatewayAttachment"
+    Properties:
+      InternetGatewayId:
+        Ref: InternetGateway
+      VpcId:
+        Ref: VPC
+
+  PublicRouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId:
+        Ref: VPC
+      Tags:
+      - Key: Name
+        Value: Public Subnets
+      - Key: Network
+        Value: Public
+
+  PrivateRouteTable01:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId:
+        Ref: VPC
+      Tags:
+      - Key: Name
+        Value: Private Subnet AZ1
+      - Key: Network
+        Value: Private01
+
+  PrivateRouteTable02:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId:
+        Ref: VPC
+      Tags:
+      - Key: Name
+        Value: Private Subnet AZ2
+      - Key: Network
+        Value: Private02
+
+  PublicRoute:
+    DependsOn: VPCGatewayAttachment
+    Type: AWS::EC2::Route
+    Properties:
+      RouteTableId:
+        Ref: PublicRouteTable
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId:
+        Ref: InternetGateway
+
+  PrivateRoute01:
+    DependsOn:
+    - VPCGatewayAttachment
+    - NatGateway01
+    Type: AWS::EC2::Route
+    Properties:
+      RouteTableId:
+        Ref: PrivateRouteTable01
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId:
+        Ref: NatGateway01
+
+  PrivateRoute02:
+    DependsOn:
+    - VPCGatewayAttachment
+    - NatGateway02
+    Type: AWS::EC2::Route
+    Properties:
+      RouteTableId:
+        Ref: PrivateRouteTable02
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId:
+        Ref: NatGateway02
+
+  NatGateway01:
+    DependsOn:
+    - NatGatewayEIP1
+    - PublicSubnet01
+    - VPCGatewayAttachment
+    Type: AWS::EC2::NatGateway
+    Properties:
+      AllocationId:
+        Fn::GetAtt: 'NatGatewayEIP1.AllocationId'
+      SubnetId:
+        Ref: PublicSubnet01
+      Tags:
+      - Key: Name
+        Value:
+          Fn::Sub: '${AWS::StackName}-NatGatewayAZ1'
+
+  NatGateway02:
+    DependsOn:
+    - NatGatewayEIP2
+    - PublicSubnet02
+    - VPCGatewayAttachment
+    Type: AWS::EC2::NatGateway
+    Properties:
+      AllocationId:
+        Fn::GetAtt: 'NatGatewayEIP2.AllocationId'
+      SubnetId:
+        Ref: PublicSubnet02
+      Tags:
+      - Key: Name
+        Value:
+          Fn::Sub: '${AWS::StackName}-NatGatewayAZ2'
+
+  NatGatewayEIP1:
+    DependsOn:
+    - VPCGatewayAttachment
+    Type: 'AWS::EC2::EIP'
+    Properties:
+      Domain: vpc
+
+  NatGatewayEIP2:
+    DependsOn:
+    - VPCGatewayAttachment
+    Type: 'AWS::EC2::EIP'
+    Properties:
+      Domain: vpc
+
+  PublicSubnet01:
+    Type: AWS::EC2::Subnet
+    Metadata:
+      Comment: Subnet 01
+    Properties:
+      MapPublicIpOnLaunch: true
+      AvailabilityZone:
+        Fn::Select:
+        - '0'
+        - Fn::GetAZs:
+            Ref: AWS::Region
+      CidrBlock:
+        Ref: PublicSubnet01Block
+      VpcId:
+        Ref: VPC
+      Tags:
+      - Key: Name
+        Value:
+          Fn::Sub: "${AWS::StackName}-PublicSubnet01"
+      - Key: kubernetes.io/role/elb
+        Value: 1
+
+  PublicSubnet02:
+    Type: AWS::EC2::Subnet
+    Metadata:
+      Comment: Subnet 02
+    Properties:
+      MapPublicIpOnLaunch: true
+      AvailabilityZone:
+        Fn::Select:
+        - '1'
+        - Fn::GetAZs:
+            Ref: AWS::Region
+      CidrBlock:
+        Ref: PublicSubnet02Block
+      VpcId:
+        Ref: VPC
+      Tags:
+      - Key: Name
+        Value:
+          Fn::Sub: "${AWS::StackName}-PublicSubnet02"
+      - Key: kubernetes.io/role/elb
+        Value: 1
+
+  PrivateSubnet01:
+    Type: AWS::EC2::Subnet
+    Metadata:
+      Comment: Subnet 03
+    Properties:
+      AvailabilityZone:
+        Fn::Select:
+        - '0'
+        - Fn::GetAZs:
+            Ref: AWS::Region
+      CidrBlock:
+        Ref: PrivateSubnet01Block
+      VpcId:
+        Ref: VPC
+      Tags:
+      - Key: Name
+        Value:
+          Fn::Sub: "${AWS::StackName}-PrivateSubnet01"
+      - Key: kubernetes.io/role/internal-elb
+        Value: 1
+
+  PrivateSubnet02:
+    Type: AWS::EC2::Subnet
+    Metadata:
+      Comment: Private Subnet 02
+    Properties:
+      AvailabilityZone:
+        Fn::Select:
+        - '1'
+        - Fn::GetAZs:
+            Ref: AWS::Region
+      CidrBlock:
+        Ref: PrivateSubnet02Block
+      VpcId:
+        Ref: VPC
+      Tags:
+      - Key: Name
+        Value:
+          Fn::Sub: "${AWS::StackName}-PrivateSubnet02"
+      - Key: kubernetes.io/role/internal-elb
+        Value: 1
+
+  PublicSubnet01RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      SubnetId:
+        Ref: PublicSubnet01
+      RouteTableId:
+        Ref: PublicRouteTable
+
+  PublicSubnet02RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      SubnetId:
+        Ref: PublicSubnet02
+      RouteTableId:
+        Ref: PublicRouteTable
+
+  PrivateSubnet01RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      SubnetId:
+        Ref: PrivateSubnet01
+      RouteTableId:
+        Ref: PrivateRouteTable01
+
+  PrivateSubnet02RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      SubnetId:
+        Ref: PrivateSubnet02
+      RouteTableId:
+        Ref: PrivateRouteTable02
+
+  ControlPlaneSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Cluster communication with worker nodes
+      VpcId:
+        Ref: VPC
+
+  # EKS Cluster IAM Role with required policies for Auto Mode
+  EksClusterRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - eks.amazonaws.com
+          Action:
+          - sts:AssumeRole
+          - sts:TagSession
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+        - arn:aws:iam::aws:policy/AmazonEKSComputePolicy
+        - arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy
+        - arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy
+        - arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy
+
+  # Node IAM Role with required policies for Auto Mode
+  NodeInstanceRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - ec2.amazonaws.com
+          Action:
+          - sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy
+        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
+      Path: /
+
+  # EKS Auto Mode Cluster
+  EksCluster:
+    Type: AWS::EKS::Cluster
+    Metadata:
+      checkov:
+        skip:
+          - id: CKV_AWS_58
+            comment: "Secrets encryption is enabled by default in EKS 1.27+"
+    Properties:
+      Name:
+        Ref: ClusterName
+      Version:
+        Ref: KubernetesVersion
+      RoleArn:
+        Fn::GetAtt: EksClusterRole.Arn
+      ResourcesVpcConfig:
+        SecurityGroupIds:
+          - Ref: ControlPlaneSecurityGroup
+        SubnetIds:
+          - Ref: PublicSubnet01
+          - Ref: PublicSubnet02
+          - Ref: PrivateSubnet01
+          - Ref: PrivateSubnet02
+        EndpointPublicAccess: true
+        EndpointPrivateAccess: true
+      # Auto Mode Configuration
+      ComputeConfig:
+        Enabled: true
+        NodeRoleArn:
+          Fn::GetAtt: NodeInstanceRole.Arn
+        NodePools:
+          - general-purpose
+          - system
+      KubernetesNetworkConfig:
+        ElasticLoadBalancing:
+          Enabled: true
+      StorageConfig:
+        BlockStorage:
+          Enabled: true
+      AccessConfig:
+        AuthenticationMode: API
+    DependsOn: [EksClusterRole, NodeInstanceRole, PublicSubnet01, PublicSubnet02, PrivateSubnet01, PrivateSubnet02]
+
+Outputs:
+  SubnetIds:
+    Description: Subnets IDs in the VPC
+    Value:
+      Fn::Join:
+        - ","
+        - - Ref: PublicSubnet01
+          - Ref: PublicSubnet02
+          - Ref: PrivateSubnet01
+          - Ref: PrivateSubnet02
+
+  SecurityGroups:
+    Description: Security group for the cluster control plane communication with worker nodes
+    Value:
+      Fn::Join:
+        - ","
+        - - Ref: ControlPlaneSecurityGroup
+
+  VpcId:
+    Description: The VPC Id
+    Value:
+      Ref: VPC
+
+  ClusterName:
+    Description: The name of the EKS cluster
+    Value:
+      Ref: EksCluster
+
+  ClusterArn:
+    Description: The ARN of the EKS cluster
+    Value:
+      Fn::GetAtt: EksCluster.Arn
+
+  ClusterEndpoint:
+    Description: The endpoint for the EKS cluster
+    Value:
+      Fn::GetAtt: EksCluster.Endpoint
+
+  ClusterSecurityGroupId:
+    Description: Security group for the cluster control plane communication with worker nodes
+    Value:
+      Fn::GetAtt: EksCluster.ClusterSecurityGroupId
+
+  NodeInstanceRoleArn:
+    Description: The node instance role ARN
+    Value:
+      Fn::GetAtt: NodeInstanceRole.Arn

awslabs/eks_mcp_server/templates/k8s-templates/deployment.yaml

@@ -0,0 +1,49 @@
+# Kubernetes Deployment template for ECR images
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: APP_NAME
+  namespace: NAMESPACE
+  annotations:
+    checkov.io/skip1: CKV_K8S_20=This is a template file with placeholders, security context will be configured by the user
+    checkov.io/skip2: CKV_K8S_31=Seccomp profile will be configured by the user based on their specific requirements
+    checkov.io/skip3: CKV_K8S_23=Non-root user will be configured by the user based on their application needs
+    checkov.io/skip4: CKV_K8S_9=Readiness probe will be added by the user based on their application health check requirements
+    checkov.io/skip5: CKV_K8S_38=Service account token mounting will be configured by the user as needed
+    checkov.io/skip6: CKV_K8S_14=This is a template with IMAGE_URI placeholder, actual image tag will be provided by the user
+    checkov.io/skip7: CKV_K8S_43=This is a template with IMAGE_URI placeholder, actual image tag will be provided by the user
+    checkov.io/skip8: CKV_K8S_8=Liveness probe will be added by the user based on their application health check requirements
+    checkov.io/skip9: CKV_K8S_37=Container capabilities will be configured by the user based on their security requirements
+    checkov.io/skip10: CKV_K8S_29=Security context is partially configured with capabilities, full context will be added by the user
+    checkov.io/skip11: CKV_K8S_22=Read-only filesystem will be configured by the user based on their application requirements
+    checkov.io/skip12: CKV_K8S_40=UID will be configured by the user based on their security requirements
+    checkov.io/skip13: CKV2_K8S_6=NetworkPolicy will be configured by the user based on their network security requirements
+  labels:
+    app.kubernetes.io/name: APP_NAME
+spec:
+  replicas: REPLICAS
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: APP_NAME
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: APP_NAME
+    spec:
+      containers:
+      - name: APP_NAME
+        image: IMAGE_URI
+        imagePullPolicy: Always
+        ports:
+        - containerPort: PORT
+        securityContext:
+          capabilities:
+            drop:
+            - NET_RAW
+        resources:
+          requests:
+            cpu: CPU
+            memory: MEMORY
+          limits:
+            cpu: CPU
+            memory: MEMORY

awslabs/eks_mcp_server/templates/k8s-templates/service.yaml

@@ -0,0 +1,18 @@
+# Kubernetes Service template for LoadBalancer services
+apiVersion: v1
+kind: Service
+metadata:
+  name: APP_NAME
+  namespace: NAMESPACE
+  labels:
+    app.kubernetes.io/name: APP_NAME
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-scheme: LOAD_BALANCER_SCHEME
+spec:
+  type: LoadBalancer
+  ports:
+  - port: PORT
+    targetPort: PORT
+    protocol: TCP
+  selector:
+    app.kubernetes.io/name: APP_NAME