Create and manage clusters on CoreWeave Kubernetes Service (CKS).

Example usage

resource "coreweave_networking_vpc" "default" {
  name        = "default"
  zone        = "US-EAST-04A"
  host_prefix = "10.16.192.0/18"
  vpc_prefixes = [
    {
      name  = "pod cidr"
      value = "10.0.0.0/13"
    },
    {
      name  = "service cidr"
      value = "10.16.0.0/22"
    },
    {
      name  = "internal lb cidr"
      value = "10.32.4.0/22"
    },
  ]
}

resource "coreweave_cks_cluster" "default" {
  name                   = "default"
  version                = "v1.35"
  zone                   = "US-EAST-04A"
  vpc_id                 = coreweave_networking_vpc.default.id
  public                 = false
  pod_cidr_name          = "pod cidr"
  service_cidr_name      = "service cidr"
  internal_lb_cidr_names = ["internal lb cidr"]
  audit_policy           = filebase64("${path.module}/audit-policy.yaml")
  oidc = {
    ca              = filebase64("${path.module}/example-ca.crt")
    client_id       = "kbyuFDidLLm280LIwVFiazOqjO3ty8KH"
    groups_claim    = "read-only"
    groups_prefix   = "cw"
    issuer_url      = "https://samples.auth0.com/"
    required_claim  = ""
    signing_algs    = ["SIGNING_ALGORITHM_RS256"]
    username_claim  = "user_id"
    username_prefix = "cw"
  }
  authn_webhook = {
    ca     = filebase64("${path.module}/example-ca.crt")
    server = "https://samples.auth0.com/"
  }
  authz_webhook = {
    ca     = filebase64("${path.module}/example-ca.crt")
    server = "https://samples.auth0.com/"
  }
}

Schema

Required

  • internal_lb_cidr_names (List of String) The names of the VPC prefixes to use as internal load balancer CIDR ranges. Internal load balancers are reachable within the VPC but not accessible from the internet. The prefixes must exist in the cluster’s VPC. This field is append-only.
  • name (String) The name of the cluster. Must not be longer than 30 characters.
  • pod_cidr_name (String) The name of the VPC prefix to use as the pod CIDR range. The prefix must exist in the cluster’s VPC.
  • service_cidr_name (String) The name of the VPC prefix to use as the service CIDR range. The prefix must exist in the cluster’s VPC.
  • version (String) The version of Kubernetes to run on the cluster, in minor version format (e.g. ‘v1.35’). Patch versions are automatically applied by CKS as they are released.
  • vpc_id (String) The ID of the VPC in which the cluster is located. Must be a VPC in the same Availability Zone as the cluster.
  • zone (String) The Availability Zone in which the cluster is located.

Optional

  • additional_server_sans (Set of String) Additional Subject Alternative Names (SANs) to include in the Kubernetes API server TLS certificate. Maximum 10 entries.
  • audit_policy (String) Audit policy for the cluster. Must be provided as a base64-encoded JSON/YAML string.
  • authn_webhook (Attributes) Authentication webhook configuration for the cluster. (see below for nested schema)
  • authz_webhook (Attributes) Authorization webhook configuration for the cluster. (see below for nested schema)
  • internal_lb_cidr_names_v6 (List of String) IPv6 Internal Load Balancer CIDR names. If any IPv6 field is set, then ALL IPv6 fields must be set.
  • node_port_range (Attributes) Kubernetes Service NodePort range. NodePort range can be expanded in existing clusters but not shrunk. Updating the NodePort range to a smaller range will require a replacement of the cluster. (see below for nested schema)
  • oidc (Attributes) OpenID Connect (OIDC) configuration for authentication to the api-server. (see below for nested schema)
  • pod_cidr_name_v6 (String) IPv6 Pod CIDR name. If any IPv6 field is set, then ALL IPv6 fields must be set.
  • public (Boolean) Whether the cluster’s api-server is publicly accessible from the internet.
  • service_cidr_name_v6 (String) IPv6 Service CIDR name. If any IPv6 field is set, then ALL IPv6 fields must be set.
  • shared_storage_cluster_id (String) The cluster_id of the cluster to share storage with. Must be enabled by CoreWeave support. Contact CoreWeave support if you are interested in this feature.

Read-Only

  • api_server_endpoint (String) The endpoint for the cluster’s api-server.
  • id (String) The unique identifier of the cluster.
  • service_account_oidc_issuer_url (String) The URL of the OIDC issuer for the cluster’s service account tokens. This value corresponds to the --service-account-issuer flag on the kube-apiserver.
  • status (String) The current status of the cluster.

Nested Schema for authn_webhook

Required:
  • server (String) The URL of the webhook server.
Optional:
  • ca (String) The CA certificate for the webhook server. Must be a base64-encoded PEM-encoded certificate.

Nested Schema for authz_webhook

Required:
  • server (String) The URL of the webhook server.
Optional:
  • ca (String) The CA certificate for the webhook server. Must be a base64-encoded PEM-encoded certificate.

Nested Schema for node_port_range

Optional:
  • end (Number)
  • start (Number)

Nested Schema for oidc

Required:
  • client_id (String) The client ID for the OIDC client.
  • issuer_url (String) The URL of the OIDC issuer.
Optional:
  • admin_group_binding (String) The OIDC group that is bound to the cluster-admin role for bootstrap access to the cluster.
  • ca (String) The CA certificate for the OIDC issuer. Must be a base64-encoded PEM-encoded certificate.
  • groups_claim (String) The claim to use as the groups.
  • groups_prefix (String) The prefix to use for the groups.
  • required_claim (String) The claim to require for authentication.
  • signing_algs (Set of String) A list of signing algorithms that the OpenID Connect discovery endpoint uses.
  • username_claim (String) The claim to use as the username.
  • username_prefix (String) The prefix to use for the username.
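
The constraints stated in the schema (name length, minor version format, prefix names present in the VPC, at most 10 SANs, all-or-nothing IPv6 fields, base64-encoded PEM CAs) can be checked before `terraform apply`. The following Python check is an added example, not part of the CoreWeave provider; `check_cluster`, `is_b64_pem` and the sample data are hypothetical names, and the input is assumed to be the resource's attribute map.

```python
import base64
import re

# Added example: names below are made up; rules are those stated in the schema.
V6_FIELDS = ("pod_cidr_name_v6", "service_cidr_name_v6", "internal_lb_cidr_names_v6")

def is_b64_pem(value):
    """True if value is base64 that decodes to a PEM certificate."""
    try:
        pem = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return "-----BEGIN CERTIFICATE-----" in pem and "-----END CERTIFICATE-----" in pem

def check_cluster(cluster, vpc_prefix_names):
    """Return violations for one coreweave_cks_cluster attribute map."""
    errors = []
    if len(cluster.get("name", "")) > 30:
        errors.append("name: longer than 30 characters")
    if not re.fullmatch(r"v\d+\.\d+", cluster.get("version", "")):
        errors.append("version: not in minor version format (e.g. v1.35)")
    # Every referenced prefix name must exist in the cluster's VPC.
    refs = [cluster.get("pod_cidr_name"), cluster.get("service_cidr_name")]
    refs += cluster.get("internal_lb_cidr_names") or []
    for ref in refs:
        if ref not in vpc_prefix_names:
            errors.append(f"prefix {ref!r}: not defined in the VPC")
    if len(cluster.get("additional_server_sans") or []) > 10:
        errors.append("additional_server_sans: more than 10 entries")
    # IPv6 fields are all-or-nothing.
    v6_set = [f for f in V6_FIELDS if cluster.get(f)]
    if v6_set and len(v6_set) != len(V6_FIELDS):
        errors.append("ipv6: set all IPv6 fields or none")
    # Each CA, where given, must be base64-encoded PEM.
    for block in ("oidc", "authn_webhook", "authz_webhook"):
        ca = (cluster.get(block) or {}).get("ca")
        if ca and not is_b64_pem(ca):
            errors.append(f"{block}.ca: not a base64-encoded PEM certificate")
    return errors

# Constructed sample input (not real certificates or clusters).
PREFIXES = {"pod cidr", "service cidr", "internal lb cidr"}
SAMPLE_CA = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n").decode()
GOOD = {"name": "default", "version": "v1.35", "pod_cidr_name": "pod cidr",
        "service_cidr_name": "service cidr", "internal_lb_cidr_names": ["internal lb cidr"],
        "oidc": {"ca": SAMPLE_CA}}
BAD = dict(GOOD, name="x" * 31, version="1.35.2", pod_cidr_name="pods",
           service_cidr_name_v6="svc v6", oidc={"ca": "not base64!"})

if __name__ == "__main__":
    for problem in check_cluster(BAD, PREFIXES):
        print(problem)
```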

Import

Import is supported using the following syntax:
terraform import coreweave_cks_cluster.default {{id}}
Last modified on March 24, 2026