By default, Kublr automatically creates all AWS resources required to run a secure Kubernetes cluster in a single AWS CloudFormation stack. However, additional resources are sometimes necessary to implement complex or extended use cases.


Kublr supports inclusion of additional AWS CloudFormation resources in the cluster specification.

This makes it possible to tie the lifecycle of the additional resources to the cluster.


The additional resources can also be referenced in certain cluster specification fields, such as additional security groups, subnets, etc.


[Supported in Kublr 1.19.0 and later] Additional resources and parameters can be specified in the following fields in the cluster specification:

  • spec.locations[*].aws.resourcesCloudFormationExtras

    All resources specified in this section in the cluster spec are included as is in the CloudFormation template section Resources.

  • spec.master.locations[*].aws.asgCloudFormationExtras

    spec.nodes[*].locations[*].aws.asgCloudFormationExtras

    All fields specified in this section in the cluster spec in the master or a node group are included as is in the CloudFormation template in the corresponding autoscaling group resource.
    This is useful for specifying the group update policy and potentially other top-level ASG properties.

  • spec.master.locations[*].aws.asgPropertiesCloudFormationExtras

    spec.nodes[*].locations[*].aws.asgPropertiesCloudFormationExtras

    All fields specified in this section in the cluster spec in the master or a node group are included as is in the CloudFormation template in the corresponding autoscaling group resource in the Properties section.

  • spec.master.locations[*].aws.launchConfigurationPropertiesCloudFormationExtras

    spec.nodes[*].locations[*].aws.launchConfigurationPropertiesCloudFormationExtras

    All fields specified in this section in the cluster spec in the master or a node group are included as is in the CloudFormation template in the corresponding launch configuration resource in the Properties section, if the corresponding instance group uses a launch configuration (group type is asg-lc).

  • spec.master.locations[*].aws.launchTemplateDataCloudFormationExtras

    spec.nodes[*].locations[*].aws.launchTemplateDataCloudFormationExtras

    All fields specified in this section in the cluster spec in the master or a node group are included as is in the CloudFormation template in the corresponding launch template resource in the Data section, if the corresponding instance group uses a launch template (group type is asg-lt).

  • spec.master.locations[*].aws.mixedInstancesPolicyCloudFormationExtras

    spec.nodes[*].locations[*].aws.mixedInstancesPolicyCloudFormationExtras

    All fields specified in this section in the cluster spec in the master or a node group are included as is in the CloudFormation template in the corresponding autoscaling group resource in the Properties.MixedInstancesPolicy section, if the corresponding instance group uses a mixed instances policy and a launch template (group type is asg-mip).

  • [Kublr 1.19.3+] spec.secretStore.awsS3.secretExchangeBucketCloudFormationExtras

    All fields specified in this section in the cluster spec are included as is in the S3 bucket CloudFormation resource section in the cluster CloudFormation template.


[Supported in Kublr 1.19.3 and later] The following fields of the cluster specification can reference AWS resources using CloudFormation functions such as Ref or GetAtt:

  • spec.locations[*].aws.existingSecurityGroupIds

  • spec.master.locations[*].aws.existingSecurityGroupIds
    spec.nodes[*].locations[*].aws.existingSecurityGroupIds


  • spec.master.locations[*].aws.subnetIds
    spec.nodes[*].locations[*].aws.subnetIds

  • spec.master.locations[*].aws.privateMasterPublicElbSubnetIds
    spec.nodes[*].locations[*].aws.privateMasterPublicElbSubnetIds

  • spec.master.locations[*].aws.loadBalancerNames
    spec.nodes[*].locations[*].aws.loadBalancerNames


  • spec.master.locations[*].aws.targetGroupARNs
    spec.nodes[*].locations[*].aws.targetGroupARNs


  • spec.secretStore.awsS3.secretExchangeBucketCloudFormationExtras
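
Because the extras are included as is, it is worth reviewing a cluster spec before it is applied. The following is an added example, not Kublr code: a small audit that takes the contents of spec as a dictionary, lists Ref/GetAtt references in the fields above that do not point at a resource declared in resourcesCloudFormationExtras (they must then resolve to something Kublr generates itself), and flags extra security groups with world-open ingress. The sample spec, the logical IDs ExtraIngressSg and MissingTargetGroup, and all values are constructed.

```python
# Added example, not Kublr code. Field names come from the lists above; the sample
# spec, the logical IDs and every value in it are constructed for illustration.
REF_FIELDS = ("existingSecurityGroupIds", "subnetIds", "privateMasterPublicElbSubnetIds",
              "loadBalancerNames", "targetGroupARNs")

def aws_blocks(spec):
    """Yield (path, aws dict) for cluster, master and node-group locations."""
    groups = [("spec", spec), ("spec.master", spec.get("master", {}))]
    groups += [(f"spec.nodes[{n}]", g) for n, g in enumerate(spec.get("nodes", []))]
    for prefix, group in groups:
        for i, loc in enumerate(group.get("locations", [])):
            yield f"{prefix}.locations[{i}].aws", loc.get("aws", {})

def ref_target(value):
    """Logical ID named by a {"Ref": ...} or {"Fn::GetAtt": ...} value, else None."""
    if not isinstance(value, dict):
        return None  # plain string such as a literal sg-... or subnet-... ID
    att = value.get("Fn::GetAtt")
    att = att.split(".") if isinstance(att, str) else att
    return value.get("Ref") or (att[0] if att else None)

def audit(spec):
    """Return (unresolved references, world-open ingress rules in extra resources)."""
    declared = {}
    for loc in spec.get("locations", []):
        declared.update(loc.get("aws", {}).get("resourcesCloudFormationExtras", {}))
    unresolved = [(f"{path}.{field}", target)
                  for path, aws in aws_blocks(spec)
                  for field in REF_FIELDS
                  for target in map(ref_target, aws.get(field, []))
                  if target and target not in declared]
    open_ingress = [(name, rule.get("FromPort"), rule.get("ToPort"))
                    for name, res in declared.items()
                    if res.get("Type") == "AWS::EC2::SecurityGroup"
                    for rule in res.get("Properties", {}).get("SecurityGroupIngress", [])
                    if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"]
    return unresolved, open_ingress

SAMPLE_SPEC = {  # constructed input: the contents of "spec" in a cluster specification
    "locations": [{"aws": {"resourcesCloudFormationExtras": {"ExtraIngressSg": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {"GroupDescription": "extra ingress", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}}}}}],
    "master": {"locations": [{"aws": {
        "existingSecurityGroupIds": [{"Fn::GetAtt": ["ExtraIngressSg", "GroupId"]}]}}]},
    "nodes": [{"locations": [{"aws": {
        "existingSecurityGroupIds": [{"Ref": "ExtraIngressSg"}, "sg-0123456789abcdef0"],
        "targetGroupARNs": [{"Ref": "MissingTargetGroup"}]}}]}],
}
```

Calling audit(SAMPLE_SPEC) reports the MissingTargetGroup reference and the port 443 rule open to 0.0.0.0/0; the 10.0.0.0/8 rule and the literal security group ID pass.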


See examples of using these capabilities for advanced configurations: