


# Create an ACK capability
<a name="create-ack-capability"></a>

This chapter explains how to create an ACK capability on your Amazon EKS cluster.

## Prerequisites
<a name="_prerequisites"></a>

Before creating an ACK capability, ensure you have:
+ An Amazon EKS cluster
+ An IAM Capability Role with permissions for ACK to manage AWS resources
+ Sufficient IAM permissions to create capability resources on EKS clusters
+ The appropriate CLI tool installed and configured, or access to the EKS Console

For instructions on creating the IAM Capability Role, see [Amazon EKS capability IAM role](capability-role.md).

**Important**  
ACK is an infrastructure management capability that grants the ability to create, modify, and delete AWS resources. This is an admin-scoped capability that should be carefully controlled. Anyone with permission to create Kubernetes resources in your cluster can effectively create AWS resources through ACK, subject to the IAM Capability Role permissions. The IAM Capability Role you provide determines which AWS resources ACK can create and manage. For guidance on creating an appropriate role with least-privilege permissions, see [Amazon EKS capability IAM role](capability-role.md) and [Security considerations for EKS Capabilities](capabilities-security.md).

## Choose your tool
<a name="_choose_your_tool"></a>

You can create an ACK capability using the AWS Management Console, AWS CLI, or eksctl:
+  [Create an ACK capability using the Console](ack-create-console.md) - Use the Console for a guided experience
+  [Create an ACK capability using the AWS CLI](ack-create-cli.md) - Use the AWS CLI for scripting and automation
+  [Create an ACK capability using eksctl](ack-create-eksctl.md) - Use eksctl for a Kubernetes-native experience

## What happens when you create an ACK capability
<a name="_what_happens_when_you_create_an_ack_capability"></a>

When you create an ACK capability:

1. EKS creates the ACK capability service and configures it to monitor and manage resources in your cluster

1. Custom Resource Definitions (CRDs) are installed in your cluster

1. An access entry is automatically created for your IAM Capability Role with capability-specific access entry policies that grant baseline Kubernetes permissions (see [Security considerations for EKS Capabilities](capabilities-security.md))

1. The capability assumes the IAM Capability Role you provide

1. ACK begins watching for its custom resources in your cluster

1. The capability status changes from `CREATING` to `ACTIVE` 

Once active, you can create ACK custom resources in your cluster to manage AWS resources.

**Note**  
The automatically created access entry includes the `AmazonEKSACKPolicy` which grants ACK permissions to manage AWS resources. Some ACK resources that reference Kubernetes secrets (such as RDS databases with passwords) require additional access entry policies. To learn more about access entries and how to configure additional permissions, see [Security considerations for EKS Capabilities](capabilities-security.md).

## Next steps
<a name="_next_steps"></a>

After creating the ACK capability:
+  [ACK concepts](ack-concepts.md) - Understand ACK concepts, get started with AWS resources, and learn about reconciliation, field exports, and resource adoption patterns
+  [Configure ACK permissions](ack-permissions.md) - Configure IAM permissions and multi-account patterns

# Create an ACK capability using the Console
<a name="ack-create-console"></a>

This topic describes how to create an AWS Controllers for Kubernetes (ACK) capability using the AWS Management Console.

## Create the ACK capability
<a name="_create_the_ack_capability"></a>

1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.

1. Select your cluster name to open the cluster detail page.

1. Choose the **Capabilities** tab.

1. In the left navigation, choose **AWS Controllers for Kubernetes (ACK)**.

1. Choose **Create AWS Controllers for Kubernetes capability**.

1. For **IAM Capability Role**:
   + If you already have an IAM Capability Role, select it from the dropdown
   + If you need to create a role, choose **Create admin role** 

     This opens the IAM console in a new tab with a pre-populated trust policy and the `AdministratorAccess` managed policy attached. You can unselect this policy and add other permissions if you prefer.

     After creating the role, return to the EKS console; the role will be selected automatically.

**Important**  
The suggested `AdministratorAccess` policy grants broad permissions and is intended to streamline getting started. For production use, replace this with a custom policy that grants only the permissions needed for the specific AWS services you plan to manage with ACK. For guidance on creating least-privilege policies, see [Configure ACK permissions](ack-permissions.md) and [Security considerations for EKS Capabilities](capabilities-security.md).

1. Choose **Create**.

The capability creation process begins.

## Verify the capability is active
<a name="_verify_the_capability_is_active"></a>

1. On the **Capabilities** tab, view the ACK capability status.

1. Wait for the status to change from `CREATING` to `ACTIVE`.

1. Once active, the capability is ready to use.

For information about capability statuses and troubleshooting, see [Working with capability resources](working-with-capabilities.md).

## Verify custom resources are available
<a name="_verify_custom_resources_are_available"></a>

After the capability is active, verify that ACK custom resources are available in your cluster.

**Using the console**

1. Navigate to your cluster in the Amazon EKS console

1. Choose the **Resources** tab

1. Choose **Extensions** 

1. Choose **CustomResourceDefinitions** 

You should see a number of CRDs listed for AWS resources.

**Using kubectl**

```
kubectl api-resources | grep services.k8s.aws
```

You should see a number of APIs listed for AWS resources.

**Note**  
The capability for AWS Controllers for Kubernetes will install a number of CRDs for a variety of AWS resources.

## Next steps
<a name="_next_steps"></a>
+  [ACK concepts](ack-concepts.md) - Understand ACK concepts and get started
+  [Configure ACK permissions](ack-permissions.md) - Configure IAM permissions for other AWS services
+  [Working with capability resources](working-with-capabilities.md) - Manage your ACK capability resource

# Create an ACK capability using the AWS CLI
<a name="ack-create-cli"></a>

This topic describes how to create an AWS Controllers for Kubernetes (ACK) capability using the AWS CLI.

## Prerequisites
<a name="_prerequisites"></a>
+  **AWS CLI** – Version `2.12.3` or later. To check your version, run `aws --version`. For more information, see [Installing](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) in the AWS Command Line Interface User Guide.
+  **`kubectl`** – A command line tool for working with Kubernetes clusters. For more information, see [Set up `kubectl` and `eksctl`](install-kubectl.md).

## Step 1: Create an IAM Capability Role
<a name="_step_1_create_an_iam_capability_role"></a>

Create a trust policy file:

```
cat > ack-trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "capabilities.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
EOF
```

Create the IAM role:

```
aws iam create-role \
  --role-name ACKCapabilityRole \
  --assume-role-policy-document file://ack-trust-policy.json
```

Attach the `AdministratorAccess` managed policy to the role:

```
aws iam attach-role-policy \
  --role-name ACKCapabilityRole \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```

**Important**  
The suggested `AdministratorAccess` policy grants broad permissions and is intended to streamline getting started. For production use, replace this with a custom policy that grants only the permissions needed for the specific AWS services you plan to manage with ACK. For guidance on creating least-privilege policies, see [Configure ACK permissions](ack-permissions.md) and [Security considerations for EKS Capabilities](capabilities-security.md).

## Step 2: Create the ACK capability
<a name="_step_2_create_the_ack_capability"></a>

Create the ACK capability resource on your cluster. Replace *region-code* with the AWS Region that your cluster is in and replace *my-cluster* with the name of your cluster.

```
aws eks create-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-ack \
  --type ACK \
  --role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ACKCapabilityRole \
  --delete-propagation-policy RETAIN
```

The command returns immediately, but the capability takes some time to become active as EKS creates the required capability infrastructure and components. EKS will install the Kubernetes Custom Resource Definitions related to this capability in your cluster as it is being created.

**Note**  
If you receive an error that the cluster doesn't exist or you don't have permissions, verify:
+ The cluster name is correct
+ Your AWS CLI is configured for the correct region
+ You have the required IAM permissions

## Step 3: Verify the capability is active
<a name="_step_3_verify_the_capability_is_active"></a>

Wait for the capability to become active. Replace *region-code* with the AWS Region that your cluster is in and replace *my-cluster* with the name of your cluster.

```
aws eks describe-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-ack \
  --query 'capability.status' \
  --output text
```

The capability is ready when the status shows `ACTIVE`. Don’t continue to the next step until the status is `ACTIVE`.

You can also view the full capability details:

```
aws eks describe-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-ack
```

## Step 4: Verify custom resources are available
<a name="_step_4_verify_custom_resources_are_available"></a>

After the capability is active, verify that ACK custom resources are available in your cluster:

```
kubectl api-resources | grep services.k8s.aws
```

You should see a number of APIs listed for AWS resources.

**Note**  
The capability for AWS Controllers for Kubernetes will install a number of CRDs for a variety of AWS resources.
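Steps 2 through 4 above (and the same steps in the eksctl flow) folded into one script, as an added example that is not part of this guide: it polls the `describe-capability` query from Step 3 until the status is `ACTIVE`, reports and stops on any status other than `CREATING` or `ACTIVE` (the guide names only those two), and then makes the Step 4 check specific by confirming that the API group for each controller you expect is served. The cluster, Region and capability names are placeholders, the API group pattern `<service>.services.k8s.aws` is taken from the `grep` filter above, and the 60-attempt, 15-second polling budget is an assumption.

```shell
#!/bin/sh
# Added example, not from the EKS user guide: wait for the ACK capability to
# reach ACTIVE and then confirm the ACK API groups are served by the cluster.
# CLUSTER, REGION and CAPABILITY are placeholders; override them in the environment.

CLUSTER="${CLUSTER:-my-cluster}"
REGION="${REGION:-region-code}"
CAPABILITY="${CAPABILITY:-my-ack}"

# The describe-capability query from Step 3, wrapped so it can be polled.
capability_status() {
  aws eks describe-capability \
    --region "$REGION" --cluster-name "$CLUSTER" --capability-name "$CAPABILITY" \
    --query 'capability.status' --output text
}

# Map a status value to an action: ready (ACTIVE), wait (CREATING) or stop
# (anything else; the guide names only those two states, so any other value
# is reported rather than waited on).
classify_status() {
  case "$1" in
    ACTIVE)   echo ready ;;
    CREATING) echo wait ;;
    *)        echo stop ;;
  esac
}

# Poll until ACTIVE. $1 = maximum attempts, $2 = seconds between attempts.
wait_for_active() {
  attempts="${1:-60}"; interval="${2:-15}"; n=0; status=""
  while [ "$n" -lt "$attempts" ]; do
    status="$(capability_status)" || return 1
    case "$(classify_status "$status")" in
      ready) echo "capability $CAPABILITY is ACTIVE"; return 0 ;;
      stop)  echo "capability $CAPABILITY has status $status; not waiting" >&2; return 1 ;;
    esac
    n=$((n + 1))
    sleep "$interval"
  done
  echo "timed out after $attempts attempts; last status: $status" >&2
  return 1
}

# Step 4, made specific: check one API group per expected controller
# (ACK groups follow the pattern <service>.services.k8s.aws, as in the grep above).
verify_ack_groups() {
  missing=0
  for svc in "$@"; do
    group="${svc}.services.k8s.aws"
    if kubectl api-resources --api-group="$group" --no-headers 2>/dev/null | grep -q .; then
      echo "ok: $group"
    else
      echo "missing: $group" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Only call AWS and the cluster when asked, so the functions can be sourced offline.
if [ "${ACK_RUN:-}" = "1" ]; then
  wait_for_active 60 15 && verify_ack_groups s3
fi
```

Run it with `ACK_RUN=1 CLUSTER=my-cluster REGION=region-code sh wait-for-ack.sh`; the list passed to `verify_ack_groups` should match the controllers you intend to use, so that a missing group is caught before the first custom resource is applied rather than when it fails to reconcile.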

## Next steps
<a name="_next_steps"></a>
+  [ACK concepts](ack-concepts.md) - Understand ACK concepts and get started
+  [Configure ACK permissions](ack-permissions.md) - Configure IAM permissions for other AWS services
+  [Working with capability resources](working-with-capabilities.md) - Manage your ACK capability resource

# Create an ACK capability using eksctl
<a name="ack-create-eksctl"></a>

This topic describes how to create an AWS Controllers for Kubernetes (ACK) capability using eksctl.

**Note**  
The following steps require eksctl version `0.220.0` or later. To check your version, run `eksctl version`.

## Step 1: Create an IAM Capability Role
<a name="_step_1_create_an_iam_capability_role"></a>

Create a trust policy file:

```
cat > ack-trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "capabilities.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
EOF
```

Create the IAM role:

```
aws iam create-role \
  --role-name ACKCapabilityRole \
  --assume-role-policy-document file://ack-trust-policy.json
```

Attach the `AdministratorAccess` managed policy to the role:

```
aws iam attach-role-policy \
  --role-name ACKCapabilityRole \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```

**Important**  
The suggested `AdministratorAccess` policy grants broad permissions and is intended to streamline getting started. For production use, replace this with a custom policy that grants only the permissions needed for the specific AWS services you plan to manage with ACK. For guidance on creating least-privilege policies, see [Configure ACK permissions](ack-permissions.md) and [Security considerations for EKS Capabilities](capabilities-security.md).

**Important**  
This policy grants permissions for S3 bucket management with `"Resource": "*"`, which allows operations on all S3 buckets. For production use:
+ Restrict the `Resource` field to specific bucket ARNs or name patterns
+ Use IAM condition keys to limit access by resource tags
+ Grant only the minimum permissions needed for your use case

For other AWS services, see [Configure ACK permissions](ack-permissions.md).

Attach the policy to the role:

```
aws iam attach-role-policy \
  --role-name ACKCapabilityRole \
  --policy-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):policy/ACKS3Policy
```
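Both the `AdministratorAccess` note in the AWS CLI steps and the S3 note above tell you to replace a broad policy with one scoped to the resources ACK should manage. The following is an added example, not the guide's own policy and not the `ACKS3Policy` document referenced above (which this page does not reproduce): it emits a policy whose `Resource` is a bucket-name pattern instead of `*`, refuses to create the policy if a wildcard resource slipped in, and only then calls `aws iam create-policy`. The bucket prefix, the policy name, and the list of bucket-level S3 actions are assumptions for illustration; the action list is an illustrative subset, not a verified minimum for the ACK S3 controller, and tag-based condition keys are left out.

```shell
#!/bin/sh
# Added example, not from the EKS user guide: a scoped S3 policy for the ACK
# IAM Capability Role that names a bucket ARN pattern instead of "Resource": "*",
# plus a check that refuses to create a policy containing a wildcard resource.
# BUCKET_PREFIX, POLICY_NAME and the action list are assumptions for illustration.

BUCKET_PREFIX="${BUCKET_PREFIX:-ack-}"            # placeholder: name pattern of buckets ACK may manage
POLICY_NAME="${POLICY_NAME:-ACKS3ScopedPolicy}"   # placeholder policy name

# Print a policy document restricted to buckets whose names start with $1.
# The action list is an illustrative subset of bucket-level S3 actions; extend
# it to match the fields you actually set on ACK Bucket resources.
scoped_s3_policy() {
  prefix="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManagePrefixedBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:PutBucketTagging",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:PutEncryptionConfiguration",
        "s3:GetBucketPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "arn:aws:s3:::${prefix}*"
    }
  ]
}
EOF
}

# Read a policy document on stdin; succeed (0) if any statement uses "Resource": "*".
has_wildcard_resource() {
  grep -q '"Resource"[[:space:]]*:[[:space:]]*"\*"'
}

# Write the document, refuse it if it contains a wildcard resource, then create it
# and print the new policy ARN (ready for aws iam attach-role-policy).
create_scoped_policy() {
  scoped_s3_policy "$BUCKET_PREFIX" > ack-s3-scoped-policy.json
  if has_wildcard_resource < ack-s3-scoped-policy.json; then
    echo "refusing to create $POLICY_NAME: wildcard Resource found" >&2
    return 1
  fi
  aws iam create-policy \
    --policy-name "$POLICY_NAME" \
    --policy-document file://ack-s3-scoped-policy.json \
    --query Policy.Arn --output text
}

# Only talk to IAM when explicitly asked, so the functions can be sourced offline.
if [ "${ACK_APPLY:-}" = "1" ]; then
  create_scoped_policy
fi
```

Run it with `ACK_APPLY=1 BUCKET_PREFIX=ack- sh scoped-s3-policy.sh` and pass the printed ARN to `aws iam attach-role-policy --role-name ACKCapabilityRole --policy-arn ...` in place of `ACKS3Policy`. The wildcard check is deliberately blunt: actions that only accept `"Resource": "*"` (account-wide list operations, for example) belong in their own statement that you review by hand rather than in the bucket-management statement.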

## Step 2: Create the ACK capability
<a name="_step_2_create_the_ack_capability"></a>

Create the ACK capability using eksctl. Replace *region-code* with the AWS Region that your cluster is in and replace *my-cluster* with the name of your cluster.

```
eksctl create capability \
  --cluster my-cluster \
  --region region-code \
  --name ack \
  --type ACK \
  --role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ACKCapabilityRole \
  --ack-service-controllers s3
```

**Note**  
The `--ack-service-controllers` flag is optional. If omitted, ACK enables all available controllers. For better performance and security, consider enabling only the controllers you need. You can specify multiple controllers: `--ack-service-controllers s3,rds,dynamodb` 

The command returns immediately, but the capability takes some time to become active.

## Step 3: Verify the capability is active
<a name="_step_3_verify_the_capability_is_active"></a>

Check the capability status:

```
eksctl get capability \
  --cluster my-cluster \
  --region region-code \
  --name ack
```

The capability is ready when the status shows `ACTIVE`.

## Step 4: Verify custom resources are available
<a name="_step_4_verify_custom_resources_are_available"></a>

After the capability is active, verify that ACK custom resources are available in your cluster:

```
kubectl api-resources | grep services.k8s.aws
```

You should see a number of APIs listed for AWS resources.

**Note**  
The capability for AWS Controllers for Kubernetes will install a number of CRDs for a variety of AWS resources.

## Next steps
<a name="_next_steps"></a>
+  [ACK concepts](ack-concepts.md) - Understand ACK concepts and get started
+  [Configure ACK permissions](ack-permissions.md) - Configure IAM permissions for other AWS services
+  [Working with capability resources](working-with-capabilities.md) - Manage your ACK capability resource