
Exoscale SKS Cluster

SKS Kubernetes with node pools, security groups, and anti-affinity.



exoscale-sks-cluster · terraform · v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

exoscale-sks-cluster

An Exoscale SKS managed Kubernetes cluster: an SLA-backed control plane with one or more worker node pools, a least-privilege cluster security group, and a dedicated anti-affinity group so a pool's nodes never share a hypervisor. Targets EU-sovereign zones (CH / AT / DE).

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the exoscale/exoscale provider. Not yet applied against a live Exoscale account, so it ships under live-test quarantine.

Design & secure defaults

  • HA control plane by default. service_level = "pro" provisions the SLA-backed, highly-available control plane. Use "starter" only for the free, best-effort tier.
  • Cilium CNI by default so Kubernetes NetworkPolicies are enforced.
  • Least-privilege cluster security group. Only the intra-cluster traffic SKS requires is opened, and only between members of the group itself (self-referencing rules), not the internet: VXLAN overlay (UDP 4789 / 8472), kubelet API (TCP 10250), and Cilium agent health (TCP 4240).
  • NodePort range closed by default. The public NodePort range (30000-32767) is denied until you explicitly pass nodeport_ingress_cidrs; expose services through a load balancer instead.
  • Anti-affinity for resilience. Every node pool is placed in a dedicated anti-affinity group so node failures don't cascade across a single host.
  • CCM / CSI / metrics-server on so load balancers, block-storage PVs, and HPA / kubectl top work out of the box. The CSI depends on the CCM, so exoscale_csi = true requires exoscale_ccm = true (enforced at plan time).
  • Auto-upgrade on for control-plane patch updates.
  • Optional OIDC API-server authentication via the oidc input.
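The self-referencing security-group pattern described above, written out as an added illustration. This is not the module's own code (the purchased module is not shown on this page); it uses the exoscale_security_group and exoscale_security_group_rule resource types from the exoscale/exoscale provider, and the resource names, the nodeport_ingress_cidrs variable and the group name are assumptions for the example.

```hcl
# Added example, not the exoscale-sks-cluster module's code.
# Resource names and the nodeport_ingress_cidrs variable are assumed.

variable "nodeport_ingress_cidrs" {
  description = "CIDRs allowed to reach the NodePort range; empty keeps it closed"
  type        = list(string)
  default     = []
}

resource "exoscale_security_group" "sks_nodes" {
  name        = "sks-nodes-example" # assumed name
  description = "Least-privilege group for SKS worker nodes"
}

locals {
  # The intra-cluster ports listed in the design notes. Each is opened
  # only from members of the same security group, never from a CIDR.
  intra_cluster_rules = {
    vxlan_4789    = { protocol = "udp", port = 4789 }
    vxlan_8472    = { protocol = "udp", port = 8472 }
    kubelet_api   = { protocol = "tcp", port = 10250 }
    cilium_health = { protocol = "tcp", port = 4240 }
  }
}

resource "exoscale_security_group_rule" "intra_cluster" {
  for_each = local.intra_cluster_rules

  security_group_id = exoscale_security_group.sks_nodes.id
  type              = "INGRESS"
  protocol          = each.value.protocol
  start_port        = each.value.port
  end_port          = each.value.port

  # Self-referencing rule: the source is the group itself, so only
  # instances that are members of sks_nodes can reach these ports.
  user_security_group_id = exoscale_security_group.sks_nodes.id
}

# NodePort range (30000-32767) is created only for CIDRs passed
# explicitly; with the default empty list no rule exists and the
# range stays closed. Prefer a load balancer for public exposure.
resource "exoscale_security_group_rule" "nodeport" {
  for_each = toset(var.nodeport_ingress_cidrs)

  security_group_id = exoscale_security_group.sks_nodes.id
  type              = "INGRESS"
  protocol          = "tcp"
  start_port        = 30000
  end_port          = 32767
  cidr              = each.value
}
```

Running tofu plan (or terraform plan) with the default variable value produces four ingress rules, all sourced from the group itself and none from 0.0.0.0/0; passing nodeport_ingress_cidrs = ["203.0.113.0/24"] (a documentation CIDR used here as a constructed value) adds exactly one NodePort rule for that range. Checking the plan for any rule whose cidr is 0.0.0.0/0 is a quick way to confirm the least-privilege property holds.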

Per-pool input validation enforces minimum size (>= 1), minimum disk (>= 20 GiB), and the <family>.<size> instance-type form. Pools with storage_lvm = true require disk_size >= 100 GiB (the provider's non-standard persistent-storage partitioning needs at least 100 GiB).

Provider

exoscale/exoscale ~> 0.69. Requires Terraform/OpenTofu >= 1.6.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.

  • Usage
  • Key inputs
  • Outputs