Linode Kubernetes Engine Cluster
Production LKE cluster with autoscaling node pools, HA control plane, disk encryption, ACL, and optional Enterprise tier.
Verification
Plan-validated · Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).
Conformance
- Static validation (fmt · validate · tflint)
- Security scan: findings disclosed (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
linode-lke-cluster
Production LKE cluster with autoscaling node pools, HA control plane, disk
encryption, ACL, and optional Enterprise tier. Works with Terraform and
OpenTofu (>= 1.6), Linode provider >= 3.14, < 4.0.
Secure / production defaults:
- HA control plane on by default (99.99% SLA; the standard-tier control plane itself is free, HA is billed)
- Control-plane ACL support — lock the Kubernetes API to your CIDRs; the module refuses an enabled ACL with an empty address list (lockout guard)
- Node pools with LKE autoscaler, Kubernetes labels, and taints; pool disks use Local Disk Encryption automatically in LDE-capable regions
- Two pool lifecycles: inline `pool` blocks on the cluster and standalone `linode_lke_node_pool` resources, with `external_pool_tags` wired automatically so they never fight
- LKE Enterprise tier gated behind `tier = "enterprise"` (flat monthly platform fee + LA/regional availability — never enabled by accident)
Usage
```hcl
module "lke" {
  source      = "./linode-lke-cluster"
  label       = "prod-cluster"
  region      = "us-ord"
  k8s_version = "1.33"

  node_pools = {
    workers = {
      type       = "g6-standard-4"
      count      = 3
      autoscaler = { min = 3, max = 10 }
    }
    batch = {
      type   = "g6-dedicated-8"
      count  = 1
      taints = [{ key = "workload", value = "batch", effect = "NoSchedule" }]
    }
  }

  control_plane_acl = {
    enabled = true
    ipv4    = ["203.0.113.0/24"]
  }
}
```
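
The lockout guard listed under "Secure / production defaults" can be expressed as a Terraform variable validation. The block below is an added sketch, not the module's own source: the variable shape follows the Inputs table, and the second rule (rejecting allow-all ranges) is an extra assumption that goes beyond what this page documents.

```hcl
# Added example, not the module's source code.
# Variable shape taken from the Inputs table: { enabled, ipv4 = [...], ipv6 = [...] }.
variable "control_plane_acl" {
  description = "Control-plane ACL for the Kubernetes API."

  type = object({
    enabled = optional(bool, false)
    ipv4    = optional(list(string), [])
    ipv6    = optional(list(string), [])
  })

  default = { enabled = false }

  # Lockout guard: an enabled ACL with no addresses would leave no client
  # able to reach the API server, including the operator running the apply.
  validation {
    condition = (
      !var.control_plane_acl.enabled ||
      length(var.control_plane_acl.ipv4) + length(var.control_plane_acl.ipv6) > 0
    )
    error_message = "An enabled control_plane_acl needs at least one ipv4 or ipv6 entry, otherwise no client can reach the Kubernetes API."
  }

  # Assumed extra rule (not stated on this page): an allow-all range makes the
  # ACL a no-op, so reject it instead of silently exposing the API endpoint.
  validation {
    condition = alltrue([
      for c in concat(var.control_plane_acl.ipv4, var.control_plane_acl.ipv6) :
      !contains(["0.0.0.0/0", "::/0"], c)
    ])
    error_message = "The control_plane_acl lists must not contain 0.0.0.0/0 or ::/0, because that allows every source address."
  }
}
```

With these rules, `{ enabled = true }` on its own fails at plan time, before any API call is made.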
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| label | string | — | Cluster label, 1-32 chars (required) |
| region | string | — | Linode region (required) |
| k8s_version | string | — | e.g. 1.33, or v1.31.1+lke1 for enterprise (required) |
| tier | string | "standard" | standard or enterprise |
| high_availability | bool | true | HA control plane (always on for enterprise) |
| control_plane_acl | object | { enabled = false } | { enabled, ipv4 = [...], ipv6 = [...] } |
| node_pools | map(object) | — | Inline pools: type, count, labels, taints, autoscaler { min, max } (required) |
| external_node_pools | map(object) | {} | Standalone linode_lke_node_pool pools, same shape |
| tags | list(string) | [] | Cluster tags |
Outputs
| Name | Description |
|---|---|
| cluster_id | Cluster ID |
| k8s_version | Running Kubernetes version |
| api_endpoints | Kubernetes API endpoints |
| kubeconfig | Base64 kubeconfig (sensitive) |
| dashboard_url | Kubernetes Dashboard URL |
| status | Cluster status |
| inline_pools | Inline pools { id, type, count } |
| external_node_pool_ids | External pool key => pool ID |
Requirements
- Terraform or OpenTofu >= 1.6
- `linode/linode` provider >= 3.14, < 4.0
- Inline pool blocks are positional: treat `node_pools` map keys as stable identifiers — renaming or reordering keys recreates pools. Use `external_node_pools` for pools you expect to churn.
- HA cannot be turned off once enabled; `k8s_version` upgrades recycle nodes.
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).