OVHcloud Managed Kubernetes
MKS cluster with node pools and private-network (vRack) attachment.
Verification
Static-verified: Passed. Validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).
Conformance
- Static validation (fmt · validate · tflint)
- No applicable security policies for this provider
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
ovh-managed-k8s
An OVHcloud Managed Kubernetes (MKS) cluster: private-network-attached (vRack), with one or more node pools that autoscale by default, a hardened API server, and a free control plane (you pay only for worker nodes).
Status: static-validated, live-test pending. Validated with `tofu validate` + `tflint` + `checkov` against the `ovh/ovh` provider. Not yet applied against a live OVHcloud project, so it ships under live-test quarantine (no cloud sandbox account yet).
Design & secure defaults
- Private network by default. The module creates a dedicated vRack private network and a subnet for the workers, and attaches the cluster to it via the per-region OpenStack network id, so the node/kubelet network is not on the public interface. Node egress defaults to the public interface (`private_network_routing_as_default = false`) so the cluster has working outbound internet out of the box; set it to `true` only after adding a vRack gateway. Pass an existing network with `create_private_network = false` + `private_network_id` (the OpenStack network id) + `nodes_subnet_id`.
- API-server hardening. The `NodeRestriction` admission plugin is enabled by default; add or remove plugins via `apiserver_admission_plugins_*`.
- Controlled upgrades. `update_policy = "MINIMAL_DOWNTIME"` keeps the control plane patched without a full-cluster outage (use `NEVER_UPDATE` to pin).
- Autoscaling node pools. Each pool autoscales between `min_nodes` and `max_nodes`; a precondition enforces `min_nodes <= max_nodes`. Pool names may not contain underscores (an OVH constraint). `anti_affinity` spreads nodes across hypervisors for resilience.
- No hardcoded secrets. Credentials come from the provider block / environment; the generated `kubeconfig` output is marked `sensitive`.
Usage
```hcl
module "mks" {
  source = "github.com/ITfreak/iacbazaar//artifacts/terraform/ovh-managed-k8s"

  service_name       = "00000000000000000000000000000000"
  name               = "prod"
  region             = "GRA11"
  kubernetes_version = "1.31"

  node_pools = {
    default = { flavor_name = "b3-8", min_nodes = 3, max_nodes = 6 }
  }
}
```
See examples/basic for a complete configuration.
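The following is an added example, not part of the module's own examples/, showing the existing-network path and the hardening defaults described under "Design & secure defaults". The project, network and subnet ids are placeholders, the second flavor name and the `local_sensitive_file` resource (from the `hashicorp/local` provider) are assumptions, and the variable names follow the key-inputs table.

```hcl
# Added example: attach to an existing vRack network instead of creating one,
# keep API-server hardening, and handle the sensitive kubeconfig output.
# Ids below are placeholders; variable names follow the module's key inputs.
module "mks_existing_net" {
  source = "github.com/ITfreak/iacbazaar//artifacts/terraform/ovh-managed-k8s"

  service_name       = "00000000000000000000000000000000" # placeholder project id
  name               = "prod-eu"
  region             = "GRA11"
  kubernetes_version = "1.31"

  # Existing-network path: the module skips network creation and attaches the
  # cluster to the OpenStack network id and worker subnet you already own.
  create_private_network = false
  private_network_id     = "PLACEHOLDER_OPENSTACK_NETWORK_ID"
  nodes_subnet_id        = "PLACEHOLDER_SUBNET_ID"

  # Keep node egress on the public interface until a vRack gateway exists;
  # setting this to true without one leaves workers with no outbound route.
  private_network_routing_as_default = false

  # Control-plane patching without a full outage; NodeRestriction stays on.
  update_policy                       = "MINIMAL_DOWNTIME"
  apiserver_admission_plugins_enabled = ["NodeRestriction"]

  # Pool names: no underscores (OVH constraint). min_nodes <= max_nodes is
  # enforced by the module's precondition, so a swapped pair fails at plan.
  node_pools = {
    "general" = { flavor_name = "b3-8",  min_nodes = 3, max_nodes = 6, anti_affinity = true }
    "batch"   = { flavor_name = "b3-16", min_nodes = 1, max_nodes = 4, anti_affinity = false } # flavor assumed
  }
}

# The kubeconfig output is marked sensitive; write it to a 0600 file rather
# than echoing it through terraform output.
resource "local_sensitive_file" "kubeconfig" {
  content         = module.mks_existing_net.kubeconfig
  filename        = "${path.module}/kubeconfig-prod-eu"
  file_permission = "0600"
}
```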
Key inputs
| Variable | Description | Default |
|---|---|---|
| service_name | Public cloud project id (project-scoped API keys) | required |
| name | Cluster name | required |
| region | OVHcloud region (e.g. GRA11, WAW1) | required |
| kubernetes_version | K8s major.minor (e.g. 1.31) | null (latest) |
| update_policy | ALWAYS_UPDATE / MINIMAL_DOWNTIME / NEVER_UPDATE | MINIMAL_DOWNTIME |
| kube_proxy_mode | iptables or ipvs | iptables |
| create_private_network | Create a dedicated vRack network + subnet | true |
| private_network_id | Attach to an existing network (OpenStack net id) instead | null |
| private_subnet_network | CIDR of the worker subnet (create path) | 10.0.0.0/24 |
| private_network_routing_as_default | Route egress via the private interface (needs a vRack gateway) | false |
| apiserver_admission_plugins_enabled | Admission plugins to enable | ["NodeRestriction"] |
| node_pools | Map of pools (flavor_name, autoscaling bounds, anti_affinity, AZs) | one b3-8 pool |
Outputs
cluster_id, cluster_name, region, kubernetes_version, status, url,
nodes_url, control_plane_is_up_to_date, private_network_id,
kubeconfig (sensitive), node_pool_ids (map).
Provider
ovh/ovh >= 2.0, < 3.0. Requires Terraform/OpenTofu >= 1.6.
License
Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.