
Overview

Cluster Advanced Settings allow you to fine-tune infrastructure-level parameters for your Qovery-managed Kubernetes clusters. These settings provide granular control over networking, logging, security, resource allocation, and cloud provider-specific features.

Cloud Provider Availability

Settings are tagged with their supported cloud providers:
  • AWS: Amazon Web Services
  • GCP: Google Cloud Platform
  • Azure: Microsoft Azure
  • Scaleway

Configuring Cluster Advanced Settings

The easiest way to configure cluster advanced settings is directly from the Qovery Console:
  1. Navigate to Cluster Settings: go to your cluster page and click on Settings.
  2. Open Advanced Settings: in the settings menu, select Advanced Settings.
  3. Configure Settings: browse and configure the advanced settings you need. Settings are organized by category for easy navigation.
  4. Save and Redeploy: click Save and redeploy your cluster for changes to take effect.

Use the “Show only overridden settings” toggle to filter and view only the settings you’ve customized from their default values.
After updating cluster advanced settings, you must redeploy the cluster for changes to take effect.

Via Qovery API

You can also configure advanced settings using the Qovery API:
curl -X PATCH "https://api.qovery.com/cluster/{cluster_id}/advancedSettings" \
  -H "Authorization: Token YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "loki.log_retention_in_week": 24,
    "nginx.hpa.min_number_instances": 3,
    "database.postgresql.deny_any_access": false,
    "database.postgresql.allowed_cidrs": ["10.0.0.0/16"]
  }'

Via Terraform

Use the Qovery Terraform Provider to manage cluster advanced settings as code:
resource "qovery_cluster" "my_cluster" {
  name                = "production-cluster"
  organization_id     = var.organization_id
  cloud_provider      = "AWS"
  region              = "us-east-1"

  advanced_settings_json = jsonencode({
    "loki.log_retention_in_week" = 24
    "nginx.hpa.min_number_instances" = 3
    "nginx.controller.enable_client_ip" = true
    "database.postgresql.deny_any_access" = false
    "database.postgresql.allowed_cidrs" = ["10.0.0.0/16"]
  })
}

Cluster sizing

cluster.profile

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Defines the cluster sizing profile, which determines the default resource allocation and performance characteristics of the cluster.
Choosing a larger profile may incur higher costs but provides better performance and capacity for workloads. Here are detailed insights to help you choose the right profile:
  • Small: Suitable for development, testing, or small-scale applications with low resource demands.
    • 3-5 nodes | 12-20 vCPUs | 24-40 GB RAM | ~50-100 pods
    • Node size: 2-4 vCPUs, 4-8 GB RAM per node
    • Use cases: Development, staging, small internal tools
  • Medium: A balanced option for moderate workloads, suitable for most production applications.
    • 6-10 nodes | 48-80 vCPUs | 96-160 GB RAM | ~200-400 pods
    • Node size: 4-8 vCPUs, 8-16 GB RAM per node
    • Use cases: Small to medium production apps, multi-tenant dev environments
  • Large: Designed for high-traffic applications or workloads requiring significant resources.
    • 11-20 nodes | 176-320 vCPUs | 352-640 GB RAM | ~500-1000 pods
    • Node size: 8-16 vCPUs, 16-32 GB RAM per node
    • Use cases: Enterprise production applications, microservices architectures
  • ExtraLarge: Ideal for enterprise-level applications with intensive resource needs and high availability requirements.
    • 20+ nodes | 400+ vCPUs | 800+ GB RAM | 1000+ pods
    • Node size: 16-32+ vCPUs, 32-64+ GB RAM per node
    • Use cases: Large-scale production, ML/AI workloads, intensive data processing
Valid values: Small, Medium, Large, ExtraLarge Default Value: Medium

Logs

aws.cloudwatch.eks_logs_retention_days

Cloud Provider: AWS Type: integer Description: Maximum retention days in CloudWatch for EKS logs. Valid values: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, 3653 Default Value: 90

aws.vpc.enable_s3_flow_logs

Cloud Provider: AWS Type: boolean Description: Enable flow logs on the cluster VPC and store them in an S3 bucket. Default Value: false

aws.vpc.flow_logs_retention_days

Cloud Provider: AWS Type: integer Description: Set the number of retention days for flow logs. Set to 0 for unlimited retention. Default Value: 365

loki.log_retention_in_week

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Maximum retention, in weeks, of Kubernetes pod logs (containers/applications/jobs/cronjobs). Default Value: 12 (84 days)

gcp.vpc.enable_flow_logs

Cloud Provider: GCP Type: boolean Description: Enable VPC flow logs on the cluster VPC (on each VPC subnetwork). See the GCP VPC flow logs documentation. Default Value: false

gcp.vpc.flow_logs_sampling

Cloud Provider: GCP Type: float Description: Set the VPC flow logs sampling percentage. The value should be within the 0.0 (no sampling) to 1.0 (all logs) range. Default Value: 0.0

object_storage.enable_logging

Cloud Provider: AWS GCP Azure Type: boolean Description: Enable logging of the cluster buckets into a <bucket>-log bucket. See documentation for AWS and GCP. Default Value: false

DNS

dns.coredns.extra_config

Cloud Provider: AWS Scaleway Azure Type: string Description: Additional configuration to add to CoreDNS. This can be used to customize DNS resolution rules on the cluster. Default Value: null Example:
example.com:53 {
    errors
    cache 30
    forward . 8.8.8.8 8.8.4.4
}

Image Registry

registry.image_retention_time

Cloud Provider: AWS Type: integer Description: Allows you to specify an amount in seconds after which images in the default registry are deleted.
Changing this setting will only affect new ECR repositories created after the change. Existing repositories will not be affected.
Default Value: 31536000 (1 year)

registry.mirroring_mode

Cloud Provider: AWS Type: string Description: Allows you to specify the image mirroring mode to be used for each image deployed on this cluster. Valid values: Service, Cluster Default Value: Service

cloud_provider.container_registry.tags

Cloud Provider: AWS Scaleway GCP Azure Type: Map<String, String> Description: Add additional tags on the cluster dedicated registry. Default Value: {} Example:
{
  "cloud_provider.container_registry.tags": {
    "Environment": "Production",
    "Team": "Platform"
  }
}

Network - Load Balancer

aws.eks.enable_alb_controller

Cloud Provider: AWS Type: boolean Description: Enable the AWS ALB controller to manage the load balancer for the cluster.
Enabling this feature will cause up to 10 minutes of downtime on your application’s public access (time to delete, replace and propagate DNS of the new load balancer).
Use Case: For custom VPCs (Qovery Managed VPC does not require these), you need to add labels to subnets: kubernetes.io/role/elb=1 on public subnets, kubernetes.io/role/internal-elb=1 on private subnets, and kubernetes.io/cluster/<cluster-name>=shared on all subnets. Default Value: true

aws.eks.alb_controller.replicas

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller number of replicas. For production clusters, it’s recommended to have at least 2 replicas for high availability. Default Value: 2

aws.eks.alb_controller.vpa.vcpu.min_in_milli_cpu

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller VPA (vertical pod autoscaling) vCPU minimum value in milli CPU. Default Value: 250

aws.eks.alb_controller.vpa.vcpu.max_in_milli_cpu

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller VPA (vertical pod autoscaling) vCPU maximum value in milli CPU. Default Value: 250

aws.eks.alb_controller.vpa.memory.min_in_mib

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller VPA (vertical pod autoscaling) memory minimum value in mebibyte. Default Value: 128

aws.eks.alb_controller.vpa.memory.max_in_mib

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller VPA (vertical pod autoscaling) memory maximum value in mebibyte. Default Value: 128

load_balancer.size

Cloud Provider: Scaleway Type: string Description: Allows you to specify the load balancer size in front of your cluster. Valid values: lb-s (200 Mbps), lb-gp-m (500 Mbps), lb-gp-l (1 Gbps), lb-gp-xl (4 Gbps) Default Value: lb-s

Network - NGINX Ingress

nginx.vcpu.request_in_milli_cpu

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: vCPU request value in millicores assigned to NGINX pods. Default Value: 200

nginx.vcpu.limit_in_milli_cpu

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: vCPU limit value in millicores assigned to NGINX pods. Default Value: 700

nginx.memory.request_in_mib

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Memory request value in MiB assigned to NGINX pods. Default Value: 768

nginx.memory.limit_in_mib

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Memory limit value in MiB assigned to NGINX pods. Default Value: 768

nginx.hpa.cpu_utilization_percentage_threshold

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: HPA CPU threshold in percentage assigned to NGINX deployment. Default Value: 50

nginx.hpa.min_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Minimum number of NGINX replicas for horizontal pod autoscaling. Default Value: 2

nginx.hpa.max_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Maximum number of NGINX replicas for horizontal pod autoscaling. Default Value: 25

nginx.controller.enable_client_ip

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Enables ngx_http_realip_module module to get the real client IP address. Default Value: false

nginx.controller.enable_compression

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Enables compression (Brotli) for HTTP responses. When disabled, content will not be compressed, which may increase bandwidth usage but reduce CPU load. Default Value: true

nginx.controller.use_forwarded_headers

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Passes incoming X-Forwarded-For header upstream. See documentation. Default Value: false

nginx.controller.compute_full_forwarded_for

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Append the remote address to the X-Forwarded-For header instead of replacing it. See documentation. Default Value: false

nginx.controller.log_format_upstream

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows you to customize the NGINX log-format. Default Value: null

nginx.controller.log_format_escaping

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows you to customize the NGINX log-format-escaping setting. Valid values: Default, JSON, None Default Value: Default

nginx.controller.http_snippet

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows you to customize the NGINX http-snippet configuration. Used for cluster-level NGINX configuration that applies to all services. Use Case: See Rate Limiting Guide for practical examples. Default Value: null

nginx.controller.server_snippet

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows you to customize the NGINX server-snippet configuration. Used for server-level NGINX configuration. Use Case: See Rate Limiting Guide for practical examples. Default Value: null

nginx.controller.limit_request_status_code

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Allows you to customize the NGINX limit-req-status-code. Commonly set to 429 (Too Many Requests) for rate limiting. Default Value: null (defaults to 503)

nginx.controller.custom_http_errors

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows you to customize the NGINX custom-http-errors. Default Value: null Example: "404,503"

nginx.default_backend.enabled

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Allows enabling the default_backend for NGINX.
If you don’t specify a custom image repository and tag, ensure your cluster includes nodes with amd64 architecture.
Default Value: false

nginx.default_backend.image_repository

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Specifies the Docker image repository used for the default_backend. Default Value: null

nginx.default_backend.image_tag

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Defines the image tag used by default_backend. Default Value: null

Network - Gateway API

k8s.use_api_gateway

Cloud Provider: AWS Type: boolean Description: Flag to deploy Gateway API resources on the cluster.
  • This is an alpha feature, only available on AWS for now. It is not meant to be used yet, but will soon be handy for testing the migration from Ingress to Gateway API.
Default Value: false

envoy.hpa.cpu_average_utilization_percentage_threshold

Cloud Provider: AWS Scaleway GCP Azure Type: float Description: HPA CPU average utilization threshold assigned to Envoy Gateway deployment, expressed as a value between 0.0 and 1.0 (e.g., 0.8 for 80%). When CPU usage exceeds this threshold, Kubernetes will scale up the number of Envoy replicas. Valid values: 0.0 to 1.0 Default Value: null (uses Kubernetes default behavior)

envoy.hpa.memory_average_utilization_percentage_threshold

Cloud Provider: AWS Scaleway GCP Azure Type: float Description: HPA memory average utilization threshold assigned to Envoy Gateway deployment, expressed as a value between 0.0 and 1.0 (e.g., 0.8 for 80%). When memory usage exceeds this threshold, Kubernetes will scale up the number of Envoy replicas. Valid values: 0.0 to 1.0 Default Value: null (uses Kubernetes default behavior)

envoy.hpa.min_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Minimum number of Envoy Gateway replicas for horizontal pod autoscaling. This ensures a baseline level of availability and load distribution. Must be less than or equal to envoy.hpa.max_number_instances. Default Value: 2

envoy.hpa.max_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Maximum number of Envoy Gateway replicas for horizontal pod autoscaling. This sets an upper limit on scaling to control resource consumption. Must be greater than or equal to envoy.hpa.min_number_instances. Default Value: 25

envoy.vcpu.request_in_milli_cpu

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: vCPU request value in millicores assigned to Envoy Gateway pods. This defines the minimum CPU resources guaranteed for each pod. Must be less than or equal to envoy.vcpu.limit_in_milli_cpu. Default Value: 100

envoy.vcpu.limit_in_milli_cpu

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: vCPU limit value in millicores assigned to Envoy Gateway pods. This defines the maximum CPU resources that each pod can consume. Must be greater than or equal to envoy.vcpu.request_in_milli_cpu. Default Value: 1000

envoy.memory.request_in_mib

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Memory request value in MiB assigned to Envoy Gateway pods. This defines the minimum memory resources guaranteed for each pod. Must be less than or equal to envoy.memory.limit_in_mib. Default Value: 256

envoy.memory.limit_in_mib

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Memory limit value in MiB assigned to Envoy Gateway pods. This defines the maximum memory resources that each pod can consume. Must be greater than or equal to envoy.memory.request_in_mib. Default Value: 1024

envoy.client_ip_detection.x_forwarded_for.number_trusted_hops

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Number of trusted hops in the X-Forwarded-For header for client IP detection. This setting determines how many proxy hops to trust when extracting the real client IP address from the X-Forwarded-For header. See Envoy Gateway documentation for more details.
For customers migrating from NGINX: This replaces the NGINX use_forwarded_headers and compute_full_forwarded_for settings. Instead of a boolean flag, Envoy uses a hop count to precisely control which IP addresses in the X-Forwarded-For chain to trust.
How to configure:
  • Set to 1 if your traffic passes through 1 trusted proxy (e.g., AWS ALB only)
  • Set to 2 if your traffic passes through 2 trusted proxies (e.g., CloudFront → ALB)
  • Set to 0 to use only the direct connection IP (equivalent to NGINX use_forwarded_headers: false)
  • Leave as null to use Envoy’s default behavior
Example: If a request arrives with X-Forwarded-For: client-ip, proxy1-ip, proxy2-ip and you set number_trusted_hops: 2, Envoy will trust the last 2 hops (proxy1 and proxy2) and identify client-ip as the real client. Default Value: null (uses Envoy default behavior)
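The hop-count rule above, worked through as an added example (not Qovery or Envoy code). It assumes the hop chain is the X-Forwarded-For entries followed by the direct connection address, and shows why a count higher than the number of proxies you operate selects an address the sender wrote itself. The function names and addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def resolve_client_ip(xff_header, peer_ip, trusted_hops):
    """Return the address selected as the client for a given hop count.

    Model (assumption): the hop chain is the X-Forwarded-For entries followed
    by the address of the direct connection. The last `trusted_hops` entries
    are trusted proxies and the entry just before them is the client.
    """
    chain = [e.strip() for e in xff_header.split(",") if e.strip()]
    chain.append(peer_ip)
    # 0, or a chain too short for the hop count: use the direct connection.
    if trusted_hops <= 0 or trusted_hops >= len(chain):
        return peer_ip
    candidate = chain[-(trusted_hops + 1)]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # entry is not an IP address, do not use it


def selected_by_sender(xff_sent_by_client, client_ip, proxies, trusted_hops):
    """True if the selected address is a value the original sender supplied.

    `proxies` lists the proxy addresses in path order; each proxy appends the
    address it received the request from before forwarding it.
    """
    entries = [e.strip() for e in xff_sent_by_client.split(",") if e.strip()]
    path = [client_ip] + list(proxies)
    for sender in path[:-1]:
        entries.append(sender)
    chosen = resolve_client_ip(", ".join(entries), path[-1], trusted_hops)
    return chosen != client_ip and chosen not in proxies


if __name__ == "__main__":
    # Constructed scenario: one load balancer (10.0.1.20) in front of the
    # gateway, real client 198.51.100.7, sender-supplied header 192.0.2.99.
    for hops in (0, 1, 2):
        ip = resolve_client_ip("192.0.2.99, 198.51.100.7", "10.0.1.20", hops)
        risky = selected_by_sender("192.0.2.99", "198.51.100.7",
                                   ["10.0.1.20"], hops)
        print(f"number_trusted_hops={hops}: client={ip} sender_controlled={risky}")
```

When auditing a cluster, compare the configured value with the number of proxies actually in the request path; `selected_by_sender` returning True for your topology means the hop count is too high.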

envoy.log_format

Cloud Provider: AWS Scaleway GCP Azure Type: string (JSON format) Description: Custom log format for Envoy Gateway access logs. Qovery only allows JSON format as it enables all the Qovery capabilities for application logging and tracing. The value must be a JSON object (provided as a string) with Envoy command operators. See Envoy Gateway access logging documentation for available format variables and configuration options.
For customers migrating from NGINX: This replaces the NGINX log_format_upstream setting. Envoy uses its own format string with command operators like %REQ(X-HEADER)%, %RESP(X-HEADER)%, and %DURATION% instead of NGINX’s $variable syntax.
Default Value: If not specified, the following JSON format is used:
{
  "start_time": "%START_TIME%",
  "method": "%REQ(:METHOD)%",
  "x-envoy-origin-path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
  "protocol": "%PROTOCOL%",
  "response_code": "%RESPONSE_CODE%",
  "response_flags": "%RESPONSE_FLAGS%",
  "response_code_details": "%RESPONSE_CODE_DETAILS%",
  "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%",
  "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%",
  "bytes_received": "%BYTES_RECEIVED%",
  "bytes_sent": "%BYTES_SENT%",
  "duration": "%DURATION%",
  "x-envoy-upstream-service-time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
  "x-forwarded-for": "%REQ(X-FORWARDED-FOR)%",
  "user-agent": "%REQ(USER-AGENT)%",
  "x-request-id": "%REQ(X-REQUEST-ID)%",
  ":authority": "%REQ(:AUTHORITY)%",
  "upstream_host": "%UPSTREAM_HOST%",
  "upstream_cluster": "%UPSTREAM_CLUSTER%",
  "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%",
  "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%",
  "downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%",
  "requested_server_name": "%REQUESTED_SERVER_NAME%",
  "route_name": "%ROUTE_NAME%",
  "qovery_com_associated_service_id": "%REQ(x-qovery-com-associated-service-id)%",
  "qovery_com_environment_id": "%REQ(x-qovery-com-environment-id)%"
}
When customizing the log format, you must include these two Qovery-specific fields for service logging to work properly:
  • "qovery_com_associated_service_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_associated_service_id)%"
  • "qovery_com_environment_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_environment_id)%"
Without these fields, Qovery will not be able to properly associate logs with your services and environments.
Example: Custom JSON format with simplified fields (note the required Qovery fields):
{
  "timestamp": "%START_TIME%",
  "method": "%REQ(:METHOD)%",
  "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
  "protocol": "%PROTOCOL%",
  "status": "%RESPONSE_CODE%",
  "duration_ms": "%DURATION%",
  "bytes_sent": "%BYTES_SENT%",
  "bytes_received": "%BYTES_RECEIVED%",
  "client_ip": "%REQ(X-FORWARDED-FOR)%",
  "user_agent": "%REQ(USER-AGENT)%",
  "request_id": "%REQ(X-REQUEST-ID)%",
  "qovery_com_associated_service_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_associated_service_id)%",
  "qovery_com_environment_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_environment_id)%"
}

envoy.controller.custom_http_errors

Cloud Provider: AWS Scaleway GCP Azure Type: list of integers Description: List of HTTP status codes for which Envoy Gateway should serve custom error pages. When you specify a status code in this list, Envoy Gateway will intercept that error and serve a hardcoded HTML error page instead of passing through the upstream error response. Each HTTP error code has its own hardcoded HTML page built into Envoy Gateway.
The hardcoded error pages cannot be customized at this time. If you need to customize error pages for your use case, please contact us and we can extend this feature.
Valid values: HTTP status codes from 100 to 599 Default Value: null Example: [404, 503, 502, 500] - This will serve custom hardcoded HTML pages for Not Found, Service Unavailable, Bad Gateway, and Internal Server Error responses.

envoy.controller.enable_compression

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Enables HTTP response compression in Envoy Gateway. When enabled, Envoy Gateway automatically compresses HTTP responses using multiple compression algorithms to reduce bandwidth usage and improve performance. Compression algorithms enabled:
  • Gzip - Compression level 6 (widely supported, good compression ratio)
  • Brotli - Quality level 6 (better compression than Gzip, modern browsers)
  • Zstd - Compression level 6 (fastest compression, newest standard)
Envoy Gateway automatically selects the best compression algorithm based on the client’s Accept-Encoding header.
For customers migrating from NGINX: This replaces NGINX’s compression settings (enable-brotli and use-gzip). The main difference is that Envoy Gateway adds Zstd as a third compression algorithm alongside Gzip and Brotli. All compression levels match NGINX defaults (level 6).
Default Value: true

envoy.default_backend.enabled

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Enables the default backend for Envoy Gateway. The default backend serves a generic error page for requests that don’t match any route. Default Value: false

envoy.default_backend.image

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Specifies the Docker image used for the default backend. Default Value: null

envoy.default_backend.tag

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Defines the image tag used by the default backend. Default Value: null

Network - Database Access Control

database.postgresql.deny_any_access

Cloud Provider: AWS Type: boolean Description: Deny any access to all PostgreSQL databases.
  • Managed databases: Access is removed instantly
  • Container databases: Access is removed only after redeployment
Default Value: false

database.postgresql.allowed_cidrs

Cloud Provider: AWS Type: string Description: List of allowed CIDR ranges for PostgreSQL database access. Default Value: ["0.0.0.0/0"]

database.mysql.deny_any_access

Cloud Provider: AWS Type: boolean Description: Deny any access to all MySQL databases.
  • Managed databases: Access is removed instantly
  • Container databases: Access is removed only after redeployment
Default Value: false

database.mysql.allowed_cidrs

Cloud Provider: AWS Type: string Description: List of allowed CIDR ranges for MySQL database access. Default Value: ["0.0.0.0/0"]

database.mongodb.deny_any_access

Cloud Provider: AWS Type: boolean Description: Deny any access to all MongoDB databases.
  • Managed databases: Access is removed instantly
  • Container databases: Access is removed only after redeployment
Default Value: false

database.mongodb.allowed_cidrs

Cloud Provider: AWS Type: string Description: List of allowed CIDR ranges for MongoDB database access. Default Value: ["0.0.0.0/0"]

database.redis.deny_any_access

Cloud Provider: AWS Type: boolean Description: Deny any access to all Redis databases.
  • Managed databases: Access is removed instantly
  • Container databases: Access is removed only after redeployment
Default Value: false

database.redis.allowed_cidrs

Cloud Provider: AWS Type: string Description: List of allowed CIDR ranges for Redis database access. Default Value: ["0.0.0.0/0"]

Service Resources

allow_service_cpu_overcommit

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Authorize CPU overcommit (limit > request) for services deployed within this cluster.
Using overcommit on pod resources can lead to instability on your cluster and we strongly discourage it. Be careful when using this feature.
Use Case: Once enabled, you can update the service advanced setting resources.override.limit.cpu_in_mib. Default Value: false

allow_service_ram_overcommit

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Authorize memory overcommit (limit > request) for services deployed within this cluster.
Using overcommit on pod resources can lead to instability on your cluster and we strongly discourage it. Be careful when using this feature.
Use Case: Once enabled, you can update the service advanced setting resources.override.limit.ram_in_mib. Default Value: false

IAM & Security

aws.iam.enable_admin_group_sync

Cloud Provider: AWS Type: boolean Description: Enable IAM admin group sync. See IAM permissions setup.
aws.iam.admin_group must be set when enable_admin_group_sync is true.
Default Value: true

aws.iam.admin_group

Cloud Provider: AWS Type: string Description: Allows you to specify the IAM group name associated with the Qovery user. Configure IAM group permissions for cluster access. Default Value: Admins

aws.iam.enable_sso

Cloud Provider: AWS Type: boolean Description: Enable SSO sync allowing IAM users to connect to cluster using SSO.
aws.iam.sso_role_arn must be set when enable_sso is true.
Default Value: false

aws.iam.sso_role_arn

Cloud Provider: AWS Type: string Description: Allows you to specify the SSO role ARN to be used to connect to your cluster. Default Value: ""

aws.eks.encrypt_secrets_kms_key_arn

Cloud Provider: AWS Type: string Description: Allows you to activate KMS encryption of your Kubernetes secrets. Specify the key ARN of your AWS KMS key.
It won’t be possible to go back once this feature is activated.
Default Value: null

k8s.api.allowed_public_access_cidrs

Cloud Provider: AWS GCP Azure Type: string Description: Contains additional CIDRs that should be whitelisted to access the Kubernetes API.
qovery.static_ip_mode should be set to true to make this setting effective.
Default Value: []

Miscellaneous

aws.eks.ec2.metadata_imds

Cloud Provider: AWS Type: string Description: Specify the IMDS version you want to use. Valid values: required (IMDS v2 only), optional (IMDS v1 and v2) Default Value: required

aws.eks.ec2.ami

Cloud Provider: AWS Type: string Description: Specify the AMI you want to use for EKS nodes. Valid values: AmazonLinux2 (Deprecated, not working after Kubernetes 1.32), AmazonLinux2023 (Default Amazon AMI, recommended), Bottlerocket (Focuses on security and maintainability) Default Value: AmazonLinux2023

aws.metrics_server.replicas

Cloud Provider: AWS Type: integer Description: Specify the number of replicas for the metrics-server pod. Set to 2 or more in production for high availability. Default Value: 1

qovery.static_ip_mode

Cloud Provider: AWS GCP Type: boolean Description: Enable static IP mode for the Qovery control plane. This automatically activates the private endpoint on the Kubernetes API and adds the Qovery IP to the CIDR whitelist.
If you need to connect to the Kubernetes cluster from your network, make sure to add your CIDR to k8s.api.allowed_public_access_cidrs.
DockerHub credentials are required to activate this feature. Configure them in Organization settings > Container registry. Why? DockerHub has a rate limit by IP. Since the Qovery control plane will be seen as a single IP, you need authenticated access to increase the limit.
Default Value: false

storageclass.fast_ssd

Type: string Description: Specify the Kubernetes storageClass to be used for storage attached to your container databases and applications. Default Value: Cloud provider specific
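Several settings on this page depend on each other or default to a permissive value (database CIDRs, IAM/SSO companions, Kubernetes API CIDRs, IMDS version, Envoy request/limit pairs, required Envoy log fields). The following is an added example, not Qovery tooling, that audits a set of overridden settings against the values, defaults and dependencies stated on this page; `audit`, `SAMPLE` and the finding texts are hypothetical names, and `allowed_cidrs` is assumed to be a list as in the API example above.

```python
import ipaddress
import json

# Valid values, defaults and dependencies below are the ones this page states.
# audit(), SAMPLE and the finding texts are illustrative, not Qovery tooling.
CLOUDWATCH_DAYS = {0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                   731, 1827, 2192, 2557, 2922, 3288, 3653}
DEFAULTS = {
    "aws.cloudwatch.eks_logs_retention_days": 90,
    "aws.iam.enable_admin_group_sync": True, "aws.iam.admin_group": "Admins",
    "aws.iam.enable_sso": False, "aws.iam.sso_role_arn": "",
    "aws.eks.ec2.metadata_imds": "required",
    "qovery.static_ip_mode": False, "k8s.api.allowed_public_access_cidrs": [],
    "envoy.hpa.min_number_instances": 2, "envoy.hpa.max_number_instances": 25,
    "envoy.vcpu.request_in_milli_cpu": 100, "envoy.vcpu.limit_in_milli_cpu": 1000,
    "envoy.memory.request_in_mib": 256, "envoy.memory.limit_in_mib": 1024,
}
# Pairs the page says must satisfy lower <= upper.
ORDERED = [("envoy.hpa.min_number_instances", "envoy.hpa.max_number_instances"),
           ("envoy.vcpu.request_in_milli_cpu", "envoy.vcpu.limit_in_milli_cpu"),
           ("envoy.memory.request_in_mib", "envoy.memory.limit_in_mib")]
# (flag, companion setting that must be non-empty when the flag is true)
REQUIRES = [("aws.iam.enable_admin_group_sync", "aws.iam.admin_group"),
            ("aws.iam.enable_sso", "aws.iam.sso_role_arn")]
LOG_FIELDS = ("qovery_com_associated_service_id", "qovery_com_environment_id")


def audit(overrides):
    """Return [(setting, finding)] for a dict of overridden AWS cluster settings."""
    s = {**DEFAULTS, **overrides}
    out = []
    for engine in ("postgresql", "mysql", "mongodb", "redis"):
        if s.get(f"database.{engine}.deny_any_access", False):
            continue  # all access is denied, the CIDR list is irrelevant
        key = f"database.{engine}.allowed_cidrs"
        for cidr in s.get(key, ["0.0.0.0/0"]):  # page default is 0.0.0.0/0
            try:
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    out.append((key, "reachable from any address"))
            except ValueError:
                out.append((key, f"not a valid CIDR: {cidr!r}"))
    for flag, companion in REQUIRES:
        if s[flag] and not s[companion]:
            out.append((companion, f"must be set when {flag} is true"))
    if s["k8s.api.allowed_public_access_cidrs"] and not s["qovery.static_ip_mode"]:
        out.append(("k8s.api.allowed_public_access_cidrs",
                    "has no effect unless qovery.static_ip_mode is true"))
    if s["aws.eks.ec2.metadata_imds"] == "optional":
        out.append(("aws.eks.ec2.metadata_imds", "IMDS v1 is still accepted"))
    elif s["aws.eks.ec2.metadata_imds"] != "required":
        out.append(("aws.eks.ec2.metadata_imds", "not a valid value"))
    if s["aws.cloudwatch.eks_logs_retention_days"] not in CLOUDWATCH_DAYS:
        out.append(("aws.cloudwatch.eks_logs_retention_days", "not a valid value"))
    for low, high in ORDERED:
        if s[low] > s[high]:
            out.append((low, f"exceeds {high}"))
    if s.get("envoy.log_format") is not None:
        try:
            fmt = json.loads(s["envoy.log_format"])
        except (TypeError, ValueError):
            fmt = None
        if not isinstance(fmt, dict):
            out.append(("envoy.log_format", "not a JSON object"))
        else:
            missing = [f for f in LOG_FIELDS if f not in fmt]
            if missing:
                out.append(("envoy.log_format", "missing " + ", ".join(missing)))
    return out


# Constructed sample: overrides for a hypothetical AWS cluster.
SAMPLE = {
    "database.postgresql.allowed_cidrs": ["10.0.0.0/16"],
    "database.mysql.deny_any_access": True,
    "database.mongodb.allowed_cidrs": ["10.0.0.0/16"],
    "aws.iam.enable_sso": True,
    "k8s.api.allowed_public_access_cidrs": ["203.0.113.0/24"],
    "aws.eks.ec2.metadata_imds": "optional",
    "envoy.vcpu.request_in_milli_cpu": 2000,
    "envoy.log_format": json.dumps({"status": "%RESPONSE_CODE%"}),
}

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```

Calling `audit({})` reports the four database engines, because the page's default `allowed_cidrs` for each is `["0.0.0.0/0"]`.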
