Conversation

@pahud (Contributor)

@pahud pahud commented Dec 9, 2025

WIP

Issue # (if applicable)

Closes #34394.

Reason for this change

When provisioning an EKS cluster in Auto Mode with custom node roles, users need to grant the node role access to the cluster with the EC2 access entry type. Currently, the grantAccess() method doesn't support specifying the access entry type, defaulting to STANDARD, which prevents nodes from joining Auto Mode clusters.

Additionally, the AccessEntryType enum is missing three CloudFormation-supported types: EC2, HYBRID_LINUX, and HYPERPOD_LINUX.

Description of changes

This PR adds support for specifying access entry types in the grantAccess() method and extends the AccessEntryType enum with missing CloudFormation-supported values.

Changes made:

  • Extended AccessEntryType enum with three new values:
    • EC2 - For EKS Auto Mode node roles
    • HYBRID_LINUX - For EKS Hybrid Nodes
    • HYPERPOD_LINUX - For Amazon SageMaker HyperPod
  • Added optional accessEntryType parameter to Cluster.grantAccess() method
  • Updated private addToAccessEntry() method to pass type through to AccessEntry constructor
  • Applied changes to both @aws-cdk/aws-eks-v2-alpha (alpha) and aws-cdk-lib/aws-eks (stable) packages

API changes:

// Before (still works - backward compatible)
cluster.grantAccess('MyAccess', roleArn, [policy]);

// After (new capability)
cluster.grantAccess('MyAccess', roleArn, [policy], AccessEntryType.EC2);

CloudFormation impact:

  • When accessEntryType is provided: Type property is set in AWS::EKS::AccessEntry
  • When accessEntryType is not provided: Type property remains undefined (backward compatible)

No breaking changes: This is a fully backward-compatible feature addition. The new parameter is optional and placed at the end of the method signature. All existing code continues to work without modification.

Describe any new or updated permissions being added

N/A - No new IAM permissions required. This change only exposes existing CloudFormation access entry types through the CDK L2 API.

Description of how you validated changes

Unit tests:

  • Alpha package: 314/314 tests passed (100%)
  • Stable package: 368/368 tests passed (100%)
  • Total: 682 unit tests passed
  • Coverage maintained: 93.71% statements, 91.54% branches (alpha)

Integration tests:

  • Created new integration test integ.eks-grant-access-with-type.ts in both packages
  • Tests all three new AccessEntryType values (EC2, HYBRID_LINUX, HYPERPOD_LINUX)
  • Tests explicit STANDARD type with grantAccess()
  • Tests backward compatibility (grantAccess without type parameter)
  • All 42 existing integration test snapshots remain UNCHANGED (confirms backward compatibility)
  • Total: 43 integration tests passed (16 alpha + 26 stable + 1 new)

Backward compatibility verification:

  • All existing integration test snapshots UNCHANGED
  • Existing code works without modification
  • No migration required

JSII compilation: Successful for all target languages (TypeScript, Python, Java, C#, Go)

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

- Add `grantAccessWithType` method to EKS cluster for type-safe access entry management
- Update `AccessEntry` class to support access entry type configuration
- Add integration test for EKS grant access with type functionality
- Update README documentation with new access entry type feature
- Generate snapshot files for integration test validation
- Enable fine-grained access control for EKS cluster users and roles
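Added example, not code from the aws-cdk repository or from this PR. It models in plain TypeScript the AWS::EKS::AccessEntry properties the description says grantAccess(id, principal, policies, accessEntryType?) produces, so the two behavioural claims (Type omitted when no type is passed; the new enum members serialize to their CloudFormation strings) can be checked offline without synthesizing a stack. The enum members other than the three new ones, the helper names, the role ARNs and the policy input are assumptions or constructed sample data. It also adds one check the PR does not mention, flagged as an assumption in the code.

```typescript
// Added example: a stand-alone model of what the PR's optional accessEntryType
// parameter does at the CloudFormation level. Not the CDK construct itself.

export enum AccessEntryType {
  // Assumed pre-existing members of the CDK enum.
  STANDARD = 'STANDARD',
  FARGATE_LINUX = 'FARGATE_LINUX',
  EC2_LINUX = 'EC2_LINUX',
  EC2_WINDOWS = 'EC2_WINDOWS',
  // The three values this PR adds.
  EC2 = 'EC2',
  HYBRID_LINUX = 'HYBRID_LINUX',
  HYPERPOD_LINUX = 'HYPERPOD_LINUX',
}

export interface AccessPolicy {
  policyArn: string;
  accessScopeType: 'cluster' | 'namespace';
  namespaces?: string[];
}

// Subset of AWS::EKS::AccessEntry properties relevant to this change.
export interface AccessEntryProperties {
  ClusterName: string;
  PrincipalArn: string;
  Type?: string;
  AccessPolicies?: Array<{
    PolicyArn: string;
    AccessScope: { Type: string; Namespaces?: string[] };
  }>;
}

export function buildAccessEntry(
  clusterName: string,
  principalArn: string,
  policies: AccessPolicy[],
  accessEntryType?: AccessEntryType,
): AccessEntryProperties {
  // Assumption taken from the EKS CreateAccessEntry API documentation, not from this PR:
  // access policies (and kubernetesGroups) may only be associated with STANDARD entries.
  // Node entry types such as EC2 receive their cluster permissions from EKS itself, so a
  // policy list here would be rejected at deploy time. Fail at synth time instead.
  if (accessEntryType !== undefined && accessEntryType !== AccessEntryType.STANDARD && policies.length > 0) {
    throw new Error(`access policies cannot be associated with a ${accessEntryType} access entry`);
  }

  const props: AccessEntryProperties = { ClusterName: clusterName, PrincipalArn: principalArn };

  // Backward-compatibility rule from the PR: leave Type out entirely when not provided,
  // so existing templates (and their integ snapshots) do not change.
  if (accessEntryType !== undefined) {
    props.Type = accessEntryType;
  }
  if (policies.length > 0) {
    props.AccessPolicies = policies.map(p => ({
      PolicyArn: p.policyArn,
      AccessScope: p.accessScopeType === 'namespace'
        ? { Type: 'namespace', Namespaces: p.namespaces ?? [] }
        : { Type: 'cluster' },
    }));
  }
  return props;
}

// Constructed sample inputs (fictional account and role names).
export const NODE_ROLE_ARN = 'arn:aws:iam::123456789012:role/example-auto-mode-node-role';
export const ADMIN_ROLE_ARN = 'arn:aws:iam::123456789012:role/example-cluster-admin';
export const ADMIN_POLICY: AccessPolicy = {
  policyArn: 'arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy',
  accessScopeType: 'cluster',
};

export function demo(): Record<string, AccessEntryProperties> {
  return {
    // Existing call shape: Type key absent from the template.
    legacyAdmin: buildAccessEntry('my-cluster', ADMIN_ROLE_ARN, [ADMIN_POLICY]),
    // Auto Mode node role: Type set to EC2, no access policies.
    autoModeNodes: buildAccessEntry('my-cluster', NODE_ROLE_ARN, [], AccessEntryType.EC2),
  };
}
```

Under the documented EKS constraint assumed above, a call that passes both a policy list and a non-STANDARD type (as the "after" snippet in the description does with `[policy]` and `AccessEntryType.EC2`) is rejected by this model; whether the real construct validates that combination before deployment is not shown in the PR, so check the synthesized template or the deploy result for node-role entries.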
@github-actions github-actions bot added feature-request A feature should be added or improved. p2 labels Dec 9, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team December 9, 2025 22:32
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Dec 9, 2025
@github-actions (Contributor)

github-actions bot commented Dec 9, 2025

Security Guardian Results: 104 ran, 97 passed, 7 failed
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-grant-access-with-type.js.snapshot/aws-cdk-eks-grant-access-with-type.template.json
ec2-no-open-security-groups.guard❌ failure
iam-no-wildcard-actions-inline.guard❌ failure
iam-no-world-accessible-trust-policy.guard❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-grant-access-with-type.js.snapshot/awscdkeksgrantaccesswithtypeawscdkawseksClusterResourceProvider6AA9A051.nested.template.json
iam-no-wildcard-actions-inline.guard❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-grant-access-with-type.js.snapshot/awscdkeksgrantaccesswithtypeawscdkawseksKubectlProvider56047CC0.nested.template.json
iam-no-wildcard-actions-inline.guard❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-grant-access-with-type.js.snapshot/aws-cdk-eks-grant-access-with-type.template.json
ec2-no-open-security-groups.guard❌ failure
iam-no-wildcard-actions-inline.guard❌ failure

@github-actions (Contributor)

github-actions bot commented Dec 9, 2025

Security Guardian Results with resolved templates: 104 ran, 98 passed, 6 failed
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-grant-access-with-type.js.snapshot/aws-cdk-eks-grant-access-with-type.template.json
ec2-no-open-security-groups.guard❌ failure
iam-no-wildcard-actions-inline.guard❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-grant-access-with-type.js.snapshot/awscdkeksgrantaccesswithtypeawscdkawseksClusterResourceProvider6AA9A051.nested.template.json
iam-no-wildcard-actions-inline.guard❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-grant-access-with-type.js.snapshot/awscdkeksgrantaccesswithtypeawscdkawseksKubectlProvider56047CC0.nested.template.json
iam-no-wildcard-actions-inline.guard❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-grant-access-with-type.js.snapshot/aws-cdk-eks-grant-access-with-type.template.json
ec2-no-open-security-groups.guard❌ failure
iam-no-wildcard-actions-inline.guard❌ failure

Successfully merging this pull request may close these issues.

aws-eks-v2-alpha: update EKS access entry types and add type property on grantAccess