feat(eks): support for Kubernetes version 1.23

packages/@aws-cdk/aws-eks/README.md

@@ -676,14 +676,26 @@ The kubectl handler uses `kubectl`, `helm` and the `aws` CLI in order to
 interact with the cluster. These are bundled into AWS Lambda layers included in
 the `@aws-cdk/lambda-layer-awscli` and `@aws-cdk/lambda-layer-kubectl` modules.
 
-You can specify a custom `lambda.LayerVersion` if you wish to use a different
-version of these tools. The handler expects the layer to include the following
-three executables:
+The version of kubectl used must be compatible wtih the Kubernetes version of the cluster. kubectl is supported within one minor version (older or newer) of Kubernetes (see [Kubernetes version skew policy](https://kubernetes.io/releases/version-skew-policy/#kubectl)). Only version 1.20 of kubectl is available in `aws-cdk-lib`. If you need a different version, you will need to use one of the `@aws-cdk/lambda-layer-kubectlvXY` packages.
+
+```ts
+import { KubectlV22Layer } from '@aws-cdk/lambda-layer-kubectl-v22';
+
+const cluster = new eks.Cluster(this, 'hello-eks', {
+  version: eks.KubernetesVersion.V1_22,
+  kubectlLayer: new KubectlV22Layer(this, 'kubectl'),
+});
+
+```
+
+You can also specify a custom `lambda.LayerVersion` if you wish to use a
+different version of these tools, or a version not available in any of the
+`@aws-cdk/lambda-layer-kubectlvXY` packages. The handler expects the layer to
+include the following two executables:
 
 ```text
 helm/helm
 kubectl/kubectl
-awscli/aws
 ```
 
 See more information in the

packages/@aws-cdk/aws-eks/lib/cluster.ts

@@ -124,12 +124,19 @@ export interface ICluster extends IResource, ec2.IConnectable {
   readonly kubectlLambdaRole?: iam.IRole;
 
   /**
-   * An AWS Lambda layer that includes `kubectl`, `helm` and the `aws` CLI.
+   * An AWS Lambda layer that includes `kubectl` and `helm`
    *
-   * If not defined, a default layer will be used.
+   * If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
    */
   readonly kubectlLayer?: lambda.ILayerVersion;
 
+  /**
+   * An AWS Lambda layer that contains the `aws` CLI.
+   *
+   * If not defined, a default layer will be used containing the AWS CLI 1.x.
+   */
+  readonly awscliLayer?: lambda.ILayerVersion;
+
   /**
    * Kubectl Provider for issuing kubectl commands against it
    *
@@ -325,19 +332,38 @@ export interface ClusterAttributes {
   readonly openIdConnectProvider?: iam.IOpenIdConnectProvider;
 
   /**
-   * An AWS Lambda Layer which includes `kubectl`, Helm and the AWS CLI. This layer
-   * is used by the kubectl handler to apply manifests and install helm charts.
+   * An AWS Lambda Layer which includes `kubectl` and Helm.
+   *
+   * This layer is used by the kubectl handler to apply manifests and install
+   * helm charts. You must pick an appropriate releases of one of the
+   * `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of
+   * Kubernetes you have chosen. If you don't supply this value `kubectl`
+   * 1.20 will be used, but that version is most likely too old.
    *
    * The handler expects the layer to include the following executables:
    *
-   *    helm/helm
-   *    kubectl/kubectl
-   *    awscli/aws
+   * ```
+   * /opt/helm/helm
+   * /opt/kubectl/kubectl
+   * ```
    *
-   * @default - a layer bundled with this module.
+   * @default - a default layer with Kubectl 1.20 and helm 3.8.
    */
   readonly kubectlLayer?: lambda.ILayerVersion;
 
+  /**
+   * An AWS Lambda layer that contains the `aws` CLI.
+   *
+   * The handler expects the layer to include the following executables:
+   *
+   * ```
+   * /opt/awscli/aws
+   * ```
+   *
+   * @default - a default layer with the AWS CLI 1.x
+   */
+  readonly awscliLayer?: lambda.ILayerVersion;
+
   /**
    * KubectlProvider for issuing kubectl commands.
    *
@@ -500,29 +526,38 @@ export interface ClusterOptions extends CommonClusterOptions {
   readonly kubectlEnvironment?: { [key: string]: string };
 
   /**
-   * An AWS Lambda Layer which includes `kubectl`, Helm and the AWS CLI.
+   * An AWS Lambda Layer which includes `kubectl` and Helm.
    *
-   * By default, the provider will use the layer included in the
-   * "aws-lambda-layer-kubectl" SAR application which is available in all
-   * commercial regions.
+   * This layer is used by the kubectl handler to apply manifests and install
+   * helm charts. You must pick an appropriate releases of one of the
+   * `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of
+   * Kubernetes you have chosen. If you don't supply this value `kubectl`
+   * 1.20 will be used, but that version is most likely too old.
    *
-   * To deploy the layer locally, visit
-   * https://github.com/aws-samples/aws-lambda-layer-kubectl/blob/master/cdk/README.md
-   * for instructions on how to prepare the .zip file and then define it in your
-   * app as follows:
+   * The handler expects the layer to include the following executables:
    *
-   * ```ts
-   * const layer = new lambda.LayerVersion(this, 'kubectl-layer', {
-   *   code: lambda.Code.fromAsset(`${__dirname}/layer.zip`),
-   *   compatibleRuntimes: [lambda.Runtime.PROVIDED],
-   * });
+   * ```
+   * /opt/helm/helm
+   * /opt/kubectl/kubectl
    * ```
    *
-   * @default - the layer provided by the `aws-lambda-layer-kubectl` SAR app.
-   * @see https://github.com/aws-samples/aws-lambda-layer-kubectl
+   * @default - a default layer with Kubectl 1.20.
    */
   readonly kubectlLayer?: lambda.ILayerVersion;
 
+  /**
+   * An AWS Lambda layer that contains the `aws` CLI.
+   *
+   * The handler expects the layer to include the following executables:
+   *
+   * ```
+   * /opt/awscli/aws
+   * ```
+   *
+   * @default - a default layer with the AWS CLI 1.x
+   */
+  readonly awscliLayer?: lambda.ILayerVersion;
+
   /**
    * Amount of memory to allocate to the provider's lambda function.
    *
@@ -809,6 +844,24 @@ export class KubernetesVersion {
    */
   public static readonly V1_21 = KubernetesVersion.of('1.21');
 
+  /**
+   * Kubernetes version 1.22
+   *
+   * When creating a `Cluster` with this version, you need to also specify the
+   * `kubectlLayer` property with a `KubectlLayer` from
+   * `@aws-cdk/lambda-layer-kubectl-v22`.
+   */
+  public static readonly V1_22 = KubernetesVersion.of('1.22');
+
+  /**
+   * Kubernetes version 1.23
+   *
+   * When creating a `Cluster` with this version, you need to also specify the
+   * `kubectlLayer` property with a `KubectlLayer` from
+   * `@aws-cdk/lambda-layer-kubectl-v23`.
+   */
+  public static readonly V1_23 = KubernetesVersion.of('1.23');
+
   /**
    * Custom cluster version
    * @param version custom version number
@@ -1233,10 +1286,18 @@ export class Cluster extends ClusterBase {
   private _openIdConnectProvider?: iam.IOpenIdConnectProvider;
 
   /**
-   * The AWS Lambda layer that contains `kubectl`, `helm` and the AWS CLI. If
-   * undefined, a SAR app that contains this layer will be used.
+   * An AWS Lambda layer that includes `kubectl` and `helm`
+   *
+   * If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
    */
-  public readonly kubectlLayer?: lambda.ILayerVersion;
+  readonly kubectlLayer?: lambda.ILayerVersion;
+
+  /**
+   * An AWS Lambda layer that contains the `aws` CLI.
+   *
+   * If not defined, a default layer will be used containing the AWS CLI 1.x.
+   */
+  readonly awscliLayer?: lambda.ILayerVersion;
 
   /**
    * The amount of memory allocated to the kubectl provider's lambda function.
@@ -1319,6 +1380,11 @@ export class Cluster extends ClusterBase {
 
     this.prune = props.prune ?? true;
     this.vpc = props.vpc || new ec2.Vpc(this, 'DefaultVpc');
+
+    const kubectlMinorVersion = Number(props.version.version) * 100;
+    if (kubectlMinorVersion >= 122 && !props.kubectlLayer) {
+      Annotations.of(this).addWarning(`You created a cluster with Kubernetes Version ${props.version} without specifying the kubectlLayer property. This may cause failures as the kubectl version provided with aws-cdk-lib is 1.20, which is only guaranteed to be compatible with Kubernetes versions 1.19-1.21. Please provide a kubectlLayer from @aws-cdk/lambda-layer-kubectl-v${kubectlMinorVersion % 100}.`);
+    };
     this.version = props.version;
     this.kubectlLambdaRole = props.kubectlLambdaRole ? props.kubectlLambdaRole : undefined;
 
@@ -1359,6 +1425,7 @@ export class Cluster extends ClusterBase {
     this.endpointAccess = props.endpointAccess ?? EndpointAccess.PUBLIC_AND_PRIVATE;
     this.kubectlEnvironment = props.kubectlEnvironment;
     this.kubectlLayer = props.kubectlLayer;
+    this.awscliLayer = props.awscliLayer;
     this.kubectlMemory = props.kubectlMemory;
 
     this.onEventLayer = props.onEventLayer;
@@ -2033,6 +2100,7 @@ class ImportedCluster extends ClusterBase {
   public readonly kubectlSecurityGroup?: ec2.ISecurityGroup | undefined;
   public readonly kubectlPrivateSubnets?: ec2.ISubnet[] | undefined;
   public readonly kubectlLayer?: lambda.ILayerVersion;
+  public readonly awscliLayer?: lambda.ILayerVersion;
   public readonly kubectlProvider?: IKubectlProvider;
   public readonly onEventLayer?: lambda.ILayerVersion;
   public readonly kubectlMemory?: Size;
@@ -2054,6 +2122,7 @@ class ImportedCluster extends ClusterBase {
     this.kubectlEnvironment = props.kubectlEnvironment;
     this.kubectlPrivateSubnets = props.kubectlPrivateSubnetIds ? props.kubectlPrivateSubnetIds.map((subnetid, index) => ec2.Subnet.fromSubnetId(this, `KubectlSubnet${index}`, subnetid)) : undefined;
     this.kubectlLayer = props.kubectlLayer;
+    this.awscliLayer = props.awscliLayer;
     this.kubectlMemory = props.kubectlMemory;
     this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroupId ? ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterHandlerSecurityGroup', props.clusterHandlerSecurityGroupId) : undefined;
     this.kubectlProvider = props.kubectlProvider;
@@ -2241,7 +2310,7 @@ export enum CoreDnsComputeType {
   /**
    * Deploy CoreDNS on Fargate-managed instances.
    */
-  FARGATE = 'fargate'
+  FARGATE = 'fargate',
 }
 
 /**
@@ -2255,7 +2324,7 @@ export enum DefaultCapacityType {
   /**
    * EC2 autoscaling group
    */
-  EC2
+  EC2,
 }
 
 /**
@@ -2269,7 +2338,7 @@ export enum MachineImageType {
   /**
    * Bottlerocket AMI
    */
-  BOTTLEROCKET
+  BOTTLEROCKET,
 }
 
 function nodeTypeForInstanceType(instanceType: ec2.InstanceType) {

packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts

@@ -149,13 +149,9 @@ export class KubectlProvider extends NestedStack implements IKubectlProvider {
       vpcSubnets: cluster.kubectlPrivateSubnets ? { subnets: cluster.kubectlPrivateSubnets } : undefined,
     });
 
-    // allow user to customize the layer
-    if (!props.cluster.kubectlLayer) {
-      handler.addLayers(new AwsCliLayer(this, 'AwsCliLayer'));
-      handler.addLayers(new KubectlLayer(this, 'KubectlLayer'));
-    } else {
-      handler.addLayers(props.cluster.kubectlLayer);
-    }
+    // allow user to customize the layers with the tools we need
+    handler.addLayers(props.cluster.awscliLayer ?? new AwsCliLayer(this, 'AwsCliLayer'));
+    handler.addLayers(props.cluster.kubectlLayer ?? new KubectlLayer(this, 'KubectlLayer'));
 
     this.handlerRole = handler.role!;
 

packages/@aws-cdk/aws-eks/package.json

@@ -80,6 +80,8 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
+    "@aws-cdk/lambda-layer-kubectl-v22": "^2.0.0",
+    "@aws-cdk/lambda-layer-kubectl-v23": "^2.0.0",
     "@aws-cdk/assertions": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",

packages/@aws-cdk/aws-eks/test/alb-controller.integ.snapshot/aws-cdk-eks-cluster-alb-controller-test.assets.json

@@ -1,6 +1,19 @@
 {
   "version": "21.0.0",
   "files": {
+    "c0f40a9fd16d1698ca05765606c04c8724dc5c8355b6e124a39af09449a3aa30": {
+      "source": {
+        "path": "asset.c0f40a9fd16d1698ca05765606c04c8724dc5c8355b6e124a39af09449a3aa30.zip",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "c0f40a9fd16d1698ca05765606c04c8724dc5c8355b6e124a39af09449a3aa30.zip",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    },
     "4288ebb3652acdf2d828b7db7ca44a7162a401ace50ebb4026e84b18a02a06ee": {
       "source": {
         "path": "asset.4288ebb3652acdf2d828b7db7ca44a7162a401ace50ebb4026e84b18a02a06ee.zip",
@@ -66,19 +79,6 @@
         }
       }
     },
-    "c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed": {
-      "source": {
-        "path": "asset.c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed.zip",
-        "packaging": "file"
-      },
-      "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed.zip",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
-        }
-      }
-    },
     "42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174": {
       "source": {
         "path": "asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174",
@@ -131,28 +131,28 @@
         }
       }
     },
-    "b426f1001506d25688ef81611f184e1ef5ebf1662e67bb4933b045477f10a56e": {
+    "a5c54a47681dc263bb296e341ff9500a68cc18f5d368dd66b41793f364332175": {
       "source": {
         "path": "awscdkeksclusteralbcontrollertestawscdkawseksKubectlProviderA1AC28D1.nested.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "b426f1001506d25688ef81611f184e1ef5ebf1662e67bb4933b045477f10a56e.json",
+          "objectKey": "a5c54a47681dc263bb296e341ff9500a68cc18f5d368dd66b41793f364332175.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "a7952c511d282bd028c89eada46178e2c8388a5649c0fc3d3364479c01bca79e": {
+    "4dddd3bf7eb63d312c638e331fc885e2dbb8d3398b739973a85d928c5178ec45": {
       "source": {
         "path": "aws-cdk-eks-cluster-alb-controller-test.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "a7952c511d282bd028c89eada46178e2c8388a5649c0fc3d3364479c01bca79e.json",
+          "objectKey": "4dddd3bf7eb63d312c638e331fc885e2dbb8d3398b739973a85d928c5178ec45.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }