aws-cdk-lib 2.144.0__py3-none-any.whl → 2.146.0__py3-none-any.whl

aws_cdk/aws_eks/__init__.py

@@ -42,6 +42,8 @@ In addition, the library also supports defining Kubernetes resource manifests wi
   * [Permissions and Security](#permissions-and-security)
 
     * [AWS IAM Mapping](#aws-iam-mapping)
+    * [Access Config](#access-config)
+    * [Access Entry](#access-mapping)
     * [Cluster Security Group](#cluster-security-group)
     * [Node SSH Access](#node-ssh-access)
     * [Service Accounts](#service-accounts)
@@ -74,13 +76,13 @@ This example defines an Amazon EKS cluster with the following configuration:
 * A Kubernetes pod with a container based on the [paulbouwer/hello-kubernetes](https://github.com/paulbouwer/hello-kubernetes) image.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v29 import KubectlV29Layer
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
 
 
 # provisioning a cluster
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_29,
-    kubectl_layer=KubectlV29Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "kubectl")
 )
 
 # apply a kubernetes manifest to the cluster
@@ -145,7 +147,7 @@ Creating a new cluster is done using the `Cluster` or `FargateCluster` construct
 
 ```python
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29
+    version=eks.KubernetesVersion.V1_30
 )
 ```
 
@@ -153,7 +155,7 @@ You can also use `FargateCluster` to provision a cluster that uses only fargate
 
 ```python
 eks.FargateCluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29
+    version=eks.KubernetesVersion.V1_30
 )
 ```
 
@@ -177,7 +179,7 @@ At cluster instantiation time, you can customize the number of instances and the
 
 ```python
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     default_capacity=5,
     default_capacity_instance=ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.SMALL)
 )
@@ -189,7 +191,7 @@ Additional customizations are available post instantiation. To apply them, set t
 
 ```python
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     default_capacity=0
 )
 
@@ -291,7 +293,7 @@ eks_cluster_node_group_role = iam.Role(self, "eksClusterNodeGroupRole",
 )
 
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     default_capacity=0
 )
 
@@ -403,7 +405,7 @@ successful replacement. Consider this example if you are renaming the cluster fr
 ```python
 cluster = eks.Cluster(self, "cluster-to-rename",
     cluster_name="foo",  # rename this to 'bar'
-    version=eks.KubernetesVersion.V1_29
+    version=eks.KubernetesVersion.V1_30
 )
 
 # allow the cluster admin role to delete the cluster 'foo'
@@ -457,7 +459,7 @@ The following code defines an Amazon EKS cluster with a default Fargate Profile
 
 ```python
 cluster = eks.FargateCluster(self, "MyCluster",
-    version=eks.KubernetesVersion.V1_29
+    version=eks.KubernetesVersion.V1_30
 )
 ```
 
@@ -538,7 +540,7 @@ You can also configure the cluster to use an auto-scaling group as the default c
 
 ```python
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     default_capacity_type=eks.DefaultCapacityType.EC2
 )
 ```
@@ -647,7 +649,7 @@ You can configure the [cluster endpoint access](https://docs.aws.amazon.com/eks/
 
 ```python
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     endpoint_access=eks.EndpointAccess.PRIVATE
 )
 ```
@@ -669,7 +671,7 @@ To deploy the controller on your EKS cluster, configure the `albController` prop
 
 ```python
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     alb_controller=eks.AlbControllerOptions(
         version=eks.AlbControllerVersion.V2_6_2
     )
@@ -713,7 +715,7 @@ You can specify the VPC of the cluster using the `vpc` and `vpcSubnets` properti
 
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     vpc=vpc,
     vpc_subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)]
 )
@@ -762,7 +764,7 @@ You can configure the environment of the Cluster Handler functions by specifying
 # proxy_instance_security_group: ec2.SecurityGroup
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     cluster_handler_environment={
         "https_proxy": "http://proxy.myproxy.com"
     },
@@ -803,7 +805,7 @@ for subnet in subnets:
     subnetcount = subnetcount + 1
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     vpc=vpc,
     ip_family=eks.IpFamily.IP_V6,
     vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)]
@@ -838,7 +840,7 @@ You can configure the environment of this function by specifying it at cluster i
 
 ```python
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     kubectl_environment={
         "http_proxy": "http://proxy.myproxy.com"
     }
@@ -858,12 +860,12 @@ Depending on which version of kubernetes you're targeting, you will need to use
 the `@aws-cdk/lambda-layer-kubectl-vXY` packages.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v29 import KubectlV29Layer
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
 
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_29,
-    kubectl_layer=KubectlV29Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "kubectl")
 )
 ```
 
@@ -899,7 +901,7 @@ cluster1 = eks.Cluster(self, "MyCluster",
     kubectl_layer=layer,
     vpc=vpc,
     cluster_name="cluster-name",
-    version=eks.KubernetesVersion.V1_29
+    version=eks.KubernetesVersion.V1_30
 )
 
 # or
@@ -919,7 +921,7 @@ By default, the kubectl provider is configured with 1024MiB of memory. You can u
 # vpc: ec2.Vpc
 eks.Cluster(self, "MyCluster",
     kubectl_memory=Size.gibibytes(4),
-    version=eks.KubernetesVersion.V1_29
+    version=eks.KubernetesVersion.V1_30
 )
 eks.Cluster.from_cluster_attributes(self, "MyCluster",
     kubectl_memory=Size.gibibytes(4),
@@ -957,7 +959,7 @@ When you create a cluster, you can specify a `mastersRole`. The `Cluster` constr
 # role: iam.Role
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     masters_role=role
 )
 ```
@@ -1007,7 +1009,7 @@ You can use the `secretsEncryptionKey` to configure which key the cluster will u
 secrets_key = kms.Key(self, "SecretsKey")
 cluster = eks.Cluster(self, "MyCluster",
     secrets_encryption_key=secrets_key,
-    version=eks.KubernetesVersion.V1_29
+    version=eks.KubernetesVersion.V1_30
 )
 ```
 
@@ -1017,7 +1019,7 @@ You can also use a similar configuration for running a cluster built using the F
 secrets_key = kms.Key(self, "SecretsKey")
 cluster = eks.FargateCluster(self, "MyFargateCluster",
     secrets_encryption_key=secrets_key,
-    version=eks.KubernetesVersion.V1_29
+    version=eks.KubernetesVersion.V1_30
 )
 ```
 
@@ -1064,7 +1066,7 @@ To access the Kubernetes resources from the console, make sure your viewing prin
 in the `aws-auth` ConfigMap. Some options to consider:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v29 import KubectlV29Layer
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
 # cluster: eks.Cluster
 # your_current_role: iam.Role
 # vpc: ec2.Vpc
@@ -1082,7 +1084,7 @@ your_current_role.add_to_policy(iam.PolicyStatement(
 
 ```python
 # Option 2: create your custom mastersRole with scoped assumeBy arn as the Cluster prop. Switch to this role from the AWS console.
-from aws_cdk.lambda_layer_kubectl_v29 import KubectlV29Layer
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
 # vpc: ec2.Vpc
 
 
@@ -1092,8 +1094,8 @@ masters_role = iam.Role(self, "MastersRole",
 
 cluster = eks.Cluster(self, "EksCluster",
     vpc=vpc,
-    version=eks.KubernetesVersion.V1_29,
-    kubectl_layer=KubectlV29Layer(self, "KubectlLayer"),
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
     masters_role=masters_role
 )
 
@@ -1122,6 +1124,131 @@ console_read_only_role.add_to_policy(iam.PolicyStatement(
 cluster.aws_auth.add_masters_role(console_read_only_role)
 ```
 
+### Access Config
+
+Amazon EKS supports three modes of authentication: `CONFIG_MAP`, `API_AND_CONFIG_MAP`, and `API`. You can enable cluster
+to use access entry APIs by using authenticationMode `API` or `API_AND_CONFIG_MAP`. Use authenticationMode `CONFIG_MAP`
+to continue using aws-auth configMap exclusively. When `API_AND_CONFIG_MAP` is enabled, the cluster will source authenticated
+AWS IAM principals from both Amazon EKS access entry APIs and the aws-auth configMap, with priority given to the access entry API.
+
+To specify the `authenticationMode`:
+
+```python
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+# vpc: ec2.Vpc
+
+
+eks.Cluster(self, "Cluster",
+    vpc=vpc,
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+    authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+)
+```
+
+> **Note** - Switching authentication modes on an existing cluster is a one-way operation. You can switch from
+> `CONFIG_MAP` to `API_AND_CONFIG_MAP`. You can then switch from `API_AND_CONFIG_MAP` to `API`.
+> You cannot revert these operations in the opposite direction. Meaning you cannot switch back to
+> `CONFIG_MAP` or `API_AND_CONFIG_MAP` from `API`. And you cannot switch back to `CONFIG_MAP` from `API_AND_CONFIG_MAP`.
+
+Read [A deep dive into simplified Amazon EKS access management controls
+](https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/) for more details.
+
+You can disable granting the cluster admin permissions to the cluster creator role on bootstrapping by setting
+`bootstrapClusterCreatorAdminPermissions` to false.
+
+> **Note** - Switching `bootstrapClusterCreatorAdminPermissions` on an existing cluster would cause cluster replacement and should be avoided in production.
+
+### Access Entry
+
+An access entry is a cluster identity—directly linked to an AWS IAM principal user or role that is used to authenticate to
+an Amazon EKS cluster. An Amazon EKS access policy authorizes an access entry to perform specific cluster actions.
+
+Access policies are Amazon EKS-specific policies that assign Kubernetes permissions to access entries. Amazon EKS supports
+only predefined and AWS managed policies. Access policies are not AWS IAM entities and are defined and managed by Amazon EKS.
+Amazon EKS access policies include permission sets that support common use cases of administration, editing, or read-only access
+to Kubernetes resources. See [Access Policy Permissions](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions) for more details.
+
+Use `AccessPolicy` to include predefined AWS managed policies:
+
+```python
+# AmazonEKSClusterAdminPolicy with `cluster` scope
+eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+    access_scope_type=eks.AccessScopeType.CLUSTER
+)
+# AmazonEKSAdminPolicy with `namespace` scope
+eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+    access_scope_type=eks.AccessScopeType.NAMESPACE,
+    namespaces=["foo", "bar"]
+)
+```
+
+Use `grantAccess()` to grant the AccessPolicy to an IAM principal:
+
+```python
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+# vpc: ec2.Vpc
+
+
+cluster_admin_role = iam.Role(self, "ClusterAdminRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+eks_admin_role = iam.Role(self, "EKSAdminRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+eks_admin_view_role = iam.Role(self, "EKSAdminViewRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+cluster = eks.Cluster(self, "Cluster",
+    vpc=vpc,
+    masters_role=cluster_admin_role,
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+    authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+)
+
+# Cluster Admin role for this cluster
+cluster.grant_access("clusterAdminAccess", cluster_admin_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+        access_scope_type=eks.AccessScopeType.CLUSTER
+    )
+])
+
+# EKS Admin role for specified namespaces of this cluster
+cluster.grant_access("eksAdminRoleAccess", eks_admin_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+        access_scope_type=eks.AccessScopeType.NAMESPACE,
+        namespaces=["foo", "bar"]
+    )
+])
+
+# EKS Admin Viewer role for specified namespaces of this cluster
+cluster.grant_access("eksAdminViewRoleAccess", eks_admin_view_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminViewPolicy",
+        access_scope_type=eks.AccessScopeType.NAMESPACE,
+        namespaces=["foo", "bar"]
+    )
+])
+```
+
+### Migrating from ConfigMap to Access Entry
+
+If the cluster is created with the `authenticationMode` property left undefined,
+it will default to `CONFIG_MAP`.
+
+The update path is:
+
+`undefined`(`CONFIG_MAP`) -> `API_AND_CONFIG_MAP` -> `API`
+
+If you have explicitly declared `AwsAuth` resources and then try to switch to the `API` mode, which no longer supports the
+`ConfigMap`, AWS CDK will throw an error as a protective measure to prevent you from losing all the access entries in the `ConfigMap`. In this case, you will need to remove all the declared `AwsAuth` resources explicitly and define the access entries before you are allowed to transition to the `API` mode.
+
+> **Note** - This is a one-way transition. Once you switch to the `API` mode,
+> you will not be able to switch back. Therefore, it is crucial to ensure that you have defined all the necessary access entries before making the switch to the `API` mode.
+
 ### Cluster Security Group
 
 When you create an Amazon EKS cluster, a [cluster security group](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)
@@ -1372,7 +1499,7 @@ when a cluster is defined:
 
 ```python
 eks.Cluster(self, "MyCluster",
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     prune=False
 )
 ```
@@ -1754,7 +1881,7 @@ property. For example:
 ```python
 cluster = eks.Cluster(self, "Cluster",
     # ...
-    version=eks.KubernetesVersion.V1_29,
+    version=eks.KubernetesVersion.V1_30,
     cluster_logging=[eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.SCHEDULER
     ]
 )
@@ -1839,6 +1966,573 @@ from ..aws_lambda import ILayerVersion as _ILayerVersion_5ac127c8
 from ..aws_s3_assets import Asset as _Asset_ac2a7e61
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntryAttributes",
+    jsii_struct_bases=[],
+    name_mapping={
+        "access_entry_arn": "accessEntryArn",
+        "access_entry_name": "accessEntryName",
+    },
+)
+class AccessEntryAttributes:
+    def __init__(
+        self,
+        *,
+        access_entry_arn: builtins.str,
+        access_entry_name: builtins.str,
+    ) -> None:
+        '''Represents the attributes of an access entry.
+
+        :param access_entry_arn: The Amazon Resource Name (ARN) of the access entry.
+        :param access_entry_name: The name of the access entry.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            access_entry_attributes = eks.AccessEntryAttributes(
+                access_entry_arn="accessEntryArn",
+                access_entry_name="accessEntryName"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ea57d074f938dd093d38b977c20869681c2abd3bacc2931046328147dc4d8d72)
+            check_type(argname="argument access_entry_arn", value=access_entry_arn, expected_type=type_hints["access_entry_arn"])
+            check_type(argname="argument access_entry_name", value=access_entry_name, expected_type=type_hints["access_entry_name"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_entry_arn": access_entry_arn,
+            "access_entry_name": access_entry_name,
+        }
+
+    @builtins.property
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.'''
+        result = self._values.get("access_entry_arn")
+        assert result is not None, "Required property 'access_entry_arn' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.'''
+        result = self._values.get("access_entry_name")
+        assert result is not None, "Required property 'access_entry_name' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessEntryAttributes(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntryProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "access_policies": "accessPolicies",
+        "cluster": "cluster",
+        "principal": "principal",
+        "access_entry_name": "accessEntryName",
+        "access_entry_type": "accessEntryType",
+    },
+)
+class AccessEntryProps:
+    def __init__(
+        self,
+        *,
+        access_policies: typing.Sequence["IAccessPolicy"],
+        cluster: "ICluster",
+        principal: builtins.str,
+        access_entry_name: typing.Optional[builtins.str] = None,
+        access_entry_type: typing.Optional["AccessEntryType"] = None,
+    ) -> None:
+        '''Represents the properties required to create an Amazon EKS access entry.
+
+        :param access_policies: The access policies that define the permissions and scope for the access entry.
+        :param cluster: The Amazon EKS cluster to which the access entry applies.
+        :param principal: The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.
+        :param access_entry_name: The name of the AccessEntry. Default: - No access entry name is provided
+        :param access_entry_type: The type of the AccessEntry. Default: STANDARD
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            # access_policy: eks.AccessPolicy
+            # cluster: eks.Cluster
+            
+            access_entry_props = eks.AccessEntryProps(
+                access_policies=[access_policy],
+                cluster=cluster,
+                principal="principal",
+            
+                # the properties below are optional
+                access_entry_name="accessEntryName",
+                access_entry_type=eks.AccessEntryType.STANDARD
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0cc467f068aa2e977dd81e9c0227cfe45f7381ea6d31cea9c6f7f80e6d83e048)
+            check_type(argname="argument access_policies", value=access_policies, expected_type=type_hints["access_policies"])
+            check_type(argname="argument cluster", value=cluster, expected_type=type_hints["cluster"])
+            check_type(argname="argument principal", value=principal, expected_type=type_hints["principal"])
+            check_type(argname="argument access_entry_name", value=access_entry_name, expected_type=type_hints["access_entry_name"])
+            check_type(argname="argument access_entry_type", value=access_entry_type, expected_type=type_hints["access_entry_type"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_policies": access_policies,
+            "cluster": cluster,
+            "principal": principal,
+        }
+        if access_entry_name is not None:
+            self._values["access_entry_name"] = access_entry_name
+        if access_entry_type is not None:
+            self._values["access_entry_type"] = access_entry_type
+
+    @builtins.property
+    def access_policies(self) -> typing.List["IAccessPolicy"]:
+        '''The access policies that define the permissions and scope for the access entry.'''
+        result = self._values.get("access_policies")
+        assert result is not None, "Required property 'access_policies' is missing"
+        return typing.cast(typing.List["IAccessPolicy"], result)
+
+    @builtins.property
+    def cluster(self) -> "ICluster":
+        '''The Amazon EKS cluster to which the access entry applies.'''
+        result = self._values.get("cluster")
+        assert result is not None, "Required property 'cluster' is missing"
+        return typing.cast("ICluster", result)
+
+    @builtins.property
+    def principal(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.'''
+        result = self._values.get("principal")
+        assert result is not None, "Required property 'principal' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def access_entry_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the AccessEntry.
+
+        :default: - No access entry name is provided
+        '''
+        result = self._values.get("access_entry_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def access_entry_type(self) -> typing.Optional["AccessEntryType"]:
+        '''The type of the AccessEntry.
+
+        :default: STANDARD
+        '''
+        result = self._values.get("access_entry_type")
+        return typing.cast(typing.Optional["AccessEntryType"], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessEntryProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AccessEntryType")
+class AccessEntryType(enum.Enum):
+    '''Represents the different types of access entries that can be used in an Amazon EKS cluster.
+
+    :enum: true
+    '''
+
+    STANDARD = "STANDARD"
+    '''Represents a standard access entry.'''
+    FARGATE_LINUX = "FARGATE_LINUX"
+    '''Represents a Fargate Linux access entry.'''
+    EC2_LINUX = "EC2_LINUX"
+    '''Represents an EC2 Linux access entry.'''
+    EC2_WINDOWS = "EC2_WINDOWS"
+    '''Represents an EC2 Windows access entry.'''
+
+
+class AccessPolicyArn(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyArn",
+):
+    '''Represents an Amazon EKS Access Policy ARN.
+
+    Amazon EKS Access Policies are used to control access to Amazon EKS clusters.
+
+    :see: https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_eks as eks
+        
+        access_policy_arn = eks.AccessPolicyArn.AMAZON_EKS_ADMIN_POLICY
+    '''
+
+    def __init__(self, policy_name: builtins.str) -> None:
+        '''Constructs a new instance of the ``AccessEntry`` class.
+
+        :param policy_name: - The name of the Amazon EKS access policy. This is used to construct the policy ARN.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0ac946189967c669f9d1c47c0772f99ed1ce20197e6c76e4496836bbe19d2a72)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        jsii.create(self.__class__, self, [policy_name])
+
+    @jsii.member(jsii_name="of")
+    @builtins.classmethod
+    def of(cls, policy_name: builtins.str) -> "AccessPolicyArn":
+        '''Creates a new instance of the AccessPolicy class with the specified policy name.
+
+        :param policy_name: The name of the access policy.
+
+        :return: A new instance of the AccessPolicy class.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__23236f8d1dae1650ef58623c900288d55afe1fd4ead26b7b1aff290d073de854)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        return typing.cast("AccessPolicyArn", jsii.sinvoke(cls, "of", [policy_name]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_ADMIN_POLICY")
+    def AMAZON_EKS_ADMIN_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Admin Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        most permissions to resources. When associated to an access entry, its access scope is typically
+        one or more Kubernetes namespaces.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_ADMIN_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_ADMIN_VIEW_POLICY")
+    def AMAZON_EKS_ADMIN_VIEW_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Admin View Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        access to list/view all resources in a cluster.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_ADMIN_VIEW_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_CLUSTER_ADMIN_POLICY")
+    def AMAZON_EKS_CLUSTER_ADMIN_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Cluster Admin Policy.
+
+        This access policy includes permissions that grant an IAM
+        principal administrator access to a cluster. When associated to an access entry, its access scope
+        is typically the cluster, rather than a Kubernetes namespace.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_CLUSTER_ADMIN_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_EDIT_POLICY")
+    def AMAZON_EKS_EDIT_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Edit Policy.
+
+        This access policy includes permissions that allow an IAM principal
+        to edit most Kubernetes resources.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_EDIT_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_VIEW_POLICY")
+    def AMAZON_EKS_VIEW_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS View Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        access to list/view all resources in a cluster.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_VIEW_POLICY"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policyArn")
+    def policy_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access policy.'''
+        return typing.cast(builtins.str, jsii.get(self, "policyArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policyName")
+    def policy_name(self) -> builtins.str:
+        '''- The name of the Amazon EKS access policy.
+
+        This is used to construct the policy ARN.
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "policyName"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyNameOptions",
+    jsii_struct_bases=[],
+    name_mapping={"access_scope_type": "accessScopeType", "namespaces": "namespaces"},
+)
+class AccessPolicyNameOptions:
+    def __init__(
+        self,
+        *,
+        access_scope_type: "AccessScopeType",
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Represents the options required to create an Amazon EKS Access Policy using the ``fromAccessPolicyName()`` method.
+
+        :param access_scope_type: The scope of the access policy. This determines the level of access granted by the policy.
+        :param namespaces: An optional array of Kubernetes namespaces to which the access policy applies. Default: - no specific namespaces for this scope
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # AmazonEKSClusterAdminPolicy with `cluster` scope
+            eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+                access_scope_type=eks.AccessScopeType.CLUSTER
+            )
+            # AmazonEKSAdminPolicy with `namespace` scope
+            eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+                access_scope_type=eks.AccessScopeType.NAMESPACE,
+                namespaces=["foo", "bar"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__249ef277acd24f14314e76608ae6685b8ec176bb0872ba8327c446714e5afaee)
+            check_type(argname="argument access_scope_type", value=access_scope_type, expected_type=type_hints["access_scope_type"])
+            check_type(argname="argument namespaces", value=namespaces, expected_type=type_hints["namespaces"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_scope_type": access_scope_type,
+        }
+        if namespaces is not None:
+            self._values["namespaces"] = namespaces
+
+    @builtins.property
+    def access_scope_type(self) -> "AccessScopeType":
+        '''The scope of the access policy.
+
+        This determines the level of access granted by the policy.
+        '''
+        result = self._values.get("access_scope_type")
+        assert result is not None, "Required property 'access_scope_type' is missing"
+        return typing.cast("AccessScopeType", result)
+
+    @builtins.property
+    def namespaces(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''An optional array of Kubernetes namespaces to which the access policy applies.
+
+        :default: - no specific namespaces for this scope
+        '''
+        result = self._values.get("namespaces")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessPolicyNameOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyProps",
+    jsii_struct_bases=[],
+    name_mapping={"access_scope": "accessScope", "policy": "policy"},
+)
+class AccessPolicyProps:
+    def __init__(
+        self,
+        *,
+        access_scope: typing.Union["AccessScope", typing.Dict[builtins.str, typing.Any]],
+        policy: AccessPolicyArn,
+    ) -> None:
+        '''Properties for configuring an Amazon EKS Access Policy.
+
+        :param access_scope: The scope of the access policy, which determines the level of access granted.
+        :param policy: The access policy itself, which defines the specific permissions.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            # access_policy_arn: eks.AccessPolicyArn
+            
+            access_policy_props = eks.AccessPolicyProps(
+                access_scope=eks.AccessScope(
+                    type=eks.AccessScopeType.NAMESPACE,
+            
+                    # the properties below are optional
+                    namespaces=["namespaces"]
+                ),
+                policy=access_policy_arn
+            )
+        '''
+        if isinstance(access_scope, dict):
+            access_scope = AccessScope(**access_scope)
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d76ffc136ce61df3ec4331aefef6219d2ab1e0d4a6c6da1cd604f5d3a29a1c20)
+            check_type(argname="argument access_scope", value=access_scope, expected_type=type_hints["access_scope"])
+            check_type(argname="argument policy", value=policy, expected_type=type_hints["policy"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_scope": access_scope,
+            "policy": policy,
+        }
+
+    @builtins.property
+    def access_scope(self) -> "AccessScope":
+        '''The scope of the access policy, which determines the level of access granted.'''
+        result = self._values.get("access_scope")
+        assert result is not None, "Required property 'access_scope' is missing"
+        return typing.cast("AccessScope", result)
+
+    @builtins.property
+    def policy(self) -> AccessPolicyArn:
+        '''The access policy itself, which defines the specific permissions.'''
+        result = self._values.get("policy")
+        assert result is not None, "Required property 'policy' is missing"
+        return typing.cast(AccessPolicyArn, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessPolicyProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessScope",
+    jsii_struct_bases=[],
+    name_mapping={"type": "type", "namespaces": "namespaces"},
+)
+class AccessScope:
+    def __init__(
+        self,
+        *,
+        type: "AccessScopeType",
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Represents the scope of an access policy.
+
+        The scope defines the namespaces or cluster-level access granted by the policy.
+
+        :param type: The scope type of the policy, either 'namespace' or 'cluster'.
+        :param namespaces: A Kubernetes namespace that an access policy is scoped to. A value is required if you specified namespace for Type. Default: - no specific namespaces for this scope.
+
+        :interface: AccessScope
+        :property: {AccessScopeType} type - The scope type of the policy, either 'namespace' or 'cluster'.
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            access_scope = eks.AccessScope(
+                type=eks.AccessScopeType.NAMESPACE,
+            
+                # the properties below are optional
+                namespaces=["namespaces"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5f979c2154a9a6bd2f77cf7ff51d6f83944d3c1290fcb70cdab0b403b6a0a8f8)
+            check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+            check_type(argname="argument namespaces", value=namespaces, expected_type=type_hints["namespaces"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "type": type,
+        }
+        if namespaces is not None:
+            self._values["namespaces"] = namespaces
+
+    @builtins.property
+    def type(self) -> "AccessScopeType":
+        '''The scope type of the policy, either 'namespace' or 'cluster'.'''
+        result = self._values.get("type")
+        assert result is not None, "Required property 'type' is missing"
+        return typing.cast("AccessScopeType", result)
+
+    @builtins.property
+    def namespaces(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''A Kubernetes namespace that an access policy is scoped to.
+
+        A value is required if you specified
+        namespace for Type.
+
+        :default: - no specific namespaces for this scope.
+        '''
+        result = self._values.get("namespaces")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessScope(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AccessScopeType")
+class AccessScopeType(enum.Enum):
+    '''Represents the scope type of an access policy.
+
+    The scope type determines the level of access granted by the policy.
+
+    :enum: true
+    :export: true
+    :exampleMetadata: infused
+
+    Example::
+
+        # AmazonEKSClusterAdminPolicy with `cluster` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+            access_scope_type=eks.AccessScopeType.CLUSTER
+        )
+        # AmazonEKSAdminPolicy with `namespace` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+            access_scope_type=eks.AccessScopeType.NAMESPACE,
+            namespaces=["foo", "bar"]
+        )
+    '''
+
+    NAMESPACE = "NAMESPACE"
+    '''The policy applies to a specific namespace within the cluster.'''
+    CLUSTER = "CLUSTER"
+    '''The policy applies to the entire cluster.'''
+
+
 class AlbController(
     _constructs_77d1e7e8.Construct,
     metaclass=jsii.JSIIMeta,
@@ -1958,7 +2652,7 @@ class AlbControllerOptions:
         Example::
 
             eks.Cluster(self, "HelloEKS",
-                version=eks.KubernetesVersion.V1_29,
+                version=eks.KubernetesVersion.V1_30,
                 alb_controller=eks.AlbControllerOptions(
                     version=eks.AlbControllerVersion.V2_6_2
                 )
@@ -2151,7 +2845,7 @@ class AlbControllerVersion(
     Example::
 
         eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_29,
+            version=eks.KubernetesVersion.V1_30,
             alb_controller=eks.AlbControllerOptions(
                 version=eks.AlbControllerVersion.V2_6_2
             )
@@ -2386,6 +3080,34 @@ class AlbScheme(enum.Enum):
     '''An internet-facing load balancer has a publicly resolvable DNS name, so it can route requests from clients over the internet to the EC2 instances that are registered with the load balancer.'''
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AuthenticationMode")
+class AuthenticationMode(enum.Enum):
+    '''Represents the authentication mode for an Amazon EKS cluster.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+        # vpc: ec2.Vpc
+        
+        
+        eks.Cluster(self, "Cluster",
+            vpc=vpc,
+            version=eks.KubernetesVersion.V1_30,
+            kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+            authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+        )
+    '''
+
+    CONFIG_MAP = "CONFIG_MAP"
+    '''Authenticates using a Kubernetes ConfigMap.'''
+    API_AND_CONFIG_MAP = "API_AND_CONFIG_MAP"
+    '''Authenticates using both the Kubernetes API server and a ConfigMap.'''
+    API = "API"
+    '''Authenticates using the Kubernetes API server.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_eks.AutoScalingGroupCapacityOptions",
     jsii_struct_bases=[_CommonAutoScalingGroupProps_808bbf2d],
@@ -4207,6 +4929,10 @@ class CfnAddon(
             # the properties below are optional
             addon_version="addonVersion",
             configuration_values="configurationValues",
+            pod_identity_associations=[eks.CfnAddon.PodIdentityAssociationProperty(
+                role_arn="roleArn",
+                service_account="serviceAccount"
+            )],
             preserve_on_delete=False,
             resolve_conflicts="resolveConflicts",
             service_account_role_arn="serviceAccountRoleArn",
@@ -4226,6 +4952,7 @@ class CfnAddon(
         cluster_name: builtins.str,
         addon_version: typing.Optional[builtins.str] = None,
         configuration_values: typing.Optional[builtins.str] = None,
+        pod_identity_associations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAddon.PodIdentityAssociationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         preserve_on_delete: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         resolve_conflicts: typing.Optional[builtins.str] = None,
         service_account_role_arn: typing.Optional[builtins.str] = None,
@@ -4238,6 +4965,7 @@ class CfnAddon(
         :param cluster_name: The name of your cluster.
         :param addon_version: The version of the add-on.
         :param configuration_values: The configuration values that you provided.
+        :param pod_identity_associations: An array of pod identities to apply to this add-on.
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.
         :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see `UpdateAddon <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
         :param service_account_role_arn: The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see `Amazon EKS node IAM role <https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see `Enabling IAM roles for service accounts on your cluster <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_ in the *Amazon EKS User Guide* .
@@ -4252,6 +4980,7 @@ class CfnAddon(
             cluster_name=cluster_name,
             addon_version=addon_version,
             configuration_values=configuration_values,
+            pod_identity_associations=pod_identity_associations,
             preserve_on_delete=preserve_on_delete,
             resolve_conflicts=resolve_conflicts,
             service_account_role_arn=service_account_role_arn,
@@ -4362,6 +5091,24 @@ class CfnAddon(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "configurationValues", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="podIdentityAssociations")
+    def pod_identity_associations(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAddon.PodIdentityAssociationProperty"]]]]:
+        '''An array of pod identities to apply to this add-on.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAddon.PodIdentityAssociationProperty"]]]], jsii.get(self, "podIdentityAssociations"))
+
+    @pod_identity_associations.setter
+    def pod_identity_associations(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAddon.PodIdentityAssociationProperty"]]]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__04a430658e28600fba10a8c3e5edab2978904829dda6f2c70e9cca8560f7e400)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "podIdentityAssociations", value)
+
     @builtins.property
     @jsii.member(jsii_name="preserveOnDelete")
     def preserve_on_delete(
@@ -4419,6 +5166,77 @@ class CfnAddon(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "tagsRaw", value)
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_eks.CfnAddon.PodIdentityAssociationProperty",
+        jsii_struct_bases=[],
+        name_mapping={"role_arn": "roleArn", "service_account": "serviceAccount"},
+    )
+    class PodIdentityAssociationProperty:
+        def __init__(
+            self,
+            *,
+            role_arn: builtins.str,
+            service_account: builtins.str,
+        ) -> None:
+            '''A pod identity to associate with an add-on.
+
+            :param role_arn: The IAM role ARN that the pod identity association is created for.
+            :param service_account: The Kubernetes service account that the pod identity association is created for.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-podidentityassociation.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_eks as eks
+                
+                pod_identity_association_property = eks.CfnAddon.PodIdentityAssociationProperty(
+                    role_arn="roleArn",
+                    service_account="serviceAccount"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__3925c850dd0d0ad3b9faeea87aafbe69220a7bf33d95af5527715674625c9891)
+                check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
+                check_type(argname="argument service_account", value=service_account, expected_type=type_hints["service_account"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "role_arn": role_arn,
+                "service_account": service_account,
+            }
+
+        @builtins.property
+        def role_arn(self) -> builtins.str:
+            '''The IAM role ARN that the pod identity association is created for.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-podidentityassociation.html#cfn-eks-addon-podidentityassociation-rolearn
+            '''
+            result = self._values.get("role_arn")
+            assert result is not None, "Required property 'role_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def service_account(self) -> builtins.str:
+            '''The Kubernetes service account that the pod identity association is created for.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-podidentityassociation.html#cfn-eks-addon-podidentityassociation-serviceaccount
+            '''
+            result = self._values.get("service_account")
+            assert result is not None, "Required property 'service_account' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "PodIdentityAssociationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_eks.CfnAddonProps",
@@ -4428,6 +5246,7 @@ class CfnAddon(
         "cluster_name": "clusterName",
         "addon_version": "addonVersion",
         "configuration_values": "configurationValues",
+        "pod_identity_associations": "podIdentityAssociations",
         "preserve_on_delete": "preserveOnDelete",
         "resolve_conflicts": "resolveConflicts",
         "service_account_role_arn": "serviceAccountRoleArn",
@@ -4442,6 +5261,7 @@ class CfnAddonProps:
         cluster_name: builtins.str,
         addon_version: typing.Optional[builtins.str] = None,
         configuration_values: typing.Optional[builtins.str] = None,
+        pod_identity_associations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.PodIdentityAssociationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         preserve_on_delete: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         resolve_conflicts: typing.Optional[builtins.str] = None,
         service_account_role_arn: typing.Optional[builtins.str] = None,
@@ -4453,6 +5273,7 @@ class CfnAddonProps:
         :param cluster_name: The name of your cluster.
         :param addon_version: The version of the add-on.
         :param configuration_values: The configuration values that you provided.
+        :param pod_identity_associations: An array of pod identities to apply to this add-on.
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.
         :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see `UpdateAddon <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
         :param service_account_role_arn: The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see `Amazon EKS node IAM role <https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see `Enabling IAM roles for service accounts on your cluster <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_ in the *Amazon EKS User Guide* .
@@ -4474,6 +5295,10 @@ class CfnAddonProps:
                 # the properties below are optional
                 addon_version="addonVersion",
                 configuration_values="configurationValues",
+                pod_identity_associations=[eks.CfnAddon.PodIdentityAssociationProperty(
+                    role_arn="roleArn",
+                    service_account="serviceAccount"
+                )],
                 preserve_on_delete=False,
                 resolve_conflicts="resolveConflicts",
                 service_account_role_arn="serviceAccountRoleArn",
@@ -4489,6 +5314,7 @@ class CfnAddonProps:
             check_type(argname="argument cluster_name", value=cluster_name, expected_type=type_hints["cluster_name"])
             check_type(argname="argument addon_version", value=addon_version, expected_type=type_hints["addon_version"])
             check_type(argname="argument configuration_values", value=configuration_values, expected_type=type_hints["configuration_values"])
+            check_type(argname="argument pod_identity_associations", value=pod_identity_associations, expected_type=type_hints["pod_identity_associations"])
             check_type(argname="argument preserve_on_delete", value=preserve_on_delete, expected_type=type_hints["preserve_on_delete"])
             check_type(argname="argument resolve_conflicts", value=resolve_conflicts, expected_type=type_hints["resolve_conflicts"])
             check_type(argname="argument service_account_role_arn", value=service_account_role_arn, expected_type=type_hints["service_account_role_arn"])
@@ -4501,6 +5327,8 @@ class CfnAddonProps:
             self._values["addon_version"] = addon_version
         if configuration_values is not None:
             self._values["configuration_values"] = configuration_values
+        if pod_identity_associations is not None:
+            self._values["pod_identity_associations"] = pod_identity_associations
         if preserve_on_delete is not None:
             self._values["preserve_on_delete"] = preserve_on_delete
         if resolve_conflicts is not None:
@@ -4548,6 +5376,17 @@ class CfnAddonProps:
         result = self._values.get("configuration_values")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def pod_identity_associations(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnAddon.PodIdentityAssociationProperty]]]]:
+        '''An array of pod identities to apply to this add-on.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-addon.html#cfn-eks-addon-podidentityassociations
+        '''
+        result = self._values.get("pod_identity_associations")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnAddon.PodIdentityAssociationProperty]]]], result)
+
     @builtins.property
     def preserve_on_delete(
         self,
@@ -9340,7 +10179,7 @@ class ClusterLoggingTypes(enum.Enum):
 
         cluster = eks.Cluster(self, "Cluster",
             # ...
-            version=eks.KubernetesVersion.V1_29,
+            version=eks.KubernetesVersion.V1_30,
             cluster_logging=[eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.SCHEDULER
             ]
         )
@@ -9579,7 +10418,7 @@ class DefaultCapacityType(enum.Enum):
     Example::
 
         cluster = eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_29,
+            version=eks.KubernetesVersion.V1_30,
             default_capacity_type=eks.DefaultCapacityType.EC2
         )
     '''
@@ -9748,7 +10587,7 @@ class EndpointAccess(
     Example::
 
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_29,
+            version=eks.KubernetesVersion.V1_30,
             endpoint_access=eks.EndpointAccess.PRIVATE
         )
     '''
@@ -10802,22 +11641,132 @@ class HelmChartProps(HelmChartOptions):
     def cluster(self) -> "ICluster":
         '''The EKS cluster to apply this configuration to.
 
-        [disable-awslint:ref-via-interface]
-        '''
-        result = self._values.get("cluster")
-        assert result is not None, "Required property 'cluster' is missing"
-        return typing.cast("ICluster", result)
+        [disable-awslint:ref-via-interface]
+        '''
+        result = self._values.get("cluster")
+        assert result is not None, "Required property 'cluster' is missing"
+        return typing.cast("ICluster", result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "HelmChartProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.interface(jsii_type="aws-cdk-lib.aws_eks.IAccessEntry")
+class IAccessEntry(_IResource_c80c4260, typing_extensions.Protocol):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :extends: IResource *
+    :interface: IAccessEntry
+    :property: {string} accessEntryArn - The Amazon Resource Name (ARN) of the access entry.
+    '''
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.
+
+        :attribute: true
+        '''
+        ...
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.
+
+        :attribute: true
+        '''
+        ...
+
+
+class _IAccessEntryProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :extends: IResource *
+    :interface: IAccessEntry
+    :property: {string} accessEntryArn - The Amazon Resource Name (ARN) of the access entry.
+    '''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_eks.IAccessEntry"
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryName"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IAccessEntry).__jsii_proxy_class__ = lambda : _IAccessEntryProxy
+
+
+@jsii.interface(jsii_type="aws-cdk-lib.aws_eks.IAccessPolicy")
+class IAccessPolicy(typing_extensions.Protocol):
+    '''Represents an access policy that defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :interface: IAccessPolicy
+    '''
+
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        ...
+
+    @builtins.property
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        ...
+
+
+class _IAccessPolicyProxy:
+    '''Represents an access policy that defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :interface: IAccessPolicy
+    '''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_eks.IAccessPolicy"
 
-    def __eq__(self, rhs: typing.Any) -> builtins.bool:
-        return isinstance(rhs, self.__class__) and rhs._values == self._values
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        return typing.cast(AccessScope, jsii.get(self, "accessScope"))
 
-    def __ne__(self, rhs: typing.Any) -> builtins.bool:
-        return not (rhs == self)
+    @builtins.property
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        return typing.cast(builtins.str, jsii.get(self, "policy"))
 
-    def __repr__(self) -> str:
-        return "HelmChartProps(%s)" % ", ".join(
-            k + "=" + repr(v) for k, v in self._values.items()
-        )
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IAccessPolicy).__jsii_proxy_class__ = lambda : _IAccessPolicyProxy
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_eks.ICluster")
@@ -10910,6 +11859,15 @@ class ICluster(_IResource_c80c4260, _IConnectable_10015a05, typing_extensions.Pr
         '''The VPC in which this Cluster was created.'''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        ...
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -11261,6 +12219,15 @@ class _IClusterProxy(
         '''The VPC in which this Cluster was created.'''
         return typing.cast(_IVpc_f30d5663, jsii.get(self, "vpc"))
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        return typing.cast(typing.Optional[AuthenticationMode], jsii.get(self, "authenticationMode"))
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -11690,7 +12657,7 @@ class IpFamily(enum.Enum):
             subnetcount = subnetcount + 1
         
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_29,
+            version=eks.KubernetesVersion.V1_30,
             vpc=vpc,
             ip_family=eks.IpFamily.IP_V6,
             vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)]
@@ -12814,15 +13781,16 @@ class KubernetesVersion(
 
     Example::
 
-        cluster = eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_29,
-            default_capacity=0
+        # or
+        # vpc: ec2.Vpc
+        eks.Cluster(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            version=eks.KubernetesVersion.V1_30
         )
-        
-        cluster.add_nodegroup_capacity("custom-node-group",
-            instance_types=[ec2.InstanceType("m5.large")],
-            min_size=4,
-            disk_size=100
+        eks.Cluster.from_cluster_attributes(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            vpc=vpc,
+            cluster_name="cluster-name"
         )
     '''
 
@@ -13020,6 +13988,17 @@ class KubernetesVersion(
         '''
         return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_29"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="V1_30")
+    def V1_30(cls) -> "KubernetesVersion":
+        '''Kubernetes version 1.30.
+
+        When creating a ``Cluster`` with this version, you need to also specify the
+        ``kubectlLayer`` property with a ``KubectlV29Layer`` from
+        ``@aws-cdk/lambda-layer-kubectl-v30``.
+        '''
+        return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_30"))
+
     @builtins.property
     @jsii.member(jsii_name="version")
     def version(self) -> builtins.str:
@@ -15104,6 +16083,204 @@ class TaintSpec:
         )
 
 
+@jsii.implements(IAccessEntry)
+class AccessEntry(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntry",
+):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :implements: IAccessEntry
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_eks as eks
+        
+        # access_policy: eks.AccessPolicy
+        # cluster: eks.Cluster
+        
+        access_entry = eks.AccessEntry(self, "MyAccessEntry",
+            access_policies=[access_policy],
+            cluster=cluster,
+            principal="principal",
+        
+            # the properties below are optional
+            access_entry_name="accessEntryName",
+            access_entry_type=eks.AccessEntryType.STANDARD
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        access_policies: typing.Sequence[IAccessPolicy],
+        cluster: ICluster,
+        principal: builtins.str,
+        access_entry_name: typing.Optional[builtins.str] = None,
+        access_entry_type: typing.Optional[AccessEntryType] = None,
+    ) -> None:
+        '''
+        :param scope: -
+        :param id: -
+        :param access_policies: The access policies that define the permissions and scope for the access entry.
+        :param cluster: The Amazon EKS cluster to which the access entry applies.
+        :param principal: The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.
+        :param access_entry_name: The name of the AccessEntry. Default: - No access entry name is provided
+        :param access_entry_type: The type of the AccessEntry. Default: STANDARD
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__76acfe0dd4f79a87279c3d9cbf3bd8c7327733233aec66908901483da7f17d5b)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = AccessEntryProps(
+            access_policies=access_policies,
+            cluster=cluster,
+            principal=principal,
+            access_entry_name=access_entry_name,
+            access_entry_type=access_entry_type,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="fromAccessEntryAttributes")
+    @builtins.classmethod
+    def from_access_entry_attributes(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        access_entry_arn: builtins.str,
+        access_entry_name: builtins.str,
+    ) -> IAccessEntry:
+        '''Imports an ``AccessEntry`` from its attributes.
+
+        :param scope: - The parent construct.
+        :param id: - The ID of the imported construct.
+        :param access_entry_arn: The Amazon Resource Name (ARN) of the access entry.
+        :param access_entry_name: The name of the access entry.
+
+        :return: The imported access entry.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f179e9982369f73f3bb7a13ff87f073fda0da2cd11932479d54f6d69d8849141)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        attrs = AccessEntryAttributes(
+            access_entry_arn=access_entry_arn, access_entry_name=access_entry_name
+        )
+
+        return typing.cast(IAccessEntry, jsii.sinvoke(cls, "fromAccessEntryAttributes", [scope, id, attrs]))
+
+    @jsii.member(jsii_name="addAccessPolicies")
+    def add_access_policies(
+        self,
+        new_access_policies: typing.Sequence[IAccessPolicy],
+    ) -> None:
+        '''Add the access policies for this entry.
+
+        :param new_access_policies: - The new access policies to add.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e1007432e51c3db7b596578b73c0068b372fc6af638d2adb2faa12db70799372)
+            check_type(argname="argument new_access_policies", value=new_access_policies, expected_type=type_hints["new_access_policies"])
+        return typing.cast(None, jsii.invoke(self, "addAccessPolicies", [new_access_policies]))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.'''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.'''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryName"))
+
+
+@jsii.implements(IAccessPolicy)
+class AccessPolicy(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicy",
+):
+    '''Represents an Amazon EKS Access Policy that implements the IAccessPolicy interface.
+
+    :implements: IAccessPolicy
+    :exampleMetadata: infused
+
+    Example::
+
+        # AmazonEKSClusterAdminPolicy with `cluster` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+            access_scope_type=eks.AccessScopeType.CLUSTER
+        )
+        # AmazonEKSAdminPolicy with `namespace` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+            access_scope_type=eks.AccessScopeType.NAMESPACE,
+            namespaces=["foo", "bar"]
+        )
+    '''
+
+    def __init__(
+        self,
+        *,
+        access_scope: typing.Union[AccessScope, typing.Dict[builtins.str, typing.Any]],
+        policy: AccessPolicyArn,
+    ) -> None:
+        '''Constructs a new instance of the AccessPolicy class.
+
+        :param access_scope: The scope of the access policy, which determines the level of access granted.
+        :param policy: The access policy itself, which defines the specific permissions.
+        '''
+        props = AccessPolicyProps(access_scope=access_scope, policy=policy)
+
+        jsii.create(self.__class__, self, [props])
+
+    @jsii.member(jsii_name="fromAccessPolicyName")
+    @builtins.classmethod
+    def from_access_policy_name(
+        cls,
+        policy_name: builtins.str,
+        *,
+        access_scope_type: AccessScopeType,
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> IAccessPolicy:
+        '''Import AccessPolicy by name.
+
+        :param policy_name: -
+        :param access_scope_type: The scope of the access policy. This determines the level of access granted by the policy.
+        :param namespaces: An optional array of Kubernetes namespaces to which the access policy applies. Default: - no specific namespaces for this scope
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a928f26a921cd1d01ec556e4421fe3bf4a1ac17a9b598a554215bfae5af842aa)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        options = AccessPolicyNameOptions(
+            access_scope_type=access_scope_type, namespaces=namespaces
+        )
+
+        return typing.cast(IAccessPolicy, jsii.sinvoke(cls, "fromAccessPolicyName", [policy_name, options]))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        return typing.cast(AccessScope, jsii.get(self, "accessScope"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        return typing.cast(builtins.str, jsii.get(self, "policy"))
+
+
 @jsii.implements(ICluster)
 class Cluster(
     _Resource_45bc6135,
@@ -15119,18 +16296,16 @@ class Cluster(
 
     Example::
 
-        import aws_cdk.aws_eks as eks
-        
-        
-        my_eks_cluster = eks.Cluster(self, "my sample cluster",
-            version=eks.KubernetesVersion.V1_18,
-            cluster_name="myEksCluster"
+        # or
+        # vpc: ec2.Vpc
+        eks.Cluster(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            version=eks.KubernetesVersion.V1_30
         )
-        
-        tasks.EksCall(self, "Call a EKS Endpoint",
-            cluster=my_eks_cluster,
-            http_method=tasks.HttpMethods.GET,
-            http_path="/api/v1/namespaces/default/pods"
+        eks.Cluster.from_cluster_attributes(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            vpc=vpc,
+            cluster_name="cluster-name"
         )
     '''
 
@@ -15139,12 +16314,14 @@ class Cluster(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
+        bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
         default_capacity: typing.Optional[jsii.Number] = None,
         default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
         kubectl_lambda_role: typing.Optional[_IRole_235f5d8e] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -15175,12 +16352,14 @@ class Cluster(
 
         :param scope: a Construct, most likely a cdk.Stack created.
         :param id: the id of the Construct to create.
+        :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
         :param default_capacity: Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through ``defaultCapacityInstanceType``, which defaults to ``m5.large``. Use ``cluster.addAutoScalingGroupCapacity`` to add additional customized capacity. Set this to ``0`` is you wish to avoid the initial capacity allocation. Default: 2
         :param default_capacity_instance: The instance type to use for the default capacity. This will only be taken into account if ``defaultCapacity`` is > 0. Default: m5.large
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
         :param kubectl_lambda_role: The IAM role to pass to the Kubectl Lambda Handler. Default: - Default Lambda IAM Execution Role
         :param tags: The tags assigned to the EKS cluster. Default: - none
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -15212,12 +16391,14 @@ class Cluster(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = ClusterProps(
+            bootstrap_cluster_creator_admin_permissions=bootstrap_cluster_creator_admin_permissions,
             default_capacity=default_capacity,
             default_capacity_instance=default_capacity_instance,
             default_capacity_type=default_capacity_type,
             kubectl_lambda_role=kubectl_lambda_role,
             tags=tags,
             alb_controller=alb_controller,
+            authentication_mode=authentication_mode,
             awscli_layer=awscli_layer,
             cluster_handler_environment=cluster_handler_environment,
             cluster_handler_security_group=cluster_handler_security_group,
@@ -15805,6 +16986,30 @@ class Cluster(
 
         return typing.cast(builtins.str, jsii.invoke(self, "getServiceLoadBalancerAddress", [service_name, options]))
 
+    @jsii.member(jsii_name="grantAccess")
+    def grant_access(
+        self,
+        id: builtins.str,
+        principal: builtins.str,
+        access_policies: typing.Sequence[IAccessPolicy],
+    ) -> None:
+        '''Grants the specified IAM principal access to the EKS cluster based on the provided access policies.
+
+        This method creates an ``AccessEntry`` construct that grants the specified IAM principal the access permissions
+        defined by the provided ``IAccessPolicy`` array. This allows the IAM principal to perform the actions permitted
+        by the access policies within the EKS cluster.
+
+        :param id: - The ID of the ``AccessEntry`` construct to be created.
+        :param principal: - The IAM principal (role or user) to be granted access to the EKS cluster.
+        :param access_policies: - An array of ``IAccessPolicy`` objects that define the access permissions to be granted to the IAM principal.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__c595337c9bbbcf6eb001ec015e579e32f72cb323ae83c9fa92eef98034ea8936)
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument principal", value=principal, expected_type=type_hints["principal"])
+            check_type(argname="argument access_policies", value=access_policies, expected_type=type_hints["access_policies"])
+        return typing.cast(None, jsii.invoke(self, "grantAccess", [id, principal, access_policies]))
+
     @builtins.property
     @jsii.member(jsii_name="adminRole")
     def admin_role(self) -> _Role_e8c6e11f:
@@ -15942,6 +17147,19 @@ class Cluster(
         '''
         return typing.cast(typing.Optional[AlbController], jsii.get(self, "albController"))
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the Amazon EKS cluster.
+
+        The authentication mode determines how users and applications authenticate to the Kubernetes API server.
+
+        :default: CONFIG_MAP.
+
+        :property: {AuthenticationMode} [authenticationMode] - The authentication mode for the Amazon EKS cluster.
+        '''
+        return typing.cast(typing.Optional[AuthenticationMode], jsii.get(self, "authenticationMode"))
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -16095,6 +17313,7 @@ class Cluster(
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -16127,6 +17346,7 @@ class ClusterOptions(CommonClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -16156,6 +17376,7 @@ class ClusterOptions(CommonClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -16211,6 +17432,7 @@ class ClusterOptions(CommonClusterOptions):
                     policy=policy,
                     repository="repository"
                 ),
+                authentication_mode=eks.AuthenticationMode.CONFIG_MAP,
                 awscli_layer=layer_version,
                 cluster_handler_environment={
                     "cluster_handler_environment_key": "clusterHandlerEnvironment"
@@ -16261,6 +17483,7 @@ class ClusterOptions(CommonClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -16297,6 +17520,8 @@ class ClusterOptions(CommonClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -16420,6 +17645,15 @@ class ClusterOptions(CommonClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -16658,6 +17892,7 @@ class ClusterOptions(CommonClusterOptions):
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -16675,6 +17910,7 @@ class ClusterOptions(CommonClusterOptions):
         "prune": "prune",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
+        "bootstrap_cluster_creator_admin_permissions": "bootstrapClusterCreatorAdminPermissions",
         "default_capacity": "defaultCapacity",
         "default_capacity_instance": "defaultCapacityInstance",
         "default_capacity_type": "defaultCapacityType",
@@ -16695,6 +17931,7 @@ class ClusterProps(ClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -16712,6 +17949,7 @@ class ClusterProps(ClusterOptions):
         prune: typing.Optional[builtins.bool] = None,
         secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
+        bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
         default_capacity: typing.Optional[jsii.Number] = None,
         default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -16729,6 +17967,7 @@ class ClusterProps(ClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -16746,6 +17985,7 @@ class ClusterProps(ClusterOptions):
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
+        :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
         :param default_capacity: Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through ``defaultCapacityInstanceType``, which defaults to ``m5.large``. Use ``cluster.addAutoScalingGroupCapacity`` to add additional customized capacity. Set this to ``0`` is you wish to avoid the initial capacity allocation. Default: 2
         :param default_capacity_instance: The instance type to use for the default capacity. This will only be taken into account if ``defaultCapacity`` is > 0. Default: m5.large
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
@@ -16760,7 +18000,7 @@ class ClusterProps(ClusterOptions):
             # vpc: ec2.Vpc
             eks.Cluster(self, "MyCluster",
                 kubectl_memory=Size.gibibytes(4),
-                version=eks.KubernetesVersion.V1_29
+                version=eks.KubernetesVersion.V1_30
             )
             eks.Cluster.from_cluster_attributes(self, "MyCluster",
                 kubectl_memory=Size.gibibytes(4),
@@ -16781,6 +18021,7 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -16798,6 +18039,7 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
+            check_type(argname="argument bootstrap_cluster_creator_admin_permissions", value=bootstrap_cluster_creator_admin_permissions, expected_type=type_hints["bootstrap_cluster_creator_admin_permissions"])
             check_type(argname="argument default_capacity", value=default_capacity, expected_type=type_hints["default_capacity"])
             check_type(argname="argument default_capacity_instance", value=default_capacity_instance, expected_type=type_hints["default_capacity_instance"])
             check_type(argname="argument default_capacity_type", value=default_capacity_type, expected_type=type_hints["default_capacity_type"])
@@ -16822,6 +18064,8 @@ class ClusterProps(ClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -16856,6 +18100,8 @@ class ClusterProps(ClusterOptions):
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
             self._values["service_ipv4_cidr"] = service_ipv4_cidr
+        if bootstrap_cluster_creator_admin_permissions is not None:
+            self._values["bootstrap_cluster_creator_admin_permissions"] = bootstrap_cluster_creator_admin_permissions
         if default_capacity is not None:
             self._values["default_capacity"] = default_capacity
         if default_capacity_instance is not None:
@@ -16955,6 +18201,15 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -17168,6 +18423,19 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("service_ipv4_cidr")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def bootstrap_cluster_creator_admin_permissions(
+        self,
+    ) -> typing.Optional[builtins.bool]:
+        '''Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time.
+
+        Changing this value after the cluster has been created will result in the cluster being replaced.
+
+        :default: true
+        '''
+        result = self._values.get("bootstrap_cluster_creator_admin_permissions")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def default_capacity(self) -> typing.Optional[jsii.Number]:
         '''Number of instances to allocate as an initial capacity for this cluster.
@@ -17250,7 +18518,7 @@ class FargateCluster(
     Example::
 
         cluster = eks.FargateCluster(self, "MyCluster",
-            version=eks.KubernetesVersion.V1_29
+            version=eks.KubernetesVersion.V1_30
         )
     '''
 
@@ -17261,6 +18529,7 @@ class FargateCluster(
         *,
         default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -17292,6 +18561,7 @@ class FargateCluster(
         :param id: -
         :param default_profile: Fargate Profile to create along with the cluster. Default: - A profile called "default" with 'default' and 'kube-system' selectors will be created if this is left undefined.
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -17325,6 +18595,7 @@ class FargateCluster(
         props = FargateClusterProps(
             default_profile=default_profile,
             alb_controller=alb_controller,
+            authentication_mode=authentication_mode,
             awscli_layer=awscli_layer,
             cluster_handler_environment=cluster_handler_environment,
             cluster_handler_security_group=cluster_handler_security_group,
@@ -17374,6 +18645,7 @@ class FargateCluster(
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -17407,6 +18679,7 @@ class FargateClusterProps(ClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -17437,6 +18710,7 @@ class FargateClusterProps(ClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -17461,7 +18735,7 @@ class FargateClusterProps(ClusterOptions):
         Example::
 
             cluster = eks.FargateCluster(self, "MyCluster",
-                version=eks.KubernetesVersion.V1_29
+                version=eks.KubernetesVersion.V1_30
             )
         '''
         if isinstance(alb_controller, dict):
@@ -17479,6 +18753,7 @@ class FargateClusterProps(ClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -17516,6 +18791,8 @@ class FargateClusterProps(ClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -17641,6 +18918,15 @@ class FargateClusterProps(ClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -17950,11 +19236,22 @@ class IngressLoadBalancerAddressOptions(ServiceLoadBalancerAddressOptions):
 
 
 __all__ = [
+    "AccessEntry",
+    "AccessEntryAttributes",
+    "AccessEntryProps",
+    "AccessEntryType",
+    "AccessPolicy",
+    "AccessPolicyArn",
+    "AccessPolicyNameOptions",
+    "AccessPolicyProps",
+    "AccessScope",
+    "AccessScopeType",
     "AlbController",
     "AlbControllerOptions",
     "AlbControllerProps",
     "AlbControllerVersion",
     "AlbScheme",
+    "AuthenticationMode",
     "AutoScalingGroupCapacityOptions",
     "AutoScalingGroupOptions",
     "AwsAuth",
@@ -17996,6 +19293,8 @@ __all__ = [
     "HelmChart",
     "HelmChartOptions",
     "HelmChartProps",
+    "IAccessEntry",
+    "IAccessPolicy",
     "ICluster",
     "IKubectlProvider",
     "INodegroup",
@@ -18034,6 +19333,61 @@ __all__ = [
 
 publication.publish()
 
+def _typecheckingstub__ea57d074f938dd093d38b977c20869681c2abd3bacc2931046328147dc4d8d72(
+    *,
+    access_entry_arn: builtins.str,
+    access_entry_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0cc467f068aa2e977dd81e9c0227cfe45f7381ea6d31cea9c6f7f80e6d83e048(
+    *,
+    access_policies: typing.Sequence[IAccessPolicy],
+    cluster: ICluster,
+    principal: builtins.str,
+    access_entry_name: typing.Optional[builtins.str] = None,
+    access_entry_type: typing.Optional[AccessEntryType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0ac946189967c669f9d1c47c0772f99ed1ce20197e6c76e4496836bbe19d2a72(
+    policy_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__23236f8d1dae1650ef58623c900288d55afe1fd4ead26b7b1aff290d073de854(
+    policy_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__249ef277acd24f14314e76608ae6685b8ec176bb0872ba8327c446714e5afaee(
+    *,
+    access_scope_type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__d76ffc136ce61df3ec4331aefef6219d2ab1e0d4a6c6da1cd604f5d3a29a1c20(
+    *,
+    access_scope: typing.Union[AccessScope, typing.Dict[builtins.str, typing.Any]],
+    policy: AccessPolicyArn,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5f979c2154a9a6bd2f77cf7ff51d6f83944d3c1290fcb70cdab0b403b6a0a8f8(
+    *,
+    type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__5e2ca421e3f17c3114d53057ba096ab3f90bd3b8ed6c2e0f75f61c88dd5aed4b(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -18306,6 +19660,7 @@ def _typecheckingstub__45ff0728c7d6fc5f47c97aa791c327f70a32e19bdf463d94d9351053f
     cluster_name: builtins.str,
     addon_version: typing.Optional[builtins.str] = None,
     configuration_values: typing.Optional[builtins.str] = None,
+    pod_identity_associations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.PodIdentityAssociationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     preserve_on_delete: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     resolve_conflicts: typing.Optional[builtins.str] = None,
     service_account_role_arn: typing.Optional[builtins.str] = None,
@@ -18350,6 +19705,12 @@ def _typecheckingstub__f2b158aed78a78d2962c2650df64f6c3880ccb508ebd6b281bda6c1a1
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__04a430658e28600fba10a8c3e5edab2978904829dda6f2c70e9cca8560f7e400(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnAddon.PodIdentityAssociationProperty]]]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__c38bc0bc32707ba96b79f5dda73d99054ea5b77577796b10a0f95ff6fe51b133(
     value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
 ) -> None:
@@ -18374,12 +19735,21 @@ def _typecheckingstub__61cfcc2cd9aba81e02df7f2a5c976044dc5e5cbf6c05b880c4944cb35
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__3925c850dd0d0ad3b9faeea87aafbe69220a7bf33d95af5527715674625c9891(
+    *,
+    role_arn: builtins.str,
+    service_account: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__484b2779e40e4780cb0940ac7bc9daaf91fa04347613d732138d3be3d3f5a2d9(
     *,
     addon_name: builtins.str,
     cluster_name: builtins.str,
     addon_version: typing.Optional[builtins.str] = None,
     configuration_values: typing.Optional[builtins.str] = None,
+    pod_identity_associations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.PodIdentityAssociationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     preserve_on_delete: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     resolve_conflicts: typing.Optional[builtins.str] = None,
     service_account_role_arn: typing.Optional[builtins.str] = None,
@@ -19571,16 +20941,56 @@ def _typecheckingstub__be119d20277d81d5cacb542dcf0ff7927e8c934305e8be443e95ce321
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__76acfe0dd4f79a87279c3d9cbf3bd8c7327733233aec66908901483da7f17d5b(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    access_policies: typing.Sequence[IAccessPolicy],
+    cluster: ICluster,
+    principal: builtins.str,
+    access_entry_name: typing.Optional[builtins.str] = None,
+    access_entry_type: typing.Optional[AccessEntryType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f179e9982369f73f3bb7a13ff87f073fda0da2cd11932479d54f6d69d8849141(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    access_entry_arn: builtins.str,
+    access_entry_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__e1007432e51c3db7b596578b73c0068b372fc6af638d2adb2faa12db70799372(
+    new_access_policies: typing.Sequence[IAccessPolicy],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a928f26a921cd1d01ec556e4421fe3bf4a1ac17a9b598a554215bfae5af842aa(
+    policy_name: builtins.str,
+    *,
+    access_scope_type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__786576ad54eacdb9ab8e92277c0fd07f813bc56d4243937f3b5a85c0c575cac9(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
+    bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
     default_capacity: typing.Optional[jsii.Number] = None,
     default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
     kubectl_lambda_role: typing.Optional[_IRole_235f5d8e] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19795,6 +21205,14 @@ def _typecheckingstub__1125553e51a293d46862ded8c9242c2427ed871d469da6db3ac9d9ace
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__c595337c9bbbcf6eb001ec015e579e32f72cb323ae83c9fa92eef98034ea8936(
+    id: builtins.str,
+    principal: builtins.str,
+    access_policies: typing.Sequence[IAccessPolicy],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef40c0cb1(
     *,
     version: KubernetesVersion,
@@ -19806,6 +21224,7 @@ def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19838,6 +21257,7 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19855,6 +21275,7 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     prune: typing.Optional[builtins.bool] = None,
     secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
+    bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
     default_capacity: typing.Optional[jsii.Number] = None,
     default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -19870,6 +21291,7 @@ def _typecheckingstub__ae166d791f5d5176f3386726c22bc44afedf5d336437a3513e3740387
     *,
     default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19910,6 +21332,7 @@ def _typecheckingstub__f11c7f989209f6213cb855d2846bb0b2b79a6a2b85eb0d65939e981df
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,