aws-cdk-lib 2.145.0__py3-none-any.whl → 2.146.0__py3-none-any.whl

aws_cdk/aws_eks/__init__.py

@@ -42,6 +42,8 @@ In addition, the library also supports defining Kubernetes resource manifests wi
   * [Permissions and Security](#permissions-and-security)
 
     * [AWS IAM Mapping](#aws-iam-mapping)
+    * [Access Config](#access-config)
+    * [Access Entry](#access-mapping)
     * [Cluster Security Group](#cluster-security-group)
     * [Node SSH Access](#node-ssh-access)
     * [Service Accounts](#service-accounts)
@@ -1122,6 +1124,131 @@ console_read_only_role.add_to_policy(iam.PolicyStatement(
 cluster.aws_auth.add_masters_role(console_read_only_role)
 ```
 
+### Access Config
+
+Amazon EKS supports three modes of authentication: `CONFIG_MAP`, `API_AND_CONFIG_MAP`, and `API`. You can enable cluster
+to use access entry APIs by using authenticationMode `API` or `API_AND_CONFIG_MAP`. Use authenticationMode `CONFIG_MAP`
+to continue using aws-auth configMap exclusively. When `API_AND_CONFIG_MAP` is enabled, the cluster will source authenticated
+AWS IAM principals from both Amazon EKS access entry APIs and the aws-auth configMap, with priority given to the access entry API.
+
+To specify the `authenticationMode`:
+
+```python
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+# vpc: ec2.Vpc
+
+
+eks.Cluster(self, "Cluster",
+    vpc=vpc,
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+    authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+)
+```
+
+> **Note** - Switching authentication modes on an existing cluster is a one-way operation. You can switch from
+> `CONFIG_MAP` to `API_AND_CONFIG_MAP`. You can then switch from `API_AND_CONFIG_MAP` to `API`.
+> You cannot revert these operations in the opposite direction. Meaning you cannot switch back to
+> `CONFIG_MAP` or `API_AND_CONFIG_MAP` from `API`. And you cannot switch back to `CONFIG_MAP` from `API_AND_CONFIG_MAP`.
+
+Read [A deep dive into simplified Amazon EKS access management controls
+](https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/) for more details.
+
+You can disable granting the cluster admin permissions to the cluster creator role on bootstrapping by setting
+`bootstrapClusterCreatorAdminPermissions` to false.
+
+> **Note** - Switching `bootstrapClusterCreatorAdminPermissions` on an existing cluster would cause cluster replacement and should be avoided in production.
+
+### Access Entry
+
+An access entry is a cluster identity—directly linked to an AWS IAM principal user or role that is used to authenticate to
+an Amazon EKS cluster. An Amazon EKS access policy authorizes an access entry to perform specific cluster actions.
+
+Access policies are Amazon EKS-specific policies that assign Kubernetes permissions to access entries. Amazon EKS supports
+only predefined and AWS managed policies. Access policies are not AWS IAM entities and are defined and managed by Amazon EKS.
+Amazon EKS access policies include permission sets that support common use cases of administration, editing, or read-only access
+to Kubernetes resources. See [Access Policy Permissions](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions) for more details.
+
+Use `AccessPolicy` to include predefined AWS managed policies:
+
+```python
+# AmazonEKSClusterAdminPolicy with `cluster` scope
+eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+    access_scope_type=eks.AccessScopeType.CLUSTER
+)
+# AmazonEKSAdminPolicy with `namespace` scope
+eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+    access_scope_type=eks.AccessScopeType.NAMESPACE,
+    namespaces=["foo", "bar"]
+)
+```
+
+Use `grantAccess()` to grant the AccessPolicy to an IAM principal:
+
+```python
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+# vpc: ec2.Vpc
+
+
+cluster_admin_role = iam.Role(self, "ClusterAdminRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+eks_admin_role = iam.Role(self, "EKSAdminRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+eks_admin_view_role = iam.Role(self, "EKSAdminViewRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+cluster = eks.Cluster(self, "Cluster",
+    vpc=vpc,
+    masters_role=cluster_admin_role,
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+    authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+)
+
+# Cluster Admin role for this cluster
+cluster.grant_access("clusterAdminAccess", cluster_admin_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+        access_scope_type=eks.AccessScopeType.CLUSTER
+    )
+])
+
+# EKS Admin role for specified namespaces of this cluster
+cluster.grant_access("eksAdminRoleAccess", eks_admin_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+        access_scope_type=eks.AccessScopeType.NAMESPACE,
+        namespaces=["foo", "bar"]
+    )
+])
+
+# EKS Admin Viewer role for specified namespaces of this cluster
+cluster.grant_access("eksAdminViewRoleAccess", eks_admin_view_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminViewPolicy",
+        access_scope_type=eks.AccessScopeType.NAMESPACE,
+        namespaces=["foo", "bar"]
+    )
+])
+```
+
+### Migrating from ConfigMap to Access Entry
+
+If the cluster is created with the `authenticationMode` property left undefined,
+it will default to `CONFIG_MAP`.
+
+The update path is:
+
+`undefined`(`CONFIG_MAP`) -> `API_AND_CONFIG_MAP` -> `API`
+
+If you have explicitly declared `AwsAuth` resources and then try to switch to the `API` mode, which no longer supports the
+`ConfigMap`, AWS CDK will throw an error as a protective measure to prevent you from losing all the access entries in the `ConfigMap`. In this case, you will need to remove all the declared `AwsAuth` resources explicitly and define the access entries before you are allowed to transition to the `API` mode.
+
+> **Note** - This is a one-way transition. Once you switch to the `API` mode,
+> you will not be able to switch back. Therefore, it is crucial to ensure that you have defined all the necessary access entries before making the switch to the `API` mode.
+
 ### Cluster Security Group
 
 When you create an Amazon EKS cluster, a [cluster security group](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)
@@ -1839,6 +1966,573 @@ from ..aws_lambda import ILayerVersion as _ILayerVersion_5ac127c8
 from ..aws_s3_assets import Asset as _Asset_ac2a7e61
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntryAttributes",
+    jsii_struct_bases=[],
+    name_mapping={
+        "access_entry_arn": "accessEntryArn",
+        "access_entry_name": "accessEntryName",
+    },
+)
+class AccessEntryAttributes:
+    def __init__(
+        self,
+        *,
+        access_entry_arn: builtins.str,
+        access_entry_name: builtins.str,
+    ) -> None:
+        '''Represents the attributes of an access entry.
+
+        :param access_entry_arn: The Amazon Resource Name (ARN) of the access entry.
+        :param access_entry_name: The name of the access entry.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            access_entry_attributes = eks.AccessEntryAttributes(
+                access_entry_arn="accessEntryArn",
+                access_entry_name="accessEntryName"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ea57d074f938dd093d38b977c20869681c2abd3bacc2931046328147dc4d8d72)
+            check_type(argname="argument access_entry_arn", value=access_entry_arn, expected_type=type_hints["access_entry_arn"])
+            check_type(argname="argument access_entry_name", value=access_entry_name, expected_type=type_hints["access_entry_name"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_entry_arn": access_entry_arn,
+            "access_entry_name": access_entry_name,
+        }
+
+    @builtins.property
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.'''
+        result = self._values.get("access_entry_arn")
+        assert result is not None, "Required property 'access_entry_arn' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.'''
+        result = self._values.get("access_entry_name")
+        assert result is not None, "Required property 'access_entry_name' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessEntryAttributes(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntryProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "access_policies": "accessPolicies",
+        "cluster": "cluster",
+        "principal": "principal",
+        "access_entry_name": "accessEntryName",
+        "access_entry_type": "accessEntryType",
+    },
+)
+class AccessEntryProps:
+    def __init__(
+        self,
+        *,
+        access_policies: typing.Sequence["IAccessPolicy"],
+        cluster: "ICluster",
+        principal: builtins.str,
+        access_entry_name: typing.Optional[builtins.str] = None,
+        access_entry_type: typing.Optional["AccessEntryType"] = None,
+    ) -> None:
+        '''Represents the properties required to create an Amazon EKS access entry.
+
+        :param access_policies: The access policies that define the permissions and scope for the access entry.
+        :param cluster: The Amazon EKS cluster to which the access entry applies.
+        :param principal: The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.
+        :param access_entry_name: The name of the AccessEntry. Default: - No access entry name is provided
+        :param access_entry_type: The type of the AccessEntry. Default: STANDARD
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            # access_policy: eks.AccessPolicy
+            # cluster: eks.Cluster
+            
+            access_entry_props = eks.AccessEntryProps(
+                access_policies=[access_policy],
+                cluster=cluster,
+                principal="principal",
+            
+                # the properties below are optional
+                access_entry_name="accessEntryName",
+                access_entry_type=eks.AccessEntryType.STANDARD
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0cc467f068aa2e977dd81e9c0227cfe45f7381ea6d31cea9c6f7f80e6d83e048)
+            check_type(argname="argument access_policies", value=access_policies, expected_type=type_hints["access_policies"])
+            check_type(argname="argument cluster", value=cluster, expected_type=type_hints["cluster"])
+            check_type(argname="argument principal", value=principal, expected_type=type_hints["principal"])
+            check_type(argname="argument access_entry_name", value=access_entry_name, expected_type=type_hints["access_entry_name"])
+            check_type(argname="argument access_entry_type", value=access_entry_type, expected_type=type_hints["access_entry_type"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_policies": access_policies,
+            "cluster": cluster,
+            "principal": principal,
+        }
+        if access_entry_name is not None:
+            self._values["access_entry_name"] = access_entry_name
+        if access_entry_type is not None:
+            self._values["access_entry_type"] = access_entry_type
+
+    @builtins.property
+    def access_policies(self) -> typing.List["IAccessPolicy"]:
+        '''The access policies that define the permissions and scope for the access entry.'''
+        result = self._values.get("access_policies")
+        assert result is not None, "Required property 'access_policies' is missing"
+        return typing.cast(typing.List["IAccessPolicy"], result)
+
+    @builtins.property
+    def cluster(self) -> "ICluster":
+        '''The Amazon EKS cluster to which the access entry applies.'''
+        result = self._values.get("cluster")
+        assert result is not None, "Required property 'cluster' is missing"
+        return typing.cast("ICluster", result)
+
+    @builtins.property
+    def principal(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.'''
+        result = self._values.get("principal")
+        assert result is not None, "Required property 'principal' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def access_entry_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the AccessEntry.
+
+        :default: - No access entry name is provided
+        '''
+        result = self._values.get("access_entry_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def access_entry_type(self) -> typing.Optional["AccessEntryType"]:
+        '''The type of the AccessEntry.
+
+        :default: STANDARD
+        '''
+        result = self._values.get("access_entry_type")
+        return typing.cast(typing.Optional["AccessEntryType"], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessEntryProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AccessEntryType")
+class AccessEntryType(enum.Enum):
+    '''Represents the different types of access entries that can be used in an Amazon EKS cluster.
+
+    :enum: true
+    '''
+
+    STANDARD = "STANDARD"
+    '''Represents a standard access entry.'''
+    FARGATE_LINUX = "FARGATE_LINUX"
+    '''Represents a Fargate Linux access entry.'''
+    EC2_LINUX = "EC2_LINUX"
+    '''Represents an EC2 Linux access entry.'''
+    EC2_WINDOWS = "EC2_WINDOWS"
+    '''Represents an EC2 Windows access entry.'''
+
+
+class AccessPolicyArn(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyArn",
+):
+    '''Represents an Amazon EKS Access Policy ARN.
+
+    Amazon EKS Access Policies are used to control access to Amazon EKS clusters.
+
+    :see: https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_eks as eks
+        
+        access_policy_arn = eks.AccessPolicyArn.AMAZON_EKS_ADMIN_POLICY
+    '''
+
+    def __init__(self, policy_name: builtins.str) -> None:
+        '''Constructs a new instance of the ``AccessEntry`` class.
+
+        :param policy_name: - The name of the Amazon EKS access policy. This is used to construct the policy ARN.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0ac946189967c669f9d1c47c0772f99ed1ce20197e6c76e4496836bbe19d2a72)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        jsii.create(self.__class__, self, [policy_name])
+
+    @jsii.member(jsii_name="of")
+    @builtins.classmethod
+    def of(cls, policy_name: builtins.str) -> "AccessPolicyArn":
+        '''Creates a new instance of the AccessPolicy class with the specified policy name.
+
+        :param policy_name: The name of the access policy.
+
+        :return: A new instance of the AccessPolicy class.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__23236f8d1dae1650ef58623c900288d55afe1fd4ead26b7b1aff290d073de854)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        return typing.cast("AccessPolicyArn", jsii.sinvoke(cls, "of", [policy_name]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_ADMIN_POLICY")
+    def AMAZON_EKS_ADMIN_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Admin Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        most permissions to resources. When associated to an access entry, its access scope is typically
+        one or more Kubernetes namespaces.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_ADMIN_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_ADMIN_VIEW_POLICY")
+    def AMAZON_EKS_ADMIN_VIEW_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Admin View Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        access to list/view all resources in a cluster.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_ADMIN_VIEW_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_CLUSTER_ADMIN_POLICY")
+    def AMAZON_EKS_CLUSTER_ADMIN_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Cluster Admin Policy.
+
+        This access policy includes permissions that grant an IAM
+        principal administrator access to a cluster. When associated to an access entry, its access scope
+        is typically the cluster, rather than a Kubernetes namespace.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_CLUSTER_ADMIN_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_EDIT_POLICY")
+    def AMAZON_EKS_EDIT_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Edit Policy.
+
+        This access policy includes permissions that allow an IAM principal
+        to edit most Kubernetes resources.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_EDIT_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_VIEW_POLICY")
+    def AMAZON_EKS_VIEW_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS View Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        access to list/view all resources in a cluster.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_VIEW_POLICY"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policyArn")
+    def policy_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access policy.'''
+        return typing.cast(builtins.str, jsii.get(self, "policyArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policyName")
+    def policy_name(self) -> builtins.str:
+        '''- The name of the Amazon EKS access policy.
+
+        This is used to construct the policy ARN.
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "policyName"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyNameOptions",
+    jsii_struct_bases=[],
+    name_mapping={"access_scope_type": "accessScopeType", "namespaces": "namespaces"},
+)
+class AccessPolicyNameOptions:
+    def __init__(
+        self,
+        *,
+        access_scope_type: "AccessScopeType",
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Represents the options required to create an Amazon EKS Access Policy using the ``fromAccessPolicyName()`` method.
+
+        :param access_scope_type: The scope of the access policy. This determines the level of access granted by the policy.
+        :param namespaces: An optional array of Kubernetes namespaces to which the access policy applies. Default: - no specific namespaces for this scope
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # AmazonEKSClusterAdminPolicy with `cluster` scope
+            eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+                access_scope_type=eks.AccessScopeType.CLUSTER
+            )
+            # AmazonEKSAdminPolicy with `namespace` scope
+            eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+                access_scope_type=eks.AccessScopeType.NAMESPACE,
+                namespaces=["foo", "bar"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__249ef277acd24f14314e76608ae6685b8ec176bb0872ba8327c446714e5afaee)
+            check_type(argname="argument access_scope_type", value=access_scope_type, expected_type=type_hints["access_scope_type"])
+            check_type(argname="argument namespaces", value=namespaces, expected_type=type_hints["namespaces"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_scope_type": access_scope_type,
+        }
+        if namespaces is not None:
+            self._values["namespaces"] = namespaces
+
+    @builtins.property
+    def access_scope_type(self) -> "AccessScopeType":
+        '''The scope of the access policy.
+
+        This determines the level of access granted by the policy.
+        '''
+        result = self._values.get("access_scope_type")
+        assert result is not None, "Required property 'access_scope_type' is missing"
+        return typing.cast("AccessScopeType", result)
+
+    @builtins.property
+    def namespaces(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''An optional array of Kubernetes namespaces to which the access policy applies.
+
+        :default: - no specific namespaces for this scope
+        '''
+        result = self._values.get("namespaces")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessPolicyNameOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyProps",
+    jsii_struct_bases=[],
+    name_mapping={"access_scope": "accessScope", "policy": "policy"},
+)
+class AccessPolicyProps:
+    def __init__(
+        self,
+        *,
+        access_scope: typing.Union["AccessScope", typing.Dict[builtins.str, typing.Any]],
+        policy: AccessPolicyArn,
+    ) -> None:
+        '''Properties for configuring an Amazon EKS Access Policy.
+
+        :param access_scope: The scope of the access policy, which determines the level of access granted.
+        :param policy: The access policy itself, which defines the specific permissions.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            # access_policy_arn: eks.AccessPolicyArn
+            
+            access_policy_props = eks.AccessPolicyProps(
+                access_scope=eks.AccessScope(
+                    type=eks.AccessScopeType.NAMESPACE,
+            
+                    # the properties below are optional
+                    namespaces=["namespaces"]
+                ),
+                policy=access_policy_arn
+            )
+        '''
+        if isinstance(access_scope, dict):
+            access_scope = AccessScope(**access_scope)
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d76ffc136ce61df3ec4331aefef6219d2ab1e0d4a6c6da1cd604f5d3a29a1c20)
+            check_type(argname="argument access_scope", value=access_scope, expected_type=type_hints["access_scope"])
+            check_type(argname="argument policy", value=policy, expected_type=type_hints["policy"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_scope": access_scope,
+            "policy": policy,
+        }
+
+    @builtins.property
+    def access_scope(self) -> "AccessScope":
+        '''The scope of the access policy, which determines the level of access granted.'''
+        result = self._values.get("access_scope")
+        assert result is not None, "Required property 'access_scope' is missing"
+        return typing.cast("AccessScope", result)
+
+    @builtins.property
+    def policy(self) -> AccessPolicyArn:
+        '''The access policy itself, which defines the specific permissions.'''
+        result = self._values.get("policy")
+        assert result is not None, "Required property 'policy' is missing"
+        return typing.cast(AccessPolicyArn, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessPolicyProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessScope",
+    jsii_struct_bases=[],
+    name_mapping={"type": "type", "namespaces": "namespaces"},
+)
+class AccessScope:
+    def __init__(
+        self,
+        *,
+        type: "AccessScopeType",
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Represents the scope of an access policy.
+
+        The scope defines the namespaces or cluster-level access granted by the policy.
+
+        :param type: The scope type of the policy, either 'namespace' or 'cluster'.
+        :param namespaces: A Kubernetes namespace that an access policy is scoped to. A value is required if you specified namespace for Type. Default: - no specific namespaces for this scope.
+
+        :interface: AccessScope
+        :property: {AccessScopeType} type - The scope type of the policy, either 'namespace' or 'cluster'.
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            access_scope = eks.AccessScope(
+                type=eks.AccessScopeType.NAMESPACE,
+            
+                # the properties below are optional
+                namespaces=["namespaces"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5f979c2154a9a6bd2f77cf7ff51d6f83944d3c1290fcb70cdab0b403b6a0a8f8)
+            check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+            check_type(argname="argument namespaces", value=namespaces, expected_type=type_hints["namespaces"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "type": type,
+        }
+        if namespaces is not None:
+            self._values["namespaces"] = namespaces
+
+    @builtins.property
+    def type(self) -> "AccessScopeType":
+        '''The scope type of the policy, either 'namespace' or 'cluster'.'''
+        result = self._values.get("type")
+        assert result is not None, "Required property 'type' is missing"
+        return typing.cast("AccessScopeType", result)
+
+    @builtins.property
+    def namespaces(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''A Kubernetes namespace that an access policy is scoped to.
+
+        A value is required if you specified
+        namespace for Type.
+
+        :default: - no specific namespaces for this scope.
+        '''
+        result = self._values.get("namespaces")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessScope(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AccessScopeType")
+class AccessScopeType(enum.Enum):
+    '''Represents the scope type of an access policy.
+
+    The scope type determines the level of access granted by the policy.
+
+    :enum: true
+    :export: true
+    :exampleMetadata: infused
+
+    Example::
+
+        # AmazonEKSClusterAdminPolicy with `cluster` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+            access_scope_type=eks.AccessScopeType.CLUSTER
+        )
+        # AmazonEKSAdminPolicy with `namespace` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+            access_scope_type=eks.AccessScopeType.NAMESPACE,
+            namespaces=["foo", "bar"]
+        )
+    '''
+
+    NAMESPACE = "NAMESPACE"
+    '''The policy applies to a specific namespace within the cluster.'''
+    CLUSTER = "CLUSTER"
+    '''The policy applies to the entire cluster.'''
+
+
 class AlbController(
     _constructs_77d1e7e8.Construct,
     metaclass=jsii.JSIIMeta,
@@ -2386,6 +3080,34 @@ class AlbScheme(enum.Enum):
     '''An internet-facing load balancer has a publicly resolvable DNS name, so it can route requests from clients over the internet to the EC2 instances that are registered with the load balancer.'''
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AuthenticationMode")
+class AuthenticationMode(enum.Enum):
+    '''Represents the authentication mode for an Amazon EKS cluster.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+        # vpc: ec2.Vpc
+        
+        
+        eks.Cluster(self, "Cluster",
+            vpc=vpc,
+            version=eks.KubernetesVersion.V1_30,
+            kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+            authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+        )
+    '''
+
+    CONFIG_MAP = "CONFIG_MAP"
+    '''Authenticates using a Kubernetes ConfigMap.'''
+    API_AND_CONFIG_MAP = "API_AND_CONFIG_MAP"
+    '''Authenticates using both the Kubernetes API server and a ConfigMap.'''
+    API = "API"
+    '''Authenticates using the Kubernetes API server.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_eks.AutoScalingGroupCapacityOptions",
     jsii_struct_bases=[_CommonAutoScalingGroupProps_808bbf2d],
@@ -10907,34 +11629,144 @@ class HelmChartProps(HelmChartOptions):
         return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def wait(self) -> typing.Optional[builtins.bool]:
-        '''Whether or not Helm should wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful.
-
-        :default: - Helm will not wait before marking release as successful
-        '''
-        result = self._values.get("wait")
-        return typing.cast(typing.Optional[builtins.bool], result)
+    def wait(self) -> typing.Optional[builtins.bool]:
+        '''Whether or not Helm should wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful.
+
+        :default: - Helm will not wait before marking release as successful
+        '''
+        result = self._values.get("wait")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def cluster(self) -> "ICluster":
+        '''The EKS cluster to apply this configuration to.
+
+        [disable-awslint:ref-via-interface]
+        '''
+        result = self._values.get("cluster")
+        assert result is not None, "Required property 'cluster' is missing"
+        return typing.cast("ICluster", result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "HelmChartProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.interface(jsii_type="aws-cdk-lib.aws_eks.IAccessEntry")
+class IAccessEntry(_IResource_c80c4260, typing_extensions.Protocol):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :extends: IResource *
+    :interface: IAccessEntry
+    :property: {string} accessEntryArn - The Amazon Resource Name (ARN) of the access entry.
+    '''
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.
+
+        :attribute: true
+        '''
+        ...
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.
+
+        :attribute: true
+        '''
+        ...
+
+
+class _IAccessEntryProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :extends: IResource *
+    :interface: IAccessEntry
+    :property: {string} accessEntryArn - The Amazon Resource Name (ARN) of the access entry.
+    '''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_eks.IAccessEntry"
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryName"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IAccessEntry).__jsii_proxy_class__ = lambda : _IAccessEntryProxy
+
+
+@jsii.interface(jsii_type="aws-cdk-lib.aws_eks.IAccessPolicy")
+class IAccessPolicy(typing_extensions.Protocol):
+    '''Represents an access policy that defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :interface: IAccessPolicy
+    '''
+
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        ...
 
     @builtins.property
-    def cluster(self) -> "ICluster":
-        '''The EKS cluster to apply this configuration to.
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        ...
 
-        [disable-awslint:ref-via-interface]
-        '''
-        result = self._values.get("cluster")
-        assert result is not None, "Required property 'cluster' is missing"
-        return typing.cast("ICluster", result)
 
-    def __eq__(self, rhs: typing.Any) -> builtins.bool:
-        return isinstance(rhs, self.__class__) and rhs._values == self._values
+class _IAccessPolicyProxy:
+    '''Represents an access policy that defines the permissions and scope for a user or role to access an Amazon EKS cluster.
 
-    def __ne__(self, rhs: typing.Any) -> builtins.bool:
-        return not (rhs == self)
+    :interface: IAccessPolicy
+    '''
 
-    def __repr__(self) -> str:
-        return "HelmChartProps(%s)" % ", ".join(
-            k + "=" + repr(v) for k, v in self._values.items()
-        )
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_eks.IAccessPolicy"
+
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        return typing.cast(AccessScope, jsii.get(self, "accessScope"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        return typing.cast(builtins.str, jsii.get(self, "policy"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IAccessPolicy).__jsii_proxy_class__ = lambda : _IAccessPolicyProxy
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_eks.ICluster")
@@ -11027,6 +11859,15 @@ class ICluster(_IResource_c80c4260, _IConnectable_10015a05, typing_extensions.Pr
         '''The VPC in which this Cluster was created.'''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        ...
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -11378,6 +12219,15 @@ class _IClusterProxy(
         '''The VPC in which this Cluster was created.'''
         return typing.cast(_IVpc_f30d5663, jsii.get(self, "vpc"))
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        return typing.cast(typing.Optional[AuthenticationMode], jsii.get(self, "authenticationMode"))
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -12931,15 +13781,16 @@ class KubernetesVersion(
 
     Example::
 
-        cluster = eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_30,
-            default_capacity=0
+        # or
+        # vpc: ec2.Vpc
+        eks.Cluster(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            version=eks.KubernetesVersion.V1_30
         )
-        
-        cluster.add_nodegroup_capacity("custom-node-group",
-            instance_types=[ec2.InstanceType("m5.large")],
-            min_size=4,
-            disk_size=100
+        eks.Cluster.from_cluster_attributes(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            vpc=vpc,
+            cluster_name="cluster-name"
         )
     '''
 
@@ -15232,6 +16083,204 @@ class TaintSpec:
         )
 
 
+@jsii.implements(IAccessEntry)
+class AccessEntry(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntry",
+):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :implements: IAccessEntry
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_eks as eks
+        
+        # access_policy: eks.AccessPolicy
+        # cluster: eks.Cluster
+        
+        access_entry = eks.AccessEntry(self, "MyAccessEntry",
+            access_policies=[access_policy],
+            cluster=cluster,
+            principal="principal",
+        
+            # the properties below are optional
+            access_entry_name="accessEntryName",
+            access_entry_type=eks.AccessEntryType.STANDARD
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        access_policies: typing.Sequence[IAccessPolicy],
+        cluster: ICluster,
+        principal: builtins.str,
+        access_entry_name: typing.Optional[builtins.str] = None,
+        access_entry_type: typing.Optional[AccessEntryType] = None,
+    ) -> None:
+        '''
+        :param scope: -
+        :param id: -
+        :param access_policies: The access policies that define the permissions and scope for the access entry.
+        :param cluster: The Amazon EKS cluster to which the access entry applies.
+        :param principal: The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.
+        :param access_entry_name: The name of the AccessEntry. Default: - No access entry name is provided
+        :param access_entry_type: The type of the AccessEntry. Default: STANDARD
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__76acfe0dd4f79a87279c3d9cbf3bd8c7327733233aec66908901483da7f17d5b)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = AccessEntryProps(
+            access_policies=access_policies,
+            cluster=cluster,
+            principal=principal,
+            access_entry_name=access_entry_name,
+            access_entry_type=access_entry_type,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="fromAccessEntryAttributes")
+    @builtins.classmethod
+    def from_access_entry_attributes(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        access_entry_arn: builtins.str,
+        access_entry_name: builtins.str,
+    ) -> IAccessEntry:
+        '''Imports an ``AccessEntry`` from its attributes.
+
+        :param scope: - The parent construct.
+        :param id: - The ID of the imported construct.
+        :param access_entry_arn: The Amazon Resource Name (ARN) of the access entry.
+        :param access_entry_name: The name of the access entry.
+
+        :return: The imported access entry.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f179e9982369f73f3bb7a13ff87f073fda0da2cd11932479d54f6d69d8849141)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        attrs = AccessEntryAttributes(
+            access_entry_arn=access_entry_arn, access_entry_name=access_entry_name
+        )
+
+        return typing.cast(IAccessEntry, jsii.sinvoke(cls, "fromAccessEntryAttributes", [scope, id, attrs]))
+
+    @jsii.member(jsii_name="addAccessPolicies")
+    def add_access_policies(
+        self,
+        new_access_policies: typing.Sequence[IAccessPolicy],
+    ) -> None:
+        '''Add the access policies for this entry.
+
+        :param new_access_policies: - The new access policies to add.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e1007432e51c3db7b596578b73c0068b372fc6af638d2adb2faa12db70799372)
+            check_type(argname="argument new_access_policies", value=new_access_policies, expected_type=type_hints["new_access_policies"])
+        return typing.cast(None, jsii.invoke(self, "addAccessPolicies", [new_access_policies]))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.'''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.'''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryName"))
+
+
+@jsii.implements(IAccessPolicy)
+class AccessPolicy(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicy",
+):
+    '''Represents an Amazon EKS Access Policy that implements the IAccessPolicy interface.
+
+    :implements: IAccessPolicy
+    :exampleMetadata: infused
+
+    Example::
+
+        # AmazonEKSClusterAdminPolicy with `cluster` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+            access_scope_type=eks.AccessScopeType.CLUSTER
+        )
+        # AmazonEKSAdminPolicy with `namespace` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+            access_scope_type=eks.AccessScopeType.NAMESPACE,
+            namespaces=["foo", "bar"]
+        )
+    '''
+
+    def __init__(
+        self,
+        *,
+        access_scope: typing.Union[AccessScope, typing.Dict[builtins.str, typing.Any]],
+        policy: AccessPolicyArn,
+    ) -> None:
+        '''Constructs a new instance of the AccessPolicy class.
+
+        :param access_scope: The scope of the access policy, which determines the level of access granted.
+        :param policy: The access policy itself, which defines the specific permissions.
+        '''
+        props = AccessPolicyProps(access_scope=access_scope, policy=policy)
+
+        jsii.create(self.__class__, self, [props])
+
+    @jsii.member(jsii_name="fromAccessPolicyName")
+    @builtins.classmethod
+    def from_access_policy_name(
+        cls,
+        policy_name: builtins.str,
+        *,
+        access_scope_type: AccessScopeType,
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> IAccessPolicy:
+        '''Import AccessPolicy by name.
+
+        :param policy_name: -
+        :param access_scope_type: The scope of the access policy. This determines the level of access granted by the policy.
+        :param namespaces: An optional array of Kubernetes namespaces to which the access policy applies. Default: - no specific namespaces for this scope
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a928f26a921cd1d01ec556e4421fe3bf4a1ac17a9b598a554215bfae5af842aa)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        options = AccessPolicyNameOptions(
+            access_scope_type=access_scope_type, namespaces=namespaces
+        )
+
+        return typing.cast(IAccessPolicy, jsii.sinvoke(cls, "fromAccessPolicyName", [policy_name, options]))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        return typing.cast(AccessScope, jsii.get(self, "accessScope"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        return typing.cast(builtins.str, jsii.get(self, "policy"))
+
+
 @jsii.implements(ICluster)
 class Cluster(
     _Resource_45bc6135,
@@ -15247,18 +16296,16 @@ class Cluster(
 
     Example::
 
-        import aws_cdk.aws_eks as eks
-        
-        
-        my_eks_cluster = eks.Cluster(self, "my sample cluster",
-            version=eks.KubernetesVersion.V1_18,
-            cluster_name="myEksCluster"
+        # or
+        # vpc: ec2.Vpc
+        eks.Cluster(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            version=eks.KubernetesVersion.V1_30
         )
-        
-        tasks.EksCall(self, "Call a EKS Endpoint",
-            cluster=my_eks_cluster,
-            http_method=tasks.HttpMethods.GET,
-            http_path="/api/v1/namespaces/default/pods"
+        eks.Cluster.from_cluster_attributes(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            vpc=vpc,
+            cluster_name="cluster-name"
         )
     '''
 
@@ -15267,12 +16314,14 @@ class Cluster(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
+        bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
         default_capacity: typing.Optional[jsii.Number] = None,
         default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
         kubectl_lambda_role: typing.Optional[_IRole_235f5d8e] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -15303,12 +16352,14 @@ class Cluster(
 
         :param scope: a Construct, most likely a cdk.Stack created.
         :param id: the id of the Construct to create.
+        :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
         :param default_capacity: Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through ``defaultCapacityInstanceType``, which defaults to ``m5.large``. Use ``cluster.addAutoScalingGroupCapacity`` to add additional customized capacity. Set this to ``0`` is you wish to avoid the initial capacity allocation. Default: 2
         :param default_capacity_instance: The instance type to use for the default capacity. This will only be taken into account if ``defaultCapacity`` is > 0. Default: m5.large
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
         :param kubectl_lambda_role: The IAM role to pass to the Kubectl Lambda Handler. Default: - Default Lambda IAM Execution Role
         :param tags: The tags assigned to the EKS cluster. Default: - none
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -15340,12 +16391,14 @@ class Cluster(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = ClusterProps(
+            bootstrap_cluster_creator_admin_permissions=bootstrap_cluster_creator_admin_permissions,
             default_capacity=default_capacity,
             default_capacity_instance=default_capacity_instance,
             default_capacity_type=default_capacity_type,
             kubectl_lambda_role=kubectl_lambda_role,
             tags=tags,
             alb_controller=alb_controller,
+            authentication_mode=authentication_mode,
             awscli_layer=awscli_layer,
             cluster_handler_environment=cluster_handler_environment,
             cluster_handler_security_group=cluster_handler_security_group,
@@ -15933,6 +16986,30 @@ class Cluster(
 
         return typing.cast(builtins.str, jsii.invoke(self, "getServiceLoadBalancerAddress", [service_name, options]))
 
+    @jsii.member(jsii_name="grantAccess")
+    def grant_access(
+        self,
+        id: builtins.str,
+        principal: builtins.str,
+        access_policies: typing.Sequence[IAccessPolicy],
+    ) -> None:
+        '''Grants the specified IAM principal access to the EKS cluster based on the provided access policies.
+
+        This method creates an ``AccessEntry`` construct that grants the specified IAM principal the access permissions
+        defined by the provided ``IAccessPolicy`` array. This allows the IAM principal to perform the actions permitted
+        by the access policies within the EKS cluster.
+
+        :param id: - The ID of the ``AccessEntry`` construct to be created.
+        :param principal: - The IAM principal (role or user) to be granted access to the EKS cluster.
+        :param access_policies: - An array of ``IAccessPolicy`` objects that define the access permissions to be granted to the IAM principal.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__c595337c9bbbcf6eb001ec015e579e32f72cb323ae83c9fa92eef98034ea8936)
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument principal", value=principal, expected_type=type_hints["principal"])
+            check_type(argname="argument access_policies", value=access_policies, expected_type=type_hints["access_policies"])
+        return typing.cast(None, jsii.invoke(self, "grantAccess", [id, principal, access_policies]))
+
     @builtins.property
     @jsii.member(jsii_name="adminRole")
     def admin_role(self) -> _Role_e8c6e11f:
@@ -16070,6 +17147,19 @@ class Cluster(
         '''
         return typing.cast(typing.Optional[AlbController], jsii.get(self, "albController"))
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the Amazon EKS cluster.
+
+        The authentication mode determines how users and applications authenticate to the Kubernetes API server.
+
+        :default: CONFIG_MAP.
+
+        :property: {AuthenticationMode} [authenticationMode] - The authentication mode for the Amazon EKS cluster.
+        '''
+        return typing.cast(typing.Optional[AuthenticationMode], jsii.get(self, "authenticationMode"))
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -16223,6 +17313,7 @@ class Cluster(
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -16255,6 +17346,7 @@ class ClusterOptions(CommonClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -16284,6 +17376,7 @@ class ClusterOptions(CommonClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -16339,6 +17432,7 @@ class ClusterOptions(CommonClusterOptions):
                     policy=policy,
                     repository="repository"
                 ),
+                authentication_mode=eks.AuthenticationMode.CONFIG_MAP,
                 awscli_layer=layer_version,
                 cluster_handler_environment={
                     "cluster_handler_environment_key": "clusterHandlerEnvironment"
@@ -16389,6 +17483,7 @@ class ClusterOptions(CommonClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -16425,6 +17520,8 @@ class ClusterOptions(CommonClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -16548,6 +17645,15 @@ class ClusterOptions(CommonClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -16786,6 +17892,7 @@ class ClusterOptions(CommonClusterOptions):
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -16803,6 +17910,7 @@ class ClusterOptions(CommonClusterOptions):
         "prune": "prune",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
+        "bootstrap_cluster_creator_admin_permissions": "bootstrapClusterCreatorAdminPermissions",
         "default_capacity": "defaultCapacity",
         "default_capacity_instance": "defaultCapacityInstance",
         "default_capacity_type": "defaultCapacityType",
@@ -16823,6 +17931,7 @@ class ClusterProps(ClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -16840,6 +17949,7 @@ class ClusterProps(ClusterOptions):
         prune: typing.Optional[builtins.bool] = None,
         secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
+        bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
         default_capacity: typing.Optional[jsii.Number] = None,
         default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -16857,6 +17967,7 @@ class ClusterProps(ClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -16874,6 +17985,7 @@ class ClusterProps(ClusterOptions):
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
+        :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
         :param default_capacity: Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through ``defaultCapacityInstanceType``, which defaults to ``m5.large``. Use ``cluster.addAutoScalingGroupCapacity`` to add additional customized capacity. Set this to ``0`` is you wish to avoid the initial capacity allocation. Default: 2
         :param default_capacity_instance: The instance type to use for the default capacity. This will only be taken into account if ``defaultCapacity`` is > 0. Default: m5.large
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
@@ -16909,6 +18021,7 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -16926,6 +18039,7 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
+            check_type(argname="argument bootstrap_cluster_creator_admin_permissions", value=bootstrap_cluster_creator_admin_permissions, expected_type=type_hints["bootstrap_cluster_creator_admin_permissions"])
             check_type(argname="argument default_capacity", value=default_capacity, expected_type=type_hints["default_capacity"])
             check_type(argname="argument default_capacity_instance", value=default_capacity_instance, expected_type=type_hints["default_capacity_instance"])
             check_type(argname="argument default_capacity_type", value=default_capacity_type, expected_type=type_hints["default_capacity_type"])
@@ -16950,6 +18064,8 @@ class ClusterProps(ClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -16984,6 +18100,8 @@ class ClusterProps(ClusterOptions):
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
             self._values["service_ipv4_cidr"] = service_ipv4_cidr
+        if bootstrap_cluster_creator_admin_permissions is not None:
+            self._values["bootstrap_cluster_creator_admin_permissions"] = bootstrap_cluster_creator_admin_permissions
         if default_capacity is not None:
             self._values["default_capacity"] = default_capacity
         if default_capacity_instance is not None:
@@ -17083,6 +18201,15 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -17296,6 +18423,19 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("service_ipv4_cidr")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def bootstrap_cluster_creator_admin_permissions(
+        self,
+    ) -> typing.Optional[builtins.bool]:
+        '''Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time.
+
+        Changing this value after the cluster has been created will result in the cluster being replaced.
+
+        :default: true
+        '''
+        result = self._values.get("bootstrap_cluster_creator_admin_permissions")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def default_capacity(self) -> typing.Optional[jsii.Number]:
         '''Number of instances to allocate as an initial capacity for this cluster.
@@ -17389,6 +18529,7 @@ class FargateCluster(
         *,
         default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -17420,6 +18561,7 @@ class FargateCluster(
         :param id: -
         :param default_profile: Fargate Profile to create along with the cluster. Default: - A profile called "default" with 'default' and 'kube-system' selectors will be created if this is left undefined.
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -17453,6 +18595,7 @@ class FargateCluster(
         props = FargateClusterProps(
             default_profile=default_profile,
             alb_controller=alb_controller,
+            authentication_mode=authentication_mode,
             awscli_layer=awscli_layer,
             cluster_handler_environment=cluster_handler_environment,
             cluster_handler_security_group=cluster_handler_security_group,
@@ -17502,6 +18645,7 @@ class FargateCluster(
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -17535,6 +18679,7 @@ class FargateClusterProps(ClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -17565,6 +18710,7 @@ class FargateClusterProps(ClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -17607,6 +18753,7 @@ class FargateClusterProps(ClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -17644,6 +18791,8 @@ class FargateClusterProps(ClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -17769,6 +18918,15 @@ class FargateClusterProps(ClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -18078,11 +19236,22 @@ class IngressLoadBalancerAddressOptions(ServiceLoadBalancerAddressOptions):
 
 
 __all__ = [
+    "AccessEntry",
+    "AccessEntryAttributes",
+    "AccessEntryProps",
+    "AccessEntryType",
+    "AccessPolicy",
+    "AccessPolicyArn",
+    "AccessPolicyNameOptions",
+    "AccessPolicyProps",
+    "AccessScope",
+    "AccessScopeType",
     "AlbController",
     "AlbControllerOptions",
     "AlbControllerProps",
     "AlbControllerVersion",
     "AlbScheme",
+    "AuthenticationMode",
     "AutoScalingGroupCapacityOptions",
     "AutoScalingGroupOptions",
     "AwsAuth",
@@ -18124,6 +19293,8 @@ __all__ = [
     "HelmChart",
     "HelmChartOptions",
     "HelmChartProps",
+    "IAccessEntry",
+    "IAccessPolicy",
     "ICluster",
     "IKubectlProvider",
     "INodegroup",
@@ -18162,6 +19333,61 @@ __all__ = [
 
 publication.publish()
 
+def _typecheckingstub__ea57d074f938dd093d38b977c20869681c2abd3bacc2931046328147dc4d8d72(
+    *,
+    access_entry_arn: builtins.str,
+    access_entry_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0cc467f068aa2e977dd81e9c0227cfe45f7381ea6d31cea9c6f7f80e6d83e048(
+    *,
+    access_policies: typing.Sequence[IAccessPolicy],
+    cluster: ICluster,
+    principal: builtins.str,
+    access_entry_name: typing.Optional[builtins.str] = None,
+    access_entry_type: typing.Optional[AccessEntryType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0ac946189967c669f9d1c47c0772f99ed1ce20197e6c76e4496836bbe19d2a72(
+    policy_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__23236f8d1dae1650ef58623c900288d55afe1fd4ead26b7b1aff290d073de854(
+    policy_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__249ef277acd24f14314e76608ae6685b8ec176bb0872ba8327c446714e5afaee(
+    *,
+    access_scope_type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__d76ffc136ce61df3ec4331aefef6219d2ab1e0d4a6c6da1cd604f5d3a29a1c20(
+    *,
+    access_scope: typing.Union[AccessScope, typing.Dict[builtins.str, typing.Any]],
+    policy: AccessPolicyArn,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5f979c2154a9a6bd2f77cf7ff51d6f83944d3c1290fcb70cdab0b403b6a0a8f8(
+    *,
+    type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__5e2ca421e3f17c3114d53057ba096ab3f90bd3b8ed6c2e0f75f61c88dd5aed4b(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -19715,16 +20941,56 @@ def _typecheckingstub__be119d20277d81d5cacb542dcf0ff7927e8c934305e8be443e95ce321
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__76acfe0dd4f79a87279c3d9cbf3bd8c7327733233aec66908901483da7f17d5b(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    access_policies: typing.Sequence[IAccessPolicy],
+    cluster: ICluster,
+    principal: builtins.str,
+    access_entry_name: typing.Optional[builtins.str] = None,
+    access_entry_type: typing.Optional[AccessEntryType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f179e9982369f73f3bb7a13ff87f073fda0da2cd11932479d54f6d69d8849141(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    access_entry_arn: builtins.str,
+    access_entry_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__e1007432e51c3db7b596578b73c0068b372fc6af638d2adb2faa12db70799372(
+    new_access_policies: typing.Sequence[IAccessPolicy],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a928f26a921cd1d01ec556e4421fe3bf4a1ac17a9b598a554215bfae5af842aa(
+    policy_name: builtins.str,
+    *,
+    access_scope_type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__786576ad54eacdb9ab8e92277c0fd07f813bc56d4243937f3b5a85c0c575cac9(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
+    bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
     default_capacity: typing.Optional[jsii.Number] = None,
     default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
     kubectl_lambda_role: typing.Optional[_IRole_235f5d8e] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19939,6 +21205,14 @@ def _typecheckingstub__1125553e51a293d46862ded8c9242c2427ed871d469da6db3ac9d9ace
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__c595337c9bbbcf6eb001ec015e579e32f72cb323ae83c9fa92eef98034ea8936(
+    id: builtins.str,
+    principal: builtins.str,
+    access_policies: typing.Sequence[IAccessPolicy],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef40c0cb1(
     *,
     version: KubernetesVersion,
@@ -19950,6 +21224,7 @@ def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19982,6 +21257,7 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19999,6 +21275,7 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     prune: typing.Optional[builtins.bool] = None,
     secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
+    bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
     default_capacity: typing.Optional[jsii.Number] = None,
     default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -20014,6 +21291,7 @@ def _typecheckingstub__ae166d791f5d5176f3386726c22bc44afedf5d336437a3513e3740387
     *,
     default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -20054,6 +21332,7 @@ def _typecheckingstub__f11c7f989209f6213cb855d2846bb0b2b79a6a2b85eb0d65939e981df
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,