aws-cdk-lib 2.145.0__py3-none-any.whl → 2.147.0__py3-none-any.whl

aws_cdk/aws_eks/__init__.py

@@ -42,6 +42,8 @@ In addition, the library also supports defining Kubernetes resource manifests wi
   * [Permissions and Security](#permissions-and-security)
 
     * [AWS IAM Mapping](#aws-iam-mapping)
+    * [Access Config](#access-config)
+    * [Access Entry](#access-mapping)
     * [Cluster Security Group](#cluster-security-group)
     * [Node SSH Access](#node-ssh-access)
     * [Service Accounts](#service-accounts)
@@ -1122,6 +1124,131 @@ console_read_only_role.add_to_policy(iam.PolicyStatement(
 cluster.aws_auth.add_masters_role(console_read_only_role)
 ```
 
+### Access Config
+
+Amazon EKS supports three modes of authentication: `CONFIG_MAP`, `API_AND_CONFIG_MAP`, and `API`. You can enable cluster
+to use access entry APIs by using authenticationMode `API` or `API_AND_CONFIG_MAP`. Use authenticationMode `CONFIG_MAP`
+to continue using aws-auth configMap exclusively. When `API_AND_CONFIG_MAP` is enabled, the cluster will source authenticated
+AWS IAM principals from both Amazon EKS access entry APIs and the aws-auth configMap, with priority given to the access entry API.
+
+To specify the `authenticationMode`:
+
+```python
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+# vpc: ec2.Vpc
+
+
+eks.Cluster(self, "Cluster",
+    vpc=vpc,
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+    authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+)
+```
+
+> **Note** - Switching authentication modes on an existing cluster is a one-way operation. You can switch from
+> `CONFIG_MAP` to `API_AND_CONFIG_MAP`. You can then switch from `API_AND_CONFIG_MAP` to `API`.
+> You cannot revert these operations in the opposite direction. Meaning you cannot switch back to
+> `CONFIG_MAP` or `API_AND_CONFIG_MAP` from `API`. And you cannot switch back to `CONFIG_MAP` from `API_AND_CONFIG_MAP`.
+
+Read [A deep dive into simplified Amazon EKS access management controls
+](https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/) for more details.
+
+You can disable granting the cluster admin permissions to the cluster creator role on bootstrapping by setting
+`bootstrapClusterCreatorAdminPermissions` to false.
+
+> **Note** - Switching `bootstrapClusterCreatorAdminPermissions` on an existing cluster would cause cluster replacement and should be avoided in production.
+
+### Access Entry
+
+An access entry is a cluster identity—directly linked to an AWS IAM principal user or role that is used to authenticate to
+an Amazon EKS cluster. An Amazon EKS access policy authorizes an access entry to perform specific cluster actions.
+
+Access policies are Amazon EKS-specific policies that assign Kubernetes permissions to access entries. Amazon EKS supports
+only predefined and AWS managed policies. Access policies are not AWS IAM entities and are defined and managed by Amazon EKS.
+Amazon EKS access policies include permission sets that support common use cases of administration, editing, or read-only access
+to Kubernetes resources. See [Access Policy Permissions](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions) for more details.
+
+Use `AccessPolicy` to include predefined AWS managed policies:
+
+```python
+# AmazonEKSClusterAdminPolicy with `cluster` scope
+eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+    access_scope_type=eks.AccessScopeType.CLUSTER
+)
+# AmazonEKSAdminPolicy with `namespace` scope
+eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+    access_scope_type=eks.AccessScopeType.NAMESPACE,
+    namespaces=["foo", "bar"]
+)
+```
+
+Use `grantAccess()` to grant the AccessPolicy to an IAM principal:
+
+```python
+from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+# vpc: ec2.Vpc
+
+
+cluster_admin_role = iam.Role(self, "ClusterAdminRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+eks_admin_role = iam.Role(self, "EKSAdminRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+eks_admin_view_role = iam.Role(self, "EKSAdminViewRole",
+    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+)
+
+cluster = eks.Cluster(self, "Cluster",
+    vpc=vpc,
+    masters_role=cluster_admin_role,
+    version=eks.KubernetesVersion.V1_30,
+    kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+    authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+)
+
+# Cluster Admin role for this cluster
+cluster.grant_access("clusterAdminAccess", cluster_admin_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+        access_scope_type=eks.AccessScopeType.CLUSTER
+    )
+])
+
+# EKS Admin role for specified namespaces of this cluster
+cluster.grant_access("eksAdminRoleAccess", eks_admin_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+        access_scope_type=eks.AccessScopeType.NAMESPACE,
+        namespaces=["foo", "bar"]
+    )
+])
+
+# EKS Admin Viewer role for specified namespaces of this cluster
+cluster.grant_access("eksAdminViewRoleAccess", eks_admin_view_role.role_arn, [
+    eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminViewPolicy",
+        access_scope_type=eks.AccessScopeType.NAMESPACE,
+        namespaces=["foo", "bar"]
+    )
+])
+```
+
+### Migrating from ConfigMap to Access Entry
+
+If the cluster is created with the `authenticationMode` property left undefined,
+it will default to `CONFIG_MAP`.
+
+The update path is:
+
+`undefined`(`CONFIG_MAP`) -> `API_AND_CONFIG_MAP` -> `API`
+
+If you have explicitly declared `AwsAuth` resources and then try to switch to the `API` mode, which no longer supports the
+`ConfigMap`, AWS CDK will throw an error as a protective measure to prevent you from losing all the access entries in the `ConfigMap`. In this case, you will need to remove all the declared `AwsAuth` resources explicitly and define the access entries before you are allowed to transition to the `API` mode.
+
+> **Note** - This is a one-way transition. Once you switch to the `API` mode,
+> you will not be able to switch back. Therefore, it is crucial to ensure that you have defined all the necessary access entries before making the switch to the `API` mode.
+
 ### Cluster Security Group
 
 When you create an Amazon EKS cluster, a [cluster security group](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)
@@ -1839,6 +1966,573 @@ from ..aws_lambda import ILayerVersion as _ILayerVersion_5ac127c8
 from ..aws_s3_assets import Asset as _Asset_ac2a7e61
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntryAttributes",
+    jsii_struct_bases=[],
+    name_mapping={
+        "access_entry_arn": "accessEntryArn",
+        "access_entry_name": "accessEntryName",
+    },
+)
+class AccessEntryAttributes:
+    def __init__(
+        self,
+        *,
+        access_entry_arn: builtins.str,
+        access_entry_name: builtins.str,
+    ) -> None:
+        '''Represents the attributes of an access entry.
+
+        :param access_entry_arn: The Amazon Resource Name (ARN) of the access entry.
+        :param access_entry_name: The name of the access entry.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            access_entry_attributes = eks.AccessEntryAttributes(
+                access_entry_arn="accessEntryArn",
+                access_entry_name="accessEntryName"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ea57d074f938dd093d38b977c20869681c2abd3bacc2931046328147dc4d8d72)
+            check_type(argname="argument access_entry_arn", value=access_entry_arn, expected_type=type_hints["access_entry_arn"])
+            check_type(argname="argument access_entry_name", value=access_entry_name, expected_type=type_hints["access_entry_name"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_entry_arn": access_entry_arn,
+            "access_entry_name": access_entry_name,
+        }
+
+    @builtins.property
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.'''
+        result = self._values.get("access_entry_arn")
+        assert result is not None, "Required property 'access_entry_arn' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.'''
+        result = self._values.get("access_entry_name")
+        assert result is not None, "Required property 'access_entry_name' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessEntryAttributes(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntryProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "access_policies": "accessPolicies",
+        "cluster": "cluster",
+        "principal": "principal",
+        "access_entry_name": "accessEntryName",
+        "access_entry_type": "accessEntryType",
+    },
+)
+class AccessEntryProps:
+    def __init__(
+        self,
+        *,
+        access_policies: typing.Sequence["IAccessPolicy"],
+        cluster: "ICluster",
+        principal: builtins.str,
+        access_entry_name: typing.Optional[builtins.str] = None,
+        access_entry_type: typing.Optional["AccessEntryType"] = None,
+    ) -> None:
+        '''Represents the properties required to create an Amazon EKS access entry.
+
+        :param access_policies: The access policies that define the permissions and scope for the access entry.
+        :param cluster: The Amazon EKS cluster to which the access entry applies.
+        :param principal: The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.
+        :param access_entry_name: The name of the AccessEntry. Default: - No access entry name is provided
+        :param access_entry_type: The type of the AccessEntry. Default: STANDARD
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            # access_policy: eks.AccessPolicy
+            # cluster: eks.Cluster
+            
+            access_entry_props = eks.AccessEntryProps(
+                access_policies=[access_policy],
+                cluster=cluster,
+                principal="principal",
+            
+                # the properties below are optional
+                access_entry_name="accessEntryName",
+                access_entry_type=eks.AccessEntryType.STANDARD
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0cc467f068aa2e977dd81e9c0227cfe45f7381ea6d31cea9c6f7f80e6d83e048)
+            check_type(argname="argument access_policies", value=access_policies, expected_type=type_hints["access_policies"])
+            check_type(argname="argument cluster", value=cluster, expected_type=type_hints["cluster"])
+            check_type(argname="argument principal", value=principal, expected_type=type_hints["principal"])
+            check_type(argname="argument access_entry_name", value=access_entry_name, expected_type=type_hints["access_entry_name"])
+            check_type(argname="argument access_entry_type", value=access_entry_type, expected_type=type_hints["access_entry_type"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_policies": access_policies,
+            "cluster": cluster,
+            "principal": principal,
+        }
+        if access_entry_name is not None:
+            self._values["access_entry_name"] = access_entry_name
+        if access_entry_type is not None:
+            self._values["access_entry_type"] = access_entry_type
+
+    @builtins.property
+    def access_policies(self) -> typing.List["IAccessPolicy"]:
+        '''The access policies that define the permissions and scope for the access entry.'''
+        result = self._values.get("access_policies")
+        assert result is not None, "Required property 'access_policies' is missing"
+        return typing.cast(typing.List["IAccessPolicy"], result)
+
+    @builtins.property
+    def cluster(self) -> "ICluster":
+        '''The Amazon EKS cluster to which the access entry applies.'''
+        result = self._values.get("cluster")
+        assert result is not None, "Required property 'cluster' is missing"
+        return typing.cast("ICluster", result)
+
+    @builtins.property
+    def principal(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.'''
+        result = self._values.get("principal")
+        assert result is not None, "Required property 'principal' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def access_entry_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the AccessEntry.
+
+        :default: - No access entry name is provided
+        '''
+        result = self._values.get("access_entry_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def access_entry_type(self) -> typing.Optional["AccessEntryType"]:
+        '''The type of the AccessEntry.
+
+        :default: STANDARD
+        '''
+        result = self._values.get("access_entry_type")
+        return typing.cast(typing.Optional["AccessEntryType"], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessEntryProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AccessEntryType")
+class AccessEntryType(enum.Enum):
+    '''Represents the different types of access entries that can be used in an Amazon EKS cluster.
+
+    :enum: true
+    '''
+
+    STANDARD = "STANDARD"
+    '''Represents a standard access entry.'''
+    FARGATE_LINUX = "FARGATE_LINUX"
+    '''Represents a Fargate Linux access entry.'''
+    EC2_LINUX = "EC2_LINUX"
+    '''Represents an EC2 Linux access entry.'''
+    EC2_WINDOWS = "EC2_WINDOWS"
+    '''Represents an EC2 Windows access entry.'''
+
+
+class AccessPolicyArn(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyArn",
+):
+    '''Represents an Amazon EKS Access Policy ARN.
+
+    Amazon EKS Access Policies are used to control access to Amazon EKS clusters.
+
+    :see: https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_eks as eks
+        
+        access_policy_arn = eks.AccessPolicyArn.AMAZON_EKS_ADMIN_POLICY
+    '''
+
+    def __init__(self, policy_name: builtins.str) -> None:
+        '''Constructs a new instance of the ``AccessEntry`` class.
+
+        :param policy_name: - The name of the Amazon EKS access policy. This is used to construct the policy ARN.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0ac946189967c669f9d1c47c0772f99ed1ce20197e6c76e4496836bbe19d2a72)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        jsii.create(self.__class__, self, [policy_name])
+
+    @jsii.member(jsii_name="of")
+    @builtins.classmethod
+    def of(cls, policy_name: builtins.str) -> "AccessPolicyArn":
+        '''Creates a new instance of the AccessPolicy class with the specified policy name.
+
+        :param policy_name: The name of the access policy.
+
+        :return: A new instance of the AccessPolicy class.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__23236f8d1dae1650ef58623c900288d55afe1fd4ead26b7b1aff290d073de854)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        return typing.cast("AccessPolicyArn", jsii.sinvoke(cls, "of", [policy_name]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_ADMIN_POLICY")
+    def AMAZON_EKS_ADMIN_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Admin Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        most permissions to resources. When associated to an access entry, its access scope is typically
+        one or more Kubernetes namespaces.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_ADMIN_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_ADMIN_VIEW_POLICY")
+    def AMAZON_EKS_ADMIN_VIEW_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Admin View Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        access to list/view all resources in a cluster.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_ADMIN_VIEW_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_CLUSTER_ADMIN_POLICY")
+    def AMAZON_EKS_CLUSTER_ADMIN_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Cluster Admin Policy.
+
+        This access policy includes permissions that grant an IAM
+        principal administrator access to a cluster. When associated to an access entry, its access scope
+        is typically the cluster, rather than a Kubernetes namespace.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_CLUSTER_ADMIN_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_EDIT_POLICY")
+    def AMAZON_EKS_EDIT_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS Edit Policy.
+
+        This access policy includes permissions that allow an IAM principal
+        to edit most Kubernetes resources.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_EDIT_POLICY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="AMAZON_EKS_VIEW_POLICY")
+    def AMAZON_EKS_VIEW_POLICY(cls) -> "AccessPolicyArn":
+        '''The Amazon EKS View Policy.
+
+        This access policy includes permissions that grant an IAM principal
+        access to list/view all resources in a cluster.
+        '''
+        return typing.cast("AccessPolicyArn", jsii.sget(cls, "AMAZON_EKS_VIEW_POLICY"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policyArn")
+    def policy_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access policy.'''
+        return typing.cast(builtins.str, jsii.get(self, "policyArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policyName")
+    def policy_name(self) -> builtins.str:
+        '''- The name of the Amazon EKS access policy.
+
+        This is used to construct the policy ARN.
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "policyName"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyNameOptions",
+    jsii_struct_bases=[],
+    name_mapping={"access_scope_type": "accessScopeType", "namespaces": "namespaces"},
+)
+class AccessPolicyNameOptions:
+    def __init__(
+        self,
+        *,
+        access_scope_type: "AccessScopeType",
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Represents the options required to create an Amazon EKS Access Policy using the ``fromAccessPolicyName()`` method.
+
+        :param access_scope_type: The scope of the access policy. This determines the level of access granted by the policy.
+        :param namespaces: An optional array of Kubernetes namespaces to which the access policy applies. Default: - no specific namespaces for this scope
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # AmazonEKSClusterAdminPolicy with `cluster` scope
+            eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+                access_scope_type=eks.AccessScopeType.CLUSTER
+            )
+            # AmazonEKSAdminPolicy with `namespace` scope
+            eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+                access_scope_type=eks.AccessScopeType.NAMESPACE,
+                namespaces=["foo", "bar"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__249ef277acd24f14314e76608ae6685b8ec176bb0872ba8327c446714e5afaee)
+            check_type(argname="argument access_scope_type", value=access_scope_type, expected_type=type_hints["access_scope_type"])
+            check_type(argname="argument namespaces", value=namespaces, expected_type=type_hints["namespaces"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_scope_type": access_scope_type,
+        }
+        if namespaces is not None:
+            self._values["namespaces"] = namespaces
+
+    @builtins.property
+    def access_scope_type(self) -> "AccessScopeType":
+        '''The scope of the access policy.
+
+        This determines the level of access granted by the policy.
+        '''
+        result = self._values.get("access_scope_type")
+        assert result is not None, "Required property 'access_scope_type' is missing"
+        return typing.cast("AccessScopeType", result)
+
+    @builtins.property
+    def namespaces(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''An optional array of Kubernetes namespaces to which the access policy applies.
+
+        :default: - no specific namespaces for this scope
+        '''
+        result = self._values.get("namespaces")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessPolicyNameOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicyProps",
+    jsii_struct_bases=[],
+    name_mapping={"access_scope": "accessScope", "policy": "policy"},
+)
+class AccessPolicyProps:
+    def __init__(
+        self,
+        *,
+        access_scope: typing.Union["AccessScope", typing.Dict[builtins.str, typing.Any]],
+        policy: AccessPolicyArn,
+    ) -> None:
+        '''Properties for configuring an Amazon EKS Access Policy.
+
+        :param access_scope: The scope of the access policy, which determines the level of access granted.
+        :param policy: The access policy itself, which defines the specific permissions.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            # access_policy_arn: eks.AccessPolicyArn
+            
+            access_policy_props = eks.AccessPolicyProps(
+                access_scope=eks.AccessScope(
+                    type=eks.AccessScopeType.NAMESPACE,
+            
+                    # the properties below are optional
+                    namespaces=["namespaces"]
+                ),
+                policy=access_policy_arn
+            )
+        '''
+        if isinstance(access_scope, dict):
+            access_scope = AccessScope(**access_scope)
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d76ffc136ce61df3ec4331aefef6219d2ab1e0d4a6c6da1cd604f5d3a29a1c20)
+            check_type(argname="argument access_scope", value=access_scope, expected_type=type_hints["access_scope"])
+            check_type(argname="argument policy", value=policy, expected_type=type_hints["policy"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "access_scope": access_scope,
+            "policy": policy,
+        }
+
+    @builtins.property
+    def access_scope(self) -> "AccessScope":
+        '''The scope of the access policy, which determines the level of access granted.'''
+        result = self._values.get("access_scope")
+        assert result is not None, "Required property 'access_scope' is missing"
+        return typing.cast("AccessScope", result)
+
+    @builtins.property
+    def policy(self) -> AccessPolicyArn:
+        '''The access policy itself, which defines the specific permissions.'''
+        result = self._values.get("policy")
+        assert result is not None, "Required property 'policy' is missing"
+        return typing.cast(AccessPolicyArn, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessPolicyProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AccessScope",
+    jsii_struct_bases=[],
+    name_mapping={"type": "type", "namespaces": "namespaces"},
+)
+class AccessScope:
+    def __init__(
+        self,
+        *,
+        type: "AccessScopeType",
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Represents the scope of an access policy.
+
+        The scope defines the namespaces or cluster-level access granted by the policy.
+
+        :param type: The scope type of the policy, either 'namespace' or 'cluster'.
+        :param namespaces: A Kubernetes namespace that an access policy is scoped to. A value is required if you specified namespace for Type. Default: - no specific namespaces for this scope.
+
+        :interface: AccessScope
+        :property: {AccessScopeType} type - The scope type of the policy, either 'namespace' or 'cluster'.
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            access_scope = eks.AccessScope(
+                type=eks.AccessScopeType.NAMESPACE,
+            
+                # the properties below are optional
+                namespaces=["namespaces"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5f979c2154a9a6bd2f77cf7ff51d6f83944d3c1290fcb70cdab0b403b6a0a8f8)
+            check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+            check_type(argname="argument namespaces", value=namespaces, expected_type=type_hints["namespaces"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "type": type,
+        }
+        if namespaces is not None:
+            self._values["namespaces"] = namespaces
+
+    @builtins.property
+    def type(self) -> "AccessScopeType":
+        '''The scope type of the policy, either 'namespace' or 'cluster'.'''
+        result = self._values.get("type")
+        assert result is not None, "Required property 'type' is missing"
+        return typing.cast("AccessScopeType", result)
+
+    @builtins.property
+    def namespaces(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''A Kubernetes namespace that an access policy is scoped to.
+
+        A value is required if you specified
+        namespace for Type.
+
+        :default: - no specific namespaces for this scope.
+        '''
+        result = self._values.get("namespaces")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AccessScope(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AccessScopeType")
+class AccessScopeType(enum.Enum):
+    '''Represents the scope type of an access policy.
+
+    The scope type determines the level of access granted by the policy.
+
+    :enum: true
+    :export: true
+    :exampleMetadata: infused
+
+    Example::
+
+        # AmazonEKSClusterAdminPolicy with `cluster` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+            access_scope_type=eks.AccessScopeType.CLUSTER
+        )
+        # AmazonEKSAdminPolicy with `namespace` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+            access_scope_type=eks.AccessScopeType.NAMESPACE,
+            namespaces=["foo", "bar"]
+        )
+    '''
+
+    NAMESPACE = "NAMESPACE"
+    '''The policy applies to a specific namespace within the cluster.'''
+    CLUSTER = "CLUSTER"
+    '''The policy applies to the entire cluster.'''
+
+
 class AlbController(
     _constructs_77d1e7e8.Construct,
     metaclass=jsii.JSIIMeta,
@@ -2386,6 +3080,34 @@ class AlbScheme(enum.Enum):
     '''An internet-facing load balancer has a publicly resolvable DNS name, so it can route requests from clients over the internet to the EC2 instances that are registered with the load balancer.'''
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.AuthenticationMode")
+class AuthenticationMode(enum.Enum):
+    '''Represents the authentication mode for an Amazon EKS cluster.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
+        # vpc: ec2.Vpc
+        
+        
+        eks.Cluster(self, "Cluster",
+            vpc=vpc,
+            version=eks.KubernetesVersion.V1_30,
+            kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
+            authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
+        )
+    '''
+
+    CONFIG_MAP = "CONFIG_MAP"
+    '''Authenticates using a Kubernetes ConfigMap.'''
+    API_AND_CONFIG_MAP = "API_AND_CONFIG_MAP"
+    '''Authenticates using both the Kubernetes API server and a ConfigMap.'''
+    API = "API"
+    '''Authenticates using the Kubernetes API server.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_eks.AutoScalingGroupCapacityOptions",
     jsii_struct_bases=[_CommonAutoScalingGroupProps_808bbf2d],
@@ -4243,7 +4965,7 @@ class CfnAddon(
         :param cluster_name: The name of your cluster.
         :param addon_version: The version of the add-on.
         :param configuration_values: The configuration values that you provided.
-        :param pod_identity_associations: An array of pod identities to apply to this add-on.
+        :param pod_identity_associations: An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster. For more information, see `Attach an IAM Role to an Amazon EKS add-on using Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the EKS User Guide.
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.
         :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see `UpdateAddon <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
         :param service_account_role_arn: The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see `Amazon EKS node IAM role <https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see `Enabling IAM roles for service accounts on your cluster <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_ in the *Amazon EKS User Guide* .
@@ -4374,7 +5096,7 @@ class CfnAddon(
     def pod_identity_associations(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAddon.PodIdentityAssociationProperty"]]]]:
-        '''An array of pod identities to apply to this add-on.'''
+        '''An array of Pod Identity Assocations owned by the Addon.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAddon.PodIdentityAssociationProperty"]]]], jsii.get(self, "podIdentityAssociations"))
 
     @pod_identity_associations.setter
@@ -4456,10 +5178,10 @@ class CfnAddon(
             role_arn: builtins.str,
             service_account: builtins.str,
         ) -> None:
-            '''A pod identity to associate with an add-on.
+            '''Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
 
-            :param role_arn: The IAM role ARN that the pod identity association is created for.
-            :param service_account: The Kubernetes service account that the pod identity association is created for.
+            :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
+            :param service_account: The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-podidentityassociation.html
             :exampleMetadata: fixture=_generated
@@ -4486,7 +5208,9 @@ class CfnAddon(
 
         @builtins.property
         def role_arn(self) -> builtins.str:
-            '''The IAM role ARN that the pod identity association is created for.
+            '''The Amazon Resource Name (ARN) of the IAM role to associate with the service account.
+
+            The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-podidentityassociation.html#cfn-eks-addon-podidentityassociation-rolearn
             '''
@@ -4496,7 +5220,7 @@ class CfnAddon(
 
         @builtins.property
         def service_account(self) -> builtins.str:
-            '''The Kubernetes service account that the pod identity association is created for.
+            '''The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-podidentityassociation.html#cfn-eks-addon-podidentityassociation-serviceaccount
             '''
@@ -4551,7 +5275,7 @@ class CfnAddonProps:
         :param cluster_name: The name of your cluster.
         :param addon_version: The version of the add-on.
         :param configuration_values: The configuration values that you provided.
-        :param pod_identity_associations: An array of pod identities to apply to this add-on.
+        :param pod_identity_associations: An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster. For more information, see `Attach an IAM Role to an Amazon EKS add-on using Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the EKS User Guide.
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.
         :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see `UpdateAddon <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
         :param service_account_role_arn: The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see `Amazon EKS node IAM role <https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see `Enabling IAM roles for service accounts on your cluster <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_ in the *Amazon EKS User Guide* .
@@ -4658,7 +5382,11 @@ class CfnAddonProps:
     def pod_identity_associations(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnAddon.PodIdentityAssociationProperty]]]]:
-        '''An array of pod identities to apply to this add-on.
+        '''An array of Pod Identity Assocations owned by the Addon.
+
+        Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster.
+
+        For more information, see `Attach an IAM Role to an Amazon EKS add-on using Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the EKS User Guide.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-addon.html#cfn-eks-addon-podidentityassociations
         '''
@@ -10907,34 +11635,144 @@ class HelmChartProps(HelmChartOptions):
         return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def wait(self) -> typing.Optional[builtins.bool]:
-        '''Whether or not Helm should wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful.
-
-        :default: - Helm will not wait before marking release as successful
-        '''
-        result = self._values.get("wait")
-        return typing.cast(typing.Optional[builtins.bool], result)
+    def wait(self) -> typing.Optional[builtins.bool]:
+        '''Whether or not Helm should wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful.
+
+        :default: - Helm will not wait before marking release as successful
+        '''
+        result = self._values.get("wait")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def cluster(self) -> "ICluster":
+        '''The EKS cluster to apply this configuration to.
+
+        [disable-awslint:ref-via-interface]
+        '''
+        result = self._values.get("cluster")
+        assert result is not None, "Required property 'cluster' is missing"
+        return typing.cast("ICluster", result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "HelmChartProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.interface(jsii_type="aws-cdk-lib.aws_eks.IAccessEntry")
+class IAccessEntry(_IResource_c80c4260, typing_extensions.Protocol):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :extends: IResource *
+    :interface: IAccessEntry
+    :property: {string} accessEntryArn - The Amazon Resource Name (ARN) of the access entry.
+    '''
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.
+
+        :attribute: true
+        '''
+        ...
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.
+
+        :attribute: true
+        '''
+        ...
+
+
+class _IAccessEntryProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :extends: IResource *
+    :interface: IAccessEntry
+    :property: {string} accessEntryArn - The Amazon Resource Name (ARN) of the access entry.
+    '''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_eks.IAccessEntry"
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryName"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IAccessEntry).__jsii_proxy_class__ = lambda : _IAccessEntryProxy
+
+
+@jsii.interface(jsii_type="aws-cdk-lib.aws_eks.IAccessPolicy")
+class IAccessPolicy(typing_extensions.Protocol):
+    '''Represents an access policy that defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :interface: IAccessPolicy
+    '''
+
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        ...
 
     @builtins.property
-    def cluster(self) -> "ICluster":
-        '''The EKS cluster to apply this configuration to.
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        ...
 
-        [disable-awslint:ref-via-interface]
-        '''
-        result = self._values.get("cluster")
-        assert result is not None, "Required property 'cluster' is missing"
-        return typing.cast("ICluster", result)
 
-    def __eq__(self, rhs: typing.Any) -> builtins.bool:
-        return isinstance(rhs, self.__class__) and rhs._values == self._values
+class _IAccessPolicyProxy:
+    '''Represents an access policy that defines the permissions and scope for a user or role to access an Amazon EKS cluster.
 
-    def __ne__(self, rhs: typing.Any) -> builtins.bool:
-        return not (rhs == self)
+    :interface: IAccessPolicy
+    '''
 
-    def __repr__(self) -> str:
-        return "HelmChartProps(%s)" % ", ".join(
-            k + "=" + repr(v) for k, v in self._values.items()
-        )
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_eks.IAccessPolicy"
+
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        return typing.cast(AccessScope, jsii.get(self, "accessScope"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        return typing.cast(builtins.str, jsii.get(self, "policy"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IAccessPolicy).__jsii_proxy_class__ = lambda : _IAccessPolicyProxy
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_eks.ICluster")
@@ -11027,6 +11865,15 @@ class ICluster(_IResource_c80c4260, _IConnectable_10015a05, typing_extensions.Pr
         '''The VPC in which this Cluster was created.'''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        ...
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -11378,6 +12225,15 @@ class _IClusterProxy(
         '''The VPC in which this Cluster was created.'''
         return typing.cast(_IVpc_f30d5663, jsii.get(self, "vpc"))
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        return typing.cast(typing.Optional[AuthenticationMode], jsii.get(self, "authenticationMode"))
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -12931,15 +13787,16 @@ class KubernetesVersion(
 
     Example::
 
-        cluster = eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_30,
-            default_capacity=0
+        # or
+        # vpc: ec2.Vpc
+        eks.Cluster(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            version=eks.KubernetesVersion.V1_30
         )
-        
-        cluster.add_nodegroup_capacity("custom-node-group",
-            instance_types=[ec2.InstanceType("m5.large")],
-            min_size=4,
-            disk_size=100
+        eks.Cluster.from_cluster_attributes(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            vpc=vpc,
+            cluster_name="cluster-name"
         )
     '''
 
@@ -15232,6 +16089,204 @@ class TaintSpec:
         )
 
 
+@jsii.implements(IAccessEntry)
+class AccessEntry(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessEntry",
+):
+    '''Represents an access entry in an Amazon EKS cluster.
+
+    An access entry defines the permissions and scope for a user or role to access an Amazon EKS cluster.
+
+    :implements: IAccessEntry
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_eks as eks
+        
+        # access_policy: eks.AccessPolicy
+        # cluster: eks.Cluster
+        
+        access_entry = eks.AccessEntry(self, "MyAccessEntry",
+            access_policies=[access_policy],
+            cluster=cluster,
+            principal="principal",
+        
+            # the properties below are optional
+            access_entry_name="accessEntryName",
+            access_entry_type=eks.AccessEntryType.STANDARD
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        access_policies: typing.Sequence[IAccessPolicy],
+        cluster: ICluster,
+        principal: builtins.str,
+        access_entry_name: typing.Optional[builtins.str] = None,
+        access_entry_type: typing.Optional[AccessEntryType] = None,
+    ) -> None:
+        '''
+        :param scope: -
+        :param id: -
+        :param access_policies: The access policies that define the permissions and scope for the access entry.
+        :param cluster: The Amazon EKS cluster to which the access entry applies.
+        :param principal: The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.
+        :param access_entry_name: The name of the AccessEntry. Default: - No access entry name is provided
+        :param access_entry_type: The type of the AccessEntry. Default: STANDARD
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__76acfe0dd4f79a87279c3d9cbf3bd8c7327733233aec66908901483da7f17d5b)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = AccessEntryProps(
+            access_policies=access_policies,
+            cluster=cluster,
+            principal=principal,
+            access_entry_name=access_entry_name,
+            access_entry_type=access_entry_type,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="fromAccessEntryAttributes")
+    @builtins.classmethod
+    def from_access_entry_attributes(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        access_entry_arn: builtins.str,
+        access_entry_name: builtins.str,
+    ) -> IAccessEntry:
+        '''Imports an ``AccessEntry`` from its attributes.
+
+        :param scope: - The parent construct.
+        :param id: - The ID of the imported construct.
+        :param access_entry_arn: The Amazon Resource Name (ARN) of the access entry.
+        :param access_entry_name: The name of the access entry.
+
+        :return: The imported access entry.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f179e9982369f73f3bb7a13ff87f073fda0da2cd11932479d54f6d69d8849141)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        attrs = AccessEntryAttributes(
+            access_entry_arn=access_entry_arn, access_entry_name=access_entry_name
+        )
+
+        return typing.cast(IAccessEntry, jsii.sinvoke(cls, "fromAccessEntryAttributes", [scope, id, attrs]))
+
+    @jsii.member(jsii_name="addAccessPolicies")
+    def add_access_policies(
+        self,
+        new_access_policies: typing.Sequence[IAccessPolicy],
+    ) -> None:
+        '''Add the access policies for this entry.
+
+        :param new_access_policies: - The new access policies to add.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e1007432e51c3db7b596578b73c0068b372fc6af638d2adb2faa12db70799372)
+            check_type(argname="argument new_access_policies", value=new_access_policies, expected_type=type_hints["new_access_policies"])
+        return typing.cast(None, jsii.invoke(self, "addAccessPolicies", [new_access_policies]))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryArn")
+    def access_entry_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the access entry.'''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryName")
+    def access_entry_name(self) -> builtins.str:
+        '''The name of the access entry.'''
+        return typing.cast(builtins.str, jsii.get(self, "accessEntryName"))
+
+
+@jsii.implements(IAccessPolicy)
+class AccessPolicy(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.AccessPolicy",
+):
+    '''Represents an Amazon EKS Access Policy that implements the IAccessPolicy interface.
+
+    :implements: IAccessPolicy
+    :exampleMetadata: infused
+
+    Example::
+
+        # AmazonEKSClusterAdminPolicy with `cluster` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSClusterAdminPolicy",
+            access_scope_type=eks.AccessScopeType.CLUSTER
+        )
+        # AmazonEKSAdminPolicy with `namespace` scope
+        eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
+            access_scope_type=eks.AccessScopeType.NAMESPACE,
+            namespaces=["foo", "bar"]
+        )
+    '''
+
+    def __init__(
+        self,
+        *,
+        access_scope: typing.Union[AccessScope, typing.Dict[builtins.str, typing.Any]],
+        policy: AccessPolicyArn,
+    ) -> None:
+        '''Constructs a new instance of the AccessPolicy class.
+
+        :param access_scope: The scope of the access policy, which determines the level of access granted.
+        :param policy: The access policy itself, which defines the specific permissions.
+        '''
+        props = AccessPolicyProps(access_scope=access_scope, policy=policy)
+
+        jsii.create(self.__class__, self, [props])
+
+    @jsii.member(jsii_name="fromAccessPolicyName")
+    @builtins.classmethod
+    def from_access_policy_name(
+        cls,
+        policy_name: builtins.str,
+        *,
+        access_scope_type: AccessScopeType,
+        namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> IAccessPolicy:
+        '''Import AccessPolicy by name.
+
+        :param policy_name: -
+        :param access_scope_type: The scope of the access policy. This determines the level of access granted by the policy.
+        :param namespaces: An optional array of Kubernetes namespaces to which the access policy applies. Default: - no specific namespaces for this scope
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a928f26a921cd1d01ec556e4421fe3bf4a1ac17a9b598a554215bfae5af842aa)
+            check_type(argname="argument policy_name", value=policy_name, expected_type=type_hints["policy_name"])
+        options = AccessPolicyNameOptions(
+            access_scope_type=access_scope_type, namespaces=namespaces
+        )
+
+        return typing.cast(IAccessPolicy, jsii.sinvoke(cls, "fromAccessPolicyName", [policy_name, options]))
+
+    @builtins.property
+    @jsii.member(jsii_name="accessScope")
+    def access_scope(self) -> AccessScope:
+        '''The scope of the access policy, which determines the level of access granted.'''
+        return typing.cast(AccessScope, jsii.get(self, "accessScope"))
+
+    @builtins.property
+    @jsii.member(jsii_name="policy")
+    def policy(self) -> builtins.str:
+        '''The access policy itself, which defines the specific permissions.'''
+        return typing.cast(builtins.str, jsii.get(self, "policy"))
+
+
 @jsii.implements(ICluster)
 class Cluster(
     _Resource_45bc6135,
@@ -15247,18 +16302,16 @@ class Cluster(
 
     Example::
 
-        import aws_cdk.aws_eks as eks
-        
-        
-        my_eks_cluster = eks.Cluster(self, "my sample cluster",
-            version=eks.KubernetesVersion.V1_18,
-            cluster_name="myEksCluster"
+        # or
+        # vpc: ec2.Vpc
+        eks.Cluster(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            version=eks.KubernetesVersion.V1_30
         )
-        
-        tasks.EksCall(self, "Call a EKS Endpoint",
-            cluster=my_eks_cluster,
-            http_method=tasks.HttpMethods.GET,
-            http_path="/api/v1/namespaces/default/pods"
+        eks.Cluster.from_cluster_attributes(self, "MyCluster",
+            kubectl_memory=Size.gibibytes(4),
+            vpc=vpc,
+            cluster_name="cluster-name"
         )
     '''
 
@@ -15267,12 +16320,14 @@ class Cluster(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
+        bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
         default_capacity: typing.Optional[jsii.Number] = None,
         default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
         kubectl_lambda_role: typing.Optional[_IRole_235f5d8e] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -15303,12 +16358,14 @@ class Cluster(
 
         :param scope: a Construct, most likely a cdk.Stack created.
         :param id: the id of the Construct to create.
+        :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
         :param default_capacity: Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through ``defaultCapacityInstanceType``, which defaults to ``m5.large``. Use ``cluster.addAutoScalingGroupCapacity`` to add additional customized capacity. Set this to ``0`` is you wish to avoid the initial capacity allocation. Default: 2
         :param default_capacity_instance: The instance type to use for the default capacity. This will only be taken into account if ``defaultCapacity`` is > 0. Default: m5.large
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
         :param kubectl_lambda_role: The IAM role to pass to the Kubectl Lambda Handler. Default: - Default Lambda IAM Execution Role
         :param tags: The tags assigned to the EKS cluster. Default: - none
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -15340,12 +16397,14 @@ class Cluster(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = ClusterProps(
+            bootstrap_cluster_creator_admin_permissions=bootstrap_cluster_creator_admin_permissions,
             default_capacity=default_capacity,
             default_capacity_instance=default_capacity_instance,
             default_capacity_type=default_capacity_type,
             kubectl_lambda_role=kubectl_lambda_role,
             tags=tags,
             alb_controller=alb_controller,
+            authentication_mode=authentication_mode,
             awscli_layer=awscli_layer,
             cluster_handler_environment=cluster_handler_environment,
             cluster_handler_security_group=cluster_handler_security_group,
@@ -15933,6 +16992,30 @@ class Cluster(
 
         return typing.cast(builtins.str, jsii.invoke(self, "getServiceLoadBalancerAddress", [service_name, options]))
 
+    @jsii.member(jsii_name="grantAccess")
+    def grant_access(
+        self,
+        id: builtins.str,
+        principal: builtins.str,
+        access_policies: typing.Sequence[IAccessPolicy],
+    ) -> None:
+        '''Grants the specified IAM principal access to the EKS cluster based on the provided access policies.
+
+        This method creates an ``AccessEntry`` construct that grants the specified IAM principal the access permissions
+        defined by the provided ``IAccessPolicy`` array. This allows the IAM principal to perform the actions permitted
+        by the access policies within the EKS cluster.
+
+        :param id: - The ID of the ``AccessEntry`` construct to be created.
+        :param principal: - The IAM principal (role or user) to be granted access to the EKS cluster.
+        :param access_policies: - An array of ``IAccessPolicy`` objects that define the access permissions to be granted to the IAM principal.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__c595337c9bbbcf6eb001ec015e579e32f72cb323ae83c9fa92eef98034ea8936)
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument principal", value=principal, expected_type=type_hints["principal"])
+            check_type(argname="argument access_policies", value=access_policies, expected_type=type_hints["access_policies"])
+        return typing.cast(None, jsii.invoke(self, "grantAccess", [id, principal, access_policies]))
+
     @builtins.property
     @jsii.member(jsii_name="adminRole")
     def admin_role(self) -> _Role_e8c6e11f:
@@ -16070,6 +17153,19 @@ class Cluster(
         '''
         return typing.cast(typing.Optional[AlbController], jsii.get(self, "albController"))
 
+    @builtins.property
+    @jsii.member(jsii_name="authenticationMode")
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The authentication mode for the Amazon EKS cluster.
+
+        The authentication mode determines how users and applications authenticate to the Kubernetes API server.
+
+        :default: CONFIG_MAP.
+
+        :property: {AuthenticationMode} [authenticationMode] - The authentication mode for the Amazon EKS cluster.
+        '''
+        return typing.cast(typing.Optional[AuthenticationMode], jsii.get(self, "authenticationMode"))
+
     @builtins.property
     @jsii.member(jsii_name="awscliLayer")
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
@@ -16223,6 +17319,7 @@ class Cluster(
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -16255,6 +17352,7 @@ class ClusterOptions(CommonClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -16284,6 +17382,7 @@ class ClusterOptions(CommonClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -16339,6 +17438,7 @@ class ClusterOptions(CommonClusterOptions):
                     policy=policy,
                     repository="repository"
                 ),
+                authentication_mode=eks.AuthenticationMode.CONFIG_MAP,
                 awscli_layer=layer_version,
                 cluster_handler_environment={
                     "cluster_handler_environment_key": "clusterHandlerEnvironment"
@@ -16389,6 +17489,7 @@ class ClusterOptions(CommonClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -16425,6 +17526,8 @@ class ClusterOptions(CommonClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -16548,6 +17651,15 @@ class ClusterOptions(CommonClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -16786,6 +17898,7 @@ class ClusterOptions(CommonClusterOptions):
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -16803,6 +17916,7 @@ class ClusterOptions(CommonClusterOptions):
         "prune": "prune",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
+        "bootstrap_cluster_creator_admin_permissions": "bootstrapClusterCreatorAdminPermissions",
         "default_capacity": "defaultCapacity",
         "default_capacity_instance": "defaultCapacityInstance",
         "default_capacity_type": "defaultCapacityType",
@@ -16823,6 +17937,7 @@ class ClusterProps(ClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -16840,6 +17955,7 @@ class ClusterProps(ClusterOptions):
         prune: typing.Optional[builtins.bool] = None,
         secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
+        bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
         default_capacity: typing.Optional[jsii.Number] = None,
         default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -16857,6 +17973,7 @@ class ClusterProps(ClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -16874,6 +17991,7 @@ class ClusterProps(ClusterOptions):
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
+        :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
         :param default_capacity: Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through ``defaultCapacityInstanceType``, which defaults to ``m5.large``. Use ``cluster.addAutoScalingGroupCapacity`` to add additional customized capacity. Set this to ``0`` is you wish to avoid the initial capacity allocation. Default: 2
         :param default_capacity_instance: The instance type to use for the default capacity. This will only be taken into account if ``defaultCapacity`` is > 0. Default: m5.large
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
@@ -16909,6 +18027,7 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -16926,6 +18045,7 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
+            check_type(argname="argument bootstrap_cluster_creator_admin_permissions", value=bootstrap_cluster_creator_admin_permissions, expected_type=type_hints["bootstrap_cluster_creator_admin_permissions"])
             check_type(argname="argument default_capacity", value=default_capacity, expected_type=type_hints["default_capacity"])
             check_type(argname="argument default_capacity_instance", value=default_capacity_instance, expected_type=type_hints["default_capacity_instance"])
             check_type(argname="argument default_capacity_type", value=default_capacity_type, expected_type=type_hints["default_capacity_type"])
@@ -16950,6 +18070,8 @@ class ClusterProps(ClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -16984,6 +18106,8 @@ class ClusterProps(ClusterOptions):
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
             self._values["service_ipv4_cidr"] = service_ipv4_cidr
+        if bootstrap_cluster_creator_admin_permissions is not None:
+            self._values["bootstrap_cluster_creator_admin_permissions"] = bootstrap_cluster_creator_admin_permissions
         if default_capacity is not None:
             self._values["default_capacity"] = default_capacity
         if default_capacity_instance is not None:
@@ -17083,6 +18207,15 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -17296,6 +18429,19 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("service_ipv4_cidr")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def bootstrap_cluster_creator_admin_permissions(
+        self,
+    ) -> typing.Optional[builtins.bool]:
+        '''Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time.
+
+        Changing this value after the cluster has been created will result in the cluster being replaced.
+
+        :default: true
+        '''
+        result = self._values.get("bootstrap_cluster_creator_admin_permissions")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def default_capacity(self) -> typing.Optional[jsii.Number]:
         '''Number of instances to allocate as an initial capacity for this cluster.
@@ -17389,6 +18535,7 @@ class FargateCluster(
         *,
         default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -17420,6 +18567,7 @@ class FargateCluster(
         :param id: -
         :param default_profile: Fargate Profile to create along with the cluster. Default: - A profile called "default" with 'default' and 'kube-system' selectors will be created if this is left undefined.
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -17453,6 +18601,7 @@ class FargateCluster(
         props = FargateClusterProps(
             default_profile=default_profile,
             alb_controller=alb_controller,
+            authentication_mode=authentication_mode,
             awscli_layer=awscli_layer,
             cluster_handler_environment=cluster_handler_environment,
             cluster_handler_security_group=cluster_handler_security_group,
@@ -17502,6 +18651,7 @@ class FargateCluster(
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
         "alb_controller": "albController",
+        "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
         "cluster_handler_environment": "clusterHandlerEnvironment",
         "cluster_handler_security_group": "clusterHandlerSecurityGroup",
@@ -17535,6 +18685,7 @@ class FargateClusterProps(ClusterOptions):
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -17565,6 +18716,7 @@ class FargateClusterProps(ClusterOptions):
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
+        :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
         :param cluster_handler_environment: Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. Default: - No environment variables.
         :param cluster_handler_security_group: A security group to associate with the Cluster Handler's Lambdas. The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. Requires ``placeClusterHandlerInVpc`` to be set to true. Default: - No security group.
@@ -17607,6 +18759,7 @@ class FargateClusterProps(ClusterOptions):
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
+            check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
             check_type(argname="argument cluster_handler_environment", value=cluster_handler_environment, expected_type=type_hints["cluster_handler_environment"])
             check_type(argname="argument cluster_handler_security_group", value=cluster_handler_security_group, expected_type=type_hints["cluster_handler_security_group"])
@@ -17644,6 +18797,8 @@ class FargateClusterProps(ClusterOptions):
             self._values["vpc_subnets"] = vpc_subnets
         if alb_controller is not None:
             self._values["alb_controller"] = alb_controller
+        if authentication_mode is not None:
+            self._values["authentication_mode"] = authentication_mode
         if awscli_layer is not None:
             self._values["awscli_layer"] = awscli_layer
         if cluster_handler_environment is not None:
@@ -17769,6 +18924,15 @@ class FargateClusterProps(ClusterOptions):
         result = self._values.get("alb_controller")
         return typing.cast(typing.Optional[AlbControllerOptions], result)
 
+    @builtins.property
+    def authentication_mode(self) -> typing.Optional[AuthenticationMode]:
+        '''The desired authentication mode for the cluster.
+
+        :default: AuthenticationMode.CONFIG_MAP
+        '''
+        result = self._values.get("authentication_mode")
+        return typing.cast(typing.Optional[AuthenticationMode], result)
+
     @builtins.property
     def awscli_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
         '''An AWS Lambda layer that contains the ``aws`` CLI.
@@ -18078,11 +19242,22 @@ class IngressLoadBalancerAddressOptions(ServiceLoadBalancerAddressOptions):
 
 
 __all__ = [
+    "AccessEntry",
+    "AccessEntryAttributes",
+    "AccessEntryProps",
+    "AccessEntryType",
+    "AccessPolicy",
+    "AccessPolicyArn",
+    "AccessPolicyNameOptions",
+    "AccessPolicyProps",
+    "AccessScope",
+    "AccessScopeType",
     "AlbController",
     "AlbControllerOptions",
     "AlbControllerProps",
     "AlbControllerVersion",
     "AlbScheme",
+    "AuthenticationMode",
     "AutoScalingGroupCapacityOptions",
     "AutoScalingGroupOptions",
     "AwsAuth",
@@ -18124,6 +19299,8 @@ __all__ = [
     "HelmChart",
     "HelmChartOptions",
     "HelmChartProps",
+    "IAccessEntry",
+    "IAccessPolicy",
     "ICluster",
     "IKubectlProvider",
     "INodegroup",
@@ -18162,6 +19339,61 @@ __all__ = [
 
 publication.publish()
 
+def _typecheckingstub__ea57d074f938dd093d38b977c20869681c2abd3bacc2931046328147dc4d8d72(
+    *,
+    access_entry_arn: builtins.str,
+    access_entry_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0cc467f068aa2e977dd81e9c0227cfe45f7381ea6d31cea9c6f7f80e6d83e048(
+    *,
+    access_policies: typing.Sequence[IAccessPolicy],
+    cluster: ICluster,
+    principal: builtins.str,
+    access_entry_name: typing.Optional[builtins.str] = None,
+    access_entry_type: typing.Optional[AccessEntryType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0ac946189967c669f9d1c47c0772f99ed1ce20197e6c76e4496836bbe19d2a72(
+    policy_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__23236f8d1dae1650ef58623c900288d55afe1fd4ead26b7b1aff290d073de854(
+    policy_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__249ef277acd24f14314e76608ae6685b8ec176bb0872ba8327c446714e5afaee(
+    *,
+    access_scope_type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__d76ffc136ce61df3ec4331aefef6219d2ab1e0d4a6c6da1cd604f5d3a29a1c20(
+    *,
+    access_scope: typing.Union[AccessScope, typing.Dict[builtins.str, typing.Any]],
+    policy: AccessPolicyArn,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5f979c2154a9a6bd2f77cf7ff51d6f83944d3c1290fcb70cdab0b403b6a0a8f8(
+    *,
+    type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__5e2ca421e3f17c3114d53057ba096ab3f90bd3b8ed6c2e0f75f61c88dd5aed4b(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -19715,16 +20947,56 @@ def _typecheckingstub__be119d20277d81d5cacb542dcf0ff7927e8c934305e8be443e95ce321
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__76acfe0dd4f79a87279c3d9cbf3bd8c7327733233aec66908901483da7f17d5b(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    access_policies: typing.Sequence[IAccessPolicy],
+    cluster: ICluster,
+    principal: builtins.str,
+    access_entry_name: typing.Optional[builtins.str] = None,
+    access_entry_type: typing.Optional[AccessEntryType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f179e9982369f73f3bb7a13ff87f073fda0da2cd11932479d54f6d69d8849141(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    access_entry_arn: builtins.str,
+    access_entry_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__e1007432e51c3db7b596578b73c0068b372fc6af638d2adb2faa12db70799372(
+    new_access_policies: typing.Sequence[IAccessPolicy],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a928f26a921cd1d01ec556e4421fe3bf4a1ac17a9b598a554215bfae5af842aa(
+    policy_name: builtins.str,
+    *,
+    access_scope_type: AccessScopeType,
+    namespaces: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__786576ad54eacdb9ab8e92277c0fd07f813bc56d4243937f3b5a85c0c575cac9(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
+    bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
     default_capacity: typing.Optional[jsii.Number] = None,
     default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
     kubectl_lambda_role: typing.Optional[_IRole_235f5d8e] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19939,6 +21211,14 @@ def _typecheckingstub__1125553e51a293d46862ded8c9242c2427ed871d469da6db3ac9d9ace
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__c595337c9bbbcf6eb001ec015e579e32f72cb323ae83c9fa92eef98034ea8936(
+    id: builtins.str,
+    principal: builtins.str,
+    access_policies: typing.Sequence[IAccessPolicy],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef40c0cb1(
     *,
     version: KubernetesVersion,
@@ -19950,6 +21230,7 @@ def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19982,6 +21263,7 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -19999,6 +21281,7 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     prune: typing.Optional[builtins.bool] = None,
     secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
+    bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
     default_capacity: typing.Optional[jsii.Number] = None,
     default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -20014,6 +21297,7 @@ def _typecheckingstub__ae166d791f5d5176f3386726c22bc44afedf5d336437a3513e3740387
     *,
     default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
@@ -20054,6 +21338,7 @@ def _typecheckingstub__f11c7f989209f6213cb855d2846bb0b2b79a6a2b85eb0d65939e981df
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     cluster_handler_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     cluster_handler_security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,