aws-cdk-lib 2.147.2__py3-none-any.whl → 2.148.0__py3-none-any.whl

aws_cdk/aws_eks/__init__.py

@@ -1,4 +1,4 @@
-'''
+r'''
 # Amazon EKS Construct Library
 
 This construct library allows you to define [Amazon Elastic Container Service for Kubernetes (EKS)](https://aws.amazon.com/eks/) clusters.
@@ -47,6 +47,7 @@ In addition, the library also supports defining Kubernetes resource manifests wi
     * [Cluster Security Group](#cluster-security-group)
     * [Node SSH Access](#node-ssh-access)
     * [Service Accounts](#service-accounts)
+    * [Pod Identities](#pod-identities)
   * [Applying Kubernetes Resources](#applying-kubernetes-resources)
 
     * [Kubernetes Manifests](#kubernetes-manifests)
@@ -1356,6 +1357,45 @@ Note that adding service accounts requires running `kubectl` commands against th
 This means you must also pass the `kubectlRoleArn` when importing the cluster.
 See [Using existing Clusters](https://github.com/aws/aws-cdk/tree/main/packages/aws-cdk-lib/aws-eks#using-existing-clusters).
 
+### Pod Identities
+
+[Amazon EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) is a feature that simplifies how
+Kubernetes applications running on Amazon EKS can obtain AWS IAM credentials. It provides a way to associate an IAM role with a
+Kubernetes service account, allowing pods to retrieve temporary AWS credentials without the need
+to manage IAM roles and policies directly.
+
+By default, `ServiceAccount` creates an `OpenIdConnectProvider` for
+[IRSA(IAM roles for service accounts)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) if
+`identityType` is `undefined` or `IdentityType.IRSA`.
+
+You may opt in Amaozn EKS Pod Identities as below:
+
+```python
+# cluster: eks.Cluster
+
+
+eks.ServiceAccount(self, "ServiceAccount",
+    cluster=cluster,
+    name="test-sa",
+    namespace="default",
+    identity_type=eks.IdentityType.POD_IDENTITY
+)
+```
+
+When you create the ServiceAccount with the `identityType` set to `POD_IDENTITY`,
+`ServiceAccount` contruct will perform the following actions behind the scenes:
+
+1. It will create an IAM role with the necessary trust policy to allow the "pods.eks.amazonaws.com" principal to assume the role.
+   This trust policy grants the EKS service the permission to retrieve temporary AWS credentials on behalf of the pods using this service account.
+2. It will enable the "Amazon EKS Pod Identity Agent" add-on on the EKS cluster. This add-on is responsible for managing the temporary
+   AWS credentials and making them available to the pods.
+3. It will create an association between the IAM role and the Kubernetes service account. This association allows the pods using this
+   service account to obtain the temporary AWS credentials from the associated IAM role.
+
+This simplifies the process of configuring IAM permissions for your Kubernetes applications running on Amazon EKS. It handles the creation of the IAM role,
+the installation of the Pod Identity Agent add-on, and the association between the role and the service account, making it easier to manage AWS credentials
+for your applications.
+
 ## Applying Kubernetes Resources
 
 The library supports several popular resource deployment mechanisms, among which are:
@@ -2533,6 +2573,159 @@ class AccessScopeType(enum.Enum):
     '''The policy applies to the entire cluster.'''
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AddonAttributes",
+    jsii_struct_bases=[],
+    name_mapping={"addon_name": "addonName", "cluster_name": "clusterName"},
+)
+class AddonAttributes:
+    def __init__(self, *, addon_name: builtins.str, cluster_name: builtins.str) -> None:
+        '''Represents the attributes of an addon for an Amazon EKS cluster.
+
+        :param addon_name: The name of the addon.
+        :param cluster_name: The name of the Amazon EKS cluster the addon is associated with.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            addon_attributes = eks.AddonAttributes(
+                addon_name="addonName",
+                cluster_name="clusterName"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__77d0746018f1cbe3ed090d492996344d98293f7a76446705a3ac043408c02cfe)
+            check_type(argname="argument addon_name", value=addon_name, expected_type=type_hints["addon_name"])
+            check_type(argname="argument cluster_name", value=cluster_name, expected_type=type_hints["cluster_name"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "addon_name": addon_name,
+            "cluster_name": cluster_name,
+        }
+
+    @builtins.property
+    def addon_name(self) -> builtins.str:
+        '''The name of the addon.'''
+        result = self._values.get("addon_name")
+        assert result is not None, "Required property 'addon_name' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def cluster_name(self) -> builtins.str:
+        '''The name of the Amazon EKS cluster the addon is associated with.'''
+        result = self._values.get("cluster_name")
+        assert result is not None, "Required property 'cluster_name' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AddonAttributes(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.AddonProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "addon_name": "addonName",
+        "cluster": "cluster",
+        "addon_version": "addonVersion",
+    },
+)
+class AddonProps:
+    def __init__(
+        self,
+        *,
+        addon_name: builtins.str,
+        cluster: "ICluster",
+        addon_version: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Properties for creating an Amazon EKS Add-On.
+
+        :param addon_name: Name of the Add-On.
+        :param cluster: The EKS cluster the Add-On is associated with.
+        :param addon_version: Version of the Add-On. You can check all available versions with describe-addon-versons. For example, this lists all available versions for the ``eks-pod-identity-agent`` addon: $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent --query 'addons[*].addonVersions[*].addonVersion' Default: the latest version.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            # cluster: eks.Cluster
+            
+            addon_props = eks.AddonProps(
+                addon_name="addonName",
+                cluster=cluster,
+            
+                # the properties below are optional
+                addon_version="addonVersion"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__febc9f6cb4243d885b1b1838be38d633e7c5fc6534eaaf731f00a24653ee7591)
+            check_type(argname="argument addon_name", value=addon_name, expected_type=type_hints["addon_name"])
+            check_type(argname="argument cluster", value=cluster, expected_type=type_hints["cluster"])
+            check_type(argname="argument addon_version", value=addon_version, expected_type=type_hints["addon_version"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "addon_name": addon_name,
+            "cluster": cluster,
+        }
+        if addon_version is not None:
+            self._values["addon_version"] = addon_version
+
+    @builtins.property
+    def addon_name(self) -> builtins.str:
+        '''Name of the Add-On.'''
+        result = self._values.get("addon_name")
+        assert result is not None, "Required property 'addon_name' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def cluster(self) -> "ICluster":
+        '''The EKS cluster the Add-On is associated with.'''
+        result = self._values.get("cluster")
+        assert result is not None, "Required property 'cluster' is missing"
+        return typing.cast("ICluster", result)
+
+    @builtins.property
+    def addon_version(self) -> typing.Optional[builtins.str]:
+        '''Version of the Add-On.
+
+        You can check all available versions with describe-addon-versons.
+        For example, this lists all available versions for the ``eks-pod-identity-agent`` addon:
+        $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent
+        --query 'addons[*].addonVersions[*].addonVersion'
+
+        :default: the latest version.
+        '''
+        result = self._values.get("addon_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AddonProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 class AlbController(
     _constructs_77d1e7e8.Construct,
     metaclass=jsii.JSIIMeta,
@@ -5510,6 +5703,7 @@ class CfnCluster(
                 authentication_mode="authenticationMode",
                 bootstrap_cluster_creator_admin_permissions=False
             ),
+            bootstrap_self_managed_addons=False,
             encryption_config=[eks.CfnCluster.EncryptionConfigProperty(
                 provider=eks.CfnCluster.ProviderProperty(
                     key_arn="keyArn"
@@ -5554,6 +5748,7 @@ class CfnCluster(
         resources_vpc_config: typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.ResourcesVpcConfigProperty", typing.Dict[builtins.str, typing.Any]]],
         role_arn: builtins.str,
         access_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.AccessConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.EncryptionConfigProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.KubernetesNetworkConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         logging: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.LoggingProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -5568,6 +5763,7 @@ class CfnCluster(
         :param resources_vpc_config: The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see `Cluster VPC Considerations <https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html>`_ and `Cluster Security Group Considerations <https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html>`_ in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.
         :param role_arn: The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see `Amazon EKS Service IAM Role <https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html>`_ in the **Amazon EKS User Guide** .
         :param access_config: The access configuration for the cluster.
+        :param bootstrap_self_managed_addons: If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed. The default networking addons include vpc-cni, coredns, and kube-proxy. Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
         :param encryption_config: The encryption configuration for the cluster.
         :param kubernetes_network_config: The Kubernetes network configuration for the cluster.
         :param logging: The logging configuration for your cluster.
@@ -5584,6 +5780,7 @@ class CfnCluster(
             resources_vpc_config=resources_vpc_config,
             role_arn=role_arn,
             access_config=access_config,
+            bootstrap_self_managed_addons=bootstrap_self_managed_addons,
             encryption_config=encryption_config,
             kubernetes_network_config=kubernetes_network_config,
             logging=logging,
@@ -5765,6 +5962,24 @@ class CfnCluster(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "accessConfig", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="bootstrapSelfManagedAddons")
+    def bootstrap_self_managed_addons(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed.'''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "bootstrapSelfManagedAddons"))
+
+    @bootstrap_self_managed_addons.setter
+    def bootstrap_self_managed_addons(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1b3725246139251af199def1d548b17a13e8ddd4df825377563ea01cdea555c4)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "bootstrapSelfManagedAddons", value)
+
     @builtins.property
     @jsii.member(jsii_name="encryptionConfig")
     def encryption_config(
@@ -6688,6 +6903,7 @@ class CfnCluster(
         "resources_vpc_config": "resourcesVpcConfig",
         "role_arn": "roleArn",
         "access_config": "accessConfig",
+        "bootstrap_self_managed_addons": "bootstrapSelfManagedAddons",
         "encryption_config": "encryptionConfig",
         "kubernetes_network_config": "kubernetesNetworkConfig",
         "logging": "logging",
@@ -6704,6 +6920,7 @@ class CfnClusterProps:
         resources_vpc_config: typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ResourcesVpcConfigProperty, typing.Dict[builtins.str, typing.Any]]],
         role_arn: builtins.str,
         access_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.AccessConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         logging: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.LoggingProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -6717,6 +6934,7 @@ class CfnClusterProps:
         :param resources_vpc_config: The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see `Cluster VPC Considerations <https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html>`_ and `Cluster Security Group Considerations <https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html>`_ in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.
         :param role_arn: The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see `Amazon EKS Service IAM Role <https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html>`_ in the **Amazon EKS User Guide** .
         :param access_config: The access configuration for the cluster.
+        :param bootstrap_self_managed_addons: If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed. The default networking addons include vpc-cni, coredns, and kube-proxy. Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
         :param encryption_config: The encryption configuration for the cluster.
         :param kubernetes_network_config: The Kubernetes network configuration for the cluster.
         :param logging: The logging configuration for your cluster.
@@ -6751,6 +6969,7 @@ class CfnClusterProps:
                     authentication_mode="authenticationMode",
                     bootstrap_cluster_creator_admin_permissions=False
                 ),
+                bootstrap_self_managed_addons=False,
                 encryption_config=[eks.CfnCluster.EncryptionConfigProperty(
                     provider=eks.CfnCluster.ProviderProperty(
                         key_arn="keyArn"
@@ -6791,6 +7010,7 @@ class CfnClusterProps:
             check_type(argname="argument resources_vpc_config", value=resources_vpc_config, expected_type=type_hints["resources_vpc_config"])
             check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
             check_type(argname="argument access_config", value=access_config, expected_type=type_hints["access_config"])
+            check_type(argname="argument bootstrap_self_managed_addons", value=bootstrap_self_managed_addons, expected_type=type_hints["bootstrap_self_managed_addons"])
             check_type(argname="argument encryption_config", value=encryption_config, expected_type=type_hints["encryption_config"])
             check_type(argname="argument kubernetes_network_config", value=kubernetes_network_config, expected_type=type_hints["kubernetes_network_config"])
             check_type(argname="argument logging", value=logging, expected_type=type_hints["logging"])
@@ -6804,6 +7024,8 @@ class CfnClusterProps:
         }
         if access_config is not None:
             self._values["access_config"] = access_config
+        if bootstrap_self_managed_addons is not None:
+            self._values["bootstrap_self_managed_addons"] = bootstrap_self_managed_addons
         if encryption_config is not None:
             self._values["encryption_config"] = encryption_config
         if kubernetes_network_config is not None:
@@ -6856,6 +7078,21 @@ class CfnClusterProps:
         result = self._values.get("access_config")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnCluster.AccessConfigProperty]], result)
 
+    @builtins.property
+    def bootstrap_self_managed_addons(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed.
+
+        The default networking addons include vpc-cni, coredns, and kube-proxy.
+
+        Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-bootstrapselfmanagedaddons
+        '''
+        result = self._values.get("bootstrap_self_managed_addons")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
     @builtins.property
     def encryption_config(
         self,
@@ -11775,6 +12012,58 @@ class _IAccessPolicyProxy:
 typing.cast(typing.Any, IAccessPolicy).__jsii_proxy_class__ = lambda : _IAccessPolicyProxy
 
 
+@jsii.interface(jsii_type="aws-cdk-lib.aws_eks.IAddon")
+class IAddon(_IResource_c80c4260, typing_extensions.Protocol):
+    '''Represents an Amazon EKS Add-On.'''
+
+    @builtins.property
+    @jsii.member(jsii_name="addonArn")
+    def addon_arn(self) -> builtins.str:
+        '''ARN of the Add-On.
+
+        :attribute: true
+        '''
+        ...
+
+    @builtins.property
+    @jsii.member(jsii_name="addonName")
+    def addon_name(self) -> builtins.str:
+        '''Name of the Add-On.
+
+        :attribute: true
+        '''
+        ...
+
+
+class _IAddonProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''Represents an Amazon EKS Add-On.'''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_eks.IAddon"
+
+    @builtins.property
+    @jsii.member(jsii_name="addonArn")
+    def addon_arn(self) -> builtins.str:
+        '''ARN of the Add-On.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "addonArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="addonName")
+    def addon_name(self) -> builtins.str:
+        '''Name of the Add-On.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "addonName"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IAddon).__jsii_proxy_class__ = lambda : _IAddonProxy
+
+
 @jsii.interface(jsii_type="aws-cdk-lib.aws_eks.ICluster")
 class ICluster(_IResource_c80c4260, _IConnectable_10015a05, typing_extensions.Protocol):
     '''An EKS cluster.'''
@@ -11900,6 +12189,22 @@ class ICluster(_IResource_c80c4260, _IConnectable_10015a05, typing_extensions.Pr
         '''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="eksPodIdentityAgent")
+    def eks_pod_identity_agent(self) -> typing.Optional[IAddon]:
+        '''The EKS Pod Identity Agent addon for the EKS cluster.
+
+        The EKS Pod Identity Agent is responsible for managing the temporary credentials
+        used by pods in the cluster to access AWS resources. It runs as a DaemonSet on
+        each node and provides the necessary credentials to the pods based on their
+        associated service account.
+
+        This property returns the ``CfnAddon`` resource representing the EKS Pod Identity
+        Agent addon. If the addon has not been created yet, it will be created and
+        returned.
+        '''
+        ...
+
     @builtins.property
     @jsii.member(jsii_name="ipFamily")
     def ip_family(self) -> typing.Optional["IpFamily"]:
@@ -12079,6 +12384,7 @@ class ICluster(_IResource_c80c4260, _IConnectable_10015a05, typing_extensions.Pr
         id: builtins.str,
         *,
         annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        identity_type: typing.Optional["IdentityType"] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         name: typing.Optional[builtins.str] = None,
         namespace: typing.Optional[builtins.str] = None,
@@ -12087,6 +12393,7 @@ class ICluster(_IResource_c80c4260, _IConnectable_10015a05, typing_extensions.Pr
 
         :param id: logical id of service account.
         :param annotations: Additional annotations of the service account. Default: - no additional annotations
+        :param identity_type: The identity type to use for the service account. Default: IdentityType.IRSA
         :param labels: Additional labels of the service account. Default: - no additional labels
         :param name: The name of the service account. The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ Default: - If no name is given, it will use the id of the resource.
         :param namespace: The namespace of the service account. All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns Default: "default"
@@ -12260,6 +12567,22 @@ class _IClusterProxy(
         '''
         return typing.cast(typing.Optional[_ISecurityGroup_acf8a799], jsii.get(self, "clusterHandlerSecurityGroup"))
 
+    @builtins.property
+    @jsii.member(jsii_name="eksPodIdentityAgent")
+    def eks_pod_identity_agent(self) -> typing.Optional[IAddon]:
+        '''The EKS Pod Identity Agent addon for the EKS cluster.
+
+        The EKS Pod Identity Agent is responsible for managing the temporary credentials
+        used by pods in the cluster to access AWS resources. It runs as a DaemonSet on
+        each node and provides the necessary credentials to the pods based on their
+        associated service account.
+
+        This property returns the ``CfnAddon`` resource representing the EKS Pod Identity
+        Agent addon. If the addon has not been created yet, it will be created and
+        returned.
+        '''
+        return typing.cast(typing.Optional[IAddon], jsii.get(self, "eksPodIdentityAgent"))
+
     @builtins.property
     @jsii.member(jsii_name="ipFamily")
     def ip_family(self) -> typing.Optional["IpFamily"]:
@@ -12472,6 +12795,7 @@ class _IClusterProxy(
         id: builtins.str,
         *,
         annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        identity_type: typing.Optional["IdentityType"] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         name: typing.Optional[builtins.str] = None,
         namespace: typing.Optional[builtins.str] = None,
@@ -12480,6 +12804,7 @@ class _IClusterProxy(
 
         :param id: logical id of service account.
         :param annotations: Additional annotations of the service account. Default: - no additional annotations
+        :param identity_type: The identity type to use for the service account. Default: IdentityType.IRSA
         :param labels: Additional labels of the service account. Default: - no additional labels
         :param name: The name of the service account. The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ Default: - If no name is given, it will use the id of the resource.
         :param namespace: The namespace of the service account. All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns Default: "default"
@@ -12488,7 +12813,11 @@ class _IClusterProxy(
             type_hints = typing.get_type_hints(_typecheckingstub__e1ebfaeb10359620b55323126554d3e31b14090625de1618808646a519d578de)
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         options = ServiceAccountOptions(
-            annotations=annotations, labels=labels, name=name, namespace=namespace
+            annotations=annotations,
+            identity_type=identity_type,
+            labels=labels,
+            name=name,
+            namespace=namespace,
         )
 
         return typing.cast("ServiceAccount", jsii.invoke(self, "addServiceAccount", [id, options]))
@@ -12631,6 +12960,49 @@ class _INodegroupProxy(
 typing.cast(typing.Any, INodegroup).__jsii_proxy_class__ = lambda : _INodegroupProxy
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_eks.IdentityType")
+class IdentityType(enum.Enum):
+    '''Enum representing the different identity types that can be used for a Kubernetes service account.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # cluster: eks.Cluster
+        
+        
+        eks.ServiceAccount(self, "ServiceAccount",
+            cluster=cluster,
+            name="test-sa",
+            namespace="default",
+            identity_type=eks.IdentityType.POD_IDENTITY
+        )
+    '''
+
+    IRSA = "IRSA"
+    '''Use the IAM Roles for Service Accounts (IRSA) identity type.
+
+    IRSA allows you to associate an IAM role with a Kubernetes service account.
+    This provides a way to grant permissions to Kubernetes pods by associating an IAM role with a Kubernetes service account.
+    The IAM role can then be used to provide AWS credentials to the pods, allowing them to access other AWS resources.
+
+    When enabled, the openIdConnectProvider of the cluster would be created when you create the ServiceAccount.
+
+    :see: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+    '''
+    POD_IDENTITY = "POD_IDENTITY"
+    '''Use the EKS Pod Identities identity type.
+
+    EKS Pod Identities provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles
+    provide credentials to Amazon EC2 instances. Instead of creating and distributing your AWS credentials to the containers or using the
+    Amazon EC2 instance's role, you associate an IAM role with a Kubernetes service account and configure your Pods to use the service account.
+
+    When enabled, the Pod Identity Agent AddOn of the cluster would be created when you create the ServiceAccount.
+
+    :see: https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html
+    '''
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_eks.IpFamily")
 class IpFamily(enum.Enum):
     '''EKS cluster IP family.
@@ -13905,13 +14277,7 @@ class KubernetesVersion(
     def V1_22(cls) -> "KubernetesVersion":
         '''(deprecated) Kubernetes version 1.22.
 
-        :deprecated:
-
-        Use newer version of EKS
-
-        When creating a ``Cluster`` with this version, you need to also specify the
-        ``kubectlLayer`` property with a ``KubectlV22Layer`` from
-        ``@aws-cdk/lambda-layer-kubectl-v22``.
+        :deprecated: Use newer version of EKS
 
         :stability: deprecated
         '''
@@ -14000,7 +14366,7 @@ class KubernetesVersion(
         '''Kubernetes version 1.30.
 
         When creating a ``Cluster`` with this version, you need to also specify the
-        ``kubectlLayer`` property with a ``KubectlV29Layer`` from
+        ``kubectlLayer`` property with a ``KubectlV30Layer`` from
         ``@aws-cdk/lambda-layer-kubectl-v30``.
         '''
         return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_30"))
@@ -14611,7 +14977,7 @@ class NodegroupOptions:
 
         :default: t3.medium will be used according to the cloudformation document.
 
-        :see: - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-instancetypes
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-instancetypes
         '''
         result = self._values.get("instance_types")
         return typing.cast(typing.Optional[typing.List[_InstanceType_f64915b9]], result)
@@ -14631,7 +14997,7 @@ class NodegroupOptions:
 
         :default: - no launch template
 
-        :see: - https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html
+        :see: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html
         '''
         result = self._values.get("launch_template_spec")
         return typing.cast(typing.Optional[LaunchTemplateSpec], result)
@@ -15053,7 +15419,7 @@ class NodegroupProps(NodegroupOptions):
 
         :default: t3.medium will be used according to the cloudformation document.
 
-        :see: - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-instancetypes
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-instancetypes
         '''
         result = self._values.get("instance_types")
         return typing.cast(typing.Optional[typing.List[_InstanceType_f64915b9]], result)
@@ -15073,7 +15439,7 @@ class NodegroupProps(NodegroupOptions):
 
         :default: - no launch template
 
-        :see: - https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html
+        :see: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html
         '''
         result = self._values.get("launch_template_spec")
         return typing.cast(typing.Optional[LaunchTemplateSpec], result)
@@ -15577,6 +15943,7 @@ class ServiceAccount(
         *,
         cluster: ICluster,
         annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        identity_type: typing.Optional[IdentityType] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         name: typing.Optional[builtins.str] = None,
         namespace: typing.Optional[builtins.str] = None,
@@ -15586,6 +15953,7 @@ class ServiceAccount(
         :param id: -
         :param cluster: The cluster to apply the patch to.
         :param annotations: Additional annotations of the service account. Default: - no additional annotations
+        :param identity_type: The identity type to use for the service account. Default: IdentityType.IRSA
         :param labels: Additional labels of the service account. Default: - no additional labels
         :param name: The name of the service account. The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ Default: - If no name is given, it will use the id of the resource.
         :param namespace: The namespace of the service account. All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns Default: "default"
@@ -15597,6 +15965,7 @@ class ServiceAccount(
         props = ServiceAccountProps(
             cluster=cluster,
             annotations=annotations,
+            identity_type=identity_type,
             labels=labels,
             name=name,
             namespace=namespace,
@@ -15660,6 +16029,7 @@ class ServiceAccount(
     jsii_struct_bases=[],
     name_mapping={
         "annotations": "annotations",
+        "identity_type": "identityType",
         "labels": "labels",
         "name": "name",
         "namespace": "namespace",
@@ -15670,6 +16040,7 @@ class ServiceAccountOptions:
         self,
         *,
         annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        identity_type: typing.Optional[IdentityType] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         name: typing.Optional[builtins.str] = None,
         namespace: typing.Optional[builtins.str] = None,
@@ -15677,6 +16048,7 @@ class ServiceAccountOptions:
         '''Options for ``ServiceAccount``.
 
         :param annotations: Additional annotations of the service account. Default: - no additional annotations
+        :param identity_type: The identity type to use for the service account. Default: IdentityType.IRSA
         :param labels: Additional labels of the service account. Default: - no additional labels
         :param name: The name of the service account. The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ Default: - If no name is given, it will use the id of the resource.
         :param namespace: The namespace of the service account. All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns Default: "default"
@@ -15700,12 +16072,15 @@ class ServiceAccountOptions:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__c16813f7f34b0f551b6879a204a04016f3eb45d120b546a7afd47fee08551d86)
             check_type(argname="argument annotations", value=annotations, expected_type=type_hints["annotations"])
+            check_type(argname="argument identity_type", value=identity_type, expected_type=type_hints["identity_type"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
             check_type(argname="argument name", value=name, expected_type=type_hints["name"])
             check_type(argname="argument namespace", value=namespace, expected_type=type_hints["namespace"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if annotations is not None:
             self._values["annotations"] = annotations
+        if identity_type is not None:
+            self._values["identity_type"] = identity_type
         if labels is not None:
             self._values["labels"] = labels
         if name is not None:
@@ -15724,6 +16099,15 @@ class ServiceAccountOptions:
         result = self._values.get("annotations")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def identity_type(self) -> typing.Optional[IdentityType]:
+        '''The identity type to use for the service account.
+
+        :default: IdentityType.IRSA
+        '''
+        result = self._values.get("identity_type")
+        return typing.cast(typing.Optional[IdentityType], result)
+
     @builtins.property
     def labels(self) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
         '''Additional labels of the service account.
@@ -15774,6 +16158,7 @@ class ServiceAccountOptions:
     jsii_struct_bases=[ServiceAccountOptions],
     name_mapping={
         "annotations": "annotations",
+        "identity_type": "identityType",
         "labels": "labels",
         "name": "name",
         "namespace": "namespace",
@@ -15785,6 +16170,7 @@ class ServiceAccountProps(ServiceAccountOptions):
         self,
         *,
         annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        identity_type: typing.Optional[IdentityType] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         name: typing.Optional[builtins.str] = None,
         namespace: typing.Optional[builtins.str] = None,
@@ -15793,38 +16179,30 @@ class ServiceAccountProps(ServiceAccountOptions):
         '''Properties for defining service accounts.
 
         :param annotations: Additional annotations of the service account. Default: - no additional annotations
+        :param identity_type: The identity type to use for the service account. Default: IdentityType.IRSA
         :param labels: Additional labels of the service account. Default: - no additional labels
         :param name: The name of the service account. The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ Default: - If no name is given, it will use the id of the resource.
         :param namespace: The namespace of the service account. All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns Default: "default"
         :param cluster: The cluster to apply the patch to.
 
-        :exampleMetadata: fixture=_generated
+        :exampleMetadata: infused
 
         Example::
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_eks as eks
-            
             # cluster: eks.Cluster
             
-            service_account_props = eks.ServiceAccountProps(
-                cluster=cluster,
             
-                # the properties below are optional
-                annotations={
-                    "annotations_key": "annotations"
-                },
-                labels={
-                    "labels_key": "labels"
-                },
-                name="name",
-                namespace="namespace"
+            eks.ServiceAccount(self, "ServiceAccount",
+                cluster=cluster,
+                name="test-sa",
+                namespace="default",
+                identity_type=eks.IdentityType.POD_IDENTITY
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f409e147cd54788bf9d9542d66a6b0445436e408deb553426c2dca2bd73b6d76)
             check_type(argname="argument annotations", value=annotations, expected_type=type_hints["annotations"])
+            check_type(argname="argument identity_type", value=identity_type, expected_type=type_hints["identity_type"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
             check_type(argname="argument name", value=name, expected_type=type_hints["name"])
             check_type(argname="argument namespace", value=namespace, expected_type=type_hints["namespace"])
@@ -15834,6 +16212,8 @@ class ServiceAccountProps(ServiceAccountOptions):
         }
         if annotations is not None:
             self._values["annotations"] = annotations
+        if identity_type is not None:
+            self._values["identity_type"] = identity_type
         if labels is not None:
             self._values["labels"] = labels
         if name is not None:
@@ -15852,6 +16232,15 @@ class ServiceAccountProps(ServiceAccountOptions):
         result = self._values.get("annotations")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def identity_type(self) -> typing.Optional[IdentityType]:
+        '''The identity type to use for the service account.
+
+        :default: IdentityType.IRSA
+        '''
+        result = self._values.get("identity_type")
+        return typing.cast(typing.Optional[IdentityType], result)
+
     @builtins.property
     def labels(self) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
         '''Additional labels of the service account.
@@ -16287,6 +16676,123 @@ class AccessPolicy(
         return typing.cast(builtins.str, jsii.get(self, "policy"))
 
 
+@jsii.implements(IAddon)
+class Addon(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_eks.Addon",
+):
+    '''Represents an Amazon EKS Add-On.
+
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_eks as eks
+        
+        # cluster: eks.Cluster
+        
+        addon = eks.Addon(self, "MyAddon",
+            addon_name="addonName",
+            cluster=cluster,
+        
+            # the properties below are optional
+            addon_version="addonVersion"
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        addon_name: builtins.str,
+        cluster: ICluster,
+        addon_version: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Creates a new Amazon EKS Add-On.
+
+        :param scope: The parent construct.
+        :param id: The construct ID.
+        :param addon_name: Name of the Add-On.
+        :param cluster: The EKS cluster the Add-On is associated with.
+        :param addon_version: Version of the Add-On. You can check all available versions with describe-addon-versons. For example, this lists all available versions for the ``eks-pod-identity-agent`` addon: $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent --query 'addons[*].addonVersions[*].addonVersion' Default: the latest version.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a8342124e215d4789acf852df764143c4809251dbcaa86f6b4a11860e46f830d)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = AddonProps(
+            addon_name=addon_name, cluster=cluster, addon_version=addon_version
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="fromAddonArn")
+    @builtins.classmethod
+    def from_addon_arn(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        addon_arn: builtins.str,
+    ) -> IAddon:
+        '''Creates an ``IAddon`` from an existing addon ARN.
+
+        :param scope: - The parent construct.
+        :param id: - The ID of the construct.
+        :param addon_arn: - The ARN of the addon.
+
+        :return: An ``IAddon`` implementation.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d4c2296edfe5b5c8603ac11e589a95341ba550799d11a043d66684ed98365879)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument addon_arn", value=addon_arn, expected_type=type_hints["addon_arn"])
+        return typing.cast(IAddon, jsii.sinvoke(cls, "fromAddonArn", [scope, id, addon_arn]))
+
+    @jsii.member(jsii_name="fromAddonAttributes")
+    @builtins.classmethod
+    def from_addon_attributes(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        addon_name: builtins.str,
+        cluster_name: builtins.str,
+    ) -> IAddon:
+        '''Creates an ``IAddon`` instance from the given addon attributes.
+
+        :param scope: - The parent construct.
+        :param id: - The construct ID.
+        :param addon_name: The name of the addon.
+        :param cluster_name: The name of the Amazon EKS cluster the addon is associated with.
+
+        :return: An ``IAddon`` instance.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8a990f16d21217e79d80780ad054930c23d18b30b674b483763b39dcdb7fdac7)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        attrs = AddonAttributes(addon_name=addon_name, cluster_name=cluster_name)
+
+        return typing.cast(IAddon, jsii.sinvoke(cls, "fromAddonAttributes", [scope, id, attrs]))
+
+    @builtins.property
+    @jsii.member(jsii_name="addonArn")
+    def addon_arn(self) -> builtins.str:
+        '''Arn of the addon.'''
+        return typing.cast(builtins.str, jsii.get(self, "addonArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="addonName")
+    def addon_name(self) -> builtins.str:
+        '''Name of the addon.'''
+        return typing.cast(builtins.str, jsii.get(self, "addonName"))
+
+
 @jsii.implements(ICluster)
 class Cluster(
     _Resource_45bc6135,
@@ -16877,6 +17383,7 @@ class Cluster(
         id: builtins.str,
         *,
         annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        identity_type: typing.Optional[IdentityType] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         name: typing.Optional[builtins.str] = None,
         namespace: typing.Optional[builtins.str] = None,
@@ -16885,6 +17392,7 @@ class Cluster(
 
         :param id: -
         :param annotations: Additional annotations of the service account. Default: - no additional annotations
+        :param identity_type: The identity type to use for the service account. Default: IdentityType.IRSA
         :param labels: Additional labels of the service account. Default: - no additional labels
         :param name: The name of the service account. The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ Default: - If no name is given, it will use the id of the resource.
         :param namespace: The namespace of the service account. All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns Default: "default"
@@ -16893,7 +17401,11 @@ class Cluster(
             type_hints = typing.get_type_hints(_typecheckingstub__a242c66f1c038c3d983fd703316e9b6709e3aed4c6773ed4ea290f2c0f5749be)
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         options = ServiceAccountOptions(
-            annotations=annotations, labels=labels, name=name, namespace=namespace
+            annotations=annotations,
+            identity_type=identity_type,
+            labels=labels,
+            name=name,
+            namespace=namespace,
         )
 
         return typing.cast(ServiceAccount, jsii.invoke(self, "addServiceAccount", [id, options]))
@@ -17210,6 +17722,18 @@ class Cluster(
         '''
         return typing.cast(typing.Optional[Nodegroup], jsii.get(self, "defaultNodegroup"))
 
+    @builtins.property
+    @jsii.member(jsii_name="eksPodIdentityAgent")
+    def eks_pod_identity_agent(self) -> typing.Optional[IAddon]:
+        '''Retrieves the EKS Pod Identity Agent addon for the EKS cluster.
+
+        The EKS Pod Identity Agent is responsible for managing the temporary credentials
+        used by pods in the cluster to access AWS resources. It runs as a DaemonSet on
+        each node and provides the necessary credentials to the pods based on their
+        associated service account.
+        '''
+        return typing.cast(typing.Optional[IAddon], jsii.get(self, "eksPodIdentityAgent"))
+
     @builtins.property
     @jsii.member(jsii_name="ipFamily")
     def ip_family(self) -> typing.Optional[IpFamily]:
@@ -19252,6 +19776,9 @@ __all__ = [
     "AccessPolicyProps",
     "AccessScope",
     "AccessScopeType",
+    "Addon",
+    "AddonAttributes",
+    "AddonProps",
     "AlbController",
     "AlbControllerOptions",
     "AlbControllerProps",
@@ -19301,9 +19828,11 @@ __all__ = [
     "HelmChartProps",
     "IAccessEntry",
     "IAccessPolicy",
+    "IAddon",
     "ICluster",
     "IKubectlProvider",
     "INodegroup",
+    "IdentityType",
     "IngressLoadBalancerAddressOptions",
     "IpFamily",
     "KubectlProvider",
@@ -19394,6 +19923,23 @@ def _typecheckingstub__5f979c2154a9a6bd2f77cf7ff51d6f83944d3c1290fcb70cdab0b403b
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__77d0746018f1cbe3ed090d492996344d98293f7a76446705a3ac043408c02cfe(
+    *,
+    addon_name: builtins.str,
+    cluster_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__febc9f6cb4243d885b1b1838be38d633e7c5fc6534eaaf731f00a24653ee7591(
+    *,
+    addon_name: builtins.str,
+    cluster: ICluster,
+    addon_version: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__5e2ca421e3f17c3114d53057ba096ab3f90bd3b8ed6c2e0f75f61c88dd5aed4b(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -19771,6 +20317,7 @@ def _typecheckingstub__d3e62a858014f3867f3039d1328d57223fb0d16e3fb6d1e2d79279938
     resources_vpc_config: typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ResourcesVpcConfigProperty, typing.Dict[builtins.str, typing.Any]]],
     role_arn: builtins.str,
     access_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.AccessConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     logging: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.LoggingProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -19812,6 +20359,12 @@ def _typecheckingstub__249431e71bfb6d15cdb94aea4df14d4b3371f709cb261f00cb7dc77e7
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__1b3725246139251af199def1d548b17a13e8ddd4df825377563ea01cdea555c4(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b161fda542258d1cd8a20fecd3943cacecb658f19ab16b918baf49908459644c(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnCluster.EncryptionConfigProperty]]]],
 ) -> None:
@@ -19939,6 +20492,7 @@ def _typecheckingstub__270f142a59c249328ab174c5b0484cfdae6e3110ab52578dbe783d6f8
     resources_vpc_config: typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ResourcesVpcConfigProperty, typing.Dict[builtins.str, typing.Any]]],
     role_arn: builtins.str,
     access_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.AccessConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     logging: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.LoggingProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -20605,6 +21159,7 @@ def _typecheckingstub__e1ebfaeb10359620b55323126554d3e31b14090625de1618808646a51
     id: builtins.str,
     *,
     annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    identity_type: typing.Optional[IdentityType] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     name: typing.Optional[builtins.str] = None,
     namespace: typing.Optional[builtins.str] = None,
@@ -20896,6 +21451,7 @@ def _typecheckingstub__c59483a03e00366cbc5eed954b787cea3e7b09f1579c5c9badd84776c
     *,
     cluster: ICluster,
     annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    identity_type: typing.Optional[IdentityType] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     name: typing.Optional[builtins.str] = None,
     namespace: typing.Optional[builtins.str] = None,
@@ -20912,6 +21468,7 @@ def _typecheckingstub__644b8e999f78647ce72c2476e43febe6c5bec18a337cfb7b041c87773
 def _typecheckingstub__c16813f7f34b0f551b6879a204a04016f3eb45d120b546a7afd47fee08551d86(
     *,
     annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    identity_type: typing.Optional[IdentityType] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     name: typing.Optional[builtins.str] = None,
     namespace: typing.Optional[builtins.str] = None,
@@ -20922,6 +21479,7 @@ def _typecheckingstub__c16813f7f34b0f551b6879a204a04016f3eb45d120b546a7afd47fee0
 def _typecheckingstub__f409e147cd54788bf9d9542d66a6b0445436e408deb553426c2dca2bd73b6d76(
     *,
     annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    identity_type: typing.Optional[IdentityType] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     name: typing.Optional[builtins.str] = None,
     namespace: typing.Optional[builtins.str] = None,
@@ -20985,6 +21543,35 @@ def _typecheckingstub__a928f26a921cd1d01ec556e4421fe3bf4a1ac17a9b598a554215bfae5
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__a8342124e215d4789acf852df764143c4809251dbcaa86f6b4a11860e46f830d(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    addon_name: builtins.str,
+    cluster: ICluster,
+    addon_version: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__d4c2296edfe5b5c8603ac11e589a95341ba550799d11a043d66684ed98365879(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    addon_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8a990f16d21217e79d80780ad054930c23d18b30b674b483763b39dcdb7fdac7(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    addon_name: builtins.str,
+    cluster_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__786576ad54eacdb9ab8e92277c0fd07f813bc56d4243937f3b5a85c0c575cac9(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -21174,6 +21761,7 @@ def _typecheckingstub__a242c66f1c038c3d983fd703316e9b6709e3aed4c6773ed4ea290f2c0
     id: builtins.str,
     *,
     annotations: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    identity_type: typing.Optional[IdentityType] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     name: typing.Optional[builtins.str] = None,
     namespace: typing.Optional[builtins.str] = None,