aws-cdk-lib 2.178.1__py3-none-any.whl → 2.179.0__py3-none-any.whl

aws_cdk/aws_eks/__init__.py

@@ -39,6 +39,7 @@ In addition, the library also supports defining Kubernetes resource manifests wi
     * [ARM64 Support](#arm64-support)
     * [Masters Role](#masters-role)
     * [Encryption](#encryption)
+    * [Hybrid nodes](#hybrid-nodes)
   * [Permissions and Security](#permissions-and-security)
 
     * [AWS IAM Mapping](#aws-iam-mapping)
@@ -78,13 +79,13 @@ This example defines an Amazon EKS cluster with the following configuration:
 * A Kubernetes pod with a container based on the [paulbouwer/hello-kubernetes](https://github.com/paulbouwer/hello-kubernetes) image.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v31 import KubectlV31Layer
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
 
 
 # provisioning a cluster
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_31,
-    kubectl_layer=KubectlV31Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 
 # apply a kubernetes manifest to the cluster
@@ -145,19 +146,27 @@ A more detailed breakdown of each is provided further down this README.
 
 ## Provisioning clusters
 
-Creating a new cluster is done using the `Cluster` or `FargateCluster` constructs. The only required property is the kubernetes `version`.
+Creating a new cluster is done using the `Cluster` or `FargateCluster` constructs. The only required properties are the kubernetes `version` and `kubectlLayer`.
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
 You can also use `FargateCluster` to provision a cluster that uses only fargate workers.
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 eks.FargateCluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -169,7 +178,7 @@ Capacity is the amount and the type of worker nodes that are available to the cl
 ### Managed node groups
 
 Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters.
-With Amazon EKS managed node groups, you don’t need to separately provision or register the Amazon EC2 instances that provide compute capacity to run your Kubernetes applications. You can create, update, or terminate nodes for your cluster with a single operation. Nodes run using the latest Amazon EKS optimized AMIs in your AWS account while node updates and terminations gracefully drain nodes to ensure that your applications stay available.
+With Amazon EKS managed node groups, you don't need to separately provision or register the Amazon EC2 instances that provide compute capacity to run your Kubernetes applications. You can create, update, or terminate nodes for your cluster with a single operation. Nodes run using the latest Amazon EKS optimized AMIs in your AWS account while node updates and terminations gracefully drain nodes to ensure that your applications stay available.
 
 > For more details visit [Amazon EKS Managed Node Groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html).
 
@@ -180,10 +189,14 @@ By default, this library will allocate a managed node group with 2 *m5.large* in
 At cluster instantiation time, you can customize the number of instances and their type:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31,
+    version=eks.KubernetesVersion.V1_32,
     default_capacity=5,
-    default_capacity_instance=ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.SMALL)
+    default_capacity_instance=ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.SMALL),
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -192,9 +205,13 @@ To access the node group that was created on your behalf, you can use `cluster.d
 Additional customizations are available post instantiation. To apply them, set the default capacity to 0, and use the `cluster.addNodegroupCapacity` method:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31,
-    default_capacity=0
+    version=eks.KubernetesVersion.V1_32,
+    default_capacity=0,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 
 cluster.add_nodegroup_capacity("custom-node-group",
@@ -273,6 +290,9 @@ Node groups are available with IPv6 configured networks.  For custom roles assig
 > For more details visit [Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-role)
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 ipv6_management = iam.PolicyDocument(
     statements=[iam.PolicyStatement(
         resources=["arn:aws:ec2:*:*:network-interface/*"],
@@ -295,8 +315,9 @@ eks_cluster_node_group_role = iam.Role(self, "eksClusterNodeGroupRole",
 )
 
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31,
-    default_capacity=0
+    version=eks.KubernetesVersion.V1_32,
+    default_capacity=0,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 
 cluster.add_nodegroup_capacity("custom-node-group",
@@ -405,9 +426,13 @@ has been changed. As a workaround, you need to add a temporary policy to the clu
 successful replacement. Consider this example if you are renaming the cluster from `foo` to `bar`:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 cluster = eks.Cluster(self, "cluster-to-rename",
     cluster_name="foo",  # rename this to 'bar'
-    version=eks.KubernetesVersion.V1_31
+    kubectl_layer=KubectlV32Layer(self, "kubectl"),
+    version=eks.KubernetesVersion.V1_32
 )
 
 # allow the cluster admin role to delete the cluster 'foo'
@@ -460,8 +485,12 @@ To create an EKS cluster that **only** uses Fargate capacity, you can use `Farga
 The following code defines an Amazon EKS cluster with a default Fargate Profile that matches all pods from the "kube-system" and "default" namespaces. It is also configured to [run CoreDNS on Fargate](https://docs.aws.amazon.com/eks/latest/userguide/fargate-getting-started.html#fargate-gs-coredns).
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 cluster = eks.FargateCluster(self, "MyCluster",
-    version=eks.KubernetesVersion.V1_31
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -541,9 +570,13 @@ To disable bootstrapping altogether (i.e. to fully customize user-data), set `bo
 You can also configure the cluster to use an auto-scaling group as the default capacity:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31,
-    default_capacity_type=eks.DefaultCapacityType.EC2
+    version=eks.KubernetesVersion.V1_32,
+    default_capacity_type=eks.DefaultCapacityType.EC2,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -650,9 +683,13 @@ AWS Identity and Access Management (IAM) and native Kubernetes [Role Based Acces
 You can configure the [cluster endpoint access](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) by using the `endpointAccess` property:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_31,
-    endpoint_access=eks.EndpointAccess.PRIVATE
+    version=eks.KubernetesVersion.V1_32,
+    endpoint_access=eks.EndpointAccess.PRIVATE,  # No access outside of your VPC.
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -672,11 +709,15 @@ From the docs:
 To deploy the controller on your EKS cluster, configure the `albController` property:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31,
+    version=eks.KubernetesVersion.V1_32,
     alb_controller=eks.AlbControllerOptions(
         version=eks.AlbControllerVersion.V2_8_2
-    )
+    ),
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -713,13 +754,16 @@ if cluster.alb_controller:
 You can specify the VPC of the cluster using the `vpc` and `vpcSubnets` properties:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
 # vpc: ec2.Vpc
 
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31,
+    version=eks.KubernetesVersion.V1_32,
     vpc=vpc,
-    vpc_subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)]
+    vpc_subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)],
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -763,10 +807,12 @@ The `ClusterHandler` is a set of Lambda functions (`onEventHandler`, `isComplete
 You can configure the environment of the Cluster Handler functions by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
 # proxy_instance_security_group: ec2.SecurityGroup
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_31,
+    version=eks.KubernetesVersion.V1_32,
     cluster_handler_environment={
         "https_proxy": "http://proxy.myproxy.com"
     },
@@ -774,7 +820,8 @@ cluster = eks.Cluster(self, "hello-eks",
     # If the proxy is not open publicly, you can pass a security group to the
     # Cluster Handler Lambdas so that it can reach the proxy.
     #
-    cluster_handler_security_group=proxy_instance_security_group
+    cluster_handler_security_group=proxy_instance_security_group,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -783,6 +830,7 @@ cluster = eks.Cluster(self, "hello-eks",
 You can optionally choose to configure your cluster to use IPv6 using the [`ipFamily`](https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-ipFamily) definition for your cluster.  Note that this will require the underlying subnets to have an associated IPv6 CIDR.
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
 # vpc: ec2.Vpc
 
 
@@ -807,10 +855,11 @@ for subnet in subnets:
     subnetcount = subnetcount + 1
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_31,
+    version=eks.KubernetesVersion.V1_32,
     vpc=vpc,
     ip_family=eks.IpFamily.IP_V6,
-    vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)]
+    vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)],
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -841,11 +890,15 @@ cluster = eks.Cluster.from_cluster_attributes(self, "Cluster",
 You can configure the environment of this function by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_31,
+    version=eks.KubernetesVersion.V1_32,
     kubectl_environment={
         "http_proxy": "http://proxy.myproxy.com"
-    }
+    },
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -862,12 +915,12 @@ Depending on which version of kubernetes you're targeting, you will need to use
 the `@aws-cdk/lambda-layer-kubectl-vXY` packages.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v31 import KubectlV31Layer
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
 
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_31,
-    kubectl_layer=KubectlV31Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -903,7 +956,7 @@ cluster1 = eks.Cluster(self, "MyCluster",
     kubectl_layer=layer,
     vpc=vpc,
     cluster_name="cluster-name",
-    version=eks.KubernetesVersion.V1_31
+    version=eks.KubernetesVersion.V1_32
 )
 
 # or
@@ -919,11 +972,16 @@ cluster2 = eks.Cluster.from_cluster_attributes(self, "MyCluster",
 By default, the kubectl provider is configured with 1024MiB of memory. You can use the `kubectlMemory` option to specify the memory size for the AWS Lambda function:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
 # or
 # vpc: ec2.Vpc
+
+
 eks.Cluster(self, "MyCluster",
     kubectl_memory=Size.gibibytes(4),
-    version=eks.KubernetesVersion.V1_31
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 eks.Cluster.from_cluster_attributes(self, "MyCluster",
     kubectl_memory=Size.gibibytes(4),
@@ -958,11 +1016,14 @@ cluster.add_auto_scaling_group_capacity("self-ng-arm",
 When you create a cluster, you can specify a `mastersRole`. The `Cluster` construct will associate this role with the `system:masters` [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) group, giving it super-user access to the cluster.
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
 # role: iam.Role
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_31,
-    masters_role=role
+    version=eks.KubernetesVersion.V1_32,
+    masters_role=role,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -1008,20 +1069,28 @@ You can use the `secretsEncryptionKey` to configure which key the cluster will u
 > This setting can only be specified when the cluster is created and cannot be updated.
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 secrets_key = kms.Key(self, "SecretsKey")
 cluster = eks.Cluster(self, "MyCluster",
     secrets_encryption_key=secrets_key,
-    version=eks.KubernetesVersion.V1_31
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
 You can also use a similar configuration for running a cluster built using the FargateCluster construct.
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 secrets_key = kms.Key(self, "SecretsKey")
 cluster = eks.FargateCluster(self, "MyFargateCluster",
     secrets_encryption_key=secrets_key,
-    version=eks.KubernetesVersion.V1_31
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -1033,6 +1102,30 @@ The Amazon Resource Name (ARN) for that CMK can be retrieved.
 cluster_encryption_config_key_arn = cluster.cluster_encryption_config_key_arn
 ```
 
+### Hybrid Nodes
+
+When you create an Amazon EKS cluster, you can configure it to leverage the [EKS Hybrid Nodes](https://aws.amazon.com/eks/hybrid-nodes/) feature, allowing you to use your on-premises and edge infrastructure as nodes in your EKS cluster. Refer to the Hyrid Nodes [networking documentation](https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-networking.html) to configure your on-premises network, node and pod CIDRs, access control, etc before creating your EKS Cluster.
+
+Once you have identified the on-premises node and pod (optional) CIDRs you will use for your hybrid nodes and the workloads running on them, you can specify them during cluster creation using the `remoteNodeNetworks` and `remotePodNetworks` (optional) properties:
+
+```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
+eks.Cluster(self, "Cluster",
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
+    remote_node_networks=[eks.RemoteNodeNetwork(
+        cidrs=["10.0.0.0/16"]
+    )
+    ],
+    remote_pod_networks=[eks.RemotePodNetwork(
+        cidrs=["192.168.0.0/16"]
+    )
+    ]
+)
+```
+
 ## Permissions and Security
 
 Amazon EKS provides several mechanism of securing the cluster and granting permissions to specific IAM users and roles.
@@ -1068,7 +1161,7 @@ To access the Kubernetes resources from the console, make sure your viewing prin
 in the `aws-auth` ConfigMap. Some options to consider:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v31 import KubectlV31Layer
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
 # cluster: eks.Cluster
 # your_current_role: iam.Role
 # vpc: ec2.Vpc
@@ -1086,7 +1179,7 @@ your_current_role.add_to_policy(iam.PolicyStatement(
 
 ```python
 # Option 2: create your custom mastersRole with scoped assumeBy arn as the Cluster prop. Switch to this role from the AWS console.
-from aws_cdk.lambda_layer_kubectl_v31 import KubectlV31Layer
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
 # vpc: ec2.Vpc
 
 
@@ -1096,8 +1189,8 @@ masters_role = iam.Role(self, "MastersRole",
 
 cluster = eks.Cluster(self, "EksCluster",
     vpc=vpc,
-    version=eks.KubernetesVersion.V1_31,
-    kubectl_layer=KubectlV31Layer(self, "KubectlLayer"),
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
     masters_role=masters_role
 )
 
@@ -1136,14 +1229,14 @@ AWS IAM principals from both Amazon EKS access entry APIs and the aws-auth confi
 To specify the `authenticationMode`:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v31 import KubectlV31Layer
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
 # vpc: ec2.Vpc
 
 
 eks.Cluster(self, "Cluster",
     vpc=vpc,
-    version=eks.KubernetesVersion.V1_31,
-    kubectl_layer=KubectlV31Layer(self, "KubectlLayer"),
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
     authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
 )
 ```
@@ -1188,7 +1281,7 @@ eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
 Use `grantAccess()` to grant the AccessPolicy to an IAM principal:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v31 import KubectlV31Layer
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
 # vpc: ec2.Vpc
 
 
@@ -1207,8 +1300,8 @@ eks_admin_view_role = iam.Role(self, "EKSAdminViewRole",
 cluster = eks.Cluster(self, "Cluster",
     vpc=vpc,
     masters_role=cluster_admin_role,
-    version=eks.KubernetesVersion.V1_31,
-    kubectl_layer=KubectlV31Layer(self, "KubectlLayer"),
+    version=eks.KubernetesVersion.V1_32,
+    kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
     authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
 )
 
@@ -1539,9 +1632,13 @@ Pruning is enabled by default but can be disabled through the `prune` option
 when a cluster is defined:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 eks.Cluster(self, "MyCluster",
-    version=eks.KubernetesVersion.V1_31,
-    prune=False
+    version=eks.KubernetesVersion.V1_32,
+    prune=False,
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -1937,11 +2034,15 @@ You can enable logging for each one separately using the `clusterLogging`
 property. For example:
 
 ```python
+from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+
+
 cluster = eks.Cluster(self, "Cluster",
     # ...
-    version=eks.KubernetesVersion.V1_31,
+    version=eks.KubernetesVersion.V1_32,
     cluster_logging=[eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.SCHEDULER
-    ]
+    ],
+    kubectl_layer=KubectlV32Layer(self, "kubectl")
 )
 ```
 
@@ -2892,11 +2993,15 @@ class AlbControllerOptions:
 
         Example::
 
+            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            
+            
             eks.Cluster(self, "HelloEKS",
-                version=eks.KubernetesVersion.V1_31,
+                version=eks.KubernetesVersion.V1_32,
                 alb_controller=eks.AlbControllerOptions(
                     version=eks.AlbControllerVersion.V2_8_2
-                )
+                ),
+                kubectl_layer=KubectlV32Layer(self, "kubectl")
             )
         '''
         if __debug__:
@@ -3085,11 +3190,15 @@ class AlbControllerVersion(
 
     Example::
 
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        
+        
         eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_31,
+            version=eks.KubernetesVersion.V1_32,
             alb_controller=eks.AlbControllerOptions(
                 version=eks.AlbControllerVersion.V2_8_2
-            )
+            ),
+            kubectl_layer=KubectlV32Layer(self, "kubectl")
         )
     '''
 
@@ -3365,14 +3474,14 @@ class AuthenticationMode(enum.Enum):
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v31 import KubectlV31Layer
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
         # vpc: ec2.Vpc
         
         
         eks.Cluster(self, "Cluster",
             vpc=vpc,
-            version=eks.KubernetesVersion.V1_31,
-            kubectl_layer=KubectlV31Layer(self, "KubectlLayer"),
+            version=eks.KubernetesVersion.V1_32,
+            kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
             authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
         )
     '''
@@ -11215,7 +11324,7 @@ class ClusterAttributes:
         :param ip_family: Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
         :param kubectl_environment: Environment variables to use when running ``kubectl`` against this cluster. Default: - no additional variables
         :param kubectl_lambda_role: An IAM role that can perform kubectl operations against this cluster. The role should be mapped to the ``system:masters`` Kubernetes RBAC role. This role is directly passed to the lambda handler that sends Kube Ctl commands to the cluster. Default: - if not specified, the default role created by a lambda function will be used.
-        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. If you don't supply this value ``kubectl`` 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20 and helm 3.8.
+        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - No default layer will be provided
         :param kubectl_memory: Amount of memory to allocate to the provider's lambda function. Default: Size.gibibytes(1)
         :param kubectl_private_subnet_ids: Subnets to host the ``kubectl`` compute resources. If not specified, the k8s endpoint is expected to be accessible publicly. Default: - k8s endpoint is expected to be accessible publicly
         :param kubectl_provider: KubectlProvider for issuing kubectl commands. Default: - Default CDK provider
@@ -11430,15 +11539,14 @@ class ClusterAttributes:
         This layer is used by the kubectl handler to apply manifests and install
         helm charts. You must pick an appropriate releases of one of the
         ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of
-        Kubernetes you have chosen. If you don't supply this value ``kubectl``
-        1.20 will be used, but that version is most likely too old.
+        Kubernetes you have chosen.
 
         The handler expects the layer to include the following executables::
 
            /opt/helm/helm
            /opt/kubectl/kubectl
 
-        :default: - a default layer with Kubectl 1.20 and helm 3.8.
+        :default: - No default layer will be provided
         '''
         result = self._values.get("kubectl_layer")
         return typing.cast(typing.Optional[_ILayerVersion_5ac127c8], result)
@@ -11581,11 +11689,15 @@ class ClusterLoggingTypes(enum.Enum):
 
     Example::
 
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        
+        
         cluster = eks.Cluster(self, "Cluster",
             # ...
-            version=eks.KubernetesVersion.V1_31,
+            version=eks.KubernetesVersion.V1_32,
             cluster_logging=[eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.SCHEDULER
-            ]
+            ],
+            kubectl_layer=KubectlV32Layer(self, "kubectl")
         )
     '''
 
@@ -11821,9 +11933,13 @@ class DefaultCapacityType(enum.Enum):
 
     Example::
 
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        
+        
         cluster = eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_31,
-            default_capacity_type=eks.DefaultCapacityType.EC2
+            version=eks.KubernetesVersion.V1_32,
+            default_capacity_type=eks.DefaultCapacityType.EC2,
+            kubectl_layer=KubectlV32Layer(self, "kubectl")
         )
     '''
 
@@ -11990,9 +12106,13 @@ class EndpointAccess(
 
     Example::
 
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        
+        
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_31,
-            endpoint_access=eks.EndpointAccess.PRIVATE
+            version=eks.KubernetesVersion.V1_32,
+            endpoint_access=eks.EndpointAccess.PRIVATE,  # No access outside of your VPC.
+            kubectl_layer=KubectlV32Layer(self, "kubectl")
         )
     '''
 
@@ -13399,10 +13519,7 @@ class ICluster(_IResource_c80c4260, _IConnectable_10015a05, typing_extensions.Pr
     @builtins.property
     @jsii.member(jsii_name="kubectlLayer")
     def kubectl_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
-        '''An AWS Lambda layer that includes ``kubectl`` and ``helm``.
-
-        If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
-        '''
+        '''An AWS Lambda layer that includes ``kubectl`` and ``helm``.'''
         ...
 
     @builtins.property
@@ -13777,10 +13894,7 @@ class _IClusterProxy(
     @builtins.property
     @jsii.member(jsii_name="kubectlLayer")
     def kubectl_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
-        '''An AWS Lambda layer that includes ``kubectl`` and ``helm``.
-
-        If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
-        '''
+        '''An AWS Lambda layer that includes ``kubectl`` and ``helm``.'''
         return typing.cast(typing.Optional[_ILayerVersion_5ac127c8], jsii.get(self, "kubectlLayer"))
 
     @builtins.property
@@ -14172,6 +14286,7 @@ class IpFamily(enum.Enum):
 
     Example::
 
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
         # vpc: ec2.Vpc
         
         
@@ -14196,10 +14311,11 @@ class IpFamily(enum.Enum):
             subnetcount = subnetcount + 1
         
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_31,
+            version=eks.KubernetesVersion.V1_32,
             vpc=vpc,
             ip_family=eks.IpFamily.IP_V6,
-            vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)]
+            vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)],
+            kubectl_layer=KubectlV32Layer(self, "kubectl")
         )
     '''
 
@@ -15320,11 +15436,16 @@ class KubernetesVersion(
 
     Example::
 
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        
         # or
         # vpc: ec2.Vpc
+        
+        
         eks.Cluster(self, "MyCluster",
             kubectl_memory=Size.gibibytes(4),
-            version=eks.KubernetesVersion.V1_31
+            version=eks.KubernetesVersion.V1_32,
+            kubectl_layer=KubectlV32Layer(self, "kubectl")
         )
         eks.Cluster.from_cluster_attributes(self, "MyCluster",
             kubectl_memory=Size.gibibytes(4),
@@ -15543,6 +15664,17 @@ class KubernetesVersion(
         '''
         return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_31"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="V1_32")
+    def V1_32(cls) -> "KubernetesVersion":
+        '''Kubernetes version 1.32.
+
+        When creating a ``Cluster`` with this version, you need to also specify the
+        ``kubectlLayer`` property with a ``KubectlV32Layer`` from
+        ``@aws-cdk/lambda-layer-kubectl-v32``.
+        '''
+        return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_32"))
+
     @builtins.property
     @jsii.member(jsii_name="version")
     def version(self) -> builtins.str:
@@ -16999,6 +17131,110 @@ class PatchType(enum.Enum):
     '''Strategic merge patch.'''
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.RemoteNodeNetwork",
+    jsii_struct_bases=[],
+    name_mapping={"cidrs": "cidrs"},
+)
+class RemoteNodeNetwork:
+    def __init__(self, *, cidrs: typing.Sequence[builtins.str]) -> None:
+        '''Network configuration of nodes run on-premises with EKS Hybrid Nodes.
+
+        :param cidrs: Specifies the list of remote node CIDRs.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            remote_node_network = eks.RemoteNodeNetwork(
+                cidrs=["cidrs"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__600789f5d1adc105e950fc1e01201ea975b89bb797b63227b757a633425a0f09)
+            check_type(argname="argument cidrs", value=cidrs, expected_type=type_hints["cidrs"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "cidrs": cidrs,
+        }
+
+    @builtins.property
+    def cidrs(self) -> typing.List[builtins.str]:
+        '''Specifies the list of remote node CIDRs.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-remotenodenetwork.html#cfn-eks-cluster-remotenodenetwork-cidrs
+        '''
+        result = self._values.get("cidrs")
+        assert result is not None, "Required property 'cidrs' is missing"
+        return typing.cast(typing.List[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "RemoteNodeNetwork(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_eks.RemotePodNetwork",
+    jsii_struct_bases=[],
+    name_mapping={"cidrs": "cidrs"},
+)
+class RemotePodNetwork:
+    def __init__(self, *, cidrs: typing.Sequence[builtins.str]) -> None:
+        '''Network configuration of pods run on-premises with EKS Hybrid Nodes.
+
+        :param cidrs: Specifies the list of remote pod CIDRs.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_eks as eks
+            
+            remote_pod_network = eks.RemotePodNetwork(
+                cidrs=["cidrs"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f9878a6e6680b6c2c6cb0db908c65c1de65fe68965909386c87176ba98e30705)
+            check_type(argname="argument cidrs", value=cidrs, expected_type=type_hints["cidrs"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "cidrs": cidrs,
+        }
+
+    @builtins.property
+    def cidrs(self) -> typing.List[builtins.str]:
+        '''Specifies the list of remote pod CIDRs.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-remotepodnetwork.html#cfn-eks-cluster-remotepodnetwork-cidrs
+        '''
+        result = self._values.get("cidrs")
+        assert result is not None, "Required property 'cidrs' is missing"
+        return typing.cast(typing.List[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "RemotePodNetwork(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_eks.Selector",
     jsii_struct_bases=[],
@@ -17986,11 +18222,16 @@ class Cluster(
 
     Example::
 
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        
         # or
         # vpc: ec2.Vpc
+        
+        
         eks.Cluster(self, "MyCluster",
             kubectl_memory=Size.gibibytes(4),
-            version=eks.KubernetesVersion.V1_31
+            version=eks.KubernetesVersion.V1_32,
+            kubectl_layer=KubectlV32Layer(self, "kubectl")
         )
         eks.Cluster.from_cluster_attributes(self, "MyCluster",
             kubectl_memory=Size.gibibytes(4),
@@ -18010,6 +18251,7 @@ class Cluster(
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
         kubectl_lambda_role: typing.Optional[_IRole_235f5d8e] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        kubectl_layer: _ILayerVersion_5ac127c8,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -18020,13 +18262,14 @@ class Cluster(
         endpoint_access: typing.Optional[EndpointAccess] = None,
         ip_family: typing.Optional[IpFamily] = None,
         kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-        kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         kubectl_memory: typing.Optional[_Size_7b441c34] = None,
         masters_role: typing.Optional[_IRole_235f5d8e] = None,
         on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         output_masters_role_arn: typing.Optional[builtins.bool] = None,
         place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
         prune: typing.Optional[builtins.bool] = None,
+        remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+        remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         version: KubernetesVersion,
@@ -18048,6 +18291,7 @@ class Cluster(
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
         :param kubectl_lambda_role: The IAM role to pass to the Kubectl Lambda Handler. Default: - Default Lambda IAM Execution Role
         :param tags: The tags assigned to the EKS cluster. Default: - none
+        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
         :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
@@ -18058,13 +18302,14 @@ class Cluster(
         :param endpoint_access: Configure access to the Kubernetes API server endpoint.. Default: EndpointAccess.PUBLIC_AND_PRIVATE
         :param ip_family: Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
         :param kubectl_environment: Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. Default: - No environment variables.
-        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. If you don't supply this value ``kubectl`` 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20.
         :param kubectl_memory: Amount of memory to allocate to the provider's lambda function. Default: Size.gibibytes(1)
         :param masters_role: An IAM role that will be added to the ``system:masters`` Kubernetes RBAC group. Default: - no masters role.
         :param on_event_layer: An AWS Lambda Layer which includes the NPM dependency ``proxy-agent``. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. By default, the provider will use the layer included in the "aws-lambda-layer-node-proxy-agent" SAR application which is available in all commercial regions. To deploy the layer locally define it in your app as follows:: const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', { code: lambda.Code.fromAsset(`${__dirname}/layer.zip`), compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST], }); Default: - a layer bundled with this module.
         :param output_masters_role_arn: Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if ``mastersRole`` is specified). Default: false
         :param place_cluster_handler_in_vpc: If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the ``vpcSubnets`` selection strategy. Default: false
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
+        :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
+        :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
         :param version: The Kubernetes version to run in the cluster.
@@ -18087,6 +18332,7 @@ class Cluster(
             default_capacity_type=default_capacity_type,
             kubectl_lambda_role=kubectl_lambda_role,
             tags=tags,
+            kubectl_layer=kubectl_layer,
             alb_controller=alb_controller,
             authentication_mode=authentication_mode,
             awscli_layer=awscli_layer,
@@ -18097,13 +18343,14 @@ class Cluster(
             endpoint_access=endpoint_access,
             ip_family=ip_family,
             kubectl_environment=kubectl_environment,
-            kubectl_layer=kubectl_layer,
             kubectl_memory=kubectl_memory,
             masters_role=masters_role,
             on_event_layer=on_event_layer,
             output_masters_role_arn=output_masters_role_arn,
             place_cluster_handler_in_vpc=place_cluster_handler_in_vpc,
             prune=prune,
+            remote_node_networks=remote_node_networks,
+            remote_pod_networks=remote_pod_networks,
             secrets_encryption_key=secrets_encryption_key,
             service_ipv4_cidr=service_ipv4_cidr,
             version=version,
@@ -18161,7 +18408,7 @@ class Cluster(
         :param ip_family: Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
         :param kubectl_environment: Environment variables to use when running ``kubectl`` against this cluster. Default: - no additional variables
         :param kubectl_lambda_role: An IAM role that can perform kubectl operations against this cluster. The role should be mapped to the ``system:masters`` Kubernetes RBAC role. This role is directly passed to the lambda handler that sends Kube Ctl commands to the cluster. Default: - if not specified, the default role created by a lambda function will be used.
-        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. If you don't supply this value ``kubectl`` 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20 and helm 3.8.
+        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - No default layer will be provided
         :param kubectl_memory: Amount of memory to allocate to the provider's lambda function. Default: Size.gibibytes(1)
         :param kubectl_private_subnet_ids: Subnets to host the ``kubectl`` compute resources. If not specified, the k8s endpoint is expected to be accessible publicly. Default: - k8s endpoint is expected to be accessible publicly
         :param kubectl_provider: KubectlProvider for issuing kubectl commands. Default: - Default CDK provider
@@ -18953,10 +19200,7 @@ class Cluster(
     @builtins.property
     @jsii.member(jsii_name="kubectlLayer")
     def kubectl_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
-        '''An AWS Lambda layer that includes ``kubectl`` and ``helm``.
-
-        If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
-        '''
+        '''An AWS Lambda layer that includes ``kubectl`` and ``helm``.'''
         return typing.cast(typing.Optional[_ILayerVersion_5ac127c8], jsii.get(self, "kubectlLayer"))
 
     @builtins.property
@@ -19023,6 +19267,7 @@ class Cluster(
         "security_group": "securityGroup",
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
+        "kubectl_layer": "kubectlLayer",
         "alb_controller": "albController",
         "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
@@ -19033,13 +19278,14 @@ class Cluster(
         "endpoint_access": "endpointAccess",
         "ip_family": "ipFamily",
         "kubectl_environment": "kubectlEnvironment",
-        "kubectl_layer": "kubectlLayer",
         "kubectl_memory": "kubectlMemory",
         "masters_role": "mastersRole",
         "on_event_layer": "onEventLayer",
         "output_masters_role_arn": "outputMastersRoleArn",
         "place_cluster_handler_in_vpc": "placeClusterHandlerInVpc",
         "prune": "prune",
+        "remote_node_networks": "remoteNodeNetworks",
+        "remote_pod_networks": "remotePodNetworks",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
     },
@@ -19056,6 +19302,7 @@ class ClusterOptions(CommonClusterOptions):
         security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
+        kubectl_layer: _ILayerVersion_5ac127c8,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -19066,13 +19313,14 @@ class ClusterOptions(CommonClusterOptions):
         endpoint_access: typing.Optional[EndpointAccess] = None,
         ip_family: typing.Optional[IpFamily] = None,
         kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-        kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         kubectl_memory: typing.Optional[_Size_7b441c34] = None,
         masters_role: typing.Optional[_IRole_235f5d8e] = None,
         on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         output_masters_role_arn: typing.Optional[builtins.bool] = None,
         place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
         prune: typing.Optional[builtins.bool] = None,
+        remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+        remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
     ) -> None:
@@ -19086,6 +19334,7 @@ class ClusterOptions(CommonClusterOptions):
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
+        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
         :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
@@ -19096,13 +19345,14 @@ class ClusterOptions(CommonClusterOptions):
         :param endpoint_access: Configure access to the Kubernetes API server endpoint.. Default: EndpointAccess.PUBLIC_AND_PRIVATE
         :param ip_family: Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
         :param kubectl_environment: Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. Default: - No environment variables.
-        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. If you don't supply this value ``kubectl`` 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20.
         :param kubectl_memory: Amount of memory to allocate to the provider's lambda function. Default: Size.gibibytes(1)
         :param masters_role: An IAM role that will be added to the ``system:masters`` Kubernetes RBAC group. Default: - no masters role.
         :param on_event_layer: An AWS Lambda Layer which includes the NPM dependency ``proxy-agent``. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. By default, the provider will use the layer included in the "aws-lambda-layer-node-proxy-agent" SAR application which is available in all commercial regions. To deploy the layer locally define it in your app as follows:: const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', { code: lambda.Code.fromAsset(`${__dirname}/layer.zip`), compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST], }); Default: - a layer bundled with this module.
         :param output_masters_role_arn: Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if ``mastersRole`` is specified). Default: false
         :param place_cluster_handler_in_vpc: If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the ``vpcSubnets`` selection strategy. Default: false
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
+        :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
+        :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
 
@@ -19133,6 +19383,7 @@ class ClusterOptions(CommonClusterOptions):
             # vpc: ec2.Vpc
             
             cluster_options = eks.ClusterOptions(
+                kubectl_layer=layer_version,
                 version=kubernetes_version,
             
                 # the properties below are optional
@@ -19157,7 +19408,6 @@ class ClusterOptions(CommonClusterOptions):
                 kubectl_environment={
                     "kubectl_environment_key": "kubectlEnvironment"
                 },
-                kubectl_layer=layer_version,
                 kubectl_memory=size,
                 masters_role=role,
                 on_event_layer=layer_version,
@@ -19166,6 +19416,12 @@ class ClusterOptions(CommonClusterOptions):
                 output_masters_role_arn=False,
                 place_cluster_handler_in_vpc=False,
                 prune=False,
+                remote_node_networks=[eks.RemoteNodeNetwork(
+                    cidrs=["cidrs"]
+                )],
+                remote_pod_networks=[eks.RemotePodNetwork(
+                    cidrs=["cidrs"]
+                )],
                 role=role,
                 secrets_encryption_key=key,
                 security_group=security_group,
@@ -19193,6 +19449,7 @@ class ClusterOptions(CommonClusterOptions):
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
+            check_type(argname="argument kubectl_layer", value=kubectl_layer, expected_type=type_hints["kubectl_layer"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
             check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
@@ -19203,17 +19460,19 @@ class ClusterOptions(CommonClusterOptions):
             check_type(argname="argument endpoint_access", value=endpoint_access, expected_type=type_hints["endpoint_access"])
             check_type(argname="argument ip_family", value=ip_family, expected_type=type_hints["ip_family"])
             check_type(argname="argument kubectl_environment", value=kubectl_environment, expected_type=type_hints["kubectl_environment"])
-            check_type(argname="argument kubectl_layer", value=kubectl_layer, expected_type=type_hints["kubectl_layer"])
             check_type(argname="argument kubectl_memory", value=kubectl_memory, expected_type=type_hints["kubectl_memory"])
             check_type(argname="argument masters_role", value=masters_role, expected_type=type_hints["masters_role"])
             check_type(argname="argument on_event_layer", value=on_event_layer, expected_type=type_hints["on_event_layer"])
             check_type(argname="argument output_masters_role_arn", value=output_masters_role_arn, expected_type=type_hints["output_masters_role_arn"])
             check_type(argname="argument place_cluster_handler_in_vpc", value=place_cluster_handler_in_vpc, expected_type=type_hints["place_cluster_handler_in_vpc"])
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
+            check_type(argname="argument remote_node_networks", value=remote_node_networks, expected_type=type_hints["remote_node_networks"])
+            check_type(argname="argument remote_pod_networks", value=remote_pod_networks, expected_type=type_hints["remote_pod_networks"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "version": version,
+            "kubectl_layer": kubectl_layer,
         }
         if cluster_name is not None:
             self._values["cluster_name"] = cluster_name
@@ -19249,8 +19508,6 @@ class ClusterOptions(CommonClusterOptions):
             self._values["ip_family"] = ip_family
         if kubectl_environment is not None:
             self._values["kubectl_environment"] = kubectl_environment
-        if kubectl_layer is not None:
-            self._values["kubectl_layer"] = kubectl_layer
         if kubectl_memory is not None:
             self._values["kubectl_memory"] = kubectl_memory
         if masters_role is not None:
@@ -19263,6 +19520,10 @@ class ClusterOptions(CommonClusterOptions):
             self._values["place_cluster_handler_in_vpc"] = place_cluster_handler_in_vpc
         if prune is not None:
             self._values["prune"] = prune
+        if remote_node_networks is not None:
+            self._values["remote_node_networks"] = remote_node_networks
+        if remote_pod_networks is not None:
+            self._values["remote_pod_networks"] = remote_pod_networks
         if secrets_encryption_key is not None:
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
@@ -19345,6 +19606,24 @@ class ClusterOptions(CommonClusterOptions):
         result = self._values.get("vpc_subnets")
         return typing.cast(typing.Optional[typing.List[_SubnetSelection_e57d76df]], result)
 
+    @builtins.property
+    def kubectl_layer(self) -> _ILayerVersion_5ac127c8:
+        '''An AWS Lambda Layer which includes ``kubectl`` and Helm.
+
+        This layer is used by the kubectl handler to apply manifests and install
+        helm charts. You must pick an appropriate releases of one of the
+        ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of
+        Kubernetes you have chosen.
+
+        The handler expects the layer to include the following executables::
+
+           /opt/helm/helm
+           /opt/kubectl/kubectl
+        '''
+        result = self._values.get("kubectl_layer")
+        assert result is not None, "Required property 'kubectl_layer' is missing"
+        return typing.cast(_ILayerVersion_5ac127c8, result)
+
     @builtins.property
     def alb_controller(self) -> typing.Optional[AlbControllerOptions]:
         '''Install the AWS Load Balancer Controller onto the cluster.
@@ -19457,26 +19736,6 @@ class ClusterOptions(CommonClusterOptions):
         result = self._values.get("kubectl_environment")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
-    @builtins.property
-    def kubectl_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
-        '''An AWS Lambda Layer which includes ``kubectl`` and Helm.
-
-        This layer is used by the kubectl handler to apply manifests and install
-        helm charts. You must pick an appropriate releases of one of the
-        ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of
-        Kubernetes you have chosen. If you don't supply this value ``kubectl``
-        1.20 will be used, but that version is most likely too old.
-
-        The handler expects the layer to include the following executables::
-
-           /opt/helm/helm
-           /opt/kubectl/kubectl
-
-        :default: - a default layer with Kubectl 1.20.
-        '''
-        result = self._values.get("kubectl_layer")
-        return typing.cast(typing.Optional[_ILayerVersion_5ac127c8], result)
-
     @builtins.property
     def kubectl_memory(self) -> typing.Optional[_Size_7b441c34]:
         '''Amount of memory to allocate to the provider's lambda function.
@@ -19551,6 +19810,24 @@ class ClusterOptions(CommonClusterOptions):
         result = self._values.get("prune")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def remote_node_networks(self) -> typing.Optional[typing.List[RemoteNodeNetwork]]:
+        '''IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster.
+
+        :default: - none
+        '''
+        result = self._values.get("remote_node_networks")
+        return typing.cast(typing.Optional[typing.List[RemoteNodeNetwork]], result)
+
+    @builtins.property
+    def remote_pod_networks(self) -> typing.Optional[typing.List[RemotePodNetwork]]:
+        '''IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes.
+
+        :default: - none
+        '''
+        result = self._values.get("remote_pod_networks")
+        return typing.cast(typing.Optional[typing.List[RemotePodNetwork]], result)
+
     @builtins.property
     def secrets_encryption_key(self) -> typing.Optional[_IKey_5f11635f]:
         '''KMS secret for envelope encryption for Kubernetes secrets.
@@ -19602,6 +19879,7 @@ class ClusterOptions(CommonClusterOptions):
         "security_group": "securityGroup",
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
+        "kubectl_layer": "kubectlLayer",
         "alb_controller": "albController",
         "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
@@ -19612,13 +19890,14 @@ class ClusterOptions(CommonClusterOptions):
         "endpoint_access": "endpointAccess",
         "ip_family": "ipFamily",
         "kubectl_environment": "kubectlEnvironment",
-        "kubectl_layer": "kubectlLayer",
         "kubectl_memory": "kubectlMemory",
         "masters_role": "mastersRole",
         "on_event_layer": "onEventLayer",
         "output_masters_role_arn": "outputMastersRoleArn",
         "place_cluster_handler_in_vpc": "placeClusterHandlerInVpc",
         "prune": "prune",
+        "remote_node_networks": "remoteNodeNetworks",
+        "remote_pod_networks": "remotePodNetworks",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
         "bootstrap_cluster_creator_admin_permissions": "bootstrapClusterCreatorAdminPermissions",
@@ -19641,6 +19920,7 @@ class ClusterProps(ClusterOptions):
         security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
+        kubectl_layer: _ILayerVersion_5ac127c8,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -19651,13 +19931,14 @@ class ClusterProps(ClusterOptions):
         endpoint_access: typing.Optional[EndpointAccess] = None,
         ip_family: typing.Optional[IpFamily] = None,
         kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-        kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         kubectl_memory: typing.Optional[_Size_7b441c34] = None,
         masters_role: typing.Optional[_IRole_235f5d8e] = None,
         on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         output_masters_role_arn: typing.Optional[builtins.bool] = None,
         place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
         prune: typing.Optional[builtins.bool] = None,
+        remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+        remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
@@ -19677,6 +19958,7 @@ class ClusterProps(ClusterOptions):
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
+        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
         :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
@@ -19687,13 +19969,14 @@ class ClusterProps(ClusterOptions):
         :param endpoint_access: Configure access to the Kubernetes API server endpoint.. Default: EndpointAccess.PUBLIC_AND_PRIVATE
         :param ip_family: Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
         :param kubectl_environment: Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. Default: - No environment variables.
-        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. If you don't supply this value ``kubectl`` 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20.
         :param kubectl_memory: Amount of memory to allocate to the provider's lambda function. Default: Size.gibibytes(1)
         :param masters_role: An IAM role that will be added to the ``system:masters`` Kubernetes RBAC group. Default: - no masters role.
         :param on_event_layer: An AWS Lambda Layer which includes the NPM dependency ``proxy-agent``. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. By default, the provider will use the layer included in the "aws-lambda-layer-node-proxy-agent" SAR application which is available in all commercial regions. To deploy the layer locally define it in your app as follows:: const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', { code: lambda.Code.fromAsset(`${__dirname}/layer.zip`), compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST], }); Default: - a layer bundled with this module.
         :param output_masters_role_arn: Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if ``mastersRole`` is specified). Default: false
         :param place_cluster_handler_in_vpc: If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the ``vpcSubnets`` selection strategy. Default: false
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
+        :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
+        :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
         :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
@@ -19707,11 +19990,16 @@ class ClusterProps(ClusterOptions):
 
         Example::
 
+            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            
             # or
             # vpc: ec2.Vpc
+            
+            
             eks.Cluster(self, "MyCluster",
                 kubectl_memory=Size.gibibytes(4),
-                version=eks.KubernetesVersion.V1_31
+                version=eks.KubernetesVersion.V1_32,
+                kubectl_layer=KubectlV32Layer(self, "kubectl")
             )
             eks.Cluster.from_cluster_attributes(self, "MyCluster",
                 kubectl_memory=Size.gibibytes(4),
@@ -19731,6 +20019,7 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
+            check_type(argname="argument kubectl_layer", value=kubectl_layer, expected_type=type_hints["kubectl_layer"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
             check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
@@ -19741,13 +20030,14 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument endpoint_access", value=endpoint_access, expected_type=type_hints["endpoint_access"])
             check_type(argname="argument ip_family", value=ip_family, expected_type=type_hints["ip_family"])
             check_type(argname="argument kubectl_environment", value=kubectl_environment, expected_type=type_hints["kubectl_environment"])
-            check_type(argname="argument kubectl_layer", value=kubectl_layer, expected_type=type_hints["kubectl_layer"])
             check_type(argname="argument kubectl_memory", value=kubectl_memory, expected_type=type_hints["kubectl_memory"])
             check_type(argname="argument masters_role", value=masters_role, expected_type=type_hints["masters_role"])
             check_type(argname="argument on_event_layer", value=on_event_layer, expected_type=type_hints["on_event_layer"])
             check_type(argname="argument output_masters_role_arn", value=output_masters_role_arn, expected_type=type_hints["output_masters_role_arn"])
             check_type(argname="argument place_cluster_handler_in_vpc", value=place_cluster_handler_in_vpc, expected_type=type_hints["place_cluster_handler_in_vpc"])
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
+            check_type(argname="argument remote_node_networks", value=remote_node_networks, expected_type=type_hints["remote_node_networks"])
+            check_type(argname="argument remote_pod_networks", value=remote_pod_networks, expected_type=type_hints["remote_pod_networks"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
             check_type(argname="argument bootstrap_cluster_creator_admin_permissions", value=bootstrap_cluster_creator_admin_permissions, expected_type=type_hints["bootstrap_cluster_creator_admin_permissions"])
@@ -19758,6 +20048,7 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "version": version,
+            "kubectl_layer": kubectl_layer,
         }
         if cluster_name is not None:
             self._values["cluster_name"] = cluster_name
@@ -19793,8 +20084,6 @@ class ClusterProps(ClusterOptions):
             self._values["ip_family"] = ip_family
         if kubectl_environment is not None:
             self._values["kubectl_environment"] = kubectl_environment
-        if kubectl_layer is not None:
-            self._values["kubectl_layer"] = kubectl_layer
         if kubectl_memory is not None:
             self._values["kubectl_memory"] = kubectl_memory
         if masters_role is not None:
@@ -19807,6 +20096,10 @@ class ClusterProps(ClusterOptions):
             self._values["place_cluster_handler_in_vpc"] = place_cluster_handler_in_vpc
         if prune is not None:
             self._values["prune"] = prune
+        if remote_node_networks is not None:
+            self._values["remote_node_networks"] = remote_node_networks
+        if remote_pod_networks is not None:
+            self._values["remote_pod_networks"] = remote_pod_networks
         if secrets_encryption_key is not None:
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
@@ -19901,6 +20194,24 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("vpc_subnets")
         return typing.cast(typing.Optional[typing.List[_SubnetSelection_e57d76df]], result)
 
+    @builtins.property
+    def kubectl_layer(self) -> _ILayerVersion_5ac127c8:
+        '''An AWS Lambda Layer which includes ``kubectl`` and Helm.
+
+        This layer is used by the kubectl handler to apply manifests and install
+        helm charts. You must pick an appropriate releases of one of the
+        ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of
+        Kubernetes you have chosen.
+
+        The handler expects the layer to include the following executables::
+
+           /opt/helm/helm
+           /opt/kubectl/kubectl
+        '''
+        result = self._values.get("kubectl_layer")
+        assert result is not None, "Required property 'kubectl_layer' is missing"
+        return typing.cast(_ILayerVersion_5ac127c8, result)
+
     @builtins.property
     def alb_controller(self) -> typing.Optional[AlbControllerOptions]:
         '''Install the AWS Load Balancer Controller onto the cluster.
@@ -20013,26 +20324,6 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("kubectl_environment")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
-    @builtins.property
-    def kubectl_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
-        '''An AWS Lambda Layer which includes ``kubectl`` and Helm.
-
-        This layer is used by the kubectl handler to apply manifests and install
-        helm charts. You must pick an appropriate releases of one of the
-        ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of
-        Kubernetes you have chosen. If you don't supply this value ``kubectl``
-        1.20 will be used, but that version is most likely too old.
-
-        The handler expects the layer to include the following executables::
-
-           /opt/helm/helm
-           /opt/kubectl/kubectl
-
-        :default: - a default layer with Kubectl 1.20.
-        '''
-        result = self._values.get("kubectl_layer")
-        return typing.cast(typing.Optional[_ILayerVersion_5ac127c8], result)
-
     @builtins.property
     def kubectl_memory(self) -> typing.Optional[_Size_7b441c34]:
         '''Amount of memory to allocate to the provider's lambda function.
@@ -20107,6 +20398,24 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("prune")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def remote_node_networks(self) -> typing.Optional[typing.List[RemoteNodeNetwork]]:
+        '''IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster.
+
+        :default: - none
+        '''
+        result = self._values.get("remote_node_networks")
+        return typing.cast(typing.Optional[typing.List[RemoteNodeNetwork]], result)
+
+    @builtins.property
+    def remote_pod_networks(self) -> typing.Optional[typing.List[RemotePodNetwork]]:
+        '''IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes.
+
+        :default: - none
+        '''
+        result = self._values.get("remote_pod_networks")
+        return typing.cast(typing.Optional[typing.List[RemotePodNetwork]], result)
+
     @builtins.property
     def secrets_encryption_key(self) -> typing.Optional[_IKey_5f11635f]:
         '''KMS secret for envelope encryption for Kubernetes secrets.
@@ -20228,8 +20537,12 @@ class FargateCluster(
 
     Example::
 
+        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        
+        
         cluster = eks.FargateCluster(self, "MyCluster",
-            version=eks.KubernetesVersion.V1_31
+            version=eks.KubernetesVersion.V1_32,
+            kubectl_layer=KubectlV32Layer(self, "kubectl")
         )
     '''
 
@@ -20239,6 +20552,7 @@ class FargateCluster(
         id: builtins.str,
         *,
         default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        kubectl_layer: _ILayerVersion_5ac127c8,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -20249,13 +20563,14 @@ class FargateCluster(
         endpoint_access: typing.Optional[EndpointAccess] = None,
         ip_family: typing.Optional[IpFamily] = None,
         kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-        kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         kubectl_memory: typing.Optional[_Size_7b441c34] = None,
         masters_role: typing.Optional[_IRole_235f5d8e] = None,
         on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         output_masters_role_arn: typing.Optional[builtins.bool] = None,
         place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
         prune: typing.Optional[builtins.bool] = None,
+        remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+        remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         version: KubernetesVersion,
@@ -20271,6 +20586,7 @@ class FargateCluster(
         :param scope: -
         :param id: -
         :param default_profile: Fargate Profile to create along with the cluster. Default: - A profile called "default" with 'default' and 'kube-system' selectors will be created if this is left undefined.
+        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
         :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
@@ -20281,13 +20597,14 @@ class FargateCluster(
         :param endpoint_access: Configure access to the Kubernetes API server endpoint.. Default: EndpointAccess.PUBLIC_AND_PRIVATE
         :param ip_family: Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
         :param kubectl_environment: Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. Default: - No environment variables.
-        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. If you don't supply this value ``kubectl`` 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20.
         :param kubectl_memory: Amount of memory to allocate to the provider's lambda function. Default: Size.gibibytes(1)
         :param masters_role: An IAM role that will be added to the ``system:masters`` Kubernetes RBAC group. Default: - no masters role.
         :param on_event_layer: An AWS Lambda Layer which includes the NPM dependency ``proxy-agent``. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. By default, the provider will use the layer included in the "aws-lambda-layer-node-proxy-agent" SAR application which is available in all commercial regions. To deploy the layer locally define it in your app as follows:: const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', { code: lambda.Code.fromAsset(`${__dirname}/layer.zip`), compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST], }); Default: - a layer bundled with this module.
         :param output_masters_role_arn: Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if ``mastersRole`` is specified). Default: false
         :param place_cluster_handler_in_vpc: If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the ``vpcSubnets`` selection strategy. Default: false
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
+        :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
+        :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
         :param version: The Kubernetes version to run in the cluster.
@@ -20305,6 +20622,7 @@ class FargateCluster(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = FargateClusterProps(
             default_profile=default_profile,
+            kubectl_layer=kubectl_layer,
             alb_controller=alb_controller,
             authentication_mode=authentication_mode,
             awscli_layer=awscli_layer,
@@ -20315,13 +20633,14 @@ class FargateCluster(
             endpoint_access=endpoint_access,
             ip_family=ip_family,
             kubectl_environment=kubectl_environment,
-            kubectl_layer=kubectl_layer,
             kubectl_memory=kubectl_memory,
             masters_role=masters_role,
             on_event_layer=on_event_layer,
             output_masters_role_arn=output_masters_role_arn,
             place_cluster_handler_in_vpc=place_cluster_handler_in_vpc,
             prune=prune,
+            remote_node_networks=remote_node_networks,
+            remote_pod_networks=remote_pod_networks,
             secrets_encryption_key=secrets_encryption_key,
             service_ipv4_cidr=service_ipv4_cidr,
             version=version,
@@ -20355,6 +20674,7 @@ class FargateCluster(
         "security_group": "securityGroup",
         "vpc": "vpc",
         "vpc_subnets": "vpcSubnets",
+        "kubectl_layer": "kubectlLayer",
         "alb_controller": "albController",
         "authentication_mode": "authenticationMode",
         "awscli_layer": "awscliLayer",
@@ -20365,13 +20685,14 @@ class FargateCluster(
         "endpoint_access": "endpointAccess",
         "ip_family": "ipFamily",
         "kubectl_environment": "kubectlEnvironment",
-        "kubectl_layer": "kubectlLayer",
         "kubectl_memory": "kubectlMemory",
         "masters_role": "mastersRole",
         "on_event_layer": "onEventLayer",
         "output_masters_role_arn": "outputMastersRoleArn",
         "place_cluster_handler_in_vpc": "placeClusterHandlerInVpc",
         "prune": "prune",
+        "remote_node_networks": "remoteNodeNetworks",
+        "remote_pod_networks": "remotePodNetworks",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
         "default_profile": "defaultProfile",
@@ -20389,6 +20710,7 @@ class FargateClusterProps(ClusterOptions):
         security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
         vpc: typing.Optional[_IVpc_f30d5663] = None,
         vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
+        kubectl_layer: _ILayerVersion_5ac127c8,
         alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         authentication_mode: typing.Optional[AuthenticationMode] = None,
         awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -20399,13 +20721,14 @@ class FargateClusterProps(ClusterOptions):
         endpoint_access: typing.Optional[EndpointAccess] = None,
         ip_family: typing.Optional[IpFamily] = None,
         kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-        kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         kubectl_memory: typing.Optional[_Size_7b441c34] = None,
         masters_role: typing.Optional[_IRole_235f5d8e] = None,
         on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
         output_masters_role_arn: typing.Optional[builtins.bool] = None,
         place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
         prune: typing.Optional[builtins.bool] = None,
+        remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+        remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -20420,6 +20743,7 @@ class FargateClusterProps(ClusterOptions):
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
         :param vpc_subnets: Where to place EKS Control Plane ENIs. For example, to only select private subnets, supply the following: ``vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }]`` Default: - All public and private subnets
+        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl
         :param alb_controller: Install the AWS Load Balancer Controller onto the cluster. Default: - The controller is not installed.
         :param authentication_mode: The desired authentication mode for the cluster. Default: AuthenticationMode.CONFIG_MAP
         :param awscli_layer: An AWS Lambda layer that contains the ``aws`` CLI. The handler expects the layer to include the following executables:: /opt/awscli/aws Default: - a default layer with the AWS CLI 1.x
@@ -20430,13 +20754,14 @@ class FargateClusterProps(ClusterOptions):
         :param endpoint_access: Configure access to the Kubernetes API server endpoint.. Default: EndpointAccess.PUBLIC_AND_PRIVATE
         :param ip_family: Specify which IP family is used to assign Kubernetes pod and service IP addresses. Default: - IpFamily.IP_V4
         :param kubectl_environment: Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. Default: - No environment variables.
-        :param kubectl_layer: An AWS Lambda Layer which includes ``kubectl`` and Helm. This layer is used by the kubectl handler to apply manifests and install helm charts. You must pick an appropriate releases of one of the ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of Kubernetes you have chosen. If you don't supply this value ``kubectl`` 1.20 will be used, but that version is most likely too old. The handler expects the layer to include the following executables:: /opt/helm/helm /opt/kubectl/kubectl Default: - a default layer with Kubectl 1.20.
         :param kubectl_memory: Amount of memory to allocate to the provider's lambda function. Default: Size.gibibytes(1)
         :param masters_role: An IAM role that will be added to the ``system:masters`` Kubernetes RBAC group. Default: - no masters role.
         :param on_event_layer: An AWS Lambda Layer which includes the NPM dependency ``proxy-agent``. This layer is used by the onEvent handler to route AWS SDK requests through a proxy. By default, the provider will use the layer included in the "aws-lambda-layer-node-proxy-agent" SAR application which is available in all commercial regions. To deploy the layer locally define it in your app as follows:: const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', { code: lambda.Code.fromAsset(`${__dirname}/layer.zip`), compatibleRuntimes: [lambda.Runtime.NODEJS_LATEST], }); Default: - a layer bundled with this module.
         :param output_masters_role_arn: Determines whether a CloudFormation output with the ARN of the "masters" IAM role will be synthesized (if ``mastersRole`` is specified). Default: false
         :param place_cluster_handler_in_vpc: If set to true, the cluster handler functions will be placed in the private subnets of the cluster vpc, subject to the ``vpcSubnets`` selection strategy. Default: false
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
+        :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
+        :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
         :param default_profile: Fargate Profile to create along with the cluster. Default: - A profile called "default" with 'default' and 'kube-system' selectors will be created if this is left undefined.
@@ -20445,8 +20770,12 @@ class FargateClusterProps(ClusterOptions):
 
         Example::
 
+            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            
+            
             cluster = eks.FargateCluster(self, "MyCluster",
-                version=eks.KubernetesVersion.V1_31
+                version=eks.KubernetesVersion.V1_32,
+                kubectl_layer=KubectlV32Layer(self, "kubectl")
             )
         '''
         if isinstance(alb_controller, dict):
@@ -20463,6 +20792,7 @@ class FargateClusterProps(ClusterOptions):
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
+            check_type(argname="argument kubectl_layer", value=kubectl_layer, expected_type=type_hints["kubectl_layer"])
             check_type(argname="argument alb_controller", value=alb_controller, expected_type=type_hints["alb_controller"])
             check_type(argname="argument authentication_mode", value=authentication_mode, expected_type=type_hints["authentication_mode"])
             check_type(argname="argument awscli_layer", value=awscli_layer, expected_type=type_hints["awscli_layer"])
@@ -20473,18 +20803,20 @@ class FargateClusterProps(ClusterOptions):
             check_type(argname="argument endpoint_access", value=endpoint_access, expected_type=type_hints["endpoint_access"])
             check_type(argname="argument ip_family", value=ip_family, expected_type=type_hints["ip_family"])
             check_type(argname="argument kubectl_environment", value=kubectl_environment, expected_type=type_hints["kubectl_environment"])
-            check_type(argname="argument kubectl_layer", value=kubectl_layer, expected_type=type_hints["kubectl_layer"])
             check_type(argname="argument kubectl_memory", value=kubectl_memory, expected_type=type_hints["kubectl_memory"])
             check_type(argname="argument masters_role", value=masters_role, expected_type=type_hints["masters_role"])
             check_type(argname="argument on_event_layer", value=on_event_layer, expected_type=type_hints["on_event_layer"])
             check_type(argname="argument output_masters_role_arn", value=output_masters_role_arn, expected_type=type_hints["output_masters_role_arn"])
             check_type(argname="argument place_cluster_handler_in_vpc", value=place_cluster_handler_in_vpc, expected_type=type_hints["place_cluster_handler_in_vpc"])
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
+            check_type(argname="argument remote_node_networks", value=remote_node_networks, expected_type=type_hints["remote_node_networks"])
+            check_type(argname="argument remote_pod_networks", value=remote_pod_networks, expected_type=type_hints["remote_pod_networks"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
             check_type(argname="argument default_profile", value=default_profile, expected_type=type_hints["default_profile"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "version": version,
+            "kubectl_layer": kubectl_layer,
         }
         if cluster_name is not None:
             self._values["cluster_name"] = cluster_name
@@ -20520,8 +20852,6 @@ class FargateClusterProps(ClusterOptions):
             self._values["ip_family"] = ip_family
         if kubectl_environment is not None:
             self._values["kubectl_environment"] = kubectl_environment
-        if kubectl_layer is not None:
-            self._values["kubectl_layer"] = kubectl_layer
         if kubectl_memory is not None:
             self._values["kubectl_memory"] = kubectl_memory
         if masters_role is not None:
@@ -20534,6 +20864,10 @@ class FargateClusterProps(ClusterOptions):
             self._values["place_cluster_handler_in_vpc"] = place_cluster_handler_in_vpc
         if prune is not None:
             self._values["prune"] = prune
+        if remote_node_networks is not None:
+            self._values["remote_node_networks"] = remote_node_networks
+        if remote_pod_networks is not None:
+            self._values["remote_pod_networks"] = remote_pod_networks
         if secrets_encryption_key is not None:
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
@@ -20618,6 +20952,24 @@ class FargateClusterProps(ClusterOptions):
         result = self._values.get("vpc_subnets")
         return typing.cast(typing.Optional[typing.List[_SubnetSelection_e57d76df]], result)
 
+    @builtins.property
+    def kubectl_layer(self) -> _ILayerVersion_5ac127c8:
+        '''An AWS Lambda Layer which includes ``kubectl`` and Helm.
+
+        This layer is used by the kubectl handler to apply manifests and install
+        helm charts. You must pick an appropriate releases of one of the
+        ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of
+        Kubernetes you have chosen.
+
+        The handler expects the layer to include the following executables::
+
+           /opt/helm/helm
+           /opt/kubectl/kubectl
+        '''
+        result = self._values.get("kubectl_layer")
+        assert result is not None, "Required property 'kubectl_layer' is missing"
+        return typing.cast(_ILayerVersion_5ac127c8, result)
+
     @builtins.property
     def alb_controller(self) -> typing.Optional[AlbControllerOptions]:
         '''Install the AWS Load Balancer Controller onto the cluster.
@@ -20730,26 +21082,6 @@ class FargateClusterProps(ClusterOptions):
         result = self._values.get("kubectl_environment")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
-    @builtins.property
-    def kubectl_layer(self) -> typing.Optional[_ILayerVersion_5ac127c8]:
-        '''An AWS Lambda Layer which includes ``kubectl`` and Helm.
-
-        This layer is used by the kubectl handler to apply manifests and install
-        helm charts. You must pick an appropriate releases of one of the
-        ``@aws-cdk/layer-kubectl-vXX`` packages, that works with the version of
-        Kubernetes you have chosen. If you don't supply this value ``kubectl``
-        1.20 will be used, but that version is most likely too old.
-
-        The handler expects the layer to include the following executables::
-
-           /opt/helm/helm
-           /opt/kubectl/kubectl
-
-        :default: - a default layer with Kubectl 1.20.
-        '''
-        result = self._values.get("kubectl_layer")
-        return typing.cast(typing.Optional[_ILayerVersion_5ac127c8], result)
-
     @builtins.property
     def kubectl_memory(self) -> typing.Optional[_Size_7b441c34]:
         '''Amount of memory to allocate to the provider's lambda function.
@@ -20824,6 +21156,24 @@ class FargateClusterProps(ClusterOptions):
         result = self._values.get("prune")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def remote_node_networks(self) -> typing.Optional[typing.List[RemoteNodeNetwork]]:
+        '''IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster.
+
+        :default: - none
+        '''
+        result = self._values.get("remote_node_networks")
+        return typing.cast(typing.Optional[typing.List[RemoteNodeNetwork]], result)
+
+    @builtins.property
+    def remote_pod_networks(self) -> typing.Optional[typing.List[RemotePodNetwork]]:
+        '''IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes.
+
+        :default: - none
+        '''
+        result = self._values.get("remote_pod_networks")
+        return typing.cast(typing.Optional[typing.List[RemotePodNetwork]], result)
+
     @builtins.property
     def secrets_encryption_key(self) -> typing.Optional[_IKey_5f11635f]:
         '''KMS secret for envelope encryption for Kubernetes secrets.
@@ -21038,6 +21388,8 @@ __all__ = [
     "OpenIdConnectProvider",
     "OpenIdConnectProviderProps",
     "PatchType",
+    "RemoteNodeNetwork",
+    "RemotePodNetwork",
     "Selector",
     "ServiceAccount",
     "ServiceAccountOptions",
@@ -22743,6 +23095,20 @@ def _typecheckingstub__c02764139ca6306efb78e2db6695149f8ddc6b3e8adb63a11131864ce
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__600789f5d1adc105e950fc1e01201ea975b89bb797b63227b757a633425a0f09(
+    *,
+    cidrs: typing.Sequence[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f9878a6e6680b6c2c6cb0db908c65c1de65fe68965909386c87176ba98e30705(
+    *,
+    cidrs: typing.Sequence[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__594b3f5a610588bf33bb1a98e98b19b5ddfb0609f59e93022c2cec8d2a17f411(
     *,
     namespace: builtins.str,
@@ -22889,6 +23255,7 @@ def _typecheckingstub__786576ad54eacdb9ab8e92277c0fd07f813bc56d4243937f3b5a85c0c
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
     kubectl_lambda_role: typing.Optional[_IRole_235f5d8e] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    kubectl_layer: _ILayerVersion_5ac127c8,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -22899,13 +23266,14 @@ def _typecheckingstub__786576ad54eacdb9ab8e92277c0fd07f813bc56d4243937f3b5a85c0c
     endpoint_access: typing.Optional[EndpointAccess] = None,
     ip_family: typing.Optional[IpFamily] = None,
     kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     kubectl_memory: typing.Optional[_Size_7b441c34] = None,
     masters_role: typing.Optional[_IRole_235f5d8e] = None,
     on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     output_masters_role_arn: typing.Optional[builtins.bool] = None,
     place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
     prune: typing.Optional[builtins.bool] = None,
+    remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+    remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     version: KubernetesVersion,
@@ -23125,6 +23493,7 @@ def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef
     security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
+    kubectl_layer: _ILayerVersion_5ac127c8,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -23135,13 +23504,14 @@ def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef
     endpoint_access: typing.Optional[EndpointAccess] = None,
     ip_family: typing.Optional[IpFamily] = None,
     kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     kubectl_memory: typing.Optional[_Size_7b441c34] = None,
     masters_role: typing.Optional[_IRole_235f5d8e] = None,
     on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     output_masters_role_arn: typing.Optional[builtins.bool] = None,
     place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
     prune: typing.Optional[builtins.bool] = None,
+    remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+    remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -23158,6 +23528,7 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
+    kubectl_layer: _ILayerVersion_5ac127c8,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -23168,13 +23539,14 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     endpoint_access: typing.Optional[EndpointAccess] = None,
     ip_family: typing.Optional[IpFamily] = None,
     kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     kubectl_memory: typing.Optional[_Size_7b441c34] = None,
     masters_role: typing.Optional[_IRole_235f5d8e] = None,
     on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     output_masters_role_arn: typing.Optional[builtins.bool] = None,
     place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
     prune: typing.Optional[builtins.bool] = None,
+    remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+    remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
@@ -23192,6 +23564,7 @@ def _typecheckingstub__ae166d791f5d5176f3386726c22bc44afedf5d336437a3513e3740387
     id: builtins.str,
     *,
     default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    kubectl_layer: _ILayerVersion_5ac127c8,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -23202,13 +23575,14 @@ def _typecheckingstub__ae166d791f5d5176f3386726c22bc44afedf5d336437a3513e3740387
     endpoint_access: typing.Optional[EndpointAccess] = None,
     ip_family: typing.Optional[IpFamily] = None,
     kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     kubectl_memory: typing.Optional[_Size_7b441c34] = None,
     masters_role: typing.Optional[_IRole_235f5d8e] = None,
     on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     output_masters_role_arn: typing.Optional[builtins.bool] = None,
     place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
     prune: typing.Optional[builtins.bool] = None,
+    remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+    remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     version: KubernetesVersion,
@@ -23233,6 +23607,7 @@ def _typecheckingstub__f11c7f989209f6213cb855d2846bb0b2b79a6a2b85eb0d65939e981df
     security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
     vpc: typing.Optional[_IVpc_f30d5663] = None,
     vpc_subnets: typing.Optional[typing.Sequence[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]]] = None,
+    kubectl_layer: _ILayerVersion_5ac127c8,
     alb_controller: typing.Optional[typing.Union[AlbControllerOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     authentication_mode: typing.Optional[AuthenticationMode] = None,
     awscli_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
@@ -23243,13 +23618,14 @@ def _typecheckingstub__f11c7f989209f6213cb855d2846bb0b2b79a6a2b85eb0d65939e981df
     endpoint_access: typing.Optional[EndpointAccess] = None,
     ip_family: typing.Optional[IpFamily] = None,
     kubectl_environment: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-    kubectl_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     kubectl_memory: typing.Optional[_Size_7b441c34] = None,
     masters_role: typing.Optional[_IRole_235f5d8e] = None,
     on_event_layer: typing.Optional[_ILayerVersion_5ac127c8] = None,
     output_masters_role_arn: typing.Optional[builtins.bool] = None,
     place_cluster_handler_in_vpc: typing.Optional[builtins.bool] = None,
     prune: typing.Optional[builtins.bool] = None,
+    remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
+    remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,