aws-cdk-lib 2.195.0__py3-none-any.whl → 2.224.0__py3-none-any.whl

aws_cdk/aws_eks/__init__.py

@@ -79,13 +79,13 @@ This example defines an Amazon EKS cluster with the following configuration:
 * A Kubernetes pod with a container based on the [paulbouwer/hello-kubernetes](https://github.com/paulbouwer/hello-kubernetes) image.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 # provisioning a cluster
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 
 # apply a kubernetes manifest to the cluster
@@ -149,24 +149,46 @@ A more detailed breakdown of each is provided further down this README.
 Creating a new cluster is done using the `Cluster` or `FargateCluster` constructs. The only required properties are the kubernetes `version` and `kubectlLayer`.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
+)
+```
+
+You can control what happens to the resources created by the cluster construct when they are no longer managed by CloudFormation by specifying a `removalPolicy`.
+
+This can happen in one of three situations:
+
+* The resource is removed from the template, so CloudFormation stops managing it;
+* A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it;
+* The stack is deleted, so CloudFormation stops managing all resources in it.
+
+This affects the EKS cluster itself, the custom resource that created the cluster, associated IAM roles, node groups, security groups, VPC and any other CloudFormation resources managed by this construct.
+
+```python
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
+import aws_cdk as core
+
+
+eks.Cluster(self, "HelloEKS",
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl"),
+    removal_policy=core.RemovalPolicy.RETAIN
 )
 ```
 
 You can also use `FargateCluster` to provision a cluster that uses only fargate workers.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.FargateCluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -189,14 +211,14 @@ By default, this library will allocate a managed node group with 2 *m5.large* in
 At cluster instantiation time, you can customize the number of instances and their type:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity=5,
     default_capacity_instance=ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.SMALL),
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -205,13 +227,13 @@ To access the node group that was created on your behalf, you can use `cluster.d
 Additional customizations are available post instantiation. To apply them, set the default capacity to 0, and use the `cluster.addNodegroupCapacity` method:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity=0,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 
 cluster.add_nodegroup_capacity("custom-node-group",
@@ -290,7 +312,7 @@ Node groups are available with IPv6 configured networks.  For custom roles assig
 > For more details visit [Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-role)
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 ipv6_management = iam.PolicyDocument(
@@ -315,9 +337,9 @@ eks_cluster_node_group_role = iam.Role(self, "eksClusterNodeGroupRole",
 )
 
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity=0,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 
 cluster.add_nodegroup_capacity("custom-node-group",
@@ -426,13 +448,13 @@ has been changed. As a workaround, you need to add a temporary policy to the clu
 successful replacement. Consider this example if you are renaming the cluster from `foo` to `bar`:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "cluster-to-rename",
     cluster_name="foo",  # rename this to 'bar'
-    kubectl_layer=KubectlV32Layer(self, "kubectl"),
-    version=eks.KubernetesVersion.V1_32
+    kubectl_layer=KubectlV34Layer(self, "kubectl"),
+    version=eks.KubernetesVersion.V1_34
 )
 
 # allow the cluster admin role to delete the cluster 'foo'
@@ -485,12 +507,12 @@ To create an EKS cluster that **only** uses Fargate capacity, you can use `Farga
 The following code defines an Amazon EKS cluster with a default Fargate Profile that matches all pods from the "kube-system" and "default" namespaces. It is also configured to [run CoreDNS on Fargate](https://docs.aws.amazon.com/eks/latest/userguide/fargate-getting-started.html#fargate-gs-coredns).
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.FargateCluster(self, "MyCluster",
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -570,13 +592,13 @@ To disable bootstrapping altogether (i.e. to fully customize user-data), set `bo
 You can also configure the cluster to use an auto-scaling group as the default capacity:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.EC2,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -683,13 +705,13 @@ AWS Identity and Access Management (IAM) and native Kubernetes [Role Based Acces
 You can configure the [cluster endpoint access](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) by using the `endpointAccess` property:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     endpoint_access=eks.EndpointAccess.PRIVATE,  # No access outside of your VPC.
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -709,33 +731,33 @@ From the docs:
 To deploy the controller on your EKS cluster, configure the `albController` property:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     alb_controller=eks.AlbControllerOptions(
         version=eks.AlbControllerVersion.V2_8_2
     ),
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
 To provide additional Helm chart values supported by `albController` in CDK, use the `additionalHelmChartValues` property. For example, the following code snippet shows how to set the `enableWafV2` flag:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     alb_controller=eks.AlbControllerOptions(
         version=eks.AlbControllerVersion.V2_8_2,
         additional_helm_chart_values=eks.AlbControllerHelmChartOptions(
             enable_wafv2=False
         )
     ),
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -772,16 +794,16 @@ if cluster.alb_controller:
 You can specify the VPC of the cluster using the `vpc` and `vpcSubnets` properties:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 # vpc: ec2.Vpc
 
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     vpc=vpc,
     vpc_subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)],
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -825,12 +847,12 @@ The `ClusterHandler` is a set of Lambda functions (`onEventHandler`, `isComplete
 You can configure the environment of the Cluster Handler functions by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 # proxy_instance_security_group: ec2.SecurityGroup
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     cluster_handler_environment={
         "https_proxy": "http://proxy.myproxy.com"
     },
@@ -839,7 +861,7 @@ cluster = eks.Cluster(self, "hello-eks",
     # Cluster Handler Lambdas so that it can reach the proxy.
     #
     cluster_handler_security_group=proxy_instance_security_group,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -848,7 +870,7 @@ cluster = eks.Cluster(self, "hello-eks",
 You can optionally choose to configure your cluster to use IPv6 using the [`ipFamily`](https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-ipFamily) definition for your cluster.  Note that this will require the underlying subnets to have an associated IPv6 CIDR.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 # vpc: ec2.Vpc
 
 
@@ -873,11 +895,11 @@ for subnet in subnets:
     subnetcount = subnetcount + 1
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     vpc=vpc,
     ip_family=eks.IpFamily.IP_V6,
     vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)],
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -908,15 +930,15 @@ cluster = eks.Cluster.from_cluster_attributes(self, "Cluster",
 You can configure the environment of this function by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     kubectl_environment={
         "http_proxy": "http://proxy.myproxy.com"
     },
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -933,12 +955,12 @@ Depending on which version of kubernetes you're targeting, you will need to use
 the `@aws-cdk/lambda-layer-kubectl-vXY` packages.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -974,7 +996,7 @@ cluster1 = eks.Cluster(self, "MyCluster",
     kubectl_layer=layer,
     vpc=vpc,
     cluster_name="cluster-name",
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 
 # or
@@ -990,7 +1012,7 @@ cluster2 = eks.Cluster.from_cluster_attributes(self, "MyCluster",
 By default, the kubectl provider is configured with 1024MiB of memory. You can use the `kubectlMemory` option to specify the memory size for the AWS Lambda function:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 # or
 # vpc: ec2.Vpc
@@ -998,8 +1020,8 @@ from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
 
 eks.Cluster(self, "MyCluster",
     kubectl_memory=Size.gibibytes(4),
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 eks.Cluster.from_cluster_attributes(self, "MyCluster",
     kubectl_memory=Size.gibibytes(4),
@@ -1034,14 +1056,14 @@ cluster.add_auto_scaling_group_capacity("self-ng-arm",
 When you create a cluster, you can specify a `mastersRole`. The `Cluster` construct will associate this role with the `system:masters` [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) group, giving it super-user access to the cluster.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 # role: iam.Role
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     masters_role=role,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -1087,28 +1109,28 @@ You can use the `secretsEncryptionKey` to configure which key the cluster will u
 > This setting can only be specified when the cluster is created and cannot be updated.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 secrets_key = kms.Key(self, "SecretsKey")
 cluster = eks.Cluster(self, "MyCluster",
     secrets_encryption_key=secrets_key,
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
 You can also use a similar configuration for running a cluster built using the FargateCluster construct.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 secrets_key = kms.Key(self, "SecretsKey")
 cluster = eks.FargateCluster(self, "MyFargateCluster",
     secrets_encryption_key=secrets_key,
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -1127,12 +1149,12 @@ When you create an Amazon EKS cluster, you can configure it to leverage the [EKS
 Once you have identified the on-premises node and pod (optional) CIDRs you will use for your hybrid nodes and the workloads running on them, you can specify them during cluster creation using the `remoteNodeNetworks` and `remotePodNetworks` (optional) properties:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "Cluster",
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "KubectlLayer"),
     remote_node_networks=[eks.RemoteNodeNetwork(
         cidrs=["10.0.0.0/16"]
     )
@@ -1144,6 +1166,12 @@ eks.Cluster(self, "Cluster",
 )
 ```
 
+### Self-Managed Add-ons
+
+Amazon EKS automatically installs self-managed add-ons such as the Amazon VPC CNI plugin for Kubernetes, kube-proxy, and CoreDNS for every cluster. You can change the default configuration of the add-ons and update them when desired. If you wish to create a cluster without the default add-ons, set `bootstrapSelfManagedAddons` as `false`. When this is set to false, make sure to install the necessary alternatives which provide functionality that enables pod and service operations for your EKS cluster.
+
+> Changing the value of `bootstrapSelfManagedAddons` after the EKS cluster creation will result in a replacement of the cluster.
+
 ## Permissions and Security
 
 Amazon EKS provides several mechanism of securing the cluster and granting permissions to specific IAM users and roles.
@@ -1179,7 +1207,7 @@ To access the Kubernetes resources from the console, make sure your viewing prin
 in the `aws-auth` ConfigMap. Some options to consider:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 # cluster: eks.Cluster
 # your_current_role: iam.Role
 # vpc: ec2.Vpc
@@ -1197,7 +1225,7 @@ your_current_role.add_to_policy(iam.PolicyStatement(
 
 ```python
 # Option 2: create your custom mastersRole with scoped assumeBy arn as the Cluster prop. Switch to this role from the AWS console.
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 # vpc: ec2.Vpc
 
 
@@ -1207,8 +1235,8 @@ masters_role = iam.Role(self, "MastersRole",
 
 cluster = eks.Cluster(self, "EksCluster",
     vpc=vpc,
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "KubectlLayer"),
     masters_role=masters_role
 )
 
@@ -1247,14 +1275,14 @@ AWS IAM principals from both Amazon EKS access entry APIs and the aws-auth confi
 To specify the `authenticationMode`:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 # vpc: ec2.Vpc
 
 
 eks.Cluster(self, "Cluster",
     vpc=vpc,
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "KubectlLayer"),
     authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
 )
 ```
@@ -1299,7 +1327,7 @@ eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
 Use `grantAccess()` to grant the AccessPolicy to an IAM principal:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 # vpc: ec2.Vpc
 
 
@@ -1318,8 +1346,8 @@ eks_admin_view_role = iam.Role(self, "EKSAdminViewRole",
 cluster = eks.Cluster(self, "Cluster",
     vpc=vpc,
     masters_role=cluster_admin_role,
-    version=eks.KubernetesVersion.V1_32,
-    kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
+    version=eks.KubernetesVersion.V1_34,
+    kubectl_layer=KubectlV34Layer(self, "KubectlLayer"),
     authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
 )
 
@@ -1650,13 +1678,13 @@ Pruning is enabled by default but can be disabled through the `prune` option
 when a cluster is defined:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "MyCluster",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     prune=False,
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -1976,10 +2004,13 @@ load_balancer_address = cluster.get_service_load_balancer_address("my-service")
 
 eks.Addon(self, "Addon",
     cluster=cluster,
-    addon_name="aws-guardduty-agent",
-    addon_version="v1.6.1",
+    addon_name="coredns",
+    addon_version="v1.11.4-eksbuild.2",
     # whether to preserve the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on.
-    preserve_on_delete=False
+    preserve_on_delete=False,
+    configuration_values={
+        "replica_count": 2
+    }
 )
 ```
 
@@ -2052,15 +2083,15 @@ You can enable logging for each one separately using the `clusterLogging`
 property. For example:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "Cluster",
     # ...
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     cluster_logging=[eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.SCHEDULER
     ],
-    kubectl_layer=KubectlV32Layer(self, "kubectl")
+    kubectl_layer=KubectlV34Layer(self, "kubectl")
 )
 ```
 
@@ -2127,6 +2158,7 @@ from .. import (
     ITaggable as _ITaggable_36806126,
     ITaggableV2 as _ITaggableV2_4e6798f8,
     NestedStack as _NestedStack_dd393a45,
+    RemovalPolicy as _RemovalPolicy_9f93c814,
     Resource as _Resource_45bc6135,
     Size as _Size_7b441c34,
     TagManager as _TagManager_0a598cb3,
@@ -2169,9 +2201,25 @@ from ..aws_iam import (
     PrincipalPolicyFragment as _PrincipalPolicyFragment_6a855d11,
     Role as _Role_e8c6e11f,
 )
-from ..aws_kms import IKey as _IKey_5f11635f
 from ..aws_lambda import ILayerVersion as _ILayerVersion_5ac127c8
 from ..aws_s3_assets import Asset as _Asset_ac2a7e61
+from ..interfaces.aws_eks import (
+    AccessEntryReference as _AccessEntryReference_447195cd,
+    AddonReference as _AddonReference_afb1bd13,
+    ClusterReference as _ClusterReference_d6e6b9ff,
+    FargateProfileReference as _FargateProfileReference_5fd534f8,
+    IAccessEntryRef as _IAccessEntryRef_14bb9c0a,
+    IAddonRef as _IAddonRef_fb5de88c,
+    IClusterRef as _IClusterRef_5527f448,
+    IFargateProfileRef as _IFargateProfileRef_ebba9623,
+    IIdentityProviderConfigRef as _IIdentityProviderConfigRef_0106e882,
+    INodegroupRef as _INodegroupRef_cac0d8aa,
+    IPodIdentityAssociationRef as _IPodIdentityAssociationRef_21f8b2b1,
+    IdentityProviderConfigReference as _IdentityProviderConfigReference_7c0f381e,
+    NodegroupReference as _NodegroupReference_eab944f6,
+    PodIdentityAssociationReference as _PodIdentityAssociationReference_14e19bbb,
+)
+from ..interfaces.aws_kms import IKeyRef as _IKeyRef_d4fc6ef3
 
 
 @jsii.data_type(
@@ -2808,6 +2856,7 @@ class AddonAttributes:
         "addon_name": "addonName",
         "cluster": "cluster",
         "addon_version": "addonVersion",
+        "configuration_values": "configurationValues",
         "preserve_on_delete": "preserveOnDelete",
     },
 )
@@ -2818,6 +2867,7 @@ class AddonProps:
         addon_name: builtins.str,
         cluster: "ICluster",
         addon_version: typing.Optional[builtins.str] = None,
+        configuration_values: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
         preserve_on_delete: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''Properties for creating an Amazon EKS Add-On.
@@ -2825,6 +2875,7 @@ class AddonProps:
         :param addon_name: Name of the Add-On.
         :param cluster: The EKS cluster the Add-On is associated with.
         :param addon_version: Version of the Add-On. You can check all available versions with describe-addon-versions. For example, this lists all available versions for the ``eks-pod-identity-agent`` addon: $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent --query 'addons[*].addonVersions[*].addonVersion' Default: the latest version.
+        :param configuration_values: The configuration values for the Add-on. Default: - Use default configuration.
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed. Default: true
 
         :exampleMetadata: infused
@@ -2836,10 +2887,13 @@ class AddonProps:
             
             eks.Addon(self, "Addon",
                 cluster=cluster,
-                addon_name="aws-guardduty-agent",
-                addon_version="v1.6.1",
+                addon_name="coredns",
+                addon_version="v1.11.4-eksbuild.2",
                 # whether to preserve the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on.
-                preserve_on_delete=False
+                preserve_on_delete=False,
+                configuration_values={
+                    "replica_count": 2
+                }
             )
         '''
         if __debug__:
@@ -2847,6 +2901,7 @@ class AddonProps:
             check_type(argname="argument addon_name", value=addon_name, expected_type=type_hints["addon_name"])
             check_type(argname="argument cluster", value=cluster, expected_type=type_hints["cluster"])
             check_type(argname="argument addon_version", value=addon_version, expected_type=type_hints["addon_version"])
+            check_type(argname="argument configuration_values", value=configuration_values, expected_type=type_hints["configuration_values"])
             check_type(argname="argument preserve_on_delete", value=preserve_on_delete, expected_type=type_hints["preserve_on_delete"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "addon_name": addon_name,
@@ -2854,6 +2909,8 @@ class AddonProps:
         }
         if addon_version is not None:
             self._values["addon_version"] = addon_version
+        if configuration_values is not None:
+            self._values["configuration_values"] = configuration_values
         if preserve_on_delete is not None:
             self._values["preserve_on_delete"] = preserve_on_delete
 
@@ -2885,6 +2942,17 @@ class AddonProps:
         result = self._values.get("addon_version")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def configuration_values(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
+        '''The configuration values for the Add-on.
+
+        :default: - Use default configuration.
+        '''
+        result = self._values.get("configuration_values")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, typing.Any]], result)
+
     @builtins.property
     def preserve_on_delete(self) -> typing.Optional[builtins.bool]:
         '''Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on.
@@ -3036,18 +3104,18 @@ class AlbControllerHelmChartOptions:
 
         Example::
 
-            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
             
             
             eks.Cluster(self, "HelloEKS",
-                version=eks.KubernetesVersion.V1_32,
+                version=eks.KubernetesVersion.V1_34,
                 alb_controller=eks.AlbControllerOptions(
                     version=eks.AlbControllerVersion.V2_8_2,
                     additional_helm_chart_values=eks.AlbControllerHelmChartOptions(
                         enable_wafv2=False
                     )
                 ),
-                kubectl_layer=KubectlV32Layer(self, "kubectl")
+                kubectl_layer=KubectlV34Layer(self, "kubectl")
             )
         '''
         if __debug__:
@@ -3120,15 +3188,15 @@ class AlbControllerOptions:
 
         Example::
 
-            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
             
             
             eks.Cluster(self, "HelloEKS",
-                version=eks.KubernetesVersion.V1_32,
+                version=eks.KubernetesVersion.V1_34,
                 alb_controller=eks.AlbControllerOptions(
                     version=eks.AlbControllerVersion.V2_8_2
                 ),
-                kubectl_layer=KubectlV32Layer(self, "kubectl")
+                kubectl_layer=KubectlV34Layer(self, "kubectl")
             )
         '''
         if isinstance(additional_helm_chart_values, dict):
@@ -3356,15 +3424,15 @@ class AlbControllerVersion(
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         
         
         eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             alb_controller=eks.AlbControllerOptions(
                 version=eks.AlbControllerVersion.V2_8_2
             ),
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            kubectl_layer=KubectlV34Layer(self, "kubectl")
         )
     '''
 
@@ -3640,14 +3708,14 @@ class AuthenticationMode(enum.Enum):
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         # vpc: ec2.Vpc
         
         
         eks.Cluster(self, "Cluster",
             vpc=vpc,
-            version=eks.KubernetesVersion.V1_32,
-            kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
+            version=eks.KubernetesVersion.V1_34,
+            kubectl_layer=KubectlV34Layer(self, "KubectlLayer"),
             authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP
         )
     '''
@@ -3758,7 +3826,7 @@ class AutoScalingGroupCapacityOptions(_CommonAutoScalingGroupProps_808bbf2d):
         :param key_name: (deprecated) Name of SSH keypair to grant access to instances. ``launchTemplate`` and ``mixedInstancesPolicy`` must not be specified when this property is specified You can either specify ``keyPair`` or ``keyName``, not both. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Feature flag ``AUTOSCALING_GENERATE_LAUNCH_TEMPLATE`` must be enabled to use this property. ``launchTemplate`` and ``mixedInstancesPolicy`` must not be specified when this property is specified. You can either specify ``keyPair`` or ``keyName``, not both. Default: - No SSH access will be possible.
         :param max_capacity: Maximum number of instances in the fleet. Default: desiredCapacity
-        :param max_instance_lifetime: The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 604,800 seconds (7 days). To clear a previously set value, leave this property undefined. Default: none
+        :param max_instance_lifetime: The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 86,400 seconds (one day). To clear a previously set value, leave this property undefined. Default: none
         :param min_capacity: Minimum number of instances in the fleet. Default: 1
         :param new_instances_protected_from_scale_in: Whether newly-launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in. By default, Auto Scaling can terminate an instance at any time after launch when scaling in an Auto Scaling Group, subject to the group's termination policy. However, you may wish to protect newly-launched instances from being scaled in if they are going to run critical applications that should not be prematurely terminated. This flag must be enabled if the Auto Scaling Group will be associated with an ECS Capacity Provider with managed termination protection. Default: false
         :param notifications: Configure autoscaling group to send notifications about fleet changes to an SNS topic(s). Default: - No fleet change notifications will be sent.
@@ -4134,7 +4202,7 @@ class AutoScalingGroupCapacityOptions(_CommonAutoScalingGroupProps_808bbf2d):
         to all current and future instances in the group. As an instance approaches its maximum duration,
         it is terminated and replaced, and cannot be used again.
 
-        You must specify a value of at least 604,800 seconds (7 days). To clear a previously set value,
+        You must specify a value of at least 86,400 seconds (one day). To clear a previously set value,
         leave this property undefined.
 
         :default: none
@@ -4912,7 +4980,7 @@ class CapacityType(enum.Enum):
     '''capacity block instances.'''
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _IAccessEntryRef_14bb9c0a, _ITaggableV2_4e6798f8)
 class CfnAccessEntry(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4971,7 +5039,8 @@ class CfnAccessEntry(
         type: typing.Optional[builtins.str] = None,
         username: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::EKS::AccessEntry``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param cluster_name: The name of your cluster.
@@ -5028,6 +5097,12 @@ class CfnAccessEntry(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="accessEntryRef")
+    def access_entry_ref(self) -> _AccessEntryReference_447195cd:
+        '''A reference to a AccessEntry resource.'''
+        return typing.cast(_AccessEntryReference_447195cd, jsii.get(self, "accessEntryRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrAccessEntryArn")
     def attr_access_entry_arn(self) -> builtins.str:
@@ -5495,7 +5570,7 @@ class CfnAccessEntryProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IAddonRef_fb5de88c, _ITaggable_36806126)
 class CfnAddon(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5522,6 +5597,9 @@ class CfnAddon(
             # the properties below are optional
             addon_version="addonVersion",
             configuration_values="configurationValues",
+            namespace_config=eks.CfnAddon.NamespaceConfigProperty(
+                namespace="namespace"
+            ),
             pod_identity_associations=[eks.CfnAddon.PodIdentityAssociationProperty(
                 role_arn="roleArn",
                 service_account="serviceAccount"
@@ -5545,20 +5623,23 @@ class CfnAddon(
         cluster_name: builtins.str,
         addon_version: typing.Optional[builtins.str] = None,
         configuration_values: typing.Optional[builtins.str] = None,
+        namespace_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAddon.NamespaceConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         pod_identity_associations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAddon.PodIdentityAssociationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         preserve_on_delete: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         resolve_conflicts: typing.Optional[builtins.str] = None,
         service_account_role_arn: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::EKS::Addon``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param addon_name: The name of the add-on.
         :param cluster_name: The name of your cluster.
         :param addon_version: The version of the add-on.
         :param configuration_values: The configuration values that you provided.
-        :param pod_identity_associations: An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster. For more information, see `Attach an IAM Role to an Amazon EKS add-on using Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the *Amazon EKS User Guide* .
+        :param namespace_config: The namespace configuration for the addon. This specifies the Kubernetes namespace where the addon is installed.
+        :param pod_identity_associations: An array of EKS Pod Identity associations owned by the add-on. Each association maps a role to a service account in a namespace in the cluster. For more information, see `Attach an IAM Role to an Amazon EKS add-on using EKS Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the *Amazon EKS User Guide* .
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.
         :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see ```UpdateAddon`` <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
         :param service_account_role_arn: The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see `Amazon EKS node IAM role <https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see `Enabling IAM roles for service accounts on your cluster <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_ in the *Amazon EKS User Guide* .
@@ -5573,6 +5654,7 @@ class CfnAddon(
             cluster_name=cluster_name,
             addon_version=addon_version,
             configuration_values=configuration_values,
+            namespace_config=namespace_config,
             pod_identity_associations=pod_identity_associations,
             preserve_on_delete=preserve_on_delete,
             resolve_conflicts=resolve_conflicts,
@@ -5612,6 +5694,12 @@ class CfnAddon(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="addonRef")
+    def addon_ref(self) -> _AddonReference_afb1bd13:
+        '''A reference to a Addon resource.'''
+        return typing.cast(_AddonReference_afb1bd13, jsii.get(self, "addonRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrArn")
     def attr_arn(self) -> builtins.str:
@@ -5684,12 +5772,30 @@ class CfnAddon(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "configurationValues", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="namespaceConfig")
+    def namespace_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnAddon.NamespaceConfigProperty"]]:
+        '''The namespace configuration for the addon.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnAddon.NamespaceConfigProperty"]], jsii.get(self, "namespaceConfig"))
+
+    @namespace_config.setter
+    def namespace_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnAddon.NamespaceConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__039b518895f39f54dce3ea31a35bed66445fb7b5e7f4c52a89adafc86911f331)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "namespaceConfig", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="podIdentityAssociations")
     def pod_identity_associations(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAddon.PodIdentityAssociationProperty"]]]]:
-        '''An array of Pod Identity Assocations owned by the Addon.'''
+        '''An array of EKS Pod Identity associations owned by the add-on.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAddon.PodIdentityAssociationProperty"]]]], jsii.get(self, "podIdentityAssociations"))
 
     @pod_identity_associations.setter
@@ -5759,6 +5865,58 @@ class CfnAddon(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "tagsRaw", value) # pyright: ignore[reportArgumentType]
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_eks.CfnAddon.NamespaceConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"namespace": "namespace"},
+    )
+    class NamespaceConfigProperty:
+        def __init__(self, *, namespace: builtins.str) -> None:
+            '''The custom namespace configuration to use with the add-on.
+
+            :param namespace: The custom namespace for creating the add-on.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-namespaceconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_eks as eks
+                
+                namespace_config_property = eks.CfnAddon.NamespaceConfigProperty(
+                    namespace="namespace"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__c336eaf5f7476c60c3b0b8dc688fc9ea53319525b39f820a30e2510a38e67cbc)
+                check_type(argname="argument namespace", value=namespace, expected_type=type_hints["namespace"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "namespace": namespace,
+            }
+
+        @builtins.property
+        def namespace(self) -> builtins.str:
+            '''The custom namespace for creating the add-on.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-namespaceconfig.html#cfn-eks-addon-namespaceconfig-namespace
+            '''
+            result = self._values.get("namespace")
+            assert result is not None, "Required property 'namespace' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "NamespaceConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_eks.CfnAddon.PodIdentityAssociationProperty",
         jsii_struct_bases=[],
@@ -5773,7 +5931,7 @@ class CfnAddon(
         ) -> None:
             '''Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
 
-            :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
+            :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.
             :param service_account: The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-podidentityassociation.html
@@ -5803,7 +5961,7 @@ class CfnAddon(
         def role_arn(self) -> builtins.str:
             '''The Amazon Resource Name (ARN) of the IAM role to associate with the service account.
 
-            The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
+            The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-addon-podidentityassociation.html#cfn-eks-addon-podidentityassociation-rolearn
             '''
@@ -5841,6 +5999,7 @@ class CfnAddon(
         "cluster_name": "clusterName",
         "addon_version": "addonVersion",
         "configuration_values": "configurationValues",
+        "namespace_config": "namespaceConfig",
         "pod_identity_associations": "podIdentityAssociations",
         "preserve_on_delete": "preserveOnDelete",
         "resolve_conflicts": "resolveConflicts",
@@ -5856,6 +6015,7 @@ class CfnAddonProps:
         cluster_name: builtins.str,
         addon_version: typing.Optional[builtins.str] = None,
         configuration_values: typing.Optional[builtins.str] = None,
+        namespace_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.NamespaceConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         pod_identity_associations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.PodIdentityAssociationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         preserve_on_delete: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         resolve_conflicts: typing.Optional[builtins.str] = None,
@@ -5868,7 +6028,8 @@ class CfnAddonProps:
         :param cluster_name: The name of your cluster.
         :param addon_version: The version of the add-on.
         :param configuration_values: The configuration values that you provided.
-        :param pod_identity_associations: An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster. For more information, see `Attach an IAM Role to an Amazon EKS add-on using Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the *Amazon EKS User Guide* .
+        :param namespace_config: The namespace configuration for the addon. This specifies the Kubernetes namespace where the addon is installed.
+        :param pod_identity_associations: An array of EKS Pod Identity associations owned by the add-on. Each association maps a role to a service account in a namespace in the cluster. For more information, see `Attach an IAM Role to an Amazon EKS add-on using EKS Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the *Amazon EKS User Guide* .
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.
         :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see ```UpdateAddon`` <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
         :param service_account_role_arn: The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see `Amazon EKS node IAM role <https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see `Enabling IAM roles for service accounts on your cluster <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_ in the *Amazon EKS User Guide* .
@@ -5890,6 +6051,9 @@ class CfnAddonProps:
                 # the properties below are optional
                 addon_version="addonVersion",
                 configuration_values="configurationValues",
+                namespace_config=eks.CfnAddon.NamespaceConfigProperty(
+                    namespace="namespace"
+                ),
                 pod_identity_associations=[eks.CfnAddon.PodIdentityAssociationProperty(
                     role_arn="roleArn",
                     service_account="serviceAccount"
@@ -5909,6 +6073,7 @@ class CfnAddonProps:
             check_type(argname="argument cluster_name", value=cluster_name, expected_type=type_hints["cluster_name"])
             check_type(argname="argument addon_version", value=addon_version, expected_type=type_hints["addon_version"])
             check_type(argname="argument configuration_values", value=configuration_values, expected_type=type_hints["configuration_values"])
+            check_type(argname="argument namespace_config", value=namespace_config, expected_type=type_hints["namespace_config"])
             check_type(argname="argument pod_identity_associations", value=pod_identity_associations, expected_type=type_hints["pod_identity_associations"])
             check_type(argname="argument preserve_on_delete", value=preserve_on_delete, expected_type=type_hints["preserve_on_delete"])
             check_type(argname="argument resolve_conflicts", value=resolve_conflicts, expected_type=type_hints["resolve_conflicts"])
@@ -5922,6 +6087,8 @@ class CfnAddonProps:
             self._values["addon_version"] = addon_version
         if configuration_values is not None:
             self._values["configuration_values"] = configuration_values
+        if namespace_config is not None:
+            self._values["namespace_config"] = namespace_config
         if pod_identity_associations is not None:
             self._values["pod_identity_associations"] = pod_identity_associations
         if preserve_on_delete is not None:
@@ -5971,15 +6138,28 @@ class CfnAddonProps:
         result = self._values.get("configuration_values")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def namespace_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnAddon.NamespaceConfigProperty]]:
+        '''The namespace configuration for the addon.
+
+        This specifies the Kubernetes namespace where the addon is installed.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-addon.html#cfn-eks-addon-namespaceconfig
+        '''
+        result = self._values.get("namespace_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnAddon.NamespaceConfigProperty]], result)
+
     @builtins.property
     def pod_identity_associations(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnAddon.PodIdentityAssociationProperty]]]]:
-        '''An array of Pod Identity Assocations owned by the Addon.
+        '''An array of EKS Pod Identity associations owned by the add-on.
 
-        Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster.
+        Each association maps a role to a service account in a namespace in the cluster.
 
-        For more information, see `Attach an IAM Role to an Amazon EKS add-on using Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the *Amazon EKS User Guide* .
+        For more information, see `Attach an IAM Role to an Amazon EKS add-on using EKS Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the *Amazon EKS User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-addon.html#cfn-eks-addon-podidentityassociations
         '''
@@ -6053,7 +6233,7 @@ class CfnAddonProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IClusterRef_5527f448, _ITaggable_36806126)
 class CfnCluster(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -6067,7 +6247,7 @@ class CfnCluster(
 
     Amazon EKS nodes run in your AWS account and connect to your cluster's control plane over the Kubernetes API server endpoint and a certificate file that is created for your cluster.
 
-    You can use the ``endpointPublicAccess`` and ``endpointPrivateAccess`` parameters to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see `Amazon EKS Cluster Endpoint Access Control <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
+    You can use the ``endpointPublicAccess`` and ``endpointPrivateAccess`` parameters to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. The endpoint domain name and IP address family depends on the value of the ``ipFamily`` for the cluster. For more information, see `Amazon EKS Cluster Endpoint Access Control <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
 
     You can use the ``logging`` parameter to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see `Amazon EKS Cluster Control Plane Logs <https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html>`_ in the **Amazon EKS User Guide** .
     .. epigraph::
@@ -6109,6 +6289,7 @@ class CfnCluster(
                 node_pools=["nodePools"],
                 node_role_arn="nodeRoleArn"
             ),
+            deletion_protection=False,
             encryption_config=[eks.CfnCluster.EncryptionConfigProperty(
                 provider=eks.CfnCluster.ProviderProperty(
                     key_arn="keyArn"
@@ -6180,6 +6361,7 @@ class CfnCluster(
         access_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.AccessConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         compute_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.ComputeConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.EncryptionConfigProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         force: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.KubernetesNetworkConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -6193,14 +6375,16 @@ class CfnCluster(
         version: typing.Optional[builtins.str] = None,
         zonal_shift_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.ZonalShiftConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::EKS::Cluster``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param resources_vpc_config: The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see `Cluster VPC Considerations <https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html>`_ and `Cluster Security Group Considerations <https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html>`_ in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.
         :param role_arn: The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see `Amazon EKS Service IAM Role <https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html>`_ in the **Amazon EKS User Guide** .
         :param access_config: The access configuration for the cluster.
-        :param bootstrap_self_managed_addons: If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed. The default networking addons include vpc-cni, coredns, and kube-proxy. Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
+        :param bootstrap_self_managed_addons: If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed. The default networking add-ons include ``vpc-cni`` , ``coredns`` , and ``kube-proxy`` . Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
         :param compute_config: Indicates the current configuration of the compute capability on your EKS Auto Mode cluster. For example, if the capability is enabled or disabled. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your AWS account. For more information, see EKS Auto Mode compute capability in the *Amazon EKS User Guide* .
+        :param deletion_protection: The current deletion protection setting for the cluster. When ``true`` , deletion protection is enabled and the cluster cannot be deleted until protection is disabled. When ``false`` , the cluster can be deleted normally. This setting only applies to clusters in an active state.
         :param encryption_config: The encryption configuration for the cluster.
         :param force: Set this value to ``true`` to override upgrade-blocking readiness checks when updating a cluster. Default: - false
         :param kubernetes_network_config: The Kubernetes network configuration for the cluster.
@@ -6224,6 +6408,7 @@ class CfnCluster(
             access_config=access_config,
             bootstrap_self_managed_addons=bootstrap_self_managed_addons,
             compute_config=compute_config,
+            deletion_protection=deletion_protection,
             encryption_config=encryption_config,
             force=force,
             kubernetes_network_config=kubernetes_network_config,
@@ -6240,6 +6425,48 @@ class CfnCluster(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.member(jsii_name="fromClusterArn")
+    @builtins.classmethod
+    def from_cluster_arn(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        arn: builtins.str,
+    ) -> _IClusterRef_5527f448:
+        '''Creates a new IClusterRef from an ARN.
+
+        :param scope: -
+        :param id: -
+        :param arn: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b7520097767a23a7f7b750879adb8df71436766d2ad7c356ce08243330524e31)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument arn", value=arn, expected_type=type_hints["arn"])
+        return typing.cast(_IClusterRef_5527f448, jsii.sinvoke(cls, "fromClusterArn", [scope, id, arn]))
+
+    @jsii.member(jsii_name="fromClusterName")
+    @builtins.classmethod
+    def from_cluster_name(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        cluster_name: builtins.str,
+    ) -> _IClusterRef_5527f448:
+        '''Creates a new IClusterRef from a clusterName.
+
+        :param scope: -
+        :param id: -
+        :param cluster_name: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__06b7df746bf67240facb00749c1c399634c9167d5acb1747f034220efaf30f49)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument cluster_name", value=cluster_name, expected_type=type_hints["cluster_name"])
+        return typing.cast(_IClusterRef_5527f448, jsii.sinvoke(cls, "fromClusterName", [scope, id, cluster_name]))
+
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -6355,6 +6582,12 @@ class CfnCluster(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="clusterRef")
+    def cluster_ref(self) -> _ClusterReference_d6e6b9ff:
+        '''A reference to a Cluster resource.'''
+        return typing.cast(_ClusterReference_d6e6b9ff, jsii.get(self, "clusterRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -6446,6 +6679,24 @@ class CfnCluster(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "computeConfig", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="deletionProtection")
+    def deletion_protection(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''The current deletion protection setting for the cluster.'''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "deletionProtection"))
+
+    @deletion_protection.setter
+    def deletion_protection(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__19e2a4eccf6e2e232dc5d0a9572dba914015320e88042ef8f90020cd0d14b037)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "deletionProtection", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="encryptionConfig")
     def encryption_config(
@@ -7567,8 +7818,8 @@ class CfnCluster(
 
             You can add, change, or remove this configuration after the cluster is created.
 
-            :param remote_node_networks: The list of network CIDRs that can contain hybrid nodes. These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect . - Each host must allow outbound connection to the EKS cluster control plane on TCP ports ``443`` and ``10250`` . - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations. - Each host must allow TCP and UDP network connectivity to and from other hosts that are running ``CoreDNS`` on UDP port ``53`` for service and pod DNS names.
-            :param remote_pod_networks: The list of network CIDRs that can contain pods that run Kubernetes webhooks on hybrid nodes. These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
+            :param remote_node_networks: The list of network CIDRs that can contain hybrid nodes. These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect . - Each host must allow outbound connection to the EKS cluster control plane on TCP ports ``443`` and ``10250`` . - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations. - Each host must allow TCP and UDP network connectivity to and from other hosts that are running ``CoreDNS`` on UDP port ``53`` for service and pod DNS names.
+            :param remote_pod_networks: The list of network CIDRs that can contain pods that run Kubernetes webhooks on hybrid nodes. These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-remotenetworkconfig.html
             :exampleMetadata: fixture=_generated
@@ -7612,7 +7863,7 @@ class CfnCluster(
 
             It must satisfy the following requirements:
 
-            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.
+            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
             - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
             - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .
             - Each host must allow outbound connection to the EKS cluster control plane on TCP ports ``443`` and ``10250`` .
@@ -7637,7 +7888,7 @@ class CfnCluster(
 
             It must satisfy the following requirements:
 
-            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.
+            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
             - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-remotenetworkconfig.html#cfn-eks-cluster-remotenetworkconfig-remotepodnetworks
@@ -7671,14 +7922,14 @@ class CfnCluster(
 
             It must satisfy the following requirements:
 
-            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.
+            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
             - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
             - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .
             - Each host must allow outbound connection to the EKS cluster control plane on TCP ports ``443`` and ``10250`` .
             - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.
             - Each host must allow TCP and UDP network connectivity to and from other hosts that are running ``CoreDNS`` on UDP port ``53`` for service and pod DNS names.
 
-            :param cidrs: A network CIDR that can contain hybrid nodes. These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect . - Each host must allow outbound connection to the EKS cluster control plane on TCP ports ``443`` and ``10250`` . - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations. - Each host must allow TCP and UDP network connectivity to and from other hosts that are running ``CoreDNS`` on UDP port ``53`` for service and pod DNS names.
+            :param cidrs: A network CIDR that can contain hybrid nodes. These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect . - Each host must allow outbound connection to the EKS cluster control plane on TCP ports ``443`` and ``10250`` . - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations. - Each host must allow TCP and UDP network connectivity to and from other hosts that are running ``CoreDNS`` on UDP port ``53`` for service and pod DNS names.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-remotenodenetwork.html
             :exampleMetadata: fixture=_generated
@@ -7710,7 +7961,7 @@ class CfnCluster(
 
             It must satisfy the following requirements:
 
-            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.
+            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
             - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
             - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .
             - Each host must allow outbound connection to the EKS cluster control plane on TCP ports ``443`` and ``10250`` .
@@ -7749,10 +8000,10 @@ class CfnCluster(
 
             It must satisfy the following requirements:
 
-            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.
+            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
             - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
 
-            :param cidrs: A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes. These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
+            :param cidrs: A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes. These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-remotepodnetwork.html
             :exampleMetadata: fixture=_generated
@@ -7784,7 +8035,7 @@ class CfnCluster(
 
             It must satisfy the following requirements:
 
-            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.
+            - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
             - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-remotepodnetwork.html#cfn-eks-cluster-remotepodnetwork-cidrs
@@ -7836,9 +8087,9 @@ class CfnCluster(
                - ``PublicAccessCidrs``
 
             :param subnet_ids: Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.
-            :param endpoint_private_access: Set this value to ``true`` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is ``false`` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that ``publicAccessCidrs`` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see `Amazon EKS cluster endpoint access control <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
-            :param endpoint_public_access: Set this value to ``false`` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is ``true`` , which enables public access for your Kubernetes API server. For more information, see `Amazon EKS cluster endpoint access control <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
-            :param public_access_cidrs: The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is ``0.0.0.0/0`` . If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate ``Pod`` in the cluster. For more information, see `Amazon EKS cluster endpoint access control <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
+            :param endpoint_private_access: Set this value to ``true`` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is ``false`` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that ``publicAccessCidrs`` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see `Cluster API server endpoint <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
+            :param endpoint_public_access: Set this value to ``false`` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is ``true`` , which enables public access for your Kubernetes API server. The endpoint domain name and IP address family depends on the value of the ``ipFamily`` for the cluster. For more information, see `Cluster API server endpoint <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
+            :param public_access_cidrs: The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is ``0.0.0.0/0`` and additionally ``::/0`` for dual-stack ``IPv6`` clusters. If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate ``Pod`` in the cluster. For more information, see `Cluster API server endpoint <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** . Note that the public endpoints are dual-stack for only ``IPv6`` clusters that are made after October 2024. You can't add ``IPv6`` CIDR blocks to ``IPv4`` clusters or ``IPv6`` clusters that were made before October 2024.
             :param security_group_ids: Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don't specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see `Amazon EKS security group considerations <https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html>`_ in the **Amazon EKS User Guide** .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-resourcesvpcconfig.html
@@ -7897,7 +8148,7 @@ class CfnCluster(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''Set this value to ``true`` to enable private access for your cluster's Kubernetes API server endpoint.
 
-            If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is ``false`` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that ``publicAccessCidrs`` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see `Amazon EKS cluster endpoint access control <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
+            If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is ``false`` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that ``publicAccessCidrs`` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see `Cluster API server endpoint <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-resourcesvpcconfig.html#cfn-eks-cluster-resourcesvpcconfig-endpointprivateaccess
             '''
@@ -7910,7 +8161,7 @@ class CfnCluster(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''Set this value to ``false`` to disable public access to your cluster's Kubernetes API server endpoint.
 
-            If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is ``true`` , which enables public access for your Kubernetes API server. For more information, see `Amazon EKS cluster endpoint access control <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
+            If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is ``true`` , which enables public access for your Kubernetes API server. The endpoint domain name and IP address family depends on the value of the ``ipFamily`` for the cluster. For more information, see `Cluster API server endpoint <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-resourcesvpcconfig.html#cfn-eks-cluster-resourcesvpcconfig-endpointpublicaccess
             '''
@@ -7921,7 +8172,9 @@ class CfnCluster(
         def public_access_cidrs(self) -> typing.Optional[typing.List[builtins.str]]:
             '''The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint.
 
-            Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is ``0.0.0.0/0`` . If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate ``Pod`` in the cluster. For more information, see `Amazon EKS cluster endpoint access control <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
+            Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is ``0.0.0.0/0`` and additionally ``::/0`` for dual-stack ``IPv6`` clusters. If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate ``Pod`` in the cluster. For more information, see `Cluster API server endpoint <https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html>`_ in the **Amazon EKS User Guide** .
+
+            Note that the public endpoints are dual-stack for only ``IPv6`` clusters that are made after October 2024. You can't add ``IPv6`` CIDR blocks to ``IPv4`` clusters or ``IPv6`` clusters that were made before October 2024.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-resourcesvpcconfig.html#cfn-eks-cluster-resourcesvpcconfig-publicaccesscidrs
             '''
@@ -8141,6 +8394,7 @@ class CfnCluster(
         "access_config": "accessConfig",
         "bootstrap_self_managed_addons": "bootstrapSelfManagedAddons",
         "compute_config": "computeConfig",
+        "deletion_protection": "deletionProtection",
         "encryption_config": "encryptionConfig",
         "force": "force",
         "kubernetes_network_config": "kubernetesNetworkConfig",
@@ -8164,6 +8418,7 @@ class CfnClusterProps:
         access_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.AccessConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         compute_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ComputeConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         force: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -8182,8 +8437,9 @@ class CfnClusterProps:
         :param resources_vpc_config: The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see `Cluster VPC Considerations <https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html>`_ and `Cluster Security Group Considerations <https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html>`_ in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.
         :param role_arn: The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see `Amazon EKS Service IAM Role <https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html>`_ in the **Amazon EKS User Guide** .
         :param access_config: The access configuration for the cluster.
-        :param bootstrap_self_managed_addons: If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed. The default networking addons include vpc-cni, coredns, and kube-proxy. Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
+        :param bootstrap_self_managed_addons: If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed. The default networking add-ons include ``vpc-cni`` , ``coredns`` , and ``kube-proxy`` . Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
         :param compute_config: Indicates the current configuration of the compute capability on your EKS Auto Mode cluster. For example, if the capability is enabled or disabled. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your AWS account. For more information, see EKS Auto Mode compute capability in the *Amazon EKS User Guide* .
+        :param deletion_protection: The current deletion protection setting for the cluster. When ``true`` , deletion protection is enabled and the cluster cannot be deleted until protection is disabled. When ``false`` , the cluster can be deleted normally. This setting only applies to clusters in an active state.
         :param encryption_config: The encryption configuration for the cluster.
         :param force: Set this value to ``true`` to override upgrade-blocking readiness checks when updating a cluster. Default: - false
         :param kubernetes_network_config: The Kubernetes network configuration for the cluster.
@@ -8229,6 +8485,7 @@ class CfnClusterProps:
                     node_pools=["nodePools"],
                     node_role_arn="nodeRoleArn"
                 ),
+                deletion_protection=False,
                 encryption_config=[eks.CfnCluster.EncryptionConfigProperty(
                     provider=eks.CfnCluster.ProviderProperty(
                         key_arn="keyArn"
@@ -8296,6 +8553,7 @@ class CfnClusterProps:
             check_type(argname="argument access_config", value=access_config, expected_type=type_hints["access_config"])
             check_type(argname="argument bootstrap_self_managed_addons", value=bootstrap_self_managed_addons, expected_type=type_hints["bootstrap_self_managed_addons"])
             check_type(argname="argument compute_config", value=compute_config, expected_type=type_hints["compute_config"])
+            check_type(argname="argument deletion_protection", value=deletion_protection, expected_type=type_hints["deletion_protection"])
             check_type(argname="argument encryption_config", value=encryption_config, expected_type=type_hints["encryption_config"])
             check_type(argname="argument force", value=force, expected_type=type_hints["force"])
             check_type(argname="argument kubernetes_network_config", value=kubernetes_network_config, expected_type=type_hints["kubernetes_network_config"])
@@ -8318,6 +8576,8 @@ class CfnClusterProps:
             self._values["bootstrap_self_managed_addons"] = bootstrap_self_managed_addons
         if compute_config is not None:
             self._values["compute_config"] = compute_config
+        if deletion_protection is not None:
+            self._values["deletion_protection"] = deletion_protection
         if encryption_config is not None:
             self._values["encryption_config"] = encryption_config
         if force is not None:
@@ -8386,7 +8646,7 @@ class CfnClusterProps:
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
         '''If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed.
 
-        The default networking addons include vpc-cni, coredns, and kube-proxy.
+        The default networking add-ons include ``vpc-cni`` , ``coredns`` , and ``kube-proxy`` .
 
         Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
 
@@ -8408,6 +8668,19 @@ class CfnClusterProps:
         result = self._values.get("compute_config")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnCluster.ComputeConfigProperty]], result)
 
+    @builtins.property
+    def deletion_protection(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''The current deletion protection setting for the cluster.
+
+        When ``true`` , deletion protection is enabled and the cluster cannot be deleted until protection is disabled. When ``false`` , the cluster can be deleted normally. This setting only applies to clusters in an active state.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-deletionprotection
+        '''
+        result = self._values.get("deletion_protection")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
     @builtins.property
     def encryption_config(
         self,
@@ -8568,7 +8841,7 @@ class CfnClusterProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IFargateProfileRef_ebba9623, _ITaggable_36806126)
 class CfnFargateProfile(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -8633,7 +8906,8 @@ class CfnFargateProfile(
         subnets: typing.Optional[typing.Sequence[builtins.str]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::EKS::FargateProfile``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param cluster_name: The name of your cluster.
@@ -8702,6 +8976,12 @@ class CfnFargateProfile(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="fargateProfileRef")
+    def fargate_profile_ref(self) -> _FargateProfileReference_5fd534f8:
+        '''A reference to a FargateProfile resource.'''
+        return typing.cast(_FargateProfileReference_5fd534f8, jsii.get(self, "fargateProfileRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -9100,7 +9380,7 @@ class CfnFargateProfileProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IIdentityProviderConfigRef_0106e882, _ITaggable_36806126)
 class CfnIdentityProviderConfig(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -9158,7 +9438,8 @@ class CfnIdentityProviderConfig(
         oidc: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentityProviderConfig.OidcIdentityProviderConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::EKS::IdentityProviderConfig``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param cluster_name: The name of your cluster.
@@ -9225,6 +9506,12 @@ class CfnIdentityProviderConfig(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="identityProviderConfigRef")
+    def identity_provider_config_ref(self) -> _IdentityProviderConfigReference_7c0f381e:
+        '''A reference to a IdentityProviderConfig resource.'''
+        return typing.cast(_IdentityProviderConfigReference_7c0f381e, jsii.get(self, "identityProviderConfigRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -9689,7 +9976,7 @@ class CfnIdentityProviderConfigProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _INodegroupRef_cac0d8aa, _ITaggable_36806126)
 class CfnNodegroup(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -9737,7 +10024,17 @@ class CfnNodegroup(
             ),
             nodegroup_name="nodegroupName",
             node_repair_config=eks.CfnNodegroup.NodeRepairConfigProperty(
-                enabled=False
+                enabled=False,
+                max_parallel_nodes_repaired_count=123,
+                max_parallel_nodes_repaired_percentage=123,
+                max_unhealthy_node_threshold_count=123,
+                max_unhealthy_node_threshold_percentage=123,
+                node_repair_config_overrides=[eks.CfnNodegroup.NodeRepairConfigOverridesProperty(
+                    min_repair_wait_time_mins=123,
+                    node_monitoring_condition="nodeMonitoringCondition",
+                    node_unhealthy_reason="nodeUnhealthyReason",
+                    repair_action="repairAction"
+                )]
             ),
             release_version="releaseVersion",
             remote_access=eks.CfnNodegroup.RemoteAccessProperty(
@@ -9793,7 +10090,8 @@ class CfnNodegroup(
         update_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnNodegroup.UpdateConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         version: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::EKS::Nodegroup``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param cluster_name: The name of your cluster.
@@ -9914,6 +10212,12 @@ class CfnNodegroup(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="nodegroupRef")
+    def nodegroup_ref(self) -> _NodegroupReference_eab944f6:
+        '''A reference to a Nodegroup resource.'''
+        return typing.cast(_NodegroupReference_eab944f6, jsii.get(self, "nodegroupRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -10305,20 +10609,144 @@ class CfnNodegroup(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_eks.CfnNodegroup.NodeRepairConfigOverridesProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "min_repair_wait_time_mins": "minRepairWaitTimeMins",
+            "node_monitoring_condition": "nodeMonitoringCondition",
+            "node_unhealthy_reason": "nodeUnhealthyReason",
+            "repair_action": "repairAction",
+        },
+    )
+    class NodeRepairConfigOverridesProperty:
+        def __init__(
+            self,
+            *,
+            min_repair_wait_time_mins: typing.Optional[jsii.Number] = None,
+            node_monitoring_condition: typing.Optional[builtins.str] = None,
+            node_unhealthy_reason: typing.Optional[builtins.str] = None,
+            repair_action: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''Specify granular overrides for specific repair actions.
+
+            These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
+
+            :param min_repair_wait_time_mins: Specify the minimum time in minutes to wait before attempting to repair a node with this specific NodeMonitoringCondition and NodeUnhealthyReason.
+            :param node_monitoring_condition: Specify an unhealthy condition reported by the node monitoring agent that this override would apply to.
+            :param node_unhealthy_reason: Specify a reason reported by the node monitoring agent that this override would apply to.
+            :param repair_action: Specify the repair action to take for nodes when all of the specified conditions are met.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfigoverrides.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_eks as eks
+                
+                node_repair_config_overrides_property = eks.CfnNodegroup.NodeRepairConfigOverridesProperty(
+                    min_repair_wait_time_mins=123,
+                    node_monitoring_condition="nodeMonitoringCondition",
+                    node_unhealthy_reason="nodeUnhealthyReason",
+                    repair_action="repairAction"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__1c8182284f4e249d40ce1280381d42d4de802714ccdb98dd8928f394e7a79a18)
+                check_type(argname="argument min_repair_wait_time_mins", value=min_repair_wait_time_mins, expected_type=type_hints["min_repair_wait_time_mins"])
+                check_type(argname="argument node_monitoring_condition", value=node_monitoring_condition, expected_type=type_hints["node_monitoring_condition"])
+                check_type(argname="argument node_unhealthy_reason", value=node_unhealthy_reason, expected_type=type_hints["node_unhealthy_reason"])
+                check_type(argname="argument repair_action", value=repair_action, expected_type=type_hints["repair_action"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if min_repair_wait_time_mins is not None:
+                self._values["min_repair_wait_time_mins"] = min_repair_wait_time_mins
+            if node_monitoring_condition is not None:
+                self._values["node_monitoring_condition"] = node_monitoring_condition
+            if node_unhealthy_reason is not None:
+                self._values["node_unhealthy_reason"] = node_unhealthy_reason
+            if repair_action is not None:
+                self._values["repair_action"] = repair_action
+
+        @builtins.property
+        def min_repair_wait_time_mins(self) -> typing.Optional[jsii.Number]:
+            '''Specify the minimum time in minutes to wait before attempting to repair a node with this specific NodeMonitoringCondition and NodeUnhealthyReason.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfigoverrides.html#cfn-eks-nodegroup-noderepairconfigoverrides-minrepairwaittimemins
+            '''
+            result = self._values.get("min_repair_wait_time_mins")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def node_monitoring_condition(self) -> typing.Optional[builtins.str]:
+            '''Specify an unhealthy condition reported by the node monitoring agent that this override would apply to.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfigoverrides.html#cfn-eks-nodegroup-noderepairconfigoverrides-nodemonitoringcondition
+            '''
+            result = self._values.get("node_monitoring_condition")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def node_unhealthy_reason(self) -> typing.Optional[builtins.str]:
+            '''Specify a reason reported by the node monitoring agent that this override would apply to.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfigoverrides.html#cfn-eks-nodegroup-noderepairconfigoverrides-nodeunhealthyreason
+            '''
+            result = self._values.get("node_unhealthy_reason")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def repair_action(self) -> typing.Optional[builtins.str]:
+            '''Specify the repair action to take for nodes when all of the specified conditions are met.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfigoverrides.html#cfn-eks-nodegroup-noderepairconfigoverrides-repairaction
+            '''
+            result = self._values.get("repair_action")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "NodeRepairConfigOverridesProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_eks.CfnNodegroup.NodeRepairConfigProperty",
         jsii_struct_bases=[],
-        name_mapping={"enabled": "enabled"},
+        name_mapping={
+            "enabled": "enabled",
+            "max_parallel_nodes_repaired_count": "maxParallelNodesRepairedCount",
+            "max_parallel_nodes_repaired_percentage": "maxParallelNodesRepairedPercentage",
+            "max_unhealthy_node_threshold_count": "maxUnhealthyNodeThresholdCount",
+            "max_unhealthy_node_threshold_percentage": "maxUnhealthyNodeThresholdPercentage",
+            "node_repair_config_overrides": "nodeRepairConfigOverrides",
+        },
     )
     class NodeRepairConfigProperty:
         def __init__(
             self,
             *,
             enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+            max_parallel_nodes_repaired_count: typing.Optional[jsii.Number] = None,
+            max_parallel_nodes_repaired_percentage: typing.Optional[jsii.Number] = None,
+            max_unhealthy_node_threshold_count: typing.Optional[jsii.Number] = None,
+            max_unhealthy_node_threshold_percentage: typing.Optional[jsii.Number] = None,
+            node_repair_config_overrides: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnNodegroup.NodeRepairConfigOverridesProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         ) -> None:
             '''The node auto repair configuration for the node group.
 
             :param enabled: Specifies whether to enable node auto repair for the node group. Node auto repair is disabled by default.
+            :param max_parallel_nodes_repaired_count: Specify the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a count of unhealthy nodes. This gives you finer-grained control over the pace of node replacements. When using this, you cannot also set MaxParallelNodesRepairedPercentage at the same time.
+            :param max_parallel_nodes_repaired_percentage: Specify the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a percentage of unhealthy nodes. This gives you finer-grained control over the pace of node replacements. When using this, you cannot also set MaxParallelNodesRepairedCount at the same time.
+            :param max_unhealthy_node_threshold_count: Specify a count threshold of unhealthy nodes, above which node auto repair actions will stop. When using this, you cannot also set MaxUnhealthyNodeThresholdPercentage at the same time.
+            :param max_unhealthy_node_threshold_percentage: Specify a percentage threshold of unhealthy nodes, above which node auto repair actions will stop. When using this, you cannot also set MaxUnhealthyNodeThresholdCount at the same time.
+            :param node_repair_config_overrides: Specify granular overrides for specific repair actions. These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfig.html
             :exampleMetadata: fixture=_generated
@@ -10330,15 +10758,40 @@ class CfnNodegroup(
                 from aws_cdk import aws_eks as eks
                 
                 node_repair_config_property = eks.CfnNodegroup.NodeRepairConfigProperty(
-                    enabled=False
+                    enabled=False,
+                    max_parallel_nodes_repaired_count=123,
+                    max_parallel_nodes_repaired_percentage=123,
+                    max_unhealthy_node_threshold_count=123,
+                    max_unhealthy_node_threshold_percentage=123,
+                    node_repair_config_overrides=[eks.CfnNodegroup.NodeRepairConfigOverridesProperty(
+                        min_repair_wait_time_mins=123,
+                        node_monitoring_condition="nodeMonitoringCondition",
+                        node_unhealthy_reason="nodeUnhealthyReason",
+                        repair_action="repairAction"
+                    )]
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__29dbda55ee07f00e62bcfcbc392973b5c2850e347abc3e6692b5d82704d445f0)
                 check_type(argname="argument enabled", value=enabled, expected_type=type_hints["enabled"])
+                check_type(argname="argument max_parallel_nodes_repaired_count", value=max_parallel_nodes_repaired_count, expected_type=type_hints["max_parallel_nodes_repaired_count"])
+                check_type(argname="argument max_parallel_nodes_repaired_percentage", value=max_parallel_nodes_repaired_percentage, expected_type=type_hints["max_parallel_nodes_repaired_percentage"])
+                check_type(argname="argument max_unhealthy_node_threshold_count", value=max_unhealthy_node_threshold_count, expected_type=type_hints["max_unhealthy_node_threshold_count"])
+                check_type(argname="argument max_unhealthy_node_threshold_percentage", value=max_unhealthy_node_threshold_percentage, expected_type=type_hints["max_unhealthy_node_threshold_percentage"])
+                check_type(argname="argument node_repair_config_overrides", value=node_repair_config_overrides, expected_type=type_hints["node_repair_config_overrides"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
             if enabled is not None:
                 self._values["enabled"] = enabled
+            if max_parallel_nodes_repaired_count is not None:
+                self._values["max_parallel_nodes_repaired_count"] = max_parallel_nodes_repaired_count
+            if max_parallel_nodes_repaired_percentage is not None:
+                self._values["max_parallel_nodes_repaired_percentage"] = max_parallel_nodes_repaired_percentage
+            if max_unhealthy_node_threshold_count is not None:
+                self._values["max_unhealthy_node_threshold_count"] = max_unhealthy_node_threshold_count
+            if max_unhealthy_node_threshold_percentage is not None:
+                self._values["max_unhealthy_node_threshold_percentage"] = max_unhealthy_node_threshold_percentage
+            if node_repair_config_overrides is not None:
+                self._values["node_repair_config_overrides"] = node_repair_config_overrides
 
         @builtins.property
         def enabled(
@@ -10353,6 +10806,67 @@ class CfnNodegroup(
             result = self._values.get("enabled")
             return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
 
+        @builtins.property
+        def max_parallel_nodes_repaired_count(self) -> typing.Optional[jsii.Number]:
+            '''Specify the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a count of unhealthy nodes.
+
+            This gives you finer-grained control over the pace of node replacements. When using this, you cannot also set MaxParallelNodesRepairedPercentage at the same time.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfig.html#cfn-eks-nodegroup-noderepairconfig-maxparallelnodesrepairedcount
+            '''
+            result = self._values.get("max_parallel_nodes_repaired_count")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def max_parallel_nodes_repaired_percentage(
+            self,
+        ) -> typing.Optional[jsii.Number]:
+            '''Specify the maximum number of nodes that can be repaired concurrently or in parallel, expressed as a percentage of unhealthy nodes.
+
+            This gives you finer-grained control over the pace of node replacements. When using this, you cannot also set MaxParallelNodesRepairedCount at the same time.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfig.html#cfn-eks-nodegroup-noderepairconfig-maxparallelnodesrepairedpercentage
+            '''
+            result = self._values.get("max_parallel_nodes_repaired_percentage")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def max_unhealthy_node_threshold_count(self) -> typing.Optional[jsii.Number]:
+            '''Specify a count threshold of unhealthy nodes, above which node auto repair actions will stop.
+
+            When using this, you cannot also set MaxUnhealthyNodeThresholdPercentage at the same time.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfig.html#cfn-eks-nodegroup-noderepairconfig-maxunhealthynodethresholdcount
+            '''
+            result = self._values.get("max_unhealthy_node_threshold_count")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def max_unhealthy_node_threshold_percentage(
+            self,
+        ) -> typing.Optional[jsii.Number]:
+            '''Specify a percentage threshold of unhealthy nodes, above which node auto repair actions will stop.
+
+            When using this, you cannot also set MaxUnhealthyNodeThresholdCount at the same time.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfig.html#cfn-eks-nodegroup-noderepairconfig-maxunhealthynodethresholdpercentage
+            '''
+            result = self._values.get("max_unhealthy_node_threshold_percentage")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def node_repair_config_overrides(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNodegroup.NodeRepairConfigOverridesProperty"]]]]:
+            '''Specify granular overrides for specific repair actions.
+
+            These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-noderepairconfig.html#cfn-eks-nodegroup-noderepairconfig-noderepairconfigoverrides
+            '''
+            result = self._values.get("node_repair_config_overrides")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNodegroup.NodeRepairConfigOverridesProperty"]]]], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -10831,7 +11345,17 @@ class CfnNodegroupProps:
                 ),
                 nodegroup_name="nodegroupName",
                 node_repair_config=eks.CfnNodegroup.NodeRepairConfigProperty(
-                    enabled=False
+                    enabled=False,
+                    max_parallel_nodes_repaired_count=123,
+                    max_parallel_nodes_repaired_percentage=123,
+                    max_unhealthy_node_threshold_count=123,
+                    max_unhealthy_node_threshold_percentage=123,
+                    node_repair_config_overrides=[eks.CfnNodegroup.NodeRepairConfigOverridesProperty(
+                        min_repair_wait_time_mins=123,
+                        node_monitoring_condition="nodeMonitoringCondition",
+                        node_unhealthy_reason="nodeUnhealthyReason",
+                        repair_action="repairAction"
+                    )]
                 ),
                 release_version="releaseVersion",
                 remote_access=eks.CfnNodegroup.RemoteAccessProperty(
@@ -11159,7 +11683,7 @@ class CfnNodegroupProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _IPodIdentityAssociationRef_21f8b2b1, _ITaggableV2_4e6798f8)
 class CfnPodIdentityAssociation(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -11184,10 +11708,12 @@ class CfnPodIdentityAssociation(
             service_account="serviceAccount",
         
             # the properties below are optional
+            disable_session_tags=False,
             tags=[CfnTag(
                 key="key",
                 value="value"
-            )]
+            )],
+            target_role_arn="targetRoleArn"
         )
     '''
 
@@ -11200,16 +11726,21 @@ class CfnPodIdentityAssociation(
         namespace: builtins.str,
         role_arn: builtins.str,
         service_account: builtins.str,
+        disable_session_tags: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+        target_role_arn: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::EKS::PodIdentityAssociation``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param cluster_name: The name of the cluster that the association is in.
-        :param namespace: The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.
-        :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
+        :param namespace: The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.
+        :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.
         :param service_account: The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
+        :param disable_session_tags: The state of the automatic sessions tags. The value of *true* disables these tags. EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to AWS resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see `List of session tags added by EKS Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags>`_ in the *Amazon EKS User Guide* .
         :param tags: Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources. The following basic restrictions apply to tags: - Maximum number of tags per resource – 50 - For each resource, each tag key must be unique, and each tag key can have only one value. - Maximum key length – 128 Unicode characters in UTF-8 - Maximum value length – 256 Unicode characters in UTF-8 - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : /
+        :param target_role_arn: The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__be8311b6089cea26f85c63a586f0c5b063230a1b4a96ffcd4c6c983a331d8652)
@@ -11220,7 +11751,9 @@ class CfnPodIdentityAssociation(
             namespace=namespace,
             role_arn=role_arn,
             service_account=service_account,
+            disable_session_tags=disable_session_tags,
             tags=tags,
+            target_role_arn=target_role_arn,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -11273,6 +11806,19 @@ class CfnPodIdentityAssociation(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrAssociationId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrExternalId")
+    def attr_external_id(self) -> builtins.str:
+        '''The unique identifier for this EKS Pod Identity association for a target IAM role.
+
+        You put this value in the trust policy of the target role, in a ``Condition`` to match the ``sts.ExternalId`` . This ensures that the target role can only be assumed by this association. This prevents the *confused deputy problem* . For more information about the confused deputy problem, see `The confused deputy problem <https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html>`_ in the *IAM User Guide* .
+
+        If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow ``sts:AssumeRole`` access from each role.
+
+        :cloudformationAttribute: ExternalId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrExternalId"))
+
     @builtins.property
     @jsii.member(jsii_name="cdkTagManager")
     def cdk_tag_manager(self) -> _TagManager_0a598cb3:
@@ -11284,6 +11830,12 @@ class CfnPodIdentityAssociation(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="podIdentityAssociationRef")
+    def pod_identity_association_ref(self) -> _PodIdentityAssociationReference_14e19bbb:
+        '''A reference to a PodIdentityAssociation resource.'''
+        return typing.cast(_PodIdentityAssociationReference_14e19bbb, jsii.get(self, "podIdentityAssociationRef"))
+
     @builtins.property
     @jsii.member(jsii_name="clusterName")
     def cluster_name(self) -> builtins.str:
@@ -11336,6 +11888,27 @@ class CfnPodIdentityAssociation(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "serviceAccount", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="disableSessionTags")
+    def disable_session_tags(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''The state of the automatic sessions tags.
+
+        The value of *true* disables these tags.
+        '''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "disableSessionTags"))
+
+    @disable_session_tags.setter
+    def disable_session_tags(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__cb3dbe4cc3b44e9265bbfe13e41235db909b0c1dc0e052b3bdda07fd4b228e8b)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "disableSessionTags", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
@@ -11349,6 +11922,19 @@ class CfnPodIdentityAssociation(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "tags", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="targetRoleArn")
+    def target_role_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) of the target IAM role to associate with the service account.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "targetRoleArn"))
+
+    @target_role_arn.setter
+    def target_role_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__cb6220c6db8cf93a8a307b1ba0630d6bc64b4a09325e7cfe5854228aa75ff833)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "targetRoleArn", value) # pyright: ignore[reportArgumentType]
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_eks.CfnPodIdentityAssociationProps",
@@ -11358,7 +11944,9 @@ class CfnPodIdentityAssociation(
         "namespace": "namespace",
         "role_arn": "roleArn",
         "service_account": "serviceAccount",
+        "disable_session_tags": "disableSessionTags",
         "tags": "tags",
+        "target_role_arn": "targetRoleArn",
     },
 )
 class CfnPodIdentityAssociationProps:
@@ -11369,15 +11957,19 @@ class CfnPodIdentityAssociationProps:
         namespace: builtins.str,
         role_arn: builtins.str,
         service_account: builtins.str,
+        disable_session_tags: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+        target_role_arn: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Properties for defining a ``CfnPodIdentityAssociation``.
 
         :param cluster_name: The name of the cluster that the association is in.
-        :param namespace: The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.
-        :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
+        :param namespace: The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.
+        :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.
         :param service_account: The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
+        :param disable_session_tags: The state of the automatic sessions tags. The value of *true* disables these tags. EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to AWS resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see `List of session tags added by EKS Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags>`_ in the *Amazon EKS User Guide* .
         :param tags: Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources. The following basic restrictions apply to tags: - Maximum number of tags per resource – 50 - For each resource, each tag key must be unique, and each tag key can have only one value. - Maximum key length – 128 Unicode characters in UTF-8 - Maximum value length – 256 Unicode characters in UTF-8 - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : /
+        :param target_role_arn: The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-podidentityassociation.html
         :exampleMetadata: fixture=_generated
@@ -11395,10 +11987,12 @@ class CfnPodIdentityAssociationProps:
                 service_account="serviceAccount",
             
                 # the properties below are optional
+                disable_session_tags=False,
                 tags=[CfnTag(
                     key="key",
                     value="value"
-                )]
+                )],
+                target_role_arn="targetRoleArn"
             )
         '''
         if __debug__:
@@ -11407,15 +12001,21 @@ class CfnPodIdentityAssociationProps:
             check_type(argname="argument namespace", value=namespace, expected_type=type_hints["namespace"])
             check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
             check_type(argname="argument service_account", value=service_account, expected_type=type_hints["service_account"])
+            check_type(argname="argument disable_session_tags", value=disable_session_tags, expected_type=type_hints["disable_session_tags"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+            check_type(argname="argument target_role_arn", value=target_role_arn, expected_type=type_hints["target_role_arn"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "cluster_name": cluster_name,
             "namespace": namespace,
             "role_arn": role_arn,
             "service_account": service_account,
         }
+        if disable_session_tags is not None:
+            self._values["disable_session_tags"] = disable_session_tags
         if tags is not None:
             self._values["tags"] = tags
+        if target_role_arn is not None:
+            self._values["target_role_arn"] = target_role_arn
 
     @builtins.property
     def cluster_name(self) -> builtins.str:
@@ -11431,7 +12031,7 @@ class CfnPodIdentityAssociationProps:
     def namespace(self) -> builtins.str:
         '''The name of the Kubernetes namespace inside the cluster to create the association in.
 
-        The service account and the pods that use the service account must be in this namespace.
+        The service account and the Pods that use the service account must be in this namespace.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-podidentityassociation.html#cfn-eks-podidentityassociation-namespace
         '''
@@ -11443,7 +12043,7 @@ class CfnPodIdentityAssociationProps:
     def role_arn(self) -> builtins.str:
         '''The Amazon Resource Name (ARN) of the IAM role to associate with the service account.
 
-        The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
+        The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-podidentityassociation.html#cfn-eks-podidentityassociation-rolearn
         '''
@@ -11461,6 +12061,19 @@ class CfnPodIdentityAssociationProps:
         assert result is not None, "Required property 'service_account' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def disable_session_tags(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''The state of the automatic sessions tags. The value of *true* disables these tags.
+
+        EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to AWS resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see `List of session tags added by EKS Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags>`_ in the *Amazon EKS User Guide* .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-podidentityassociation.html#cfn-eks-podidentityassociation-disablesessiontags
+        '''
+        result = self._values.get("disable_session_tags")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
         '''Metadata that assists with categorization and organization.
@@ -11486,6 +12099,17 @@ class CfnPodIdentityAssociationProps:
         result = self._values.get("tags")
         return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
 
+    @builtins.property
+    def target_role_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) of the target IAM role to associate with the service account.
+
+        This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-podidentityassociation.html#cfn-eks-podidentityassociation-targetrolearn
+        '''
+        result = self._values.get("target_role_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -11928,15 +12552,15 @@ class ClusterLoggingTypes(enum.Enum):
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         
         
         cluster = eks.Cluster(self, "Cluster",
             # ...
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             cluster_logging=[eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.SCHEDULER
             ],
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            kubectl_layer=KubectlV34Layer(self, "kubectl")
         )
     '''
 
@@ -11984,7 +12608,7 @@ class CommonClusterOptions:
         :param version: The Kubernetes version to run in the cluster.
         :param cluster_name: Name for the cluster. Default: - Automatically generated name
         :param output_cluster_name: Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false
-        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true
+        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and the ARN of the masters IAM role. Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted. Default: true
         :param role: Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
@@ -12085,9 +12709,13 @@ class CommonClusterOptions:
         '''Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized.
 
         This command will include
-        the cluster name and, if applicable, the ARN of the masters IAM role.
+        the cluster name and the ARN of the masters IAM role.
+
+        Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted.
 
         :default: true
+
+        :see: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks-readme.html#masters-role
         '''
         result = self._values.get("output_config_command")
         return typing.cast(typing.Optional[builtins.bool], result)
@@ -12172,13 +12800,13 @@ class DefaultCapacityType(enum.Enum):
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         
         
         cluster = eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             default_capacity_type=eks.DefaultCapacityType.EC2,
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            kubectl_layer=KubectlV34Layer(self, "kubectl")
         )
     '''
 
@@ -12345,13 +12973,13 @@ class EndpointAccess(
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         
         
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             endpoint_access=eks.EndpointAccess.PRIVATE,  # No access outside of your VPC.
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            kubectl_layer=KubectlV34Layer(self, "kubectl")
         )
     '''
 
@@ -14525,7 +15153,7 @@ class IpFamily(enum.Enum):
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         # vpc: ec2.Vpc
         
         
@@ -14550,11 +15178,11 @@ class IpFamily(enum.Enum):
             subnetcount = subnetcount + 1
         
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             vpc=vpc,
             ip_family=eks.IpFamily.IP_V6,
             vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)],
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            kubectl_layer=KubectlV34Layer(self, "kubectl")
         )
     '''
 
@@ -14893,6 +15521,12 @@ class KubernetesManifest(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="RESOURCE_TYPE")
     def RESOURCE_TYPE(cls) -> builtins.str:
@@ -15675,21 +16309,19 @@ class KubernetesVersion(
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
-        
-        # or
-        # vpc: ec2.Vpc
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         
         
-        eks.Cluster(self, "MyCluster",
-            kubectl_memory=Size.gibibytes(4),
-            version=eks.KubernetesVersion.V1_32,
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+        cluster = eks.Cluster(self, "HelloEKS",
+            version=eks.KubernetesVersion.V1_34,
+            default_capacity=0,
+            kubectl_layer=KubectlV34Layer(self, "kubectl")
         )
-        eks.Cluster.from_cluster_attributes(self, "MyCluster",
-            kubectl_memory=Size.gibibytes(4),
-            vpc=vpc,
-            cluster_name="cluster-name"
+        
+        cluster.add_nodegroup_capacity("custom-node-group",
+            instance_types=[ec2.InstanceType("m5.large")],
+            min_size=4,
+            disk_size=100
         )
     '''
 
@@ -15914,6 +16546,28 @@ class KubernetesVersion(
         '''
         return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_32"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="V1_33")
+    def V1_33(cls) -> "KubernetesVersion":
+        '''Kubernetes version 1.33.
+
+        When creating a ``Cluster`` with this version, you need to also specify the
+        ``kubectlLayer`` property with a ``KubectlV33Layer`` from
+        ``@aws-cdk/lambda-layer-kubectl-v33``.
+        '''
+        return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_33"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="V1_34")
+    def V1_34(cls) -> "KubernetesVersion":
+        '''Kubernetes version 1.34.
+
+        When creating a ``Cluster`` with this version, you need to also specify the
+        ``kubectlLayer`` property with a ``KubectlV34Layer`` from
+        ``@aws-cdk/lambda-layer-kubectl-v34``.
+        '''
+        return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_34"))
+
     @builtins.property
     @jsii.member(jsii_name="version")
     def version(self) -> builtins.str:
@@ -16225,6 +16879,12 @@ class Nodegroup(
             check_type(argname="argument nodegroup_name", value=nodegroup_name, expected_type=type_hints["nodegroup_name"])
         return typing.cast(INodegroup, jsii.sinvoke(cls, "fromNodegroupName", [scope, id, nodegroup_name]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="cluster")
     def cluster(self) -> ICluster:
@@ -16313,6 +16973,8 @@ class NodegroupAmiType(enum.Enum):
     '''Amazon Linux 2023 with AWS Neuron drivers (x86-64).'''
     AL2023_X86_64_NVIDIA = "AL2023_X86_64_NVIDIA"
     '''Amazon Linux 2023 with NVIDIA drivers (x86-64).'''
+    AL2023_ARM_64_NVIDIA = "AL2023_ARM_64_NVIDIA"
+    '''Amazon Linux 2023 with NVIDIA drivers (ARM-64).'''
     AL2023_ARM_64_STANDARD = "AL2023_ARM_64_STANDARD"
     '''Amazon Linux 2023 (ARM-64).'''
 
@@ -17334,6 +17996,12 @@ class OpenIdConnectProvider(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_eks.OpenIdConnectProviderProps",
@@ -18066,6 +18734,17 @@ class ServiceLoadBalancerAddressOptions:
 class TaintEffect(enum.Enum):
     '''Effect types of kubernetes node taint.
 
+    Note: These values are specifically for AWS EKS NodeGroups and use the AWS API format.
+    When using AWS CLI or API, taint effects must be NO_SCHEDULE, PREFER_NO_SCHEDULE, or NO_EXECUTE.
+    When using Kubernetes directly or kubectl, taint effects must be NoSchedule, PreferNoSchedule, or NoExecute.
+
+    For Kubernetes manifests (like Karpenter NodePools), use string literals with PascalCase format:
+
+    - 'NoSchedule' instead of TaintEffect.NO_SCHEDULE
+    - 'PreferNoSchedule' instead of TaintEffect.PREFER_NO_SCHEDULE
+    - 'NoExecute' instead of TaintEffect.NO_EXECUTE
+
+    :see: https://docs.aws.amazon.com/eks/latest/userguide/node-taints-managed-node-groups.html
     :exampleMetadata: infused
 
     Example::
@@ -18286,6 +18965,12 @@ class AccessEntry(
             check_type(argname="argument new_access_policies", value=new_access_policies, expected_type=type_hints["new_access_policies"])
         return typing.cast(None, jsii.invoke(self, "addAccessPolicies", [new_access_policies]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="accessEntryArn")
     def access_entry_arn(self) -> builtins.str:
@@ -18391,10 +19076,13 @@ class Addon(
         
         eks.Addon(self, "Addon",
             cluster=cluster,
-            addon_name="aws-guardduty-agent",
-            addon_version="v1.6.1",
+            addon_name="coredns",
+            addon_version="v1.11.4-eksbuild.2",
             # whether to preserve the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on.
-            preserve_on_delete=False
+            preserve_on_delete=False,
+            configuration_values={
+                "replica_count": 2
+            }
         )
     '''
 
@@ -18406,6 +19094,7 @@ class Addon(
         addon_name: builtins.str,
         cluster: ICluster,
         addon_version: typing.Optional[builtins.str] = None,
+        configuration_values: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
         preserve_on_delete: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''Creates a new Amazon EKS Add-On.
@@ -18415,6 +19104,7 @@ class Addon(
         :param addon_name: Name of the Add-On.
         :param cluster: The EKS cluster the Add-On is associated with.
         :param addon_version: Version of the Add-On. You can check all available versions with describe-addon-versions. For example, this lists all available versions for the ``eks-pod-identity-agent`` addon: $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent --query 'addons[*].addonVersions[*].addonVersion' Default: the latest version.
+        :param configuration_values: The configuration values for the Add-on. Default: - Use default configuration.
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed. Default: true
         '''
         if __debug__:
@@ -18425,6 +19115,7 @@ class Addon(
             addon_name=addon_name,
             cluster=cluster,
             addon_version=addon_version,
+            configuration_values=configuration_values,
             preserve_on_delete=preserve_on_delete,
         )
 
@@ -18480,6 +19171,12 @@ class Addon(
 
         return typing.cast(IAddon, jsii.sinvoke(cls, "fromAddonAttributes", [scope, id, attrs]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="addonArn")
     def addon_arn(self) -> builtins.str:
@@ -18508,7 +19205,7 @@ class Cluster(
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         
         # or
         # vpc: ec2.Vpc
@@ -18516,8 +19213,8 @@ class Cluster(
         
         eks.Cluster(self, "MyCluster",
             kubectl_memory=Size.gibibytes(4),
-            version=eks.KubernetesVersion.V1_32,
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            version=eks.KubernetesVersion.V1_34,
+            kubectl_layer=KubectlV34Layer(self, "kubectl")
         )
         eks.Cluster.from_cluster_attributes(self, "MyCluster",
             kubectl_memory=Size.gibibytes(4),
@@ -18532,6 +19229,7 @@ class Cluster(
         id: builtins.str,
         *,
         bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
+        bootstrap_self_managed_addons: typing.Optional[builtins.bool] = None,
         default_capacity: typing.Optional[jsii.Number] = None,
         default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -18556,7 +19254,8 @@ class Cluster(
         prune: typing.Optional[builtins.bool] = None,
         remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-        secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+        removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+        secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         version: KubernetesVersion,
         cluster_name: typing.Optional[builtins.str] = None,
@@ -18572,6 +19271,7 @@ class Cluster(
         :param scope: a Construct, most likely a cdk.Stack created.
         :param id: the id of the Construct to create.
         :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
+        :param bootstrap_self_managed_addons: If you set this value to False when creating a cluster, the default networking add-ons will not be installed. The default networking addons include vpc-cni, coredns, and kube-proxy. Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
         :param default_capacity: Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through ``defaultCapacityInstanceType``, which defaults to ``m5.large``. Use ``cluster.addAutoScalingGroupCapacity`` to add additional customized capacity. Set this to ``0`` is you wish to avoid the initial capacity allocation. Default: 2
         :param default_capacity_instance: The instance type to use for the default capacity. This will only be taken into account if ``defaultCapacity`` is > 0. Default: m5.large
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
@@ -18596,12 +19296,13 @@ class Cluster(
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
         :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
         :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
+        :param removal_policy: The removal policy applied to all CloudFormation resources created by this construct when they are no longer managed by CloudFormation. This can happen in one of three situations: - The resource is removed from the template, so CloudFormation stops managing it; - A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it; - The stack is deleted, so CloudFormation stops managing all resources in it. This affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC and any other CloudFormation resources managed by this construct. Default: - Resources will be deleted.
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
         :param version: The Kubernetes version to run in the cluster.
         :param cluster_name: Name for the cluster. Default: - Automatically generated name
         :param output_cluster_name: Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false
-        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true
+        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and the ARN of the masters IAM role. Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted. Default: true
         :param role: Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
@@ -18613,6 +19314,7 @@ class Cluster(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = ClusterProps(
             bootstrap_cluster_creator_admin_permissions=bootstrap_cluster_creator_admin_permissions,
+            bootstrap_self_managed_addons=bootstrap_self_managed_addons,
             default_capacity=default_capacity,
             default_capacity_instance=default_capacity_instance,
             default_capacity_type=default_capacity_type,
@@ -18637,6 +19339,7 @@ class Cluster(
             prune=prune,
             remote_node_networks=remote_node_networks,
             remote_pod_networks=remote_pod_networks,
+            removal_policy=removal_policy,
             secrets_encryption_key=secrets_encryption_key,
             service_ipv4_cidr=service_ipv4_cidr,
             version=version,
@@ -18814,7 +19517,7 @@ class Cluster(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instances. ``launchTemplate`` and ``mixedInstancesPolicy`` must not be specified when this property is specified You can either specify ``keyPair`` or ``keyName``, not both. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Feature flag ``AUTOSCALING_GENERATE_LAUNCH_TEMPLATE`` must be enabled to use this property. ``launchTemplate`` and ``mixedInstancesPolicy`` must not be specified when this property is specified. You can either specify ``keyPair`` or ``keyName``, not both. Default: - No SSH access will be possible.
         :param max_capacity: Maximum number of instances in the fleet. Default: desiredCapacity
-        :param max_instance_lifetime: The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 604,800 seconds (7 days). To clear a previously set value, leave this property undefined. Default: none
+        :param max_instance_lifetime: The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 86,400 seconds (one day). To clear a previously set value, leave this property undefined. Default: none
         :param min_capacity: Minimum number of instances in the fleet. Default: 1
         :param new_instances_protected_from_scale_in: Whether newly-launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in. By default, Auto Scaling can terminate an instance at any time after launch when scaling in an Auto Scaling Group, subject to the group's termination policy. However, you may wish to protect newly-launched instances from being scaled in if they are going to run critical applications that should not be prematurely terminated. This flag must be enabled if the Auto Scaling Group will be associated with an ECS Capacity Provider with managed termination protection. Default: false
         :param notifications: Configure autoscaling group to send notifications about fleet changes to an SNS topic(s). Default: - No fleet change notifications will be sent.
@@ -19248,6 +19951,12 @@ class Cluster(
             check_type(argname="argument access_policies", value=access_policies, expected_type=type_hints["access_policies"])
         return typing.cast(None, jsii.invoke(self, "grantAccess", [id, principal, access_policies]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="adminRole")
     def admin_role(self) -> _Role_e8c6e11f:
@@ -19578,6 +20287,7 @@ class Cluster(
         "prune": "prune",
         "remote_node_networks": "remoteNodeNetworks",
         "remote_pod_networks": "remotePodNetworks",
+        "removal_policy": "removalPolicy",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
     },
@@ -19613,7 +20323,8 @@ class ClusterOptions(CommonClusterOptions):
         prune: typing.Optional[builtins.bool] = None,
         remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-        secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+        removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+        secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Options for EKS clusters.
@@ -19621,7 +20332,7 @@ class ClusterOptions(CommonClusterOptions):
         :param version: The Kubernetes version to run in the cluster.
         :param cluster_name: Name for the cluster. Default: - Automatically generated name
         :param output_cluster_name: Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false
-        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true
+        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and the ARN of the masters IAM role. Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted. Default: true
         :param role: Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
@@ -19645,6 +20356,7 @@ class ClusterOptions(CommonClusterOptions):
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
         :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
         :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
+        :param removal_policy: The removal policy applied to all CloudFormation resources created by this construct when they are no longer managed by CloudFormation. This can happen in one of three situations: - The resource is removed from the template, so CloudFormation stops managing it; - A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it; - The stack is deleted, so CloudFormation stops managing all resources in it. This affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC and any other CloudFormation resources managed by this construct. Default: - Resources will be deleted.
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
 
@@ -19658,12 +20370,12 @@ class ClusterOptions(CommonClusterOptions):
             from aws_cdk import aws_ec2 as ec2
             from aws_cdk import aws_eks as eks
             from aws_cdk import aws_iam as iam
-            from aws_cdk import aws_kms as kms
             from aws_cdk import aws_lambda as lambda_
+            from aws_cdk.interfaces import aws_kms as interfaces_aws_kms
             
             # alb_controller_version: eks.AlbControllerVersion
             # endpoint_access: eks.EndpointAccess
-            # key: kms.Key
+            # key_ref: interfaces_aws_kms.IKeyRef
             # kubernetes_version: eks.KubernetesVersion
             # layer_version: lambda.LayerVersion
             # policy: Any
@@ -19718,8 +20430,9 @@ class ClusterOptions(CommonClusterOptions):
                 remote_pod_networks=[eks.RemotePodNetwork(
                     cidrs=["cidrs"]
                 )],
+                removal_policy=cdk.RemovalPolicy.DESTROY,
                 role=role,
-                secrets_encryption_key=key,
+                secrets_encryption_key=key_ref,
                 security_group=security_group,
                 service_ipv4_cidr="serviceIpv4Cidr",
                 vpc=vpc,
@@ -19764,6 +20477,7 @@ class ClusterOptions(CommonClusterOptions):
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
             check_type(argname="argument remote_node_networks", value=remote_node_networks, expected_type=type_hints["remote_node_networks"])
             check_type(argname="argument remote_pod_networks", value=remote_pod_networks, expected_type=type_hints["remote_pod_networks"])
+            check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -19820,6 +20534,8 @@ class ClusterOptions(CommonClusterOptions):
             self._values["remote_node_networks"] = remote_node_networks
         if remote_pod_networks is not None:
             self._values["remote_pod_networks"] = remote_pod_networks
+        if removal_policy is not None:
+            self._values["removal_policy"] = removal_policy
         if secrets_encryption_key is not None:
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
@@ -19855,9 +20571,13 @@ class ClusterOptions(CommonClusterOptions):
         '''Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized.
 
         This command will include
-        the cluster name and, if applicable, the ARN of the masters IAM role.
+        the cluster name and the ARN of the masters IAM role.
+
+        Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted.
 
         :default: true
+
+        :see: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks-readme.html#masters-role
         '''
         result = self._values.get("output_config_command")
         return typing.cast(typing.Optional[builtins.bool], result)
@@ -20125,7 +20845,25 @@ class ClusterOptions(CommonClusterOptions):
         return typing.cast(typing.Optional[typing.List[RemotePodNetwork]], result)
 
     @builtins.property
-    def secrets_encryption_key(self) -> typing.Optional[_IKey_5f11635f]:
+    def removal_policy(self) -> typing.Optional[_RemovalPolicy_9f93c814]:
+        '''The removal policy applied to all CloudFormation resources created by this construct when they are no longer managed by CloudFormation.
+
+        This can happen in one of three situations:
+
+        - The resource is removed from the template, so CloudFormation stops managing it;
+        - A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it;
+        - The stack is deleted, so CloudFormation stops managing all resources in it.
+
+        This affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC
+        and any other CloudFormation resources managed by this construct.
+
+        :default: - Resources will be deleted.
+        '''
+        result = self._values.get("removal_policy")
+        return typing.cast(typing.Optional[_RemovalPolicy_9f93c814], result)
+
+    @builtins.property
+    def secrets_encryption_key(self) -> typing.Optional[_IKeyRef_d4fc6ef3]:
         '''KMS secret for envelope encryption for Kubernetes secrets.
 
         :default:
@@ -20135,7 +20873,7 @@ class ClusterOptions(CommonClusterOptions):
         using AWS-Managed encryption keys.
         '''
         result = self._values.get("secrets_encryption_key")
-        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+        return typing.cast(typing.Optional[_IKeyRef_d4fc6ef3], result)
 
     @builtins.property
     def service_ipv4_cidr(self) -> typing.Optional[builtins.str]:
@@ -20194,9 +20932,11 @@ class ClusterOptions(CommonClusterOptions):
         "prune": "prune",
         "remote_node_networks": "remoteNodeNetworks",
         "remote_pod_networks": "remotePodNetworks",
+        "removal_policy": "removalPolicy",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
         "bootstrap_cluster_creator_admin_permissions": "bootstrapClusterCreatorAdminPermissions",
+        "bootstrap_self_managed_addons": "bootstrapSelfManagedAddons",
         "default_capacity": "defaultCapacity",
         "default_capacity_instance": "defaultCapacityInstance",
         "default_capacity_type": "defaultCapacityType",
@@ -20235,9 +20975,11 @@ class ClusterProps(ClusterOptions):
         prune: typing.Optional[builtins.bool] = None,
         remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-        secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+        removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+        secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
+        bootstrap_self_managed_addons: typing.Optional[builtins.bool] = None,
         default_capacity: typing.Optional[jsii.Number] = None,
         default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
         default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -20249,7 +20991,7 @@ class ClusterProps(ClusterOptions):
         :param version: The Kubernetes version to run in the cluster.
         :param cluster_name: Name for the cluster. Default: - Automatically generated name
         :param output_cluster_name: Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false
-        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true
+        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and the ARN of the masters IAM role. Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted. Default: true
         :param role: Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
@@ -20273,9 +21015,11 @@ class ClusterProps(ClusterOptions):
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
         :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
         :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
+        :param removal_policy: The removal policy applied to all CloudFormation resources created by this construct when they are no longer managed by CloudFormation. This can happen in one of three situations: - The resource is removed from the template, so CloudFormation stops managing it; - A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it; - The stack is deleted, so CloudFormation stops managing all resources in it. This affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC and any other CloudFormation resources managed by this construct. Default: - Resources will be deleted.
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
         :param bootstrap_cluster_creator_admin_permissions: Whether or not IAM principal of the cluster creator was set as a cluster admin access entry during cluster creation time. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
+        :param bootstrap_self_managed_addons: If you set this value to False when creating a cluster, the default networking add-ons will not be installed. The default networking addons include vpc-cni, coredns, and kube-proxy. Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons. Changing this value after the cluster has been created will result in the cluster being replaced. Default: true
         :param default_capacity: Number of instances to allocate as an initial capacity for this cluster. Instance type can be configured through ``defaultCapacityInstanceType``, which defaults to ``m5.large``. Use ``cluster.addAutoScalingGroupCapacity`` to add additional customized capacity. Set this to ``0`` is you wish to avoid the initial capacity allocation. Default: 2
         :param default_capacity_instance: The instance type to use for the default capacity. This will only be taken into account if ``defaultCapacity`` is > 0. Default: m5.large
         :param default_capacity_type: The default capacity type for the cluster. Default: NODEGROUP
@@ -20286,7 +21030,7 @@ class ClusterProps(ClusterOptions):
 
         Example::
 
-            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
             
             # or
             # vpc: ec2.Vpc
@@ -20294,8 +21038,8 @@ class ClusterProps(ClusterOptions):
             
             eks.Cluster(self, "MyCluster",
                 kubectl_memory=Size.gibibytes(4),
-                version=eks.KubernetesVersion.V1_32,
-                kubectl_layer=KubectlV32Layer(self, "kubectl")
+                version=eks.KubernetesVersion.V1_34,
+                kubectl_layer=KubectlV34Layer(self, "kubectl")
             )
             eks.Cluster.from_cluster_attributes(self, "MyCluster",
                 kubectl_memory=Size.gibibytes(4),
@@ -20334,9 +21078,11 @@ class ClusterProps(ClusterOptions):
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
             check_type(argname="argument remote_node_networks", value=remote_node_networks, expected_type=type_hints["remote_node_networks"])
             check_type(argname="argument remote_pod_networks", value=remote_pod_networks, expected_type=type_hints["remote_pod_networks"])
+            check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
             check_type(argname="argument bootstrap_cluster_creator_admin_permissions", value=bootstrap_cluster_creator_admin_permissions, expected_type=type_hints["bootstrap_cluster_creator_admin_permissions"])
+            check_type(argname="argument bootstrap_self_managed_addons", value=bootstrap_self_managed_addons, expected_type=type_hints["bootstrap_self_managed_addons"])
             check_type(argname="argument default_capacity", value=default_capacity, expected_type=type_hints["default_capacity"])
             check_type(argname="argument default_capacity_instance", value=default_capacity_instance, expected_type=type_hints["default_capacity_instance"])
             check_type(argname="argument default_capacity_type", value=default_capacity_type, expected_type=type_hints["default_capacity_type"])
@@ -20396,12 +21142,16 @@ class ClusterProps(ClusterOptions):
             self._values["remote_node_networks"] = remote_node_networks
         if remote_pod_networks is not None:
             self._values["remote_pod_networks"] = remote_pod_networks
+        if removal_policy is not None:
+            self._values["removal_policy"] = removal_policy
         if secrets_encryption_key is not None:
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
             self._values["service_ipv4_cidr"] = service_ipv4_cidr
         if bootstrap_cluster_creator_admin_permissions is not None:
             self._values["bootstrap_cluster_creator_admin_permissions"] = bootstrap_cluster_creator_admin_permissions
+        if bootstrap_self_managed_addons is not None:
+            self._values["bootstrap_self_managed_addons"] = bootstrap_self_managed_addons
         if default_capacity is not None:
             self._values["default_capacity"] = default_capacity
         if default_capacity_instance is not None:
@@ -20443,9 +21193,13 @@ class ClusterProps(ClusterOptions):
         '''Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized.
 
         This command will include
-        the cluster name and, if applicable, the ARN of the masters IAM role.
+        the cluster name and the ARN of the masters IAM role.
+
+        Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted.
 
         :default: true
+
+        :see: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks-readme.html#masters-role
         '''
         result = self._values.get("output_config_command")
         return typing.cast(typing.Optional[builtins.bool], result)
@@ -20713,7 +21467,25 @@ class ClusterProps(ClusterOptions):
         return typing.cast(typing.Optional[typing.List[RemotePodNetwork]], result)
 
     @builtins.property
-    def secrets_encryption_key(self) -> typing.Optional[_IKey_5f11635f]:
+    def removal_policy(self) -> typing.Optional[_RemovalPolicy_9f93c814]:
+        '''The removal policy applied to all CloudFormation resources created by this construct when they are no longer managed by CloudFormation.
+
+        This can happen in one of three situations:
+
+        - The resource is removed from the template, so CloudFormation stops managing it;
+        - A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it;
+        - The stack is deleted, so CloudFormation stops managing all resources in it.
+
+        This affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC
+        and any other CloudFormation resources managed by this construct.
+
+        :default: - Resources will be deleted.
+        '''
+        result = self._values.get("removal_policy")
+        return typing.cast(typing.Optional[_RemovalPolicy_9f93c814], result)
+
+    @builtins.property
+    def secrets_encryption_key(self) -> typing.Optional[_IKeyRef_d4fc6ef3]:
         '''KMS secret for envelope encryption for Kubernetes secrets.
 
         :default:
@@ -20723,7 +21495,7 @@ class ClusterProps(ClusterOptions):
         using AWS-Managed encryption keys.
         '''
         result = self._values.get("secrets_encryption_key")
-        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+        return typing.cast(typing.Optional[_IKeyRef_d4fc6ef3], result)
 
     @builtins.property
     def service_ipv4_cidr(self) -> typing.Optional[builtins.str]:
@@ -20752,6 +21524,20 @@ class ClusterProps(ClusterOptions):
         result = self._values.get("bootstrap_cluster_creator_admin_permissions")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def bootstrap_self_managed_addons(self) -> typing.Optional[builtins.bool]:
+        '''If you set this value to False when creating a cluster, the default networking add-ons will not be installed.
+
+        The default networking addons include vpc-cni, coredns, and kube-proxy.
+        Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
+
+        Changing this value after the cluster has been created will result in the cluster being replaced.
+
+        :default: true
+        '''
+        result = self._values.get("bootstrap_self_managed_addons")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def default_capacity(self) -> typing.Optional[jsii.Number]:
         '''Number of instances to allocate as an initial capacity for this cluster.
@@ -20833,12 +21619,12 @@ class FargateCluster(
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         
         
         cluster = eks.FargateCluster(self, "MyCluster",
-            version=eks.KubernetesVersion.V1_32,
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            version=eks.KubernetesVersion.V1_34,
+            kubectl_layer=KubectlV34Layer(self, "kubectl")
         )
     '''
 
@@ -20867,7 +21653,8 @@ class FargateCluster(
         prune: typing.Optional[builtins.bool] = None,
         remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-        secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+        removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+        secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         version: KubernetesVersion,
         cluster_name: typing.Optional[builtins.str] = None,
@@ -20901,12 +21688,13 @@ class FargateCluster(
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
         :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
         :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
+        :param removal_policy: The removal policy applied to all CloudFormation resources created by this construct when they are no longer managed by CloudFormation. This can happen in one of three situations: - The resource is removed from the template, so CloudFormation stops managing it; - A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it; - The stack is deleted, so CloudFormation stops managing all resources in it. This affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC and any other CloudFormation resources managed by this construct. Default: - Resources will be deleted.
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
         :param version: The Kubernetes version to run in the cluster.
         :param cluster_name: Name for the cluster. Default: - Automatically generated name
         :param output_cluster_name: Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false
-        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true
+        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and the ARN of the masters IAM role. Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted. Default: true
         :param role: Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
@@ -20937,6 +21725,7 @@ class FargateCluster(
             prune=prune,
             remote_node_networks=remote_node_networks,
             remote_pod_networks=remote_pod_networks,
+            removal_policy=removal_policy,
             secrets_encryption_key=secrets_encryption_key,
             service_ipv4_cidr=service_ipv4_cidr,
             version=version,
@@ -20951,6 +21740,12 @@ class FargateCluster(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="defaultProfile")
     def default_profile(self) -> FargateProfile:
@@ -20989,6 +21784,7 @@ class FargateCluster(
         "prune": "prune",
         "remote_node_networks": "remoteNodeNetworks",
         "remote_pod_networks": "remotePodNetworks",
+        "removal_policy": "removalPolicy",
         "secrets_encryption_key": "secretsEncryptionKey",
         "service_ipv4_cidr": "serviceIpv4Cidr",
         "default_profile": "defaultProfile",
@@ -21025,7 +21821,8 @@ class FargateClusterProps(ClusterOptions):
         prune: typing.Optional[builtins.bool] = None,
         remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
         remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-        secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+        removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+        secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -21034,7 +21831,7 @@ class FargateClusterProps(ClusterOptions):
         :param version: The Kubernetes version to run in the cluster.
         :param cluster_name: Name for the cluster. Default: - Automatically generated name
         :param output_cluster_name: Determines whether a CloudFormation output with the name of the cluster will be synthesized. Default: false
-        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and, if applicable, the ARN of the masters IAM role. Default: true
+        :param output_config_command: Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized. This command will include the cluster name and the ARN of the masters IAM role. Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted. Default: true
         :param role: Role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Default: - A role is automatically created for you
         :param security_group: Security Group to use for Control Plane ENIs. Default: - A security group is automatically created
         :param vpc: The VPC in which to create the Cluster. Default: - a VPC with default configuration will be created and can be accessed through ``cluster.vpc``.
@@ -21058,6 +21855,7 @@ class FargateClusterProps(ClusterOptions):
         :param prune: Indicates whether Kubernetes resources added through ``addManifest()`` can be automatically pruned. When this is enabled (default), prune labels will be allocated and injected to each resource. These labels will then be used when issuing the ``kubectl apply`` operation with the ``--prune`` switch. Default: true
         :param remote_node_networks: IPv4 CIDR blocks defining the expected address range of hybrid nodes that will join the cluster. Default: - none
         :param remote_pod_networks: IPv4 CIDR blocks for Pods running Kubernetes webhooks on hybrid nodes. Default: - none
+        :param removal_policy: The removal policy applied to all CloudFormation resources created by this construct when they are no longer managed by CloudFormation. This can happen in one of three situations: - The resource is removed from the template, so CloudFormation stops managing it; - A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it; - The stack is deleted, so CloudFormation stops managing all resources in it. This affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC and any other CloudFormation resources managed by this construct. Default: - Resources will be deleted.
         :param secrets_encryption_key: KMS secret for envelope encryption for Kubernetes secrets. Default: - By default, Kubernetes stores all secret object data within etcd and all etcd volumes used by Amazon EKS are encrypted at the disk-level using AWS-Managed encryption keys.
         :param service_ipv4_cidr: The CIDR block to assign Kubernetes service IP addresses from. Default: - Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
         :param default_profile: Fargate Profile to create along with the cluster. Default: - A profile called "default" with 'default' and 'kube-system' selectors will be created if this is left undefined.
@@ -21066,12 +21864,12 @@ class FargateClusterProps(ClusterOptions):
 
         Example::
 
-            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
             
             
             cluster = eks.FargateCluster(self, "MyCluster",
-                version=eks.KubernetesVersion.V1_32,
-                kubectl_layer=KubectlV32Layer(self, "kubectl")
+                version=eks.KubernetesVersion.V1_34,
+                kubectl_layer=KubectlV34Layer(self, "kubectl")
             )
         '''
         if isinstance(alb_controller, dict):
@@ -21107,6 +21905,7 @@ class FargateClusterProps(ClusterOptions):
             check_type(argname="argument prune", value=prune, expected_type=type_hints["prune"])
             check_type(argname="argument remote_node_networks", value=remote_node_networks, expected_type=type_hints["remote_node_networks"])
             check_type(argname="argument remote_pod_networks", value=remote_pod_networks, expected_type=type_hints["remote_pod_networks"])
+            check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
             check_type(argname="argument secrets_encryption_key", value=secrets_encryption_key, expected_type=type_hints["secrets_encryption_key"])
             check_type(argname="argument service_ipv4_cidr", value=service_ipv4_cidr, expected_type=type_hints["service_ipv4_cidr"])
             check_type(argname="argument default_profile", value=default_profile, expected_type=type_hints["default_profile"])
@@ -21164,6 +21963,8 @@ class FargateClusterProps(ClusterOptions):
             self._values["remote_node_networks"] = remote_node_networks
         if remote_pod_networks is not None:
             self._values["remote_pod_networks"] = remote_pod_networks
+        if removal_policy is not None:
+            self._values["removal_policy"] = removal_policy
         if secrets_encryption_key is not None:
             self._values["secrets_encryption_key"] = secrets_encryption_key
         if service_ipv4_cidr is not None:
@@ -21201,9 +22002,13 @@ class FargateClusterProps(ClusterOptions):
         '''Determines whether a CloudFormation output with the ``aws eks update-kubeconfig`` command will be synthesized.
 
         This command will include
-        the cluster name and, if applicable, the ARN of the masters IAM role.
+        the cluster name and the ARN of the masters IAM role.
+
+        Note: If mastersRole is not specified, this property will be ignored and no config command will be emitted.
 
         :default: true
+
+        :see: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks-readme.html#masters-role
         '''
         result = self._values.get("output_config_command")
         return typing.cast(typing.Optional[builtins.bool], result)
@@ -21471,7 +22276,25 @@ class FargateClusterProps(ClusterOptions):
         return typing.cast(typing.Optional[typing.List[RemotePodNetwork]], result)
 
     @builtins.property
-    def secrets_encryption_key(self) -> typing.Optional[_IKey_5f11635f]:
+    def removal_policy(self) -> typing.Optional[_RemovalPolicy_9f93c814]:
+        '''The removal policy applied to all CloudFormation resources created by this construct when they are no longer managed by CloudFormation.
+
+        This can happen in one of three situations:
+
+        - The resource is removed from the template, so CloudFormation stops managing it;
+        - A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it;
+        - The stack is deleted, so CloudFormation stops managing all resources in it.
+
+        This affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC
+        and any other CloudFormation resources managed by this construct.
+
+        :default: - Resources will be deleted.
+        '''
+        result = self._values.get("removal_policy")
+        return typing.cast(typing.Optional[_RemovalPolicy_9f93c814], result)
+
+    @builtins.property
+    def secrets_encryption_key(self) -> typing.Optional[_IKeyRef_d4fc6ef3]:
         '''KMS secret for envelope encryption for Kubernetes secrets.
 
         :default:
@@ -21481,7 +22304,7 @@ class FargateClusterProps(ClusterOptions):
         using AWS-Managed encryption keys.
         '''
         result = self._values.get("secrets_encryption_key")
-        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+        return typing.cast(typing.Optional[_IKeyRef_d4fc6ef3], result)
 
     @builtins.property
     def service_ipv4_cidr(self) -> typing.Optional[builtins.str]:
@@ -21766,6 +22589,7 @@ def _typecheckingstub__febc9f6cb4243d885b1b1838be38d633e7c5fc6534eaaf731f00a2465
     addon_name: builtins.str,
     cluster: ICluster,
     addon_version: typing.Optional[builtins.str] = None,
+    configuration_values: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
     preserve_on_delete: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
@@ -22057,6 +22881,7 @@ def _typecheckingstub__45ff0728c7d6fc5f47c97aa791c327f70a32e19bdf463d94d9351053f
     cluster_name: builtins.str,
     addon_version: typing.Optional[builtins.str] = None,
     configuration_values: typing.Optional[builtins.str] = None,
+    namespace_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.NamespaceConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     pod_identity_associations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.PodIdentityAssociationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     preserve_on_delete: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     resolve_conflicts: typing.Optional[builtins.str] = None,
@@ -22102,6 +22927,12 @@ def _typecheckingstub__f2b158aed78a78d2962c2650df64f6c3880ccb508ebd6b281bda6c1a1
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__039b518895f39f54dce3ea31a35bed66445fb7b5e7f4c52a89adafc86911f331(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnAddon.NamespaceConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__04a430658e28600fba10a8c3e5edab2978904829dda6f2c70e9cca8560f7e400(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnAddon.PodIdentityAssociationProperty]]]],
 ) -> None:
@@ -22132,6 +22963,13 @@ def _typecheckingstub__61cfcc2cd9aba81e02df7f2a5c976044dc5e5cbf6c05b880c4944cb35
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__c336eaf5f7476c60c3b0b8dc688fc9ea53319525b39f820a30e2510a38e67cbc(
+    *,
+    namespace: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__3925c850dd0d0ad3b9faeea87aafbe69220a7bf33d95af5527715674625c9891(
     *,
     role_arn: builtins.str,
@@ -22146,6 +22984,7 @@ def _typecheckingstub__484b2779e40e4780cb0940ac7bc9daaf91fa04347613d732138d3be3d
     cluster_name: builtins.str,
     addon_version: typing.Optional[builtins.str] = None,
     configuration_values: typing.Optional[builtins.str] = None,
+    namespace_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.NamespaceConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     pod_identity_associations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAddon.PodIdentityAssociationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     preserve_on_delete: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     resolve_conflicts: typing.Optional[builtins.str] = None,
@@ -22164,6 +23003,7 @@ def _typecheckingstub__d3e62a858014f3867f3039d1328d57223fb0d16e3fb6d1e2d79279938
     access_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.AccessConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     compute_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ComputeConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     force: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -22180,6 +23020,22 @@ def _typecheckingstub__d3e62a858014f3867f3039d1328d57223fb0d16e3fb6d1e2d79279938
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__b7520097767a23a7f7b750879adb8df71436766d2ad7c356ce08243330524e31(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__06b7df746bf67240facb00749c1c399634c9167d5acb1747f034220efaf30f49(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    cluster_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__4ce8181eaff5e47deffee284e9005fc3985d7f0cc2ae10f69530ae44c00c9022(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -22222,6 +23078,12 @@ def _typecheckingstub__5d35f88b28db161e1414d604c41ffc1d10fcf76351a0503d110f81158
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__19e2a4eccf6e2e232dc5d0a9572dba914015320e88042ef8f90020cd0d14b037(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b161fda542258d1cd8a20fecd3943cacecb658f19ab16b918baf49908459644c(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnCluster.EncryptionConfigProperty]]]],
 ) -> None:
@@ -22448,6 +23310,7 @@ def _typecheckingstub__270f142a59c249328ab174c5b0484cfdae6e3110ab52578dbe783d6f8
     access_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.AccessConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     compute_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ComputeConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     force: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -22803,9 +23666,24 @@ def _typecheckingstub__e659212680af90c8732b5ec096030b6902f35121f1ca1a82a513ebaa5
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__1c8182284f4e249d40ce1280381d42d4de802714ccdb98dd8928f394e7a79a18(
+    *,
+    min_repair_wait_time_mins: typing.Optional[jsii.Number] = None,
+    node_monitoring_condition: typing.Optional[builtins.str] = None,
+    node_unhealthy_reason: typing.Optional[builtins.str] = None,
+    repair_action: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__29dbda55ee07f00e62bcfcbc392973b5c2850e347abc3e6692b5d82704d445f0(
     *,
     enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    max_parallel_nodes_repaired_count: typing.Optional[jsii.Number] = None,
+    max_parallel_nodes_repaired_percentage: typing.Optional[jsii.Number] = None,
+    max_unhealthy_node_threshold_count: typing.Optional[jsii.Number] = None,
+    max_unhealthy_node_threshold_percentage: typing.Optional[jsii.Number] = None,
+    node_repair_config_overrides: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNodegroup.NodeRepairConfigOverridesProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22878,7 +23756,9 @@ def _typecheckingstub__be8311b6089cea26f85c63a586f0c5b063230a1b4a96ffcd4c6c983a3
     namespace: builtins.str,
     role_arn: builtins.str,
     service_account: builtins.str,
+    disable_session_tags: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    target_role_arn: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22919,19 +23799,33 @@ def _typecheckingstub__ea3bb34348aff57e29a5352e7460510bda8dd51720dbf7d275297137f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__cb3dbe4cc3b44e9265bbfe13e41235db909b0c1dc0e052b3bdda07fd4b228e8b(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b0e0a0551adefc10761733af04b8c51e7dad6b483be9252882ecff10539c7dcc(
     value: typing.Optional[typing.List[_CfnTag_f6864754]],
 ) -> None:
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__cb6220c6db8cf93a8a307b1ba0630d6bc64b4a09325e7cfe5854228aa75ff833(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__40e8da56b529234cdbb596fa46af952a935adf744e907347861dfc232b89038b(
     *,
     cluster_name: builtins.str,
     namespace: builtins.str,
     role_arn: builtins.str,
     service_account: builtins.str,
+    disable_session_tags: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    target_role_arn: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -23543,6 +24437,7 @@ def _typecheckingstub__a8342124e215d4789acf852df764143c4809251dbcaa86f6b4a11860e
     addon_name: builtins.str,
     cluster: ICluster,
     addon_version: typing.Optional[builtins.str] = None,
+    configuration_values: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
     preserve_on_delete: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
@@ -23571,6 +24466,7 @@ def _typecheckingstub__786576ad54eacdb9ab8e92277c0fd07f813bc56d4243937f3b5a85c0c
     id: builtins.str,
     *,
     bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
+    bootstrap_self_managed_addons: typing.Optional[builtins.bool] = None,
     default_capacity: typing.Optional[jsii.Number] = None,
     default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -23595,7 +24491,8 @@ def _typecheckingstub__786576ad54eacdb9ab8e92277c0fd07f813bc56d4243937f3b5a85c0c
     prune: typing.Optional[builtins.bool] = None,
     remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-    secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+    removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+    secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     version: KubernetesVersion,
     cluster_name: typing.Optional[builtins.str] = None,
@@ -23835,7 +24732,8 @@ def _typecheckingstub__0b45b97fda36b43e872f90f9fe4cde65de855b50b3acfd236c1f400ef
     prune: typing.Optional[builtins.bool] = None,
     remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-    secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+    removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+    secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -23870,9 +24768,11 @@ def _typecheckingstub__ce7a73a63de29ba5e5b5cd5cabde7aca1c4bc7d119de52fc4c0f11d99
     prune: typing.Optional[builtins.bool] = None,
     remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-    secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+    removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+    secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     bootstrap_cluster_creator_admin_permissions: typing.Optional[builtins.bool] = None,
+    bootstrap_self_managed_addons: typing.Optional[builtins.bool] = None,
     default_capacity: typing.Optional[jsii.Number] = None,
     default_capacity_instance: typing.Optional[_InstanceType_f64915b9] = None,
     default_capacity_type: typing.Optional[DefaultCapacityType] = None,
@@ -23906,7 +24806,8 @@ def _typecheckingstub__ae166d791f5d5176f3386726c22bc44afedf5d336437a3513e3740387
     prune: typing.Optional[builtins.bool] = None,
     remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-    secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+    removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+    secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     version: KubernetesVersion,
     cluster_name: typing.Optional[builtins.str] = None,
@@ -23949,7 +24850,8 @@ def _typecheckingstub__f11c7f989209f6213cb855d2846bb0b2b79a6a2b85eb0d65939e981df
     prune: typing.Optional[builtins.bool] = None,
     remote_node_networks: typing.Optional[typing.Sequence[typing.Union[RemoteNodeNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
     remote_pod_networks: typing.Optional[typing.Sequence[typing.Union[RemotePodNetwork, typing.Dict[builtins.str, typing.Any]]]] = None,
-    secrets_encryption_key: typing.Optional[_IKey_5f11635f] = None,
+    removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
+    secrets_encryption_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     default_profile: typing.Optional[typing.Union[FargateProfileOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -23963,3 +24865,6 @@ def _typecheckingstub__b393c3f294ed9f8582743840eca786b8cd915c5b4df9d362597e69dbe
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IAccessEntry, IAccessPolicy, IAddon, ICluster, IKubectlProvider, INodegroup]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])