aws-cdk.aws-eks-v2-alpha 2.206.0a0__py3-none-any.whl → 2.231.0a0__py3-none-any.whl

aws_cdk/aws_eks_v2_alpha/__init__.py

@@ -4,13 +4,13 @@ r'''
 <!--BEGIN STABILITY BANNER-->---
 
 
-![cdk-constructs: Experimental](https://img.shields.io/badge/cdk--constructs-experimental-important.svg?style=for-the-badge)
+![cdk-constructs: Developer Preview](https://img.shields.io/badge/cdk--constructs-developer--preview-informational.svg?style=for-the-badge)
 
-> The APIs of higher level constructs in this module are experimental and under active development.
-> They are subject to non-backward compatible changes or removal in any future version. These are
-> not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be
-> announced in the release notes. This means that while you may use them, you may need to update
-> your source code when upgrading to a newer version of this package.
+> The APIs of higher level constructs in this module are in **developer preview** before they
+> become stable. We will only make breaking changes to address unforeseen API issues. Therefore,
+> these APIs are not subject to [Semantic Versioning](https://semver.org/), and breaking changes
+> will be announced in release notes. This means that while you may use them, you may need to
+> update your source code when upgrading to a newer version of this package.
 
 ---
 <!--END STABILITY BANNER-->
@@ -33,39 +33,88 @@ Here is the minimal example of defining an AWS EKS cluster
 
 ```python
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 ```
 
 ## Architecture
 
-```text
- +-----------------------------------------------+
- | EKS Cluster      | kubectl |  |
- | -----------------|<--------+| Kubectl Handler |
- | AWS::EKS::Cluster             (Optional)      |
- | +--------------------+    +-----------------+ |
- | |                    |    |                 | |
- | | Managed Node Group |    | Fargate Profile | |
- | |                    |    |                 | |
- | +--------------------+    +-----------------+ |
- +-----------------------------------------------+
-    ^
-    | connect self managed capacity
-    +
- +--------------------+
- | Auto Scaling Group |
- +--------------------+
+```text                                             +-----------------+
+                                         kubectl    |                 |
+                                      +------------>| Kubectl Handler |
+                                      |             |   (Optional)    |
+                                      |             +-----------------+
++-------------------------------------+-------------------------------------+
+|                        EKS Cluster (Auto Mode)                            |
+|                          AWS::EKS::Cluster                                |
+|                                                                           |
+|  +---------------------------------------------------------------------+  |
+|  |           Auto Mode Compute (Managed by EKS) (Default)              |  |
+|  |                                                                     |  |
+|  |  - Automatically provisions EC2 instances                           |  |
+|  |  - Auto scaling based on pod requirements                           |  |
+|  |  - No manual node group configuration needed                        |  |
+|  |                                                                     |  |
+|  +---------------------------------------------------------------------+  |
+|                                                                           |
++---------------------------------------------------------------------------+
 ```
 
 In a nutshell:
 
-* EKS Cluster - The cluster endpoint created by EKS.
-* Managed Node Group - EC2 worker nodes managed by EKS.
-* Fargate Profile - Fargate worker nodes managed by EKS.
-* Auto Scaling Group - EC2 worker nodes managed by the user.
-* Kubectl Handler (Optional) - Custom resource (i.e Lambda Function) for invoking kubectl commands on the
-  cluster - created by CDK
+* **[Auto Mode](#eks-auto-mode)** (Default) – The fully managed capacity mode in EKS.
+  EKS automatically provisions and scales  EC2 capacity based on pod requirements.
+  It manages internal *system* and *general-purpose* NodePools, handles networking and storage setup, and removes the need for user-managed node groups or Auto Scaling Groups.
+
+  ```python
+  cluster = eks.Cluster(self, "AutoModeCluster",
+      version=eks.KubernetesVersion.V1_34
+  )
+  ```
+* **[Managed Node Groups](#managed-node-groups)** – The semi-managed capacity mode.
+  EKS provisions and manages EC2 nodes on your behalf but you configure the instance types, scaling ranges, and update strategy.
+  AWS handles node health, draining, and rolling updates while you retain control over scaling and cost optimization.
+
+  You can also define *Fargate Profiles* that determine which pods or namespaces run on Fargate infrastructure.
+
+  ```python
+  cluster = eks.Cluster(self, "ManagedNodeCluster",
+      version=eks.KubernetesVersion.V1_34,
+      default_capacity_type=eks.DefaultCapacityType.NODEGROUP
+  )
+
+  # Add a Fargate Profile for specific workloads (e.g., default namespace)
+  cluster.add_fargate_profile("FargateProfile",
+      selectors=[eks.Selector(namespace="default")
+      ]
+  )
+  ```
+* **[Fargate Mode](#fargate-profiles)** – The Fargate capacity mode.
+  EKS runs your pods directly on AWS Fargate without provisioning EC2 nodes.
+
+  ```python
+  cluster = eks.FargateCluster(self, "FargateCluster",
+      version=eks.KubernetesVersion.V1_34
+  )
+  ```
+* **[Self-Managed Nodes](#self-managed-capacity)** – The fully manual capacity mode.
+  You create and manage EC2 instances (via an Auto Scaling Group) and connect them to the cluster manually.
+  This provides maximum flexibility for custom AMIs or configurations but also the highest operational overhead.
+
+  ```python
+  cluster = eks.Cluster(self, "SelfManagedCluster",
+      version=eks.KubernetesVersion.V1_34
+  )
+
+  # Add self-managed Auto Scaling Group
+  cluster.add_auto_scaling_group_capacity("self-managed-asg",
+      instance_type=ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
+      min_capacity=1,
+      max_capacity=5
+  )
+  ```
+* **[Kubectl Handler](#kubectl-support) (Optional)** – A Lambda-backed custom resource created by the AWS CDK to execute `kubectl` commands (like `apply` or `patch`) during deployment.
+  Regardless of the capacity mode, this handler may still be created to apply Kubernetes manifests as part of CDK provisioning.
 
 ## Provisioning cluster
 
@@ -73,7 +122,7 @@ Creating a new cluster is done using the `Cluster` constructs. The only required
 
 ```python
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 ```
 
@@ -81,7 +130,7 @@ You can also use `FargateCluster` to provision a cluster that uses only fargate
 
 ```python
 eks.FargateCluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 ```
 
@@ -90,22 +139,22 @@ be created by default. It will only be deployed when `kubectlProviderOptions`
 property is used.**
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     kubectl_provider_options=eks.KubectlProviderOptions(
-        kubectl_layer=KubectlV32Layer(self, "kubectl")
+        kubectl_layer=KubectlV34Layer(self, "kubectl")
     )
 )
 ```
 
-## EKS Auto Mode
+### EKS Auto Mode
 
 [Amazon EKS Auto Mode](https://aws.amazon.com/eks/auto-mode/) extends AWS management of Kubernetes clusters beyond the cluster itself, allowing AWS to set up and manage the infrastructure that enables the smooth operation of your workloads.
 
-### Using Auto Mode
+#### Using Auto Mode
 
 While `aws-eks` uses `DefaultCapacityType.NODEGROUP` by default, `aws-eks-v2` uses `DefaultCapacityType.AUTOMODE` as the default capacity type.
 
@@ -114,7 +163,7 @@ Auto Mode is enabled by default when creating a new cluster without specifying a
 ```python
 # Create EKS cluster with Auto Mode implicitly enabled
 cluster = eks.Cluster(self, "EksAutoCluster",
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 ```
 
@@ -123,12 +172,12 @@ You can also explicitly enable Auto Mode using `defaultCapacityType`:
 ```python
 # Create EKS cluster with Auto Mode explicitly enabled
 cluster = eks.Cluster(self, "EksAutoCluster",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.AUTOMODE
 )
 ```
 
-### Node Pools
+#### Node Pools
 
 When Auto Mode is enabled, the cluster comes with two default node pools:
 
@@ -139,7 +188,7 @@ These node pools are managed automatically by EKS. You can configure which node
 
 ```python
 cluster = eks.Cluster(self, "EksAutoCluster",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.AUTOMODE,
     compute=eks.ComputeConfig(
         node_pools=["system", "general-purpose"]
@@ -149,13 +198,13 @@ cluster = eks.Cluster(self, "EksAutoCluster",
 
 For more information, see [Create a Node Pool for EKS Auto Mode](https://docs.aws.amazon.com/eks/latest/userguide/create-node-pool.html).
 
-### Disabling Default Node Pools
+#### Disabling Default Node Pools
 
 You can disable the default node pools entirely by setting an empty array for `nodePools`. This is useful when you want to use Auto Mode features but manage your compute resources separately:
 
 ```python
 cluster = eks.Cluster(self, "EksAutoCluster",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.AUTOMODE,
     compute=eks.ComputeConfig(
         node_pools=[]
@@ -172,7 +221,7 @@ If you prefer to manage your own node groups instead of using Auto Mode, you can
 ```python
 # Create EKS cluster with traditional managed node group
 cluster = eks.Cluster(self, "EksCluster",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.NODEGROUP,
     default_capacity=3,  # Number of instances
     default_capacity_instance=ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.LARGE)
@@ -183,7 +232,7 @@ You can also create a cluster with no initial capacity and add node groups later
 
 ```python
 cluster = eks.Cluster(self, "EksCluster",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.NODEGROUP,
     default_capacity=0
 )
@@ -204,7 +253,7 @@ You can combine Auto Mode with traditional node groups for specific workload req
 
 ```python
 cluster = eks.Cluster(self, "Cluster",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.AUTOMODE,
     compute=eks.ComputeConfig(
         node_pools=["system", "general-purpose"]
@@ -243,7 +292,7 @@ By default, when using `DefaultCapacityType.NODEGROUP`, this library will alloca
 
 ```python
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.NODEGROUP
 )
 ```
@@ -252,7 +301,7 @@ At cluster instantiation time, you can customize the number of instances and the
 
 ```python
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.NODEGROUP,
     default_capacity=5,
     default_capacity_instance=ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.SMALL)
@@ -265,7 +314,7 @@ Additional customizations are available post instantiation. To apply them, set t
 
 ```python
 cluster = eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     default_capacity_type=eks.DefaultCapacityType.NODEGROUP,
     default_capacity=0
 )
@@ -318,7 +367,7 @@ The following code defines an Amazon EKS cluster with a default Fargate Profile
 
 ```python
 cluster = eks.FargateCluster(self, "MyCluster",
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 ```
 
@@ -329,6 +378,39 @@ pods running on Fargate. For ingress, we recommend that you use the [ALB Ingress
 Controller](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html)
 on Amazon EKS (minimum version v1.1.4).
 
+### Self-managed capacity
+
+Self-managed capacity gives you the most control over your worker nodes by allowing you to create and manage your own EC2 Auto Scaling Groups. This approach provides maximum flexibility for custom AMIs, instance configurations, and scaling policies, but requires more operational overhead.
+
+You can add self-managed capacity to any cluster using the `addAutoScalingGroupCapacity` method:
+
+```python
+cluster = eks.Cluster(self, "Cluster",
+    version=eks.KubernetesVersion.V1_34
+)
+
+cluster.add_auto_scaling_group_capacity("self-managed-nodes",
+    instance_type=ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
+    min_capacity=1,
+    max_capacity=10,
+    desired_capacity=3
+)
+```
+
+You can specify custom subnets for the Auto Scaling Group:
+
+```python
+# vpc: ec2.Vpc
+# cluster: eks.Cluster
+
+
+cluster.add_auto_scaling_group_capacity("custom-subnet-nodes",
+    vpc_subnets=ec2.SubnetSelection(subnets=vpc.private_subnets),
+    instance_type=ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
+    min_capacity=2
+)
+```
+
 ### Endpoint Access
 
 When you create a new cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as `kubectl`)
@@ -337,7 +419,7 @@ You can configure the [cluster endpoint access](https://docs.aws.amazon.com/eks/
 
 ```python
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     endpoint_access=eks.EndpointAccess.PRIVATE
 )
 ```
@@ -359,7 +441,7 @@ To deploy the controller on your EKS cluster, configure the `albController` prop
 
 ```python
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     alb_controller=eks.AlbControllerOptions(
         version=eks.AlbControllerVersion.V2_8_2
     )
@@ -401,7 +483,7 @@ You can specify the VPC of the cluster using the `vpc` and `vpcSubnets` properti
 
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     vpc=vpc,
     vpc_subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)]
 )
@@ -445,13 +527,13 @@ To create a `Kubectl Handler`, use `kubectlProviderOptions` when creating the cl
 `kubectlLayer` is the only required property in `kubectlProviderOptions`.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     kubectl_provider_options=eks.KubectlProviderOptions(
-        kubectl_layer=KubectlV32Layer(self, "kubectl")
+        kubectl_layer=KubectlV34Layer(self, "kubectl")
     )
 )
 ```
@@ -461,9 +543,6 @@ eks.Cluster(self, "hello-eks",
 If you want to use an existing kubectl provider function, for example with tight trusted entities on your IAM Roles - you can import the existing provider and then use the imported provider when importing the cluster:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
-
-
 handler_role = iam.Role.from_role_arn(self, "HandlerRole", "arn:aws:iam::123456789012:role/lambda-role")
 # get the serivceToken from the custom resource provider
 function_arn = lambda_.Function.from_function_name(self, "ProviderOnEventFunc", "ProviderframeworkonEvent-XXX").function_arn
@@ -483,13 +562,13 @@ cluster = eks.Cluster.from_cluster_attributes(self, "Cluster",
 You can configure the environment of this function by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     kubectl_provider_options=eks.KubectlProviderOptions(
-        kubectl_layer=KubectlV32Layer(self, "kubectl"),
+        kubectl_layer=KubectlV34Layer(self, "kubectl"),
         environment={
             "http_proxy": "http://proxy.myproxy.com"
         }
@@ -510,13 +589,13 @@ Depending on which version of kubernetes you're targeting, you will need to use
 the `@aws-cdk/lambda-layer-kubectl-vXY` packages.
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 cluster = eks.Cluster(self, "hello-eks",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     kubectl_provider_options=eks.KubectlProviderOptions(
-        kubectl_layer=KubectlV32Layer(self, "kubectl")
+        kubectl_layer=KubectlV34Layer(self, "kubectl")
     )
 )
 ```
@@ -526,15 +605,15 @@ cluster = eks.Cluster(self, "hello-eks",
 By default, the kubectl provider is configured with 1024MiB of memory. You can use the `memory` option to specify the memory size for the AWS Lambda function:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 
 
 eks.Cluster(self, "MyCluster",
     kubectl_provider_options=eks.KubectlProviderOptions(
-        kubectl_layer=KubectlV32Layer(self, "kubectl"),
+        kubectl_layer=KubectlV34Layer(self, "kubectl"),
         memory=Size.gibibytes(4)
     ),
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 ```
 
@@ -567,7 +646,7 @@ When you create a cluster, you can specify a `mastersRole`. The `Cluster` constr
 # role: iam.Role
 
 eks.Cluster(self, "HelloEKS",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     masters_role=role
 )
 ```
@@ -588,7 +667,7 @@ You can use the `secretsEncryptionKey` to configure which key the cluster will u
 secrets_key = kms.Key(self, "SecretsKey")
 cluster = eks.Cluster(self, "MyCluster",
     secrets_encryption_key=secrets_key,
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 ```
 
@@ -598,7 +677,7 @@ You can also use a similar configuration for running a cluster built using the F
 secrets_key = kms.Key(self, "SecretsKey")
 cluster = eks.FargateCluster(self, "MyFargateCluster",
     secrets_encryption_key=secrets_key,
-    version=eks.KubernetesVersion.V1_32
+    version=eks.KubernetesVersion.V1_34
 )
 ```
 
@@ -641,7 +720,7 @@ eks.AccessPolicy.from_access_policy_name("AmazonEKSAdminPolicy",
 Use `grantAccess()` to grant the AccessPolicy to an IAM principal:
 
 ```python
-from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
 # vpc: ec2.Vpc
 
 
@@ -656,9 +735,9 @@ eks_admin_role = iam.Role(self, "EKSAdminRole",
 cluster = eks.Cluster(self, "Cluster",
     vpc=vpc,
     masters_role=cluster_admin_role,
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     kubectl_provider_options=eks.KubectlProviderOptions(
-        kubectl_layer=KubectlV32Layer(self, "kubectl"),
+        kubectl_layer=KubectlV34Layer(self, "kubectl"),
         memory=Size.gibibytes(4)
     )
 )
@@ -843,7 +922,7 @@ when a cluster is defined:
 
 ```python
 eks.Cluster(self, "MyCluster",
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     prune=False
 )
 ```
@@ -1162,7 +1241,7 @@ property. For example:
 ```python
 cluster = eks.Cluster(self, "Cluster",
     # ...
-    version=eks.KubernetesVersion.V1_32,
+    version=eks.KubernetesVersion.V1_34,
     cluster_logging=[eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.SCHEDULER
     ]
 )
@@ -1218,9 +1297,9 @@ import aws_cdk as _aws_cdk_ceddda9d
 import aws_cdk.aws_autoscaling as _aws_cdk_aws_autoscaling_ceddda9d
 import aws_cdk.aws_ec2 as _aws_cdk_aws_ec2_ceddda9d
 import aws_cdk.aws_iam as _aws_cdk_aws_iam_ceddda9d
-import aws_cdk.aws_kms as _aws_cdk_aws_kms_ceddda9d
 import aws_cdk.aws_lambda as _aws_cdk_aws_lambda_ceddda9d
 import aws_cdk.aws_s3_assets as _aws_cdk_aws_s3_assets_ceddda9d
+import aws_cdk.interfaces.aws_kms as _aws_cdk_interfaces_aws_kms_ceddda9d
 import constructs as _constructs_77d1e7e8
 
 
@@ -2202,7 +2281,7 @@ class AlbControllerOptions:
         Example::
 
             eks.Cluster(self, "HelloEKS",
-                version=eks.KubernetesVersion.V1_32,
+                version=eks.KubernetesVersion.V1_34,
                 alb_controller=eks.AlbControllerOptions(
                     version=eks.AlbControllerVersion.V2_8_2
                 )
@@ -2414,7 +2493,7 @@ class AlbControllerVersion(
     Example::
 
         eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             alb_controller=eks.AlbControllerOptions(
                 version=eks.AlbControllerVersion.V2_8_2
             )
@@ -2900,7 +2979,7 @@ class AutoScalingGroupCapacityOptions(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instances. ``launchTemplate`` and ``mixedInstancesPolicy`` must not be specified when this property is specified You can either specify ``keyPair`` or ``keyName``, not both. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Feature flag ``AUTOSCALING_GENERATE_LAUNCH_TEMPLATE`` must be enabled to use this property. ``launchTemplate`` and ``mixedInstancesPolicy`` must not be specified when this property is specified. You can either specify ``keyPair`` or ``keyName``, not both. Default: - No SSH access will be possible.
         :param max_capacity: Maximum number of instances in the fleet. Default: desiredCapacity
-        :param max_instance_lifetime: The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 604,800 seconds (7 days). To clear a previously set value, leave this property undefined. Default: none
+        :param max_instance_lifetime: The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 86,400 seconds (one day). To clear a previously set value, leave this property undefined. Default: none
         :param min_capacity: Minimum number of instances in the fleet. Default: 1
         :param new_instances_protected_from_scale_in: Whether newly-launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in. By default, Auto Scaling can terminate an instance at any time after launch when scaling in an Auto Scaling Group, subject to the group's termination policy. However, you may wish to protect newly-launched instances from being scaled in if they are going to run critical applications that should not be prematurely terminated. This flag must be enabled if the Auto Scaling Group will be associated with an ECS Capacity Provider with managed termination protection. Default: false
         :param notifications: Configure autoscaling group to send notifications about fleet changes to an SNS topic(s). Default: - No fleet change notifications will be sent.
@@ -2921,12 +3000,15 @@ class AutoScalingGroupCapacityOptions(
 
         Example::
 
-            # vpc: ec2.Vpc
-            # cluster: eks.Cluster
+            cluster = eks.Cluster(self, "SelfManagedCluster",
+                version=eks.KubernetesVersion.V1_34
+            )
             
-            cluster.add_auto_scaling_group_capacity("nodes",
-                vpc_subnets=ec2.SubnetSelection(subnets=vpc.private_subnets),
-                instance_type=ec2.InstanceType("t2.medium")
+            # Add self-managed Auto Scaling Group
+            cluster.add_auto_scaling_group_capacity("self-managed-asg",
+                instance_type=ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
+                min_capacity=1,
+                max_capacity=5
             )
         '''
         if isinstance(vpc_subnets, dict):
@@ -3279,7 +3361,7 @@ class AutoScalingGroupCapacityOptions(
         to all current and future instances in the group. As an instance approaches its maximum duration,
         it is terminated and replaced, and cannot be used again.
 
-        You must specify a value of at least 604,800 seconds (7 days). To clear a previously set value,
+        You must specify a value of at least 86,400 seconds (one day). To clear a previously set value,
         leave this property undefined.
 
         :default: none
@@ -3864,9 +3946,6 @@ class ClusterAttributes:
 
         Example::
 
-            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
-            
-            
             handler_role = iam.Role.from_role_arn(self, "HandlerRole", "arn:aws:iam::123456789012:role/lambda-role")
             # get the serivceToken from the custom resource provider
             function_arn = lambda_.Function.from_function_name(self, "ProviderOnEventFunc", "ProviderframeworkonEvent-XXX").function_arn
@@ -4127,7 +4206,7 @@ class ClusterCommonOptions:
         masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
         prune: typing.Optional[builtins.bool] = None,
         role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-        secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+        secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
         security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -4165,12 +4244,12 @@ class ClusterCommonOptions:
             import aws_cdk as cdk
             from aws_cdk import aws_ec2 as ec2
             from aws_cdk import aws_iam as iam
-            from aws_cdk import aws_kms as kms
             from aws_cdk import aws_lambda as lambda_
+            from aws_cdk.interfaces import aws_kms as interfaces_aws_kms
             
             # alb_controller_version: eks_v2_alpha.AlbControllerVersion
             # endpoint_access: eks_v2_alpha.EndpointAccess
-            # key: kms.Key
+            # key_ref: interfaces_aws_kms.IKeyRef
             # kubernetes_version: eks_v2_alpha.KubernetesVersion
             # layer_version: lambda.LayerVersion
             # policy: Any
@@ -4213,7 +4292,7 @@ class ClusterCommonOptions:
                 masters_role=role,
                 prune=False,
                 role=role,
-                secrets_encryption_key=key,
+                secrets_encryption_key=key_ref,
                 security_group=security_group,
                 service_ipv4_cidr="serviceIpv4Cidr",
                 tags={
@@ -4420,7 +4499,9 @@ class ClusterCommonOptions:
         return typing.cast(typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole], result)
 
     @builtins.property
-    def secrets_encryption_key(self) -> typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey]:
+    def secrets_encryption_key(
+        self,
+    ) -> typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef]:
         '''(experimental) KMS secret for envelope encryption for Kubernetes secrets.
 
         :default:
@@ -4432,7 +4513,7 @@ class ClusterCommonOptions:
         :stability: experimental
         '''
         result = self._values.get("secrets_encryption_key")
-        return typing.cast(typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey], result)
+        return typing.cast(typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef], result)
 
     @builtins.property
     def security_group(
@@ -4524,7 +4605,7 @@ class ClusterLoggingTypes(enum.Enum):
 
         cluster = eks.Cluster(self, "Cluster",
             # ...
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             cluster_logging=[eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.SCHEDULER
             ]
         )
@@ -4601,7 +4682,7 @@ class ClusterProps(ClusterCommonOptions):
         masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
         prune: typing.Optional[builtins.bool] = None,
         role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-        secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+        secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
         security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -4645,12 +4726,15 @@ class ClusterProps(ClusterCommonOptions):
 
         Example::
 
-            cluster = eks.Cluster(self, "EksAutoCluster",
-                version=eks.KubernetesVersion.V1_32,
-                default_capacity_type=eks.DefaultCapacityType.AUTOMODE,
-                compute=eks.ComputeConfig(
-                    node_pools=["system", "general-purpose"]
-                )
+            cluster = eks.Cluster(self, "ManagedNodeCluster",
+                version=eks.KubernetesVersion.V1_34,
+                default_capacity_type=eks.DefaultCapacityType.NODEGROUP
+            )
+            
+            # Add a Fargate Profile for specific workloads (e.g., default namespace)
+            cluster.add_fargate_profile("FargateProfile",
+                selectors=[eks.Selector(namespace="default")
+                ]
             )
         '''
         if isinstance(alb_controller, dict):
@@ -4863,7 +4947,9 @@ class ClusterProps(ClusterCommonOptions):
         return typing.cast(typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole], result)
 
     @builtins.property
-    def secrets_encryption_key(self) -> typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey]:
+    def secrets_encryption_key(
+        self,
+    ) -> typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef]:
         '''(experimental) KMS secret for envelope encryption for Kubernetes secrets.
 
         :default:
@@ -4875,7 +4961,7 @@ class ClusterProps(ClusterCommonOptions):
         :stability: experimental
         '''
         result = self._values.get("secrets_encryption_key")
-        return typing.cast(typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey], result)
+        return typing.cast(typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef], result)
 
     @builtins.property
     def security_group(
@@ -5067,7 +5153,7 @@ class ComputeConfig:
         Example::
 
             cluster = eks.Cluster(self, "EksAutoCluster",
-                version=eks.KubernetesVersion.V1_32,
+                version=eks.KubernetesVersion.V1_34,
                 default_capacity_type=eks.DefaultCapacityType.AUTOMODE,
                 compute=eks.ComputeConfig(
                     node_pools=["system", "general-purpose"]
@@ -5171,7 +5257,7 @@ class DefaultCapacityType(enum.Enum):
     Example::
 
         cluster = eks.Cluster(self, "HelloEKS",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             default_capacity_type=eks.DefaultCapacityType.NODEGROUP,
             default_capacity=0
         )
@@ -5371,7 +5457,7 @@ class EndpointAccess(
     Example::
 
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_34,
             endpoint_access=eks.EndpointAccess.PRIVATE
         )
     '''
@@ -5474,7 +5560,7 @@ class FargateClusterProps(ClusterCommonOptions):
         masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
         prune: typing.Optional[builtins.bool] = None,
         role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-        secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+        secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
         security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -5508,8 +5594,8 @@ class FargateClusterProps(ClusterCommonOptions):
 
         Example::
 
-            cluster = eks.FargateCluster(self, "MyCluster",
-                version=eks.KubernetesVersion.V1_32
+            cluster = eks.FargateCluster(self, "FargateCluster",
+                version=eks.KubernetesVersion.V1_34
             )
         '''
         if isinstance(alb_controller, dict):
@@ -5707,7 +5793,9 @@ class FargateClusterProps(ClusterCommonOptions):
         return typing.cast(typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole], result)
 
     @builtins.property
-    def secrets_encryption_key(self) -> typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey]:
+    def secrets_encryption_key(
+        self,
+    ) -> typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef]:
         '''(experimental) KMS secret for envelope encryption for Kubernetes secrets.
 
         :default:
@@ -5719,7 +5807,7 @@ class FargateClusterProps(ClusterCommonOptions):
         :stability: experimental
         '''
         result = self._values.get("secrets_encryption_key")
-        return typing.cast(typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey], result)
+        return typing.cast(typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef], result)
 
     @builtins.property
     def security_group(
@@ -5968,10 +6056,15 @@ class FargateProfileOptions:
 
         Example::
 
-            # cluster: eks.Cluster
+            cluster = eks.Cluster(self, "ManagedNodeCluster",
+                version=eks.KubernetesVersion.V1_34,
+                default_capacity_type=eks.DefaultCapacityType.NODEGROUP
+            )
             
-            cluster.add_fargate_profile("MyProfile",
-                selectors=[eks.Selector(namespace="default")]
+            # Add a Fargate Profile for specific workloads (e.g., default namespace)
+            cluster.add_fargate_profile("FargateProfile",
+                selectors=[eks.Selector(namespace="default")
+                ]
             )
         '''
         if isinstance(subnet_selection, dict):
@@ -7970,9 +8063,6 @@ class KubectlProvider(
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
-        
-        
         handler_role = iam.Role.from_role_arn(self, "HandlerRole", "arn:aws:iam::123456789012:role/lambda-role")
         # get the serivceToken from the custom resource provider
         function_arn = lambda_.Function.from_function_name(self, "ProviderOnEventFunc", "ProviderframeworkonEvent-XXX").function_arn
@@ -8120,9 +8210,6 @@ class KubectlProviderAttributes:
 
         Example::
 
-            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
-            
-            
             handler_role = iam.Role.from_role_arn(self, "HandlerRole", "arn:aws:iam::123456789012:role/lambda-role")
             # get the serivceToken from the custom resource provider
             function_arn = lambda_.Function.from_function_name(self, "ProviderOnEventFunc", "ProviderframeworkonEvent-XXX").function_arn
@@ -8220,13 +8307,13 @@ class KubectlProviderOptions:
 
         Example::
 
-            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
             
             
             cluster = eks.Cluster(self, "hello-eks",
-                version=eks.KubernetesVersion.V1_32,
+                version=eks.KubernetesVersion.V1_34,
                 kubectl_provider_options=eks.KubectlProviderOptions(
-                    kubectl_layer=KubectlV32Layer(self, "kubectl"),
+                    kubectl_layer=KubectlV34Layer(self, "kubectl"),
                     environment={
                         "http_proxy": "http://proxy.myproxy.com"
                     }
@@ -9501,12 +9588,15 @@ class KubernetesVersion(
 
     Example::
 
-        cluster = eks.Cluster(self, "EksAutoCluster",
-            version=eks.KubernetesVersion.V1_32,
-            default_capacity_type=eks.DefaultCapacityType.AUTOMODE,
-            compute=eks.ComputeConfig(
-                node_pools=["system", "general-purpose"]
-            )
+        cluster = eks.Cluster(self, "ManagedNodeCluster",
+            version=eks.KubernetesVersion.V1_34,
+            default_capacity_type=eks.DefaultCapacityType.NODEGROUP
+        )
+        
+        # Add a Fargate Profile for specific workloads (e.g., default namespace)
+        cluster.add_fargate_profile("FargateProfile",
+            selectors=[eks.Selector(namespace="default")
+            ]
         )
     '''
 
@@ -9628,6 +9718,32 @@ class KubernetesVersion(
         '''
         return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_32"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="V1_33")
+    def V1_33(cls) -> "KubernetesVersion":
+        '''(experimental) Kubernetes version 1.33.
+
+        When creating a ``Cluster`` with this version, you need to also specify the
+        ``kubectlLayer`` property with a ``KubectlV33Layer`` from
+        ``@aws-cdk/lambda-layer-kubectl-v33``.
+
+        :stability: experimental
+        '''
+        return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_33"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="V1_34")
+    def V1_34(cls) -> "KubernetesVersion":
+        '''(experimental) Kubernetes version 1.34.
+
+        When creating a ``Cluster`` with this version, you need to also specify the
+        ``kubectlLayer`` property with a ``KubectlV34Layer`` from
+        ``@aws-cdk/lambda-layer-kubectl-v34``.
+
+        :stability: experimental
+        '''
+        return typing.cast("KubernetesVersion", jsii.sget(cls, "V1_34"))
+
     @builtins.property
     @jsii.member(jsii_name="version")
     def version(self) -> builtins.str:
@@ -10092,6 +10208,11 @@ class NodegroupAmiType(enum.Enum):
     AL2023_X86_64_NVIDIA = "AL2023_X86_64_NVIDIA"
     '''(experimental) Amazon Linux 2023 with NVIDIA drivers (x86-64).
 
+    :stability: experimental
+    '''
+    AL2023_ARM_64_NVIDIA = "AL2023_ARM_64_NVIDIA"
+    '''(experimental) Amazon Linux 2023 with NVIDIA drivers (ARM-64).
+
     :stability: experimental
     '''
     AL2023_ARM_64_STANDARD = "AL2023_ARM_64_STANDARD"
@@ -10184,7 +10305,7 @@ class NodegroupOptions:
         Example::
 
             cluster = eks.Cluster(self, "HelloEKS",
-                version=eks.KubernetesVersion.V1_32,
+                version=eks.KubernetesVersion.V1_34,
                 default_capacity_type=eks.DefaultCapacityType.NODEGROUP,
                 default_capacity=0
             )
@@ -11503,7 +11624,8 @@ class ServiceAccount(
         self,
         statement: _aws_cdk_aws_iam_ceddda9d.PolicyStatement,
     ) -> builtins.bool:
-        '''
+        '''(deprecated) Add to the policy of this principal.
+
         :param statement: -
 
         :deprecated: use ``addToPrincipalPolicy()``
@@ -11975,6 +12097,17 @@ class ServiceLoadBalancerAddressOptions:
 class TaintEffect(enum.Enum):
     '''(experimental) Effect types of kubernetes node taint.
 
+    Note: These values are specifically for AWS EKS NodeGroups and use the AWS API format.
+    When using AWS CLI or API, taint effects must be NO_SCHEDULE, PREFER_NO_SCHEDULE, or NO_EXECUTE.
+    When using Kubernetes directly or kubectl, taint effects must be NoSchedule, PreferNoSchedule, or NoExecute.
+
+    For Kubernetes manifests (like Karpenter NodePools), use string literals with PascalCase format:
+
+    - 'NoSchedule' instead of TaintEffect.NO_SCHEDULE
+    - 'PreferNoSchedule' instead of TaintEffect.PREFER_NO_SCHEDULE
+    - 'NoExecute' instead of TaintEffect.NO_EXECUTE
+
+    :see: https://docs.aws.amazon.com/eks/latest/userguide/node-taints-managed-node-groups.html
     :stability: experimental
     '''
 
@@ -12484,12 +12617,15 @@ class Cluster(
 
     Example::
 
-        cluster = eks.Cluster(self, "EksAutoCluster",
-            version=eks.KubernetesVersion.V1_32,
-            default_capacity_type=eks.DefaultCapacityType.AUTOMODE,
-            compute=eks.ComputeConfig(
-                node_pools=["system", "general-purpose"]
-            )
+        cluster = eks.Cluster(self, "ManagedNodeCluster",
+            version=eks.KubernetesVersion.V1_34,
+            default_capacity_type=eks.DefaultCapacityType.NODEGROUP
+        )
+        
+        # Add a Fargate Profile for specific workloads (e.g., default namespace)
+        cluster.add_fargate_profile("FargateProfile",
+            selectors=[eks.Selector(namespace="default")
+            ]
         )
     '''
 
@@ -12515,7 +12651,7 @@ class Cluster(
         masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
         prune: typing.Optional[builtins.bool] = None,
         role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-        secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+        secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
         security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -12713,7 +12849,7 @@ class Cluster(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instances. ``launchTemplate`` and ``mixedInstancesPolicy`` must not be specified when this property is specified You can either specify ``keyPair`` or ``keyName``, not both. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Feature flag ``AUTOSCALING_GENERATE_LAUNCH_TEMPLATE`` must be enabled to use this property. ``launchTemplate`` and ``mixedInstancesPolicy`` must not be specified when this property is specified. You can either specify ``keyPair`` or ``keyName``, not both. Default: - No SSH access will be possible.
         :param max_capacity: Maximum number of instances in the fleet. Default: desiredCapacity
-        :param max_instance_lifetime: The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 604,800 seconds (7 days). To clear a previously set value, leave this property undefined. Default: none
+        :param max_instance_lifetime: The maximum amount of time that an instance can be in service. The maximum duration applies to all current and future instances in the group. As an instance approaches its maximum duration, it is terminated and replaced, and cannot be used again. You must specify a value of at least 86,400 seconds (one day). To clear a previously set value, leave this property undefined. Default: none
         :param min_capacity: Minimum number of instances in the fleet. Default: 1
         :param new_instances_protected_from_scale_in: Whether newly-launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in. By default, Auto Scaling can terminate an instance at any time after launch when scaling in an Auto Scaling Group, subject to the group's termination policy. However, you may wish to protect newly-launched instances from being scaled in if they are going to run critical applications that should not be prematurely terminated. This flag must be enabled if the Auto Scaling Group will be associated with an ECS Capacity Provider with managed termination protection. Default: false
         :param notifications: Configure autoscaling group to send notifications about fleet changes to an SNS topic(s). Default: - No fleet change notifications will be sent.
@@ -13410,8 +13546,8 @@ class FargateCluster(
 
     Example::
 
-        cluster = eks.FargateCluster(self, "MyCluster",
-            version=eks.KubernetesVersion.V1_32
+        cluster = eks.FargateCluster(self, "FargateCluster",
+            version=eks.KubernetesVersion.V1_34
         )
     '''
 
@@ -13432,7 +13568,7 @@ class FargateCluster(
         masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
         prune: typing.Optional[builtins.bool] = None,
         role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-        secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+        secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
         security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
         service_ipv4_cidr: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -13885,7 +14021,7 @@ def _typecheckingstub__522396bf3ea38086bd92ddd50181dc1757140cccc27f7d0415c200a26
     masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
     prune: typing.Optional[builtins.bool] = None,
     role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-    secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+    secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
     security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -13908,7 +14044,7 @@ def _typecheckingstub__cdebba88d00ede95b7f48fc97c266609fdb0fc0ef3bb709493d319c84
     masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
     prune: typing.Optional[builtins.bool] = None,
     role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-    secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+    secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
     security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -13966,7 +14102,7 @@ def _typecheckingstub__89419afd037884b6a69d80af0bf5c1fe35164b8d31e7e5746501350e5
     masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
     prune: typing.Optional[builtins.bool] = None,
     role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-    secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+    secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
     security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -14585,7 +14721,7 @@ def _typecheckingstub__f953a3ebdf317cd4c17c2caf66c079973022b58e6c5cf124f9d5f0089
     masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
     prune: typing.Optional[builtins.bool] = None,
     role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-    secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+    secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
     security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -14803,7 +14939,7 @@ def _typecheckingstub__673db9ae76799e064c85ea6382670fd3efa0ca3c8a72239cc0723fff0
     masters_role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
     prune: typing.Optional[builtins.bool] = None,
     role: typing.Optional[_aws_cdk_aws_iam_ceddda9d.IRole] = None,
-    secrets_encryption_key: typing.Optional[_aws_cdk_aws_kms_ceddda9d.IKey] = None,
+    secrets_encryption_key: typing.Optional[_aws_cdk_interfaces_aws_kms_ceddda9d.IKeyRef] = None,
     security_group: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup] = None,
     service_ipv4_cidr: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -14820,3 +14956,6 @@ def _typecheckingstub__867c24d91e82b6c927deaaa713ad154d44030f8a2d7da291636600790
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IAccessEntry, IAccessPolicy, IAddon, ICluster, IKubectlProvider, INodegroup]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])