eks: Remove the Cluster custom resource in favour of L1

[gricey432]

Describe the feature

Currently, eks.Cluster is implemented as a Custom Resource, though I believe this is no longer required and is causing unneeded complexity.

The docstring for the CR says

 Implements EKS create/update/delete through a CloudFormation custom resource
 in order to allow us to control the IAM role which creates the cluster. This
 is required in order to be able to allow CloudFormation to interact with the
 cluster via `kubectl` to enable Kubernetes management capabilities like apply
 manifest and IAM role/user RBAC mapping.

This was added 4 years ago in #3510 and I don't think it's true anymore. The Cfn resource takes a RoleArn property which should solve the problem identified in the docstring.

I had a quick run through of the custom handler source and it looks like it hasn't really gained any other features since then, so should be a straighforward replacement.

Use Case

#28584 highlights the serious risks introduced by CDK diverging from Cloudformation and implementing custom resources. The current implementation makes the behaviour harder to inspect.

Proposed Solution

The L2 eks.Cluster should replace its internal ClusterResource with just the L1 CfnCluster.

I'm unsure on how this migration would actually have to work.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.113.0 (build ccd534a)

Environment details (OS name and version, etc.)

N/A

[gshpychka]

The Cfn resource takes a RoleArn property which should solve the problem identified in the docstring.

I don't think this is correct - that is for the role that calls AWS APIs, not kubectl.

[gricey432]

I don't think this is correct - that is for the role that calls AWS APIs, not kubectl.

I think you're right. @benfriebe do you think we might have this backwards?

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts#L79 and Line 92 show where the two different roles are used for their different purposes.

Is this "creator is admin" problem supposed to be solved by Access Entries?

[pahud]

We absolutely need the new module. Let's track this feature request in #24059 and please help us prioritize with 👍 on that issue.

I am closing this one in favor of #24059

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.