feat(eks): support for Kubernetes version 1.22

packages/@aws-cdk/aws-eks/lib/cluster.ts

@@ -124,12 +124,19 @@ export interface ICluster extends IResource, ec2.IConnectable {
   readonly kubectlLambdaRole?: iam.IRole;
 
   /**
-   * An AWS Lambda layer that includes `kubectl`, `helm` and the `aws` CLI.
+   * An AWS Lambda layer that includes `kubectl` and `helm`
    *
-   * If not defined, a default layer will be used.
+   * If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
    */
   readonly kubectlLayer?: lambda.ILayerVersion;
 
+  /**
+   * An AWS Lambda layer that contains the `aws` CLI.
+   *
+   * If not defined, a default layer will be used containing the AWS CLI 1.x.
+   */
+  readonly awscliLayer?: lambda.ILayerVersion;
+
   /**
    * Kubectl Provider for issuing kubectl commands against it
    *
@@ -325,19 +332,38 @@ export interface ClusterAttributes {
   readonly openIdConnectProvider?: iam.IOpenIdConnectProvider;
 
   /**
-   * An AWS Lambda Layer which includes `kubectl`, Helm and the AWS CLI. This layer
-   * is used by the kubectl handler to apply manifests and install helm charts.
+   * An AWS Lambda Layer which includes `kubectl` and Helm.
+   *
+   * This layer is used by the kubectl handler to apply manifests and install
+   * helm charts. You must pick an appropriate releases of one of the
+   * `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of
+   * Kubernetes you have chosen. If you don't supply this value `kubectl`
+   * 1.20 will be used, but that version is most likely too old.
    *
    * The handler expects the layer to include the following executables:
    *
-   *    helm/helm
-   *    kubectl/kubectl
-   *    awscli/aws
+   * ```
+   * /opt/helm/helm
+   * /opt/kubectl/kubectl
+   * ```
    *
-   * @default - a layer bundled with this module.
+   * @default - a default layer with Kubectl 1.20 and helm 3.8.
    */
   readonly kubectlLayer?: lambda.ILayerVersion;
 
+  /**
+   * An AWS Lambda layer that contains the `aws` CLI.
+   *
+   * The handler expects the layer to include the following executables:
+   *
+   * ```
+   * /opt/awscli/aws
+   * ```
+   *
+   * @default - a default layer with the AWS CLI 1.x
+   */
+  readonly awscliLayer?: lambda.ILayerVersion;
+
   /**
    * KubectlProvider for issuing kubectl commands.
    *
@@ -500,29 +526,38 @@ export interface ClusterOptions extends CommonClusterOptions {
   readonly kubectlEnvironment?: { [key: string]: string };
 
   /**
-   * An AWS Lambda Layer which includes `kubectl`, Helm and the AWS CLI.
+   * An AWS Lambda Layer which includes `kubectl` and Helm.
    *
-   * By default, the provider will use the layer included in the
-   * "aws-lambda-layer-kubectl" SAR application which is available in all
-   * commercial regions.
+   * This layer is used by the kubectl handler to apply manifests and install
+   * helm charts. You must pick an appropriate releases of one of the
+   * `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of
+   * Kubernetes you have chosen. If you don't supply this value `kubectl`
+   * 1.20 will be used, but that version is most likely too old.
    *
-   * To deploy the layer locally, visit
-   * https://github.com/aws-samples/aws-lambda-layer-kubectl/blob/master/cdk/README.md
-   * for instructions on how to prepare the .zip file and then define it in your
-   * app as follows:
+   * The handler expects the layer to include the following executables:
    *
-   * ```ts
-   * const layer = new lambda.LayerVersion(this, 'kubectl-layer', {
-   *   code: lambda.Code.fromAsset(`${__dirname}/layer.zip`),
-   *   compatibleRuntimes: [lambda.Runtime.PROVIDED],
-   * });
+   * ```
+   * /opt/helm/helm
+   * /opt/kubectl/kubectl
    * ```
    *
-   * @default - the layer provided by the `aws-lambda-layer-kubectl` SAR app.
-   * @see https://github.com/aws-samples/aws-lambda-layer-kubectl
+   * @default - a default layer with Kubectl 1.20.
    */
   readonly kubectlLayer?: lambda.ILayerVersion;
 
+  /**
+   * An AWS Lambda layer that contains the `aws` CLI.
+   *
+   * The handler expects the layer to include the following executables:
+   *
+   * ```
+   * /opt/awscli/aws
+   * ```
+   *
+   * @default - a default layer with the AWS CLI 1.x
+   */
+  readonly awscliLayer?: lambda.ILayerVersion;
+
   /**
    * Amount of memory to allocate to the provider's lambda function.
    *
@@ -809,6 +844,15 @@ export class KubernetesVersion {
    */
   public static readonly V1_21 = KubernetesVersion.of('1.21');
 
+  /**
+   * Kubernetes version 1.22
+   *
+   * When creating a `Cluster` with this version, you need to also specify the
+   * `kubectlLayer` property with a `KubectlLayer` from
+   * `@aws-cdk/lambda-layer-kubectl-v22`.
+   */
+  public static readonly V1_22 = KubernetesVersion.of('1.22');
+
   /**
    * Custom cluster version
    * @param version custom version number
@@ -1233,10 +1277,18 @@ export class Cluster extends ClusterBase {
   private _openIdConnectProvider?: iam.IOpenIdConnectProvider;
 
   /**
-   * The AWS Lambda layer that contains `kubectl`, `helm` and the AWS CLI. If
-   * undefined, a SAR app that contains this layer will be used.
+   * An AWS Lambda layer that includes `kubectl` and `helm`
+   *
+   * If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
    */
-  public readonly kubectlLayer?: lambda.ILayerVersion;
+  readonly kubectlLayer?: lambda.ILayerVersion;
+
+  /**
+   * An AWS Lambda layer that contains the `aws` CLI.
+   *
+   * If not defined, a default layer will be used containing the AWS CLI 1.x.
+   */
+  readonly awscliLayer?: lambda.ILayerVersion;
 
   /**
    * The amount of memory allocated to the kubectl provider's lambda function.
@@ -1319,6 +1371,10 @@ export class Cluster extends ClusterBase {
 
     this.prune = props.prune ?? true;
     this.vpc = props.vpc || new ec2.Vpc(this, 'DefaultVpc');
+
+    if (props.version === KubernetesVersion.V1_22 && !props.kubectlLayer) {
+      Annotations.of(this).addWarning(`You created a cluster with Kubernetes Version ${props.version} without specifying the kubectlLayer property. This may cause failures as the kubectl version provided with aws-cdk-lib is 1.20, which is only guaranteed to be compatible with Kubernetes versions 1.19-1.21. Please provide a kubectlLayer from @aws-cdk/lambda-layer-kubectl-v22.`);
+    };
     this.version = props.version;
     this.kubectlLambdaRole = props.kubectlLambdaRole ? props.kubectlLambdaRole : undefined;
 
@@ -1359,6 +1415,7 @@ export class Cluster extends ClusterBase {
     this.endpointAccess = props.endpointAccess ?? EndpointAccess.PUBLIC_AND_PRIVATE;
     this.kubectlEnvironment = props.kubectlEnvironment;
     this.kubectlLayer = props.kubectlLayer;
+    this.awscliLayer = props.awscliLayer;
     this.kubectlMemory = props.kubectlMemory;
 
     this.onEventLayer = props.onEventLayer;
@@ -2033,6 +2090,7 @@ class ImportedCluster extends ClusterBase {
   public readonly kubectlSecurityGroup?: ec2.ISecurityGroup | undefined;
   public readonly kubectlPrivateSubnets?: ec2.ISubnet[] | undefined;
   public readonly kubectlLayer?: lambda.ILayerVersion;
+  public readonly awscliLayer?: lambda.ILayerVersion;
   public readonly kubectlProvider?: IKubectlProvider;
   public readonly onEventLayer?: lambda.ILayerVersion;
   public readonly kubectlMemory?: Size;
@@ -2054,6 +2112,7 @@ class ImportedCluster extends ClusterBase {
     this.kubectlEnvironment = props.kubectlEnvironment;
     this.kubectlPrivateSubnets = props.kubectlPrivateSubnetIds ? props.kubectlPrivateSubnetIds.map((subnetid, index) => ec2.Subnet.fromSubnetId(this, `KubectlSubnet${index}`, subnetid)) : undefined;
     this.kubectlLayer = props.kubectlLayer;
+    this.awscliLayer = props.awscliLayer;
     this.kubectlMemory = props.kubectlMemory;
     this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroupId ? ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterHandlerSecurityGroup', props.clusterHandlerSecurityGroupId) : undefined;
     this.kubectlProvider = props.kubectlProvider;

packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts

@@ -149,13 +149,9 @@ export class KubectlProvider extends NestedStack implements IKubectlProvider {
       vpcSubnets: cluster.kubectlPrivateSubnets ? { subnets: cluster.kubectlPrivateSubnets } : undefined,
     });
 
-    // allow user to customize the layer
-    if (!props.cluster.kubectlLayer) {
-      handler.addLayers(new AwsCliLayer(this, 'AwsCliLayer'));
-      handler.addLayers(new KubectlLayer(this, 'KubectlLayer'));
-    } else {
-      handler.addLayers(props.cluster.kubectlLayer);
-    }
+    // allow user to customize the layers with the tools we need
+    handler.addLayers(props.cluster.awscliLayer ?? new AwsCliLayer(this, 'AwsCliLayer'));
+    handler.addLayers(props.cluster.kubectlLayer ?? new KubectlLayer(this, 'KubectlLayer'));
 
     this.handlerRole = handler.role!;
 

packages/@aws-cdk/aws-eks/package.json

@@ -80,6 +80,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
+    "@aws-cdk/lambda-layer-kubectl-v22": "0.0.4",
     "@aws-cdk/assertions": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",

packages/@aws-cdk/aws-eks/test/alb-controller.integ.snapshot/aws-cdk-eks-cluster-alb-controller-test.assets.json

@@ -1,6 +1,19 @@
 {
   "version": "21.0.0",
   "files": {
+    "c0f40a9fd16d1698ca05765606c04c8724dc5c8355b6e124a39af09449a3aa30": {
+      "source": {
+        "path": "asset.c0f40a9fd16d1698ca05765606c04c8724dc5c8355b6e124a39af09449a3aa30.zip",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "c0f40a9fd16d1698ca05765606c04c8724dc5c8355b6e124a39af09449a3aa30.zip",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    },
     "4288ebb3652acdf2d828b7db7ca44a7162a401ace50ebb4026e84b18a02a06ee": {
       "source": {
         "path": "asset.4288ebb3652acdf2d828b7db7ca44a7162a401ace50ebb4026e84b18a02a06ee.zip",
@@ -66,19 +79,6 @@
         }
       }
     },
-    "c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed": {
-      "source": {
-        "path": "asset.c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed.zip",
-        "packaging": "file"
-      },
-      "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed.zip",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
-        }
-      }
-    },
     "42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174": {
       "source": {
         "path": "asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174",
@@ -131,28 +131,28 @@
         }
       }
     },
-    "b426f1001506d25688ef81611f184e1ef5ebf1662e67bb4933b045477f10a56e": {
+    "a5c54a47681dc263bb296e341ff9500a68cc18f5d368dd66b41793f364332175": {
       "source": {
         "path": "awscdkeksclusteralbcontrollertestawscdkawseksKubectlProviderA1AC28D1.nested.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "b426f1001506d25688ef81611f184e1ef5ebf1662e67bb4933b045477f10a56e.json",
+          "objectKey": "a5c54a47681dc263bb296e341ff9500a68cc18f5d368dd66b41793f364332175.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "a7952c511d282bd028c89eada46178e2c8388a5649c0fc3d3364479c01bca79e": {
+    "4dddd3bf7eb63d312c638e331fc885e2dbb8d3398b739973a85d928c5178ec45": {
       "source": {
         "path": "aws-cdk-eks-cluster-alb-controller-test.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "a7952c511d282bd028c89eada46178e2c8388a5649c0fc3d3364479c01bca79e.json",
+          "objectKey": "4dddd3bf7eb63d312c638e331fc885e2dbb8d3398b739973a85d928c5178ec45.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-eks/test/alb-controller.integ.snapshot/aws-cdk-eks-cluster-alb-controller-test.template.json

@@ -395,6 +395,19 @@
     }
    }
   },
+  "KubectlLayer600207B5": {
+   "Type": "AWS::Lambda::LayerVersion",
+   "Properties": {
+    "Content": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "c0f40a9fd16d1698ca05765606c04c8724dc5c8355b6e124a39af09449a3aa30.zip"
+    },
+    "Description": "/opt/kubectl/kubectl 1.22; /opt/helm/helm 3.9",
+    "LicenseInfo": "Apache-2.0"
+   }
+  },
   "ClusterRoleFA261979": {
    "Type": "AWS::IAM::Role",
    "Properties": {
@@ -595,7 +608,7 @@
      ]
     },
     "Config": {
-     "version": "1.21",
+     "version": "1.22",
      "roleArn": {
       "Fn::GetAtt": [
        "ClusterRoleFA261979",
@@ -1017,7 +1030,7 @@
        {
         "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
        },
-       "/b426f1001506d25688ef81611f184e1ef5ebf1662e67bb4933b045477f10a56e.json"
+       "/a5c54a47681dc263bb296e341ff9500a68cc18f5d368dd66b41793f364332175.json"
       ]
      ]
     },
@@ -1034,6 +1047,9 @@
        "Arn"
       ]
      },
+     "referencetoawscdkeksclusteralbcontrollertestKubectlLayerD13282C5Ref": {
+      "Ref": "KubectlLayer600207B5"
+     },
      "referencetoawscdkeksclusteralbcontrollertestVpcPrivateSubnet1Subnet7C7DBEE5Ref": {
       "Ref": "VpcPrivateSubnet1Subnet536B997A"
      },

packages/@aws-cdk/aws-eks/test/alb-controller.integ.snapshot/awscdkeksclusteralbcontrollertestawscdkawseksKubectlProviderA1AC28D1.nested.template.json

@@ -107,7 +107,7 @@
       "Ref": "AwsCliLayerF44AAF94"
      },
      {
-      "Ref": "KubectlLayer600207B5"
+      "Ref": "referencetoawscdkeksclusteralbcontrollertestKubectlLayerD13282C5Ref"
      }
     ],
     "MemorySize": 1024,
@@ -146,18 +146,6 @@
     "Description": "/opt/awscli/aws"
    }
   },
-  "KubectlLayer600207B5": {
-   "Type": "AWS::Lambda::LayerVersion",
-   "Properties": {
-    "Content": {
-     "S3Bucket": {
-      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
-     },
-     "S3Key": "c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed.zip"
-    },
-    "Description": "/opt/kubectl/kubectl and /opt/helm/helm"
-   }
-  },
   "ProviderframeworkonEventServiceRole9FF04296": {
    "Type": "AWS::IAM::Role",
    "Properties": {
@@ -311,6 +299,9 @@
   "referencetoawscdkeksclusteralbcontrollertestClusterCreationRoleA16C24E9Arn": {
    "Type": "String"
   },
+  "referencetoawscdkeksclusteralbcontrollertestKubectlLayerD13282C5Ref": {
+   "Type": "String"
+  },
   "referencetoawscdkeksclusteralbcontrollertestVpcPrivateSubnet1Subnet7C7DBEE5Ref": {
    "Type": "String"
   },