feat(eks): support for installing default networking add-ons

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-bootstrap-self-managed-addons.ts

@@ -0,0 +1,55 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import * as eks from 'aws-cdk-lib/aws-eks';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { getClusterVersionConfig } from './integ-tests-kubernetes-version';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+interface EksClusterStackProps extends StackProps {
+  readonly bootstrapSelfManagedAddons: boolean;
+}
+
+class EksClusterStack extends Stack {
+  public cluster: eks.Cluster;
+
+  constructor(scope: App, id: string, props: EksClusterStackProps) {
+    super(scope, id);
+
+    const vpc = new ec2.Vpc(this, 'Vpc', { natGateways: 1 });
+    this.cluster = new eks.Cluster(this, 'Cluster', {
+      vpc,
+      ...getClusterVersionConfig(this, eks.KubernetesVersion.V1_30),
+      bootstrapSelfManagedAddons: props.bootstrapSelfManagedAddons,
+    });
+  }
+}
+
+const app = new App();
+
+const enabledStack = new EksClusterStack(app, 'EnabledEksClusterSstack', {
+  bootstrapSelfManagedAddons: true,
+});
+const disabledStack = new EksClusterStack(app, 'DisabledEksClusterStack', {
+  bootstrapSelfManagedAddons: false,
+});
+
+const integ = new IntegTest(app, 'EksClusterWithSelfManagedAddons', {
+  testCases: [enabledStack, disabledStack],
+});
+
+const assertion = integ.assertions.awsApiCall('EKS', 'ListAddons', {
+  name: disabledStack.cluster.clusterName,
+}).expect(ExpectedResult.objectLike({
+  addons: ['vpc-cni', 'kube-proxy', 'coredns'],
+}));
+
+integ.assertions.awsApiCall('EKS', 'ListAddons', {
+  name: enabledStack.cluster.clusterName,
+}).expect(ExpectedResult.objectLike({
+  addons: [],
+}));
+
+assertion.provider.addToRolePolicy({
+  Effects: 'Allow',
+  Action: ['eks:*'],
+  Resource: ['*'],
+});

packages/aws-cdk-lib/aws-eks/README.md

@@ -1840,10 +1840,15 @@ const loadBalancerAddress = cluster.getServiceLoadBalancerAddress('my-service');
 
 ## Add-ons
 
-[Add-ons](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) is a software that provides supporting operational capabilities to Kubernetes applications. The EKS module supports adding add-ons to your cluster using the `eks.Addon` class.
+[Add-ons](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) is a software that provides supporting operational capabilities to Kubernetes applications. The EKS module supports adding default networking add-ons to your cluster using `bootstrapSelfManagedAddons` prop and additional add-ons using the `eks.Addon` class.
 
 ```ts
-declare const cluster: eks.Cluster;
+const cluster = new eks.Cluster(this, 'Cluster', {
+  version: eks.KubernetesVersion.V1_31,
+  // If you set this value to False when creating a cluster, the default networking add-ons will not be installed.
+  // The default networking addons include vpc-cni, coredns, and kube-proxy.
+  bootstrapSelfManagedAddons: true,
+});
 
 new eks.Addon(this, 'Addon', {
   cluster,

packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts

@@ -27,6 +27,7 @@ export interface ClusterResourceProps {
   readonly tags?: { [key: string]: string };
   readonly logging?: { [key: string]: [ { [key: string]: any } ] };
   readonly accessconfig?: CfnCluster.AccessConfigProperty;
+  readonly bootstrapSelfManagedAddons?: boolean;
 }
 
 /**
@@ -90,6 +91,7 @@ export class ClusterResource extends Construct {
           tags: props.tags,
           logging: props.logging,
           accessConfig: props.accessconfig,
+          bootstrapSelfManagedAddons: props.bootstrapSelfManagedAddons,
         },
         AssumeRoleArn: this.adminRole.roleArn,
 

packages/aws-cdk-lib/aws-eks/lib/cluster.ts

@@ -847,6 +847,18 @@ export interface ClusterProps extends ClusterOptions {
    */
   readonly bootstrapClusterCreatorAdminPermissions?: boolean;
 
+  /**
+   * If you set this value to False when creating a cluster, the default networking add-ons will not be installed.
+   * The default networking addons include vpc-cni, coredns, and kube-proxy.
+   *
+   * Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
+   *
+   * Changing this value after the cluster has been created will result in the cluster being replaced.
+   *
+   * @default true
+   */
+  readonly bootstrapSelfManagedAddons?: boolean;
+
   /**
    * The tags assigned to the EKS cluster
    *
@@ -1705,6 +1717,7 @@ export class Cluster extends ClusterBase {
       onEventLayer: this.onEventLayer,
       tags: props.tags,
       logging: this.logging,
+      bootstrapSelfManagedAddons: props.bootstrapSelfManagedAddons,
     });
 
     if (this.endpointAccess._config.privateAccess && privateSubnets.length !== 0) {

packages/aws-cdk-lib/aws-eks/test/cluster.test.ts

@@ -54,6 +54,21 @@ describe('cluster', () => {
     });
   });
 
+  test.each([true, false])('can specify bootstrap self managed add-ons', (bootstrapSelfManagedAddons) => {
+    const { stack } = testFixture();
+
+    new eks.Cluster(stack, 'Cluster', {
+      version: CLUSTER_VERSION,
+      bootstrapSelfManagedAddons,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('Custom::AWSCDK-EKS-Cluster', {
+      Config: {
+        bootstrapSelfManagedAddons,
+      },
+    });
+  });
+
   test('can specify security group to cluster resource handler', () => {
     const { stack, vpc } = testFixture();
     const securityGroup = new ec2.SecurityGroup(stack, 'ProxyInstanceSG', {