feat(eks): make kubectlLayer property required from optional

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/eks/integ.call.ts

@@ -3,6 +3,7 @@ import * as iam from 'aws-cdk-lib/aws-iam';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31';
 import { EksCall, HttpMethods } from 'aws-cdk-lib/aws-stepfunctions-tasks';
 import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
@@ -25,6 +26,7 @@ stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 const cluster = new eks.Cluster(stack, 'EksCluster', {
   version: eks.KubernetesVersion.V1_30,
   clusterName: 'eksCluster',
+  kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
 });
 
 const executionRole = new iam.Role(stack, 'Role', {

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emrcontainers/integ.job-submission-workflow.ts

@@ -4,6 +4,7 @@ import * as iam from 'aws-cdk-lib/aws-iam';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31';
 import {
   Classification, VirtualClusterInput, EksClusterInput, EmrContainersDeleteVirtualCluster,
   EmrContainersCreateVirtualCluster, EmrContainersStartJobRun, ReleaseLabel,
@@ -29,6 +30,7 @@ const eksCluster = new eks.Cluster(stack, 'integration-test-eks-cluster', {
   version: eks.KubernetesVersion.V1_30,
   defaultCapacity: 3,
   defaultCapacityInstance: ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.XLARGE),
+  kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
 });
 
 const jobExecutionRole = new iam.Role(stack, 'JobExecutionRole', {

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.ts

@@ -6,6 +6,7 @@ import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import { Aws } from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31';
 import { EmrContainersStartJobRun, ReleaseLabel, VirtualClusterInput } from 'aws-cdk-lib/aws-stepfunctions-tasks';
 import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
@@ -25,6 +26,7 @@ const eksCluster = new eks.Cluster(stack, 'integration-test-eks-cluster', {
   version: eks.KubernetesVersion.V1_30,
   defaultCapacity: 3,
   defaultCapacityInstance: ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.XLARGE),
+  kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
 });
 
 const virtualCluster = new cdk.CfnResource(stack, 'Virtual Cluster', {

packages/@aws-cdk-testing/framework-integ/test/lambda-layer-kubectl/test/integ.kubectl-layer.ts

@@ -3,16 +3,15 @@ import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as cdk from 'aws-cdk-lib';
 import * as cr from 'aws-cdk-lib/custom-resources';
 import * as integ from '@aws-cdk/integ-tests-alpha';
-
-import { KubectlLayer } from 'aws-cdk-lib/lambda-layer-kubectl';
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31';
 
 /**
  * Test verifies that kubectl and helm are invoked successfully inside Lambda runtime.
  */
 
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'lambda-layer-kubectl-integ-stack');
-const layer = new KubectlLayer(stack, 'KubectlLayer');
+const layer = new KubectlV31Layer(stack, 'KubectlLayer');
 
 const runtimes = [
   lambda.Runtime.PYTHON_3_9,

packages/aws-cdk-lib/aws-eks/lib/cluster.ts

@@ -142,9 +142,8 @@ export interface ICluster extends IResource, ec2.IConnectable {
   /**
    * An AWS Lambda layer that includes `kubectl` and `helm`
    *
-   * If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
    */
-  readonly kubectlLayer?: lambda.ILayerVersion;
+  readonly kubectlLayer: lambda.ILayerVersion;
 
   /**
    * Specify which IP family is used to assign Kubernetes pod and service IP addresses.
@@ -375,19 +374,16 @@ export interface ClusterAttributes {
    * This layer is used by the kubectl handler to apply manifests and install
    * helm charts. You must pick an appropriate releases of one of the
    * `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of
-   * Kubernetes you have chosen. If you don't supply this value `kubectl`
-   * 1.20 will be used, but that version is most likely too old.
+   * Kubernetes you have chosen.
    *
    * The handler expects the layer to include the following executables:
    *
    * ```
    * /opt/helm/helm
    * /opt/kubectl/kubectl
    * ```
-   *
-   * @default - a default layer with Kubectl 1.20 and helm 3.8.
    */
-  readonly kubectlLayer?: lambda.ILayerVersion;
+  readonly kubectlLayer: lambda.ILayerVersion;
 
   /**
    * An AWS Lambda layer that contains the `aws` CLI.
@@ -566,19 +562,16 @@ export interface ClusterOptions extends CommonClusterOptions {
    * This layer is used by the kubectl handler to apply manifests and install
    * helm charts. You must pick an appropriate releases of one of the
    * `@aws-cdk/layer-kubectl-vXX` packages, that works with the version of
-   * Kubernetes you have chosen. If you don't supply this value `kubectl`
-   * 1.20 will be used, but that version is most likely too old.
+   * Kubernetes you have chosen.
    *
    * The handler expects the layer to include the following executables:
    *
    * ```
    * /opt/helm/helm
    * /opt/kubectl/kubectl
    * ```
-   *
-   * @default - a default layer with Kubectl 1.20.
    */
-  readonly kubectlLayer?: lambda.ILayerVersion;
+  readonly kubectlLayer: lambda.ILayerVersion;
 
   /**
    * An AWS Lambda layer that contains the `aws` CLI.
@@ -1083,6 +1076,7 @@ abstract class ClusterBase extends Resource implements ICluster {
   public abstract readonly ipFamily?: IpFamily;
   public abstract readonly kubectlRole?: iam.IRole;
   public abstract readonly kubectlLambdaRole?: iam.IRole;
+  public abstract readonly kubectlLayer: lambda.ILayerVersion;
   public abstract readonly kubectlEnvironment?: { [key: string]: string };
   public abstract readonly kubectlSecurityGroup?: ec2.ISecurityGroup;
   public abstract readonly kubectlPrivateSubnets?: ec2.ISubnet[];
@@ -1474,9 +1468,8 @@ export class Cluster extends ClusterBase {
   /**
    * An AWS Lambda layer that includes `kubectl` and `helm`
    *
-   * If not defined, a default layer will be used containing Kubectl 1.20 and Helm 3.8
    */
-  readonly kubectlLayer?: lambda.ILayerVersion;
+  readonly kubectlLayer: lambda.ILayerVersion;
 
   /**
    * An AWS Lambda layer that contains the `aws` CLI.
@@ -1578,9 +1571,6 @@ export class Cluster extends ClusterBase {
     this.prune = props.prune ?? true;
     this.vpc = props.vpc || new ec2.Vpc(this, 'DefaultVpc');
 
-    if (!props.kubectlLayer) {
-      Annotations.of(this).addWarningV2('@aws-cdk/aws-eks:clusterKubectlLayerNotSpecified', `You created a cluster with Kubernetes Version ${props.version.version} without specifying the kubectlLayer property. The property will become required instead of optional in 2025 Jan. Please update your CDK code to provide a kubectlLayer.`);
-    };
     this.version = props.version;
 
     // since this lambda role needs to be added to the trust policy of the creation role,
@@ -2402,7 +2392,7 @@ class ImportedCluster extends ClusterBase {
   public readonly kubectlEnvironment?: { [key: string]: string } | undefined;
   public readonly kubectlSecurityGroup?: ec2.ISecurityGroup | undefined;
   public readonly kubectlPrivateSubnets?: ec2.ISubnet[] | undefined;
-  public readonly kubectlLayer?: lambda.ILayerVersion;
+  public readonly kubectlLayer: lambda.ILayerVersion;
   public readonly ipFamily?: IpFamily;
   public readonly awscliLayer?: lambda.ILayerVersion;
   public readonly kubectlProvider?: IKubectlProvider;

packages/aws-cdk-lib/aws-eks/lib/kubectl-provider.ts

@@ -5,7 +5,6 @@ import { Duration, Stack, NestedStack, Names, CfnCondition, Fn, Aws } from '../.
 import { KubectlFunction } from '../../custom-resource-handlers/dist/aws-eks/kubectl-provider.generated';
 import * as cr from '../../custom-resources';
 import { AwsCliLayer } from '../../lambda-layer-awscli';
-import { KubectlLayer } from '../../lambda-layer-kubectl';
 
 /**
  * Properties for a KubectlProvider
@@ -151,7 +150,7 @@ export class KubectlProvider extends NestedStack implements IKubectlProvider {
 
     // allow user to customize the layers with the tools we need
     handler.addLayers(props.cluster.awscliLayer ?? new AwsCliLayer(this, 'AwsCliLayer'));
-    handler.addLayers(props.cluster.kubectlLayer ?? new KubectlLayer(this, 'KubectlLayer'));
+    handler.addLayers(props.cluster.kubectlLayer);
 
     this.handlerRole = handler.role!;
 

packages/aws-cdk-lib/aws-eks/test/access-entry.test.ts

@@ -1,3 +1,4 @@
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31';
 import { Template } from '../../assertions';
 import { App, Stack } from '../../core';
 import {
@@ -18,6 +19,7 @@ describe('AccessEntry', () => {
     cluster = new Cluster(stack, 'Cluster', {
       version: KubernetesVersion.V1_29,
       authenticationMode: AuthenticationMode.API,
+      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
 
     mockAccessPolicies = [

packages/aws-cdk-lib/aws-eks/test/addon.test.ts

@@ -1,5 +1,6 @@
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31';
 import { Template } from '../../assertions';
-import { App, CfnOutput, Stack } from '../../core';
+import { App, Stack } from '../../core';
 import { Addon, KubernetesVersion, Cluster } from '../lib';
 
 describe('Addon', () => {
@@ -12,6 +13,7 @@ describe('Addon', () => {
     stack = new Stack(app, 'Stack');
     cluster = new Cluster(stack, 'Cluster', {
       version: KubernetesVersion.V1_30,
+      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
   });
 

packages/aws-cdk-lib/aws-eks/test/alb-controller.test.ts

@@ -1,5 +1,6 @@
 import * as fs from 'fs';
 import * as path from 'path';
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31';
 import { testFixture } from './util';
 import { Template, Match } from '../../assertions';
 import * as iam from '../../aws-iam';
@@ -12,6 +13,7 @@ test.each(versions)('support AlbControllerVersion (%s)', (version) => {
 
   const cluster = new Cluster(stack, 'Cluster', {
     version: KubernetesVersion.V1_27,
+    kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
   });
   AlbController.create(stack, {
     cluster,
@@ -63,6 +65,7 @@ test('can configure a custom repository', () => {
 
   const cluster = new Cluster(stack, 'Cluster', {
     version: KubernetesVersion.V1_27,
+    kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
   });
 
   AlbController.create(stack, {
@@ -96,6 +99,7 @@ test('throws when a policy is not defined for a custom version', () => {
 
   const cluster = new Cluster(stack, 'Cluster', {
     version: KubernetesVersion.V1_27,
+    kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
   });
 
   expect(() => AlbController.create(stack, {
@@ -108,6 +112,7 @@ test.each(['us-gov-west-1', 'cn-north-1'])('stack does not include hard-coded pa
   const { stack } = testFixture(region);
   const cluster = new Cluster(stack, 'Cluster', {
     version: KubernetesVersion.V1_27,
+    kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
   });
 
   AlbController.create(stack, {
@@ -124,6 +129,7 @@ test('correct helm chart version is set for selected alb controller version', ()
 
   const cluster = new Cluster(stack, 'Cluster', {
     version: KubernetesVersion.V1_27,
+    kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
   });
 
   AlbController.create(stack, {
@@ -159,6 +165,7 @@ describe('AlbController AwsAuth creation', () => {
     const cluster = new Cluster(stack, 'Cluster', {
       version: KubernetesVersion.V1_27,
       authenticationMode,
+      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
     });
     AlbController.create(stack, {
       cluster,

packages/aws-cdk-lib/aws-eks/test/awsauth.test.ts

@@ -1,3 +1,4 @@
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31';
 import { testFixtureNoVpc } from './util';
 import { Template } from '../../assertions';
 import * as iam from '../../aws-iam';
@@ -15,7 +16,10 @@ describe('aws auth', () => {
     const clusterStack = new cdk.Stack(app, 'ClusterStack');
     const roleStack = new cdk.Stack(app, 'RoleStack');
     const awsAuth = new AwsAuth(clusterStack, 'Auth', {
-      cluster: new Cluster(clusterStack, 'Cluster', { version: KubernetesVersion.V1_17 }),
+      cluster: new Cluster(clusterStack, 'Cluster', {
+        version: KubernetesVersion.V1_17,
+        kubectlLayer: new KubectlV31Layer(clusterStack, 'KubectlLayer'),
+      }),
     });
     const role = new iam.Role(roleStack, 'Role', { assumedBy: new iam.AnyPrincipal() });
 
@@ -31,7 +35,10 @@ describe('aws auth', () => {
     const clusterStack = new cdk.Stack(app, 'ClusterStack');
     const userStack = new cdk.Stack(app, 'UserStack');
     const awsAuth = new AwsAuth(clusterStack, 'Auth', {
-      cluster: new Cluster(clusterStack, 'Cluster', { version: KubernetesVersion.V1_17 }),
+      cluster: new Cluster(clusterStack, 'Cluster', {
+        version: KubernetesVersion.V1_17,
+        kubectlLayer: new KubectlV31Layer(clusterStack, 'KubectlLayer'),
+      }),
     });
     const user = new iam.User(userStack, 'User');
 
@@ -45,7 +52,11 @@ describe('aws auth', () => {
   test('empty aws-auth', () => {
     // GIVEN
     const { stack } = testFixtureNoVpc();
-    const cluster = new Cluster(stack, 'cluster', { version: CLUSTER_VERSION, prune: false });
+    const cluster = new Cluster(stack, 'cluster', {
+      version: CLUSTER_VERSION,
+      prune: false,
+      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
+    });
 
     // WHEN
     new AwsAuth(stack, 'AwsAuth', { cluster });
@@ -64,7 +75,11 @@ describe('aws auth', () => {
   test('addRoleMapping and addUserMapping can be used to define the aws-auth ConfigMap', () => {
     // GIVEN
     const { stack } = testFixtureNoVpc();
-    const cluster = new Cluster(stack, 'Cluster', { version: CLUSTER_VERSION, prune: false });
+    const cluster = new Cluster(stack, 'Cluster', {
+      version: CLUSTER_VERSION,
+      prune: false,
+      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
+    });
     const role = new iam.Role(stack, 'role', { assumedBy: new iam.AnyPrincipal() });
     const user = new iam.User(stack, 'user');
 
@@ -142,7 +157,10 @@ describe('aws auth', () => {
   test('imported users and roles can be also be used', () => {
     // GIVEN
     const { stack } = testFixtureNoVpc();
-    const cluster = new Cluster(stack, 'Cluster', { version: CLUSTER_VERSION });
+    const cluster = new Cluster(stack, 'Cluster', {
+      version: CLUSTER_VERSION,
+      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
+    });
     const role = iam.Role.fromRoleArn(stack, 'imported-role', 'arn:aws:iam::123456789012:role/S3Access');
     const user = iam.User.fromUserName(stack, 'import-user', 'MyUserName');
 
@@ -189,7 +207,11 @@ describe('aws auth', () => {
   test('addMastersRole after addNodegroup correctly', () => {
     // GIVEN
     const { stack } = testFixtureNoVpc();
-    const cluster = new Cluster(stack, 'Cluster', { version: CLUSTER_VERSION, prune: false });
+    const cluster = new Cluster(stack, 'Cluster', {
+      version: CLUSTER_VERSION,
+      prune: false,
+      kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
+    });
     cluster.addNodegroupCapacity('NG');
     const role = iam.Role.fromRoleArn(stack, 'imported-role', 'arn:aws:iam::123456789012:role/S3Access');
 
@@ -238,6 +260,7 @@ describe('aws auth', () => {
     const cluster = new Cluster(clusterStack, 'Cluster', {
       version: KubernetesVersion.V1_29,
       authenticationMode: AuthenticationMode.API,
+      kubectlLayer: new KubectlV31Layer(clusterStack, 'KubectlLayer'),
     });
 
     // THEN
@@ -252,6 +275,7 @@ describe('aws auth', () => {
     const cluster = new Cluster(clusterStack, 'Cluster', {
       version: CLUSTER_VERSION,
       authenticationMode: AuthenticationMode.API_AND_CONFIG_MAP,
+      kubectlLayer: new KubectlV31Layer(clusterStack, 'KubectlLayer'),
     });
 
     // THEN
@@ -266,6 +290,7 @@ describe('aws auth', () => {
     const cluster = new Cluster(clusterStack, 'Cluster', {
       version: CLUSTER_VERSION,
       authenticationMode: AuthenticationMode.CONFIG_MAP,
+      kubectlLayer: new KubectlV31Layer(clusterStack, 'KubectlLayer'),
     });
 
     // THEN
@@ -279,6 +304,7 @@ describe('aws auth', () => {
     const clusterStack = new cdk.Stack(app, 'test-stack');
     const cluster = new Cluster(clusterStack, 'Cluster', {
       version: CLUSTER_VERSION,
+      kubectlLayer: new KubectlV31Layer(clusterStack, 'KubectlLayer'),
     });
 
     // THEN