RFC605: EKS L2 Rewrite

[xazhao]

This is a request for comments about Rewrite EKS L2 Construct. See #605 for additional details.

APIs are signed off by @iliapolo.

---

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache-2.0 license

Pull request has been modified.

[markusl]

Is EKS Auto Mode supported in the new construct?

[xazhao]

Is EKS Auto Mode supported in the new construct?

Yes because EKS Auto Mode is natively supported in CfnCluster L1 resource, there's no blocker to support it in the new construct. We will decide a proper API for EKS Auto Mode and it will be added to the construct as a new feature.

[markusl]

Is EKS Auto Mode supported in the new construct?

Yes because EKS Auto Mode is natively supported in CfnCluster L1 resource, there's no blocker to support it in the new construct. We will decide a proper API for EKS Auto Mode and it will be added to the construct as a new feature.

Thanks! This sounds good. Is there any estimate for the release with Auto Mode?

[xazhao]

Is EKS Auto Mode supported in the new construct?

Yes because EKS Auto Mode is natively supported in CfnCluster L1 resource, there's no blocker to support it in the new construct. We will decide a proper API for EKS Auto Mode and it will be added to the construct as a new feature.

Thanks! This sounds good. Is there any estimate for the release with Auto Mode?

The current estimate is 2025 Q1.

[iliapolo]

Can we make the second argument here accept an IGrantable and not a string?

[iliapolo]

Does this function return something? an AccessEntry maybe?

[iliapolo]

Is the access scope argument mandatory? what would be the API for granting admin on a specific namespace?

[xazhao]

This API is basically the current grantAccess() with hardcode values: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.Cluster.html#grantwbraccessid-principal-accesspolicies

Can we make the second argument here accept an IGrantable and not a string?

Yes I agree.

Does this function return something? an AccessEntry maybe?

It's the same as current API which is void.

Is the access scope argument mandatory? what would be the API for granting admin on a specific namespace?

Actually I think we should remove the third argument to make grantAdmin() easier to use. So something like:

cluster.grantAdmin('adminAccess', role);

It will add AmazonEKSClusterAdminPolicy to the role. There's also AmazonEKSAdminPolicy which can be applied to a namespace. Have 2 grantAdmin is a bit confusing. Customers can use the general grant method for granting admin on a specific namespace. We can add moregrantXXX() later.