Description
Describe the bug
Per the AWS documentation, the eks:kube-proxy-windows group is required for kube-proxy to work for Windows nodes.
In the current state, the nodes all get created with groups that exclude that one. This forces users to use a workaround like calling cluster.awsAuth.addRoleMapping manually, which risks adding duplicate values to the aws-auth ConfigMap.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
No response
Expected Behavior
When creating a NodeGroup where the AmiType is Windows (e.g. props.amiType && windowsAmiTypes.includes(props.amiType)), the eks:kube-proxy-windows group should be added, or we should at least be able to provide a custom list of roles for the NodeGroup.
Current Behavior
The eks:kube-proxy-windows group is not added for Windows node groups, and we are unable to provide a custom list of groups.
Reproduction Steps
- Instantiate a Nodegroup object with a Windows AMI
- Deploy and confirm that the created aws-auth ConfigMap does not contain the expected eks:kube-proxy-windows group
Possible Solution
Conditionally add the eks:kube-proxy-windows group when the AmiType is part of windowsAmiTypes (props.amiType && windowsAmiTypes.includes(props.amiType)). Alternatively, allow providing a custom list of groups for the node role, defaulting to the existing values.
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
aws-cdk-lib@2.189.1
AWS CDK CLI version
2.1004.0 (build f0ad96e)
Node.js Version
v20.17.0
OS
macOS 15.7.2 (24G325)
Language
TypeScript
Language Version
typescript@5.1.6
Other information
No response
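
An added example (not part of the original issue and not aws-cdk code) that audits parsed aws-auth mapRoles entries for the two conditions the issue describes: a Windows node role without eks:kube-proxy-windows, and duplicate role mappings left by a manual workaround. The type names, function name and role ARNs are hypothetical, and the sample entries are constructed.

```typescript
// Added example, not aws-cdk code. Input is the aws-auth mapRoles list after
// it has been parsed from the ConfigMap YAML (parsing is out of scope here).
interface RoleMapping {
  rolearn: string;
  username: string;
  groups: string[];
}

interface AuthFinding {
  rolearn: string;
  issue: "missing-windows-group" | "duplicate-mapping";
}

const WINDOWS_PROXY_GROUP = "eks:kube-proxy-windows";

// windowsNodeRoleArns: roles known to back Windows node groups (assumption:
// the caller takes this from its own node group inventory).
function auditMapRoles(mappings: RoleMapping[], windowsNodeRoleArns: string[]): AuthFinding[] {
  const findings: AuthFinding[] = [];
  const counts: Record<string, number> = {};
  for (const m of mappings) {
    counts[m.rolearn] = (counts[m.rolearn] || 0) + 1;
  }
  // More than one entry for a role: the duplicate risk the issue mentions.
  for (const arn of Object.keys(counts)) {
    if ((counts[arn] || 0) > 1) findings.push({ rolearn: arn, issue: "duplicate-mapping" });
  }
  // A mapped Windows node role where no entry carries the kube-proxy group.
  for (const arn of windowsNodeRoleArns) {
    const entries = mappings.filter((m) => m.rolearn === arn);
    const hasGroup = entries.some((m) => m.groups.indexOf(WINDOWS_PROXY_GROUP) !== -1);
    if (entries.length > 0 && !hasGroup) {
      findings.push({ rolearn: arn, issue: "missing-windows-group" });
    }
  }
  return findings;
}

// Constructed sample data: account ID and role names are placeholders.
const NODE_USER = "system:node:{{EC2PrivateDNSName}}";
const BASE_GROUPS = ["system:bootstrappers", "system:nodes"];
const WIN_A = "arn:aws:iam::111122223333:role/WindowsNodeRoleA";
const WIN_B = "arn:aws:iam::111122223333:role/WindowsNodeRoleB";
const SAMPLE_MAP_ROLES: RoleMapping[] = [
  { rolearn: "arn:aws:iam::111122223333:role/LinuxNodeRole", username: NODE_USER, groups: BASE_GROUPS },
  { rolearn: WIN_A, username: NODE_USER, groups: BASE_GROUPS },
  { rolearn: WIN_A, username: NODE_USER, groups: BASE_GROUPS.concat(WINDOWS_PROXY_GROUP) },
  { rolearn: WIN_B, username: NODE_USER, groups: BASE_GROUPS },
];
```

Calling auditMapRoles(SAMPLE_MAP_ROLES, [WIN_A, WIN_B]) reports WindowsNodeRoleA as a duplicate mapping and WindowsNodeRoleB as missing the Windows group.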