(aws-eks): CDK synth fails when using private isolated subnets with eks cluster and kubectl #37491

@hakenmt

Description

Describe the bug

CDK synth fails when the cluster is set to use private isolated subnets and also configured for private endpoint access. All required VPC endpoints are also configured for the VPC.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

This was the commit that introduced this problem: 73e5006

I believe this was working in at least 2.238. I needed to upgrade to 2.244 for a bug fix in kubectl v35 that prevented using OCI images in ECR.

Expected Behavior

CDK synth succeeds.

Current Behavior

CDK synth fails with an error: IsolatedKubectlSubnet» Isolated subnets cannot be used for kubectl private subnets. Isolated subnets have no internet access, which is required for the kubectl Lambda to reach the EKS API, STS, and other AWS service endpoints. Use PRIVATE_WITH_EGRESS subnets with a NAT Gateway instead, or configure VPC endpoints for STS, EKS, ECR, S3 and other AWS services detailed here https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html
...new Cluster2 in aws-cdk-lib...

Reproduction Steps

    import * as ec2 from 'aws-cdk-lib/aws-ec2';
    import * as eks from 'aws-cdk-lib/aws-eks';
    // props, controlPlaneSG and KubectlLayer are defined elsewhere in the reporter's stack.

    const cluster = new eks.Cluster(this, 'EKSCluster', {
      vpc: props.vpc,
      // Isolated subnets: no NAT gateway or IGW route; AWS APIs are reached via VPC endpoints.
      vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_ISOLATED }],
      defaultCapacity: 0,
      version: props.version,
      // Run the cluster handler inside the VPC so it can reach the private endpoint.
      placeClusterHandlerInVpc: true,
      endpointAccess: eks.EndpointAccess.PRIVATE,
      kubectlLayer: new KubectlLayer(this, 'KubectlLayer'),
      securityGroup: controlPlaneSG,
      mastersRole: props.adminRole,
      clusterName: props.clusterName,
    });

Possible Solution

No response

Additional Information/Context

Link to source where the incorrect validation is performed:

if (this.vpc instanceof ec2.Vpc) {

Deploying a private EKS cluster in isolated subnets with the appropriate VPC endpoints is possible and works. CDK shouldn't prevent this from synthesizing.

AWS CDK Library version (aws-cdk-lib)

2.244.0

AWS CDK CLI version

2.1108.0 (build eace286)

Node.js Version

24.4.1

OS

darwin

Language

TypeScript

Language Version

No response

Other information

No response
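The check the report points at rejects PRIVATE_ISOLATED kubectl subnets unconditionally. As an added illustration (not aws-cdk-lib code), the dependency-free TypeScript below sketches the relaxed rule the report argues for: isolated subnets are accepted when the VPC carries endpoints for the services the error message names (STS, EKS, ECR, S3), and rejected otherwise with the missing endpoints listed. The VpcModel type, the endpoint service short names and the sample VPCs are assumptions constructed for this example.

```typescript
// Added example, not aws-cdk-lib code: a relaxed form of the kubectl subnet check.
// The real check rejects PRIVATE_ISOLATED outright; this one only rejects it when
// the VPC lacks the endpoints the error message lists (STS, EKS, ECR, S3).
type SubnetType = 'PUBLIC' | 'PRIVATE_WITH_EGRESS' | 'PRIVATE_ISOLATED';

// Assumed data model: what a construct would know about the VPC at synth time.
interface VpcModel {
  kubectlSubnetTypes: SubnetType[];   // subnet types selected for the kubectl handler
  interfaceEndpoints: Set<string>;    // interface endpoint service short names
  gatewayEndpoints: Set<string>;      // gateway endpoint service short names
}

// Service short names are assumptions about how the four services in the error
// message map onto VPC endpoints (ECR needs both its API and its registry endpoint).
const REQUIRED_INTERFACE_ENDPOINTS = ['sts', 'eks', 'ecr.api', 'ecr.dkr'];
const REQUIRED_GATEWAY_ENDPOINTS = ['s3'];

interface ValidationResult {
  ok: boolean;
  missing: string[];  // endpoints that would have to be added for isolation to work
}

function validateKubectlSubnets(vpc: VpcModel): ValidationResult {
  // Subnets with a route to the internet (NAT gateway or IGW) need no endpoints.
  if (!vpc.kubectlSubnetTypes.includes('PRIVATE_ISOLATED')) {
    return { ok: true, missing: [] };
  }
  const missing = [
    ...REQUIRED_INTERFACE_ENDPOINTS.filter((s) => !vpc.interfaceEndpoints.has(s)),
    ...REQUIRED_GATEWAY_ENDPOINTS.filter((s) => !vpc.gatewayEndpoints.has(s)),
  ];
  // Isolated subnets are acceptable only when every required endpoint is present.
  return { ok: missing.length === 0, missing };
}

// Constructed sample VPCs: one fully provisioned, one with endpoints missing.
const isolatedWithEndpoints: VpcModel = {
  kubectlSubnetTypes: ['PRIVATE_ISOLATED'],
  interfaceEndpoints: new Set<string>(['sts', 'eks', 'ecr.api', 'ecr.dkr']),
  gatewayEndpoints: new Set<string>(['s3']),
};
const isolatedPartialEndpoints: VpcModel = {
  kubectlSubnetTypes: ['PRIVATE_ISOLATED'],
  interfaceEndpoints: new Set<string>(['sts', 'eks']),
  gatewayEndpoints: new Set<string>(),
};

// When run directly, show which endpoints the partially provisioned VPC lacks.
console.log(validateKubectlSubnets(isolatedPartialEndpoints).missing);
```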

Metadata

Assignees

No one assigned

    Labels

      • @aws-cdk/aws-eks (Related to Amazon Elastic Kubernetes Service)
      • bug (This issue is a bug.)
      • needs-triage (This issue or PR still needs to be triaged.)
      • potential-regression (Marking this issue as a potential regression to be checked by team member)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests