fix(eks): add eks:kube-proxy-windows group for Windows node groups #37473

Open
syukawa-gh wants to merge 3 commits into aws:main from syukawa-gh:fix/eks-windows-kube-proxy-group

@syukawa-gh
Contributor

Closes #36625

Per AWS documentation, the eks:kube-proxy-windows group is required for kube-proxy to work on Windows nodes. Added conditional group assignment when amiType is a Windows type.

Exemption Request: aws-auth ConfigMap change, covered by unit test logic.

Per AWS documentation, the eks:kube-proxy-windows group is required
for kube-proxy to work on Windows nodes. Without it, Windows nodes
cannot properly route network traffic.

Closes aws#36625
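
An audit of aws-auth `mapRoles` entries against the group requirement described above, as an added example that is not part of this pull request or the CDK code base. The helper names, role ARNs, sample mappings and the `WINDOWS_` prefix check are assumptions made for illustration.

```typescript
// Added example: names and sample data are constructed, not taken from the PR.
interface RoleMapping { rolearn: string; username: string; groups: string[]; }

const BASE_NODE_GROUPS = ['system:bootstrappers', 'system:nodes'];
const WINDOWS_GROUP = 'eks:kube-proxy-windows';

// Assumption: Windows AMI type values begin with "WINDOWS_".
function isWindowsAmiType(amiType: string): boolean {
  return amiType.indexOf('WINDOWS_') === 0;
}

// Groups a node role mapping should carry for a node group's AMI type.
// Linux roles get only the base groups, keeping the mapping least-privilege.
function expectedNodeGroups(amiType: string): string[] {
  return isWindowsAmiType(amiType)
    ? BASE_NODE_GROUPS.concat(WINDOWS_GROUP)
    : BASE_NODE_GROUPS.slice();
}

// Report each expected group that is missing from a node role's mapping.
function auditMapRoles(mapRoles: RoleMapping[], amiTypeByRole: { [arn: string]: string }): string[] {
  const findings: string[] = [];
  for (const rolearn of Object.keys(amiTypeByRole)) {
    const amiType = amiTypeByRole[rolearn] || '';
    const entry = mapRoles.filter((m) => m.rolearn === rolearn)[0];
    if (!entry) { findings.push(rolearn + ': no mapRoles entry'); continue; }
    for (const group of expectedNodeGroups(amiType)) {
      if (entry.groups.indexOf(group) === -1) findings.push(rolearn + ': missing ' + group);
    }
  }
  return findings;
}

// Constructed sample: the Windows role lacks the group, as in the linked issue.
const NODE_USER = 'system:node:{{EC2PrivateDNSName}}';
const LINUX_ROLE = 'arn:aws:iam::111122223333:role/linux-nodes';
const WINDOWS_ROLE = 'arn:aws:iam::111122223333:role/win-nodes';
const sampleMapRoles: RoleMapping[] = [
  { rolearn: LINUX_ROLE, username: NODE_USER, groups: ['system:bootstrappers', 'system:nodes'] },
  { rolearn: WINDOWS_ROLE, username: NODE_USER, groups: ['system:bootstrappers', 'system:nodes'] },
];
const sampleAmiTypes: { [arn: string]: string } = {};
sampleAmiTypes[LINUX_ROLE] = 'AL2_x86_64';
sampleAmiTypes[WINDOWS_ROLE] = 'WINDOWS_CORE_2022_x86_64';
const sampleFindings = auditMapRoles(sampleMapRoles, sampleAmiTypes);
```
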
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Apr 1, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team April 1, 2026 09:55
@github-actions github-actions bot added the admired-contributor [Pilot] contributed between 13-24 PRs to the CDK label Apr 1, 2026
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ An exemption request has been requested. Please wait for a maintainer's review.

@syukawa-gh
Contributor Author

Exemption Request: This fix adds the eks:kube-proxy-windows group for Windows node groups. Unit tests are included. Integration test snapshot update is needed — will add.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Apr 2, 2026
@syukawa-gh
Contributor Author

Correction to my previous comment: After reviewing the diff more carefully, this PR needs unit tests to be added. I will update this PR with the required tests. The Exemption Request above should be disregarded for the unit test requirement.

@syukawa-gh
Contributor Author

To clarify my earlier comments: unit tests are already included in this PR. The "Correction" comment above was posted in error. The exemption request is for the integration test only — this fix adds the eks:kube-proxy-windows group for Windows node groups, and the unit tests verify the correct group mapping.

@github-actions
Contributor

github-actions bot commented Apr 6, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.


| | Tests | Passed ✅ | Skipped | Failed |
|---|---|---|---|---|
| Security Guardian Results | 24 ran | 24 passed | | |

| Test | Result |
|---|---|
| No test annotations available | |

@github-actions
Contributor

github-actions bot commented Apr 6, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.


| | Tests | Passed ☑️ | Skipped | Failed ❌️ |
|---|---|---|---|---|
| Security Guardian Results with resolved templates | 24 ran | 23 passed | | 1 failed |

| Test | Result |
|---|---|
| **Security Guardian Results with resolved templates** | |
| packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-windows-ng.js.snapshot/aws-cdk-eks-cluster-windows-ng-test.template.json | |
| iam-role-root-principal-needs-conditions.guard | ❌ failure |

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Apr 6, 2026
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 6, 2026

Successfully merging this pull request may close these issues.

eks: Windows Node Groups get an aws-auth roleMapping without eks:kube-proxy-windows