fix(eks): downgrade isolated subnet validation from error to warning #37500
Merged
mergify[bot] merged 3 commits into main on Apr 2, 2026
The validation added in v2.246.0 throws an error when using PRIVATE_ISOLATED subnets for kubectl, blocking a legitimate AWS-supported pattern for fully private EKS clusters with VPC endpoints. This changes the validation to emit a warning instead, allowing users who have properly configured VPC endpoints (STS, EKS, ECR, S3, etc.) to synth successfully. Closes #37491
aws-cdk-automation
previously requested changes
Apr 2, 2026
aemada-aws
approved these changes
Apr 2, 2026
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Merge Queue Status
This pull request spent 30 minutes 11 seconds in the queue, including 29 minutes 59 seconds running CI.
Comments on closed issues and PRs are hard for our team to see.
Issue
Closes #37491
Reason for this change
The validation added in v2.246.0 (commit 73e5006) throws a hard error when using PRIVATE_ISOLATED subnets for kubectl, blocking a legitimate AWS-supported pattern for fully private EKS clusters with VPC endpoints.
AWS explicitly documents that private EKS clusters can run in isolated subnets when the appropriate VPC endpoints (STS, EKS, ECR, S3, CloudWatch Logs, etc.) are configured.
Description of changes
ValidationError (hard error) to Annotations.addWarningV2 (warning) in both aws-eks and aws-eks-v2 cluster implementations
@aws-cdk/aws-eks:isolatedSubnetsForKubectlPrivateSubnets
Description of how you validated changes
Updated unit tests pass. The existing tests for PRIVATE_WITH_EGRESS subnets and imported VPCs with isolated subnets continue to pass unchanged.
Checklist
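With the check downgraded to a warning, synth no longer stops an isolated-subnet cluster that lacks the VPC endpoints the description lists, so the following added example (not code from this PR or from aws-cdk) scans a synthesized CloudFormation template for them. The names `REQUIRED_SUFFIXES`, `serviceNameToString` and `missingEndpoints` are hypothetical, the sample template is constructed, and the list covers only the services named above (ECR as its two endpoints, `ecr.api` and `ecr.dkr`), not the "etc.".

```typescript
// Added example; all identifiers here are hypothetical, not part of aws-cdk.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources?: Record<string, Resource> };

// Endpoint service suffixes for the services the PR description names.
// ECR needs two interface endpoints: ecr.api and ecr.dkr.
const REQUIRED_SUFFIXES = ["sts", "eks", "ecr.api", "ecr.dkr", "s3", "logs"];

// A ServiceName is either a literal string or an Fn::Join whose parts mix
// strings with intrinsics such as { Ref: "AWS::Region" }; flatten both forms.
function serviceNameToString(value: unknown): string {
  if (typeof value === "string") return value;
  const join = (value as any)?.["Fn::Join"];
  if (Array.isArray(join) && Array.isArray(join[1])) {
    return join[1]
      .map((p: unknown) => (typeof p === "string" ? p : "<intrinsic>"))
      .join(String(join[0]));
  }
  return "";
}

// Return the required suffixes that no AWS::EC2::VPCEndpoint resource provides.
function missingEndpoints(template: Template): string[] {
  const names = Object.values(template.Resources ?? {})
    .filter((r) => r.Type === "AWS::EC2::VPCEndpoint")
    .map((r) => serviceNameToString(r.Properties?.ServiceName));
  return REQUIRED_SUFFIXES.filter((s) => !names.some((n) => n.endsWith("." + s)));
}

// Constructed sample: three endpoints present, three missing.
const sampleTemplate: Template = {
  Resources: {
    Sts: {
      Type: "AWS::EC2::VPCEndpoint",
      Properties: {
        ServiceName: { "Fn::Join": ["", ["com.amazonaws.", { Ref: "AWS::Region" }, ".sts"]] },
      },
    },
    S3: { Type: "AWS::EC2::VPCEndpoint", Properties: { ServiceName: "com.amazonaws.us-east-1.s3" } },
    EcrApi: { Type: "AWS::EC2::VPCEndpoint", Properties: { ServiceName: "com.amazonaws.us-east-1.ecr.api" } },
    Bucket: { Type: "AWS::S3::Bucket" },
  },
};

console.log("missing endpoints:", missingEndpoints(sampleTemplate));
```

A non-empty result can fail a CI step after `cdk synth`, restoring a hard stop for the misconfigured case only.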