aws-eks: aws-node-termination-handler Chart Version is Outdated

[wafuwafu13]

Describe the bug

• Current Chart version is 0.18.0
  https://artifacthub.io/packages/helm/aws/aws-node-termination-handler/0.18.0
  

  aws-cdk/packages/aws-cdk-lib/aws-eks/lib/cluster.ts

  Lines 1184 to 1188 in 58c2631

  	this._spotInterruptHandler = this.addHelmChart('spot-interrupt-handler', {
  	chart: 'aws-node-termination-handler',
  	version: '0.18.0',
  	repository: 'https://aws.github.io/eks-charts',
  	namespace: 'kube-system',

• Latest available version is 0.27.0
  https://artifacthub.io/packages/helm/aws-node-termination-handler/aws-node-termination-handler
• The outdated version of aws-node-termination-handler (0.18.0) is causing cluster creation failures for Kubernetes v1.25 and above.
  • Related: Migrate from PodSecurityPolicy to Pod Security Admission aws-node-termination-handler#638

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.190.0

Expected Behavior

Successfully creates a cluster with spot setting at addAutoScalingGroupCapacity.

Current Behavior

Cluster creation fails with the following error.

14:44:57 | CREATE_FAILED        | Custom::AWSCDK-EKS-HelmChart          | Cluster/chart-spot...r/Resource/Default
Received response status [FAILED] from custom resource. Message returned: Error: b'Release "aygroundstackclusterchartspotinterrupthandlere670d248" does not exist. Installing it now.\nError: unable to build kubernetes objects from release manifest: resource mapp
ing not found for name: "aygroundstackclusterchartspotinterrupthandlere670d248-aws-node" namespace: "" from "": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"\nensure CRDs are installed first\n'

Reproduction Steps

cdk deploy

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as kms from 'aws-cdk-lib/aws-kms';
import * as eks from 'aws-cdk-lib/aws-eks';
import { KubectlV32Layer } from '@aws-cdk/lambda-layer-kubectl-v32';


export class AwsCdkPlaygroundStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const mastersRole = new iam.Role(this, 'AdminRole', {
      assumedBy: new iam.AccountRootPrincipal(),
    });
    const secretsEncryptionKey = new kms.Key(this, 'SecretsKey');
    const vpc = new ec2.Vpc(this, 'Vpc', { maxAzs: 3, natGateways: 1, restrictDefaultSecurityGroup: false });
    const vpcSubnets: ec2.SubnetSelection[] = [
      { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
      { subnetType: ec2.SubnetType.PUBLIC },
    ];

    const cluster = new eks.Cluster(this, 'Cluster', {
      vpc,
      vpcSubnets,
      mastersRole,
      defaultCapacity: 2,
      version: eks.KubernetesVersion.V1_32,
      kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
      secretsEncryptionKey,
      tags: {
        foo: 'bar',
      }
    });

    cluster.addAutoScalingGroupCapacity('spot', {
      spotPrice: '0.1094',
      instanceType: new ec2.InstanceType('t3.large'),
      maxCapacity: 10,
      bootstrapOptions: {
        kubeletExtraArgs: '--node-labels foo=bar,goo=far',
        awsApiRetryAttempts: 5,
      },
    });
  }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.1003.0 (build b242c23)

Framework Version

No response

Node.js Version

v22.7.0

OS

Darwin c889f3a8faa8 24.3.0 Darwin Kernel Version 24.3.0: Thu Jan 2 20:24:16 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T6000 arm64

Language

TypeScript

Language Version

No response

Other information

This will be fixed by #34218

[ykethan]

Hey @wafuwafu13, Thank you for reporting this issue and providing a fix in PR #34218
The outdated aws-node-termination-handler chart (v0.18.0) is would cause cluster creation failures with Kubernetes v1.25+ due to its dependency on PodSecurityPolicy, which was removed in K8s v1.25. The fix unblocks users who need to create EKS clusters with spot instances on newer Kubernetes versions.

Thanks for your contribution to improving AWS CDK!

[pahud]

related to #33108

[wafuwafu13]

Hi @ykethan @pahud , I think we have 3 options now.
Which approach should we adopt for implementation?

Option 1

• Remove spotInterruptHandler prop

aws-cdk/packages/aws-cdk-lib/aws-eks/lib/cluster.ts

Lines 2364 to 2370 in e7a6e14

	/**
	* Installs the AWS spot instance interrupt handler on the cluster if it's not
	* already added. Only relevant if `spotPrice` is used.
	*
	* @default true
	*/
	readonly spotInterruptHandler?: boolean;

• Add recommendation for node termination handler installation to README
  https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-eks/README.md#spot-instances-support

Option 2

• Change https://artifacthub.io/packages/helm/aws/aws-node-termination-handler/0.18.0 to https://artifacthub.io/packages/helm/aws-node-termination-handler/aws-node-termination-handler

• Remove version specification
  

  aws-cdk/packages/aws-cdk-lib/aws-eks/lib/cluster.ts

  Line 1186 in e7a6e14

  version: '0.18.0',

  • Latest version will be installed by default
    

    aws-cdk/packages/aws-cdk-lib/aws-eks/lib/helm-chart.ts

    Lines 26 to 30 in e7a6e14

    	/**
    	* The chart version to install.
    	* @default - If this is not specified, the latest version is installed
    	*/
    	readonly version?: string;

Option 3

• Add spotInterruptHandlerVersion prop

aws-cdk/packages/aws-cdk-lib/aws-eks/lib/cluster.ts

Line 2322 in e7a6e14

export interface AutoScalingGroupCapacityOptions extends autoscaling.CommonAutoScalingGroupProps {

I think rather than doing this, it makes more sense for users to use addHelmChart directly (Option 1)
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-eks/README.md#helm-charts