Hello community,

here is the log from the commit of package eksctl for openSUSE:Factory checked 
in at 2026-02-09 15:34:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/eksctl (Old)
 and      /work/SRC/openSUSE:Factory/.eksctl.new.1670 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "eksctl"

Mon Feb  9 15:34:58 2026 rev:66 rq:1331945 version:0.222.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/eksctl/eksctl.changes    2025-12-19 
16:47:49.046818659 +0100
+++ /work/SRC/openSUSE:Factory/.eksctl.new.1670/eksctl.changes  2026-02-09 
15:35:31.513098350 +0100
@@ -1,0 +2,19 @@
+Mon Feb 09 06:27:59 UTC 2026 - Johannes Kastl 
<[email protected]>
+
+- Update to version 0.222.0:
+  * Features
+    - Add support for EKS Windows Server 2025 in eksctl (#8648)
+    - Allow wildcard matching of service account subject (#8629)
+  * Improvements
+    - Bump aws-sdk-go-v2 versions to support aws login (#8668)
+    - Update default cluster version to Kubernetes v1.34 (#8645)
+  * Bug Fixes
+    - replace AmazonLinux2 amis with AmazonLinux2023 | remove
+      override-bootstrap test in custom_ami tests (#8666)
+    - fix integration test with eks default version change (#8665)
+    - only create iam role stack for capability if the roleArn is
+      not provided (#8655)
+    - fix ssm resolver ami test with addition of bottleRocket
+      nvidia fips amis (#8656)
+
+-------------------------------------------------------------------

Old:
----
  eksctl-0.221.0.obscpio

New:
----
  eksctl-0.222.0.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ eksctl.spec ++++++
--- /var/tmp/diff_new_pack.hD0nHa/_old  2026-02-09 15:35:32.897156412 +0100
+++ /var/tmp/diff_new_pack.hD0nHa/_new  2026-02-09 15:35:32.901156580 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package eksctl
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           eksctl
-Version:        0.221.0
+Version:        0.222.0
 Release:        0
 Summary:        The official CLI for Amazon EKS
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.hD0nHa/_old  2026-02-09 15:35:32.941158258 +0100
+++ /var/tmp/diff_new_pack.hD0nHa/_new  2026-02-09 15:35:32.949158594 +0100
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/eksctl-io/eksctl</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v0.221.0</param>
+    <param name="revision">v0.222.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.hD0nHa/_old  2026-02-09 15:35:32.973159601 +0100
+++ /var/tmp/diff_new_pack.hD0nHa/_new  2026-02-09 15:35:32.977159769 +0100
@@ -3,6 +3,6 @@
                 <param name="url">https://github.com/weaveworks/eksctl</param>
               <param 
name="changesrevision">5b28c17948a1036f26becbbc02d23e61195e8a33</param></service><service
 name="tar_scm">
                 <param name="url">https://github.com/eksctl-io/eksctl</param>
-              <param 
name="changesrevision">de9424a29cd8108ff4574d54844e4e98175efac8</param></service></servicedata>
+              <param 
name="changesrevision">c53a3a5b27a8bfb6fee25ee21c4b8ecade1881dd</param></service></servicedata>
 (No newline at EOF)
 

++++++ eksctl-0.221.0.obscpio -> eksctl-0.222.0.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/docs/release_notes/0.222.0.md 
new/eksctl-0.222.0/docs/release_notes/0.222.0.md
--- old/eksctl-0.221.0/docs/release_notes/0.222.0.md    1970-01-01 
01:00:00.000000000 +0100
+++ new/eksctl-0.222.0/docs/release_notes/0.222.0.md    2026-02-06 
21:41:06.000000000 +0100
@@ -0,0 +1,23 @@
+# Release v0.222.0
+
+## 🚀 Features
+
+- Add support for EKS Windows Server 2025 in eksctl (#8648)
+- Allow wildcard matching of service account subject (#8629)
+
+## 🎯 Improvements
+
+- Bump aws-sdk-go-v2 versions to support aws login (#8668)
+-  Update default cluster version to Kubernetes v1.34 (#8645)
+
+## 🐛 Bug Fixes
+
+- replace AmazonLinux2 amis with AmazonLinux2023 | remove override-bootstrap 
test in custom\_ami tests (#8666)
+- fix integration test with eks default version change (#8665)
+- only create iam role stack for capability if the roleArn is not provided 
(#8655)
+- fix ssm resolver ami test with addition of bottleRocket nvidia fips amis 
(#8656)
+
+## Acknowledgments
+
+The eksctl maintainers would like to sincerely thank @KlwntSingh, @avoidik, 
@cdirubbio, @kprahulraj and @naclonts.
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/go.mod new/eksctl-0.222.0/go.mod
--- old/eksctl-0.221.0/go.mod   2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/go.mod   2026-02-06 21:41:06.000000000 +0100
@@ -7,24 +7,24 @@
 require (
        github.com/Masterminds/semver/v3 v3.4.0
        github.com/aws/amazon-ec2-instance-selector/v3 v3.1.2
-       github.com/aws/aws-sdk-go-v2 v1.40.0
-       github.com/aws/aws-sdk-go-v2/config v1.31.12
-       github.com/aws/aws-sdk-go-v2/credentials v1.19.1
+       github.com/aws/aws-sdk-go-v2 v1.41.1
+       github.com/aws/aws-sdk-go-v2/config v1.32.7
+       github.com/aws/aws-sdk-go-v2/credentials v1.19.7
        github.com/aws/aws-sdk-go-v2/service/autoscaling v1.62.1
        github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.1
        github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.1
        github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.61.1
        github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.7
        github.com/aws/aws-sdk-go-v2/service/ec2 v1.275.0
-       github.com/aws/aws-sdk-go-v2/service/eks v1.76.0
+       github.com/aws/aws-sdk-go-v2/service/eks v1.77.0
        github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.15
        github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.2
        github.com/aws/aws-sdk-go-v2/service/iam v1.52.2
        github.com/aws/aws-sdk-go-v2/service/kms v1.47.1
        github.com/aws/aws-sdk-go-v2/service/outposts v1.57.8
        github.com/aws/aws-sdk-go-v2/service/ssm v1.67.4
-       github.com/aws/aws-sdk-go-v2/service/sts v1.41.1
-       github.com/aws/smithy-go v1.23.2
+       github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
+       github.com/aws/smithy-go v1.24.0
        github.com/awslabs/amazon-eks-ami/nodeadm 
v0.0.0-20251001043626-89ce6578d960
        github.com/benjamintf1/unmarshalledmatchers v1.0.0
        github.com/blang/semver/v4 v4.0.0
@@ -134,22 +134,23 @@
        github.com/ashanbrown/makezero/v2 v2.1.0 // indirect
        github.com/atotto/clipboard v0.1.4 // indirect
        github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
-       github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14 // indirect
-       github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
-       github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 // indirect
+       github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
+       github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
+       github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
        github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
        github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 // indirect
        github.com/aws/aws-sdk-go-v2/service/eventbridge v1.39.3 // indirect
-       github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 
// indirect
+       github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 
// indirect
        github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 // 
indirect
-       github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14 // 
indirect
+       github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // 
indirect
        github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 // 
indirect
        github.com/aws/aws-sdk-go-v2/service/pricing v1.34.3 // indirect
        github.com/aws/aws-sdk-go-v2/service/route53 v1.52.2 // indirect
        github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0 // indirect
+       github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
        github.com/aws/aws-sdk-go-v2/service/sqs v1.38.8 // indirect
-       github.com/aws/aws-sdk-go-v2/service/sso v1.30.4 // indirect
-       github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.9 // indirect
+       github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 // indirect
+       github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect
        github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
        github.com/bahlo/generic-list-go v0.2.0 // indirect
        github.com/beorn7/perks v1.0.1 // indirect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/go.sum new/eksctl-0.222.0/go.sum
--- old/eksctl-0.221.0/go.sum   2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/go.sum   2026-02-06 21:41:06.000000000 +0100
@@ -108,20 +108,20 @@
 github.com/atotto/clipboard v0.1.4/go.mod 
h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aws/amazon-ec2-instance-selector/v3 v3.1.2 
h1:F8GBspJo+RmR4rYyw75XywEEQHQxBbF7QYKaMMnYREc=
 github.com/aws/amazon-ec2-instance-selector/v3 v3.1.2/go.mod 
h1:wdlMRtz9G4IO6H1yZPsqfGBxR8E6B/bdxHlGkls4kGQ=
-github.com/aws/aws-sdk-go-v2 v1.40.0 
h1:/WMUA0kjhZExjOQN2z3oLALDREea1A7TobfuiBrKlwc=
-github.com/aws/aws-sdk-go-v2 v1.40.0/go.mod 
h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
+github.com/aws/aws-sdk-go-v2 v1.41.1 
h1:ABlyEARCDLN034NhxlRUSZr4l71mh+T5KAeGh6cerhU=
+github.com/aws/aws-sdk-go-v2 v1.41.1/go.mod 
h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 
h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod 
h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y=
-github.com/aws/aws-sdk-go-v2/config v1.31.12 
h1:pYM1Qgy0dKZLHX2cXslNacbcEFMkDMl+Bcj5ROuS6p8=
-github.com/aws/aws-sdk-go-v2/config v1.31.12/go.mod 
h1:/MM0dyD7KSDPR+39p9ZNVKaHDLb9qnfDurvVS2KAhN8=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.1 
h1:JeW+EwmtTE0yXFK8SmklrFh/cGTTXsQJumgMZNlbxfM=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.1/go.mod 
h1:BOoXiStwTF+fT2XufhO0Efssbi1CNIO/ZXpZu87N0pw=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14 
h1:WZVR5DbDgxzA0BJeudId89Kmgy6DIU4ORpxwsVHz0qA=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14/go.mod 
h1:Dadl9QO0kHgbrH1GRqGiZdYtW5w+IXXaBNCHTIaheM4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 
h1:PZHqQACxYb8mYgms4RZbhZG0a7dPW06xOjmaH0EJC/I=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14/go.mod 
h1:VymhrMJUWs69D8u0/lZ7jSB6WgaG/NqHi3gX0aYf6U0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 
h1:bOS19y6zlJwagBfHxs0ESzr1XCOU2KXJCWcq3E2vfjY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14/go.mod 
h1:1ipeGBMAxZ0xcTm6y6paC2C/J6f6OO7LBODV9afuAyM=
+github.com/aws/aws-sdk-go-v2/config v1.32.7 
h1:vxUyWGUwmkQ2g19n7JY/9YL8MfAIl7bTesIUykECXmY=
+github.com/aws/aws-sdk-go-v2/config v1.32.7/go.mod 
h1:2/Qm5vKUU/r7Y+zUk/Ptt2MDAEKAfUtKc1+3U1Mo3oY=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.7 
h1:tHK47VqqtJxOymRrNtUXN5SP/zUTvZKeLx4tH6PGQc8=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.7/go.mod 
h1:qOZk8sPDrxhf+4Wf4oT2urYJrYt3RejHSzgAquYeppw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 
h1:I0GyV8wiYrP8XpA70g1HBcQO1JlQxCMTW9npl5UbDHY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17/go.mod 
h1:tyw7BOl5bBe/oqvoIeECFJjMdzXoa/dfVz3QQ5lgHGA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 
h1:xOLELNKGp2vsiteLsvLPwxC+mYmO6OZ8PYgiuPJzF8U=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17/go.mod 
h1:5M5CI3D12dNOtH3/mk6minaRwI2/37ifCURZISxA/IQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 
h1:WWLqlh79iO48yLkj1v3ISRNiv+3KdQoZ6JWyfcsyQik=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17/go.mod 
h1:EhG22vHRrvF8oXSTYStZhJc1aUgKtnJe+aOiFEV90cM=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 
h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod 
h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 
h1:ITi7qiDSv/mSGDSWNpZ4k4Ve0DQR6Ug2SJQ8zEHoDXg=
@@ -138,8 +138,8 @@
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.7/go.mod 
h1:l8KDrD4EZQwTuM69YK3LFZ4c9VbNHrzaQJjJsoIFqfo=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.275.0 
h1:ymusjrsOjrcVBQNQXYFIQEHJIJ17/m+VoDSmWIMjGe0=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.275.0/go.mod 
h1:QrV+/GjhSrJh6MRRuTO6ZEg4M2I0nwPakf0lZHSrE1o=
-github.com/aws/aws-sdk-go-v2/service/eks v1.76.0 
h1:LC40ZNQPC9DVzLHwR/SXa3FqqjgQKZ/9xuxJeGIXnEQ=
-github.com/aws/aws-sdk-go-v2/service/eks v1.76.0/go.mod 
h1:lrJRZkSj6nIXH/SN3gbGQp4i4AtNyha0wT7VgYZ3KDw=
+github.com/aws/aws-sdk-go-v2/service/eks v1.77.0 
h1:Z5mTpmbJKU7jEM7xoXI5tO4Nm0JUZSgVSFkpYuu6Ic0=
+github.com/aws/aws-sdk-go-v2/service/eks v1.77.0/go.mod 
h1:Qg678m+87sCuJhcsZojenz8mblYG+Tq86V4m3hjVz0s=
 github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.15 
h1:dJtNm4/eMx8nczyN3P4iAARXMj2rAvOJnj608zCqCmw=
 github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.15/go.mod 
h1:QEbuU4eh8HGdv4uvld0Jth+KW8L0lOSYlyPcW6+JJo8=
 github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.2 
h1:xJkfrBzq4b4JxnxwNNzjUKmbQj1hPa4uUikSeXQFBYk=
@@ -148,12 +148,12 @@
 github.com/aws/aws-sdk-go-v2/service/eventbridge v1.39.3/go.mod 
h1:sIrUII6Z+hAVAgcpmsc2e9HvEr++m/v8aBPT7s4ZYUk=
 github.com/aws/aws-sdk-go-v2/service/iam v1.52.2 
h1:li0ooCUfHIivHn8nB3LstP6HgdNefwu5gnXE4MLVz/U=
 github.com/aws/aws-sdk-go-v2/service/iam v1.52.2/go.mod 
h1:PuHz5kGh1jtsNpjezdYhRp7xgn6DzCNJJfQt7O7U9Aw=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 
h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod 
h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 
h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod 
h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 
h1:Hjkh7kE6D81PgrHlE/m9gx+4TyyeLHuY8xJs7yXN5C4=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5/go.mod 
h1:nPRXgyCfAurhyaTMoBMwRBYBhaHI4lNPAnJmjM0Tslc=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14 
h1:FIouAnCE46kyYqyhs0XEBDFFSREtdnr8HQuLPQPLCrY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14/go.mod 
h1:UTwDc5COa5+guonQU8qBikJo1ZJ4ln2r1MkF7Dqag1E=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 
h1:RuNSMoozM8oXlgLG/n6WLaFGoea7/CddrCfIiSA+xdY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17/go.mod 
h1:F2xxQ9TZz5gDWsclCtPQscGpP0VUOc8RqgFM3vDENmU=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 
h1:FzQE21lNtUor0Fb7QNgnEyiRCBlolLTX/Z1j65S7teM=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14/go.mod 
h1:s1ydyWG9pm3ZwmmYN21HKyG9WzAZhYVW85wMHs5FV6w=
 github.com/aws/aws-sdk-go-v2/service/kms v1.47.1 
h1:6+C0RoGF4HJQALrsecOXN7cm/l5rgNHCw2xbcvFgpH4=
@@ -166,18 +166,20 @@
 github.com/aws/aws-sdk-go-v2/service/route53 v1.52.2/go.mod 
h1:wi1naoiPnCQG3cyjsivwPON1ZmQt/EJGxFqXzubBTAw=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0 
h1:JubM8CGDDFaAOmBrd8CRYNr49ZNgEAiLwGwgNMdS0nw=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0/go.mod 
h1:kUklwasNoCn5YpyAqC/97r6dzTA1SRKJfKq16SXeoDU=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 
h1:VrhDvQib/i0lxvr3zqlUwLwJP4fpmpyD9wYG1vfSu+Y=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod 
h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.8 
h1:80dpSqWMwx2dAm30Ib7J6ucz1ZHfiv5OCRwN/EnCOXQ=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.8/go.mod 
h1:IzNt/udsXlETCdvBOL0nmyMe2t9cGmXmZgsdoZGYYhI=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.67.4 
h1:pOwUUY5FzKUsxtxGR6qsczZP7MuZMVlMbAOPQOcmJlo=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.67.4/go.mod 
h1:+nlWvcgDPQ56mChEBzTC0puAMck+4onOFaHg5cE+Lgg=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.4 
h1:U//SlnkE1wOQiIImxzdY5PXat4Wq+8rlfVEw4Y7J8as=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.4/go.mod 
h1:av+ArJpoYf3pgyrj6tcehSFW+y9/QvAY8kMooR9bZCw=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.9 
h1:LU8S9W/mPDAU9q0FjCLi0TrCheLMGwzbRpvUMwYspcA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.9/go.mod 
h1:/j67Z5XBVDx8nZVp9EuFM9/BS5dvBznbqILGuu73hug=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.1 
h1:GdGmKtG+/Krag7VfyOXV17xjTCz0i9NT+JnqLTOI5nA=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.1/go.mod 
h1:6TxbXoDSgBQ225Qd8Q+MbxUxUh6TtNKwbRt/EPS9xso=
-github.com/aws/smithy-go v1.23.2 
h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
-github.com/aws/smithy-go v1.23.2/go.mod 
h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 
h1:v6EiMvhEYBoHABfbGB4alOYmCIrcgyPPiBE1wZAEbqk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.9/go.mod 
h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 
h1:gd84Omyu9JLriJVCbGApcLzVR3XtmC4ZDPcAI6Ftvds=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13/go.mod 
h1:sTGThjphYE4Ohw8vJiRStAcu3rbjtXRsdNB0TvZ5wwo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 
h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/pJ1jOWYlFDJTjRQ=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod 
h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ=
+github.com/aws/smithy-go v1.24.0 
h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
+github.com/aws/smithy-go v1.24.0/go.mod 
h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/awslabs/amazon-eks-ami/nodeadm v0.0.0-20251001043626-89ce6578d960 
h1:F/q1AN14KuY3I6HyEJxEUuQmEo5cDRpbXptP7UlB8GQ=
 github.com/awslabs/amazon-eks-ami/nodeadm 
v0.0.0-20251001043626-89ce6578d960/go.mod 
h1:cOBzmLe5lF+1C3h0SNnbl2LvMi+Gm8EXGlPxdXoucio=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 
h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/integration/tests/custom_ami/custom_ami_test.go 
new/eksctl-0.222.0/integration/tests/custom_ami/custom_ami_test.go
--- old/eksctl-0.221.0/integration/tests/custom_ami/custom_ami_test.go  
2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/integration/tests/custom_ami/custom_ami_test.go  
2026-02-06 21:41:06.000000000 +0100
@@ -58,7 +58,7 @@
 
        // retrieve AL2 AMI
        input := &awsssm.GetParameterInput{
-               Name: 
aws.String(fmt.Sprintf("/aws/service/eks/optimized-ami/%s/amazon-linux-2/recommended/image_id",
 params.Version)),
+               Name: 
aws.String(fmt.Sprintf("/aws/service/eks/optimized-ami/%s/amazon-linux-2/recommended/image_id",
 api.Version1_32)),
        }
        output, err := ssm.GetParameter(context.Background(), input)
        Expect(err).NotTo(HaveOccurred())
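Review bot: the SSM parameter name on the changed line now pins api.Version1_32 in place of params.Version, but nothing in the hunk says why. Add a comment next to "// retrieve AL2 AMI" stating the reason for the fixed version, so the pin is revisited when 1.32 is dropped instead of failing silently in this lookup.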
@@ -130,28 +130,6 @@
                })
        })
 
-       Context("override bootstrap command for managed and un-managed 
nodegroups", func() {
-
-               It("can create a working nodegroup which can join the cluster", 
func() {
-                       By(fmt.Sprintf("using the following EKS optimised AMI: 
%s", customAMIAL2))
-                       content, err := 
os.ReadFile(filepath.Join("testdata/override-bootstrap.yaml"))
-                       Expect(err).NotTo(HaveOccurred())
-                       content = bytes.ReplaceAll(content, 
[]byte("<generated>"), []byte(params.ClusterName))
-                       content = bytes.ReplaceAll(content, 
[]byte("<generated-region>"), []byte(params.Region))
-                       content = bytes.ReplaceAll(content, 
[]byte("<generated-ami>"), []byte(customAMIAL2))
-                       cmd := params.EksctlCreateCmd.
-                               WithArgs(
-                                       "nodegroup",
-                                       "--config-file", "-",
-                                       "--verbose", "4",
-                               ).
-                               WithoutArg("--region", params.Region).
-                               WithStdin(bytes.NewReader(content))
-                       Expect(cmd).To(RunSuccessfully())
-               })
-
-       })
-
        Context("bottlerocket un-managed nodegroups", func() {
 
                It("can create a working nodegroup which can join the cluster", 
func() {
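Review bot: removing the whole "override bootstrap command" Context drops the use of testdata/override-bootstrap.yaml shown here, yet this diff does not delete that file and adds no AL2023 equivalent of the test. Either remove the fixture in the same change or add a replacement test that uses it, and check that the bytes, os and filepath imports are still needed in this file.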
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/integration/tests/dry_run/dry_run_test.go 
new/eksctl-0.222.0/integration/tests/dry_run/dry_run_test.go
--- old/eksctl-0.221.0/integration/tests/dry_run/dry_run_test.go        
2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/integration/tests/dry_run/dry_run_test.go        
2026-02-06 21:41:06.000000000 +0100
@@ -68,7 +68,7 @@
   authenticationMode: API_AND_CONFIG_MAP
 addonsConfig: {}
 nodeGroups:
-- amiFamily: AmazonLinux2
+- amiFamily: AmazonLinux2023
   containerRuntime: containerd
   disableIMDSv1: true
   disablePodIMDS: false
@@ -287,7 +287,7 @@
                        Memory: "4",
                }
 
-       }, "--managed=false", "--instance-selector-vcpus=2", 
"--instance-selector-memory=4", "--node-ami-family=AmazonLinux2"),
+       }, "--managed=false", "--instance-selector-vcpus=2", 
"--instance-selector-memory=4", "--node-ami-family=AmazonLinux2023"),
 
                Entry("instance selector options with managed nodegroup", 
func(actual, expected *api.ClusterConfig) {
                        
Expect(actual.ManagedNodeGroups[0].InstanceTypes).NotTo(BeEmpty())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/actions/addon/update_test.go 
new/eksctl-0.222.0/pkg/actions/addon/update_test.go
--- old/eksctl-0.221.0/pkg/actions/addon/update_test.go 2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/actions/addon/update_test.go 2026-02-06 
21:41:06.000000000 +0100
@@ -695,7 +695,7 @@
 
                addonManager, err := addon.New(&api.ClusterConfig{
                        Metadata: &api.ClusterMeta{
-                               Version: api.Version1_32,
+                               Version: api.DefaultVersion,
                                Name:    clusterName,
                        },
                        AddonsConfig: e.addonsConfig,
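Review bot: switching Version from api.Version1_32 to api.DefaultVersion ties this unit test to whatever the default is, so the next default bump changes the test's input without touching this file. If the case under test does not depend on the cluster version, say so in a comment; if it does, keep an explicit version constant.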
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/actions/capability/creator.go 
new/eksctl-0.222.0/pkg/actions/capability/creator.go
--- old/eksctl-0.221.0/pkg/actions/capability/creator.go        2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/actions/capability/creator.go        2026-02-06 
21:41:06.000000000 +0100
@@ -70,8 +70,11 @@
                                if err := c.ensureClusterReady(ctx); err != nil 
{
                                        return fmt.Errorf("cluster not ready 
for capability creation: %w", err)
                                }
-                               if err := c.createIAMRoleStack(ctx, &cap); err 
!= nil {
-                                       return err
+                               // Only create IAM role stack if RoleARN is not 
provided
+                               if cap.RoleARN == "" {
+                                       if err := c.createIAMRoleStack(ctx, 
&cap); err != nil {
+                                               return err
+                                       }
                                }
 
                                return c.createCapability(ctx, &cap)
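Review bot: in the new 'if cap.RoleARN == ""' branch, a caller-supplied RoleARN skips createIAMRoleStack and goes straight to c.createCapability with no check that the value is a well-formed role ARN and no log line saying stack creation was skipped. Validate the ARN before the call (or confirm it is validated earlier) and log the skip; a unit test covering both paths is also absent from this diff. Separately, the variable name cap shadows the Go builtin of the same name.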
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/ami/auto_resolver.go 
new/eksctl-0.222.0/pkg/ami/auto_resolver.go
--- old/eksctl-0.221.0/pkg/ami/auto_resolver.go 2025-12-18 18:30:03.000000000 
+0100
+++ new/eksctl-0.222.0/pkg/ami/auto_resolver.go 2026-02-06 21:41:06.000000000 
+0100
@@ -71,6 +71,12 @@
                api.NodeImageFamilyWindowsServer2022FullContainer: {
                        ImageClassGeneral: 
fmt.Sprintf("Windows_Server-2022-English-Full-EKS_Optimized-%v-*", version),
                },
+               api.NodeImageFamilyWindowsServer2025CoreContainer: {
+                       ImageClassGeneral: 
fmt.Sprintf("Windows_Server-2025-English-Core-EKS_Optimized-%v-*", version),
+               },
+               api.NodeImageFamilyWindowsServer2025FullContainer: {
+                       ImageClassGeneral: 
fmt.Sprintf("Windows_Server-2025-English-Full-EKS_Optimized-%v-*", version),
+               },
        }
 }
 
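Review bot: the two Windows Server 2025 entries are added to the name-pattern map unconditionally, whereas the SSM path in ssm_resolver.go rejects these families below api.Version1_35. Confirm the auto resolver is covered by an equivalent minimum-version check, or add one, so both resolvers fail the same way on older clusters.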
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/ami/ssm_resolver.go 
new/eksctl-0.222.0/pkg/ami/ssm_resolver.go
--- old/eksctl-0.221.0/pkg/ami/ssm_resolver.go  2025-12-18 18:30:03.000000000 
+0100
+++ new/eksctl-0.222.0/pkg/ami/ssm_resolver.go  2026-02-06 21:41:06.000000000 
+0100
@@ -71,6 +71,17 @@
                        return "", fmt.Errorf("Windows Server 2022 %s requires 
EKS version %s and above", windowsAmiType(imageFamily), minVersion)
                }
                return 
fmt.Sprintf("/aws/service/ami-windows-latest/Windows_Server-2022-English-%s-EKS_Optimized-%s/%s",
 windowsAmiType(imageFamily), version, fieldName), nil
+       case api.NodeImageFamilyWindowsServer2025CoreContainer,
+               api.NodeImageFamilyWindowsServer2025FullContainer:
+               const minVersion = api.Version1_35
+               supportsWindows2025, err := utils.IsMinVersion(minVersion, 
version)
+               if err != nil {
+                       return "", err
+               }
+               if !supportsWindows2025 {
+                       return "", fmt.Errorf("Windows Server 2025 %s requires 
EKS version %s and above", windowsAmiType(imageFamily), minVersion)
+               }
+               return 
fmt.Sprintf("/aws/service/ami-windows-latest/Windows_Server-2025-English-%s-EKS_Optimized-%s/%s",
 windowsAmiType(imageFamily), version, fieldName), nil
        case api.NodeImageFamilyBottlerocket:
                return 
fmt.Sprintf("/aws/service/bottlerocket/aws-k8s-%s/%s/latest/%s", 
imageType(imageFamily, instanceType, version), 
instanceEC2ArchName(instanceType), fieldName), nil
        case api.NodeImageFamilyUbuntu2004,
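Review bot: the new Windows Server 2025 case repeats the version gate, error text and parameter path of the Windows Server 2022 lines just above it, differing only in the year and in minVersion. Factor the gate and the path format into one helper that takes the Windows release and its minimum EKS version, so the next release is one more argument rather than another copied case.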
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/ami/ssm_resolver_test.go 
new/eksctl-0.222.0/pkg/ami/ssm_resolver_test.go
--- old/eksctl-0.221.0/pkg/ami/ssm_resolver_test.go     2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/ami/ssm_resolver_test.go     2026-02-06 
21:41:06.000000000 +0100
@@ -175,6 +175,35 @@
                                        })
                                })
 
+                               Context("Windows Server 2025 Core", func() {
+                                       BeforeEach(func() {
+                                               version = "1.35"
+                                               p = 
mockprovider.NewMockProvider()
+                                       })
+
+                                       It("should return a valid AMI", func() {
+                                               imageFamily = 
"WindowsServer2025CoreContainer"
+                                               addMockGetParameter(p, 
"/aws/service/ami-windows-latest/Windows_Server-2025-English-Core-EKS_Optimized-1.35/image_id",
 expectedAmi)
+
+                                               resolver := 
NewSSMResolver(p.MockSSM())
+                                               resolvedAmi, err = 
resolver.Resolve(context.Background(), region, version, instanceType, 
imageFamily)
+
+                                               
Expect(err).NotTo(HaveOccurred())
+                                               
Expect(resolvedAmi).To(BeEquivalentTo(expectedAmi))
+                                               
Expect(p.MockSSM().AssertNumberOfCalls(GinkgoT(), "GetParameter", 
1)).To(BeTrue())
+                                       })
+
+                                       It("should return an error for EKS 
versions below 1.35", func() {
+                                               imageFamily = 
"WindowsServer2025CoreContainer"
+
+                                               resolver := 
NewSSMResolver(p.MockSSM())
+                                               resolvedAmi, err = 
resolver.Resolve(context.Background(), region, "1.34", instanceType, 
imageFamily)
+
+                                               Expect(err).To(HaveOccurred())
+                                               
Expect(err).To(MatchError(ContainSubstring("Windows Server 2025 Core requires 
EKS version 1.35 and above")))
+                                       })
+                               })
+
                        })
 
                        Context("and Windows Full family", func() {
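Review bot: in the "should return an error for EKS versions below 1.35" case, resolvedAmi is assigned but never checked. Add Expect(resolvedAmi).To(BeEmpty()) and make the intent explicit with an AssertNumberOfCalls(GinkgoT(), "GetParameter", 0) check, so the test shows the version gate fires before any SSM lookup.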
@@ -232,6 +261,35 @@
                                        })
                                })
 
+                               Context("Windows Server 2025 Full", func() {
+                                       BeforeEach(func() {
+                                               version = "1.35"
+                                               p = 
mockprovider.NewMockProvider()
+                                       })
+
+                                       It("should return a valid AMI", func() {
+                                               imageFamily = 
"WindowsServer2025FullContainer"
+                                               addMockGetParameter(p, 
"/aws/service/ami-windows-latest/Windows_Server-2025-English-Full-EKS_Optimized-1.35/image_id",
 expectedAmi)
+
+                                               resolver := 
NewSSMResolver(p.MockSSM())
+                                               resolvedAmi, err = 
resolver.Resolve(context.Background(), region, version, instanceType, 
imageFamily)
+
+                                               
Expect(err).NotTo(HaveOccurred())
+                                               
Expect(resolvedAmi).To(BeEquivalentTo(expectedAmi))
+                                               
Expect(p.MockSSM().AssertNumberOfCalls(GinkgoT(), "GetParameter", 
1)).To(BeTrue())
+                                       })
+
+                                       It("should return an error for EKS 
versions below 1.34", func() {
+                                               imageFamily = 
"WindowsServer2025FullContainer"
+
+                                               resolver := 
NewSSMResolver(p.MockSSM())
+                                               resolvedAmi, err = 
resolver.Resolve(context.Background(), region, "1.34", instanceType, 
imageFamily)
+
+                                               Expect(err).To(HaveOccurred())
+                                               
Expect(err).To(MatchError(ContainSubstring("Windows Server 2025 Full requires 
EKS version 1.35 and above")))
+                                       })
+                               })
+
                        })
 
                        Context("and Ubuntu2004 family", func() {
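Review bot: The second spec's title, "should return an error for EKS versions below 1.34", does not match what it exercises: it calls Resolve with "1.34" and expects "Windows Server 2025 Full requires EKS version 1.35 and above". Rename it to "below 1.35" so the title states the boundary the assertion checks, and consider asserting that GetParameter is not called on this path, in the same way the success spec asserts a call count of 1.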
@@ -758,7 +816,9 @@
                        for _, amiType := range eksAMIType.Values() {
                                if amiType == ekstypes.AMITypesCustom || 
strings.HasPrefix(string(amiType), "WINDOWS_") ||
                                        // TODO: remove this condition after 
support for Bottlerocket FIPS AMI types.
-                                       amiType == 
ekstypes.AMITypesBottlerocketArm64Fips || amiType == 
ekstypes.AMITypesBottlerocketX8664Fips {
+                                       amiType == 
ekstypes.AMITypesBottlerocketArm64Fips || amiType == 
ekstypes.AMITypesBottlerocketX8664Fips ||
+                                       // TODO: remove this condition after 
support for Bottlerocket Nvidia FIPS AMI types.
+                                       amiType == 
ekstypes.AMITypesBottlerocketArm64NvidiaFips || amiType == 
ekstypes.AMITypesBottlerocketX8664NvidiaFips {
                                        continue
                                }
                                ssmParameterName := 
MakeManagedSSMParameterName(api.Version1_31, amiType)
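Review bot: The skip condition in this loop is now a six-term || chain carrying two TODOs that reference no tracking issue, so nothing prompts their removal. Consider collecting the unsupported AMI types in a small set that is checked with one lookup, and put an issue reference in the TODO so the Bottlerocket Nvidia FIPS exclusion does not stay in place unnoticed once support lands.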
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/amitype.go 
new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/amitype.go
--- old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/amitype.go   2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/amitype.go   2026-02-06 
21:41:06.000000000 +0100
@@ -56,6 +56,14 @@
                        X86x64:    ekstypes.AMITypesWindowsCore2022X8664,
                        X86Nvidia: ekstypes.AMITypesWindowsCore2022X8664,
                },
+               NodeImageFamilyWindowsServer2025FullContainer: {
+                       X86x64:    
ekstypes.AMITypes("WINDOWS_FULL_2025_x86_64"),
+                       X86Nvidia: 
ekstypes.AMITypes("WINDOWS_FULL_2025_x86_64"),
+               },
+               NodeImageFamilyWindowsServer2025CoreContainer: {
+                       X86x64:    
ekstypes.AMITypes("WINDOWS_CORE_2025_x86_64"),
+                       X86Nvidia: 
ekstypes.AMITypes("WINDOWS_CORE_2025_x86_64"),
+               },
        }
 
        amiType, ok := amiTypeMapping[amiFamily]
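Review bot: The two 2025 entries build their values with string conversions, ekstypes.AMITypes("WINDOWS_FULL_2025_x86_64") and ekstypes.AMITypes("WINDOWS_CORE_2025_x86_64"), while the 2022 entries just above use SDK constants such as ekstypes.AMITypesWindowsCore2022X8664. A converted literal is not checked at compile time, so a typo would only surface as an API error at node group creation; use the SDK constants if the vendored SDK version defines them, or add a comment explaining why literals are needed here.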
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/assets/schema.json 
new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
--- old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/assets/schema.json   
2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/assets/schema.json   
2026-02-06 21:41:06.000000000 +0100
@@ -975,6 +975,11 @@
         "status": {
           "$ref": "#/definitions/ClusterIAMServiceAccountStatus"
         },
+        "subjectPattern": {
+          "type": "string",
+          "description": "Subject pattern to use in the trust policy 
condition. When set, this pattern is used instead of the service account name, 
and StringLike is used instead of StringEquals to allow wildcard matching.",
+          "x-intellij-html-description": "Subject pattern to use in the trust 
policy condition. When set, this pattern is used instead of the service account 
name, and StringLike is used instead of StringEquals to allow wildcard 
matching."
+        },
         "tags": {
           "additionalProperties": {
             "type": "string"
@@ -998,7 +1003,8 @@
         "status",
         "roleName",
         "roleOnly",
-        "tags"
+        "tags",
+        "subjectPattern"
       ],
       "additionalProperties": false,
       "description": "holds an IAM service account metadata and configuration",
@@ -1645,8 +1651,8 @@
         },
         "amiFamily": {
           "type": "string",
-          "description": "Valid variants are: `\"AmazonLinux2023\"` (default), 
`\"AmazonLinux2\"`, `\"UbuntuPro2404\"`, `\"Ubuntu2404\"`, `\"UbuntuPro2204\"`, 
`\"Ubuntu2204\"`, `\"UbuntuPro2004\"`, `\"Ubuntu2004\"`, `\"Bottlerocket\"`, 
`\"WindowsServer2019CoreContainer\"`, `\"WindowsServer2019FullContainer\"`, 
`\"WindowsServer2022CoreContainer\"`, `\"WindowsServer2022FullContainer\"`.",
-          "x-intellij-html-description": "Valid variants are: 
<code>&quot;AmazonLinux2023&quot;</code> (default), 
<code>&quot;AmazonLinux2&quot;</code>, <code>&quot;UbuntuPro2404&quot;</code>, 
<code>&quot;Ubuntu2404&quot;</code>, <code>&quot;UbuntuPro2204&quot;</code>, 
<code>&quot;Ubuntu2204&quot;</code>, <code>&quot;UbuntuPro2004&quot;</code>, 
<code>&quot;Ubuntu2004&quot;</code>, <code>&quot;Bottlerocket&quot;</code>, 
<code>&quot;WindowsServer2019CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2019FullContainer&quot;</code>, 
<code>&quot;WindowsServer2022CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2022FullContainer&quot;</code>.",
+          "description": "Valid variants are: `\"AmazonLinux2023\"` (default), 
`\"AmazonLinux2\"`, `\"UbuntuPro2404\"`, `\"Ubuntu2404\"`, `\"UbuntuPro2204\"`, 
`\"Ubuntu2204\"`, `\"UbuntuPro2004\"`, `\"Ubuntu2004\"`, `\"Bottlerocket\"`, 
`\"WindowsServer2019CoreContainer\"`, `\"WindowsServer2019FullContainer\"`, 
`\"WindowsServer2022CoreContainer\"`, `\"WindowsServer2022FullContainer\"`, 
`\"WindowsServer2025CoreContainer\"`, `\"WindowsServer2025FullContainer\"`.",
+          "x-intellij-html-description": "Valid variants are: 
<code>&quot;AmazonLinux2023&quot;</code> (default), 
<code>&quot;AmazonLinux2&quot;</code>, <code>&quot;UbuntuPro2404&quot;</code>, 
<code>&quot;Ubuntu2404&quot;</code>, <code>&quot;UbuntuPro2204&quot;</code>, 
<code>&quot;Ubuntu2204&quot;</code>, <code>&quot;UbuntuPro2004&quot;</code>, 
<code>&quot;Ubuntu2004&quot;</code>, <code>&quot;Bottlerocket&quot;</code>, 
<code>&quot;WindowsServer2019CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2019FullContainer&quot;</code>, 
<code>&quot;WindowsServer2022CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2022FullContainer&quot;</code>, 
<code>&quot;WindowsServer2025CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2025FullContainer&quot;</code>.",
           "default": "AmazonLinux2023",
           "enum": [
             "AmazonLinux2023",
@@ -1661,7 +1667,9 @@
             "WindowsServer2019CoreContainer",
             "WindowsServer2019FullContainer",
             "WindowsServer2022CoreContainer",
-            "WindowsServer2022FullContainer"
+            "WindowsServer2022FullContainer",
+            "WindowsServer2025CoreContainer",
+            "WindowsServer2025FullContainer"
           ]
         },
         "asgSuspendProcesses": {
@@ -1995,8 +2003,8 @@
         },
         "amiFamily": {
           "type": "string",
-          "description": "Valid variants are: `\"AmazonLinux2023\"` (default), 
`\"AmazonLinux2\"`, `\"UbuntuPro2404\"`, `\"Ubuntu2404\"`, `\"UbuntuPro2204\"`, 
`\"Ubuntu2204\"`, `\"UbuntuPro2004\"`, `\"Ubuntu2004\"`, `\"Bottlerocket\"`, 
`\"WindowsServer2019CoreContainer\"`, `\"WindowsServer2019FullContainer\"`, 
`\"WindowsServer2022CoreContainer\"`, `\"WindowsServer2022FullContainer\"`.",
-          "x-intellij-html-description": "Valid variants are: 
<code>&quot;AmazonLinux2023&quot;</code> (default), 
<code>&quot;AmazonLinux2&quot;</code>, <code>&quot;UbuntuPro2404&quot;</code>, 
<code>&quot;Ubuntu2404&quot;</code>, <code>&quot;UbuntuPro2204&quot;</code>, 
<code>&quot;Ubuntu2204&quot;</code>, <code>&quot;UbuntuPro2004&quot;</code>, 
<code>&quot;Ubuntu2004&quot;</code>, <code>&quot;Bottlerocket&quot;</code>, 
<code>&quot;WindowsServer2019CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2019FullContainer&quot;</code>, 
<code>&quot;WindowsServer2022CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2022FullContainer&quot;</code>.",
+          "description": "Valid variants are: `\"AmazonLinux2023\"` (default), 
`\"AmazonLinux2\"`, `\"UbuntuPro2404\"`, `\"Ubuntu2404\"`, `\"UbuntuPro2204\"`, 
`\"Ubuntu2204\"`, `\"UbuntuPro2004\"`, `\"Ubuntu2004\"`, `\"Bottlerocket\"`, 
`\"WindowsServer2019CoreContainer\"`, `\"WindowsServer2019FullContainer\"`, 
`\"WindowsServer2022CoreContainer\"`, `\"WindowsServer2022FullContainer\"`, 
`\"WindowsServer2025CoreContainer\"`, `\"WindowsServer2025FullContainer\"`.",
+          "x-intellij-html-description": "Valid variants are: 
<code>&quot;AmazonLinux2023&quot;</code> (default), 
<code>&quot;AmazonLinux2&quot;</code>, <code>&quot;UbuntuPro2404&quot;</code>, 
<code>&quot;Ubuntu2404&quot;</code>, <code>&quot;UbuntuPro2204&quot;</code>, 
<code>&quot;Ubuntu2204&quot;</code>, <code>&quot;UbuntuPro2004&quot;</code>, 
<code>&quot;Ubuntu2004&quot;</code>, <code>&quot;Bottlerocket&quot;</code>, 
<code>&quot;WindowsServer2019CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2019FullContainer&quot;</code>, 
<code>&quot;WindowsServer2022CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2022FullContainer&quot;</code>, 
<code>&quot;WindowsServer2025CoreContainer&quot;</code>, 
<code>&quot;WindowsServer2025FullContainer&quot;</code>.",
           "default": "AmazonLinux2023",
           "enum": [
             "AmazonLinux2023",
@@ -2011,7 +2019,9 @@
             "WindowsServer2019CoreContainer",
             "WindowsServer2019FullContainer",
             "WindowsServer2022CoreContainer",
-            "WindowsServer2022FullContainer"
+            "WindowsServer2022FullContainer",
+            "WindowsServer2025CoreContainer",
+            "WindowsServer2025FullContainer"
           ]
         },
         "asgMetricsCollection": {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/iam.go 
new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/iam.go
--- old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/iam.go       2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/iam.go       2026-02-06 
21:41:06.000000000 +0100
@@ -124,6 +124,12 @@
        // AWS tags for the service account
        // +optional
        Tags map[string]string `json:"tags,omitempty"`
+
+       // Subject pattern to use in the trust policy condition. When set, this 
pattern is used
+       // instead of the service account name, and StringLike is used instead 
of StringEquals
+       // to allow wildcard matching.
+       // +optional
+       SubjectPattern string `json:"subjectPattern,omitempty"`
 }
 
 // ClusterIAMServiceAccountStatus holds status of the IAM service account
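Review bot: The comment on SubjectPattern says the pattern replaces the service account name but does not say that the namespace stays fixed or that the value is only the name segment of the subject. State that explicitly (the oidc helper later in this patch prepends system:serviceaccount:<namespace>: itself), so users do not supply a full subject string in the config file.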
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go 
new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go
--- old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go  
2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go  
2026-02-06 21:41:06.000000000 +0100
@@ -217,6 +217,8 @@
                Entry("Windows2019Full", 
api.NodeImageFamilyWindowsServer2019FullContainer, true),
                Entry("Windows2022Core", 
api.NodeImageFamilyWindowsServer2022CoreContainer, true),
                Entry("Windows2022Full", 
api.NodeImageFamilyWindowsServer2022FullContainer, true),
+               Entry("Windows2025Core", 
api.NodeImageFamilyWindowsServer2025CoreContainer, true),
+               Entry("Windows2025Full", 
api.NodeImageFamilyWindowsServer2025FullContainer, true),
        )
 
        type nodeGroupEntry struct {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/types.go 
new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/types.go
--- old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/types.go     2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/types.go     2026-02-06 
21:41:06.000000000 +0100
@@ -48,13 +48,15 @@
        Version1_31                  = "1.31"
        Version1_32                  = "1.32"
        Version1_33                  = "1.33"
+       Version1_34                  = "1.34"
+       Version1_35                  = "1.35"
        DockershimDeprecationVersion = Version1_24
        AmazonLinux2EOLVersion       = Version1_33
        // EFABuiltInSupportVersion defines the minimum Kubernetes version that 
supports built-in EFA
        EFABuiltInSupportVersion = Version1_33
        //TODO: Remove this and replace with output from 
DescribeClusterVersions endpoint
        // DefaultVersion (default)
-       DefaultVersion = Version1_32
+       DefaultVersion = Version1_34
 )
 
 const (
@@ -223,6 +225,9 @@
 
        NodeImageFamilyWindowsServer2022CoreContainer = 
"WindowsServer2022CoreContainer"
        NodeImageFamilyWindowsServer2022FullContainer = 
"WindowsServer2022FullContainer"
+
+       NodeImageFamilyWindowsServer2025CoreContainer = 
"WindowsServer2025CoreContainer"
+       NodeImageFamilyWindowsServer2025FullContainer = 
"WindowsServer2025FullContainer"
 )
 
 // Deprecated `NodeAMIFamily`
@@ -604,6 +609,8 @@
                NodeImageFamilyWindowsServer2019FullContainer,
                NodeImageFamilyWindowsServer2022CoreContainer,
                NodeImageFamilyWindowsServer2022FullContainer,
+               NodeImageFamilyWindowsServer2025CoreContainer,
+               NodeImageFamilyWindowsServer2025FullContainer,
        }
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/validation.go 
new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/validation.go
--- old/eksctl-0.221.0/pkg/apis/eksctl.io/v1alpha5/validation.go        
2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/apis/eksctl.io/v1alpha5/validation.go        
2026-02-06 21:41:06.000000000 +0100
@@ -1674,7 +1674,9 @@
        case NodeImageFamilyWindowsServer2019CoreContainer,
                NodeImageFamilyWindowsServer2019FullContainer,
                NodeImageFamilyWindowsServer2022CoreContainer,
-               NodeImageFamilyWindowsServer2022FullContainer:
+               NodeImageFamilyWindowsServer2022FullContainer,
+               NodeImageFamilyWindowsServer2025CoreContainer,
+               NodeImageFamilyWindowsServer2025FullContainer:
                return true
 
        default:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/awsapi/eks.go 
new/eksctl-0.222.0/pkg/awsapi/eks.go
--- old/eksctl-0.221.0/pkg/awsapi/eks.go        2025-12-18 18:30:03.000000000 
+0100
+++ new/eksctl-0.222.0/pkg/awsapi/eks.go        2026-02-06 21:41:06.000000000 
+0100
@@ -176,9 +176,9 @@
        // node group was created. You can update the launch template version 
with
        // necessary changes. For more information about using launch 
templates, see [Customizing managed nodes with launch templates].
        //
-       // An Amazon EKS managed node group is an Amazon EC2 Amazon EC2 Auto 
Scaling group
-       // and associated Amazon EC2 instances that are managed by Amazon Web 
Services for
-       // an Amazon EKS cluster. For more information, see [Managed node 
groups]in the Amazon EKS User Guide.
+       // An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group 
and
+       // associated Amazon EC2 instances that are managed by Amazon Web 
Services for an
+       // Amazon EKS cluster. For more information, see [Managed node 
groups]in the Amazon EKS User Guide.
        //
        // Windows AMI types are only supported for commercial Amazon Web 
Services Regions
        // that support Windows on Amazon EKS.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/cfn/builder/iam.go 
new/eksctl-0.222.0/pkg/cfn/builder/iam.go
--- old/eksctl-0.221.0/pkg/cfn/builder/iam.go   2025-12-18 18:30:03.000000000 
+0100
+++ new/eksctl-0.222.0/pkg/cfn/builder/iam.go   2026-02-06 21:41:06.000000000 
+0100
@@ -344,6 +344,7 @@
                wellKnownPolicies:   spec.WellKnownPolicies,
                roleName:            spec.RoleName,
                permissionsBoundary: spec.PermissionsBoundary,
+               subjectPattern:      spec.SubjectPattern,
                description: fmt.Sprintf(
                        "IAM role for serviceaccount %q %s",
                        spec.NameString(),
@@ -427,6 +428,7 @@
        namespace           string
        permissionsBoundary string
        description         string
+       subjectPattern      string
 }
 
 // NewIAMRoleResourceSetWithAttachPolicyARNs builds IAM Role stack from the 
give spec
@@ -525,6 +527,9 @@
        }
        if rs.serviceAccount != "" && rs.namespace != "" {
                logger.Debug("service account location provided: %s/%s, adding 
sub condition", api.AWSNodeMeta.Namespace, api.AWSNodeMeta.Name)
+               if rs.subjectPattern != "" {
+                       return 
rs.oidc.MakeAssumeRolePolicyDocumentWithServiceAccountConditionsAllowingWildcard(rs.namespace,
 rs.subjectPattern)
+               }
                return 
rs.oidc.MakeAssumeRolePolicyDocumentWithServiceAccountConditions(rs.namespace, 
rs.serviceAccount)
        }
        return rs.oidc.MakeAssumeRolePolicyDocument()
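Review bot: rs.subjectPattern reaches the wildcard policy builder with no validation in this branch, so a value of "*" yields a trust policy that lets every service account in rs.namespace assume the role, and rs.serviceAccount is silently ignored. Consider rejecting or warning on a bare wildcard during config validation, and log here that the StringLike condition is being used; the existing debug line prints api.AWSNodeMeta.Namespace and api.AWSNodeMeta.Name rather than the account being processed, so it gives no trace of the broader match.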
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/cfn/builder/iam_test.go 
new/eksctl-0.222.0/pkg/cfn/builder/iam_test.go
--- old/eksctl-0.221.0/pkg/cfn/builder/iam_test.go      2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/cfn/builder/iam_test.go      2026-02-06 
21:41:06.000000000 +0100
@@ -254,6 +254,42 @@
                        
Expect(t).To(HaveOutputWithValue(outputs.IAMServiceAccountRoleName, `{ 
"Fn::GetAtt": "Role1.Arn" }`))
                })
 
+               It("can construct an iamserviceaccount addon template with 
subject pattern using wildcards", func() {
+                       serviceAccount := &api.ClusterIAMServiceAccount{}
+
+                       serviceAccount.Name = "sa-1"
+                       serviceAccount.SubjectPattern = "app-*"
+
+                       serviceAccount.AttachPolicyARNs = 
[]string{"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}
+
+                       appendServiceAccountToClusterConfig(cfg, serviceAccount)
+
+                       rs := 
builder.NewIAMRoleResourceSetForServiceAccount(serviceAccount, oidc)
+
+                       templateBody := []byte{}
+
+                       Expect(rs).To(RenderWithoutErrors(&templateBody))
+
+                       t := cft.NewTemplate()
+
+                       Expect(t).To(LoadBytesWithoutErrors(templateBody))
+
+                       Expect(t.Description).To(Equal("IAM role for 
serviceaccount \"default/sa-1\" [created and managed by eksctl]"))
+
+                       Expect(t.Resources).To(HaveLen(1))
+                       Expect(t.Outputs).To(HaveLen(1))
+
+                       
Expect(t).To(HaveResource(outputs.IAMServiceAccountRoleName, "AWS::IAM::Role"))
+
+                       // Verify that the assume role policy uses StringLike 
for subject pattern
+                       
Expect(t).To(HaveResourceWithPropertyValue(outputs.IAMServiceAccountRoleName, 
"AssumeRolePolicyDocument", 
expectedServiceAccountAssumeRolePolicyDocumentWithWildcard))
+                       
Expect(t).To(HaveResourceWithPropertyValue(outputs.IAMServiceAccountRoleName, 
"ManagedPolicyArns", `[
+                       "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+               ]`))
+
+                       
Expect(t).To(HaveOutputWithValue(outputs.IAMServiceAccountRoleName, `{ 
"Fn::GetAtt": "Role1.Arn" }`))
+               })
+
                It("can construct an iamserviceaccount addon template with all 
the wellKnownPolicies", func() {
                        serviceAccount := &api.ClusterIAMServiceAccount{}
 
@@ -442,6 +478,29 @@
                  }
                },
                "Effect": "Allow",
+               "Principal": {
+                 "Federated": 
"arn:aws:iam::456123987123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E"
+               }
+         }
+       ],
+       "Version": "2012-10-17"
+}`
+
+const expectedServiceAccountAssumeRolePolicyDocumentWithWildcard = `{
+       "Statement": [
+         {
+               "Action": [
+                 "sts:AssumeRoleWithWebIdentity"
+               ],
+               "Condition": {
+                 "StringEquals": {
+                       
"oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E:aud": 
"sts.amazonaws.com"
+                 },
+                 "StringLike": {
+                       
"oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E:sub": 
"system:serviceaccount:default:app-*"
+                 }
+               },
+               "Effect": "Allow",
                "Principal": {
                  "Federated": 
"arn:aws:iam::456123987123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E"
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/pkg/cfn/builder/managed_nodegroup_ami_type_test.go 
new/eksctl-0.222.0/pkg/cfn/builder/managed_nodegroup_ami_type_test.go
--- old/eksctl-0.221.0/pkg/cfn/builder/managed_nodegroup_ami_type_test.go       
2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/cfn/builder/managed_nodegroup_ami_type_test.go       
2026-02-06 21:41:06.000000000 +0100
@@ -22,6 +22,7 @@
        nodeGroup *api.ManagedNodeGroup
 
        expectedAMIType string
+       clusterVersion  string
 }
 
 var _ = DescribeTable("Managed Nodegroup AMI type", func(e amiTypeEntry) {
@@ -29,6 +30,11 @@
        clusterConfig.Status = &api.ClusterStatus{
                Endpoint: "https://test.com";,
        }
+       if e.clusterVersion != "" {
+               clusterConfig.Metadata.Version = e.clusterVersion
+       } else {
+               clusterConfig.Metadata.Version = api.DefaultVersion
+       }
        err := api.SetManagedNodeGroupDefaults(e.nodeGroup, 
clusterConfig.Metadata, false)
        Expect(err).NotTo(HaveOccurred())
        p := mockprovider.NewMockProvider()
@@ -76,6 +82,7 @@
                        },
                },
                expectedAMIType: "AL2_x86_64",
+               clusterVersion:  api.Version1_32,
        }),
 
        Entry("default Nvidia GPU instance type", amiTypeEntry{
@@ -107,6 +114,7 @@
                        },
                },
                expectedAMIType: "AL2_x86_64_GPU",
+               clusterVersion:  api.Version1_32,
        }),
 
        Entry("default ARM instance type", amiTypeEntry{
@@ -128,6 +136,7 @@
                        },
                },
                expectedAMIType: "AL2_ARM_64",
+               clusterVersion:  api.Version1_32,
        }),
 
        Entry("Bottlerocket AMI type", amiTypeEntry{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/ctl/cmdutils/configfile.go 
new/eksctl-0.222.0/pkg/ctl/cmdutils/configfile.go
--- old/eksctl-0.221.0/pkg/ctl/cmdutils/configfile.go   2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/ctl/cmdutils/configfile.go   2026-02-06 
21:41:06.000000000 +0100
@@ -868,6 +868,7 @@
 
        l.flagsIncompatibleWithConfigFile.Insert(
                "policy-arn",
+               "subject-pattern",
        )
 
        l.validateWithConfigFile = func() error {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/ctl/cmdutils/configfile_test.go 
new/eksctl-0.222.0/pkg/ctl/cmdutils/configfile_test.go
--- old/eksctl-0.221.0/pkg/ctl/cmdutils/configfile_test.go      2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/ctl/cmdutils/configfile_test.go      2026-02-06 
21:41:06.000000000 +0100
@@ -649,6 +649,59 @@
                })
        })
 
+       Describe("NewCreateIAMServiceAccountLoader", func() {
+               When("subject-pattern flag is used with config file", func() {
+                       It("should return an error", func() {
+                               cfg := api.NewClusterConfig()
+                               cobraCmd := newCmd()
+                               cobraCmd.Flags().String("subject-pattern", "", 
"")
+                               cobraCmd.Flags().String("cluster", "", "")
+                               
Expect(cobraCmd.ParseFlags([]string{"--subject-pattern", 
"app-*"})).To(Succeed())
+
+                               cmd := &Cmd{
+                                       ClusterConfig:     cfg,
+                                       CobraCommand:      cobraCmd,
+                                       ClusterConfigFile: examplesDir + 
"01-simple-cluster.yaml",
+                                       ProviderConfig:    api.ProviderConfig{},
+                               }
+
+                               err := NewCreateIAMServiceAccountLoader(cmd, 
filter.NewIAMServiceAccountFilter()).Load()
+                               Expect(err).To(HaveOccurred())
+                               
Expect(err.Error()).To(ContainSubstring("--subject-pattern"))
+                               Expect(err.Error()).To(ContainSubstring("cannot 
use --subject-pattern when --config-file/-f is set"))
+                       })
+               })
+
+               When("subject-pattern flag is used without config file", func() 
{
+                       It("should succeed", func() {
+                               cfg := api.NewClusterConfig()
+                               cfg.Metadata.Name = "test-cluster"
+                               serviceAccount := &api.ClusterIAMServiceAccount{
+                                       ClusterIAMMeta: api.ClusterIAMMeta{
+                                               Name:      "test-sa",
+                                               Namespace: "default",
+                                       },
+                                       AttachPolicyARNs: 
[]string{"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
+                                       SubjectPattern:   "app-*",
+                               }
+                               cfg.IAM.ServiceAccounts = 
[]*api.ClusterIAMServiceAccount{serviceAccount}
+
+                               cobraCmd := newCmd()
+                               cobraCmd.Flags().String("cluster", "", "")
+                               cobraCmd.Flags().String("subject-pattern", "", 
"")
+
+                               cmd := &Cmd{
+                                       ClusterConfig:  cfg,
+                                       CobraCommand:   cobraCmd,
+                                       ProviderConfig: api.ProviderConfig{},
+                               }
+
+                               err := NewCreateIAMServiceAccountLoader(cmd, 
filter.NewIAMServiceAccountFilter()).Load()
+                               Expect(err).NotTo(HaveOccurred())
+                       })
+               })
+       })
+
        Context("makeManagedNodegroup with node repair config", func() {
                var (
                        ng      *api.NodeGroup
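Review bot: The "subject-pattern flag is used without config file" spec registers the flag but never calls ParseFlags, and sets SubjectPattern directly on the struct, so it passes whether or not the flag is handled. Parse "--subject-pattern", "app-*" as the first spec does, and assert after Load() that cfg.IAM.ServiceAccounts[0].SubjectPattern still equals "app-*".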
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go 
new/eksctl-0.222.0/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go
--- old/eksctl-0.221.0/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go 
2025-12-18 18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go 
2026-02-06 21:41:06.000000000 +0100
@@ -3,6 +3,7 @@
 import (
        "bytes"
        "context"
+       "fmt"
 
        "github.com/aws/aws-sdk-go-v2/aws"
        "github.com/aws/aws-sdk-go-v2/service/eks"
@@ -341,14 +342,14 @@
        ng.SSH = nil
 }
 
-const expected = `
+var expected = fmt.Sprintf(`
   {
                "kind": "ClusterConfig",
                "apiVersion": "eksctl.io/v1alpha5",
                "metadata": {
                  "name": "test-3x3-ngs",
                  "region": "eu-central-1",
-                 "version": "1.32"
+                 "version": "%s"
                },
                "upgradePolicy": {},
                "kubernetesNetworkConfig": {
@@ -656,7 +657,7 @@
                  }
                ]
   }
-`
+`, api.DefaultVersion)
 
 type mockStackLister struct {
        nodesResult []manager.NodeGroupStack
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/ctl/create/iamserviceaccount.go 
new/eksctl-0.222.0/pkg/ctl/create/iamserviceaccount.go
--- old/eksctl-0.221.0/pkg/ctl/create/iamserviceaccount.go      2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/ctl/create/iamserviceaccount.go      2026-02-06 
21:41:06.000000000 +0100
@@ -57,6 +57,8 @@
 
                fs.BoolVar(&overrideExistingServiceAccounts, 
"override-existing-serviceaccounts", false, "create IAM roles for existing 
serviceaccounts and update the serviceaccount")
 
+               fs.StringVar(&serviceAccount.SubjectPattern, "subject-pattern", 
"", "subject pattern to use in the trust policy (supports wildcards like '*' 
with StringLike condition)")
+
                cmdutils.AddIAMServiceAccountFilterFlags(fs, &cmd.Include, 
&cmd.Exclude)
                cmdutils.AddApproveFlag(fs, cmd)
                cmdutils.AddRegionFlag(fs, &cmd.ProviderConfig)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/pkg/ctl/create/iamserviceaccount_test.go 
new/eksctl-0.222.0/pkg/ctl/create/iamserviceaccount_test.go
--- old/eksctl-0.221.0/pkg/ctl/create/iamserviceaccount_test.go 2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/pkg/ctl/create/iamserviceaccount_test.go 2026-02-06 
21:41:06.000000000 +0100
@@ -30,6 +30,28 @@
                Entry("with optional flags", "--cluster", "clusterName", 
"--name", "serviceAccountName", "--attach-policy-arn", "dummyPolicyArn", 
"--override-existing-serviceaccounts", "--role-name", "custom-role-name"),
        )
 
+       DescribeTable("create service account with subject pattern",
+               func(args ...string) {
+                       commandArgs := append([]string{"iamserviceaccount"}, 
args...)
+                       cmd := newMockEmptyCmd(commandArgs...)
+                       count := 0
+                       cmdutils.AddResourceCmd(cmdutils.NewGrouping(), 
cmd.parentCmd, func(cmd *cmdutils.Cmd) {
+                               createIAMServiceAccountCmdWithRunFunc(cmd, 
func(cmd *cmdutils.Cmd, _, _ bool) error {
+                                       
Expect(cmd.ClusterConfig.Metadata.Name).To(Equal("clusterName"))
+                                       
Expect(cmd.ClusterConfig.IAM.ServiceAccounts[0].Name).To(Equal("serviceAccountName"))
+                                       
Expect(cmd.ClusterConfig.IAM.ServiceAccounts[0].SubjectPattern).To(Equal("app-*"))
+                                       
Expect(cmd.ClusterConfig.IAM.ServiceAccounts[0].AttachPolicyARNs).To(ContainElement("dummyPolicyArn"))
+                                       count++
+                                       return nil
+                               })
+                       })
+                       _, err := cmd.execute()
+                       Expect(err).To(Not(HaveOccurred()))
+                       Expect(count).To(Equal(1))
+               },
+               Entry("with subject-pattern flag", "--cluster", "clusterName", 
"--name", "serviceAccountName", "--attach-policy-arn", "dummyPolicyArn", 
"--subject-pattern", "app-*"),
+       )
+
        DescribeTable("invalid flags or arguments",
                func(c invalidParamsCase) {
                        cmd := newDefaultCmd(c.args...)
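
Review bot: the new DescribeTable has a single happy-path Entry ("--subject-pattern", "app-*"), so nothing pins down how the flag behaves on risky input. Add entries for a bare "*", for a pattern containing ":" and for an empty value, and assert whether each one is accepted or rejected. One entry should also pass --namespace, since the namespace ends up in the subject string that the trust policy matches on.
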
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/iam/oidc/api.go 
new/eksctl-0.222.0/pkg/iam/oidc/api.go
--- old/eksctl-0.221.0/pkg/iam/oidc/api.go      2025-12-18 18:30:03.000000000 
+0100
+++ new/eksctl-0.222.0/pkg/iam/oidc/api.go      2026-02-06 21:41:06.000000000 
+0100
@@ -180,6 +180,21 @@
        })
 }
 
+// MakeAssumeRolePolicyDocumentWithServiceAccountConditionsAllowingWildcard 
constructs a trust policy document
+// that allows wildcard pattern matching in the subject condition. The 
subjectPattern should be in the format
+// "system:serviceaccount:namespace:name-pattern" where name-pattern can 
include wildcards like "*".
+func (m *OpenIDConnectManager) 
MakeAssumeRolePolicyDocumentWithServiceAccountConditionsAllowingWildcard(serviceAccountNamespace,
 subjectPattern string) cft.MapOfInterfaces {
+       subject := fmt.Sprintf("system:serviceaccount:%s:%s", 
serviceAccountNamespace, subjectPattern)
+       return cft.MakeAssumeRoleWithWebIdentityPolicyDocument(m.ProviderARN, 
cft.MapOfInterfaces{
+               "StringLike": map[string]string{
+                       m.hostnameAndPath() + ":sub": subject,
+               },
+               "StringEquals": map[string]string{
+                       m.hostnameAndPath() + ":aud": m.audience,
+               },
+       })
+}
+
 func (m *OpenIDConnectManager) MakeAssumeRolePolicyDocument() 
cft.MapOfInterfaces {
        return cft.MakeAssumeRoleWithWebIdentityPolicyDocument(m.ProviderARN, 
cft.MapOfInterfaces{
                "StringEquals": map[string]string{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/eksctl-0.221.0/pkg/version/release.go 
new/eksctl-0.222.0/pkg/version/release.go
--- old/eksctl-0.221.0/pkg/version/release.go   2025-12-18 18:30:03.000000000 
+0100
+++ new/eksctl-0.222.0/pkg/version/release.go   2026-02-06 21:41:06.000000000 
+0100
@@ -3,7 +3,7 @@
 // This file was generated by release_generate.go; DO NOT EDIT.
 
 // Version is the version number in semver format X.Y.Z
-var Version = "0.221.0"
+var Version = "0.222.0"
 
 // PreReleaseID can be empty for releases, "rc.X" for release candidates and 
"dev" for snapshots
 var PreReleaseID = "dev"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/userdocs/src/usage/custom-ami-support.md 
new/eksctl-0.222.0/userdocs/src/usage/custom-ami-support.md
--- old/eksctl-0.221.0/userdocs/src/usage/custom-ami-support.md 2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/userdocs/src/usage/custom-ami-support.md 2026-02-06 
21:41:06.000000000 +0100
@@ -68,6 +68,8 @@
 | WindowsServer2019CoreContainer | Indicates that the EKS AMI image based on 
Windows Server 2019 Core Container should be used.                              
  |
 | WindowsServer2022FullContainer | Indicates that the EKS AMI image based on 
Windows Server 2022 Full Container should be used.                              
  |
 | WindowsServer2022CoreContainer | Indicates that the EKS AMI image based on 
Windows Server 2022 Core Container should be used.                              
  |
+| WindowsServer2025FullContainer | Indicates that the EKS AMI image based on 
Windows Server 2025 Full Container should be used.                              
  |
+| WindowsServer2025CoreContainer | Indicates that the EKS AMI image based on 
Windows Server 2025 Core Container should be used.                              
  |
 
 CLI flag example:
 ```sh
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/eksctl-0.221.0/userdocs/src/usage/iamserviceaccounts.md 
new/eksctl-0.222.0/userdocs/src/usage/iamserviceaccounts.md
--- old/eksctl-0.221.0/userdocs/src/usage/iamserviceaccounts.md 2025-12-18 
18:30:03.000000000 +0100
+++ new/eksctl-0.222.0/userdocs/src/usage/iamserviceaccounts.md 2026-02-06 
21:41:06.000000000 +0100
@@ -91,6 +91,50 @@
 ???+ note
     `eksctl delete iamserviceaccount` deletes Kubernetes `ServiceAccounts` 
even if they were not created by `eksctl`.
 
+#### Using wildcard patterns with `--subject-pattern`
+
+When you need to grant IAM permissions to multiple service accounts that 
follow a naming pattern, you can use the `--subject-pattern` flag to create an 
IAM role that trusts service accounts matching a wildcard pattern.
+
+This is useful for scenarios such as:
+- Multiple deployment replicas with dynamic service account names
+- Applications that create service accounts with predictable prefixes
+- Multi-tenant environments where service accounts share a naming convention
+
+When using `--subject-pattern`, the IAM trust policy will use the `StringLike` 
condition operator instead of `StringEquals`, allowing wildcards like `*` to 
match multiple service accounts:
+
+```console
+eksctl create iamserviceaccount \
+  --cluster=<clusterName> \
+  --name=<serviceAccountName> \
+  --namespace=<serviceAccountNamespace> \
+  --attach-policy-arn=<policyARN> \
+  --subject-pattern="app-*"
+```
+
+For example, to allow all service accounts starting with `app-` in the 
`default` namespace to assume the role:
+
+```console
+eksctl create iamserviceaccount \
+  --cluster=<clusterName> \
+  --name=app-base \
+  --namespace=default \
+  --attach-policy-arn=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
+  --subject-pattern="app-*"
+```
+
+This creates an IAM trust policy condition like:
+
+```json
+"StringLike": {
+  "oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": 
"system:serviceaccount:default:app-*"
+}
+```
+
+???+ warning "Security Considerations"
+    Use wildcard patterns carefully. A broad pattern like `*` would allow any 
service account in the namespace to assume the IAM role. Always use the most 
restrictive pattern possible for your use case.
+
+The Subject Pattern property can be defined in the configuration file.
+
 ### Usage with config files
 
 To manage `iamserviceaccounts` using config file, you will be looking to set 
`iam.withOIDC: true` and list account you want under `iam.serviceAccount`.
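
Review bot: the new section never says how --name relates to --subject-pattern. The example passes --name=app-base together with --subject-pattern="app-*", and a reader cannot tell whether app-base is still created or whether the pattern simply replaces the name in the trust policy; state that explicitly. The JSON sample shows only the StringLike block, while the generated policy also carries a StringEquals condition on ":aud", so show both to match what is produced. The warning should mention "?" alongside "*", since StringLike treats both as wildcards, and the closing sentence should name the config field (subjectPattern) instead of "The Subject Pattern property".
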
@@ -140,6 +184,7 @@
     tags:
       Owner: "John Doe"
       Team: "Some Team"
+    subjectPattern: "app-*"
   - metadata:
       name: cache-access
       namespace: backend-apps
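
Review bot: subjectPattern: "app-*" is added to an existing sample entry with no comment, so anyone copying the sample gets a wildcard trust policy without noticing. Put it in its own example entry, or add a YAML comment on that line saying it switches the trust condition on the subject from StringEquals to StringLike.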

++++++ eksctl.obsinfo ++++++
--- /var/tmp/diff_new_pack.hD0nHa/_old  2026-02-09 15:35:36.421304253 +0100
+++ /var/tmp/diff_new_pack.hD0nHa/_new  2026-02-09 15:35:36.433304756 +0100
@@ -1,5 +1,5 @@
 name: eksctl
-version: 0.221.0
-mtime: 1766079003
-commit: de9424a29cd8108ff4574d54844e4e98175efac8
+version: 0.222.0
+mtime: 1770410466
+commit: c53a3a5b27a8bfb6fee25ee21c4b8ecade1881dd
 

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/eksctl/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.eksctl.new.1670/vendor.tar.gz differ: char 13, line 
1
