feat: add support for UpgradePolicy attribute in cluster creation

Fixes #7932

Author: guessi

examples/45-upgrade-policy-example.yaml

@@ -0,0 +1,20 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: upgrade-policy-cluster
+  region: us-west-2
+  version: "1.34"
+  # UpgradePolicy allows you to specify the support type for your cluster
+  # Valid values are "STANDARD" and "EXTENDED (default)"
+  # - https://docs.aws.amazon.com/eks/latest/APIReference/API_UpgradePolicyRequest.html
+  upgradePolicy:
+    supportType: "EXTENDED"
+
+# Managed node group
+managedNodeGroups:
+  - name: mng-1
+    instanceType: m5.large
+    desiredCapacity: 1
+    minSize: 1
+    maxSize: 2

pkg/apis/eksctl.io/v1alpha5/assets/schema.json

@@ -850,6 +850,11 @@
           "x-intellij-html-description": "used to tag AWS resources created by eksctl",
           "default": "{}"
         },
+        "upgradePolicy": {
+          "$ref": "#/definitions/UpgradePolicy",
+          "description": "specifies the upgrade policy for the cluster",
+          "x-intellij-html-description": "specifies the upgrade policy for the cluster"
+        },
         "version": {
           "type": "string",
           "description": "use `./eksctl utils describe-cluster-versions` to get the list of supported versions",
@@ -861,6 +866,7 @@
         "region",
         "version",
         "forceUpdateVersion",
+        "upgradePolicy",
         "tags",
         "annotations"
       ],
@@ -2719,6 +2725,26 @@
       "description": "defines the configuration for KMS encryption provider",
       "x-intellij-html-description": "defines the configuration for KMS encryption provider"
     },
+    "UpgradePolicy": {
+      "properties": {
+        "supportType": {
+          "type": "string",
+          "description": "specifies the support type for the cluster. Valid variants are: `\"STANDARD\"` standard support for the cluster, `\"EXTENDED\"` extended support for the cluster (default) defines the default support type.",
+          "x-intellij-html-description": "specifies the support type for the cluster. Valid variants are: <code>&quot;STANDARD&quot;</code> standard support for the cluster, <code>&quot;EXTENDED&quot;</code> extended support for the cluster (default) defines the default support type.",
+          "default": "EXTENDED",
+          "enum": [
+            "STANDARD",
+            "EXTENDED"
+          ]
+        }
+      },
+      "preferredOrder": [
+        "supportType"
+      ],
+      "additionalProperties": false,
+      "description": "holds the upgrade policy configuration for the cluster",
+      "x-intellij-html-description": "holds the upgrade policy configuration for the cluster"
+    },
     "VPCGateway": {
       "type": "string",
       "description": "VPCGatewayID the ID of the gateway that facilitates external connectivity from customer's VPC to their remote network(s). Valid options are Transit Gateway and Virtual Private Gateway.",

pkg/apis/eksctl.io/v1alpha5/types.go

@@ -451,6 +451,16 @@ const (
 	NoneCapacityReservation = "none"
 )
 
+// Values for `SupportType`
+const (
+	// SupportTypeStandard standard support for the cluster
+	SupportTypeStandard = "STANDARD"
+	// SupportTypeExtended extended support for the cluster (default)
+	SupportTypeExtended = "EXTENDED"
+	// DefaultSupportType defines the default support type
+	DefaultSupportType = SupportTypeExtended
+)
+
 var (
 	// DefaultIPFamily defines the default IP family to use when creating a new VPC and cluster.
 	DefaultIPFamily = IPV4Family
@@ -663,6 +673,9 @@ type ClusterMeta struct {
 	// When updating cluster version, provide the force flag to override upgrade-blocking insights
 	// +optional
 	ForceUpdateVersion *bool `json:"forceUpdateVersion,omitempty"`
+	// UpgradePolicy specifies the upgrade policy for the cluster
+	// +optional
+	UpgradePolicy *UpgradePolicy `json:"upgradePolicy,omitempty"`
 	// Tags are used to tag AWS resources created by eksctl
 	// +optional
 	Tags map[string]string `json:"tags,omitempty"`
@@ -674,6 +687,14 @@ type ClusterMeta struct {
 	AccountID string `json:"-"`
 }
 
+// UpgradePolicy holds the upgrade policy configuration for the cluster
+type UpgradePolicy struct {
+	// SupportType specifies the support type for the cluster.
+	// Valid variants are `SupportType` constants
+	// +optional
+	SupportType string `json:"supportType,omitempty"`
+}
+
 // KubernetesNetworkConfig contains cluster networking options
 type KubernetesNetworkConfig struct {
 	// Valid variants are `IPFamily` constants

pkg/apis/eksctl.io/v1alpha5/validation.go

@@ -143,8 +143,31 @@ func (c *ClusterConfig) validateRemoteNetworkingConfig() error {
 	return nil
 }
 
+// validateSupportType performs secure validation of the support type string
+func validateSupportType(supportType string) error {
+	// Security: Validate characters to prevent injection attacks
+	for _, r := range supportType {
+		if r < 32 || r == 127 { // Control characters
+			return fmt.Errorf("upgradePolicy.supportType contains invalid control characters")
+		}
+	}
+	// Validate against allowed values
+	if supportType != SupportTypeStandard && supportType != SupportTypeExtended {
+		return fmt.Errorf("upgradePolicy.supportType must be either %q or %q", SupportTypeStandard, SupportTypeExtended)
+	}
+	return nil
+}
+
 // ValidateClusterConfig checks compatible fields of a given ClusterConfig
 func ValidateClusterConfig(cfg *ClusterConfig) error {
+	if cfg.Metadata.UpgradePolicy != nil {
+		if cfg.Metadata.UpgradePolicy.SupportType != "" {
+			if err := validateSupportType(cfg.Metadata.UpgradePolicy.SupportType); err != nil {
+				return err
+			}
+		}
+	}
+
 	if IsDisabled(cfg.IAM.WithOIDC) && len(cfg.IAM.ServiceAccounts) > 0 {
 		return fmt.Errorf("iam.withOIDC must be enabled explicitly for iam.serviceAccounts to be created")
 	}

pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go

@@ -157,6 +157,7 @@ nav:
       - usage/fargate-support.md
       - usage/cluster-upgrade.md
       - usage/addon-upgrade.md
+      - usage/upgrade-policy.md
       - usage/zonal-shift.md
     - Nodegroups:
       - usage/nodegroups.md

userdocs/mkdocs.yml

@@ -0,0 +1,75 @@
+# Cluster Upgrade Policy
+
+This document describes how to configure the upgrade policy for your EKS cluster using eksctl.
+
+## Overview
+
+The `upgradePolicy` field allows you to specify the support type for your EKS cluster. This determines the level of support AWS provides for your cluster version.
+
+## Support Types
+
+- **STANDARD**: The default support type that provides standard AWS support for the cluster
+- **EXTENDED**: Provides extended support for older Kubernetes versions beyond the standard support period
+
+## Configuration
+
+You can specify the upgrade policy in your cluster configuration file:
+
+```yaml
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: my-cluster
+  region: us-west-2
+  version: "1.34"
+  upgradePolicy:
+    supportType: "EXTENDED"  # or "STANDARD"
+
+managedNodeGroups:
+  - name: mng-1
+    instanceType: m5.large
+    desiredCapacity: 1
+```
+
+## Command Line Usage
+
+When creating a cluster with a specific upgrade policy:
+
+```bash
+eksctl create cluster --config-file=cluster-config.yaml
+```
+
+## Examples
+
+### Extended Support (Default)
+```yaml
+metadata:
+  name: extended-cluster
+  region: us-west-2
+  upgradePolicy:
+    supportType: "EXTENDED"
+```
+
+### Standard Support
+```yaml
+metadata:
+  name: standard-cluster
+  region: us-west-2
+  upgradePolicy:
+    supportType: "STANDARD"
+```
+
+### No Upgrade Policy (Uses AWS Default)
+```yaml
+metadata:
+  name: default-cluster
+  region: us-west-2
+  # No upgradePolicy specified - uses AWS default behavior
+```
+
+## Notes
+
+- If no `upgradePolicy` is specified, AWS will use its default behavior
+- The upgrade policy can only be set during cluster creation
+- Extended support may incur additional costs - refer to AWS EKS pricing documentation