Stratio · iamjanr · Apr 28, 2026 · May 4, 2026 · May 4, 2026 · May 4, 2026
@@ -35,4 +35,4 @@ deploy-recorder.lst
 
 # Test outputs
 /bin/all-junit.xml
-/bin/gotestsum
+/bin/gotestsum.claude/
@@ -240,6 +240,10 @@ spec:
     iamRoleCreation: false
     defaultControlPlaneRole:
         disable: false
+    managedMachinePool:
+        disable: false
+        extraPolicyAttachments:
+        - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
   controlPlane:
     enableCSIPolicy: true
   nodes:

@@ -168,9 +168,21 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 	}
 
 	awsEKSEnabled := a.keosCluster.Spec.InfraProvider == "aws" && a.keosCluster.Spec.ControlPlane.Managed
-	isMachinePool := a.keosCluster.Spec.InfraProvider != "aws" && a.keosCluster.Spec.ControlPlane.Managed
 	gcpGKEEnabled := a.keosCluster.Spec.InfraProvider == "gcp" && a.keosCluster.Spec.ControlPlane.Managed
 
+	hasMachinePool := a.keosCluster.Spec.InfraProvider != "aws" && a.keosCluster.Spec.ControlPlane.Managed
+	hasMachineDeployment := false
+	if awsEKSEnabled {
+		for _, wn := range a.keosCluster.Spec.WorkerNodes {
+			if wn.NodeImage != "" {
+				hasMachineDeployment = true
+			} else {
+				hasMachinePool = true
+			}
+		}
+	}
+	isMachinePool := hasMachinePool && !hasMachineDeployment
+
 	var privateParams PrivateParams
 	if a.clusterConfig != nil {
 		privateParams = PrivateParams{
@@ -691,7 +703,7 @@ spec:
 			}
 		}
 
-		if isMachinePool {
+		if hasMachinePool {
 			// Wait for all the machine pools to be ready
 			c = "kubectl -n " + capiClustersNamespace + " wait --for=condition=Ready --timeout=15m --all mp"
 			_, err = commons.ExecuteCommand(n, c, 5, 3)
@@ -704,7 +716,8 @@ spec:
 			if err != nil {
 				return errors.Wrap(err, "failed to wait for container metrics to be available")
 			}
-		} else {
+		}
+		if hasMachineDeployment {
 			// Wait for all the machine deployments to be ready
 			c = "kubectl -n " + capiClustersNamespace + " wait --for=condition=Ready --timeout=15m --all md"
 
@@ -1020,7 +1033,7 @@ spec:
 		ctx.Status.End(true) // End Installing StorageClass in workload cluster
 
 		if !a.clusterConfig.Spec.GitOpsEnabled {
-			if a.keosCluster.Spec.DeployAutoscaler && !isMachinePool {
+			if a.keosCluster.Spec.DeployAutoscaler && (!isMachinePool || awsEKSEnabled) {
 				ctx.Status.Start("Installing cluster-autoscaler in workload cluster 💻")
 				defer ctx.Status.End(false)
 

@@ -1,3 +1,5 @@
+replicaCount: 1
+
 image:
   repository: {{ if $.Private }}{{ $.KeosRegUrl }}{{ else }}public.ecr.aws{{ end }}/eks/aws-load-balancer-controller
   #tag: v2.14.1

@@ -9,7 +9,12 @@ rules:
   - apiGroups:
     - infrastructure.cluster.x-k8s.io
     resources:
+    {{- if and (eq $.Spec.InfraProvider "aws") $.Spec.ControlPlane.Managed }}
+    - awsmanagedmachinepools
+    - awsmachinetemplates
+    {{- else }}
     - {{ $.Spec.InfraProvider }}machinetemplates
+    {{- end }}
     verbs:
     - get
     - list

@@ -3,6 +3,8 @@ FROM kindest/node:v1.34.0
 # Init feature gates
 ENV CLUSTER_TOPOLOGY=true
 ENV CLUSTERCTL_DISABLE_VERSIONCHECK=true
+ENV EXP_MACHINE_POOL=true
+ENV CAPA_EKS_ADD_ROLES=true
 
 # Core tool/version args
 ARG CLUSTERCTL=v1.10.8

@@ -177,6 +177,12 @@ func validateAWS(spec commons.KeosSpec, providerSecrets map[string]string) error
 				return errors.New("spec.worker_nodes." + wn.Name + ": \"node_image\": must have the format " + AWSNodeImageFormat)
 			}
 		}
+		if wn.AmiType != "" && wn.NodeImage != "" {
+			return errors.New("spec.worker_nodes." + wn.Name + ": ami_type and node_image are mutually exclusive")
+		}
+		if wn.AmiType != "" && !spec.ControlPlane.Managed {
+			return errors.New("spec.worker_nodes." + wn.Name + ": ami_type is only valid for EKS managed clusters")
+		}
 		if wn.AZ != "" {
 			if len(azs) > 0 {
 				if !commons.Contains(azs, wn.AZ) {

@@ -267,6 +267,7 @@ type Subnets struct {
 type AWSCP struct {
 	AssociateOIDCProvider bool   `yaml:"associate_oidc_provider,omitempty" validate:"boolean"`
 	EncryptionKey         string `yaml:"encryption_key,omitempty"`
+	MPRoleName            string `yaml:"mp_role_name,omitempty"`
 	Logging               struct {
 		ApiServer         bool `yaml:"api_server" validate:"boolean"`
 		Audit             bool `yaml:"audit" validate:"boolean"`
@@ -295,6 +296,7 @@ type Security struct {
 type WorkerNodes []struct {
 	Name             string            `yaml:"name" validate:"required"`
 	NodeImage        string            `yaml:"node_image,omitempty"`
+	AmiType          string            `yaml:"ami_type,omitempty" validate:"omitempty,oneof=BOTTLEROCKET_x86_64"`
 	Quantity         *int              `yaml:"quantity" validate:"required,numeric,gte=0"`
 	Size             string            `yaml:"size" validate:"required"`
 	ZoneDistribution string            `yaml:"zone_distribution,omitempty" validate:"omitempty,oneof='balanced' 'unbalanced'"`

@@ -114,12 +114,45 @@
               "iam:TagOpenIDConnectProvider",
               "iam:ListAttachedRolePolicies",
               "iam:CreateRole",
-              "iam:TagRole"
+              "iam:TagRole",
+              "iam:UntagRole"
           ],
           "Resource": [
               "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*",
               "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/*"
           ]
+      },
+      {
+          "Sid": "CAPALaunchTemplates",
+          "Effect": "Allow",
+          "Action": [
+              "ec2:CreateLaunchTemplate",
+              "ec2:CreateLaunchTemplateVersion",
+              "ec2:DescribeLaunchTemplates",
+              "ec2:DescribeLaunchTemplateVersions",
+              "ec2:DeleteLaunchTemplate",
+              "ec2:DeleteLaunchTemplateVersions",
+              "ec2:DescribeKeyPairs",
+              "eks:TagResource",
+              "eks:UntagResource",
+              "eks:UpdateNodegroupConfig",
+              "iam:TagRole",
+              "iam:UntagRole"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Sid": "CAPAAutoScalingGroups",
+          "Effect": "Allow",
+          "Action": [
+              "autoscaling:CreateAutoScalingGroup",
+              "autoscaling:UpdateAutoScalingGroup",
+              "autoscaling:CreateOrUpdateTags",
+              "autoscaling:StartInstanceRefresh",
+              "autoscaling:DeleteAutoScalingGroup",
+              "autoscaling:DeleteTags"
+          ],
+          "Resource": "arn:aws:autoscaling:*:${AWS_ACCOUNT_ID}:autoScalingGroup:*:autoScalingGroupName/*"
       }
   ]
 }
@@ -114,12 +114,45 @@
               "iam:TagOpenIDConnectProvider",
               "iam:ListAttachedRolePolicies",
               "iam:CreateRole",
-              "iam:TagRole"
+              "iam:TagRole",
+              "iam:UntagRole"
           ],
           "Resource": [
               "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*",
               "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/*"
           ]
+      },
+      {
+          "Sid": "CAPALaunchTemplates",
+          "Effect": "Allow",
+          "Action": [
+              "ec2:CreateLaunchTemplate",
+              "ec2:CreateLaunchTemplateVersion",
+              "ec2:DescribeLaunchTemplates",
+              "ec2:DescribeLaunchTemplateVersions",
+              "ec2:DeleteLaunchTemplate",
+              "ec2:DeleteLaunchTemplateVersions",
+              "ec2:DescribeKeyPairs",
+              "eks:TagResource",
+              "eks:UntagResource",
+              "eks:UpdateNodegroupConfig",
+              "iam:TagRole",
+              "iam:UntagRole"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Sid": "CAPAAutoScalingGroups",
+          "Effect": "Allow",
+          "Action": [
+              "autoscaling:CreateAutoScalingGroup",
+              "autoscaling:UpdateAutoScalingGroup",
+              "autoscaling:CreateOrUpdateTags",
+              "autoscaling:StartInstanceRefresh",
+              "autoscaling:DeleteAutoScalingGroup",
+              "autoscaling:DeleteTags"
+          ],
+          "Resource": "arn:aws:autoscaling:*:${AWS_ACCOUNT_ID}:autoScalingGroup:*:autoScalingGroupName/*"
       }
   ]
 }
@@ -1107,6 +1107,7 @@ $ cat << EOF > policy.json
 				"ec2:DescribeSecurityGroups",
 				"ec2:DescribeSubnets",
 				"elasticloadbalancing:DescribeListeners",
+				"elasticloadbalancing:DescribeListenerAttributes",
 				"elasticloadbalancing:DescribeLoadBalancers",
 				"elasticloadbalancing:DescribeLoadBalancerAttributes",
 				"elasticloadbalancing:DescribeRules",

@@ -114,12 +114,45 @@
               "iam:TagOpenIDConnectProvider",
               "iam:ListAttachedRolePolicies",
               "iam:CreateRole",
-              "iam:TagRole"
+              "iam:TagRole",
+              "iam:UntagRole"
           ],
           "Resource": [
               "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*",
               "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/*"
           ]
+      },
+      {
+          "Sid": "CAPALaunchTemplates",
+          "Effect": "Allow",
+          "Action": [
+              "ec2:CreateLaunchTemplate",
+              "ec2:CreateLaunchTemplateVersion",
+              "ec2:DescribeLaunchTemplates",
+              "ec2:DescribeLaunchTemplateVersions",
+              "ec2:DeleteLaunchTemplate",
+              "ec2:DeleteLaunchTemplateVersions",
+              "ec2:DescribeKeyPairs",
+              "eks:TagResource",
+              "eks:UntagResource",
+              "eks:UpdateNodegroupConfig",
+              "iam:TagRole",
+              "iam:UntagRole"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Sid": "CAPAAutoScalingGroups",
+          "Effect": "Allow",
+          "Action": [
+              "autoscaling:CreateAutoScalingGroup",
+              "autoscaling:UpdateAutoScalingGroup",
+              "autoscaling:CreateOrUpdateTags",
+              "autoscaling:StartInstanceRefresh",
+              "autoscaling:DeleteAutoScalingGroup",
+              "autoscaling:DeleteTags"
+          ],
+          "Resource": "arn:aws:autoscaling:*:${AWS_ACCOUNT_ID}:autoScalingGroup:*:autoScalingGroupName/*"
       }
   ]
 }
@@ -114,12 +114,45 @@
               "iam:TagOpenIDConnectProvider",
               "iam:ListAttachedRolePolicies",
               "iam:CreateRole",
-              "iam:TagRole"
+              "iam:TagRole",
+              "iam:UntagRole"
           ],
           "Resource": [
               "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*",
               "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/*"
           ]
+      },
+      {
+          "Sid": "CAPALaunchTemplates",
+          "Effect": "Allow",
+          "Action": [
+              "ec2:CreateLaunchTemplate",
+              "ec2:CreateLaunchTemplateVersion",
+              "ec2:DescribeLaunchTemplates",
+              "ec2:DescribeLaunchTemplateVersions",
+              "ec2:DeleteLaunchTemplate",
+              "ec2:DeleteLaunchTemplateVersions",
+              "ec2:DescribeKeyPairs",
+              "eks:TagResource",
+              "eks:UntagResource",
+              "eks:UpdateNodegroupConfig",
+              "iam:TagRole",
+              "iam:UntagRole"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Sid": "CAPAAutoScalingGroups",
+          "Effect": "Allow",
+          "Action": [
+              "autoscaling:CreateAutoScalingGroup",
+              "autoscaling:UpdateAutoScalingGroup",
+              "autoscaling:CreateOrUpdateTags",
+              "autoscaling:StartInstanceRefresh",
+              "autoscaling:DeleteAutoScalingGroup",
+              "autoscaling:DeleteTags"
+          ],
+          "Resource": "arn:aws:autoscaling:*:${AWS_ACCOUNT_ID}:autoScalingGroup:*:autoScalingGroupName/*"
       }
   ]
 }
@@ -1107,6 +1107,7 @@ $ cat << EOF > policy.json
 				"ec2:DescribeSecurityGroups",
 				"ec2:DescribeSubnets",
 				"elasticloadbalancing:DescribeListeners",
+				"elasticloadbalancing:DescribeListenerAttributes",
 				"elasticloadbalancing:DescribeLoadBalancers",
 				"elasticloadbalancing:DescribeLoadBalancerAttributes",
 				"elasticloadbalancing:DescribeRules",