From 0f0ea66ccd43f08a6078b6b46abecc82d9f32e6a Mon Sep 17 00:00:00 2001
From: Kip Shields
Date: Wed, 1 Nov 2023 15:21:42 -0500
Subject: [PATCH] Use managed cni policy if not using cluster scoped ones

---
 packages/aws-cdk-lib/aws-eks/lib/cluster.ts | 1 +
 packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-eks/lib/cluster.ts b/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
index 216909bd4585b..b717d3cd391a6 100644
--- a/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
+++ b/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
@@ -1147,6 +1147,7 @@ abstract class ClusterBase extends Resource implements ICluster {
 }
 autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKSWorkerNodePolicy'));
+ autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'));
 autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'));
 // EKS Required Tags
diff --git a/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts b/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts
index 954853f276d78..ce6c2f5c90a47 100644
--- a/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts
+++ b/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts
@@ -446,7 +446,6 @@ export class Nodegroup extends Resource implements INodegroup {
 });
 ngRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonEKSWorkerNodePolicy'));
- ngRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'));
 ngRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'));
 this.role = ngRole;
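Review bot: The added `addManagedPolicy(... 'AmazonEKS_CNI_Policy')` on `autoScalingGroup.role` is unconditional, whereas the managed-nodegroup change in this same commit attaches that policy only when the cluster-scoped `cniPolicies` are not applied. If the self-managed capacity path also has a way to apply `props.cluster.cniPolicies`-style scoped statements (not visible in this hunk), self-managed nodes would now carry both the scoped statements and the broad AWS-managed CNI policy, which defeats the purpose of scoping them. Consider gating the new line on the same condition the nodegroup uses, or, if the intent is that self-managed nodes always receive the managed policy, say so at the call site: `// Self-managed nodes always receive the AWS-managed CNI policy; cluster-scoped cniPolicies are not applied here`. The enclosing method starts and ends outside the hunk, so the surrounding role handling could not be checked.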
@@ -454,11 +453,13 @@ export class Nodegroup extends Resource implements INodegroup {
 this.role = props.nodeRole;
 }
- // Apply the CNI policies to the node group role
+ // Apply the cluster-scoped CNI policies to the node group role
 if (props.cluster.cniPolicies && this.applyLimitedCNIPoliciesToRole) {
 for (let policy of props.cluster.cniPolicies) {
 this.role.addToPrincipalPolicy(policy);
 }
+ } else {
+ this.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'));
 }
 this.validateUpdateConfig(props.maxUnavailable, props.maxUnavailablePercentage);
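Review bot: The new `else` branch attaches `AmazonEKS_CNI_Policy` to `this.role` even when that role was supplied by the caller through `props.nodeRole` (the context line at the top of the hunk), whereas before this commit the managed policy was only ever attached to the construct-created `ngRole` (see the removed line in the previous hunk). That silently widens a user-supplied role's permissions as a side effect, and for an imported role created immutable (`Role.fromRoleArn` with `mutable: false`) `addManagedPolicy` is a no-op, so such a nodegroup would end up with no CNI permissions and fail at runtime without any synth-time signal. Consider limiting the fallback to the role this construct owns, `} else if (!props.nodeRole) {`, and stating in the comment that callers providing their own role are responsible for CNI permissions. Either way the new comment `// Apply the cluster-scoped CNI policies to the node group role` no longer describes the `else` branch; `// Apply the cluster-scoped CNI policies, or fall back to the AWS-managed CNI policy` would.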