eks: TaintEffect Enum has unsupported values

[v4de]

Describe the bug

When trying to use the TaintEffect Enum for a kubernetes manifest describing a Karpenter NodePool, the string value is all uppercase and does not seem to match what a taint is as a string in k8s docs so the validation fails. This however does work for k8s nodegroups.

From the python docs it looks like the python lib uses the proper values for the TaintEffect Enum. I am not sure why that is, if TS is the source.

As a workaround I would need to specify it as a string and not use the TaintSpec interface or TaintEffect enum when using the TypeScript lib.

When using CDK to create a Karpenter nodepool manifest in the eks cluster I am seeing this error:
Error: b'The NodePool "default-nodepool" is invalid: \n* spec.template.spec.taints[0].effect: Unsupported value: "NO_EXECUTE": supported values: "NoSchedule", "PreferNoSchedule", "NoExecute"\n*

(P.S. Prompted a song for fun: https://suno.com/s/8JD1CY0RmFeOjSBJ)

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

N/A

Expected Behavior

I expect to not have an error when using the TaintEffect enum to configure a karpenter nodepool manifest with the NoExecute taint.

Current Behavior

| Custom::AWSCDK-EKS-KubernetesResource | rKarpenter/rNodeClass-default-nodeclass/rNodePool-default-nodepool/rNodePool-default-nodepool/Resource/Default (rKarpenterrNodeClassdefaultnodeclassrNodePooldefaultnodepoolDC25F7A7) Received response status [FAILED] from custom resource. Message returned: Error: b'The NodePool "default-nodepool" is invalid: \n* spec.template.spec.taints[0].effect: Unsupported value: "NO_EXECUTE": supported values: "NoSchedule", "PreferNoSchedule", "NoExecute"\n* <nil>: Invalid value: "null": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation\n'

Reproduction Steps

I believe this is a short enough example that can explain what I am trying to accomplish and be copied and reused. However if you need a larger, more complete, example I can try to work on a sample test stack and upload it to a public repo.

import { Nodegroup, KubernetesManifest, TaintEffect, TaintSpec } from 'aws-cdk-lib/aws-eks';

const ciliumTaint: TaintSpec = {
  key: 'node.cilium.io/agent-not-ready',
  value: 'true',
  effect: TaintEffect.NO_EXECUTE
}

// NodeGroups
const nodeGroup = new Nodegroup(this, id, {
    cluster: cluster,
    subnets: subnets,
    taints: [ciliumTaint]
  };
}

// NodePool
const chart = new KubernetesManifest(this, id, {
  cluster: cluster,
  manifest: [{
    apiVersion: `karpenter.sh/${apiVersion}`,
    kind: 'NodePool',
    metadata: {
      name: name
    },
    spec: {
      template: {
        spec: {
          taints: [ciliumTaint]
        }
      }
    }
  }]
});

Possible Solution

Update the enum to match k8s taint values.

export enum TaintEffect {
  /**
   * NoSchedule
   */
  NO_SCHEDULE = 'NoSchedule',
  /**
   * PreferNoSchedule
   */
  PREFER_NO_SCHEDULE = 'PreferNoSchedule',
  /**
   * NoExecute
   */
  NO_EXECUTE = 'NoExecute',
}

Additional Information/Context

EKS Version: 1.32
Cilium Version: 1.17.2
Karpenter-crd Version: 1.5.1
Karpenter Version: 1.5.1

Addons:

• addonName: coredns
  addonVersion: v1.11.4-eksbuild.2
  preserveOnDelete: false
• addonName: aws-ebs-csi-driver
  addonVersion: v1.41.0-eksbuild.1
  preserveOnDelete: false
• addonName: aws-mountpoint-s3-csi-driver
  addonVersion: v1.13.0-eksbuild.1
  preserveOnDelete: false

AWS CDK Library version (aws-cdk-lib)

aws-cdk-lib@2.195.0

AWS CDK CLI version

2.1016.0 (build 66e0b2d)

Node.js Version

v22.13.1

OS

Windows 10 22H2 (19045.3930)

Language

TypeScript

Language Version

5.8.3

Other information

No response

[pahud]

Hi @v4de,

Thank you for reporting this issue! You've identified a legitimate bug in the TaintEffect enum where the string values don't match Kubernetes' expected taint effect values.

The problem is that our enum currently uses uppercase values (NO_EXECUTE, NO_SCHEDULE, PREFER_NO_SCHEDULE) while Kubernetes expects PascalCase values (NoExecute, NoSchedule, PreferNoSchedule). This causes validation failures when using the enum with Karpenter NodePool manifests.

Your proposed solution is exactly right - we need to update the enum values to match the Kubernetes specification:

export enum TaintEffect {
 NO_SCHEDULE = 'NoSchedule',
 PREFER_NO_SCHEDULE = 'PreferNoSchedule',
 NO_EXECUTE = 'NoExecute',
}

This would be a breaking change in terms of the generated values, but it's necessary to ensure compatibility with Kubernetes validation. The enum member names would remain the same, so user code wouldn't need to change.

Would you be interested in contributing a pull request to fix this? The change would need to be made in packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts and we'd also need to update any related tests. We'd be happy to guide you through the contribution process!

As a workaround until this is fixed, you can indeed specify the taint effects as strings directly instead of using the enum when working with Karpenter NodePools.

[pahud]

By the way, I love this song. It makes my day!

[v4de]

Hi @pahud,

Thanks for the quick reply. I am interested in learning how to contribute and test. It's the end of day for me, so I can work on it on Monday if possible.

Glad you liked the song :)

[pahud]

Hi @v4de,

I need to provide an important update to my previous response. After investigating this issue more thoroughly and running integration tests, I discovered that the TaintEffect enum is actually working correctly as designed.

The Real Issue: Format Differences Between AWS and Kubernetes

The confusion arises from a fundamental difference in taint effect formats between AWS EKS and Kubernetes:

• AWS EKS API (used by CDK): expects NO_SCHEDULE, PREFER_NO_SCHEDULE, NO_EXECUTE
• Kubernetes manifests: expects NoSchedule, PreferNoSchedule, NoExecute

This is explicitly documented in the AWS EKS User Guide:

│ When using Kubernetes directly or the AWS Management Console, the taint effect must be NoSchedule, PreferNoSchedule, or NoExecute. However, when using the AWS CLI or API, the taint effect must be NO_SCHEDULE, PREFER_NO_SCHEDULE, or NO_EXECUTE.

Why the TaintEffect Enum Cannot Be Changed

The TaintEffect enum is specifically designed for EKS NodeGroups (which use the AWS API), not for direct Kubernetes manifests. Changing the enum values would break all existing EKS NodeGroup deployments.

When I attempted to change the enum values to PascalCase format, the integration tests failed with:
Invalid taint effect: null, must be one of these [NO_SCHEDULE, NO_EXECUTE, PREFER_NO_SCHEDULE] (Service: Eks, Status Code: 400)

This confirms that AWS EKS API requires the uppercase format.

The Correct Solution

Your code example shows the issue - you're trying to use the same TaintSpec object for both EKS NodeGroups and Kubernetes manifests, but they require different formats:

// ❌ This won't work - mixing AWS and Kubernetes formats
const ciliumTaint: TaintSpec = {
  key: 'node.cilium.io/agent-not-ready',
  value: 'true',
  effect: TaintEffect.NO_EXECUTE  // Produces 'NO_EXECUTE' for AWS
}

// NodeGroups - ✅ This works (AWS format)
const nodeGroup = new Nodegroup(this, 'nodegroup', {
  cluster: cluster,
  subnets: subnets,
  taints: [ciliumTaint]  // Uses 'NO_EXECUTE'
});

// NodePool - ❌ This fails (needs Kubernetes format)
const chart = new KubernetesManifest(this, 'nodepool', {
  cluster: cluster,
  manifest: [{
    spec: {
      template: {
        spec: {
          taints: [ciliumTaint]  // Still uses 'NO_EXECUTE' but needs 'NoExecute'
        }
      }
    }
  }]
});

The fix is to use different taint specifications for each context:

// ✅ For EKS NodeGroups - use the enum
const eksNodeGroupTaint: TaintSpec = {
  key: 'node.cilium.io/agent-not-ready',
  value: 'true',
  effect: TaintEffect.NO_EXECUTE  // Produces 'NO_EXECUTE' for AWS API
};

// ✅ For Kubernetes manifests - use string literals
const kubernetesManifestTaint = {
  key: 'node.cilium.io/agent-not-ready',
  value: 'true',
  effect: 'NoExecute'  // Direct string for Kubernetes
};

const nodeGroup = new Nodegroup(this, 'nodegroup', {
  cluster: cluster,
  subnets: subnets,
  taints: [eksNodeGroupTaint]  // Uses AWS format
});

const chart = new KubernetesManifest(this, 'nodepool', {
  cluster: cluster,
  manifest: [{
    apiVersion: `karpenter.sh/${apiVersion}`,
    kind: 'NodePool',
    metadata: { name: name },
    spec: {
      template: {
        spec: {
          taints: [kubernetesManifestTaint]  // Uses Kubernetes format
        }
      }
    }
  }]
});

Updated Documentation

I've added comprehensive documentation to the TaintEffect enum to clarify this distinction and prevent future confusion.

Conclusion

This issue should be closed as "Working as Intended". The TaintEffect enum is correctly designed for its intended purpose (EKS NodeGroups), and the format difference is due to AWS EKS API requirements, not a bug in the CDK.

The solution is to use:
• TaintEffect enum for EKS NodeGroups
• String literals with PascalCase for Kubernetes manifests

Sorry for the initial confusion in my response - this investigation revealed the important distinction between AWS and Kubernetes taint effect formats!

[v4de]

Hi @pahud,

Thank you for testing this, that explains why the nodegroups worked but the manifest did not. Sorry for the novice mistake, I will close this as working as intended and use my own implementation for manifest taints.

I wonder if using cdk8s for creating the manifest is possible as well, I will investigate this.

[pahud]

No worries. I've created #34781 and this issue will be auto closed on PR merge. :-)