eksctl-io · guessi · Oct 8, 2025
diff --git a/examples/45-upgrade-policy-example.yaml b/examples/45-upgrade-policy-example.yaml
@@ -0,0 +1,19 @@
+# A sample ClusterConfig file that creates a cluster with support type set as "EXTENDED (default)".
+
+# UpgradePolicy allows you to specify the support type for your cluster
+# Valid values are "STANDARD" and "EXTENDED (default)"
+# - https://docs.aws.amazon.com/eks/latest/APIReference/API_UpgradePolicyRequest.html
+
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: upgrade-policy-cluster
+  region: us-west-2
+
+upgradePolicy:
+  supportType: "EXTENDED"
+
+managedNodeGroups:
+  - name: mng-1
+    desiredCapacity: 1
diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -550,6 +550,11 @@
         "secretsEncryption": {
           "$ref": "#/definitions/SecretsEncryption"
         },
+        "upgradePolicy": {
+          "$ref": "#/definitions/UpgradePolicy",
+          "description": "specifies the upgrade policy for the cluster",
+          "x-intellij-html-description": "specifies the upgrade policy for the cluster"
+        },
         "vpc": {
           "$ref": "#/definitions/ClusterVPC"
         },
@@ -563,6 +568,7 @@
         "kind",
         "apiVersion",
         "metadata",
+        "upgradePolicy",
         "kubernetesNetworkConfig",
         "autoModeConfig",
         "remoteNetworkConfig",
@@ -2719,6 +2725,26 @@
       "description": "defines the configuration for KMS encryption provider",
       "x-intellij-html-description": "defines the configuration for KMS encryption provider"
     },
+    "UpgradePolicy": {
+      "properties": {
+        "supportType": {
+          "type": "string",
+          "description": "specifies the support type for the cluster. Valid variants are: `\"STANDARD\"` standard support for the cluster, `\"EXTENDED\"` extended support for the cluster (default) defines the default support type.",
+          "x-intellij-html-description": "specifies the support type for the cluster. Valid variants are: <code>&quot;STANDARD&quot;</code> standard support for the cluster, <code>&quot;EXTENDED&quot;</code> extended support for the cluster (default) defines the default support type.",
+          "default": "EXTENDED",
+          "enum": [
+            "STANDARD",
+            "EXTENDED"
+          ]
+        }
+      },
+      "preferredOrder": [
+        "supportType"
+      ],
+      "additionalProperties": false,
+      "description": "holds the upgrade policy configuration for the cluster",
+      "x-intellij-html-description": "holds the upgrade policy configuration for the cluster"
+    },
     "VPCGateway": {
       "type": "string",
       "description": "VPCGatewayID the ID of the gateway that facilitates external connectivity from customer's VPC to their remote network(s). Valid options are Transit Gateway and Virtual Private Gateway.",

diff --git a/pkg/apis/eksctl.io/v1alpha5/types.go b/pkg/apis/eksctl.io/v1alpha5/types.go
@@ -451,6 +451,16 @@ const (
 	NoneCapacityReservation = "none"
 )
 
+// Values for `SupportType`
+const (
+	// SupportTypeStandard standard support for the cluster
+	SupportTypeStandard = "STANDARD"
+	// SupportTypeExtended extended support for the cluster (default)
+	SupportTypeExtended = "EXTENDED"
+	// DefaultSupportType defines the default support type
+	DefaultSupportType = SupportTypeExtended
+)
+
 var (
 	// DefaultIPFamily defines the default IP family to use when creating a new VPC and cluster.
 	DefaultIPFamily = IPV4Family
@@ -674,6 +684,14 @@ type ClusterMeta struct {
 	AccountID string `json:"-"`
 }
 
+// UpgradePolicy holds the upgrade policy configuration for the cluster
+type UpgradePolicy struct {
+	// SupportType specifies the support type for the cluster.
+	// Valid variants are `SupportType` constants
+	// +optional
+	SupportType string `json:"supportType,omitempty"`
+}
+
 // KubernetesNetworkConfig contains cluster networking options
 type KubernetesNetworkConfig struct {
 	// Valid variants are `IPFamily` constants
@@ -935,6 +953,10 @@ type ClusterConfig struct {
 	// +required
 	Metadata *ClusterMeta `json:"metadata"`
 
+	// UpgradePolicy specifies the upgrade policy for the cluster
+	// +optional
+	UpgradePolicy *UpgradePolicy `json:"upgradePolicy,omitempty"`
+
 	// +optional
 	KubernetesNetworkConfig *KubernetesNetworkConfig `json:"kubernetesNetworkConfig,omitempty"`
 

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -143,8 +143,31 @@ func (c *ClusterConfig) validateRemoteNetworkingConfig() error {
 	return nil
 }
 
+// validateSupportType performs secure validation of the support type string
+func validateSupportType(supportType string) error {
+	// Security: Validate characters to prevent injection attacks
+	for _, r := range supportType {
+		if r < 32 || r == 127 { // Control characters
+			return fmt.Errorf("upgradePolicy.supportType contains invalid control characters")
+		}
+	}
+	// Validate against allowed values
+	if supportType != SupportTypeStandard && supportType != SupportTypeExtended {
+		return fmt.Errorf("upgradePolicy.supportType must be either %q or %q", SupportTypeStandard, SupportTypeExtended)
+	}
+	return nil
+}
+
 // ValidateClusterConfig checks compatible fields of a given ClusterConfig
 func ValidateClusterConfig(cfg *ClusterConfig) error {
+	if cfg.UpgradePolicy != nil {
+		if cfg.UpgradePolicy.SupportType != "" {
+			if err := validateSupportType(cfg.UpgradePolicy.SupportType); err != nil {
+				return err
+			}
+		}
+	}
+
 	if IsDisabled(cfg.IAM.WithOIDC) && len(cfg.IAM.ServiceAccounts) > 0 {
 		return fmt.Errorf("iam.withOIDC must be enabled explicitly for iam.serviceAccounts to be created")
 	}

diff --git a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go
diff --git a/userdocs/mkdocs.yml b/userdocs/mkdocs.yml
@@ -157,6 +157,7 @@ nav:
       - usage/fargate-support.md
       - usage/cluster-upgrade.md
       - usage/addon-upgrade.md
+      - usage/upgrade-policy.md
       - usage/zonal-shift.md
     - Nodegroups:
       - usage/nodegroups.md

diff --git a/userdocs/src/usage/upgrade-policy.md b/userdocs/src/usage/upgrade-policy.md
@@ -0,0 +1,42 @@
+# Cluster Upgrade Policy
+
+This document describes how to configure the upgrade policy for your EKS cluster using eksctl.
+
+## Overview
+
+The `upgradePolicy` field allows you to specify the support type for your EKS cluster. This determines the level of support AWS provides for your cluster version.
+
+## Support Types
+
+- **STANDARD**: The default support type that provides standard AWS support for the cluster
+- **EXTENDED**: Provides extended support for older Kubernetes versions beyond the standard support period
+
+## Configuration
+
+You can specify the upgrade policy in your cluster configuration file:
+
+```yaml
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: my-cluster
+  region: us-west-2
+
+upgradePolicy:
+  supportType: "EXTENDED"  # or "STANDARD"
+```
+
+## Command Line Usage
+
+When creating a cluster with a specific upgrade policy:
+
+```bash
+eksctl create cluster --config-file=cluster-config.yaml
+```
+
+## Notes
+
+- If no `upgradePolicy` is specified, AWS will use its default behavior
+- The upgrade policy can only be set during cluster creation
+- Extended support may incur additional costs - refer to AWS EKS pricing documentation