[aws-eks] The controllplane securitygroup of the cluster should be accessible outside the eks cluster construct

Use Case

I am using custom networking with eks. For this, i have to allow access from the pod securitygroup to the controllplane securitygroup. Because i have to apply some manifests and patches too, i have to pass the eks cluster to my CustomNetworking cunstruct. Because i cannot access the securitygroup of the controllplane via the cluster construct, i have to create a new securitygroup for the controllplane (the same way the cluster construct would create it) and pass it to my CustomNetworking construct too.

Both steps, passing it separately and creating the securitygroup is unnecessary.

In addition: It is not possible to change se controllplane securitygroup after you created the cluster. So you have to recreate it to use your own securitygroup. Only because i want to add an ingress to the controllplane securitygroup.

Proposed Solution

change the following code

https://github.com/aws/aws-cdk/blob/55e6130503d2e7346eec81d01ef37098708d0196/packages/%40aws-cdk/aws-eks/lib/cluster.ts#L885

const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', {
   vpc: this.vpc,
   description: 'EKS Control Plane Security Group',
});

to

public abstract readonly controllPlaneSecurityGroup?: ec2.ISecurityGroup;
...

this.controllPlaneSecurityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', {
   vpc: this.vpc,
   description: 'EKS Control Plane Security Group',
});

...

resourcesVpcConfig: {
        securityGroupIds: [this.controllPlaneSecurityGroup.securityGroupId],
        subnetIds,
      },

i think there are no more references 

Other

I don’t think this will cause any problems and think i would be able to implement this

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request