Amazon EKS add-ons - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon EKS add-ons

An add-on is software that provides supporting operational capabilities to Kubernetes applications, but is not specific to the application. This includes software like observability agents or Kubernetes drivers that allow the cluster to interact with underlying Amazon resources for networking, compute, and storage. Add-on software is typically built and maintained by the Kubernetes community, cloud providers like Amazon, or third-party vendors. Amazon EKS automatically installs self-managed add-ons such as the Amazon VPC CNI plugin for Kubernetes, kube-proxy, and CoreDNS for every cluster. You can change the default configuration of the add-ons and update them when desired.

Amazon EKS add-ons provide installation and management of a curated set of add-ons for Amazon EKS clusters. All Amazon EKS add-ons include the latest security patches, bug fixes, and are validated by Amazon to work with Amazon EKS. Amazon EKS add-ons allow you to consistently ensure that your Amazon EKS clusters are secure and stable and reduce the amount of work that you need to do in order to install, configure, and update add-ons. If a self-managed add-on, such as kube-proxy is already running on your cluster and is available as an Amazon EKS add-on, then you can install the kube-proxy Amazon EKS add-on to start benefiting from the capabilities of Amazon EKS add-ons.

You can update specific Amazon EKS managed configuration fields for Amazon EKS add-ons through the Amazon EKS API. You can also modify configuration fields not managed by Amazon EKS directly within the Kubernetes cluster once the add-on starts. This includes defining specific configuration fields for an add-on where applicable. These changes are not overridden by Amazon EKS once they are made. This is made possible using the Kubernetes server-side apply feature. For more information, see Kubernetes field management.

You can use Amazon EKS add-ons with any Amazon EKS node type.

Considerations
  • To configure add-ons for the cluster your IAM principal must have IAM permissions to work with add-ons. For more information, see the actions with Addon in their name in Actions defined by Amazon Elastic Kubernetes Service.

  • Amazon EKS add-ons run on the nodes that you provision or configure for your cluster. Node types include Amazon EC2 instances and Fargate.

  • You can modify fields that aren't managed by Amazon EKS to customize the installation of an Amazon EKS add-on. For more information, see Kubernetes field management.

  • If you create a cluster with the Amazon Web Services Management Console, the Amazon EKS kube-proxy, Amazon VPC CNI plugin for Kubernetes, and CoreDNS Amazon EKS add-ons are automatically added to your cluster. If you use eksctl to create your cluster with a config file, eksctl can also create the cluster with Amazon EKS add-ons. If you create your cluster using eksctl without a config file or with any other tool, the self-managed kube-proxy, Amazon VPC CNI plugin for Kubernetes, and CoreDNS add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation.

  • The eks:addon-cluster-admin ClusterRoleBinding binds the cluster-admin ClusterRole to the eks:addon-manager Kubernetes identity. The role has the necessary permissions for the eks:addon-manager identity to create Kubernetes namespaces and install add-ons into namespaces. If the eks:addon-cluster-admin ClusterRoleBinding is removed, the Amazon EKS cluster will continue to function, however Amazon EKS is no longer able to manage any add-ons. All clusters starting with the following platform versions use the new ClusterRoleBinding.

    Kubernetes version EKS platform version
    1.20 eks.12
    1.21 eks.14
    1.22 eks.9
    1.23 eks.5
    1.24 eks.3

You can add, update, or delete Amazon EKS add-ons using the Amazon EKS API, Amazon Web Services Management Console, Amazon CLI, and eksctl. For more information, see Managing Amazon EKS add-ons. You can also create Amazon EKS add-ons using Amazon CloudFormation.

Available Amazon EKS add-ons from Amazon EKS

The following Amazon EKS add-ons are available to create on your cluster. You can always view the most current list of available add-ons using eksctl, the Amazon Web Services Management Console, or the Amazon CLI. To see all available add-ons or to install an add-on, see Creating an add-on. If an add-on requires IAM permissions, then you must have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see Creating an IAM OIDC provider for your cluster. You can update or delete an add-on once you've installed it.

Choose an add-on to learn more about it and its installation requirements.

  • Namevpc-cni

  • Description – A Kubernetes container network interface (CNI) plugin that provides native VPC networking for your cluster. The self-managed or managed type of this add-on is installed on each Amazon EC2 node, by default.

  • Required IAM permissions – This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. If your cluster uses the IPv4 family, the permissions in the AmazonEKS_CNI_Policy are required. If your cluster uses the IPv6 family, you must create an IAM policy with the permissions in IPv6 mode. You can create an IAM role, attach one of the policies to it, and annotate the Kubernetes service account used by the add-on with the following command.

    Replace my-cluster with the name of your cluster and AmazonEKSVPCCNIRole with the name for your role. If your cluster uses the IPv6 family, then replace AmazonEKS_CNI_Policy with the name of the policy that you created. This command requires that you have eksctl installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the Kubernetes service account, see Configuring a Kubernetes service account to assume an IAM role.

    eksctl create iamserviceaccount --name aws-node --namespace kube-system --cluster my-cluster --role-name AmazonEKSVPCCNIRole \ --role-only --attach-policy-arn arn:aws-cn:iam::aws:policy/AmazonEKS_CNI_Policy --approve
  • Additional information – To learn more about the add-on's configurable settings, see aws-vpc-cni-k8s on GitHub. To learn more about the plugin, see Proposal: CNI plugin for Kubernetes networking over Amazon VPC. For more information about creating the add-on, see Creating the Amazon EKS add-on.

  • Update information – You can only update one minor version at a time. For example, if your current version is 1.27.x-eksbuild.y and you want to update to 1.29.x-eksbuild.y, then you must update your current version to 1.28.x-eksbuild.y and then update it again to 1.29.x-eksbuild.y. For more information about updating the add-on, see Updating the Amazon EKS add-on.

  • Namecoredns

  • Description – A flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. The self-managed or managed type of this add-on was installed, by default, when you created your cluster. When you launch an Amazon EKS cluster with at least one node, two replicas of the CoreDNS image are deployed by default, regardless of the number of nodes deployed in your cluster. The CoreDNS Pods provide name resolution for all Pods in the cluster. You can deploy the CoreDNS Pods to Fargate nodes if your cluster includes an Amazon Fargate profile with a namespace that matches the namespace for the CoreDNS deployment.

  • Required IAM permissions – This add-on doesn't require any permissions.

  • Additional information – To learn more about CoreDNS, see Using CoreDNS for Service Discovery and Customizing DNS Service in the Kubernetes documentation.

  • Namekube-proxy

  • Description – Maintains network rules on each Amazon EC2 node. It enables network communication to your Pods. The self-managed or managed type of this add-on is installed on each Amazon EC2 node in your cluster, by default.

  • Required IAM permissions – This add-on doesn't require any permissions.

  • Additional information – To learn more about kube-proxy, see kube-proxy in the Kubernetes documentation.

  • Update information – Before updating your current version, consider the following requirements:

    • Kube-proxy on an Amazon EKS cluster has the same compatibility and skew policy as Kubernetes.

    • Kube-proxy must be the same minor version as kubelet on your Amazon EC2 nodes.

    • Kube-proxy can't be later than the minor version of your cluster's control plane.

    • The kube-proxy version on your Amazon EC2 nodes can't be more than two minor versions earlier than your control plane. For example, if your control plane is running Kubernetes 1.29, then the kube-proxy minor version can't be earlier than 1.27.

    • If you recently updated your cluster to a new Kubernetes minor version, then update your Amazon EC2 nodes to the same minor version before updating kube-proxy to the same minor version as your nodes.

  • Nameaws-ebs-csi-driver

  • Description – A Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EBS storage for your cluster.

  • Required IAM permissions – This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. The permissions in the AmazonEBSCSIDriverPolicy Amazon managed policy are required. You can create an IAM role and attach the managed policy to it with the following command. Replace my-cluster with the name of your cluster and AmazonEKS_EBS_CSI_DriverRole with the name for your role. This command requires that you have eksctl installed on your device. If you need to use a different tool or you need to use a custom KMS key for encryption, see Creating the Amazon EBS CSI driver IAM role.

    eksctl create iamserviceaccount \ --name ebs-csi-controller-sa \ --namespace kube-system \ --cluster my-cluster \ --role-name AmazonEKS_EBS_CSI_DriverRole \ --role-only \ --attach-policy-arn arn:aws-cn:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \ --approve
  • Additional information – To learn more about the add-on, see Amazon EBS CSI driver.

Important

The Amazon EFS driver is only available as a self-managed installation in this Amazon Web Services Region. For instructions on how to add it as a self-managed installation, see Installation on GitHub.

  • Nameaws-efs-csi-driver

  • Description – A Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EFS storage for your cluster.

  • Required IAM permissions – This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. The permissions in the AmazonEFSCSIDriverPolicy Amazon managed policy are required. You can create an IAM role and attach the managed policy to it with the following commands. Replace my-cluster with the name of your cluster and AmazonEKS_EFS_CSI_DriverRole with the name for your role. These commands require that you have eksctl installed on your device. If you need to use a different tool, see Creating an IAM role.

    export cluster_name=my-cluster export role_name=AmazonEKS_EFS_CSI_DriverRole eksctl create iamserviceaccount \ --name efs-csi-controller-sa \ --namespace kube-system \ --cluster $cluster_name \ --role-name $role_name \ --role-only \ --attach-policy-arn arn:aws-cn:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \ --approve TRUST_POLICY=$(aws iam get-role --role-name $role_name --query 'Role.AssumeRolePolicyDocument' | \ sed -e 's/efs-csi-controller-sa/efs-csi-*/' -e 's/StringEquals/StringLike/') aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRUST_POLICY"
  • Additional information – To learn more about the add-on, see Amazon EFS CSI driver.

  • Namesnapshot-controller

  • Description – The Container Storage Interface (CSI) snapshot controller enables the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver.

  • Required IAM permissions – This add-on doesn't require any permissions.

  • Additional information – To learn more about the add-on, see CSI snapshot controller.

  • Nameeks-pod-identity-agent

  • Description – Amazon EKS Pod Identity provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.

  • Required IAM permissions – This add-on users permissions from the Amazon EKS node IAM role.

  • Update information – You can only update one minor version at a time. For example, if your current version is 1.27.x-eksbuild.y and you want to update to 1.29.x-eksbuild.y, then you must update your current version to 1.28.x-eksbuild.y and then update it again to 1.29.x-eksbuild.y. For more information about updating the add-on, see Updating the Amazon EKS add-on.

  • Nameaws-mountpoint-s3-csi-driver

  • Description – A Kubernetes Container Storage Interface (CSI) plugin that provides Amazon S3 storage for your cluster.

  • Required IAM permissions – This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. The IAM role that is created will require a policy that gives access to S3. Follow the Mountpoint IAM permissions recommendations when creating the policy. Alternatively, you may use the Amazon managed policy AmazonS3FullAccess, but this managed policy grants more permissions than are needed for Mountpoint.

    You can create an IAM role and attach your policy to it with the following commands. Replace my-cluster with the name of your cluster, region-code with the correct Amazon Web Services Region code, AmazonEKS_S3_CSI_DriverRole with the name for your role, and AmazonEKS_S3_CSI_DriverRole_ARN with the role ARN. These commands require that you have eksctl installed on your device. For instructions on using the IAM console or Amazon CLI, see Creating an IAM role.

    CLUSTER_NAME=my-cluster REGION=region-code ROLE_NAME=AmazonEKS_S3_CSI_DriverRole POLICY_ARN=AmazonEKS_S3_CSI_DriverRole_ARN eksctl create iamserviceaccount \ --name s3-csi-driver-sa \ --namespace kube-system \ --cluster $CLUSTER_NAME \ --attach-policy-arn $POLICY_ARN \ --approve \ --role-name $ROLE_NAME \ --region $REGION \ --role-only
  • Additional information – To learn more about the add-on, see Mountpoint for Amazon S3 CSI driver.