Help improve this page
Want to contribute to this user guide? Choose the Edit this page on GitHub link that is located in the right pane of every page. Your contributions will help make our user guide better for everyone.
Amazon EKS add-ons
An add-on is software that provides supporting operational capabilities to Kubernetes applications, but is not specific to the application. This includes software like observability agents or Kubernetes drivers that allow the cluster to interact with underlying Amazon resources for networking, compute, and storage. Add-on software is typically built and maintained by the Kubernetes community, cloud providers like Amazon, or third-party vendors. Amazon EKS automatically installs self-managed add-ons such as the Amazon VPC CNI plugin for Kubernetes, kube-proxy
, and CoreDNS for every cluster. Note that the VPC CNI add-on isn’t compatible with Amazon EKS Hybrid Nodes and doesn’t deploy to hybrid nodes. You can change the default configuration of the add-ons and update them when desired.
Amazon EKS add-ons provide installation and management of a curated set of add-ons for Amazon EKS clusters. All Amazon EKS add-ons include the latest security patches, bug fixes, and are validated by Amazon to work with Amazon EKS. Amazon EKS add-ons allow you to consistently ensure that your Amazon EKS clusters are secure and stable and reduce the amount of work that you need to do in order to install, configure, and update add-ons. If a self-managed add-on, such as kube-proxy
is already running on your cluster and is available as an Amazon EKS add-on, then you can install the kube-proxy
Amazon EKS add-on to start benefiting from the capabilities of Amazon EKS add-ons.
You can update specific Amazon EKS managed configuration fields for Amazon EKS add-ons through the Amazon EKS API. You can also modify configuration fields not managed by Amazon EKS directly within the Kubernetes cluster once the add-on starts. This includes defining specific configuration fields for an add-on where applicable. These changes are not overridden by Amazon EKS once they are made. This is made possible using the Kubernetes server-side apply feature. For more information, see Determine fields you can customize for Amazon EKS add-ons.
You can use Amazon EKS add-ons with any Amazon EKS node type. For more information, see Manage compute resources by using nodes.
You can add, update, or delete Amazon EKS add-ons using the Amazon EKS API, Amazon Web Services Management Console, Amazon CLI, and eksctl
. You can also create Amazon EKS add-ons using Amazon CloudFormation.
Considerations
Consider the following when you use Amazon EKS add-ons:
-
To configure add-ons for the cluster your IAM principal must have IAM permissions to work with add-ons. For more information, see the actions with
Addon
in their name in Actions defined by Amazon Elastic Kubernetes Service. -
Amazon EKS add-ons run on the nodes that you provision or configure for your cluster. Node types include Amazon EC2 instances, Fargate, and hybrid nodes.
-
You can modify fields that aren’t managed by Amazon EKS to customize the installation of an Amazon EKS add-on. For more information, see Determine fields you can customize for Amazon EKS add-ons.
-
If you create a cluster with the Amazon Web Services Management Console, the Amazon EKS
kube-proxy
, Amazon VPC CNI plugin for Kubernetes, and CoreDNS Amazon EKS add-ons are automatically added to your cluster. If you useeksctl
to create your cluster with aconfig
file,eksctl
can also create the cluster with Amazon EKS add-ons. If you create your cluster usingeksctl
without aconfig
file or with any other tool, the self-managedkube-proxy
, Amazon VPC CNI plugin for Kubernetes, and CoreDNS add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation. Regardless of the method that you use to create your cluster, the VPC CNI add-on doesn’t install on hybrid nodes. -
The
eks:addon-cluster-admin
ClusterRoleBinding
binds thecluster-admin
ClusterRole
to theeks:addon-manager
Kubernetes identity. The role has the necessary permissions for theeks:addon-manager
identity to create Kubernetes namespaces and install add-ons into namespaces. If theeks:addon-cluster-admin
ClusterRoleBinding
is removed, the Amazon EKS cluster will continue to function, however Amazon EKS is no longer able to manage any add-ons. All clusters starting with the following platform versions use the newClusterRoleBinding
. -
A subset of EKS add-ons from Amazon have been validated for compatibility with Amazon EKS Hybrid Nodes. For more information, see the compatibility table on Amazon Add-ons.
Required platform version
Review the table to determine the minimum required platform version to use this feature with your cluster. You can use the listed platform version, or a more recent platform version. For example, if the table lists "eks.14" you can use platform version "eks.15". For more information, see View Amazon EKS platform versions for each Kubernetes version.
Kubernetes version | EKS platform version |
---|---|
1.25 or newer |
All platform versions |
1.20 |
eks.12 |
1.21 |
eks.14 |
1.22 |
eks.9 |
1.23 |
eks.5 |
1.24 |
eks.3 |
Considerations for Amazon EKS Auto Mode
Amazon EKS Auto mode includes capabilities that deliver essential cluster functionality, including:
-
Pod networking
-
Service networking
-
Cluster DNS
-
Autoscaling
-
Block storage
-
Load balancer controller
-
Pod Identity agent
-
Node monitoring agent
With Auto mode compute, many commonly used EKS add-ons become redundant, such as:
-
Amazon VPC CNI
-
kube-proxy
-
CoreDNS
-
Amazon EBS CSI Driver
-
EKS Pod Identity Agent
However, if your cluster combines Auto mode with other compute options like self-managed EC2 instances, Managed Node Groups, or Amazon Fargate, these add-ons remain necessary. Amazon has enhanced EKS add-ons with anti-affinity rules that automatically ensure add-on pods are scheduled only on supported compute types. Furthermore, users can now leverage the EKS add-ons DescribeAddonVersions
API to verify the supported computeTypes for each add-on and its specific versions. Additionally, with EKS Auto mode, the controllers listed above run on Amazon owned infrastructure. So, you many not even see them in your accounts unless you are using EKS auto mode with other types of compute in which case, you will see the controllers you installed on your cluster.
If you are planning to enable EKS Auto Mode on an existing cluster, you may need to upgrade the version of certain addons. For more information, see Required Add-on Versions for EKS Auto Mode.
Support
Amazon publishes multiple types of add-ons with different levels of support.
-
Amazon Add-ons: These add-ons are built and fully supported by Amazon.
-
Use an Amazon add-on to work with other Amazon services, such as Amazon EFS.
-
For more information, see Amazon Add-ons.
-
-
Amazon Marketplace Add-ons: These add-ons are scanned by Amazon and supported by an independent Amazon partner.
-
Use a marketplace add-on to add valuable and sophisticated features to your cluster, such as monitoring with Splunk.
-
For more information, see Amazon Marketplace add-ons.
-
-
Community Add-ons: These add-ons are scanned by Amazon but supported by the open source community.
-
Use a community add-on to reduce the complexity of installing common open source software, such as Kubernetes Metrics Server.
-
For more information, see Community add-ons.
-
The following table details the scope of support for each add-on type:
Category | Feature | Amazon add-ons | Amazon Marketplace add-ons | Community add-ons |
---|---|---|---|---|
Development |
Built by Amazon |
Yes |
No |
Yes |
Development |
Validated by Amazon |
Yes |
No |
Yes |
Development |
Validated by Amazon Partner |
No |
Yes |
No |
Maintenance |
Scanned by Amazon |
Yes |
Yes |
Yes |
Maintenance |
Patched by Amazon |
Yes |
No |
Yes |
Maintenance |
Patched by Amazon Partner |
No |
Yes |
No |
Distribution |
Published by Amazon |
Yes |
No |
Yes |
Distribution |
Published by Amazon Partner |
No |
Yes |
No |
Support |
Basic Install Support by Amazon |
Yes |
Yes |
Yes |
Support |
Full Amazon Support |
Yes |
No |
No |
Support |
Full Amazon Partner Support |
No |
Yes |
No |
Amazon Marketplace add-ons can download additional software dependencies from external sources outside of Amazon. These external dependencies are not scanned or validated by Amazon. Consider your security requirements when deploying Amazon Marketplace add-ons that fetch external dependencies.