Amazon EKS add-ons - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Help improve this page

Want to contribute to this user guide? Scroll to the bottom of this page and select Edit this page on GitHub. Your contributions will help make our user guide better for everyone.

Amazon EKS add-ons

An add-on is software that provides supporting operational capabilities to Kubernetes applications, but is not specific to the application. This includes software like observability agents or Kubernetes drivers that allow the cluster to interact with underlying Amazon resources for networking, compute, and storage. Add-on software is typically built and maintained by the Kubernetes community, cloud providers like Amazon, or third-party vendors. Amazon EKS automatically installs self-managed add-ons such as the Amazon VPC CNI plugin for Kubernetes, kube-proxy, and CoreDNS for every cluster. You can change the default configuration of the add-ons and update them when desired.

Amazon EKS add-ons provide installation and management of a curated set of add-ons for Amazon EKS clusters. All Amazon EKS add-ons include the latest security patches, bug fixes, and are validated by Amazon to work with Amazon EKS. Amazon EKS add-ons allow you to consistently ensure that your Amazon EKS clusters are secure and stable and reduce the amount of work that you need to do in order to install, configure, and update add-ons. If a self-managed add-on, such as kube-proxy is already running on your cluster and is available as an Amazon EKS add-on, then you can install the kube-proxy Amazon EKS add-on to start benefiting from the capabilities of Amazon EKS add-ons.

You can update specific Amazon EKS managed configuration fields for Amazon EKS add-ons through the Amazon EKS API. You can also modify configuration fields not managed by Amazon EKS directly within the Kubernetes cluster once the add-on starts. This includes defining specific configuration fields for an add-on where applicable. These changes are not overridden by Amazon EKS once they are made. This is made possible using the Kubernetes server-side apply feature. For more information, see Determine fields you can customize for Amazon EKS add-ons.

You can use Amazon EKS add-ons with any Amazon EKS node type.

You can add, update, or delete Amazon EKS add-ons using the Amazon EKS API, Amazon Web Services Management Console, Amazon CLI, and eksctl. You can also create Amazon EKS add-ons using Amazon CloudFormation.

Considerations

Consider the following when you use Amazon EKS add-ons:

  • To configure add-ons for the cluster your IAM principal must have IAM permissions to work with add-ons. For more information, see the actions with Addon in their name in Actions defined by Amazon Elastic Kubernetes Service.

  • Amazon EKS add-ons run on the nodes that you provision or configure for your cluster. Node types include Amazon EC2 instances and Fargate.

  • You can modify fields that aren't managed by Amazon EKS to customize the installation of an Amazon EKS add-on. For more information, see Determine fields you can customize for Amazon EKS add-ons.

  • If you create a cluster with the Amazon Web Services Management Console, the Amazon EKS kube-proxy, Amazon VPC CNI plugin for Kubernetes, and CoreDNS Amazon EKS add-ons are automatically added to your cluster. If you use eksctl to create your cluster with a config file, eksctl can also create the cluster with Amazon EKS add-ons. If you create your cluster using eksctl without a config file or with any other tool, the self-managed kube-proxy, Amazon VPC CNI plugin for Kubernetes, and CoreDNS add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation.

  • The eks:addon-cluster-admin ClusterRoleBinding binds the cluster-admin ClusterRole to the eks:addon-manager Kubernetes identity. The role has the necessary permissions for the eks:addon-manager identity to create Kubernetes namespaces and install add-ons into namespaces. If the eks:addon-cluster-admin ClusterRoleBinding is removed, the Amazon EKS cluster will continue to function, however Amazon EKS is no longer able to manage any add-ons. All clusters starting with the following platform versions use the new ClusterRoleBinding.

    Kubernetes version EKS platform version
    1.20 eks.12
    1.21 eks.14
    1.22 eks.9
    1.23 eks.5
    1.24 eks.3