Amazon EKS add-ons
An add-on is software that provides supporting operational capabilities to Kubernetes applications, but is not specific to the application. This includes software like observability agents or Kubernetes drivers that allow the cluster to interact with underlying Amazon resources for networking, compute, and storage. Add-on software is typically built and maintained by the Kubernetes community, cloud providers like Amazon, or third-party vendors. Amazon EKS automatically installs self-managed add-ons such as the Amazon VPC CNI plugin for Kubernetes, kube-proxy
, and CoreDNS for every cluster. Note that the VPC CNI add-on isn’t compatible with Amazon EKS Hybrid Nodes and doesn’t deploy to hybrid nodes. You can change the default configuration of the add-ons and update them when desired.
Amazon EKS add-ons provide installation and management of a curated set of add-ons for Amazon EKS clusters. All Amazon EKS add-ons include the latest security patches, bug fixes, and are validated by Amazon to work with Amazon EKS. Amazon EKS add-ons allow you to consistently ensure that your Amazon EKS clusters are secure and stable and reduce the amount of work that you need to do in order to install, configure, and update add-ons. If a self-managed add-on, such as kube-proxy
is already running on your cluster and is available as an Amazon EKS add-on, then you can install the kube-proxy
Amazon EKS add-on to start benefiting from the capabilities of Amazon EKS add-ons.
You can update specific Amazon EKS managed configuration fields for Amazon EKS add-ons through the Amazon EKS API. You can also modify configuration fields not managed by Amazon EKS directly within the Kubernetes cluster once the add-on starts. This includes defining specific configuration fields for an add-on where applicable. These changes are not overridden by Amazon EKS once they are made. This is made possible using the Kubernetes server-side apply feature. For more information, see Determine fields you can customize for Amazon EKS add-ons.
You can use Amazon EKS add-ons with any Amazon EKS node type. For more information, see Manage compute resources by using nodes.
You can add, update, or delete Amazon EKS add-ons using the Amazon EKS API, Amazon Web Services Management Console, Amazon CLI, and eksctl
. You can also create Amazon EKS add-ons using Amazon CloudFormation.
Considerations
Consider the following when you use Amazon EKS add-ons:
-
To configure add-ons for the cluster your IAM principal must have IAM permissions to work with add-ons. For more information, see the actions with
Addon
in their name in Actions defined by Amazon Elastic Kubernetes Service. -
Amazon EKS add-ons run on the nodes that you provision or configure for your cluster. Node types include Amazon EC2 instances, Fargate, and hybrid nodes.
-
You can modify fields that aren’t managed by Amazon EKS to customize the installation of an Amazon EKS add-on. For more information, see Determine fields you can customize for Amazon EKS add-ons.
-
If you create a cluster with the Amazon Web Services Management Console, the Amazon EKS
kube-proxy
, Amazon VPC CNI plugin for Kubernetes, and CoreDNS Amazon EKS add-ons are automatically added to your cluster. If you useeksctl
to create your cluster with aconfig
file,eksctl
can also create the cluster with Amazon EKS add-ons. If you create your cluster usingeksctl
without aconfig
file or with any other tool, the self-managedkube-proxy
, Amazon VPC CNI plugin for Kubernetes, and CoreDNS add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation. Regardless of the method that you use to create your cluster, the VPC CNI add-on doesn’t install on hybrid nodes. -
The
eks:addon-cluster-admin
ClusterRoleBinding
binds thecluster-admin
ClusterRole
to theeks:addon-manager
Kubernetes identity. The role has the necessary permissions for theeks:addon-manager
identity to create Kubernetes namespaces and install add-ons into namespaces. If theeks:addon-cluster-admin
ClusterRoleBinding
is removed, the Amazon EKS cluster will continue to function, however Amazon EKS is no longer able to manage any add-ons. All clusters starting with the following platform versions use the newClusterRoleBinding
. -
A subset of EKS add-ons from Amazon have been validated for compatibility with Amazon EKS Hybrid Nodes. For more information, see the compatibility table on Available Amazon EKS add-ons from Amazon.
Kubernetes version EKS platform version 1.20
eks.12
1.21
eks.14
1.22
eks.9
1.23
eks.5
1.24
eks.3
Considerations for Amazon EKS Auto Mode
Amazon EKS Auto mode includes capabilities that deliver essential cluster functionality, including:
-
Pod networking
-
Service networking
-
Cluster DNS
-
Autoscaling
-
Block storage
-
Load balancer controller
-
Pod Identity agent
-
Node monitoring agent
With Auto mode compute, many commonly used EKS add-ons become redundant, such as:
-
Amazon VPC CNI
-
kube-proxy
-
CoreDNS
-
Amazon EBS CSI Driver
-
EKS Pod Identity Agent
However, if your cluster combines Auto mode with other compute options like self-managed EC2 instances, Managed Node Groups, or Amazon Fargate, these add-ons remain necessary. Amazon has enhanced EKS add-ons with anti-affinity rules that automatically ensure add-on pods are scheduled only on supported compute types. Furthermore, users can now leverage the EKS add-ons DescribeAddonVersions
API to verify the supported computeTypes for each add-on and its specific versions. Additionally, with EKS Auto mode, the controllers listed above run on Amazon owned infrastructure. So, you many not even see them in your accounts unless you are using EKS auto mode with other types of compute in which case, you will see the controllers you installed on your cluster.
If you are planning to enable EKS Auto Mode on an existing cluster, you may need to upgrade the version of certain addons. For more information, see Required Add-on Versions for EKS Auto Mode.