Alternate CNI plugins for Amazon EKS clusters - Amazon EKS

The Amazon VPC CNI plugin for Kubernetes is the only CNI plugin supported by Amazon EKS. Amazon EKS runs upstream Kubernetes, so you can install alternate compatible CNI plugins to Amazon EC2 nodes in your cluster. If you have Fargate nodes in your cluster, the Amazon VPC CNI plugin for Kubernetes is already on your Fargate nodes. It’s the only CNI plugin you can use with Fargate nodes. An attempt to install an alternate CNI plugin on Fargate nodes fails.

If you plan to use an alternate CNI plugin on Amazon EC2 nodes, we recommend that you obtain commercial support for the plugin or have the in-house expertise to troubleshoot and contribute fixes to the CNI plugin project.

Amazon EKS maintains relationships with a network of partners that offer support for alternate compatible CNI plugins. For details about the versions, qualifications, and testing performed, see the following partner documentation.

Amazon EKS aims to give you a wide selection of options to cover all use cases.

Alternate compatible network policy plugins

Calico is a widely adopted solution for container networking and security. Using Calico on EKS provides fully compliant network policy enforcement for your EKS clusters. Additionally, you can opt to use Calico's networking, which conserves IP addresses from your underlying VPC. Calico Cloud enhances the features of Calico Open Source, providing advanced security and observability capabilities.

Traffic flowing to and from Pods that have associated security groups is not subject to Calico network policy enforcement; it is limited to Amazon VPC security group enforcement only.

If you use Calico network policy enforcement, we recommend that you set the environment variable ANNOTATE_POD_IP to true to avoid a known issue with Kubernetes. To use this feature, you must add patch permission for pods to the aws-node ClusterRole. Note that adding patch permission to the aws-node DaemonSet's role increases the security scope of the plugin, because the plugin can then modify any Pod object in the cluster. For more information, see ANNOTATE_POD_IP in the VPC CNI repo on GitHub.
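The ANNOTATE_POD_IP setting and the pods/patch RBAC grant have to be configured together, and the grant is exactly the widened scope the paragraph above warns about. The following added example (not AWS, Amazon VPC CNI or Calico project code) checks the two objects against each other from the JSON that `kubectl get clusterrole aws-node -o json` and `kubectl get daemonset aws-node -n kube-system -o json` would return. The two manifests embedded below are constructed, trimmed stand-ins for those objects, and the function names (`check`, `with_rule`, `minimal_patch_rule`) are this example's own.

```python
"""Audit the aws-node ClusterRole / DaemonSet pairing needed for ANNOTATE_POD_IP.

Added example, not AWS or Calico project code. The two manifests below are
constructed stand-ins for real `kubectl get ... -o json` output; real objects
carry more rules and fields.
"""
import json

# Constructed sample: a trimmed aws-node ClusterRole that grants read verbs
# on pods but not the patch verb that ANNOTATE_POD_IP requires.
CLUSTERROLE_JSON = json.dumps({
    "kind": "ClusterRole",
    "metadata": {"name": "aws-node"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "nodes", "namespaces"],
         "verbs": ["list", "watch", "get"]},
        {"apiGroups": ["crd.k8s.amazonaws.com"], "resources": ["eniconfigs"],
         "verbs": ["list", "watch", "get"]},
    ],
})

# Constructed sample: a trimmed aws-node DaemonSet with the variable enabled.
DAEMONSET_JSON = json.dumps({
    "kind": "DaemonSet",
    "metadata": {"name": "aws-node", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "aws-node",
         "env": [{"name": "ANNOTATE_POD_IP", "value": "true"},
                 {"name": "AWS_VPC_K8S_CNI_LOGLEVEL", "value": "DEBUG"}]},
    ]}}},
})


def rule_grants(rule, api_group, resource, verb):
    """True if one RBAC rule covers group/resource/verb, honouring the '*' wildcard."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return ((api_group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (verb in verbs or "*" in verbs))


def clusterrole_allows(clusterrole, api_group, resource, verb):
    """True if any rule in the ClusterRole grants the verb on the resource."""
    return any(rule_grants(r, api_group, resource, verb)
               for r in clusterrole.get("rules", []))


def annotate_pod_ip_enabled(daemonset):
    """True if the aws-node container sets ANNOTATE_POD_IP=true."""
    for container in daemonset["spec"]["template"]["spec"]["containers"]:
        if container.get("name") != "aws-node":
            continue
        for env in container.get("env", []):
            if env.get("name") == "ANNOTATE_POD_IP":
                return str(env.get("value", "")).lower() == "true"
    return False


def minimal_patch_rule():
    """Narrowest RBAC rule that satisfies ANNOTATE_POD_IP: patch on core-group pods."""
    return {"apiGroups": [""], "resources": ["pods"], "verbs": ["patch"]}


def with_rule(clusterrole_json, rule):
    """Return a copy of the ClusterRole JSON with one extra rule appended."""
    clusterrole = json.loads(clusterrole_json)
    clusterrole.setdefault("rules", []).append(rule)
    return json.dumps(clusterrole)


def check(clusterrole_json, daemonset_json):
    """Cross-check the env var against the RBAC grant and report findings."""
    clusterrole = json.loads(clusterrole_json)
    daemonset = json.loads(daemonset_json)
    enabled = annotate_pod_ip_enabled(daemonset)
    can_patch = clusterrole_allows(clusterrole, "", "pods", "patch")
    findings = []
    if enabled and not can_patch:
        findings.append("ANNOTATE_POD_IP=true but aws-node ClusterRole lacks "
                        "patch on pods: pod IP annotation will fail")
    if can_patch and not enabled:
        findings.append("aws-node ClusterRole grants patch on pods but "
                        "ANNOTATE_POD_IP is not enabled: grant is wider than needed")
    if can_patch:
        # Record the widened scope the documentation warns about.
        findings.append("aws-node can patch any Pod object cluster-wide; "
                        "keep this grant under review")
    return {"annotate_pod_ip": enabled, "pods_patch": can_patch,
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(check(CLUSTERROLE_JSON, DAEMONSET_JSON), indent=2))
    fixed = with_rule(CLUSTERROLE_JSON, minimal_patch_rule())
    print(json.dumps(check(fixed, DAEMONSET_JSON), indent=2))
```

Run against the constructed input, the first check reports the mismatch (variable on, no patch grant); after appending `minimal_patch_rule()` the mismatch clears and only the scope note remains, which is the state a reviewer should expect to see on a cluster that uses Calico network policy with ANNOTATE_POD_IP. Keeping the added rule to the single verb on the single core-group resource, rather than a wildcard, is the least-privilege form of the grant.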