Alternate CNI plugins for Amazon EKS clusters
The Amazon VPC CNI plugin for Kubernetes
If you plan to use an alternate CNI plugin on Amazon EC2 nodes, we recommend that you obtain commercial support for the plugin or have the in-house expertise to troubleshoot and contribute fixes to the CNI plugin project.
Amazon EKS maintains relationships with a network of partners that offer support for alternate compatible CNI plugins. For details about the versions, qualifications, and testing performed, see the following partner documentation.
Partner | Product | Documentation |
---|---|---|
Tigera | | |
Isovalent | | |
Juniper | | |
VMware | | |
Amazon EKS aims to give you a wide selection of options to cover all use cases.
Alternate compatible network policy plugins
Calico
Traffic flow to and from Pods with associated security groups is not subjected to Calico network policy enforcement and is limited to Amazon VPC security group enforcement only.
If you use Calico network policy enforcement, we recommend that you set the environment variable ANNOTATE_POD_IP to true to avoid a known issue with Kubernetes. To use this feature, you must add patch permission for pods to the aws-node ClusterRole. Note that adding patch permissions to the aws-node DaemonSet increases the security scope for the plugin. For more information, see ANNOTATE_POD_IP.
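The following added example (not part of the original page or of any AWS tooling) audits whether the ANNOTATE_POD_IP setting and the pod verbs granted to the aws-node ClusterRole agree, so that patch is granted only when the feature is actually enabled. The manifests are constructed samples shaped like `kubectl get ... -o json` output, and the get/list/watch baseline for pods is an assumption of this example.

```python
# Constructed sample manifests (not taken from a real cluster).
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "aws-node"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    ],
}
SAMPLE_DAEMONSET = {
    "kind": "DaemonSet",
    "metadata": {"name": "aws-node", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "aws-node", "env": [{"name": "ANNOTATE_POD_IP", "value": "true"}]},
    ]}}},
}

def pod_verbs(role):
    """Verbs the role grants on core-group pods ('*' is kept if a rule uses it)."""
    verbs = set()
    for rule in role.get("rules") or []:
        groups = rule.get("apiGroups") or []
        resources = rule.get("resources") or []
        if ("" in groups or "*" in groups) and ("pods" in resources or "*" in resources):
            verbs.update(rule.get("verbs") or [])
    return verbs

def annotate_enabled(daemonset):
    """True if any container sets ANNOTATE_POD_IP to 'true' (case-insensitive)."""
    containers = daemonset["spec"]["template"]["spec"].get("containers") or []
    return any(
        env.get("name") == "ANNOTATE_POD_IP" and str(env.get("value", "")).lower() == "true"
        for c in containers for env in c.get("env") or []
    )

def audit(role, daemonset):
    """Compare the ANNOTATE_POD_IP setting with the pod verbs the role grants."""
    verbs, enabled, findings = pod_verbs(role), annotate_enabled(daemonset), []
    can_patch = "patch" in verbs or "*" in verbs
    if enabled and not can_patch:
        findings.append("ANNOTATE_POD_IP=true but ClusterRole lacks patch on pods")
    if can_patch and not enabled:
        findings.append("patch on pods granted but ANNOTATE_POD_IP is not enabled")
    extra = verbs - {"get", "list", "watch", "patch"}  # assumed baseline plus patch
    if extra:
        findings.append("pod verbs beyond get/list/watch/patch: " + ", ".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLE, SAMPLE_DAEMONSET):
        print(finding)
```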