Available Amazon EKS add-ons from AWS
The following Amazon EKS add-ons are available to create on your cluster. You can view the most current list of available add-ons using eksctl
, the AWS Management Console, or the AWS CLI. To see all available add-ons or to install an add-on, see Create an Amazon EKS add-on. If an add-on requires IAM permissions, then you must have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see Create an IAM OIDC provider for your cluster. You can an create or delete an add-on after you’ve installed it. For more information, see Update an Amazon EKS add-on or Remove an Amazon EKS add-on from a cluster.
You can use any of the following Amazon EKS add-ons.
Description | Learn more |
---|---|
Provide native VPC networking for your cluster |
|
A flexible, extensible DNS server that can serve as the Kubernetes cluster DNS |
|
Maintain network rules on each Amazon EC2 node |
|
Provide Amazon EBS storage for your cluster |
|
Provide Amazon EFS storage for your cluster |
|
Provide Amazon S3 storage for your cluster |
|
Enable the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver |
|
Secure, production-ready, AWS supported distribution of the OpenTelemetry project |
|
Security monitoring service that analyzes and processes foundational data sources including AWS CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes features, such as Kubernetes audit logs and runtime monitoring |
|
Monitoring and observability service provided by AWS. This add-on installs the CloudWatch Agent and enables both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS |
|
Ability to manage credentials for your applications, similar to the way that EC2 instance profiles provide credentials to EC2 instances |
Amazon VPC CNI plugin for Kubernetes
The Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on is a Kubernetes container network interface (CNI) plugin that provides native VPC networking for your cluster. The self-managed or managed type of this add-on is installed on each Amazon EC2 node, by default. For more information, see Kubernetes container network interface (CNI) plugin
The Amazon EKS add-on name is vpc-cni
.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts.
If your cluster uses the IPv4
family, the permissions in the AmazonEKS_CNI_Policy are required. If your cluster uses the IPv6
family, you must create an IAM policy with the permissions in IPv6 mode
Replace my-cluster
with the name of your cluster and AmazonEKSVPCCNIRole
with the name for your role. If your cluster uses the IPv6
family, then replace AmazonEKS_CNI_Policy
with the name of the policy that you created. This command requires that you have eksctl
eksctl create iamserviceaccount --name aws-node --namespace kube-system --cluster my-cluster --role-name AmazonEKSVPCCNIRole \ --role-only --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --approve
Update information
You can only update one minor version at a time. For example, if your current version is 1.28.
and you want to update to x
-eksbuild.y
1.30.
, then you must update your current version to x
-eksbuild.y
1.29.
and then update it again to x
-eksbuild.y
1.30.
. For more information about updating the add-on, see Updating the Amazon VPC CNI (Amazon EKS add-on).x
-eksbuild.y
CoreDNS
The CoreDNS Amazon EKS add-on is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. The self-managed or managed type of this add-on was installed, by default, when you created your cluster. When you launch an Amazon EKS cluster with at least one node, two replicas of the CoreDNS image are deployed by default, regardless of the number of nodes deployed in your cluster. The CoreDNS Pods provide name resolution for all Pods in the cluster. You can deploy the CoreDNS Pods to Fargate nodes if your cluster includes a Fargate profile with a namespace that matches the namespace for the CoreDNS deployment. For more information, see Define which Pods use AWS Fargate when launched
The Amazon EKS add-on name is coredns
.
Required IAM permissions
This add-on doesn’t require any permissions.
Additional information
To learn more about CoreDNS, see Using CoreDNS for Service Discovery
Kube-proxy
The Kube-proxy
Amazon EKS add-on maintains network rules on each Amazon EC2 node. It enables network communication to your Pods. The self-managed or managed type of this add-on is installed on each Amazon EC2 node in your cluster, by default.
The Amazon EKS add-on name is kube-proxy
.
Required IAM permissions
This add-on doesn’t require any permissions.
Update information
Before updating your current version, consider the following requirements:
-
Kube-proxy
on an Amazon EKS cluster has the same compatibility and skew policy as Kubernetes.
Additional information
To learn more about kube-proxy
, see kube-proxy
Amazon EBS CSI driver
The Amazon EBS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EBS storage for your cluster.
The Amazon EKS add-on name is aws-ebs-csi-driver
.
Required IAM permissions
This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts. The permissions in the AmazonEBSCSIDriverPolicy
AWS managed policy are required. You can create an IAM role and attach the managed policy to it with the following command. Replace my-cluster
with the name of your cluster and AmazonEKS_EBS_CSI_DriverRole
with the name for your role. This command requires that you have eksctl
eksctl create iamserviceaccount \ --name ebs-csi-controller-sa \ --namespace kube-system \ --cluster my-cluster \ --role-name AmazonEKS_EBS_CSI_DriverRole \ --role-only \ --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \ --approve
Additional information
To learn more about the add-on, see Store Kubernetes volumes with Amazon EBS.
Amazon EFS CSI driver
The Amazon EFS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EFS storage for your cluster.
The Amazon EKS add-on name is aws-efs-csi-driver
.
Required IAM permissions
Required IAM permissions – This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts. The permissions in the AmazonEFSCSIDriverPolicy
AWS managed policy are required. You can create an IAM role and attach the managed policy to it with the following commands. Replace my-cluster
with the name of your cluster and AmazonEKS_EFS_CSI_DriverRole
with the name for your role. These commands require that you have eksctl
export cluster_name=my-cluster export role_name=AmazonEKS_EFS_CSI_DriverRole eksctl create iamserviceaccount \ --name efs-csi-controller-sa \ --namespace kube-system \ --cluster $cluster_name \ --role-name $role_name \ --role-only \ --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \ --approve TRUST_POLICY=$(aws iam get-role --role-name $role_name --query 'Role.AssumeRolePolicyDocument' | \ sed -e 's/efs-csi-controller-sa/efs-csi-*/' -e 's/StringEquals/StringLike/') aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRUST_POLICY"
Additional information
To learn more about the add-on, see Store an elastic file system with Amazon EFS.
Mountpoint for Amazon S3 CSI Driver
The Mountpoint for Amazon S3 CSI Driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon S3 storage for your cluster.
The Amazon EKS add-on name is aws-mountpoint-s3-csi-driver
.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts.
The IAM role that is created will require a policy that gives access to S3. Follow the Mountpoint IAM permissions recommendations
You can create an IAM role and attach your policy to it with the following commands. Replace my-cluster
with the name of your cluster, region-code
with the correct AWS Region code, AmazonEKS_S3_CSI_DriverRole
with the name for your role, and AmazonEKS_S3_CSI_DriverRole_ARN
with the role ARN. These commands require that you have eksctl
CLUSTER_NAME=my-cluster REGION=region-code ROLE_NAME=AmazonEKS_S3_CSI_DriverRole POLICY_ARN=AmazonEKS_S3_CSI_DriverRole_ARN eksctl create iamserviceaccount \ --name s3-csi-driver-sa \ --namespace kube-system \ --cluster $CLUSTER_NAME \ --attach-policy-arn $POLICY_ARN \ --approve \ --role-name $ROLE_NAME \ --region $REGION \ --role-only
Additional information
To learn more about the add-on, see Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver.
CSI snapshot controller
The Container Storage Interface (CSI) snapshot controller enables the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver.
The Amazon EKS add-on name is snapshot-controller
.
Required IAM permissions
This add-on doesn’t require any permissions.
Additional information
To learn more about the add-on, see Enable snapshot functionality for CSI volumes.
AWS Distro for OpenTelemetry
The AWS Distro for OpenTelemetry Amazon EKS add-on is a secure, production-ready, AWS supported distribution of the OpenTelemetry project. For more information, see AWS Distro for OpenTelemetry
The Amazon EKS add-on name is adot
.
Required IAM permissions
This add-on only requires IAM permissions if you’re using one of the preconfigured custom resources that can be opted into through advanced configuration.
Additional information
For more information, see Getting Started with AWS Distro for OpenTelemetry using EKS Add-Ons
ADOT requires that cert-manager
is deployed on the cluster as a prerequisite, otherwise this add-on won’t work if deployed directly using the https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latestcluster_addons
property. For more requirements, see Requirements for Getting Started with AWS Distro for OpenTelemetry using EKS Add-Ons
Amazon GuardDuty agent
The Amazon GuardDuty agent Amazon EKS add-on is a security monitoring service that analyzes and processes foundational data sources including AWS CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes features, such as Kubernetes audit logs and runtime monitoring.
The Amazon EKS add-on name is aws-guardduty-agent
.
Required IAM permissions
This add-on doesn’t require any permissions.
Additional information
For more information, see Runtime Monitoring for Amazon EKS clusters in Amazon GuardDuty.
-
To detect potential security threats in your Amazon EKS clusters, enable Amazon GuardDuty runtime monitoring and deploy the GuardDuty security agent to your Amazon EKS clusters.
Amazon CloudWatch Observability agent
The Amazon CloudWatch Observability agent Amazon EKS add-on the monitoring and observability service provided by AWS. This add-on installs the CloudWatch Agent and enables both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS. For more information, see Amazon CloudWatch Agent.
The Amazon EKS add-on name is amazon-cloudwatch-observability
.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts. The permissions in the AWSXrayWriteOnlyAccessmy-cluster
with the name of your cluster and AmazonEKS_Observability_role
with the name for your role. This command requires that you have eksctl
eksctl create iamserviceaccount \ --name cloudwatch-agent \ --namespace amazon-cloudwatch \ --cluster my-cluster \ --role-name AmazonEKS_Observability_Role \ --role-only \ --attach-policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \ --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \ --approve
Additional information
For more information, see Install the CloudWatch agent.
EKS Pod Identity Agent
The Amazon EKS Pod Identity Agent Amazon EKS add-on provides the ability to manage credentials for your applications, similar to the way that EC2 instance profiles provide credentials to EC2 instances.
The Amazon EKS add-on name is eks-pod-identity-agent
.
Required IAM permissions
This add-on users permissions from the Amazon EKS node IAM roleAmazon EKS node IAM role.
Update information
You can only update one minor version at a time. For example, if your current version is 1.28.x-eksbuild.y
and you want to update to 1.30.x-eksbuild.y
, then you must update your current version to 1.29.x-eksbuild.y
and then update it again to 1.30.x-eksbuild.y
. For more information about updating the add-on, see Updating the Amazon VPC CNI (Amazon EKS add-on).