Available Amazon EKS add-ons from AWS
The following Amazon EKS add-ons are available to create on your cluster. You can view the most current list of available add-ons using eksctl, the AWS Management Console, or the AWS CLI. To see all available add-ons or to install an add-on, see Creating an Amazon EKS add-on. If an add-on requires IAM permissions, then you must have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see Create an IAM OIDC provider for your cluster. You can update or delete an add-on after you've installed it.
You can use any of the following Amazon EKS add-ons.
Description | Learn more |
---|---|
Provide native VPC networking for your cluster | Amazon VPC CNI plugin for Kubernetes |
A flexible, extensible DNS server that can serve as the Kubernetes cluster DNS | CoreDNS |
Maintain network rules on each Amazon EC2 node | Kube-proxy |
Provide Amazon EBS storage for your cluster | Amazon EBS CSI driver |
Provide Amazon EFS storage for your cluster | Amazon EFS CSI driver |
Provide Amazon S3 storage for your cluster | Mountpoint for Amazon S3 CSI Driver |
Enable the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver | CSI snapshot controller |
Secure, production-ready, AWS supported distribution of the OpenTelemetry project | AWS Distro for OpenTelemetry |
Security monitoring service that analyzes and processes foundational data sources including AWS CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes features, such as Kubernetes audit logs and runtime monitoring | Amazon GuardDuty agent |
Monitoring and observability service provided by AWS. This add-on installs the CloudWatch Agent and enables both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS | Amazon CloudWatch Observability agent |
Ability to manage credentials for your applications, similar to the way that EC2 instance profiles provide credentials to EC2 instances | EKS Pod Identity Agent |
Amazon VPC CNI plugin for Kubernetes
The Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on is a Kubernetes container network interface (CNI) plugin that provides native VPC networking for your cluster. The self-managed or managed type of this add-on is installed on each Amazon EC2 node, by default. For more information, see Kubernetes container network interface (CNI) plugin.
The Amazon EKS add-on name is vpc-cni.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. If your cluster uses the IPv4 family, the permissions in the AmazonEKS_CNI_Policy are required. If your cluster uses the IPv6 family, you must create an IAM policy with the permissions in IPv6 mode.
Replace my-cluster with the name of your cluster and AmazonEKSVPCCNIRole with the name for your role. If your cluster uses the IPv6 family, then replace AmazonEKS_CNI_Policy with the name of the policy that you created. This command requires that you have eksctl.
eksctl create iamserviceaccount --name aws-node --namespace kube-system --cluster my-cluster --role-name AmazonEKSVPCCNIRole \
  --role-only --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --approve
Update information
You can only update one minor version at a time. For example, if your current version is 1.29.x-eksbuild.y and you want to update to 1.31.x-eksbuild.y, then you must update your current version to 1.30.x-eksbuild.y and then update it again to 1.31.x-eksbuild.y.
For more information about updating the add-on, see Updating the Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on.
CoreDNS
The CoreDNS Amazon EKS add-on is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. The self-managed or managed type of this add-on was installed, by default, when you created your cluster. When you launch an Amazon EKS cluster with at least one node, two replicas of the CoreDNS image are deployed by default, regardless of the number of nodes deployed in your cluster. The CoreDNS Pods provide name resolution for all Pods in the cluster. You can deploy the CoreDNS Pods to Fargate nodes if your cluster includes a Fargate profile (see Define which Pods use AWS Fargate when launched) with a namespace that matches the namespace for the CoreDNS deployment.
The Amazon EKS add-on name is coredns.
Required IAM permissions
This add-on doesn't require any permissions.
Additional information
To learn more about CoreDNS, see Using CoreDNS for Service Discovery.
Kube-proxy
The Kube-proxy Amazon EKS add-on maintains network rules on each Amazon EC2 node. It enables network communication to your Pods. The self-managed or managed type of this add-on is installed on each Amazon EC2 node in your cluster, by default.
The Amazon EKS add-on name is kube-proxy.
Required IAM permissions
This add-on doesn't require any permissions.
Update information
Before updating your current version, consider the following requirements:
- Kube-proxy on an Amazon EKS cluster has the same compatibility and skew policy as Kubernetes.
Additional information
To learn more about kube-proxy, see kube-proxy.
Amazon EBS CSI driver
The Amazon EBS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EBS storage for your cluster.
The Amazon EKS add-on name is aws-ebs-csi-driver.
Required IAM permissions
This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. The permissions in the AmazonEBSCSIDriverPolicy AWS managed policy are required. You can create an IAM role and attach the managed policy to it with the following command. Replace my-cluster with the name of your cluster and AmazonEKS_EBS_CSI_DriverRole with the name for your role. This command requires that you have eksctl.
eksctl create iamserviceaccount \
  --name ebs-csi-controller-sa \
  --namespace kube-system \
  --cluster my-cluster \
  --role-name AmazonEKS_EBS_CSI_DriverRole \
  --role-only \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
  --approve
Additional information
To learn more about the add-on, see Store Kubernetes volumes with Amazon EBS.
Amazon EFS CSI driver
The Amazon EFS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EFS storage for your cluster.
The Amazon EKS add-on name is aws-efs-csi-driver.
Required IAM permissions
This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. The permissions in the AmazonEFSCSIDriverPolicy AWS managed policy are required. You can create an IAM role and attach the managed policy to it with the following commands. Replace my-cluster with the name of your cluster and AmazonEKS_EFS_CSI_DriverRole with the name for your role. These commands require that you have eksctl.
export cluster_name=my-cluster
export role_name=AmazonEKS_EFS_CSI_DriverRole
eksctl create iamserviceaccount \
  --name efs-csi-controller-sa \
  --namespace kube-system \
  --cluster $cluster_name \
  --role-name $role_name \
  --role-only \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \
  --approve
TRUST_POLICY=$(aws iam get-role --role-name $role_name --query 'Role.AssumeRolePolicyDocument' | \
  sed -e 's/efs-csi-controller-sa/efs-csi-*/' -e 's/StringEquals/StringLike/')
aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRUST_POLICY"
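What the sed edit above does to the role's trust policy, as an added example that is not part of the AWS documentation: it checks which service accounts satisfy the `sub` condition of a constructed trust policy before and after the edit. The account ID, OIDC provider ID, helper names and sample service-account names are assumptions, and only the `sub` condition is evaluated.

```python
import json
import re

# Constructed sample of a service-account role trust policy. The account ID and
# OIDC provider ID are placeholders, not values from the page.
OIDC = "oidc.eks.region-code.amazonaws.com/id/EXAMPLE"
ORIGINAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa",
            f"{OIDC}:aud": "sts.amazonaws.com",
        }},
    }],
}, indent=2)

def widen(policy_text):
    """Apply the two substitutions from the page's sed command."""
    text = policy_text.replace("efs-csi-controller-sa", "efs-csi-*")
    return text.replace("StringEquals", "StringLike")

def sub_patterns(policy_text):
    """Return (operator, pattern) for each ':sub' condition in Allow statements."""
    found = []
    for stmt in json.loads(policy_text)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for operator, conds in stmt.get("Condition", {}).items():
            for key, value in conds.items():
                if key.endswith(":sub"):
                    values = value if isinstance(value, list) else [value]
                    found += [(operator, v) for v in values]
    return found

def iam_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def may_assume(policy_text, namespace, service_account):
    """True if the subject for this service account satisfies a ':sub' condition."""
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    return any((op == "StringLike" and iam_like(pat, subject)) or
               (op == "StringEquals" and pat == subject)
               for op, pat in sub_patterns(policy_text))
```

After the edit, every service account in kube-system whose name starts with efs-csi- satisfies the condition, so the set of principals able to create service accounts in that namespace becomes part of the role's trust boundary.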
Additional information
To learn more about the add-on, see Store an elastic file system with Amazon EFS.
Mountpoint for Amazon S3 CSI Driver
The Mountpoint for Amazon S3 CSI Driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon S3 storage for your cluster.
The Amazon EKS add-on name is aws-mountpoint-s3-csi-driver.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. The IAM role that is created will require a policy that gives access to S3. Follow the Mountpoint IAM permissions recommendations.
You can create an IAM role and attach your policy to it with the following commands. Replace my-cluster with the name of your cluster, region-code with the correct AWS Region code, AmazonEKS_S3_CSI_DriverRole with the name for your role, and AmazonEKS_S3_CSI_DriverRole_ARN with the role ARN. These commands require that you have eksctl.
CLUSTER_NAME=my-cluster
REGION=region-code
ROLE_NAME=AmazonEKS_S3_CSI_DriverRole
POLICY_ARN=AmazonEKS_S3_CSI_DriverRole_ARN
eksctl create iamserviceaccount \
  --name s3-csi-driver-sa \
  --namespace kube-system \
  --cluster $CLUSTER_NAME \
  --attach-policy-arn $POLICY_ARN \
  --approve \
  --role-name $ROLE_NAME \
  --region $REGION \
  --role-only
Additional information
To learn more about the add-on, see Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver.
CSI snapshot controller
The Container Storage Interface (CSI) snapshot controller enables the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver.
The Amazon EKS add-on name is snapshot-controller.
Required IAM permissions
This add-on doesn't require any permissions.
Additional information
To learn more about the add-on, see Enable snapshot functionality for CSI volumes.
AWS Distro for OpenTelemetry
The AWS Distro for OpenTelemetry Amazon EKS add-on is a secure, production-ready, AWS supported distribution of the OpenTelemetry project. For more information, see AWS Distro for OpenTelemetry.
The Amazon EKS add-on name is adot.
Required IAM permissions
This add-on only requires IAM permissions if you're using one of the preconfigured custom resources that can be opted into through advanced configuration.
Additional information
For more information, see Getting Started with AWS Distro for OpenTelemetry using EKS Add-Ons.
ADOT requires that cert-manager is deployed on the cluster as a prerequisite, otherwise this add-on won't work if deployed directly using the Amazon EKS Terraform cluster_addons property. For more requirements, see Requirements for Getting Started with AWS Distro for OpenTelemetry using EKS Add-Ons.
Amazon GuardDuty agent
The Amazon GuardDuty agent Amazon EKS add-on is a security monitoring service that analyzes and processes foundational data sources including AWS CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes features, such as Kubernetes audit logs and runtime monitoring.
The Amazon EKS add-on name is aws-guardduty-agent.
Required IAM permissions
This add-on doesn't require any permissions.
Additional information
For more information, see Runtime Monitoring for Amazon EKS clusters in Amazon GuardDuty.
- To detect potential security threats in your Amazon EKS clusters, enable Amazon GuardDuty runtime monitoring and deploy the GuardDuty security agent to your Amazon EKS clusters.
Amazon CloudWatch Observability agent
The Amazon CloudWatch Observability agent Amazon EKS add-on is the monitoring and observability service provided by AWS. This add-on installs the CloudWatch Agent and enables both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS. For more information, see Amazon CloudWatch Agent.
The Amazon EKS add-on name is amazon-cloudwatch-observability.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. The permissions in the AWSXrayWriteOnlyAccess
Replace my-cluster with the name of your cluster and AmazonEKS_Observability_Role with the name for your role. This command requires that you have eksctl.
eksctl create iamserviceaccount \
  --name cloudwatch-agent \
  --namespace amazon-cloudwatch \
  --cluster my-cluster \
  --role-name AmazonEKS_Observability_Role \
  --role-only \
  --attach-policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \
  --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
  --approve
Additional information
For more information, see Install the CloudWatch agent.
EKS Pod Identity Agent
The Amazon EKS Pod Identity Agent Amazon EKS add-on provides the ability to manage credentials for your applications, similar to the way that EC2 instance profiles provide credentials to EC2 instances.
The Amazon EKS add-on name is eks-pod-identity-agent.
Required IAM permissions
This add-on uses permissions from the Amazon EKS node IAM role.
Update information
You can only update one minor version at a time. For example, if your current version is 1.29.x-eksbuild.y and you want to update to 1.31.x-eksbuild.y, then you must update your current version to 1.30.x-eksbuild.y and then update it again to 1.31.x-eksbuild.y.
For more information about updating the add-on, see Updating the Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on.