Managed Add-Ons

Amazon EKS add-ons provide supporting operational capabilities to Kubernetes applications. Installing add-ons to an EKS cluster can be done in the Console or using RCTL.

There are ten (10) EKS add-ons available in the Console. Some EKS add-ons are K8s version specific. For information about supported versions, see Amazon EKS Add-Ons.

Important

Support for Amazon EFS CSI driver, Mountpoint for Amazon S3 CSI Driver, CSI snapshot controller, Amazon CloudWatch Observability agent managed add-ons is currently available in Preview Orgs

• ADOT Operator
• Amazon CloudWatch observability
• Amazon EBS CSI Driver
• Amazon EFS CSI Driver
• Amazon GuardDuty
• Amazon VPC CNI - Recommended K8s versions
• CoreDNS - Not K8s version specific
• CSI Snapshot Controller
• Kube-Proxy - K8s Compatibility
• Mountpoint for S3 CSI driver

Important

• The managed add-ons Amazon VPC CNI, CoreDNS, and Kube-Proxy are mandatory for the successful completion of EKS cluster provisioning
• With AWS EKS version 1.24 and newer, the Amazon EBS CSI Driver is automatically included with the EKS cluster
• The Amazon EBS CSI Driver requires IAM permissions

Install Add-Ons

Console

1. In the Console, select the EKS cluster to install add-ons to.
2. On the Configuration tab, for EKS Managed Addons, click Add. Create EKS Managed Addon window appears
3. Select the required add-on and version from the drop-down list

1. Users are allowed to customize the addon at the time of addition. Configurable values can be utilized to tailor the add-on according to the user preferences. Click on Optional Configuration Values to add more configurable values. An illustrative example is given below where configuration values are added for the ADOT addon

1. Click Save

Here is an example where the Amazon EBS CSI Driver, Amazon VPC CNI and ADOT addons are added

To add the Guard Duty Addon, user must enable the EKS Runtime Monitoring option in the AWS Console, as illustrated below

Required IAM Permissions for GuardDuty Managed Add-On

In addition to the IAM permissions documented here, the GuardDuty managed add-on requires the following additional IAM permissions

• ec2:DescribeVpcEndpoints
• ec2:CreateVpcEndpoint
• ec2:DeleteVpcEndpoints

---

RCTL

In the EKS cluster specification file, add the 'addons' section and include the appropriate add-ons. The following is an example.

addons:
- name: aws-ebs-csi-driver
  serviceAccountRoleARN: arn:aws:iam::123456789012:role/demo-ebs-csi
  version: v1.16.0-eksbuild.1
- name: vpc-cni
  version: v1.12.6-eksbuild.1
- name: kube-proxy
  version: v1.23.16-eksbuild.2

Important

In clusters where the creation of Role permissions is restricted, the addon will be generated with policies inherited from the node.

---