Managed Add-Ons
Amazon EKS add-ons provide supporting operational capabilities to Kubernetes applications. Installing add-ons to an EKS cluster can be done in the Console or using RCTL.
There are ten (10) EKS add-ons available in the Console. Some EKS add-ons are K8s version specific. For information about supported versions, see Amazon EKS Add-Ons.
- ADOT Operator
- Amazon CloudWatch observability
- Amazon EBS CSI Driver
- Amazon EFS CSI Driver
- Amazon GuardDuty
- Amazon VPC CNI - Recommended K8s versions
- CoreDNS - Not K8s version specific
- CSI Snapshot Controller
- Kube-Proxy - K8s Compatibility
- Mountpoint for S3 CSI driver
- EKS Pod Identity Agent - For more information, refer to the Pod Identity Associations page
Important
- The mandatory add-ons like Amazon VPC CNI, CoreDNS, and Kube-Proxy will be implicitly added to the cluster if they are not specified in the cluster configuration file during EKS cluster creation
- With AWS EKS version 1.24 and newer, the Amazon EBS CSI Driver is automatically included with the EKS cluster
- The Amazon EBS CSI Driver requires IAM permissions
Install Add-Ons
Console
- In the Console, select the EKS cluster to install add-ons to.
- On the Configuration tab, for EKS Managed Addons, click Add. The Create EKS Managed Addon window appears
- Select the required add-on and version from the drop-down list
- Users can customize the add-on at the time of addition. Click Optional Configuration Values to add configurable values that tailor the add-on to the user's preferences. An illustrative example is given below, where configuration values are added for the ADOT add-on
- Click Save
Here is an example where the Amazon EBS CSI Driver, Amazon VPC CNI and ADOT addons are added
To add the GuardDuty add-on, the user must enable the EKS Runtime Monitoring option in the AWS Console, as illustrated below
Required IAM Permissions for GuardDuty Managed Add-On
In addition to the IAM permissions documented here, the GuardDuty managed add-on requires the following additional IAM permissions:
- ec2:DescribeVpcEndpoints
- ec2:CreateVpcEndpoint
- ec2:DeleteVpcEndpoints
Required IAM Permissions for EKS Pod Identity Agent Add-On
The EKS Pod Identity Agent managed add-on requires the following additional IAM permissions:
- eks:CreatePodIdentityAssociation
- eks:DescribePodIdentityAssociation
- eks:DeletePodIdentityAssociation
- eks:UpdatePodIdentityAssociation
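A pre-flight check for the two permission lists above, added here as an example and not part of the original documentation: it reports which of the listed actions an identity-based IAM policy document does not allow. The function names and the sample policy are constructed, and the evaluation is deliberately simplified: it matches Action patterns only and ignores Resource, Condition and NotAction.

```python
import json
from fnmatch import fnmatchcase

# Extra actions listed on this page, keyed by the add-on names the page uses.
REQUIRED = {
    "Amazon GuardDuty": [
        "ec2:DescribeVpcEndpoints",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteVpcEndpoints",
    ],
    "EKS Pod Identity Agent": [
        "eks:CreatePodIdentityAssociation",
        "eks:DescribePodIdentityAssociation",
        "eks:DeletePodIdentityAssociation",
        "eks:UpdatePodIdentityAssociation",
    ],
}

def _patterns(policy, effect):
    """Lower-cased Action patterns from all statements with the given Effect."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = []
    for s in stmts:
        if s.get("Effect") == effect:
            actions = s.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            found += [a.lower() for a in actions]
    return found

def missing_actions(policy, addon):
    """Page-listed actions for `addon` that are denied or never allowed."""
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    def hit(action, pats):
        # IAM action names are case-insensitive and may use * and ? wildcards.
        return any(fnmatchcase(action.lower(), p) for p in pats)
    return [a for a in REQUIRED[addon] if hit(a, deny) or not hit(a, allow)]

# Constructed sample policy (hypothetical): a wildcard covers Pod Identity,
# but only two of the three VPC endpoint actions GuardDuty needs are present.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:DescribeVpcEndpoints", "ec2:CreateVpcEndpoint"], "Resource": "*"},
  {"Effect": "Allow", "Action": "eks:*PodIdentityAssociation", "Resource": "*"}
]}
""")
if __name__ == "__main__":
    for name in REQUIRED:
        print(name, "missing:", missing_actions(SAMPLE_POLICY, name) or "none")
```

An explicit Deny is reported as missing even when a broader Allow matches, since a Deny overrides an Allow in IAM evaluation.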
RCTL
In the EKS cluster specification file, add the 'addons' section and include the appropriate add-ons. The following is an example.
addons:
- name: aws-ebs-csi-driver
  serviceAccountRoleARN: arn:aws:iam::123456789012:role/demo-ebs-csi
  version: v1.16.0-eksbuild.1
- name: vpc-cni
  version: v1.12.6-eksbuild.1
- name: kube-proxy
  version: v1.23.16-eksbuild.2
Important
In clusters where the creation of Role permissions is restricted, the addon will be generated with policies inherited from the node.