Amazon EKS add-ons provide supporting operational capabilities to Kubernetes applications. Installing add-ons to an EKS cluster can be done in the Console or using RCTL.
There are six (6) EKS add-ons available in the Console. Some EKS add-ons are K8s version specific. For information about supported versions, see Amazon EKS Add-Ons.
- Amazon EBS CSI Driver - Amazon EBS CSI Driver documentation
- Amazon VPC CNI - Recommended K8s versions
- CoreDNS - Not K8s version specific
- Kube-Proxy - K8s Compatibility
- ADOT - ADOT Operator
- Guard Duty - Amazon GuardDuty
With AWS EKS version 1.24 and newer, the Amazon EBS CSI Driver is automatically included with the EKS cluster.
The Amazon EBS CSI Driver requires IAM permissions.
- In the Console, select the EKS cluster to install add-ons to.
- On the Configuration tab, for EKS Managed Addons, click Add. The Create EKS Managed Addon window appears.
- Select the required add-on and version from the drop-down list.
- The add-on can be customized when it is added. Click Optional Configuration Values to supply configurable values that tailor the add-on to the user's preferences. An illustrative example is given below, where configuration values are added for the ADOT add-on.
- Click Save.
Here is an example where the Amazon EBS CSI Driver, Amazon VPC CNI and ADOT add-ons are added.
To add the Guard Duty add-on, the user must enable the EKS Runtime Monitoring option in the AWS Console, as illustrated below.
Required IAM Permissions for GuardDuty Managed Add-On
In addition to the IAM permissions documented here, the GuardDuty managed add-on requires the following additional IAM permissions
In the EKS cluster specification file, add the 'addons' section and include the appropriate add-ons. The following is an example.
```yaml
addons:
- name: aws-ebs-csi-driver
  serviceAccountRoleARN: arn:aws:iam::123456789012:role/demo-ebs-csi
  version: v1.16.0-eksbuild.1
- name: vpc-cni
  version: v1.12.6-eksbuild.1
- name: kube-proxy
  version: v1.23.16-eksbuild.2
```
In clusters where the creation of Role permissions is restricted, the addon will be generated with policies inherited from the node.
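A pre-deployment check for the 'addons' section, written for this page as an added example (it is not part of RCTL or the product). It flags add-ons that would run with node-inherited policies if role creation is restricted, and rejects a malformed `serviceAccountRoleARN`. The sample spec, the function names and the `NEEDS_IAM` set are assumptions of the example.

```python
import re

# Constructed sample spec fragment, same shape as the example above.
SPEC = """\
addons:
- name: aws-ebs-csi-driver
  serviceAccountRoleARN: arn:aws:iam::123456789012:role/demo-ebs-csi
  version: v1.16.0-eksbuild.1
- name: vpc-cni
  version: v1.12.6-eksbuild.1
- name: kube-proxy
  version: v1.23.16-eksbuild.2
"""

# Add-ons that call AWS APIs: EBS CSI per the page; vpc-cni is this example's assumption.
NEEDS_IAM = {"aws-ebs-csi-driver", "vpc-cni"}
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def parse_addons(text):
    """Parse only the flat 'addons:' list shape shown above (not general YAML)."""
    addons, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace() and not line.startswith("-"):
            in_section = line == "addons:"  # any other top-level key ends the section
        elif in_section:
            if line.startswith("- "):
                addons.append({})
                line = line[2:]
            key, _, value = line.partition(":")
            if addons:
                addons[-1][key.strip()] = value.strip()
    return addons

def audit(addons):
    """Return (name, finding) pairs for add-ons without a valid dedicated role."""
    findings = []
    for a in addons:
        name, arn = a.get("name", "?"), a.get("serviceAccountRoleARN")
        if arn and not ROLE_ARN.match(arn):
            findings.append((name, "malformed role ARN"))
        elif not arn and name in NEEDS_IAM:
            findings.append((name, "no serviceAccountRoleARN: node policies if role creation is restricted"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_addons(SPEC)):
        print(f"{name}: {finding}")
```

On the sample spec only `vpc-cni` is reported, because `kube-proxy` is not in `NEEDS_IAM` and the EBS CSI driver carries a well-formed role ARN.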