AWS add-ons
The following Amazon EKS add-ons are available to create on your cluster. You can view the most current list of available add-ons using eksctl, the AWS Management Console, or the AWS CLI. To see all available add-ons or to install an add-on, see Create an Amazon EKS add-on. If an add-on requires IAM permissions, then you must have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see Create an IAM OIDC provider for your cluster. You can update or delete an add-on after you’ve installed it. For more information, see Update an Amazon EKS add-on or Remove an Amazon EKS add-on from a cluster. For more information about considerations specific to running EKS add-ons with Amazon EKS Hybrid Nodes, see Configure add-ons for hybrid nodes.
You can use any of the following Amazon EKS add-ons.
| Description | Learn more | Compatible compute types |
|---|---|---|
| Provide native VPC networking for your cluster | Amazon VPC CNI plugin for Kubernetes | EC2 |
| A flexible, extensible DNS server that can serve as the Kubernetes cluster DNS | CoreDNS | EC2, Fargate, EKS Auto Mode, EKS Hybrid Nodes |
| Maintain network rules on each Amazon EC2 node | Kube-proxy | EC2, EKS Hybrid Nodes |
| Provide Amazon EBS storage for your cluster | Amazon EBS CSI driver | EC2 |
| Provide Amazon EFS storage for your cluster | Amazon EFS CSI driver | EC2, EKS Auto Mode |
| Provide Amazon FSx for Lustre storage for your cluster | Amazon FSx CSI driver | EC2, EKS Auto Mode |
| Provide Amazon S3 storage for your cluster | Mountpoint for Amazon S3 CSI Driver | EC2, EKS Auto Mode |
| Detect additional node health issues | Node monitoring agent | EC2, EKS Hybrid Nodes |
| Enable the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver | CSI snapshot controller | EC2, Fargate, EKS Auto Mode, EKS Hybrid Nodes |
| SageMaker HyperPod task governance optimizes compute resource allocation and usage across teams in Amazon EKS clusters, addressing inefficiencies in task prioritization and resource sharing. | Amazon SageMaker HyperPod task governance | EC2, EKS Auto Mode |
| The Amazon SageMaker HyperPod Observability AddOn provides comprehensive monitoring and observability capabilities for HyperPod clusters. | Amazon SageMaker HyperPod Observability Add-on | EC2, EKS Auto Mode |
| Amazon SageMaker HyperPod training operator enables efficient distributed training on Amazon EKS clusters with advanced scheduling and resource management capabilities. | Amazon SageMaker HyperPod training operator | EC2, EKS Auto Mode |
| A Kubernetes agent that collects and reports network flow data to Amazon CloudWatch, enabling comprehensive monitoring of TCP connections across cluster nodes. | AWS Network Flow Monitor Agent | EC2, EKS Auto Mode |
| Secure, production-ready, AWS supported distribution of the OpenTelemetry project | AWS Distro for OpenTelemetry | EC2, Fargate, EKS Auto Mode, EKS Hybrid Nodes |
| Security monitoring service that analyzes and processes foundational data sources including AWS CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes features, such as Kubernetes audit logs and runtime monitoring | Amazon GuardDuty agent | EC2, EKS Auto Mode |
| Monitoring and observability service provided by AWS. This add-on installs the CloudWatch Agent and enables both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS | Amazon CloudWatch Observability agent | EC2, EKS Auto Mode, EKS Hybrid Nodes |
| Ability to manage credentials for your applications, similar to the way that EC2 instance profiles provide credentials to EC2 instances | EKS Pod Identity Agent | EC2, EKS Hybrid Nodes |
| Enable cert-manager to issue X.509 certificates from AWS Private CA. Requires cert-manager. | AWS Private CA Connector for Kubernetes | EC2, Fargate, EKS Auto Mode, EKS Hybrid Nodes |
| Generate Prometheus metrics about SR-IOV network device performance | SR-IOV Network Metrics Exporter | EC2 |
Amazon VPC CNI plugin for Kubernetes
The Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on is a Kubernetes container network interface (CNI) plugin that provides native VPC networking for your cluster. The self-managed or managed type of this add-on is installed on each Amazon EC2 node, by default. For more information, see Kubernetes container network interface (CNI) plugin.
Note
You do not need to install this add-on on Amazon EKS Auto Mode clusters. For more information, see Considerations for Amazon EKS Auto Mode.
The Amazon EKS add-on name is vpc-cni.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts.
If your cluster uses the IPv4 family, the permissions in the AmazonEKS_CNI_Policy are required. If your cluster uses the IPv6 family, you must create an IAM policy with the permissions in IPv6 mode.
Replace my-cluster with the name of your cluster and AmazonEKSVPCCNIRole with the name for your role. If your cluster uses the IPv6 family, then replace AmazonEKS_CNI_Policy with the name of the policy that you created. This command requires that you have eksctl.

```bash
eksctl create iamserviceaccount --name aws-node --namespace kube-system --cluster my-cluster --role-name AmazonEKSVPCCNIRole \
    --role-only --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --approve
```
Update information
You can only update one minor version at a time. For example, if your current version is 1.28.x-eksbuild.y and you want to update to 1.30.x-eksbuild.y, then you must update your current version to 1.29.x-eksbuild.y and then update it again to 1.30.x-eksbuild.y. For more information about updating the add-on, see Update the Amazon VPC CNI (Amazon EKS add-on).
CoreDNS
The CoreDNS Amazon EKS add-on is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. The self-managed or managed type of this add-on was installed, by default, when you created your cluster. When you launch an Amazon EKS cluster with at least one node, two replicas of the CoreDNS image are deployed by default, regardless of the number of nodes deployed in your cluster. The CoreDNS Pods provide name resolution for all Pods in the cluster. You can deploy the CoreDNS Pods to Fargate nodes if your cluster includes a Fargate profile with a namespace that matches the namespace for the CoreDNS deployment. For more information, see Define which Pods use AWS Fargate when launched.
Note
You do not need to install this add-on on Amazon EKS Auto Mode clusters. For more information, see Considerations for Amazon EKS Auto Mode.
The Amazon EKS add-on name is coredns.
Required IAM permissions
This add-on doesn’t require any permissions.
Additional information
To learn more about CoreDNS, see Using CoreDNS for Service Discovery.
Kube-proxy
The Kube-proxy Amazon EKS add-on maintains network rules on each Amazon EC2 node. It enables network communication to your Pods. The self-managed or managed type of this add-on is installed on each Amazon EC2 node in your cluster, by default.
Note
You do not need to install this add-on on Amazon EKS Auto Mode clusters. For more information, see Considerations for Amazon EKS Auto Mode.
The Amazon EKS add-on name is kube-proxy.
Required IAM permissions
This add-on doesn’t require any permissions.
Update information
Before updating your current version, consider the following requirements:
- Kube-proxy on an Amazon EKS cluster has the same compatibility and skew policy as Kubernetes.
Additional information
To learn more about kube-proxy, see kube-proxy.
Amazon EBS CSI driver
The Amazon EBS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EBS storage for your cluster.
Note
You do not need to install this add-on on Amazon EKS Auto Mode clusters. Auto Mode includes a block storage capability. For more information, see Deploy a sample stateful workload to EKS Auto Mode.
The Amazon EKS add-on name is aws-ebs-csi-driver.
Required IAM permissions
This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts. The permissions in the AmazonEBSCSIDriverPolicy AWS managed policy are required. You can create an IAM role and attach the managed policy to it with the following command. Replace my-cluster with the name of your cluster and AmazonEKS_EBS_CSI_DriverRole with the name for your role. This command requires that you have eksctl.

```bash
eksctl create iamserviceaccount \
    --name ebs-csi-controller-sa \
    --namespace kube-system \
    --cluster my-cluster \
    --role-name AmazonEKS_EBS_CSI_DriverRole \
    --role-only \
    --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
    --approve
```
Additional information
To learn more about the add-on, see Use Kubernetes volume storage with Amazon EBS.
Amazon EFS CSI driver
The Amazon EFS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EFS storage for your cluster.
The Amazon EKS add-on name is aws-efs-csi-driver.
Required IAM permissions
This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts. The permissions in the AmazonEFSCSIDriverPolicy AWS managed policy are required. You can create an IAM role and attach the managed policy to it with the following commands. Replace my-cluster with the name of your cluster and AmazonEKS_EFS_CSI_DriverRole with the name for your role. These commands require that you have eksctl.

```bash
export cluster_name=my-cluster
export role_name=AmazonEKS_EFS_CSI_DriverRole
eksctl create iamserviceaccount \
    --name efs-csi-controller-sa \
    --namespace kube-system \
    --cluster $cluster_name \
    --role-name $role_name \
    --role-only \
    --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \
    --approve
TRUST_POLICY=$(aws iam get-role --output json --role-name $role_name --query 'Role.AssumeRolePolicyDocument' | \
    sed -e 's/efs-csi-controller-sa/efs-csi-*/' -e 's/StringEquals/StringLike/')
aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRUST_POLICY"
```
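The trust-policy edit in the commands above swaps the exact service account name for efs-csi-* and StringEquals for StringLike. As an added example (not part of the AWS guide), the following Python applies the same two substitutions to a constructed trust policy and evaluates which service account subjects can assume the role before and after. The account ID, OIDC provider ID, and every service account name other than efs-csi-controller-sa are placeholders chosen for illustration.

```python
import json
import re

# Constructed sample: an IRSA trust policy of the shape the eksctl command creates.
# The account ID and OIDC provider ID are placeholders, not values from the guide.
ISSUER = "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa",
        }},
    }],
}, indent=4)


def apply_page_substitutions(policy_text):
    """Mirror the two sed expressions: replace the first match on each line."""
    lines = []
    for line in policy_text.splitlines():
        line = line.replace("efs-csi-controller-sa", "efs-csi-*", 1)
        line = line.replace("StringEquals", "StringLike", 1)
        lines.append(line)
    return "\n".join(lines)


def iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


MATCHERS = {
    "StringEquals": lambda want, got: want == got,
    "StringLike": iam_string_like,
}


def can_assume(policy_text, subject, audience="sts.amazonaws.com"):
    """True if a token with this sub/aud satisfies an Allow statement.
    Only the two condition operators in MATCHERS are modelled."""
    claims = {f"{ISSUER}:sub": subject, f"{ISSUER}:aud": audience}
    for stmt in json.loads(policy_text)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        satisfied = True
        for operator, conditions in stmt.get("Condition", {}).items():
            match = MATCHERS.get(operator)
            for key, want in conditions.items():
                wants = want if isinstance(want, list) else [want]
                if match is None or not any(match(w, claims.get(key, "")) for w in wants):
                    satisfied = False
        if satisfied:
            return True
    return False


# Constructed subjects; only efs-csi-controller-sa appears in the guide.
SUBJECTS = [
    "system:serviceaccount:kube-system:efs-csi-controller-sa",
    "system:serviceaccount:kube-system:efs-csi-node-sa",
    "system:serviceaccount:kube-system:efs-csi-anything-else",
    "system:serviceaccount:default:efs-csi-controller-sa",
    "system:serviceaccount:kube-system:ebs-csi-controller-sa",
]


def scope_report():
    """Map each subject to (allowed before the edit, allowed after the edit)."""
    after = apply_page_substitutions(BEFORE)
    return {s: (can_assume(BEFORE, s), can_assume(after, s)) for s in SUBJECTS}


if __name__ == "__main__":
    for subject, (before, after) in scope_report().items():
        print(f"{subject:60} before={before!s:5} after={after}")
```

After the edit, any service account in kube-system whose name begins with efs-csi- satisfies the trust policy, while the same name in another namespace does not.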
Additional information
To learn more about the add-on, see Use elastic file system storage with Amazon EFS.
Amazon FSx CSI driver
The Amazon FSx CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon FSx for Lustre storage for your cluster.
The Amazon EKS add-on name is aws-fsx-csi-driver.
Note
- Pre-existing Amazon FSx CSI driver installations in the cluster can cause add-on installation failures. When you attempt to install the Amazon EKS add-on version while a non-EKS FSx CSI Driver exists, the installation will fail due to resource conflicts. Use the OVERWRITE flag during installation to resolve this issue:

  ```bash
  aws eks create-addon --addon-name aws-fsx-csi-driver --cluster-name my-cluster --resolve-conflicts OVERWRITE
  ```

- The Amazon FSx CSI Driver EKS add-on requires the EKS Pod Identity agent for authentication. Without this component, the add-on will fail with the error Amazon EKS Pod Identity agent is not installed in the cluster, preventing volume operations. Install the Pod Identity agent before or after deploying the FSx CSI Driver add-on. For more information, see Set up the Amazon EKS Pod Identity Agent.
Required IAM permissions
This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts. The permissions in the AmazonFSxFullAccess AWS managed policy are required. You can create an IAM role and attach the managed policy to it with the following command. Replace my-cluster with the name of your cluster and AmazonEKS_FSx_CSI_DriverRole with the name for your role. This command requires that you have eksctl.

```bash
eksctl create iamserviceaccount \
    --name fsx-csi-controller-sa \
    --namespace kube-system \
    --cluster my-cluster \
    --role-name AmazonEKS_FSx_CSI_DriverRole \
    --role-only \
    --attach-policy-arn arn:aws:iam::aws:policy/AmazonFSxFullAccess \
    --approve
```
Additional information
To learn more about the add-on, see Use high-performance app storage with Amazon FSx for Lustre.
Mountpoint for Amazon S3 CSI Driver
The Mountpoint for Amazon S3 CSI Driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon S3 storage for your cluster.
The Amazon EKS add-on name is aws-mountpoint-s3-csi-driver.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts.
The IAM role that is created will require a policy that gives access to S3. Follow the Mountpoint IAM permissions recommendations.
You can create an IAM role and attach your policy to it with the following commands. Replace my-cluster with the name of your cluster, region-code with the correct AWS Region code, AmazonEKS_S3_CSI_DriverRole with the name for your role, and AmazonEKS_S3_CSI_DriverRole_ARN with the role ARN. These commands require that you have eksctl.

```bash
CLUSTER_NAME=my-cluster
REGION=region-code
ROLE_NAME=AmazonEKS_S3_CSI_DriverRole
POLICY_ARN=AmazonEKS_S3_CSI_DriverRole_ARN
eksctl create iamserviceaccount \
    --name s3-csi-driver-sa \
    --namespace kube-system \
    --cluster $CLUSTER_NAME \
    --attach-policy-arn $POLICY_ARN \
    --approve \
    --role-name $ROLE_NAME \
    --region $REGION \
    --role-only
```
Additional information
To learn more about the add-on, see Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver.
CSI snapshot controller
The Container Storage Interface (CSI) snapshot controller enables the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver.
The Amazon EKS add-on name is snapshot-controller.
Required IAM permissions
This add-on doesn’t require any permissions.
Additional information
To learn more about the add-on, see Enable snapshot functionality for CSI volumes.
Amazon SageMaker HyperPod task governance
SageMaker HyperPod task governance is a robust management system designed to streamline resource allocation and ensure efficient utilization of compute resources across teams and projects for your Amazon EKS clusters. This provides administrators with the capability to set:
- Priority levels for various tasks
- Compute allocation for each team
- How each team lends and borrows idle compute
- If a team preempts their own tasks
HyperPod task governance also provides Amazon EKS cluster Observability, offering real-time visibility into cluster capacity. This includes compute availability and usage, team allocation and utilization, and task run and wait time information, setting you up for informed decision-making and proactive resource management.
The Amazon EKS add-on name is amazon-sagemaker-hyperpod-taskgovernance.
Required IAM permissions
This add-on doesn’t require any permissions.
Additional information
To learn more about the add-on, see SageMaker HyperPod task governance.
Amazon SageMaker HyperPod Observability Add-on
The Amazon SageMaker HyperPod Observability Add-on provides comprehensive monitoring and observability capabilities for HyperPod clusters. This add-on automatically deploys and manages essential monitoring components including node exporter, DCGM exporter, kube-state-metrics, and EFA exporter. It collects and forwards metrics to a customer-designated Amazon Managed Prometheus (AMP) instance and exposes an OTLP endpoint for custom metrics and event ingestion from customer training jobs.
The add-on integrates with the broader HyperPod ecosystem by scraping metrics from various components including HyperPod Task Governance add-on, HyperPod Training Operator, Kubeflow, and KEDA. All collected metrics are centralized in Amazon Managed Prometheus, enabling customers to achieve a unified observability view through Amazon Managed Grafana dashboards. This provides end-to-end visibility into cluster health, resource utilization, and training job performance across the entire HyperPod environment.
The Amazon EKS add-on name is amazon-sagemaker-hyperpod-observability.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts. The following managed policies are required:
- AmazonPrometheusRemoteWriteAccess - for remote writing metrics from the cluster to AMP
- CloudWatchAgentServerPolicy - for remote writing the logs from the cluster to CloudWatch
Additional information
To learn more about the add-on and its capabilities, see SageMaker HyperPod Observability.
Amazon SageMaker HyperPod training operator
The Amazon SageMaker HyperPod training operator helps you accelerate generative AI model development by efficiently managing distributed training across large GPU clusters. It introduces intelligent fault recovery, hang job detection, and process-level management capabilities that minimize training disruptions and reduce costs. Unlike traditional training infrastructure that requires complete job restarts when failures occur, this operator implements surgical process recovery to keep your training jobs running smoothly.
The operator also works with HyperPod’s health monitoring and observability functions, providing real-time visibility into training execution and automatic monitoring of critical metrics like loss spikes and throughput degradation. You can define recovery policies through simple YAML configurations without code changes, allowing you to quickly respond to and recover from unrecoverable training states. These monitoring and recovery capabilities work together to maintain optimal training performance while minimizing operational overhead.
The Amazon EKS add-on name is amazon-sagemaker-hyperpod-training-operator.
For more information, see Using the HyperPod training operator in the Amazon SageMaker Developer Guide.
Required IAM permissions
This add-on requires IAM permissions, and uses EKS Pod Identity. AWS suggests the AmazonSageMakerHyperPodTrainingOperatorAccess managed policy.
For more information, see Installing the training operator in the Amazon SageMaker Developer Guide.
Additional information
To learn more about the add-on, see SageMaker HyperPod training operator.
AWS Network Flow Monitor Agent
The Amazon CloudWatch Network Flow Monitor Agent is a Kubernetes application that collects TCP connection statistics from all nodes in a cluster and publishes network flow reports to Amazon CloudWatch Network Flow Monitor Ingestion APIs.
The Amazon EKS add-on name is aws-network-flow-monitoring-agent.
Required IAM permissions
This add-on does require IAM permissions.
You need to attach the CloudWatchNetworkFlowMonitorAgentPublishPolicy managed policy to the add-on.
For more information on the required IAM setup, see IAM Policy.
For more information about the managed policy, see CloudWatchNetworkFlowMonitorAgentPublishPolicy in the Amazon CloudWatch User Guide.
Additional information
To learn more about the add-on, see the Amazon CloudWatch Network Flow Monitor Agent GitHub repo.
Node monitoring agent
The node monitoring agent Amazon EKS add-on can detect additional node health issues. These extra health signals can also be leveraged by the optional node auto repair feature to automatically replace nodes as needed.
Note
You do not need to install this add-on on Amazon EKS Auto Mode clusters. For more information, see Considerations for Amazon EKS Auto Mode.
The Amazon EKS add-on name is eks-node-monitoring-agent.
Required IAM permissions
This add-on doesn’t require additional permissions.
Additional information
For more information, see Enable node auto repair and investigate node health issues.
AWS Distro for OpenTelemetry
The AWS Distro for OpenTelemetry Amazon EKS add-on is a secure, production-ready, AWS supported distribution of the OpenTelemetry project. For more information, see AWS Distro for OpenTelemetry.
The Amazon EKS add-on name is adot.
Required IAM permissions
This add-on only requires IAM permissions if you’re using one of the preconfigured custom resources that can be opted into through advanced configuration.
Additional information
For more information, see Getting Started with AWS Distro for OpenTelemetry using EKS Add-Ons.
ADOT requires that the cert-manager add-on is deployed on the cluster as a prerequisite, otherwise this add-on won’t work if deployed directly using the cluster_addons property of the https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest Terraform module. For more requirements, see Requirements for Getting Started with AWS Distro for OpenTelemetry using EKS Add-Ons.
Amazon GuardDuty agent
The Amazon GuardDuty agent Amazon EKS add-on collects runtime events (file access, process execution, network connections) from your EKS cluster nodes for analysis by GuardDuty Runtime Monitoring. GuardDuty itself (not the agent) is the security monitoring service that analyzes and processes foundational data sources including AWS CloudTrail management events and Amazon VPC flow logs, as well as features, such as Kubernetes audit logs and runtime monitoring.
The Amazon EKS add-on name is aws-guardduty-agent.
Required IAM permissions
This add-on doesn’t require any permissions.
Additional information
For more information, see Runtime Monitoring for Amazon EKS clusters in Amazon GuardDuty.
- To detect potential security threats in your Amazon EKS clusters, enable Amazon GuardDuty runtime monitoring and deploy the GuardDuty security agent to your Amazon EKS clusters.
Amazon CloudWatch Observability agent
The Amazon CloudWatch Observability agent Amazon EKS add-on is the monitoring and observability service provided by AWS. This add-on installs the CloudWatch Agent and enables both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS. For more information, see Amazon CloudWatch Agent.
The Amazon EKS add-on name is amazon-cloudwatch-observability.
Required IAM permissions
This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see IAM roles for service accounts. The permissions in the AWSXrayWriteOnlyAccess and CloudWatchAgentServerPolicy AWS managed policies are required. Replace my-cluster with the name of your cluster and AmazonEKS_Observability_Role with the name for your role. This command requires that you have eksctl.

```bash
eksctl create iamserviceaccount \
    --name cloudwatch-agent \
    --namespace amazon-cloudwatch \
    --cluster my-cluster \
    --role-name AmazonEKS_Observability_Role \
    --role-only \
    --attach-policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \
    --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
    --approve
```
Additional information
For more information, see Install the CloudWatch agent.
AWS Private CA Connector for Kubernetes
The AWS Private CA Connector for Kubernetes is an add-on for cert-manager that enables users to obtain Certificates from AWS Private Certificate Authority (AWS Private CA).
- The Amazon EKS add-on name is aws-privateca-connector-for-kubernetes.
- The add-on namespace is aws-privateca-issuer.
This add-on requires cert-manager. cert-manager is available on Amazon EKS as a community add-on. For more information about this add-on, see Cert Manager. For more information about installing add-ons, see Create an Amazon EKS add-on.
Required IAM permissions
This add-on requires IAM permissions.
Use EKS Pod Identities to attach the AWSPrivateCAConnectorForKubernetesPolicy IAM Policy to the aws-privateca-issuer Kubernetes Service Account. For more information, see Use Pod Identities to assign an IAM role to an Amazon EKS add-on.
For information about the required permissions, see AWSPrivateCAConnectorForKubernetesPolicy in the AWS Managed Policy Reference.
Additional information
For more information, see the AWS Private CA Issuer for Kubernetes GitHub repository.
For more information about configuring the add-on, see values.yaml in the aws-privateca-issuer GitHub repo. Confirm the version of values.yaml matches the version of the add-on installed on your cluster.
This add-on tolerates the CriticalAddonsOnly taint used by the system NodePool of EKS Auto Mode. For more information, see Run critical add-ons on dedicated instances.
EKS Pod Identity Agent
The Amazon EKS Pod Identity Agent Amazon EKS add-on provides the ability to manage credentials for your applications, similar to the way that EC2 instance profiles provide credentials to EC2 instances.
Note
You do not need to install this add-on on Amazon EKS Auto Mode clusters. Amazon EKS Auto Mode integrates with EKS Pod Identity. For more information, see Considerations for Amazon EKS Auto Mode.
The Amazon EKS add-on name is eks-pod-identity-agent.
Required IAM permissions
The Pod Identity Agent add-on itself does not require an IAM role. It uses permissions from the Amazon EKS node IAM role to function, but does not need a dedicated IAM role for the add-on.
Update information
You can only update one minor version at a time. For example, if your current version is 1.28.x-eksbuild.y and you want to update to 1.30.x-eksbuild.y, then you must update your current version to 1.29.x-eksbuild.y and then update it again to 1.30.x-eksbuild.y. For more information about updating the add-on, see Update an Amazon EKS add-on.
SR-IOV Network Metrics Exporter
The SR-IOV Network Metrics Exporter Amazon EKS add-on collects and exposes metrics about SR-IOV network devices in Prometheus format. It enables monitoring of SR-IOV network performance on EKS bare metal nodes. The exporter runs as a DaemonSet on nodes with SR-IOV-capable network interfaces and exports metrics that can be scraped by Prometheus.
Note
This add-on requires nodes with SR-IOV-capable network interfaces.
| Property | Value |
|---|---|
| Add-on name | |
| Namespace | |
| Documentation | |
| Service account name | None |
| Managed IAM policy | None |
| Custom IAM permissions | None |