EKS Add-Ons is a new feature that lets you enable and manage Kubernetes operational software for your AWS EKS clusters. At launch, EKS add-ons supports controlling the launch and version of the AWS VPC CNI plugin through the EKS API.
You can specify what addons you want and what policies (if required) to attach to them in your config file:
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: example-cluster
  region: us-west-2
  version: "1.20"

iam:
  withOIDC: true

addons:
- name: vpc-cni
  version: 1.7.5 # optional
  attachPolicyARNs: # optional
  - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
  serviceAccountRoleARN: arn:aws:iam::aws:policy/AmazonEKSCNIAccess # optional
  tags: # optional
    team: eks
  attachPolicy: # optional
    Statement:
    - Effect: Allow
      Action:
      - ec2:AssignPrivateIpAddresses
      - ec2:AttachNetworkInterface
      - ec2:CreateNetworkInterface
      - ec2:DeleteNetworkInterface
      - ec2:DescribeInstances
      - ec2:DescribeTags
      - ec2:DescribeNetworkInterfaces
      - ec2:DescribeInstanceTypes
      - ec2:DetachNetworkInterface
      - ec2:ModifyNetworkInterfaceAttribute
      - ec2:UnassignPrivateIpAddresses
      Resource: '*'
You can specify at most one of
If none of these are specified, the addon will be created with a role that has all recommended policies attached.
In order to attach policies to addons, your cluster must have OIDC enabled. If it's not enabled, we ignore any policies.
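A pre-flight check for the rules above, as an added example (not eksctl's own code). `lint_addons` is a hypothetical helper that takes the config already parsed into a dict; it assumes the three policy fields shown in the config are the ones "at most one of" refers to, and the sample configs are constructed.

```python
import re

# Assumption: the "at most one of" rule covers these three addon fields.
POLICY_FIELDS = ("attachPolicyARNs", "serviceAccountRoleARN", "attachPolicy")
# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<name>
ROLE_ARN = re.compile(r"^arn:aws(-[a-z]+)*:iam::\d{12}:role/.+$")


def lint_addons(config):
    """Return findings for the addons of a parsed eksctl ClusterConfig dict."""
    findings = []
    oidc = (config.get("iam") or {}).get("withOIDC") is True
    for addon in config.get("addons") or []:
        name = addon.get("name", "<unnamed>")
        used = [f for f in POLICY_FIELDS if addon.get(f)]
        if len(used) > 1:
            findings.append(f"{name}: set only one of {', '.join(used)}")
        if used and not oidc:
            findings.append(f"{name}: iam.withOIDC is not true, policies are ignored")
        role = addon.get("serviceAccountRoleARN")
        if role and not ROLE_ARN.match(role):
            findings.append(f"{name}: serviceAccountRoleARN is not a role ARN: {role}")
    return findings


# Constructed sample: same policy fields as the config above, all set at once.
PAGE_LIKE = {
    "iam": {"withOIDC": True},
    "addons": [{
        "name": "vpc-cni",
        "attachPolicyARNs": ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
        "serviceAccountRoleARN": "arn:aws:iam::aws:policy/AmazonEKSCNIAccess",
        "attachPolicy": {"Statement": [{"Effect": "Allow",
                                        "Action": ["ec2:DescribeTags"],
                                        "Resource": "*"}]},
    }],
}
# Constructed sample: one policy field, but OIDC left disabled.
NO_OIDC = {
    "iam": {"withOIDC": False},
    "addons": [{"name": "vpc-cni", "attachPolicyARNs":
                ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"]}],
}

if __name__ == "__main__":
    for label, cfg in (("page-like", PAGE_LIKE), ("no-oidc", NO_OIDC)):
        for finding in lint_addons(cfg):
            print(f"[{label}] {finding}")
```

Running it in CI before `eksctl create cluster -f config.yaml` surfaces a disabled OIDC setting before the policies are dropped at creation time.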
You can then either have these addons created during the cluster creation process:
eksctl create cluster -f config.yaml
Or you can create them after cluster creation using the config file or CLI flags:
eksctl create addon -f config.yaml
eksctl create addon --cluster <cluster-name> --name vpc-cni --version 1.7.5 --service-account-role-arn=<role-arn>
Listing enabled addons
You can see what addons are enabled in your cluster by running:
eksctl get addons --cluster <cluster-name>
Setting the addon's version
Setting the version of the addon is optional. If the version field is empty in the request sent by eksctl, the EKS API will set it to the default version for that specific addon. More information about which version is the default version for specific addons can be found in the AWS documentation about EKS. Note that the default version might not necessarily be the latest version available.
The addon version can be set to latest. Alternatively, the version can be set with the EKS build tag specified, such as v1.7.5-eksbuild.2. It can also be set to the release version of the addon, such as 1.7.5, and the eksbuild suffix tag will be discovered and set for you.
See the section below on how to discover available addons and their versions.
You can discover what addons are available to install on your cluster by running:
eksctl utils describe-addon-versions --cluster <cluster-name>
This will discover your cluster's Kubernetes version and filter on that. Alternatively, if you want to see what addons are available for a particular Kubernetes version, you can run:
eksctl utils describe-addon-versions --kubernetes-version <version>
You can update your addons to newer versions and change what policies are attached by running:
eksctl update addon -f config.yaml
eksctl update addon --cluster <cluster-name> --name vpc-cni --version 1.8.0 --service-account-role-arn=<new-role>
You can delete an addon by running:
eksctl delete addon --cluster <cluster-name> --name <addon-name>
When you delete your cluster, all IAM roles associated with addons are also deleted.