Migrate to Amazon EKS Add-ons

Amazon Elastic Kubernetes Service (Amazon EKS) released support for operational cluster add-on software, or Amazon EKS add-ons, around Kubernetes version 1.19 in May 2021. These include:

  • Amazon VPC CNI plugin for Kubernetes
  • CoreDNS
  • Kube-proxy
  • Amazon EBS CSI driver (Follow this guide to install the EBS CSI driver)

These services, like Amazon VPC CNI and CoreDNS, are likely already installed on your Amazon EKS cluster. However, you may not have the Amazon EKS type of the add-on installed on your cluster:

If you create a cluster with the AWS Management Console, the Amazon EKS kube-proxy, Amazon VPC CNI plugin for Kubernetes, and CoreDNS Amazon EKS add-ons are automatically added to your cluster. If you use eksctl to create your cluster with a config file, eksctl can also create the cluster with Amazon EKS add-ons. If you create your cluster [...] with any other tool, the self-managed kube-proxy, Amazon VPC CNI plugin for Kubernetes, and CoreDNS add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation.

We used AWS CloudFormation to provision our Amazon EKS cluster, with a template that does not manage add-ons (yet), so the self-managed add-ons are installed. This guide documents how to migrate to the Amazon EKS type of add-ons.

Introduction

  1. First, install the eksctl command line tool. If you're on an Apple Silicon Mac like me, you can run the following:
     curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_Darwin_arm64.tar.gz" | tar xz -C /tmp
     sudo mv /tmp/eksctl /usr/local/bin
  2. Define your cluster name, region, and account ID variables:
     export CLUSTER=caktus-saguaro-cluster
     export AWS_REGION=us-east-1
     export AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq --raw-output ".Account")
     export ENV=Production
  3. Create an IAM OIDC Provider:
     eksctl utils associate-iam-oidc-provider --cluster $CLUSTER --approve
     aws eks describe-cluster --region $AWS_REGION --name $CLUSTER --output json | grep issuer

Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on

Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on is a Kubernetes container network interface (CNI) plugin that provides native VPC networking for your cluster. The following guide is adapted from Working with the Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on.

  1. See which version of the service is installed on your cluster:
     kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3

     You should see output like this:

     v1.11.4-eksbuild.1
  2. You shouldn't have the add-on installed yet, but try to describe it first to confirm.
     aws eks describe-addon --cluster-name $CLUSTER --addon-name vpc-cni --query addon.addonVersion --output text

     You should see an error like:

     An error occurred (ResourceNotFoundException) when calling the DescribeAddon operation: No addon: vpc-cni found in cluster: ...
  3. As a precaution, save the configuration of your currently installed add-on:
     kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml
  4. Create an IAM role with the AmazonEKS_CNI_Policy IAM policy bound to a service account:
     eksctl create iamserviceaccount \
       --name aws-node \
       --namespace kube-system \
       --cluster $CLUSTER \
       --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
       --approve \
       --role-only \
       --role-name "AmazonEKSVPCCNIRole-${ENV}"
  5. Create the add-on:
     aws eks create-addon \
       --cluster-name $CLUSTER \
       --addon-name vpc-cni \
       --service-account-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/AmazonEKSVPCCNIRole-${ENV} \
       --resolve-conflicts OVERWRITE
  6. Finally, watch the status of the add-on and wait for it to be ACTIVE:
     eksctl get addon --name vpc-cni --cluster $CLUSTER
  7. Update the add-on to the version returned under UPDATE AVAILABLE in the output of the previous step. For example:
     aws eks update-addon \
       --addon-name vpc-cni \
       --addon-version v1.12.6-eksbuild.2 \
       --cluster-name $CLUSTER \
       --service-account-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/AmazonEKSVPCCNIRole-${ENV}
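
The role created with eksctl create iamserviceaccount above carries AmazonEKS_CNI_Policy, so its trust policy should let only the kube-system/aws-node service account assume it through this cluster's OIDC provider. The check below is an added example, not part of the original post: it takes the role's trust policy JSON and confirms that scoping. The function names, the sample policy and its account and OIDC IDs are constructed placeholders, and it requires jq.

```shell
#!/usr/bin/env bash
# Added example: confirm an IRSA role is assumable by exactly one service account.
# Real use (needs AWS credentials):
#   ISSUER=$(aws eks describe-cluster --name "$CLUSTER" \
#     --query cluster.identity.oidc.issuer --output text | sed 's|^https://||')
#   POLICY=$(aws iam get-role --role-name "AmazonEKSVPCCNIRole-${ENV}" \
#     --query Role.AssumeRolePolicyDocument --output json)
#   irsa_trust_ok "$POLICY" "$ISSUER" kube-system aws-node && echo "trust policy is scoped"

# irsa_trust_ok POLICY_JSON ISSUER NAMESPACE SERVICE_ACCOUNT
# Returns 0 only if every Allow statement in the trust policy is a
# sts:AssumeRoleWithWebIdentity grant to this cluster's OIDC provider that pins
# both :sub and :aud with StringEquals. Anything broader fails the check.
irsa_trust_ok() {
  printf '%s' "$1" | jq -e --arg iss "$2" --arg sub "system:serviceaccount:$3:$4" '
    [ .Statement[] | select(.Effect == "Allow") ] as $allow
    | ($allow | length) > 0
      and ($allow | all(
        ([.Action] | flatten) == ["sts:AssumeRoleWithWebIdentity"]
        and ((.Principal.Federated?) // "" | tostring
             | endswith(":oidc-provider/" + $iss))
        and .Condition.StringEquals[$iss + ":sub"] == $sub
        and .Condition.StringEquals[$iss + ":aud"] == "sts.amazonaws.com"))
  ' >/dev/null
}

# Constructed sample: placeholder account ID and OIDC ID, shaped like a scoped policy.
SAMPLE_ISSUER="oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000000000000000000000000"
sample_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/${SAMPLE_ISSUER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${SAMPLE_ISSUER}:aud": "sts.amazonaws.com",
      "${SAMPLE_ISSUER}:sub": "system:serviceaccount:kube-system:aws-node"
    }}
  }]
}
EOF
}
```

A policy that matches with StringLike and a wildcard, or that omits the :sub condition, fails this check because any service account in the cluster could then assume the role.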

CoreDNS Amazon EKS add-on

CoreDNS is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. The following guide is adapted from Working with the CoreDNS Amazon EKS add-on.

  1. See which version of the add-on is installed on your cluster.
     kubectl describe deployment coredns --namespace kube-system | grep coredns: | cut -d : -f 3

     You should see output like this:

     v1.8.7-eksbuild.3
  2. As a precaution, save the configuration of your currently installed add-on:
     kubectl get deployment coredns -n kube-system -o yaml > aws-k8s-coredns-old.yaml
  3. Create the add-on:
     aws eks create-addon \
       --cluster-name $CLUSTER \
       --addon-name coredns \
       --resolve-conflicts OVERWRITE
  4. Check the current version of your add-on:
     eksctl get addon --name coredns --cluster $CLUSTER
  5. Update the add-on to the version returned under UPDATE AVAILABLE in the output of the previous step. For example:
     aws eks update-addon \
       --addon-name coredns \
       --addon-version v1.9.3-eksbuild.3 \
       --cluster-name $CLUSTER

Kube-proxy Amazon EKS add-on

Kube-proxy maintains network rules on each Amazon EC2 node and enables network communication to your Pods. The following guide is adapted from Working with the CoreDNS Amazon EKS add-on.

  1. See which version of the add-on is installed on your cluster.
     kubectl describe daemonset kube-proxy -n kube-system | grep Image
  2. As a precaution, save the configuration of your currently installed add-on:
     kubectl get daemonset kube-proxy -n kube-system -o yaml > aws-k8s-kube-proxy-old.yaml
  3. Create the add-on:
     aws eks create-addon \
       --cluster-name $CLUSTER \
       --addon-name kube-proxy \
       --resolve-conflicts OVERWRITE
  4. Check the current version:
     eksctl get addon --name kube-proxy --cluster $CLUSTER
  5. Update the add-on to the version returned under UPDATE AVAILABLE in the output of the previous step. For example:
     aws eks update-addon \
       --addon-name kube-proxy \
       --addon-version v1.25.9-eksbuild.1 \
       --cluster-name $CLUSTER
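
Each section above saves the live manifest before running create-addon with --resolve-conflicts OVERWRITE, which replaces settings you changed with the Amazon EKS defaults. As an added example (not from the original post), the script below compares a snapshot taken before the migration with one taken after and lists the container environment settings that were dropped or changed. The function names and sample manifests are constructed, and it assumes the snapshots were saved with -o json and that jq is installed.

```shell
#!/usr/bin/env bash
# Added example: list container env settings that an add-on install with
# --resolve-conflicts OVERWRITE removed or changed. Assumes JSON snapshots, e.g.
#   kubectl get daemonset aws-node -n kube-system -o json > before.json  # before create-addon
#   kubectl get daemonset aws-node -n kube-system -o json > after.json   # once ACTIVE
#   overwritten_settings before.json after.json aws-node

# container_env MANIFEST.json CONTAINER
# Prints sorted NAME=VALUE lines for the named container's env list.
container_env() {
  jq -r --arg c "$2" '
    .spec.template.spec.containers[] | select(.name == $c)
    | (.env // [])[] | "\(.name)=\(.value // "<valueFrom>")"' "$1" | sort
}

# overwritten_settings BEFORE.json AFTER.json CONTAINER
# Prints each setting from BEFORE that is missing or has a different value in AFTER.
overwritten_settings() {
  before=$(mktemp); after=$(mktemp)
  container_env "$1" "$3" > "$before"
  container_env "$2" "$3" > "$after"
  comm -23 "$before" "$after"   # lines present only in the pre-migration snapshot
  rm -f "$before" "$after"
}

# Constructed sample manifests, trimmed to the fields the functions read.
write_samples() {  # write_samples DIR
  cat > "$1/before.json" <<'EOF'
{"spec":{"template":{"spec":{"containers":[{"name":"aws-node","env":[
  {"name":"WARM_IP_TARGET","value":"5"},
  {"name":"AWS_VPC_K8S_CNI_EXTERNALSNAT","value":"true"}]}]}}}}
EOF
  cat > "$1/after.json" <<'EOF'
{"spec":{"template":{"spec":{"containers":[{"name":"aws-node","env":[
  {"name":"AWS_VPC_K8S_CNI_EXTERNALSNAT","value":"false"}]}]}}}}
EOF
}
```

The same comparison works for the coredns Deployment and the kube-proxy DaemonSet by passing their container names.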

By following the steps outlined in this guide, you can ensure that your Amazon EKS cluster is equipped with the appropriate add-ons, allowing you to leverage the full potential of the services offered by Amazon Elastic Kubernetes Service. With the support of operational cluster add-on software, users can enhance their cluster's performance, security, and functionality, ultimately contributing to a more efficient and effective Kubernetes environment.
