AWS EKS Required Add-Ons: A Comprehensive Guide

AWS EKS Required Add-Ons: A Comprehensive Guide

Table of Contents

Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes service that simplifies the process of deploying, managing, and scaling containerized applications. To ensure optimal functionality and performance, EKS relies on several essential add-ons.

In this article, we’ll explore three crucial EKS add-ons: AWS VPC CNI , Kube-proxy , and CoreDNS. We’ll delve into what they are, how they work, why they’re indispensable for your EKS cluster, and when they became required components.

The Shift to Required Add-Ons

Before we dive into each add-on, it’s important to understand why these components became required for EKS. In Kubernetes version 1.21, the Kubernetes community began the process of removing in-tree cloud provider code. This decision was made to improve the maintainability of Kubernetes and to allow cloud providers to develop and update their integrations independently of the Kubernetes release cycle.

As a result, functionality that was previously built into Kubernetes needed to be replaced by external components. For EKS, this meant that certain add-ons became required to maintain full functionality. AWS began this transition in 2022, with the process continuing through 2023 and beyond.

AWS VPC CNI:

How does VPC CNI works

The AWS VPC CNI is a networking plugin for Kubernetes that allows Kubernetes pods to have the same IP address inside the pod as they do on the VPC network.

How does it work?

1. IP Address Management : When a pod is scheduled, the CNI plugin allocates an IP address from the VPC’s IP address pool and assigns it to the pod.
2. Network Interface Creation : It creates and attaches an elastic network interface (ENI) to the EC2 instance if needed to support the pod’s networking requirements.
3. Route Configuration : The plugin configures routes on the host to direct traffic to the correct pods.
4. Pod Networking : It sets up the necessary networking within the pod, including creating virtual ethernet (veth) pairs and configuring namespaces.

It requires an IRSA IAM role for it to function properly (refer to this guide for more details)

How to install it ?

  1. Make sure you have an AWS Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster (Refer to this guide to determine whether you already have one, or to create one, see Create an IAM OIDC provider for your cluster )
  2. Create an IAM role with the AmazonEKS_CNI_Policy IAM policy (use the IPv6 policy if your cluster uses the IPv6 family) attached to it. (Refer to this guide for more information)

Why is it important?

- Enables native VPC networking for pods
- Provides better performance compared to overlay networks
- Allows for easier integration with other AWS services
- Supports security groups at the pod level

When did it become required?

The AWS VPC CNI has been a critical component of EKS since its launch. However, it became an official required add-on as part of AWS’s response to the removal of in-tree cloud provider code in Kubernetes.

AWS EKS Add-ons

Kube proxy:

Kube-proxy is a network proxy that runs on each node in the Kubernetes cluster. It’s responsible for maintaining network rules that allow communication to and from pods.

1 — How does it work?

1. Service Discovery : Kube-proxy watches the Kubernetes API server for changes to Service and Endpoint objects.
2. iptables Rules : Based on these changes, it updates iptables rules on each node to route traffic to the appropriate pods.
3. Load Balancing : For services with multiple pods, kube-proxy implements simple round-robin load balancing.
4. NodePort and LoadBalancer Services : It manages the necessary rules for these service types, allowing external access to services.

2 — How to install it ?

It should be installed on a newly created EKS cluster and if not you can either install it from the EKS UI (Add-ons tab) or with the CLI (refer to this guide for more details)

3 — Why is it important?

- Enables the Kubernetes Service abstraction
- Provides load balancing for pod-to-pod communication
- Manages network rules for cluster-wide communication
- Essential for implementing Kubernetes networking model

4 — When did it become required?

For EKS, it became an official required add-on aligning with the broader industry move towards externalized cloud provider functionality.

CoreDNS

1 — What is it?

CoreDNS is a flexible, extensible DNS server that serves as the cluster DNS in Kubernetes. It’s responsible for service discovery within the cluster.

2 — How does it work?

1. DNS Resolution : CoreDNS runs as a pod (usually replicated) in the kube-system namespace.
2. Service Records : It creates DNS records for Kubernetes services, allowing pods to discover and communicate with each other using domain names.
3. Pod DNS : CoreDNS also manages DNS for individual pods, if configured.
4. Plugins : CoreDNS uses a plugin architecture, allowing for easy extension and customization of its functionality.

3 — How to install it ?

It should be installed on a newly created EKS cluster and if not you can either install it from the EKS UI (Add-ons tab) or with the CLI (refer to this guide for more details)

4 — Why is it important?

- Enables service discovery within the cluster
- Allows pods to communicate using human-readable names instead of IP addresses
- Supports DNS-based load balancing
- Can be extended to integrate with external DNS systems or provide custom DNS functionality

5 — When did it become required?

For EKS, it became an official required add-on as part of the broader transition to externalized cloud provider functionality.

Conclusion

AWS VPC CNI, Kube-proxy, and CoreDNS are essential add-ons that work together to provide networking, service discovery, and name resolution capabilities in an EKS cluster. Their transition to required add-ons reflects the broader changes in the Kubernetes ecosystem, moving towards more modular and cloud- agnostic core functionality.

AWS EKS Required Add-Ons: A Comprehensive Guide was originally published in AWS Morocco on Medium, where people are continuing the conversation by highlighting and responding to this story.

Tags :
Share :

Related Posts

Exploring Steampipe for Terraform Drift Detection

Exploring Steampipe for Terraform Drift Detection

In Terraform, drift detection helps spot any mismatches between the infrastructure you’ve outlined in your code and what’s actually out there running in your cloud accounts. This is super important for keeping your Infrastructure as Code (IaC) practices on point, making sure everything is consistent, efficient, and secure. Steampipe, which is an open-source tool, takes this a step further by letting you run real-time SQL queries on your infrastructure data. When you bring Steampipe into the mix, you get a clearer picture and more control over your setup, making it easier to keep your code and infrastructure in sync and strengthening your IaC game.

Read More
Do Pods Really Get Evicted Due to CPU Pressure?

Do Pods Really Get Evicted Due to CPU Pressure?

As Kubernetes administrators and developers, we’ve all heard the notion that pods can get evicted due to high CPU pressure on a node. But is this really true? Let’s explore this idea and put it to the test. 1 — Understanding Pod Eviction and CPU Management In Kubernetes, pod eviction is the process of removing one or more pods from a node in order to reclaim resources. This can happen for various reasons, such as:

Read More
Monitoring Kubernetes with Prometheus and Alertmanager: Setting Up Alerts with Slack Integration

Monitoring Kubernetes with Prometheus and Alertmanager: Setting Up Alerts with Slack Integration

Photo by Sigmund on Unsplash In this tutorial, we will learn how to set up Prometheus rules and configure Alertmanager to send alerts to a Slack channel. Prometheus is a popular monitoring and alerting solution in the Kubernetes ecosystem, while Alertmanager handles alert management and routing. By integrating with Slack, you can receive real-time notifications for any issues or anomalies in your Kubernetes cluster. Let’s get started 👨🏻‍💻! Table of Contents: Prerequisites Setting Up Prometheus Rules Configuring Alertmanager Integrating with Slack Testing the Setup Conclusion 🚦Prerequisites: Access to a Kubernetes cluster Prometheus and Alertmanager installed in the cluster Basic knowledge of Kubernetes and YAML syntax 1 — Setting Up Prometheus Rules : Prometheus rules define conditions for generating alerts based on metrics collected by Prometheus. In this example, we will create a PrometheusRule resource named z4ck404-alerts in the monitoring namespace.

Read More