This post was jointly authored by Elizabeth Fuentes (Developer Advocate), Ikenna Izugbokwe (Principal SA), and Steven David (Principal SA). 

Amazon Elastic Kubernetes Service (Amazon EKS) provides add-ons that streamline supporting operational capabilities for Kubernetes applications. Still, customers rely on a wide range of Kubernetes add-ons to run their containerized applications. These add-ons come from different sources such as Amazon Web Services (AWS), AWS Partners, and the open-source community, each bringing specialized expertise to solve specific user problems. However, to consume these, customers must discover various sources, navigate multiple deployment tools, manage separate update workflows, and monitor disparate interfaces. This fragmented approach increases operational overhead and misconfiguration risks.

We are announcing the community add-ons catalog, which streamlines cluster operations by integrating popular community add-ons through native AWS management. It broadens the choice of add-ons that users can install to their cluster directly using the Amazon EKS console, AWS software development kit (SDK), AWS Command Line Interface (AWS CLI), or infrastructure as code (IaC) tools such as AWS CloudFormation.

The Amazon EKS community add-ons catalog provides an integration directly to the open source ecosystem of tools and solutions through familiar Amazon EKS interfaces. This allows teams to deploy add-ons that have been packaged, scanned, and validated for version compatibility by Amazon EKS using the same console and APIs that they already know.

Amazon EKS supports the lifecycle of these add-ons, and for core functionality support you can continue to engage with the open source community through respective project resources, maintaining your connection to the Kubernetes ecosystem.

The community add-on catalog includes essential cluster capabilities such as metrics-server, kube-state-metrics, prometheus-node-exporter, cert-manager, and external-dns. These add-ons represent core operational components that most production Kubernetes clusters need for monitoring, security, and network management.

  • Metrics-server: Collects CPU and memory usage from Kubernetes nodes and pods. Powers features such as Horizontal Pod Autoscaling (HPA) and the "kubectl top" command. Critical for resource optimization and performance monitoring.
  • Kube-state-metrics: Generates metrics about the state of Kubernetes objects such as deployments, nodes, and pods. Provides essential observability data about cluster health and operational status. Used for comprehensive monitoring solutions, capacity planning, and alerting based on cluster state changes. This integrates with Amazon Managed Service for Prometheus for scalable, managed metrics storage and querying.
  • Prometheus-node-exporter: Collects detailed metrics about the underlying host system such as CPU, memory, disk, and network statistics. Fundamental building block for comprehensive cluster monitoring, providing deep insights into node performance and health. You can use Amazon Managed Service for Prometheus, enabling automated scraping and long-term metrics retention without managing the Prometheus infrastructure.
  • Cert-manager: Automates the management and issuance of TLS certificates in Kubernetes clusters. Integrates with various certificate authorities to handle certificate requests and revocations. Vital for maintaining secure communications and implementing proper TLS termination in production environments.
  • External-dns: Synchronizes exposed Kubernetes services and ingresses with external DNS providers. Automates DNS record management, thereby eliminating manual DNS configuration. Facilitates service discovery and routing for external-facing applications, which is particularly valuable in dynamic environments.

Community add-ons available through Amazon EKS can be chosen and installed on your cluster. You can install them directly from the Amazon EKS console, SDK, AWS CLI, or IaC tools. Amazon EKS ensures version compatibility with your clusters, helps you manage updates, and maintains consistency across multiple clusters. AWS provides support for lifecycle operations (installation, updates, and removal), while the community supports the underlying functionality through their respective project channels.

Getting started with community add-ons in Amazon EKS

You can install a community add-on when you create an EKS cluster, or add a community add-on to an existing EKS cluster through the AWS SDK, AWS CLI, Amazon EKS console, or IaC tools such as CloudFormation.

For this demo, I edit an existing EKS cluster. In the Amazon EKS console, I choose the name of the cluster, as shown in the following figure.

Figure 1: Selecting an existing Amazon EKS cluster to edit

Then, I choose the Add-ons tab and Get more add-ons, as shown in the following figure.

Figure 2: Choosing add-ons from the tab

In the add-ons menu, I go to the bottom where the community add-ons are located, and I choose the add-ons that I want to install. I install two in this demo: Cert Manager automates the management and issuance of TLS certificates, and External DNS automatically manages DNS records for my Kubernetes services and ingresses across various DNS providers, as shown in the following figure.

Figure 3: Selecting add-ons to be installed

In the next step, I can choose the version of each add-on, as shown in the following figure. At the moment there is only one version.

Figure 4: Choosing the correct version of the add-ons

Then I configure access to the add-ons through either EKS Pod Identity or AWS Identity and Access Management (IAM) roles for service accounts (IRSA).

In this case I am going to use EKS Pod Identity. This is the first time that I am doing this for this account, so I want to create a new role. Choose the Create recommended role button, as shown in the following figure.

Figure 5: Configuring access to the add-ons

This loads the pre-configured IAM role creation workflow. In Step 1, I am creating an AWS service entity type role that is intended for the EKS Pod Identity use case. Choose Next to progress the workflow, as shown in the following figure.

Figure 6: Progressing through the access workflow

In Step 2 of the Create recommended role process, I assign permissions. The policy I need assigned to this role is the "arn:aws:iam::aws:policy/AmazonRoute53FullAccess" policy. That policy is already chosen by this workflow process, but I can search for "Route" to visually verify that the selection has been made. Choose Next to continue, as shown in the following figure.

Figure 7: Assigning necessary permissions

The final step of the Create recommended role process is to name, review, and create the role. Everything is pre-filled, and I choose Create Role, as shown in the following figure.

Figure 8: Name, review and create the role

When the role is created, return to the External DNS Community Add-on installation page. The page refreshes and shows the newly created role assigned to the External DNS add-on, as shown in the following figure.

Figure 9: Newly created role assigned to the external DNS add-on

Along with the configuration changes made previously, I can make a wide range of configuration changes in the Optional configuration settings. These can be used to create annotations, labels, and more. For my cluster, choose Next to proceed to the next step.

To finish, on the Review and add page, I can deploy the add-ons to my cluster by choosing the Create button, as shown in the following figure.

Figure 10: Deploying the add-ons to the Amazon EKS cluster

I can check the creation status of the add-ons in the Cluster add-ons dashboard. When an add-on is ready, I can start using it without entering any further commands in the cluster, as shown in the following figure.

Figure 11: Cluster add-ons dashboard showing creation status

Amazon EKS doesn’t automatically update an add-on when new versions are released or after I update my cluster to a new Kubernetes minor version. The Amazon EKS console provides notifications when new versions of the add-ons are ready. When I’m notified, I can update an add-on for an existing cluster by following the Update an Amazon EKS add-on steps.
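
Step 2 of the walkthrough above attaches "arn:aws:iam::aws:policy/AmazonRoute53FullAccess" to the EKS Pod Identity role. The following is an added example, not code from the original post or from Amazon EKS, that audits a role policy against the Route 53 actions external-dns needs. The action list is an assumption taken from the external-dns project's AWS tutorial, and both policy documents and the zone ID EXAMPLEZONEID are constructed samples.

```python
import fnmatch

# Assumption: Route 53 actions external-dns needs, taken from the external-dns
# project's AWS tutorial. Verify against the add-on version you install.
NEEDED = {"route53:ChangeResourceRecordSets", "route53:ListHostedZones",
          "route53:ListResourceRecordSets", "route53:ListTagsForResources"}
# A few real high-impact actions, used to show what a wildcard grant also allows.
PROBE = NEEDED | {"route53:DeleteHostedZone", "route53:CreateHostedZone",
                  "route53domains:TransferDomain"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Compare a policy's Allow statements with what external-dns needs.
    Simplified: Deny, NotAction and Condition are not evaluated."""
    granted, unscoped_writes = set(), set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and accept * and ? wildcards.
            hits = {a for a in PROBE
                    if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            granted |= hits
            if "*" in as_list(stmt.get("Resource", [])):
                # Non-List actions allowed on every resource.
                unscoped_writes |= {a for a in hits
                                    if not a.split(":")[1].startswith("List")}
    return {"missing": sorted(NEEDED - granted),
            "excess": sorted(granted - NEEDED),
            "unscoped_writes": sorted(unscoped_writes)}

# Constructed sample: a wildcard grant of the kind a full-access policy carries.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:*", "route53domains:*"],
     "Resource": "*"}]}

# Constructed sample: scoped policy; EXAMPLEZONEID is a placeholder zone ID.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
     "Resource": "arn:aws:route53:::hostedzone/EXAMPLEZONEID"},
    {"Effect": "Allow", "Action": ["route53:ListHostedZones",
     "route53:ListResourceRecordSets", "route53:ListTagsForResources"],
     "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(policy))
```

An empty "missing" list with non-empty "excess" or "unscoped_writes" means the add-on would work but the role carries more Route 53 access than it uses.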

Get started with community add-ons on Amazon EKS today 

You can start using community add-ons through the Amazon EKS console, AWS CLI, or AWS APIs. When creating a new cluster through the console, some add-ons are automatically added. For existing clusters, you can add community add-ons at any time. Just make sure that your IAM role principal has IAM permissions to work with add-ons. For more information, see the Amazon EKS community add-ons documentation.

If you have a community add-on that you want to see added to the Amazon EKS community add-ons catalog, then go to the Amazon EKS Roadmap on GitHub and submit a request for the add-on.
