EKS Addon

Amazon EKS add-ons let you install and manage essential cluster services—such as the VPC CNI, kube-proxy, and CoreDNS—through the AWS API. While these components are automatically provisioned with your EKS cluster, turning them into managed add-ons enables AWS to handle version alignment and automated upgrades. However, this convenience can introduce limitations and additional steps during control plane or worker node upgrades.

What Are EKS Add-ons?

EKS add-ons are extensions that AWS maintains for compatibility with your cluster’s Kubernetes version. They include:

  • Amazon VPC CNI: Integrates Kubernetes pod networking directly with your VPC.
  • CoreDNS: Provides DNS resolution for in-cluster services.
  • kube-proxy: Manages cluster networking rules.

By default, the VPC CNI ships as a managed add-on, while CoreDNS and kube-proxy run as unmanaged core components. Converting these into managed add-ons synchronizes their lifecycle with your cluster.

Inspecting Default Add-ons in the Console

Let’s explore an EKS cluster via the AWS Management Console. Here’s my cluster named kodekloud, running Kubernetes v1.29. The Amazon VPC CNI appears automatically under the Add-ons section.

The image shows an AWS console page for an EKS cluster named "kodekloud," displaying its active status, Kubernetes version 1.29, and support details.

Even though only the VPC CNI shows up as an add-on, you can verify that CoreDNS and kube-proxy are running:

kubectl get pods -A

Converting CoreDNS and kube-proxy to Managed Add-ons

To bring CoreDNS and kube-proxy under managed add-on control:

  1. In the AWS Console, go to Add-ons for your cluster.
  2. Select CoreDNS and kube-proxy.
  3. Click Install; the console auto-selects a compatible version via the EKS API.

The image shows an AWS console interface for selecting Amazon EKS add-ons, with options like CoreDNS and kube-proxy highlighted.

Next, review the default settings (IAM role, version) and confirm the installation:

The image shows an AWS console screen for configuring the "kube-proxy" add-on in the Elastic Kubernetes Service, with options to select the version and IAM role. The status indicates "Ready to install."

Note

During installation, you may observe both unmanaged and managed instances of these components running in parallel. This is normal until you remove the original unmanaged deployments.

Viewing Add-on Status

Once installed, all add-ons appear as Active in the console, even though the components themselves were already running before the conversion.

The image shows the Amazon Elastic Kubernetes Service (EKS) console, displaying add-ons like Amazon VPC CNI and kube-proxy, with their status and version information.

You can update each add-on individually when AWS releases a newer compatible package. The console flags an available update even when the installed component is already current for your cluster's Kubernetes version.

The image shows an AWS console screen displaying the update status of a Kubernetes add-on in progress, with details like Update ID, AddonVersion, and no errors listed.

kubectl get pods -A

When you click Update, EKS triggers an internal API call to patch the add-on manifest. You don’t control the rollout strategy, and the console does not expose the underlying YAML changes.

Officially Supported vs. Marketplace Add-ons

AWS maintains a growing roster of officially supported add-ons:

| Add-on | Use Case | Example Installation |
|---|---|---|
| AWS Distro for OpenTelemetry (ADOT) | Collect and export metrics/traces | eksctl create addon --name adot --cluster kodekloud |
| CSI Snapshot Controller | Volume snapshot management | eksctl create addon --name snapshot-controller --cluster kodekloud |
| EKS Pod Identity Agent | Enable IAM roles for Kubernetes service accounts | eksctl create addon --name eks-pod-identity-agent --cluster kodekloud |

The image shows an AWS console interface for selecting Amazon EKS add-ons, including options like CSI Snapshot Controller and Amazon EKS Pod Identity Agent.

Marketplace add-ons introduce extra dependencies and may lag behind Kubernetes releases. For instance, attempting to install KubeCost without a subscription—or if no compatible package exists—can block your upgrade path:

The image shows an AWS console screen for configuring add-ons, specifically for "Kubecost - Amazon EKS cost monitoring." It indicates that a subscription is required and that the selected add-on does not support the Kubernetes version for the cluster.

Warning

Marketplace add-ons may show “no versions available” if they don’t support your Kubernetes version. This can delay critical upgrades.
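
A pre-upgrade check for the situation described in this warning, as an added example that is not part of the original page: it reads catalogue data in the shape returned by `aws eks describe-addon-versions` and flags installed add-ons that have no version for the target Kubernetes release. The sample catalogue, the installed versions, the Kubecost add-on name, and the function names are constructed for illustration.

```python
import json

# Constructed, trimmed sample shaped like `aws eks describe-addon-versions` output.
CATALOG = json.loads("""
{"addons": [
  {"addonName": "coredns", "addonVersions": [
    {"addonVersion": "v1.11.1-eksbuild.4", "compatibilities": [
      {"clusterVersion": "1.29"}, {"clusterVersion": "1.30", "defaultVersion": true}]}]},
  {"addonName": "kube-proxy", "addonVersions": [
    {"addonVersion": "v1.30.0-eksbuild.3", "compatibilities": [
      {"clusterVersion": "1.30", "defaultVersion": true}]},
    {"addonVersion": "v1.29.0-eksbuild.1", "compatibilities": [{"clusterVersion": "1.29"}]}]},
  {"addonName": "kubecost_kubecost", "addonVersions": [
    {"addonVersion": "v1.0.0-eksbuild.1", "compatibilities": [{"clusterVersion": "1.29"}]}]}
]}
""")

# Constructed sample: add-on name -> version currently installed on the cluster.
INSTALLED = {"coredns": "v1.11.1-eksbuild.4", "kube-proxy": "v1.29.0-eksbuild.1",
             "kubecost_kubecost": "v1.0.0-eksbuild.1"}

def compatible_versions(catalog, addon, k8s_version):
    """Return (versions, default) the catalogue lists for addon on k8s_version."""
    versions, default = [], None
    for entry in catalog.get("addons", []):
        if entry.get("addonName") != addon:
            continue
        for v in entry.get("addonVersions", []):
            for c in v.get("compatibilities", []):
                if c.get("clusterVersion") == k8s_version:
                    versions.append(v["addonVersion"])
                    default = v["addonVersion"] if c.get("defaultVersion") else default
    return versions, default

def preupgrade_report(catalog, installed, target):
    """Classify each installed add-on for a control plane upgrade to target."""
    report = {}
    for name, current in sorted(installed.items()):
        versions, default = compatible_versions(catalog, name, target)
        if not versions:
            report[name] = ("BLOCKED", None)    # console: "no versions available"
        elif current in versions:
            report[name] = ("OK", current)      # installed build supports target
        else:
            report[name] = ("UPDATE", default or versions[0])
    return report

if __name__ == "__main__":
    print(preupgrade_report(CATALOG, INSTALLED, "1.30"))
```

Running this against real catalogue output before scheduling a control plane upgrade shows which add-ons would hold the cluster on an older Kubernetes version.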

Best Practices: Own Your Add-on Manifests

For maximum control over versions, rollout timing, and configuration, consider managing cluster services yourself:

  • Use Helm charts or plain YAML manifests.
  • Incorporate add-on deployments in your GitOps pipeline.
  • Align CoreDNS and kube-proxy versions directly with your control plane and node versions.

This approach streamlines testing and upgrades, removing external bottlenecks.

The image is a diagram illustrating the concept of avoiding add-ons for smoother flow, featuring hexagons with gear icons and a central cloud API symbol.

Conclusion

While EKS add-ons simplify cluster service management, they can complicate upgrades and reduce your visibility into rollout processes. Evaluate your operational requirements to decide which components you want AWS to manage and which you prefer to control directly.

