Amazon EKS features

Overview

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. Amazon EKS is certified Kubernetes-conformant, so existing applications that run on upstream Kubernetes are compatible with Amazon EKS.

Amazon EKS automatically manages the availability and scalability of the Kubernetes control plane nodes responsible for scheduling containers, managing application availability, storing cluster data, and other key tasks.

Amazon EKS lets you run your Kubernetes applications on both Amazon Elastic Compute Cloud (Amazon EC2) and AWS Fargate. With Amazon EKS, you can take advantage of all the performance, scale, reliability, and availability of AWS infrastructure, as well as integrations with AWS networking and security services, such as application load balancers (ALBs) for load distribution, AWS Identity and Access Management (IAM) integration with role-based access control (RBAC), and AWS Virtual Private Cloud (VPC) support for pod networking.


Fully managed clusters

Amazon EKS provides a scalable and highly available Kubernetes control plane running across multiple AWS Availability Zones (AZs). Amazon EKS automatically manages the availability and scalability of the Kubernetes API servers and the etcd persistence layer. Amazon EKS runs the Kubernetes control plane across three AZs to ensure high availability, and automatically detects and replaces unhealthy control plane nodes.

Amazon EKS Auto Mode fully automates Kubernetes cluster infrastructure management for compute, storage, and networking on AWS with a single click. It simplifies Kubernetes management by automatically provisioning infrastructure, selecting optimal compute instances, dynamically scaling resources, continuously optimizing costs, patching operating systems, managing add-ons, and integrating with AWS security services.

AWS Controllers for Kubernetes (ACK) gives you direct management control over AWS services from within your Kubernetes environment. ACK makes it simple to build scalable and highly available Kubernetes applications utilizing AWS services.

EKS provides an integrated console for viewing your entire cluster. Cluster operators and application developers can use EKS as a single place to organize, visualize, and troubleshoot your Kubernetes applications running on Amazon EKS. The EKS console is hosted by AWS and is available automatically for all EKS clusters.

Amazon EKS lets you create, update, scale, and terminate nodes for your cluster with a single command. These nodes can also leverage Amazon EC2 Spot Instances to reduce costs. Managed node groups run Amazon EC2 instances using the latest EKS-optimized or custom Amazon Machine Images (AMIs) in your AWS account, while updates and terminations gracefully drain nodes to ensure your applications remain available.

Amazon EKS runs upstream Kubernetes and is certified Kubernetes-conformant, so you can use all the existing plug-ins and tooling from the Kubernetes community. Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, whether running in on-premises data centers or public clouds. This means that you can easily migrate any standard Kubernetes application to Amazon EKS without refactoring your code.

Connect any conformant Kubernetes cluster to AWS and visualize it in the Amazon EKS console. You can connect any conformant Kubernetes cluster, including Amazon EKS Anywhere clusters running on-premises, self-managed clusters on Amazon Elastic Compute Cloud (Amazon EC2), and other Kubernetes clusters running outside of AWS. Regardless of where your cluster is running, you can use the Amazon EKS console to view all connected clusters and the Kubernetes resources running on them.

Compute

With Amazon EKS, you have complete access to EC2 instance types, providing flexibility and allowing you to automatically provision the optimal compute for your workload. You can purchase compute On-Demand, through Savings Plans, or as Spot.

The AWS Nitro System is a combination of dedicated hardware and lightweight hypervisor enabling faster innovation and enhanced security.

AWS Graviton is a family of processors designed to deliver the best price performance for your cloud workloads running in Amazon EC2.

Take advantage of unused EC2 capacity in the AWS cloud, which is available at up to a 90% discount compared to On-Demand prices. Use Spot Instances for stateless, fault-tolerant, or flexible applications such as big data, containerized workloads, CI/CD, web servers, high-performance computing (HPC), and test and development workloads.

EKS supports AWS Fargate to run your Kubernetes applications using serverless compute. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

Networking, Security, and Access

Your EKS clusters run in an Amazon VPC, allowing you to use your own VPC security groups and network access control lists (ACLs). No compute resources are shared with other customers, which provides you a high level of isolation to build secure and reliable applications. EKS uses the Amazon VPC container network interface (CNI), allowing Kubernetes pods to receive IP addresses from the VPC. Amazon EKS works with the Project Calico network policy engine to provide fine-grained networking policies for your Kubernetes workloads. Use the Kubernetes network policy API to control access on a per-service basis.
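The per-service control described above is expressed with the upstream NetworkPolicy API. The following manifests are an added example, not code from the AWS page: a default-deny baseline for a namespace, an ingress rule that admits only one labelled client to the protected service, and an egress rule for that client that permits DNS and the service port only. The namespace `payments`, the labels `app: ledger` and `app: checkout`, and port 8443 are constructed for illustration.

```yaml
# Added example (not from the AWS page). Namespace, labels and port are constructed.
# Policy 1: deny all ingress and egress for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}          # empty selector matches every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# Policy 2: the only traffic that may reach "ledger" is TCP/8443 from "checkout" pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checkout-to-ledger
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: ledger
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: checkout
      ports:
        - protocol: TCP
          port: 8443
---
# Policy 3: "checkout" pods may only resolve names via CoreDNS and talk to "ledger".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: checkout-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: checkout
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns       # label carried by the CoreDNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: ledger
      ports:
        - protocol: TCP
          port: 8443
```

A NetworkPolicy object is only data; it is enforced by whichever policy engine is running in the cluster (the Calico engine the page names, or the network policy support built into the Amazon VPC CNI). Apply the default-deny policy first and confirm with a test pod that a connection to the ledger port is refused before adding the allow rules, so that a misconfigured engine shows up as a blocked path rather than an open one.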

Amazon Elastic Kubernetes Service (EKS) supports IPv6, enabling customers to scale on Kubernetes far beyond the limits of private IPv4 address space. With EKS support for IPv6, pods are assigned only a globally routable IPv6 address, allowing you to scale applications in your cluster without consuming limited private IPv4 address space. This globally routable IPv6 address can be used to communicate directly with any IPv6 endpoint in your Amazon VPC, on-premises network, or the public internet. Further, EKS configures networking so that pods can still communicate with IPv4-based endpoints outside the cluster, enabling you to adopt the benefits of IPv6 on Kubernetes without requiring that all dependent services deployed across your organization be migrated to IPv6.

Amazon EKS supports using Elastic Load Balancing including Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer. You can run standard Kubernetes cluster load balancing or any Kubernetes-supported ingress controller with your Amazon EKS cluster.

Amazon VPC Lattice is a fully managed application networking service built directly into the AWS networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and virtual private clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the AWS Gateway API Controller, an implementation of the Kubernetes Gateway API. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard Kubernetes semantics in a simple and consistent manner.

EKS Pod Identity simplifies the work customers need to do to set up applications on EKS clusters to access AWS services. EKS cluster administrators get a simplified workflow for obtaining the IAM credentials required for authenticating Kubernetes applications to access AWS resources such as S3 buckets, DynamoDB tables, and more. EKS Pod Identity makes it easy to use IAM roles across multiple clusters, and simplifies IAM policy management by supporting reuse of policies across IAM roles.

Amazon EKS integrates Kubernetes RBAC (the native role-based access control system for Kubernetes) with AWS IAM. You can assign RBAC roles directly to each IAM entity, allowing granular access permission control over your Kubernetes control plane nodes.
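The IAM-to-RBAC mapping described above can be seen end to end in the following manifests, which are an added example and not code from the AWS page. They use the `aws-auth` ConfigMap in `kube-system` to map an IAM role to a Kubernetes group, then bind that group to the built-in read-only ClusterRole `view`. The account id `111122223333` and the role names are placeholders; the node role mapping is included because replacing the ConfigMap without it would cut the worker nodes off from the API server.

```yaml
# Added example (not from the AWS page). Account id and role names are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Keep the node role mapping: nodes authenticate with this role to join the cluster.
    - rolearn: arn:aws:iam::111122223333:role/eks-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # An auditor role gets a Kubernetes group, not a direct permission.
    # {{SessionName}} keeps the assumed-role session name in audit log usernames.
    - rolearn: arn:aws:iam::111122223333:role/EKSReadOnlyAuditor
      username: auditor:{{SessionName}}
      groups:
        - eks-viewers
---
# Least privilege: the group is bound to the upstream "view" ClusterRole,
# which cannot read Secrets or change any object.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-viewers-view
subjects:
  - kind: Group
    name: eks-viewers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Permissions flow from the IAM role to the group and from the group to the ClusterRole, so widening or revoking access is a change to one binding rather than to every principal. After applying, `kubectl auth can-i list pods --as auditor:test --as-group eks-viewers` should answer yes and `kubectl auth can-i get secrets --as auditor:test --as-group eks-viewers` should answer no.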

Amazon EKS is certified by multiple compliance programs for regulated and sensitive applications. Amazon EKS is compliant with SOC, PCI, ISO, FedRAMP-Moderate, IRAP, C5, K-ISMS, ENS High, OSPAR, and HITRUST CSF, and is a HIPAA eligible service.

Amazon EKS is compatible with container image signature verification to enable deploying container workloads with approved images and artifacts. You can verify images (or any other OCI artifact like Software Bill of Materials) signed by AWS Signer, a fully managed signing solution, before deploying images in your Amazon EKS clusters. AWS supports open-source based image signing and verification solutions so you can easily sign artifacts stored in your registry, and verify them using open source policy-as-code or admission controllers.
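One way the "verify before deploying" step above is enforced is an admission controller driven by policy-as-code. The following Kyverno ClusterPolicy is an added example, not code from the AWS page or from AWS Signer: it rejects any Pod whose images from a given registry path do not carry a signature verifiable with a trusted public key, and rewrites tag references to the verified digest so the image cannot change underneath the policy. The registry host `111122223333.dkr.ecr.us-east-1.amazonaws.com` and the key material are placeholders. This rule uses Kyverno's key-based (cosign-style) verification as one instance of the admission-controller pattern; signatures produced by AWS Signer are in the Notation format and need a Notation-aware verifier instead.

```yaml
# Added example (not from the AWS page). Registry path and public key are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce   # reject unsigned images instead of only reporting them
  background: false                  # image verification runs at admission time only
  webhookTimeoutSeconds: 30
  failurePolicy: Fail                # if the verifier is unavailable, admission is denied, not skipped
  rules:
    - name: require-signed-ecr-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "111122223333.dkr.ecr.us-east-1.amazonaws.com/*"   # placeholder registry path
          mutateDigest: true         # replace :tag with @sha256:... after verification
          attestors:
            - count: 1               # at least one of the listed keys must verify
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER: release-signing public key goes here
                      -----END PUBLIC KEY-----
```

The two settings a reviewer should look for are `validationFailureAction: Enforce` and `failurePolicy: Fail`: with `Audit` or `Ignore`, an unsigned image or a verifier outage is logged but the Pod still starts. Pods created by Deployments and other controllers are covered because the rule matches the Pod itself, not the parent object.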

Versions and Updates

Amazon EKS makes it easy to update running clusters to the latest Kubernetes version without managing the update process. Kubernetes version updates are done in place, removing the need to create new clusters or migrate applications to a new cluster. As new Kubernetes versions are released and validated for use with Amazon EKS, we will support three stable Kubernetes versions at any given time as part of the update process. You can initiate new version installation and review in-flight update status via the SDK, CLI or AWS Console.

Amazon EKS is fully compatible with Kubernetes community tools and supports popular Kubernetes add-ons. These include CoreDNS, which creates a DNS service for your cluster, and both the Kubernetes Dashboard web-based UI and the kubectl command line tool, which help you access and manage your cluster on Amazon EKS. For more information, see the Kubernetes community tools GitHub page.

Add-Ons

Amazon EKS offers a curated set of Kubernetes software, also known as add-ons, that provide key operational capabilities for Kubernetes clusters and integration with various AWS services. These add-ons include operational software like CoreDNS, which enables cluster DNS capabilities, and kube-proxy, which enables service networking capabilities within the Kubernetes cluster. Additionally, the add-ons include operational software like Amazon VPC CNI, which enables pod networking capabilities through integration with Amazon VPC, as well as CSI drivers that enable integration with Amazon Elastic Block Storage (Amazon EBS), Amazon Elastic File System (Amazon EFS), and Amazon Simple Storage Service (Amazon S3). Furthermore, the add-ons include observability and security agents that allow for integration with different AWS services.

Amazon EKS enables the installation, management, and configuration of add-ons through the EKS API, AWS Management Console, AWS Command Line Interface (AWS CLI), eksctl, AWS CloudFormation, and third-party infrastructure as code (IaC) tools. All Amazon EKS add-ons from AWS include the latest security patches and bug fixes, and are validated by AWS to work with Amazon EKS. This ensures that Amazon EKS clusters are consistently secure and stable, reducing the amount of work required to install, configure, and update add-ons. To learn more about the add-ons from AWS, refer to the EKS user guide.

Amazon EKS provides a unified management experience for finding, selecting, installing, managing, and configuring third-party Kubernetes operational software (add-ons) from independent software vendors on EKS clusters. This is enabled through the EKS API, AWS Management Console, AWS CLI, eksctl, AWS CloudFormation, and third-party IaC tools, the same interfaces used to manage EKS add-ons from AWS. This simplifies finding, subscribing to, and deploying third-party Kubernetes add-ons that provide operational capabilities including observability, service mesh, GitOps, and storage on EKS clusters. Third-party add-ons are sourced from the AWS Marketplace, which continually scans the software for common vulnerabilities and exposures (CVEs). Only add-on versions compatible with the respective Kubernetes versions are presented, reducing the overhead of validating add-on compatibility. Selecting these add-ons through EKS provides the same benefits as any other product in the AWS Marketplace, including consolidated billing, flexible payment options, and lower pricing for long-term contracts. To learn more about third-party add-ons, refer to the EKS user guide.

Observability

Amazon Managed Service for Prometheus provides a scalable, secure, AWS-managed service for open-source Prometheus. You can use the Prometheus query language (PromQL) to monitor the performance of containerized workloads without managing the underlying infrastructure for ingesting, storing, and querying operational metrics. You can collect Prometheus metrics from Amazon EKS by using AWS Distro for OpenTelemetry or Prometheus servers as collection agents. Amazon Managed Service for Prometheus also provides a fully managed, agentless scraper that automatically pulls metrics from the Prometheus-compatible endpoints in your Amazon EKS clusters.

Amazon CloudWatch Container Insights is a fully managed monitoring and observability service that provides DevOps engineers, developers, site reliability engineers (SREs), and IT managers with out-of-the-box visibility into their containerized applications and microservice environments. With Amazon CloudWatch Container Insights, you can monitor, isolate, and diagnose issues in your EKS clusters with minimal effort. It delivers infrastructure telemetry like CPU, memory, network, and disk usage for your clusters, services, and pods in the form of metrics and logs that can be easily visualized in the CloudWatch console.

You can get enhanced observability for your Amazon EKS cluster with the Amazon CloudWatch Observability EKS add-on. This add-on installs the CloudWatch agent and Fluent Bit, giving you infrastructure and container log insights. The CloudWatch agent sends key infrastructure metrics from the cluster nodes to CloudWatch, so you can monitor CPU, network, disk, and other low-level node metrics. Fluent Bit ships container logs from the cluster to CloudWatch Logs, giving you insights into application and system logs from your containers.

Amazon EKS is integrated with AWS CloudTrail to provide visibility into EKS management operations, including audit history. You can use CloudTrail to view API calls to the Amazon EKS API. Amazon EKS also delivers Kubernetes control plane logs to Amazon CloudWatch for analysis, debugging, and auditing.
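The control plane log delivery described above and the AWS-vended add-on management described in the Add-Ons section are both declared in one place when a cluster is managed with eksctl. The following ClusterConfig is an added example, not code from the AWS page or from the eksctl project: it enables all five control plane log types (the `audit` and `authenticator` streams are the ones an incident responder needs) with a retention period, and installs the add-ons the page lists. The cluster name, region, account id and IAM role name are placeholders.

```yaml
# Added example (not from the AWS page). Cluster name, region, account id and role are placeholders.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod-eks
  region: us-east-1

cloudWatch:
  clusterLogging:
    # api/audit/authenticator/controllerManager/scheduler are the five EKS log types.
    # "audit" records every API request; "authenticator" records IAM-to-RBAC mapping decisions.
    enableTypes:
      - api
      - audit
      - authenticator
      - controllerManager
      - scheduler
    logRetentionInDays: 90   # keep logs long enough to support an investigation

addons:
  # AWS-vended add-ons: validated versions that carry the current security patches.
  - name: vpc-cni
    version: latest
    resolveConflicts: overwrite   # let the managed add-on own its configuration
  - name: coredns
    version: latest
  - name: kube-proxy
    version: latest
  - name: aws-ebs-csi-driver
    version: latest
    # The CSI driver needs an IAM role; the role name below is a placeholder.
    serviceAccountRoleARN: arn:aws:iam::111122223333:role/EbsCsiDriverRole
```

For a new cluster, `eksctl create cluster -f cluster.yaml` applies the whole file; for an existing cluster the same file drives `eksctl utils update-cluster-logging` and `eksctl create addon`. Once the log types are enabled, the `audit` stream in the cluster's CloudWatch log group is the source that GuardDuty EKS Protection analyzes and that you can query yourself, for example to list every request that created a ClusterRoleBinding.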

Amazon EKS automatically adds an AWS cost allocation tag to every EC2 instance that joins a cluster. This frees you from having to enforce a custom tagging policy across your organization to gain insights into cluster-level costs. After you activate the EKS cluster name cost allocation tag in the AWS Billing Console, you can use AWS Cost and Usage Reports to track the EC2 costs associated with your EKS clusters.

Amazon EKS supports Kubecost, which enables you to monitor costs broken down by Kubernetes resources including pods, nodes, namespaces, and labels. Kubernetes platform administrators and finance leaders can use Kubecost to visualize a breakdown of their Amazon EKS associated charges, allocate costs, and charge back to organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual AWS bill, and get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters.

AWS integrations

AWS Controllers for Kubernetes (ACK) is a tool that lets you directly manage AWS services from Kubernetes. ACK makes it simple to build scalable and highly-available Kubernetes applications that use AWS services. ACK provides a consistent Kubernetes interface for AWS, regardless of the AWS service API.

Amazon ECR is a fully managed container registry offering high-performance hosting so you can reliably deploy application images and artifacts anywhere. You can pull images from Amazon ECR to run Kubernetes workloads on Amazon EKS.

GuardDuty EKS Protection enables Amazon GuardDuty to detect suspicious activities and potential compromises of your EKS clusters by analyzing Kubernetes audit logs. Amazon GuardDuty EKS Runtime Monitoring detects runtime threats from over 30 security findings to protect your EKS clusters. EKS Runtime Monitoring uses a fully managed EKS add-on that adds visibility into individual container runtime activities, such as file access, process execution, and network connections. GuardDuty can now identify specific containers within your EKS clusters that are potentially compromised and detect attempts to escalate privileges from an individual container to the underlying Amazon EC2 host and the broader AWS environment. GuardDuty EKS Runtime Monitoring findings provide metadata context to identify potential threats and contain them before they escalate.

Hybrid Deployments

You can use the same Amazon EKS clusters to run nodes on AWS-hosted infrastructure in AWS Regions, AWS Local Zones, and AWS Wavelength Zones, or in your own on-premises environments with AWS Outposts and Amazon EKS Hybrid Nodes. AWS Outposts is AWS-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on virtual machines or bare-metal infrastructure that you manage in your on-premises or edge environments. If you need to run in isolated or air-gapped environments, you can use Amazon EKS Anywhere, which is AWS-supported Kubernetes management software that runs on infrastructure you manage. With Amazon EKS Anywhere, you are responsible for cluster lifecycle operations and maintenance of your Amazon EKS Anywhere clusters. The Amazon EKS Connector can be used to view any Kubernetes cluster and its resources in the Amazon EKS console. Amazon EKS Distro is the AWS distribution of the underlying Kubernetes components that power all Amazon EKS offerings.

Amazon EKS Hybrid Nodes unifies management of Kubernetes across cloud, on-premises and edge environments, giving you the flexibility to run your workloads anywhere, while driving higher availability, scalability, and efficiency. It standardizes Kubernetes operations and tooling across environments and natively integrates with AWS services for centralized monitoring, logging, and identity management. EKS Hybrid Nodes reduces the time and effort required for managing Kubernetes on premises and at the edge by offloading the availability and scalability of the Kubernetes control plane to AWS. EKS Hybrid Nodes can run on your existing infrastructure to accelerate modernization without additional hardware investment.

AWS Outposts, AWS Local Zones, and AWS Wavelength Zones can be used to run applications closer to end users to meet low latency and data residency requirements. You can use Amazon EKS to run nodes on these AWS infrastructure types with the same Amazon EKS clusters, features, and tools you use to run applications in AWS Regions.

Amazon EKS Anywhere simplifies Kubernetes cluster management through the automation of undifferentiated heavy lifting such as infrastructure setup and Kubernetes cluster lifecycle operations in on-premises and edge environments. Amazon EKS Anywhere is built on the Kubernetes sub-project Cluster API (CAPI) and supports a range of infrastructure including VMware vSphere, bare metal, Nutanix, Apache CloudStack, and the AWS Snow Family. Amazon EKS Anywhere can be run in air-gapped environments and offers optional integrations with regional AWS services for observability and identity management. To receive support for Amazon EKS Anywhere and access to AWS-vended Kubernetes add-ons, you can purchase Amazon EKS Anywhere Enterprise Subscriptions.

You can use the Amazon EKS Connector to register and connect any conformant Kubernetes cluster to AWS and view it in the Amazon EKS console. After a cluster is connected, you can see the status, configuration, and workloads for that cluster in the Amazon EKS console. You can use this feature to view connected clusters in the Amazon EKS console, but the Amazon EKS Connector does not enable management or mutating operations for your connected clusters through the Amazon EKS console.

Amazon EKS Distro is the AWS distribution of the underlying Kubernetes components that power all Amazon EKS offerings. It includes the core components required for a functioning Kubernetes cluster such as Kubernetes control plane components (etcd, kube-apiserver, kube-scheduler, and kube-controller-manager) and networking components (CoreDNS, kube-proxy, and CNI plugins). Amazon EKS Distro can be used to self-manage Kubernetes clusters with your choice of tooling.