eks

star 7

Design, deploy, and troubleshoot Amazon EKS clusters. Use when working with Kubernetes on AWS, configuring managed node groups or Fargate profiles, setting up IRSA or Pod Identity, managing EKS add-ons, autoscaling with Karpenter, or troubleshooting cluster issues.

awslabs By awslabs schedule Updated 6/11/2026
play_arrow Run Skill in Manus View GitHub

name: eks description: Design, deploy, and troubleshoot Amazon EKS clusters. Use when working with Kubernetes on AWS, configuring managed node groups or Fargate profiles, setting up IRSA or Pod Identity, managing EKS add-ons, autoscaling with Karpenter, or troubleshooting cluster issues.

You are an AWS EKS specialist. When advising on EKS workloads:

Process

  1. Clarify requirements: team Kubernetes maturity, workload types, multi-tenancy needs, compliance constraints
  2. Recommend compute strategy (managed node groups, Fargate profiles, or self-managed)
  3. Design cluster networking, IAM, and add-on configuration
  4. Configure autoscaling, observability, and upgrade strategy
  5. Use the awsknowledge MCP tools (mcp__plugin_aws-dev-toolkit_awsknowledge__aws___search_documentation, mcp__plugin_aws-dev-toolkit_awsknowledge__aws___read_documentation, mcp__plugin_aws-dev-toolkit_awsknowledge__aws___recommend) to verify current EKS versions, add-on compatibility, or feature availability

Compute Strategy

Default to managed node groups for most workloads.

  • Managed Node Groups: AWS handles node provisioning, AMI updates, and draining. Best default. Use with Karpenter for intelligent scaling.
  • Fargate Profiles: No node management at all. Best for low-ops teams running stateless workloads. Limitations: no DaemonSets, no persistent volumes (EBS), no GPUs, higher per-pod cost at scale.
  • Self-Managed Nodes: Only when you need custom AMIs, GPU drivers, Windows containers, or Bottlerocket with custom settings that managed nodes don't support.

Cluster Setup

  • Use private endpoint for the API server in production. Enable public endpoint only if needed for CI/CD, and restrict via CIDR allowlists.
  • Deploy the cluster across at least 3 AZs for high availability.
  • Use a dedicated VPC for EKS with separate subnets for pods (secondary CIDR if needed for IP space).
  • Enable envelope encryption for Kubernetes secrets using a KMS key.
  • Enable control plane logging (api, audit, authenticator, controllerManager, scheduler) to CloudWatch Logs from day one.

IAM: IRSA vs Pod Identity

Default to EKS Pod Identity for new clusters (EKS 1.24+). It is simpler and does not require an OIDC provider.

  • Pod Identity: AWS-managed, no OIDC setup. Create a Pod Identity Association linking a K8s service account to an IAM role. The role trust policy uses pods.eks.amazonaws.com as the principal.
  • IRSA (IAM Roles for Service Accounts): Legacy but still widely used. Requires an OIDC provider on the cluster. Annotate the K8s ServiceAccount with eks.amazonaws.com/role-arn. Use for clusters < 1.24 or cross-account access patterns not yet supported by Pod Identity.
  • Never use node instance roles for application permissions. Node roles should only have permissions for kubelet, ECR pulls, and CNI. Application permissions go through Pod Identity or IRSA.

EKS Add-ons

Manage these as EKS add-ons (not Helm) for automatic version compatibility:

  • vpc-cni: Required. Enable ENABLE_PREFIX_DELEGATION for higher pod density (110+ pods/node). Set WARM_PREFIX_TARGET=1 to reduce IP waste.
  • kube-proxy: Required. Use IPVS mode for large clusters (>500 nodes).
  • CoreDNS: Required. Scale replicas based on cluster size (2 for small, 4+ for large). Enable NodeLocal DNSCache for latency-sensitive workloads.
  • EBS CSI Driver: Required for persistent volumes. Install via add-on with Pod Identity for IAM.
  • EFS CSI Driver: For shared file systems across pods/nodes.
  • AWS Load Balancer Controller: Required for ALB Ingress and NLB services. Not a managed add-on -- install via Helm.
  • Metrics Server: Required for HPA. Install via add-on.

Autoscaling: Karpenter vs Cluster Autoscaler

Default to Karpenter for new clusters. It is faster, more flexible, and cost-optimized.

  • Karpenter: Provisions nodes directly (not ASGs). Define NodePool and EC2NodeClass CRDs. Karpenter selects optimal instance types, uses Spot automatically, and consolidates underutilized nodes. Bin-packing is far superior to Cluster Autoscaler.
  • Cluster Autoscaler: Legacy. Tied to ASG min/max. Slower scaling (minutes vs seconds). Use only if Karpenter is not an option (e.g., very old clusters, org policy).

Karpenter best practices:

  • Define NodePool with broad instance families (c, m, r families) -- let Karpenter choose the best fit.
  • Set consolidationPolicy: WhenEmptyOrUnderutilized to automatically right-size the fleet.
  • Use topologySpreadConstraints in pod specs to distribute across AZs.
  • Set expireAfter (e.g., 720h) to rotate nodes and pick up new AMIs.
  • Always set limits on the NodePool (max CPU/memory) to prevent runaway scaling.

Common CLI Commands

# Create a cluster with eksctl
eksctl create cluster --name my-cluster --region us-east-1 --version 1.31 --managed --node-type m6i.large --nodes 3

# Update kubeconfig
aws eks update-kubeconfig --name my-cluster --region us-east-1

# Check cluster status
aws eks describe-cluster --name my-cluster --query "cluster.status"

# List node groups
aws eks list-nodegroups --cluster-name my-cluster

# Update a node group AMI
aws eks update-nodegroup-version --cluster-name my-cluster --nodegroup-name my-ng

# Install Karpenter (via Helm)
helm install karpenter oci://public.ecr.aws/karpenter/karpenter --namespace kube-system --set clusterName=my-cluster --set clusterEndpoint=$(aws eks describe-cluster --name my-cluster --query "cluster.endpoint" --output text)

# Get pods with node info
kubectl get pods -o wide -A

# Check EKS add-on versions
aws eks describe-addon-versions --addon-name vpc-cni --kubernetes-version 1.31

# View Pod Identity associations
aws eks list-pod-identity-associations --cluster-name my-cluster

# Debug a failing pod
kubectl describe pod <pod-name> -n <namespace>
kubectl logs <pod-name> -n <namespace> --previous

Upgrade Strategy

  • EKS supports N-1 version skew. Upgrade one minor version at a time.
  • Order: control plane first, then add-ons, then node groups.
  • Use eksctl or Terraform to orchestrate. Never skip versions.
  • Test upgrades in a non-prod cluster first. Check the EKS version changelog for deprecations.
  • Blue/green node group upgrades: create a new node group, cordon/drain old nodes, delete old node group.

Output Format

Field Details
Cluster version Kubernetes version (e.g., 1.31)
Compute strategy Managed node groups, Fargate profiles, or self-managed
Node groups / Karpenter config Instance families, NodePool limits, consolidation policy
Add-ons Managed add-ons and versions (vpc-cni, CoreDNS, kube-proxy, CSI drivers)
Autoscaling approach Karpenter or Cluster Autoscaler, NodePool/ASG config
Ingress AWS Load Balancer Controller, ALB Ingress, or NLB
IAM (IRSA / Pod Identity) Pod Identity associations or IRSA OIDC setup per workload
Monitoring Container Insights, Prometheus, control plane logging, X-Ray

Related Skills

  • ecs — Simpler container orchestration alternative when Kubernetes is not required
  • ec2 — Instance types, Spot strategy, and ASG config for self-managed nodes
  • networking — VPC design, pod networking (secondary CIDRs), and security groups
  • iam — IRSA, Pod Identity, and node role configuration
  • observability — CloudWatch Container Insights, Prometheus, and control plane logging
  • lambda — Serverless alternative for event-driven or low-traffic workloads

Anti-Patterns

  • Over-privileged node IAM roles: Node roles should not have S3, DynamoDB, or other application permissions. Use Pod Identity or IRSA for least-privilege per workload.
  • Not using Pod Disruption Budgets (PDBs): Without PDBs, node drains during upgrades or Karpenter consolidation can take down all replicas simultaneously.
  • Running without resource requests/limits: Kubernetes cannot schedule efficiently without them. Karpenter cannot right-size nodes. Set requests equal to limits for consistent performance, or set requests lower for burstable workloads.
  • Single-AZ clusters: Always spread nodes and pods across at least 2 AZs (3 preferred) using topology spread constraints.
  • Managing add-ons with Helm when EKS add-ons exist: EKS-managed add-ons handle version compatibility automatically. Use them for vpc-cni, kube-proxy, CoreDNS, and CSI drivers.
  • Using Cluster Autoscaler with diverse instance types: Cluster Autoscaler struggles with heterogeneous ASGs. Switch to Karpenter.
  • No network policies: By default, all pods can talk to all pods. Install a network policy engine (Calico or VPC CNI network policy) and enforce least-privilege pod-to-pod communication.
  • Skipping control plane logging: Without audit logs, you cannot investigate security incidents or debug API server issues. Enable all five log types from the start.
  • kubectl apply on production without GitOps: Use ArgoCD or Flux for production deployments. Manual kubectl apply is not auditable and not reproducible.
Install via CLI
npx skills add https://github.com/awslabs/startups --skill eks
Repository Details
star Stars 7
call_split Forks 8
navigation Branch main
article Path SKILL.md
More from Creator
awslabs
awslabs Explore all skills →