Amazon EKS
Overview
Amazon Elastic Kubernetes Service (EKS) is fully supported by OpsWorker. The Kubernetes Agent installs using the standard Helm chart with no EKS-specific configuration required.
Setup
Follow the standard agent installation process. The Helm command from the OpsWorker portal works directly on EKS clusters.
EKS-Specific Notes
Networking
- Security Groups: Ensure outbound HTTPS (port 443) to
*.amazonaws.comis allowed in the node security group. Since EKS runs on AWS, SQS connectivity is typically straightforward. - VPC Endpoints: If using VPC endpoints for SQS, the agent will use them automatically.
- NAT Gateway: If nodes are in private subnets, ensure a NAT Gateway is configured for outbound internet access (or use VPC endpoints).
IAM
- IRSA not required: The agent authenticates using a cluster token, not AWS IAM. No IAM roles for service accounts (IRSA) configuration is needed.
- Node IAM role: No additional IAM permissions are needed on the node role.
Node Groups
| Node Type | Support |
|---|---|
| Managed node groups | Fully supported |
| Self-managed nodes | Fully supported |
| Fargate | Supported with limitations (Fargate pods can't run privileged containers; standard agent works but some kubectl operations may be restricted) |
EKS Add-ons
The OpsWorker agent is independent of EKS add-ons and doesn't conflict with CoreDNS, kube-proxy, or VPC CNI.
Next Steps
- Install the Agent — Step-by-step installation
- Verify Connection — Confirm the agent is connected