chainguard-dev · SharpRake · Apr 11, 2026 · Apr 22, 2026 · Apr 22, 2026
@@ -0,0 +1,95 @@
+---
+title: "Overview of Chainguard EKS Add-ons"
+linktitle: "EKS Add-ons"
+description: "Learn about Chainguard EKS add-ons, which provide zero-CVE and FIPS-validated container images for core Amazon EKS cluster components through AWS Marketplace."
+type: "article"
+date: 2026-04-10T00:00:00+00:00
+lastmod: 2026-04-10T00:00:00+00:00
+draft: false
+tags: ["FIPS", "Chainguard Containers"]
+images: []
+menu:
+  docs:
+    parent: "fips"
+weight: 035
+toc: true
+---
+
+Chainguard EKS add-ons are hardened, minimal container images for the foundational software components that power Amazon Elastic Kubernetes Service (EKS) clusters. Available through [AWS Marketplace](https://aws.amazon.com/marketplace), they serve as FIPS-validated drop-in replacements for AWS default add-ons, providing zero known CVEs and FIPS 140-3 validated cryptography without requiring custom image builds or manifest overrides.
+
+
+## What are EKS add-ons?
+
+Amazon EKS add-ons are software components that provide supporting operational capabilities to Kubernetes applications — things like networking drivers, storage integrations, and observability agents that allow the cluster to interact with underlying AWS resources, but aren't specific to any application running on it.
+
+They handle cluster functions like internal DNS resolution, pod networking, persistent storage, and traffic routing, and are managed independently from your application workloads. AWS installs several add-ons in every EKS cluster by default.
+
+For a full explanation of how EKS add-ons work (including how to install, configure, and update them), refer to the [Amazon EKS add-ons documentation](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html).
+
+
+## Available Chainguard EKS add-ons
+
+Chainguard provides hardened images for five widely used EKS add-ons. All are FIPS-validated.
+
+| Add-on | Description |
+|--------|-------------|
+| **kube-proxy** | Routes network traffic between pods within the cluster |
+| **CoreDNS** | Handles internal DNS — how services discover and communicate with each other |
+| **Amazon VPC CNI** | Connects pods to the AWS VPC network backbone |
+| **Amazon EBS CSI Driver** | Enables persistent block storage volumes backed by Amazon EBS |
+| **Amazon EFS CSI Driver** | Enables shared, persistent file storage backed by Amazon EFS |
+
+
+## Why use Chainguard EKS add-ons?
+
+### Zero known CVEs
+
+Default EKS add-on images ship with known CVEs. Because customers do not own the upstream source code, they aren't able to patch these vulnerabilities.
+
+Chainguard rebuilds each add-on using its minimal, hardened container image approach, removing unnecessary packages and dependencies that are the most common source of CVEs. Like Chainguard Containers, Chainguard EKS add-ons are rebuilt continuously to incorporate available security patches, keeping the known CVE count at or near zero.
+
+### FIPS 140-3 validated cryptography
+
+For organizations operating under FedRAMP, NIST, or other compliance frameworks that require FIPS-validated cryptography, existing options create additional developer toil to maintain the image. Chainguard EKS add-ons are the only available option that provides FIPS 140-3 validated cryptography for core EKS cluster infrastructure. No other provider offers FIPS-validated replacements for these components.
+
+To learn more about how Chainguard approaches FIPS, refer to the [Chainguard FIPS documentation](/chainguard/fips/).
+
+### Drop-in compatibility
+
+Chainguard EKS add-ons are designed as direct replacements for the corresponding AWS-managed components. They use the same Helm-based deployment workflow as any other EKS add-on and require no changes to your existing cluster configuration.
+
+Chainguard EKS add-ons are available through AWS Marketplace and can be found through the AWS Console. There's no manual setup, you don't need a Chainguard account to subscribe, and billing is consolidated with your existing AWS bill.
+
+
+## Who should use Chainguard EKS add-ons?
+
+Chainguard EKS add-ons are well-suited for:
+
+- **Regulated industries**: Healthcare, financial services, defense, and government organizations that require FIPS 140-3 validated cryptography or operate under FedRAMP, NIST 800-53, or similar compliance frameworks.
+- **Security-conscious engineering teams**: Platform and DevOps teams that want a clean, auditable baseline for cluster infrastructure without maintaining custom image builds or accepting audit exceptions.
+- **Organizations requiring infrastructure control**: Enterprises that need more control over their EKS deployments than EKS Auto Mode provides, and for whom FIPS compliance through Auto Mode is not a viable option.
+
+
+## Using Chainguard EKS add-ons
+
+### Prerequisites
+
+In order to use Chainguard EKS add-ons, you will need the following:
+
+- An active AWS account
+- An existing Amazon EKS cluster, or permission to create one
+- AWS IAM permissions sufficient to subscribe to AWS Marketplace offerings
+
+### Subscribe through AWS Marketplace
+
+Chainguard EKS add-ons are listed in AWS Marketplace and can be found within the EKS Console. To subscribe:
+
+1. In the AWS Console, navigate to your EKS cluster and open the **Add-ons** tab.
+2. Search for the Chainguard add-on you want to install.
+3. Subscribe.
+
+### Deploy with Helm
+
+Once subscribed, deployment follows the standard EKS Helm workflow, and you can deploy the add-ons with AWS CLI or in your GitOps workflows. Unlike a standalone Helm chart, which is self-managed, EKS will automatically handle lifecycle management of your add-ons. No new tooling, no Chainguard account, and no changes to your existing Kubernetes manifests are required. 
+
+For step-by-step installation guidance, refer to the deployment instructions included with each add-on listing in AWS Marketplace.