# EKS Composites
These composites produce K8s YAML with EKS-specific annotations and configurations. They complement the generic composites by adding AWS service integrations.
## IrsaServiceAccount

ServiceAccount annotated for IAM Roles for Service Accounts (IRSA):

```ts
import { IrsaServiceAccount } from "@intentius/chant-lexicon-k8s";

const { serviceAccount, role, roleBinding } = IrsaServiceAccount({
  name: "app-sa",
  iamRoleArn: "arn:aws:iam::123456789012:role/my-app-role",
  rbacRules: [
    { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
  ],
  namespace: "prod",
});
```

- Sets the `eks.amazonaws.com/role-arn` annotation on the ServiceAccount
- Optional RBAC rules create a Role + RoleBinding scoped to the namespace
- The IAM role trust policy must include an OIDC condition for `system:serviceaccount:<namespace>:<name>`
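The composite only produces the Kubernetes side; the AWS side is the IAM role trust policy that the last bullet describes. The following is an added example (not code from `@intentius/chant-lexicon-k8s`) that builds that trust policy for a given namespace and ServiceAccount and lints an existing one for the usual mistakes: a missing `sub` condition, a wildcard `StringLike` match, or a missing `aud` pin. The account id is the page's sample value; the OIDC provider id is a constructed placeholder.

```typescript
// Added example, not part of the chant lexicon. "oidcProvider" is the cluster's OIDC issuer
// host + path without "https://"; the id used in the test below is a constructed placeholder.
interface IrsaTrust {
  accountId: string;
  oidcProvider: string;
  namespace: string;
  serviceAccount: string;
}

// Trust policy that lets exactly one service account assume the role via IRSA.
function irsaTrustPolicy(t: IrsaTrust) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: `arn:aws:iam::${t.accountId}:oidc-provider/${t.oidcProvider}` },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        StringEquals: {
          // Pin the subject to system:serviceaccount:<namespace>:<name> and the audience to STS.
          [`${t.oidcProvider}:sub`]: `system:serviceaccount:${t.namespace}:${t.serviceAccount}`,
          [`${t.oidcProvider}:aud`]: "sts.amazonaws.com",
        },
      },
    }],
  };
}

// Lists problems with an existing trust policy for the given service account; empty means OK.
function checkIrsaTrust(policy: any, t: IrsaTrust): string[] {
  const problems: string[] = [];
  const want = `system:serviceaccount:${t.namespace}:${t.serviceAccount}`;
  const subKey = `${t.oidcProvider}:sub`;
  const stmts: any[] = Array.isArray(policy?.Statement) ? policy.Statement : [];
  for (const s of stmts) {
    if (s.Effect !== "Allow" || s.Action !== "sts:AssumeRoleWithWebIdentity") continue;
    const cond = s.Condition ?? {};
    const eq = cond.StringEquals?.[subKey];
    const like = cond.StringLike?.[subKey];
    if (eq === undefined && like === undefined) {
      problems.push("no sub condition: any service account in the cluster could assume this role");
    } else if (like !== undefined && String(like).includes("*")) {
      problems.push(`wildcard sub condition "${like}": scope it to ${want}`);
    } else if (eq !== undefined && eq !== want) {
      problems.push(`sub condition "${eq}" does not match ${want}`);
    }
    if (cond.StringEquals?.[`${t.oidcProvider}:aud`] !== "sts.amazonaws.com") {
      problems.push("aud condition missing: pin the audience to sts.amazonaws.com");
    }
  }
  return problems;
}
```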
## AlbIngress

Ingress with AWS ALB Controller annotations:

```ts
import { AlbIngress } from "@intentius/chant-lexicon-k8s";

const { ingress } = AlbIngress({
  name: "api-ingress",
  hosts: [
    {
      hostname: "api.example.com",
      paths: [{ path: "/", serviceName: "api", servicePort: 80 }],
    },
  ],
  scheme: "internet-facing",
  certificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abc-123",
  groupName: "shared-alb",
  healthCheckPath: "/healthz",
});
```

- Auto-sets `alb.ingress.kubernetes.io/*` annotations
- SSL redirect enabled by default when `certificateArn` is set
- `groupName` shares a single ALB across multiple Ingress resources
- `wafAclArn` for WAFv2 integration
- `scheme` controls internet-facing vs internal ALB
## EbsStorageClass

StorageClass for the EBS CSI driver:

```ts
import { EbsStorageClass } from "@intentius/chant-lexicon-k8s";

const { storageClass } = EbsStorageClass({
  name: "gp3-encrypted",
  type: "gp3",
  encrypted: true,
  iops: "3000",
  throughput: "125",
});
```

- Provisions `ebs.csi.aws.com` volumes
- Supports `gp2`, `gp3`, `io1`, `io2`, `st1`, `sc1` types
- `encrypted: true` enables at-rest encryption (recommended)
## EfsStorageClass

StorageClass for the EFS CSI driver (ReadWriteMany):

```ts
import { EfsStorageClass } from "@intentius/chant-lexicon-k8s";

const { storageClass } = EfsStorageClass({
  name: "efs-shared",
  fileSystemId: "fs-12345678",
});
```

- ReadWriteMany access — shared across pods and nodes
- Requires the EFS CSI driver EKS add-on
- Use EBS for ReadWriteOnce (single pod), EFS for ReadWriteMany (shared)
## FluentBitAgent

DaemonSet for CloudWatch logging:

```ts
import { FluentBitAgent } from "@intentius/chant-lexicon-k8s";

const result = FluentBitAgent({
  logGroup: "/aws/eks/my-cluster/containers",
  region: "us-east-1",
  clusterName: "my-cluster",
});
```

- Deploys Fluent Bit as a DaemonSet with host path mounts for `/var/log`
- Forwards container logs to CloudWatch Logs
- Uses IRSA for authentication (pair with `IrsaServiceAccount`)
## ExternalDnsAgent

ExternalDNS for Route53 integration:

```ts
import { ExternalDnsAgent } from "@intentius/chant-lexicon-k8s";

const result = ExternalDnsAgent({
  iamRoleArn: "arn:aws:iam::123456789012:role/external-dns-role",
  domainFilters: ["example.com"],
  txtOwnerId: "my-cluster",
});
```

- Watches Ingress/Service resources and creates Route53 records
- `domainFilters` restricts which domains ExternalDNS can manage
- `txtOwnerId` prevents conflicts between multiple clusters
## AdotCollector

AWS Distro for OpenTelemetry (ADOT) for CloudWatch and X-Ray:

```ts
import { AdotCollector } from "@intentius/chant-lexicon-k8s";

const result = AdotCollector({
  region: "us-east-1",
  clusterName: "my-cluster",
  exporters: ["cloudwatch", "xray"],
});
```

- Deploys ADOT as a DaemonSet collecting metrics and traces
- Exports to CloudWatch Metrics and/or X-Ray
- Uses IRSA for authentication (pair with `IrsaServiceAccount`)
## Pod Identity vs IRSA

| Feature | IRSA | Pod Identity |
|---|---|---|
| K8s annotation needed | Yes (eks.amazonaws.com/role-arn) | No |
| Composite available | IrsaServiceAccount | None needed |
| Setup | OIDC provider + IAM role trust policy | EKS Pod Identity Agent add-on + association |
| When to use | Existing clusters, broad compatibility | New clusters (EKS 1.28+), simpler management |
For Pod Identity, no K8s-side composite is needed — configure the association via AWS API/CloudFormation and use a plain ServiceAccount.
## Fargate considerations

When running on EKS Fargate:

- No DaemonSets — `FluentBitAgent` and `AdotCollector` cannot run on Fargate nodes
- No hostPath volumes — use EFS for shared storage
- No privileged containers — security context restrictions apply
- For Fargate logging, use the built-in Fluent Bit log router (Fargate logging configuration)
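The three scheduling constraints above are easy to check before applying manifests. The following is an added example (not code from the chant lexicon) that walks a list of plain Kubernetes manifest objects and reports DaemonSets, hostPath volumes and privileged containers that Fargate would refuse; the sample manifests are constructed for the example.

```typescript
// Added example, not part of the chant lexicon. Manifests are plain objects of the shape the
// K8s API accepts; only the fields inspected here are typed.
type Manifest = { kind: string; metadata?: { name?: string }; spec?: any };

// Returns one message per Fargate incompatibility found; an empty array means the manifests
// can be scheduled on Fargate as far as these three rules go.
function fargateViolations(manifests: Manifest[]): string[] {
  const out: string[] = [];
  for (const m of manifests) {
    const id = `${m.kind}/${m.metadata?.name ?? "<unnamed>"}`;
    if (m.kind === "DaemonSet") out.push(`${id}: DaemonSets are not scheduled on Fargate nodes`);
    // The pod template lives at spec.template.spec for workloads, at spec for a bare Pod.
    const pod = m.kind === "Pod" ? m.spec : m.spec?.template?.spec;
    if (!pod) continue;
    for (const v of pod.volumes ?? []) {
      if (v.hostPath) out.push(`${id}: volume ${v.name} uses hostPath ${v.hostPath.path}; use EFS instead`);
    }
    const containers = [...(pod.initContainers ?? []), ...(pod.containers ?? [])];
    for (const c of containers) {
      if (c.securityContext?.privileged === true) out.push(`${id}: container ${c.name} is privileged`);
    }
  }
  return out;
}

// Constructed sample input: a Fluent Bit style DaemonSet mounting /var/log, and a plain
// Deployment that uses an EFS-backed PVC instead.
const sampleManifests: Manifest[] = [
  { kind: "DaemonSet", metadata: { name: "fluent-bit" }, spec: { template: { spec: {
    volumes: [{ name: "varlog", hostPath: { path: "/var/log" } }],
    containers: [{ name: "fluent-bit", securityContext: { privileged: false } }],
  } } } },
  { kind: "Deployment", metadata: { name: "api" }, spec: { template: { spec: {
    volumes: [{ name: "data", persistentVolumeClaim: { claimName: "efs-shared" } }],
    containers: [{ name: "api" }],
  } } } },
];
```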
## EKS add-ons

Common add-ons managed via AWS (not K8s manifests):

| Add-on | Required for |
|---|---|
| vpc-cni | Amazon VPC CNI plugin |
| coredns | Cluster DNS |
| kube-proxy | Network proxy |
| aws-ebs-csi-driver | EbsStorageClass |
| aws-efs-csi-driver | EfsStorageClass |
| adot | Alternative to AdotCollector composite |
| aws-guardduty-agent | Runtime threat detection |
Configure add-ons via the AWS CloudFormation lexicon.
## Further reading

- AWS EKS + Kubernetes tutorial — full deployment walkthrough
- Deploying to EKS — AWS lexicon bridge page
- Generic composites — WebApp, AutoscaledService, NamespaceEnv, and more