Chainguard launches compliant EKS add-ons in AWS Marketplace

Chainguard has launched five Amazon Elastic Kubernetes Service add-ons in AWS Marketplace, aimed at organisations that need compliant infrastructure for regulated environments.

The add-ons cover kube-proxy, CoreDNS, VPC CNI, EBS CSI and EFS CSI, all core components in Kubernetes deployments on Amazon's managed container service. The underlying images are hardened, FIPS 140-3 validated and carry zero known common vulnerabilities and exposures.

For AWS customers, the launch provides a marketplace route to buy and deploy these components within existing EKS workflows, rather than sourcing them separately or handling their own hardening and patching.

Compliance push

The launch is aimed at companies in sectors where infrastructure choices are shaped by standards such as FedRAMP, HIPAA and PCI-DSS. In those environments, platform teams often need cryptographic modules and container images that meet specific compliance requirements while fitting internal procurement and operational controls.

For teams managing their own EKS node groups, obtaining compliant add-on components has typically required custom integration and ongoing maintenance. AWS offers a more managed route through EKS Auto Mode with FIPS-compatible infrastructure, but that does not suit every organisation, particularly those that want tighter control over individual add-ons.

Chainguard positions its listing as a way to fill that gap, offering a drop-in option through AWS Marketplace for users that want to manage the add-on lifecycle themselves. It also says it is the only third-party provider offering zero-known-CVE, FIPS 140-3 validated EKS add-on images in the marketplace.

Patrick Donahue, Senior Vice President of Product at Chainguard, described the issue as a longstanding trade-off for customers in regulated markets.

"Organisations in highly regulated industries that need FIPS-validated container images for their EKS add-ons have faced a difficult tradeoff between custom hardening work and adopting a fully managed approach," said Patrick Donahue, Senior Vice President of Product at Chainguard. "Chainguard's EKS add-ons bring the same zero-known-CVE, FIPS-validated images our customers rely on into the AWS-native procurement path so security teams get what they need without slowing developers down."

Core components

Each of the five add-ons supports a basic part of an EKS deployment. Kube-proxy manages network rules on each node for service connectivity. CoreDNS handles internal DNS resolution within the cluster. VPC CNI provides pod networking through AWS VPC-native IP addresses. EBS CSI supports Amazon EBS volume provisioning for pods, while EFS CSI enables access to Amazon EFS file systems.

These components are widely used building blocks in production Kubernetes environments. As a result, updating, patching and validating them can become a recurring burden for platform engineering and security teams, especially where systems must pass internal audits and external assessments.

Chainguard has built its business around container images designed to reduce that operational burden. It says it maintains a catalogue of more than 2,300 container images, continuously rebuilt from source and packaged with software bills of materials and verifiable signatures.

According to the company, this approach reduces unnecessary elements in each image and narrows the potential attack surface. Its FIPS-validated variants are intended for customers that need to meet cryptographic requirements tied to federal and industry standards.

AWS route

The AWS Marketplace listing also reflects a broader push by infrastructure suppliers to meet customers within the procurement and deployment tools they already use. Rather than asking teams to adopt a separate marketplace or bespoke delivery process, vendors are trying to fit more closely into cloud-native operating models.

That matters for regulated organisations because procurement, deployment and compliance review are often closely linked. A product available through established cloud channels may be easier to assess, purchase and roll out than one that requires separate contracting, custom packaging or manual integration.

Chainguard also framed the announcement against a security backdrop in which software vulnerabilities are being identified at increasing speed. It argues that artificial intelligence tools are helping expose weaknesses faster than maintainers can patch them, increasing pressure on teams responsible for software supply chain security.

Its customer base includes large enterprises such as Anduril, Canva, Fortinet, Hewlett Packard Enterprise, OpenAI, Snap and Snowflake.

Security and platform teams can adopt the new EKS add-ons without changing their existing EKS workflows or procurement processes, according to Chainguard.