---
title: "Amazon EKS-A"
diataxis: how-to
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/controllers/n4k/provider-integrations/amazon-eks-a/
---


Amazon EKS Anywhere lets you create and operate Kubernetes clusters on your own infrastructure. Amazon EKS Anywhere builds on the strengths of Amazon EKS Distro and provides open-source software that's up to date and patched so you can have an on-premises Kubernetes environment that's more reliable than a self-managed Kubernetes offering. Kyverno, an open-source policy engine, enables policy-based security, governance, and compliance for Amazon EKS-A clusters. Using Kyverno, enterprise platform teams can deploy the necessary guardrails to ensure that deployed applications are secure, compliant, and follow Amazon EKS Best Practices. 

### Deploying Enterprise Kyverno on Amazon EKS-A cluster

#### Prerequisites

* Request a Nirmata Enterprise Kyverno license from sales@nirmata.com
* Install the following tools: kubectl, AWS CLI, and optionally eksctl
* You have access to an Amazon EKS-A cluster
* Follow these prerequisites [here](https://github.com/aws-samples/eks-anywhere-addons) to install flux and external-secrets
* Also create the secret (aws-secret) with AWS credentials to allow the AWS Secret to be retrieved
* Add the Nirmata license to AWS Secrets Manager:
  - Create a Secret with the name 'nirmata-license-key' and type "Other type of secret"
  - In Key/Value pairs, add the license as plaintext
![image](/images/aws-secretsmanager.png)
  - Next, create the ClusterSecretStore as follows:
```bash
cat <<EOF | kubectl apply -f - 
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: eksa-secret-store
spec:
  provider:
    aws:  # set secretStore provider to AWS.
      service: SecretsManager
      region: us-west-1  # Region where the secret is.
      auth:
        secretRef:
          accessKeyIDSecretRef: 
            name: aws-secret # References the secret we created
            namespace: default
            key: access-key  
          secretAccessKeySecretRef:
            name: aws-secret
            namespace: default
            key: secret
EOF
```

#### Deploy Enterprise Kyverno as an Amazon EKS-A add-on
Follow the instructions [here](https://github.com/aws-samples/eks-anywhere-addons) to deploy Kyverno your Amazon EKS-A Cluster.

Nirmata Enterprise Kyverno Add-on repository is [here](https://github.com/aws-samples/eks-anywhere-addons/tree/main/eks-anywhere-common/Addons/Partner/Nirmata/Kyverno). 


The exact command to install the Kyverno add-on is:

```bash

Once the add-on is installed, you can verify that the Kyverno pods are running using the command:

```bash
kubectl get pods -n kyverno
```text