AWS EKS - Cluster-Level Multi-AZ Enforcement Solutions

❌ What’s NOT Available in EKS

Kubernetes Scheduler Configuration: EKS doesn’t allow modification of KubeSchedulerConfiguration to set custom default topology spread constraints
Built-in Cluster Defaults: No native EKS setting to enforce multi-AZ distribution automatically

✅ Available Solutions (Ranked by Effectiveness)

Solution 1: Mutating Admission Webhook (Recommended)

This automatically injects topology spread constraints into all deployments at creation time.

A. Deploy the Mutating Webhook

# mutating-webhook-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: multiaz-webhook
  namespace: kube-system
  labels:
    app: multiaz-webhook
spec:
  replicas: 2
  selector:
    matchLabels:
      app: multiaz-webhook
  template:
    metadata:
      labels:
        app: multiaz-webhook
    spec:
      serviceAccountName: multiaz-webhook
      containers:
      - name: webhook
        image: your-registry/multiaz-webhook:latest
        ports:
        - containerPort: 8443
        env:
        - name: TLS_CERT_FILE
          value: /etc/certs/tls.crt
        - name: TLS_PRIVATE_KEY_FILE
          value: /etc/certs/tls.key
        volumeMounts:
        - name: certs
          mountPath: /etc/certs
          readOnly: true
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 200m
            memory: 256Mi
      volumes:
      - name: certs
        secret:
          secretName: multiaz-webhook-certs
---
apiVersion: v1
kind: Service
metadata:
  name: multiaz-webhook-service
  namespace: kube-system
spec:
  selector:
    app: multiaz-webhook
  ports:
  - port: 443
    targetPort: 8443
    protocol: TCP
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: multiaz-webhook
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: multiaz-webhook
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: multiaz-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: multiaz-webhook
subjects:
- kind: ServiceAccount
  name: multiaz-webhook
  namespace: kube-system

B. Webhook Configuration

# mutating-webhook-config.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionWebhook
metadata:
  name: multiaz-enforcer
webhooks:
- name: multiaz.enforcer.eks.aws
  clientConfig:
    service:
      name: multiaz-webhook-service
      namespace: kube-system
      path: "/mutate"
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["apps"]
    apiVersions: ["v1"]
    resources: ["deployments"]
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["apps"]
    apiVersions: ["v1"]
    resources: ["replicasets"]
  namespaceSelector:
    matchExpressions:
    - key: name
      operator: NotIn
      values: ["kube-system", "kube-public", "kube-node-lease"]
  objectSelector:
    matchExpressions:
    - key: multiaz.enforcer.eks.aws/skip
      operator: DoesNotExist
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  failurePolicy: Fail

C. Sample Webhook Code (Go)

// webhook-server.go
package main

import (
    "context"
    "encoding/json"
    "fmt"
    "net/http"
    
    admissionv1 "k8s.io/api/admission/v1"
    appsv1 "k8s.io/api/apps/v1"
    corev1 "k8s.io/api/core/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/apimachinery/pkg/runtime"
)

type WebhookServer struct {
    server *http.Server
}

func (ws *WebhookServer) mutate(w http.ResponseWriter, r *http.Request) {
    var body []byte
    if r.Body != nil {
        if data, err := ioutil.ReadAll(r.Body); err == nil {
            body = data
        }
    }

    var admissionResponse *admissionv1.AdmissionResponse
    ar := admissionv1.AdmissionReview{}
    
    if err := json.Unmarshal(body, &ar); err != nil {
        admissionResponse = &admissionv1.AdmissionResponse{
            Result: &metav1.Status{
                Message: err.Error(),
            },
        }
    } else {
        admissionResponse = ws.mutateDeployment(&ar)
    }

    admissionReview := admissionv1.AdmissionReview{}
    if admissionResponse != nil {
        admissionReview.Response = admissionResponse
        if ar.Request != nil {
            admissionReview.Response.UID = ar.Request.UID
        }
    }

    respBytes, _ := json.Marshal(admissionReview)
    w.Header().Set("Content-Type", "application/json")
    w.Write(respBytes)
}

func (ws *WebhookServer) mutateDeployment(ar *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
    req := ar.Request
    var deployment appsv1.Deployment
    
    if err := json.Unmarshal(req.Object.Raw, &deployment); err != nil {
        return &admissionv1.AdmissionResponse{
            Result: &metav1.Status{
                Message: err.Error(),
            },
        }
    }

    // Check if topology spread constraints already exist
    if hasTopologySpreadConstraints(&deployment) {
        return &admissionv1.AdmissionResponse{Allowed: true}
    }

    // Add multi-AZ topology spread constraints
    patches := createMultiAZPatches(&deployment)
    
    patchBytes, _ := json.Marshal(patches)
    
    return &admissionv1.AdmissionResponse{
        Allowed: true,
        Patch:   patchBytes,
        PatchType: func() *admissionv1.PatchType {
            pt := admissionv1.PatchTypeJSONPatch
            return &pt
        }(),
    }
}

func hasTopologySpreadConstraints(deployment *appsv1.Deployment) bool {
    return len(deployment.Spec.Template.Spec.TopologySpreadConstraints) > 0
}

func createMultiAZPatches(deployment *appsv1.Deployment) []map[string]interface{} {
    patches := []map[string]interface{}{}
    
    // Add topology spread constraints for AZ distribution
    topologyConstraints := []corev1.TopologySpreadConstraint{
        {
            MaxSkew:           1,
            TopologyKey:       "topology.kubernetes.io/zone",
            WhenUnsatisfiable: corev1.DoNotSchedule,
            MinDomains:        func() *int32 { i := int32(3); return &i }(),
            LabelSelector: &metav1.LabelSelector{
                MatchLabels: deployment.Spec.Selector.MatchLabels,
            },
        },
        {
            MaxSkew:           2,
            TopologyKey:       "kubernetes.io/hostname",
            WhenUnsatisfiable: corev1.ScheduleAnyway,
            LabelSelector: &metav1.LabelSelector{
                MatchLabels: deployment.Spec.Selector.MatchLabels,
            },
        },
    }
    
    patches = append(patches, map[string]interface{}{
        "op":    "add",
        "path":  "/spec/template/spec/topologySpreadConstraints",
        "value": topologyConstraints,
    })
    
    return patches
}

Solution 2: OPA Gatekeeper (Policy-Based Approach)

This validates and can mutate deployments to enforce multi-AZ distribution.

A. Install Gatekeeper

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.14/deploy/gatekeeper.yaml
Code language: JavaScript (javascript)

B. Create Constraint Template

# gatekeeper-multiaz-template.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8smultiazrequired
spec:
  crd:
    spec:
      names:
        kind: K8sMultiAZRequired
      validation:
        openAPIV3Schema:
          type: object
          properties:
            message:
              type: string
            exemptNamespaces:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8smultiazrequired

        violation[{"msg": msg}] {
          input.review.kind.kind == "Deployment"
          input.review.object.spec.replicas > 1
          not input.review.object.spec.template.spec.topologySpreadConstraints
          not is_exempt_namespace
          msg := sprintf("Deployment %s must have topology spread constraints for multi-AZ distribution", [input.review.object.metadata.name])
        }

        violation[{"msg": msg}] {
          input.review.kind.kind == "Deployment"
          input.review.object.spec.replicas > 1
          input.review.object.spec.template.spec.topologySpreadConstraints
          not has_zone_topology_constraint
          not is_exempt_namespace
          msg := sprintf("Deployment %s must have zone topology spread constraint", [input.review.object.metadata.name])
        }

        has_zone_topology_constraint {
          constraint := input.review.object.spec.template.spec.topologySpreadConstraints[_]
          constraint.topologyKey == "topology.kubernetes.io/zone"
        }

        is_exempt_namespace {
          exempt_namespaces := input.parameters.exemptNamespaces
          input.review.object.metadata.namespace == exempt_namespaces[_]
        }

C. Create Constraint

# gatekeeper-multiaz-constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMultiAZRequired
metadata:
  name: must-have-multiaz-topology
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    excludedNamespaces: ["kube-system", "kube-public", "gatekeeper-system"]
  parameters:
    message: "All deployments with more than 1 replica must have multi-AZ topology spread constraints"
    exemptNamespaces: ["kube-system", "kube-public", "gatekeeper-system"]

Solution 3: Kyverno (Alternative Policy Engine)

A. Install Kyverno

kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
Code language: JavaScript (javascript)

B. Create Multi-AZ Policy

# kyverno-multiaz-policy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-multiaz-topology
spec:
  validationFailureAction: enforce
  background: true
  rules:
  - name: check-multiaz-topology
    match:
      any:
      - resources:
          kinds:
          - Deployment
          namespaces:
          - "!kube-system"
          - "!kube-public"
          - "!kyverno"
    validate:
      message: "Deployments with replicas > 1 must have topology spread constraints for multi-AZ distribution"
      pattern:
        spec:
          =(replicas): "1"
  - name: require-zone-topology
    match:
      any:
      - resources:
          kinds:
          - Deployment
          namespaces:
          - "!kube-system"
          - "!kube-public"
          - "!kyverno"
    validate:
      message: "Deployments with replicas > 1 must have zone topology spread constraints"
      anyPattern:
      - spec:
          replicas: 1
      - spec:
          template:
            spec:
              topologySpreadConstraints:
              - topologyKey: "topology.kubernetes.io/zone"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-multiaz-topology
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: add-topology-constraints
    match:
      any:
      - resources:
          kinds:
          - Deployment
          namespaces:
          - "!kube-system"
          - "!kube-public"
          - "!kyverno"
    preconditions:
      all:
      - key: "{{ request.object.spec.replicas }}"
        operator: GreaterThan
        value: 1
      - key: "{{ request.object.spec.template.spec.topologySpreadConstraints || `[]` | length(@) }}"
        operator: Equals
        value: 0
    mutate:
      patchStrategicMerge:
        spec:
          template:
            spec:
              topologySpreadConstraints:
              - maxSkew: 1
                topologyKey: "topology.kubernetes.io/zone"
                whenUnsatisfiable: DoNotSchedule
                minDomains: 3
                labelSelector:
                  matchLabels:
                    "{{ request.object.spec.selector.matchLabels }}"
              - maxSkew: 2
                topologyKey: "kubernetes.io/hostname"
                whenUnsatisfiable: ScheduleAnyway
                labelSelector:
                  matchLabels:
                    "{{ request.object.spec.selector.matchLabels }}"

Solution 4: Namespace-Level Defaults with LimitRanges

While not directly enforcing topology constraints, you can use this approach combined with other solutions:

# namespace-defaults.yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: multiaz-defaults
  namespace: production
spec:
  limits:
  - default:
      cpu: "500m"
      memory: "512Mi"
    defaultRequest:
      cpu: "100m"
      memory: "128Mi"
    type: Container
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: multiaz-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    pods: "50"

Implementation Guide

Step 1: Choose Your Approach

For Maximum Control: Use Mutating Admission Webhook For Policy Management: Use Kyverno (easier) or OPA Gatekeeper (more powerful) For Simple Validation: Use Gatekeeper validation only

Step 2: Deploy the Solution

# For Kyverno (Recommended for simplicity)
kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
kubectl apply -f kyverno-multiaz-policy.yaml

# Verify installation
kubectl get clusterpolicy
Run in CloudShell

Step 3: Test the Enforcement

# test-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
      - name: nginx
        image: nginx:1.21
        resources:
          requests:
            cpu: 100m
            memory: 128Mi

# This should either be automatically modified (mutating webhook/Kyverno)
# or rejected (validation-only policies)
kubectl apply -f test-deployment.yaml

# Check if topology constraints were added
kubectl get deployment test-app -o yaml | grep -A 20 topologySpreadConstraints
Run in CloudShell

Step 4: Create Exemption Mechanism

# For deployments that should skip multi-AZ enforcement
apiVersion: apps/v1
kind: Deployment
metadata:
  name: single-az-app
  namespace: default
  annotations:
    multiaz.enforcer.eks.aws/skip: "true"  # For webhook
    policies.kyverno.io/skip: "true"       # For Kyverno
spec:
  replicas: 1
  # ... rest of deployment

Monitoring and Validation

Check Policy Compliance

# For Kyverno
kubectl get cpol
kubectl describe cpol require-multiaz-topology

# For Gatekeeper
kubectl get constraints
kubectl describe k8smultiazrequired must-have-multiaz-topology

# Check violations
kubectl get events --field-selector reason=PolicyViolation
Run in CloudShell

Validate Existing Deployments

#!/bin/bash
# check-multiaz-compliance.sh

echo "Checking Multi-AZ compliance for all deployments..."

kubectl get deployments --all-namespaces -o json | jq -r '
.items[] | 
select(.spec.replicas > 1) |
select(.spec.template.spec.topologySpreadConstraints == null or 
       (.spec.template.spec.topologySpreadConstraints | 
        map(select(.topologyKey == "topology.kubernetes.io/zone")) | 
        length == 0)) |
"\(.metadata.namespace)/\(.metadata.name) - Missing multi-AZ topology constraints"
'
Run in CloudShell

Recommended Implementation

For your EKS Auto Mode cluster, I recommend:

Start with Kyverno – easier to implement and maintain
Use the mutating policy to automatically add topology constraints
Set up monitoring to track compliance
Create exemption mechanisms for special cases
Test thoroughly in a non-production environment first

This approach ensures that every deployment with more than 1 replica automatically gets multi-AZ distribution without requiring developers to remember to add topology spread constraints manually.

Sources

Spread workloads across nodes and Availability Zones – AWS Prescriptive Guidance

Use admission controllers to enforce security policies – Security Practices for Multi-Tenant SaaS Applications using Amazon EKS

Running highly-available applications – Amazon EKS

EKS Control Plane – Amazon EKS

Tenant Isolation – Amazon EKS

Managing webhook failures on Amazon EKS | AWS re:Post

Pod Security – Amazon EKS

TopologySpreadConstraints in EKS auto mode does not seem to work | AWS re:Post

Troubleshoot cluster scaling in Amazon EKS with Karpenter autoscaler | AWS re:Post

Image security – Amazon EKS

Scheduling – Containers on AWS

Kubernetes Data Plane – Amazon EKS

Customizing scheduling on Amazon EKS | Containers

EKS Data Plane – Amazon EKS

VPC and Subnet Considerations – Amazon EKS

Manage CoreDNS for DNS in Amazon EKS clusters – Amazon EKS

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND

Rajesh Kumar DailyLogs

Find Trusted Cardiac Hospitals

Compare heart hospitals by city and services — all in one place.

Explore Hospitals

1 Comment

Newest

Oldest Most Voted

Inline Feedbacks

View all comments

Skylar Bennett

2 days ago

This post does a great job explaining how enforcing multi‑AZ configurations at the cluster level in AWS EKS can significantly improve application resilience and uptime. Ensuring high availability across multiple availability zones is essential for production workloads, and the guidance here helps clarify both the “why” and the “how” behind it. I especially found the emphasis on architectural best practices and automated enforcement insightful, as these are key to avoiding single‑point failures and maintaining consistent performance. Overall, it’s a practical resource for DevOps engineers working with Kubernetes on AWS.