diff --git a/examples/ensure-cni-upgrade/Pulumi.yaml b/examples/ensure-cni-upgrade/Pulumi.yaml
new file mode 100644
index 000000000..6dc6ae5d6
--- /dev/null
+++ b/examples/ensure-cni-upgrade/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: ensure-cni-upgrade
+description: EKS cluster example to ensure CNI is upgraded when the base manifest changes
+runtime: nodejs
diff --git a/examples/ensure-cni-upgrade/index.ts b/examples/ensure-cni-upgrade/index.ts
new file mode 100644
index 000000000..4c01d2e97
--- /dev/null
+++ b/examples/ensure-cni-upgrade/index.ts
@@ -0,0 +1,18 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as awsx from "@pulumi/awsx";
+import * as eks from "@pulumi/eks";
+
+const projectName = pulumi.getProject();
+
+// Create an EKS cluster with the default configuration.
+const cluster = new eks.Cluster(`${projectName}-1`);
+
+// Create a VPC CNI resource for the cluster.
+// We have to use a strigified version of the kubeconfig because earlier versions
+// of the EKS provider did not parse the kubeconfig correctly.
+// https://github.com/pulumi/pulumi-eks/issues/1092
+const vpcCni = new eks.VpcCni(`${projectName}-1-cni`, cluster.kubeconfigJson);
+
+
+// Export the clusters' kubeconfig.
+export const kubeconfig = cluster.kubeconfigJson;
\ No newline at end of file
diff --git a/examples/ensure-cni-upgrade/package.json b/examples/ensure-cni-upgrade/package.json
new file mode 100644
index 000000000..3e7b60b22
--- /dev/null
+++ b/examples/ensure-cni-upgrade/package.json
@@ -0,0 +1,12 @@
+{
+    "name": "ensure-cni-upgrade",
+    "devDependencies": {
+        "typescript": "^4.0.0",
+        "@types/node": "latest"
+    },
+    "dependencies": {
+        "@pulumi/pulumi": "^3.0.0",
+        "@pulumi/awsx": "^2.0.2",
+        "@pulumi/eks": "latest"
+    }
+}
diff --git a/examples/ensure-cni-upgrade/tsconfig.json b/examples/ensure-cni-upgrade/tsconfig.json
new file mode 100644
index 000000000..2ea71672d
--- /dev/null
+++ b/examples/ensure-cni-upgrade/tsconfig.json
@@ -0,0 +1,24 @@
+{
+    "compilerOptions": {
+        "outDir": "bin",
+        "target": "es6",
+        "lib": [
+            "es6"
+        ],
+        "module": "commonjs",
+        "moduleResolution": "node",
+        "declaration": true,
+        "sourceMap": true,
+        "stripInternal": true,
+        "experimentalDecorators": true,
+        "pretty": true,
+        "noFallthroughCasesInSwitch": true,
+        "noImplicitAny": true,
+        "noImplicitReturns": true,
+        "forceConsistentCasingInFileNames": true,
+        "strictNullChecks": true
+    },
+    "files": [
+        "index.ts"
+    ]
+}
diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go
index 5027b0f5a..9478a0f3c 100644
--- a/examples/examples_nodejs_test.go
+++ b/examples/examples_nodejs_test.go
@@ -28,8 +28,11 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 
+	"github.com/pulumi/providertest/pulumitest"
+	"github.com/pulumi/providertest/pulumitest/opttest"
 	"github.com/pulumi/pulumi-eks/examples/utils"
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+	"github.com/pulumi/pulumi/sdk/v3/go/auto/optup"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -621,3 +624,56 @@ func getJSBaseOptions(t *testing.T) integration.ProgramTestOptions {
 
 	return baseJS
 }
+
+// TestCNIAcrossUpdates tests that the CNI manifest is reapplied when the EKS provider changes its base manifest.
+func TestCNIAcrossUpdates(t *testing.T) {
+	t.Log("Running `pulumi up` with v2.1.0 of the EKS provider")
+	pt := pulumitest.NewPulumiTest(t, "ensure-cni-upgrade", opttest.AttachDownloadedPlugin("eks", "2.1.0"))
+	result := pt.Up()
+
+	t.Log("Ensuring a kubeconfig output is present")
+	kcfg, ok := result.Outputs["kubeconfig"]
+	require.True(t, ok)
+
+	t.Log("Validating that the v1.11.0 CNI manifest is applied correctly")
+	var awsNodeContainerFound bool
+	assert.NoError(t, utils.ValidateDaemonSet(t, kcfg.Value, "kube-system", "aws-node", func(ds *appsv1.DaemonSet) {
+		for _, c := range ds.Spec.Template.Spec.Containers {
+			switch c.Name {
+			case "aws-node":
+				awsNodeContainerFound = true
+				assert.Equal(t, "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.11.0", c.Image)
+			}
+		}
+	}))
+	assert.True(t, awsNodeContainerFound)
+
+	t.Log("Running `pulumi up` with the latest version of the EKS provider")
+	pt = pt.CopyToTempDir(opttest.Defaults())
+
+	prevResult := pt.Preview()
+	assert.Equal(t, 1, len(prevResult.ChangeSummary))
+
+	result = pt.Up()
+	kcfg, ok = result.Outputs["kubeconfig"]
+	require.True(t, ok)
+
+	t.Log("Validating that the CNI manifests has been updated to the latest v1.16.0 version")
+	awsNodeContainerFound = false
+	assert.NoError(t, utils.ValidateDaemonSet(t, kcfg.Value, "kube-system", "aws-node", func(ds *appsv1.DaemonSet) {
+		// The exact image names/versions are obtained from the manifest in `nodejs/eks/cni/aws-k8s-cni.yaml`.
+		for _, c := range ds.Spec.Template.Spec.Containers {
+			switch c.Name {
+			case "aws-node":
+				awsNodeContainerFound = true
+				assert.Equal(t, "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.16.0", c.Image)
+			case "aws-eks-nodeagent":
+				assert.Equal(t, "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent:v1.0.7", c.Image)
+			}
+		}
+	}))
+	assert.True(t, awsNodeContainerFound)
+
+	t.Log("Ensuring that re-running `pulumi up` results in no changes and no spurious diffs")
+	pt.Up(optup.ExpectNoChanges())
+}