Production Tested Kubernetes

EKS Production Platform

Production-grade Kubernetes on AWS EKS with managed node groups, GitOps delivery, secrets management and full observability.

Overview

This architecture runs production workloads on AWS EKS with managed node groups distributed across multiple availability zones. The control plane is AWS-managed. Node groups are defined in Terraform with autoscaling enabled. ArgoCD handles all deployments — no kubectl apply in CI/CD.

Live implementations: aws-terraform-devops deploys Flask on EKS with RDS PostgreSQL 15 Multi-AZ, dual GitHub Actions and Jenkins pipelines, and S3+DynamoDB remote state. gitops-stack runs a full Build→Test→Deploy pipeline with Jenkins CI, Ansible node configuration and CloudWatch + CloudTrail observability — zero SSH keys, zero static credentials.

External Secrets Operator synchronizes secrets from AWS Secrets Manager into Kubernetes Secrets. IRSA (IAM Roles for Service Accounts) grants pods the minimum required AWS permissions without static credentials. All workloads define resource requests and limits, run as non-root, and have health probes configured.

Architecture Diagram

[Diagram: EKS Production Platform. Internet users reach CloudFront, then an ALB (HTTPS/TLS), then the EKS cluster (Kubernetes 1.35) with three managed node groups: a System node group running ArgoCD, Prometheus, Grafana and ESO; an App node group for application workloads with HPA and PodDisruptionBudgets; and a Spot node group for batch and non-critical work at a 60–70% cost reduction. Cluster add-ons: Cluster Autoscaler, HPA (CPU 70%), AWS Load Balancer Controller, kube-proxy, CoreDNS, metrics-server. Networking and identity: NetworkPolicies on the AWS VPC CNI, IRSA through the cluster OIDC provider (no static credentials in pods), Pod Security Standards. Supporting AWS services: ECR container registry, RDS Multi-AZ PostgreSQL 15, Secrets Manager via ESO, CloudWatch Container Insights.]
Traffic flow from internet through CloudFront and ALB into EKS, with supporting AWS services.

Key Components

AWS Load Balancer Controller

Provisions one ALB per Ingress resource (or one shared ALB per IngressGroup). Terminates TLS with an ACM certificate, runs target health checks and performs path-based routing. Used here in place of an in-cluster nginx ingress controller so that TLS termination and load balancing happen in AWS-managed infrastructure rather than in pods.
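An Ingress for the AWS Load Balancer Controller that does what the paragraph above describes: an internet-facing ALB that terminates TLS, redirects HTTP to HTTPS and routes by path. This is an added example, not a manifest from aws-terraform-devops or gitops-stack; the namespace, service names, hostname, region, account ID and certificate ARN are placeholders.

```yaml
# Added example (not from the page's repositories). Account ID, region,
# certificate ARN, hostname and Service names are assumed placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: flask-app
  namespace: prod-app
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    # ip target mode registers pod IPs directly, skipping the NodePort hop;
    # the controller then manages the backend security-group rules itself.
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Port 80 exists only to issue a 301 to 443; nothing is served in clear.
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:123456789012:certificate/REPLACE-WITH-ACM-CERT-ID
    # Modern TLS only (TLS 1.2+ and 1.3 suites); the default policy still allows older ciphers.
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
spec:
  ingressClassName: alb
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: flask-api
                port:
                  number: 8080
          - path: /
            pathType: Prefix
            backend:
              service:
                name: flask-web
                port:
                  number: 8080
```

Because CloudFront sits in front of the ALB in this design, the ALB's security group should admit only the CloudFront origin-facing managed prefix list (or CloudFront should add a secret header that an ALB listener rule checks); otherwise the ALB hostname can be hit directly and the edge controls are bypassed.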

ArgoCD (GitOps controller)

Watches the GitOps repository for changes, renders the Helm charts and applies the resulting manifests to the cluster. Auto-sync with prune and selfHeal is enabled in staging; production syncs only after manual approval.
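The staging-versus-production split described above, expressed as two Argo CD Application objects. This is an added example rather than config taken from gitops-stack; the organisation in the repository URL, the AppProject name, chart path, namespaces and version tag are assumptions.

```yaml
# Added example (not the page's own config). Repo organisation, project,
# chart path, namespaces and the release tag are assumed.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: flask-app-staging
  namespace: argocd
  finalizers:
    # Cascade-delete the deployed resources if this Application is removed.
    - resources-finalizer.argocd.argoproj.io
spec:
  project: platform
  source:
    repoURL: https://github.com/example-org/gitops-stack.git
    targetRevision: main
    path: charts/flask-app
    helm:
      valueFiles:
        - values-staging.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: staging-app
  syncPolicy:
    automated:
      prune: true      # delete cluster resources that were removed from Git
      selfHeal: true   # revert manual kubectl edits back to the Git state
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
      # Honour ignoreDifferences during sync too, not only during diffing.
      - RespectIgnoreDifferences=true
  # The HPA owns the replica count at runtime; without this, selfHeal
  # would keep resetting replicas to the chart's value.
  ignoreDifferences:
    - group: apps
      kind: Deployment
      jsonPointers:
        - /spec/replicas
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: flask-app-prod
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: platform
  source:
    repoURL: https://github.com/example-org/gitops-stack.git
    targetRevision: v1.4.2      # production pins a tag, never a moving branch
    path: charts/flask-app
    helm:
      valueFiles:
        - values-prod.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: prod-app
  syncPolicy:
    # No `automated` block: a Git change shows as OutOfSync until someone
    # with sync permission on this project triggers the sync.
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
      - RespectIgnoreDifferences=true
  ignoreDifferences:
    - group: apps
      kind: Deployment
      jsonPointers:
        - /spec/replicas
```

The manual gate is only as strong as Argo CD's own RBAC: the `platform` AppProject should restrict `sourceRepos` and `destinations`, and the `sync` action on production Applications should be limited to the on-call or release role rather than every developer with UI access.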

External Secrets Operator

Synchronizes secrets from AWS Secrets Manager into Kubernetes Secrets. Authenticates to AWS through IRSA, so no static credentials exist. Git holds only the ExternalSecret references (secret names and keys), never the values. The synced values do land in etcd as ordinary Kubernetes Secrets, so etcd encryption with a KMS key and tight RBAC on the target namespace remain necessary.
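The IRSA-backed ESO setup described above and under Security Controls (a service account mapped to an IAM role with minimum permissions), as an added example rather than manifests from the page's repositories. The account ID, role name, region, namespace label and Secrets Manager path are assumptions; the `external-secrets.io/v1` API applies to ESO 0.17 and later (older releases serve `v1beta1`).

```yaml
# Added example (not the page's own manifests). Account ID, role name,
# region, label key and the Secrets Manager secret path are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets
  namespace: external-secrets
  annotations:
    # IRSA: the EKS pod identity webhook injects a projected OIDC token and
    # AWS_ROLE_ARN; the SDK exchanges it via sts:AssumeRoleWithWebIdentity.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-secrets-reader
---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
  # Only namespaces carrying this label may reference the store, so a
  # compromised dev namespace cannot read production paths through ESO.
  conditions:
    - namespaceSelector:
        matchLabels:
          secrets.example.com/aws-store: "allowed"
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: app-db-credentials
  namespace: prod-app
spec:
  refreshInterval: 1h            # re-read Secrets Manager, so rotation propagates
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager
  target:
    name: app-db-credentials     # the Kubernetes Secret ESO creates and owns
    creationPolicy: Owner
  data:
    - secretKey: DB_USERNAME
      remoteRef:
        key: prod/app/db         # Secrets Manager secret name
        property: username       # JSON field inside that secret
    - secretKey: DB_PASSWORD
      remoteRef:
        key: prod/app/db
        property: password
```

The IAM side is where least privilege is actually enforced: the role's trust policy should name the cluster's OIDC provider as the federated principal with a `StringEquals` condition on `sub` = `system:serviceaccount:external-secrets:external-secrets` and `aud` = `sts.amazonaws.com`, and its permissions policy should allow only `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` on the `prod/app/*` secret ARNs (plus `kms:Decrypt` on the customer-managed key if one is used). A role that trusts the OIDC provider without the `sub` condition can be assumed by any pod in the cluster.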

Cluster Autoscaler

Adds nodes when pods are Pending for lack of capacity and removes nodes that stay underutilized. Configured with expander=least-waste, which picks the node group that would leave the least idle CPU and memory after scheduling. Works with the Spot node group for non-critical workloads at reduced cost.

Horizontal Pod Autoscaler

CPU utilization target of 70% for application Deployments. Min replicas 2 for availability. Max replicas sized from load testing. Utilization is computed against each container's CPU request, so every autoscaled pod must set requests or the HPA reports the metric as unknown and never scales.
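The HPA described above, together with the PodDisruptionBudget the diagram shows next to it, as an added example (not a manifest from the page's repositories). The Deployment name, namespace and the maximum replica count are assumptions; the maximum should come from load testing as the section says.

```yaml
# Added example (not from the page's repositories). Deployment name,
# namespace and maxReplicas are assumed.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: flask-app
  namespace: prod-app
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: flask-app
  minReplicas: 2
  maxReplicas: 12                # sized from load testing
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70   # percent of the container's CPU request
  behavior:
    scaleUp:
      stabilizationWindowSeconds: 0
      policies:
        - type: Percent
          value: 100             # may double the replica count per minute
          periodSeconds: 60
    scaleDown:
      # Wait five minutes of low load before removing pods, one per minute,
      # so a short dip does not trigger a scale-down followed by a scale-up.
      stabilizationWindowSeconds: 300
      policies:
        - type: Pods
          value: 1
          periodSeconds: 60
---
# Voluntary disruptions (node drain by the Cluster Autoscaler, node group
# upgrades) may evict only one pod at a time while at the two-replica floor.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: flask-app
  namespace: prod-app
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: flask-app
```

`kubectl describe hpa flask-app -n prod-app` shows the current utilization; a value of `<unknown>` means the target pods have no CPU request or metrics-server is not reporting. The PDB protects only against voluntary evictions, and only if the two replicas are on different nodes, so the Deployment should also spread pods across availability zones.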

CloudWatch Container Insights

Node-level CPU, memory, disk metrics. Container logs via Fluent Bit. Alarms at CPU >80%, Memory >85%. SNS notifications to on-call channel.

Security Controls

OIDC provider configured for the cluster. Every service account that needs AWS access maps to its own IAM role with the minimum required permissions; service accounts without AWS access have no role.

Pod Security Standards enforced at namespace level: restricted for application namespaces, baseline only where a system component genuinely needs it.

Network Policies: default deny all ingress and egress per namespace, explicit allow per service pair, plus an explicit egress allow to CoreDNS, which a default-deny policy would otherwise block. Enforcement requires the VPC CNI network policy feature to be enabled; without it the policies are stored but not enforced.

All images from ECR private registry — lifecycle policies clean up untagged images

automountServiceAccountToken: false on all pods that do not need Kubernetes API access

No privileged containers in production — drop ALL capabilities, add only what is needed
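The namespace and workload controls listed above applied to a single application, as an added example (not manifests from aws-terraform-devops or gitops-stack): a namespace under the restricted Pod Security Standard, a default-deny NetworkPolicy with the DNS exception, and a Deployment that runs as non-root with all capabilities dropped, no service account token, resource requests and limits, and health probes. Namespace, image tag, port, UID and the ECR account and region are assumptions.

```yaml
# Added example (not the page's own manifests). Namespace, image, port,
# UID/GID and the ECR account/region are assumed placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: prod-app
  labels:
    # enforce rejects violating pods; warn/audit surface the reason at
    # apply time instead of leaving a ReplicaSet silently unable to schedule.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Default deny: no ingress or egress for any pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod-app
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Default deny also blocks name resolution, so allow egress to CoreDNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: prod-app
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { port: 53, protocol: UDP }
        - { port: 53, protocol: TCP }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flask-app
  namespace: prod-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: flask-app
  template:
    metadata:
      labels:
        app: flask-app
    spec:
      automountServiceAccountToken: false   # the app never talks to the API server
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault              # required by the restricted profile
      containers:
        - name: app
          image: 123456789012.dkr.ecr.eu-west-1.amazonaws.com/flask-app:1.4.2
          ports:
            - containerPort: 8080           # unprivileged port: no NET_BIND_SERVICE needed
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests: { cpu: 250m, memory: 256Mi }
            limits: { cpu: "1", memory: 512Mi }
          readinessProbe:
            httpGet: { path: /healthz, port: 8080 }
            periodSeconds: 10
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - name: tmp
              mountPath: /tmp               # writable scratch on a read-only rootfs
      volumes:
        - name: tmp
          emptyDir: {}
```

With this in place, traffic from the ALB still needs its own allow rule: in ip target mode the load balancer reaches pods from its ENIs inside the VPC, so the ingress policy for the app uses an `ipBlock` covering the ALB subnets (or, with pod-to-pod traffic, a `podSelector` for the calling service). Verify enforcement rather than assuming it: `kubectl exec` into a pod in another namespace and confirm a connection to the app's pod IP times out.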

Stack

EKS (aws-terraform-devops) Terraform Jenkins Ansible ArgoCD Helm CloudWatch CloudTrail IRSA RDS Multi-AZ GitHub Actions SonarCloud Flask Docker

Need this implemented?

We implement production EKS clusters with full Terraform automation, GitOps setup and observability stack included.

Start a conversation →