Modernizing Kubernetes Workflows with Amazon EKS Capabilities

Introduction

As cloud-native environments scale, the complexity of managing the underlying platform often outpaces the development of applications. Designing and automating infrastructure requires a delicate balance between reliability and speed. Historically, maintaining the ecosystem of open-source add-ons required to make Kubernetes production-ready, from routing and deployment to cloud resource provisioning, has drained engineering bandwidth.

To address this friction, AWS recently launched Amazon EKS Capabilities, a massive shift in how Kubernetes workloads are orchestrated. This suite of fully managed, Kubernetes-native solutions abstracts away the operational heavy lifting of cluster tooling, allowing teams to focus purely on application delivery and system observability.

Here is a comprehensive look at what Amazon EKS Capabilities is, how it functions under the hood, and why it represents a major leap forward for cloud-native infrastructure.

The Operational Burden of Self-Managed Tooling

Building a Kubernetes environment from scratch involves much more than just spinning up a control plane and worker nodes. A production-grade cluster requires a stack of operational software: deployment controllers, resource orchestrators, and observability agents like Prometheus and Grafana.

Traditionally, these tools are installed directly onto the cluster’s worker nodes as in-cluster add-ons. This creates a hidden operational tax. Every tool requires dedicated compute resources, continuous security patching, High Availability (HA) configuration, and version upgrades to ensure compatibility with the Kubernetes control plane. When systems grow, this management overhead scales linearly, forcing platform engineers to spend their time maintaining the deployment machinery rather than improving the core infrastructure.

Amazon EKS Capabilities

Announced at AWS re:Invent 2025, Amazon EKS Capabilities changes the paradigm of add-on management. It bundles highly popular open-source Kubernetes tools into a managed platform layer.

The architectural game-changer here is zero cluster overhead. Unlike traditional installations, Amazon EKS Capabilities run in Amazon EKS service-owned accounts that are fully abstracted from your cluster. AWS handles the installation, high availability, scaling, and patching of these tools. They appear as native AWS resources that can be tagged, monitored, and managed, bridging the gap between standard AWS services and the Kubernetes ecosystem.

At launch, Amazon EKS Capabilities integrated three foundational components critical to modern deployment workflows: Argo CD, AWS Controllers for Kubernetes (ACK), and Kube Resource Orchestrator (KRO).

The Core Trio: Argo CD, ACK, and KRO

  1. Managed Argo CD: The GitOps Standard

For teams building modern continuous delivery pipelines from the ground up, adopting a declarative GitOps approach is often preferable to configuring traditional, imperative automation servers. Argo CD is a declarative GitOps continuous delivery tool for Kubernetes.

Instead of pushing changes to a cluster via an external pipeline, Argo CD operates on a pull-based model. It continuously monitors a Git repository containing your environment declarations and automatically synchronizes the live cluster state to match the desired state defined in version control.

Why the managed version matters: Running self-managed Argo CD requires significant effort to configure SSO, manage Redis caches for HA, and handle frequent upgrades. With the EKS Capability for Argo CD, AWS manages the control plane. It integrates seamlessly with AWS IAM Identity Center out of the box, allowing developers to apply declarative configurations securely using familiar tools like kubectl or direct Git commits.

  2. AWS Controllers for Kubernetes (ACK): Bridging Cloud and Cluster

While proficiency in Infrastructure as Code (IaC) tools like Terraform and AWS CloudFormation is essential for provisioning foundational infrastructure (VPCs, subnets, Amazon EKS clusters), application-specific resources often create bottlenecks. If a newly deployed microservice requires an Amazon S3 bucket or an Amazon DynamoDB table, developers traditionally have to step outside of Kubernetes and run separate IaC pipelines.

ACK solves this by providing Custom Resource Definitions (CRDs) that enable the management of AWS cloud resources directly from within the Kubernetes API. With the ACK EKS Capability, developers can define an Amazon S3 bucket alongside their application deployment in the same YAML manifest. ACK translates this Kubernetes manifest into AWS API calls, provisioning the bucket instantly. This complements existing IaC strategies by shifting application-level resource provisioning closer to the application code itself.
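Once buckets are created from manifests, the bucket's security settings are reviewed in the same pull request as the application. The following is an added example, not code from this article or from AWS: a pre-merge check over a constructed manifest. The field names assume the ACK S3 controller's Bucket CRD (`s3.services.k8s.aws/v1alpha1`), and the resource names are placeholders.

```python
# Added example: pre-merge lint for ACK S3 Bucket manifests (constructed data).
# Field names assume the ACK S3 controller's Bucket CRD; check them against
# the CRD version available in your cluster.
PAB_KEYS = ("blockPublicACLs", "blockPublicPolicy",
            "ignorePublicACLs", "restrictPublicBuckets")

def bucket_findings(doc):
    """Return findings for one manifest document; [] if it is not an ACK Bucket."""
    if doc.get("kind") != "Bucket" or not doc.get("apiVersion", "").startswith(
            "s3.services.k8s.aws/"):
        return []
    spec, findings = doc.get("spec", {}), []
    acl = spec.get("acl", "private")
    if acl != "private":
        findings.append(f"canned ACL '{acl}' is not private")
    pab = spec.get("publicAccessBlock") or {}
    unset = [k for k in PAB_KEYS if pab.get(k) is not True]
    if unset:
        findings.append("publicAccessBlock not true for: " + ", ".join(unset))
    rules = (spec.get("encryption") or {}).get("rules") or []
    if not any((r.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
               for r in rules):
        findings.append("no default encryption rule declared")
    return findings

def lint(docs):
    """Map 'Kind/name' to findings for every document that has any."""
    results = {}
    for doc in docs:
        found = bucket_findings(doc)
        if found:
            results[f"{doc['kind']}/{doc['metadata']['name']}"] = found
    return results

# Constructed manifest: one file carrying a Deployment and two ACK buckets.
MANIFEST = [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "orders"}},
    {"apiVersion": "s3.services.k8s.aws/v1alpha1", "kind": "Bucket",
     "metadata": {"name": "orders-exports"},
     "spec": {"name": "example-orders-exports", "acl": "public-read"}},
    {"apiVersion": "s3.services.k8s.aws/v1alpha1", "kind": "Bucket",
     "metadata": {"name": "orders-archive"},
     "spec": {"name": "example-orders-archive",
              "publicAccessBlock": dict.fromkeys(PAB_KEYS, True),
              "encryption": {"rules": [{"applyServerSideEncryptionByDefault":
                                        {"sseAlgorithm": "aws:kms"}}]}}},
]

if __name__ == "__main__":
    for name, found in lint(MANIFEST).items():
        print(name, found)
```

The check reports on what the manifest declares, so a bucket that relies on account or service defaults is still flagged until those settings are written into Git.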

  3. Kube Resource Orchestrator (KRO): Building Reusable Abstractions

As platforms scale, development teams are often overwhelmed by the sheer volume of YAML required to deploy a simple service. KRO offers a streamlined mechanism for creating and managing composed custom resources.

Platform engineers can use KRO to define reusable, higher-level abstractions. For example, instead of requiring a developer to write manifests for a Deployment, a Service, an Ingress, and an ACK-managed Amazon RDS instance, an engineer can create a single custom resource called WebService. KRO automatically expands this abstraction into the required underlying resources, hiding the complexity of the platform while remaining native to the Kubernetes ecosystem.

Security and AWS IAM Integration

A major hurdle to running third-party open-source tools on AWS is mapping Kubernetes Service Accounts to AWS IAM roles, often requiring complex OIDC provider configurations and trust policies.

Because Amazon EKS Capabilities are treated as first-class AWS resources, permissions are configured directly through AWS Identity and Access Management (IAM). When you enable a capability like ACK, you attach an AWS IAM role to the capability itself. The capability can then do only what that role's policies allow, so least privilege is enforced through IAM: scope the role to the resources the capability manages, and your automated deployment tools have exactly the permissions they need to interact with your AWS environment, without the risk of misconfigured in-cluster credentials.
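How much the role attached to a capability can do is decided by its policy document, which can be checked before the role is attached. The following is an added example, not code from this article or from AWS: it flags over-broad Allow statements in two constructed policies. The action list in `SCOPED` is illustrative, not the controller's complete required set, and the ARN is a placeholder.

```python
# Added example: audit of the IAM policy on a capability role (constructed policies).
def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def overbroad(policy, expected_services):
    """Return (sid, reason) pairs for Allow statements wider than expected."""
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants everything else"))
        for action in as_list(stmt.get("Action", [])):
            service = action.partition(":")[0]
            if "*" in action:
                findings.append((sid, f"wildcard action {action}"))
            elif service.lower() not in expected_services:
                findings.append((sid, f"unexpected service in {action}"))
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((sid, "resource is *"))
    return findings

# Constructed: a role policy that is convenient but grants far too much.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed: the same role limited to bucket operations on one name prefix.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TeamBuckets", "Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket",
                "s3:PutEncryptionConfiguration", "s3:PutBucketPublicAccessBlock"],
     "Resource": "arn:aws:s3:::example-orders-*"}]}

if __name__ == "__main__":
    print(overbroad(BROAD, {"s3"}))   # two findings
    print(overbroad(SCOPED, {"s3"}))  # no findings
```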

Conclusion

Amazon EKS Capabilities represents a fundamental shift in how organizations approach cloud-native architecture. By moving critical operational tools such as Argo CD, ACK, and KRO off worker nodes and into an AWS-managed layer, engineering teams can eliminate the toil of platform maintenance.

It allows infrastructure professionals to lean into modern GitOps practices, seamlessly blend AWS resources with Kubernetes manifests, and ultimately design more resilient, automated systems.

For teams looking to refine their architecture and eliminate administrative friction, evaluating Amazon EKS Capabilities should be the immediate next step in your cloud journey.

FAQs

1. Do Amazon EKS Capabilities consume compute resources on my worker nodes?

ANS: No. One of the primary benefits of Amazon EKS Capabilities is that the control planes for these tools (such as the Argo CD server or ACK controllers) run on AWS-owned infrastructure. They do not consume CPU or memory on your Amazon EC2 instances or Fargate profiles, reducing your direct compute costs and freeing up space for application workloads.

2. How does this impact my existing Terraform or AWS CloudFormation setups?

ANS: Amazon EKS Capabilities, specifically ACK, are designed to complement, not replace, traditional IaC. Best practices dictate using Terraform or CloudFormation for foundational infrastructure (networking, cluster creation, AWS IAM roles) and using ACK for application-specific resources (e.g., an Amazon S3 bucket needed by a specific pod). This creates a clear boundary between platform infrastructure and application infrastructure.

3. Can I pick and choose which capabilities to enable?

ANS: Yes. Amazon EKS Capabilities are completely independent and opt-in. You can enable Managed Argo CD without enabling ACK, or vice versa, depending on your team’s specific requirements. They can be enabled via the AWS Console, AWS CLI, or eksctl.

WRITTEN BY Swapnil Kumbar

Swapnil Kumbar is a Senior Research Associate at CloudThat with over 2.5 years of experience in DevOps. He specializes in AWS, Kubernetes, automation, and cloud-native technologies. Passionate about innovation and research, Swapnil focuses on building scalable infrastructure, optimizing deployments, and exploring emerging tools. In his free time, he actively contributes to knowledge sharing and community learning initiatives.
