惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
D
DataBreaches.Net
S
Secure Thoughts
B
Blog
S
Schneier on Security
Y
Y Combinator Blog
P
Proofpoint News Feed
C
Cybersecurity and Infrastructure Security Agency CISA
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
F
Full Disclosure
Engineering at Meta
Engineering at Meta
L
LangChain Blog
T
Threatpost
阮一峰的网络日志
阮一峰的网络日志
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The Hacker News
The Hacker News
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
Cyberwarzone
Cyberwarzone
T
The Exploit Database - CXSecurity.com
雷峰网
雷峰网
博客园 - 司徒正美
Help Net Security
Help Net Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Privacy International News Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Vulnerabilities – Threatpost
Cisco Talos Blog
Cisco Talos Blog
L
LINUX DO - 热门话题
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Threat Research - Cisco Blogs
Recent Announcements
Recent Announcements
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
H
Heimdal Security Blog
Jina AI
Jina AI
C
Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
Microsoft Security Blog
Microsoft Security Blog
L
Lohrmann on Cybersecurity
aimingoo的专栏
aimingoo的专栏
D
Docker
I
Intezer
C
Check Point Blog
Cloudbric
Cloudbric
小众软件
小众软件
V2EX - 技术
V2EX - 技术

Devoriales - DevOps and Python Tutorials

Cloud & DevOps & AI Digest: The Week of Jun 28, 2026 Cloud & DevOps & AI Digest: The Week of Jun 20, 2026 Ansible for DevOps Engineers: Architecture, Core Concepts, and Hands-On Lab Login Must-Have Kubernetes CLI Tools Every Platform Engineer Should Know Login Login Login Why Your Best Engineers Are Quitting (And How to Stop It) Login ArgoCD Vulnerability: How the ServerSideDiff Feature Exposes Kubernetes Secrets Login How Kubernetes Controls What Your Containers Can Do Login Multi-AZ Is Not Disaster Recovery: What the AWS Bahrain Outage Finally Proved Trivy Supply Chain Attack: When Your Security Scanner Becomes the Threat Is Claude Opus 4.6 Fast Mode Really Worth 6× the Price? Login Unlocking Higher Pod Density in EKS with Prefix Delegation AWS Regional NAT Gateway: What It Is and Why You Should Care Kubernetes 1.35 Timbernetes Release Debate Series: How Do We Control Deployment Order in Kubernetes? Debate Series: Should We Eliminate Kubernetes Secrets Entirely? Kubernetes CRDs Explained: A Beginner-Friendly Guide to Extending the Kubernetes API Reduce Cloud Cross-Zone Data Transfer Costs with Kubernetes 1.33 trafficDistribution Building Custom Bitnami Images: A Guide for Self-Hosted Container Images New Features in Kubernetes 1.34: An Overview From Free to Fee: How Broadcom's Bitnami Monetization Disrupts DevOps Infrastructure Claude Code Cheat Sheet: The Reference Guide Kubernetes Loses Enterprise Slack Status: Discord Among Platforms Being Considered Understanding Container Security: A Guide to Docker and Pod Security Container Patterns in Kubernetes: Init Containers, Sidecars, and Co-located Containers Explained AWS Launches Serverless MCP Server: AI-Powered Development Gets a Serverless Boost Valve Responds to Alleged Steam Data Breach Reports: What Users Need to Know ArgoCD 3.0: The Evolution Toward Secure GitOps Redis Returns to Open Source: The AGPLv3 Licensing Decision New Features in Kubernetes 1.33: An Overview Prometheus: How We Slashed Memory Usage IngressNightmare: Critical Ingress-NGINX Vulnerabilities and How to Check Your Exposure New Features in Kubernetes 1.32: An Overview What to Consider If You're Not Signing Up for Bitnami Premium Certified Kubernetes Administrator (CKA) Exam Updates for 2025 DeepSeek AI and the Question of the AI Bubble Python Tops the Tiobe Index: The Most Popular Programming Languages - January 2025 2024 in Review: IT Trends, Startups, and What’s Next Inside Argo: The Open-Source Journey Captured in a CNCF Documentary Running Docker on macOS Without Docker Desktop - updated with Kubernetes installation HashiCorp Rolls Out Terraform 2.0 at HashiConf, Keeps IBM Acquisition in the Shadows Is the EU Falling Behind in the Global AI Race? Prometheus Essentials: Node Exporter And System Monitoring Prometheus Essentials: Install and Start Monitoring Your App Prometheus Essentials: Introduction To Metric Types Kubernetes Pod Scheduling Explained: Taints, Tolerations, and Node Affinity Retrieval Augmented Generation (RAG) Explained for Beginners Like Me Using Sealed Secrets with Your Kubernetes Applications
AWS re:Invent 2025: The Future of Kubernetes on EKS
Aleksandro Matejic · 2025-12-15 · via Devoriales - DevOps and Python Tutorials

The Future of Kubernetes on EKS

At AWS re:Invent 2025, the Amazon EKS team presented a set of enhancements and future direction for Kubernetes on AWS. The session, titled "The Future of Kubernetes," covered recent platform improvements, scaling innovations, and a three-year roadmap that signals AWS's commitment to making Kubernetes operations managed.

Current data from the CNCF 2024 survey shows that 80% of enterprises now run Kubernetes in production, up from 66% in 2023. Over 90% of companies are at minimum evaluating the platform.

The announcements reflect the following: customers want to use Kubernetes without going to deep into managing Kubernetes platform. This vision drives everything from observability features to managed capabilities that eliminate platform engineering overhead.

This post focuses solely on current and upcoming EKS features. However, the full session recording also includes a presentation by Niall Mullen, Senior Director of Cloud Infrastructure at Netflix, presenting their journey migrating to EKS at massive scale. He mentioned that Netflix serves 300 million paying customers, handles launch rates of 70,000 containers in 5 minutes during region failovers, and migrated their existing Titus container platform (originally built on Mesos, shifted to Kubernetes 5 years ago) to EKS. I'm sharing this as a teaser since it's pretty interesting—definitely watch the full video.

At the end of this article, I've listed links to the different features covered in the AWS session if you're interested in diving deeper.

Kubernetes Adoption


According to the session, there are a few reasons why Kubernetes has become the de facto standard:

Simplicity - Kubernetes wraps 15 years of bash scripts, runbooks, and operational knowledge behind declarative APIs. You rarely start from scratch; need to run Spark? Use the Kubeflow Spark Operator.

Consistency - Run Kubernetes on AWS, on-premises, other clouds, at the edge, or even on fighter jets (EKS has seen this deployment). Your workloads remain portable across environments.

Extensibility - While Kubernetes handles container orchestration by default, the Custom Resource Definition (CRD) model allows you to extend it for any use case. Customers increasingly use EKS to operate their entire business infrastructure, not just containers.

Enhanced Container Registry: ECR Improvements


Feature Description Key Benefit
Enhanced Scanning with Inspector Integration with Amazon Inspector provides automated vulnerability scanning for OS and programming language packages. Live inventory shows where vulnerable images are running across clusters. Know exactly which clusters are running vulnerable images without manual tracking
Pull Through Cache Authenticated pull-through cache with ECR-to-ECR and third-party registry support (Docker Hub, GitHub, etc.) across regions and accounts Efficient multi-region image distribution and rate limit avoidance without maintaining separate registries
Granular Tag Immutability Tag-level immutability control - make production tags immutable while keeping development tags (like latest) mutable Matches real-world workflows where some tags need flexibility while others require stability
Archive Storage Class Low-cost storage tier for rarely accessed images with 90-day minimum retention. Restore within 20 minutes when needed. Reduce storage costs for compliance-driven image retention while maintaining access when needed
Managed Image Signing Fully managed signing integrated with AWS Signer - sign images with a single API call, no separate infrastructure needed Eliminate PKI management overhead while ensuring image authenticity and integrity

Amazon Elastic Container Registry (ECR) processes over 2 billion image pulls daily. Several new capabilities strengthen its position as the foundation for container workloads.

Advanced Scanning and Vulnerability Management

Integration with Amazon Inspector provides enhanced scanning capabilities. The critical improvement addresses a common pain point: when a vulnerable image is detected, where is it actually running?

"You might have dozens, hundreds, thousands of clusters depending on the environment you're running. This feature makes it easier to see a live inventory of vulnerable images that are running."

The live inventory feature connects vulnerability reports directly to running workloads across your entire cluster fleet.

Pull Through Cache Enhancements

ECR now supports authenticated pull through cache with expanded upstream registry capabilities.
This feature works with:

  • ECR-to-ECR: Pull images across regions and accounts within your own ECR repositories
  • Third-party registries: Docker Hub, GitHub Container Registry, Azure Container Registry, GitLab, Quay, and Kubernetes registry
  • Public registries: Amazon ECR Public without authentication overhead

The workflow is simple:

┌─────────────────────┐
│ Upstream Registry   │
│                     │
│ • Docker Hub        │
│ • GitHub (ghcr.io)  │
│ • ECR (us-east-1)   │
│ • Quay.io           │
└──────────┬──────────┘
           │ Pull on demand
           │ (24h refresh)
           ▼
┌─────────────────────┐
│ Your ECR Registry   │
│ (eu-west-1)         │
│                     │
│ Auto-cached repos   │
└──────────┬──────────┘
           │
           │ Fast local pulls
           ▼
    ┌──────────────┐
    │ EKS Cluster  │
    └──────────────┘

This means it's possible to pull images across regions and accounts within own ECR repositories, or cache public images from external registries, creating efficient multi-region distribution patterns without maintaining separate registries. AWS automatically creates repositories, caches images on first pull, and checks for updates every 24 hours.

Key benefits are:

  • Avoid rate limits from public registries (pulls come from AWS IP addresses)
  • Reduce cross-region bandwidth costs
  • Improve image pull performance
  • No manual replication or sync workflows needed

Tag Immutability Flexibility

Previously, repositories enforced immutability at the repository level. The new granular tag immutability allows specific tags (like production releases) to be immutable while permitting others (like latest in development) to be mutable. This flexibility matches real-world development workflows.

Archive Storage Class

For compliance-driven organizations storing terabytes of container images, the new archival storage class provides cost optimization. Images that haven't been pulled recently can move to archive storage at lower cost. When needed for audits or unexpected rollbacks, they can be restored from archive.

Managed Image Signing

ECR now offers fully managed image signing integrated with AWS Signer. No separate infrastructure required - sign images with a simple API call, with all actions logged in CloudTrail for audit compliance.

EKS Platform & Observability


Feature Description Key Benefit
Cluster Insights Automated daily scans identifying upgrade blockers: deprecated APIs, outdated add-ons, compatibility issues. On-demand refresh available. Reduce upgrade preparation time and increase reliability of version migrations
Version Support Acceleration New Kubernetes versions available in EKS within 45 days of upstream release (100% track record over 2 years) Stay current with upstream Kubernetes without extended waiting periods
Global Cross-Account Dashboard AWS's first true global, cross-account, cross-region service view. Centralized visibility of all EKS clusters across your organization. Executive-level visibility - understand cluster versions, compliance, and upgrade needs across entire fleet
Enhanced Network Observability Single agent exposing granular network metrics: DNS limits, retransmissions, service maps, pod-to-pod flows, cross-AZ traffic, AWS service patterns Proactive network monitoring and faster root cause analysis for networking issues
Managed MCP Server Hosted Model Context Protocol server with 7+ years of EKS operational knowledge. Q integration in console for instant troubleshooting assistance. Access support engineer knowledge directly in the console without opening tickets
CloudWatch Container Insights Out-of-the-box monitoring with curated dashboards, EBS metrics, GPU metrics, and application signals support Opinionated monitoring stack - no decisions on which metrics to collect or alarms to set

Simplified Upgrades

Kubernetes upgrades remain one of the most challenging operational tasks. AWS has introduced several features to ease this burden.

Cluster Insights scans your clusters daily for potential upgrade blockers:

  • Deprecated API usage
  • Add-on versions more than two versions behind
  • Amazon Linux 2 dependencies (no longer supported in Kubernetes 1.33)
  • On-demand refresh capability for immediate validation after fixes

Version Support Acceleration ensures new Kubernetes versions arrive in EKS within 45 days of upstream release. Over the past two years, every release has met this target.

Global Cross-Account Dashboard

Managing clusters across multiple accounts and regions creates visibility challenges. The new EKS global dashboard provides centralized inventory across all organizational boundaries.

This represents AWS's first service offering true global, cross-account, cross-region visibility. Think of it as an executive dashboard - log in Monday morning with your coffee and immediately understand cluster versions, identify upgrade needs, and track compliance status across your entire fleet.

Enhanced Network Observability

Network issues cause the majority of Kubernetes failures. The new enhanced container network observability feature addresses troubleshooting gaps with a single agent that exposes critical metrics to CloudWatch.

Key capabilities include:

  • DNS packet limit monitoring
  • Retransmission timeout tracking
  • Native service maps showing pod-to-pod communication
  • Flow visualization for cross-AZ traffic
  • Pod-to-service traffic patterns (S3, DynamoDB)
  • External traffic monitoring

The flow view makes it immediately obvious when unexpected patterns emerge, such as excessive cross-AZ traffic driving up costs or applications making inefficient S3 calls.

Cluster Insights


Cluster Insights automatically scans the EKS clusters and identifies potential upgrade blockers before attempt an upgrade:

  1. Deprecated API usage - Detects if the workloads are using Kubernetes APIs that will be removed in the next version
  2. Outdated add-ons - Flags add-on versions that are more than two versions behind current
  3. Amazon Linux 2 dependencies - Identifies dependencies on AL2 (which is no longer supported in Kubernetes 1.33+)
  4. On-demand refresh - Possible to trigger an immediate scan after fixing issues to validate the changes

Managed MCP Server

AWS launched a hosted version of the EKS Model Context Protocol (MCP) server. This tool brings years of EKS operational knowledge into a troubleshooting assistant.

When you encounter a crashed pod or networking issue in the EKS console, you can now click "Hey Q, tell me what's going on." The system automatically integrates with the MCP server, accessing runbooks and troubleshooting guides that support engineers use.

The hosted version includes CloudTrail logging and enterprise security features, making it production-ready.

EKS Ultra Clusters and Scaling


Feature Description Key Benefit
Ultra Clusters - Scale Support for 100,000 nodes, 800,000 GPUs, 1.6M Trainium accelerators, 100K concurrent pod scale-ups in minutes Run AI/ML workloads at unprecedented scale while maintaining Kubernetes conformance
In-Memory Database BoltDB moved from network-attached storage to in-memory tmpfs Order-of-magnitude performance improvements for read/write operations
Partitioned Key Spaces Hot resource types split into separate etcd clusters Up to 5x write throughput improvement while preserving durability
Offloaded Consensus AWS journal system replaces Raft-based consensus Eliminates etcd peer-to-peer communication, provides ultrafast multi-AZ replication
Multi-Network Interface Support Network bandwidth up to 100 Gbps per pod Critical for AI workloads moving massive datasets
Concurrent Image Pulling SOCI-based container runtime Cuts image pull times in half
Prefix Delegation Assigns CIDR ranges instead of individual IPs 3x improvement in node launch rates, optimizes VPC address utilization
Auto-Repair Automatic detection and replacement of unhealthy nodes including GPU instances Maintains consistent performance without manual intervention

The announcement of EKS Ultra Clusters in July 2024 represents a rearchitecture of the Kubernetes control plane. Working closely with Anthropic, AWS addressed the challenges of running AI/ML workloads at unprecedented scale.

Scale Specifications

Ultra Clusters support:

  • Up to 100,000 nodes in a single cluster
  • 800,000 GPUs or 1.6 million Trainium accelerators
  • 100,000 concurrent pod scale-ups in minutes
  • Full Kubernetes conformance maintained

Architectural Innovations

Three key innovations enable this scale:

In-Memory Database - Moving BoltDB from network-attached storage to in-memory tmpfs-based solution delivers order-of-magnitude performance improvements for read and write operations.

Partitioned Key Spaces - Hot resource types split into separate etcd clusters, delivering up to 5x write throughput while preserving durability.

Offloaded Consensus Management - The most significant change replaces traditional Raft-based consensus with AWS's journal system, battle-tested for over a decade across AWS services. This eliminates etcd peer-to-peer communication requirements and provides ultrafast ordered data replication with multi-AZ durability.

Data Plane Improvements

Beyond control plane enhancements, four key data plane improvements boost application performance:

  1. Multi-Network Interface Support - Enables network bandwidth up to 100 Gbps per pod, critical for AI workloads moving massive datasets
  2. Concurrent Image Pulling - New SOCI-based container runtime cuts image pull times in half
  3. Prefix Delegation - Assigns CIDR ranges instead of individual IPs, improving node launch rates up to 3x while optimizing VPC address utilization
  4. Auto-Repair Capabilities - Automatic detection and replacement of unhealthy nodes, including accelerated compute instances

Provisioned Control Plane


Feature Description Key Benefit
Provisioned Control Plane Tiers Pre-allocated capacity tiers with guaranteed performance. Highest tier: 6,800 concurrent API requests. Switch between Standard and Provisioned modes anytime. Predictable, consistent performance for critical workloads - no scaling delays during operations
API Request Concurrency How many operations the cluster handles simultaneously Better multitasking for deployments, scaling, and health checks
Pod Scheduling Rate How quickly cluster responds to scaling events Faster recovery from disruptions and rapid AI/ML job orchestration

While Ultra Clusters target massive scale, AWS recognized that all customers deserve predictable, high-performance control planes. The new Provisioned Control Plane brings ultra-scale architecture benefits to standard deployments.

Capacity Tiers

Instead of auto-scaling control planes that introduce latency during scale-up, you can now select pre-allocated capacity tiers:

  • Standard Mode - Control plane scales up and down based on load (default behavior)
  • Provisioned Mode - Pre-allocated specific tier for guaranteed capacity

Each tier defines three critical dimensions:

  1. API Request Concurrency - How many operations the cluster handles simultaneously
  2. Pod Scheduling Rate - How quickly the cluster responds to scaling events
  3. Cluster Database Size - Headroom for application metadata (16 GB maintained across all tiers)

The highest tier processes up to 6,800 concurrent API requests. You can switch between modes as requirements evolve, and upgrade existing clusters to provisioned mode without disruption.

EKS Capabilities: Not Just Cluster


Feature Description Key Benefit
Managed Argo CD Fully managed GitOps with Secrets Manager integration, CodeCommit integration, and automatic cross-account/cross-region networking Eliminate network configuration complexity for multi-account deployments
AWS Controllers for Kubernetes (ACK) Manage 50+ AWS services using Kubernetes APIs. Supports cross-account and cross-region resource management. Define infrastructure alongside applications - no separate IaC tools needed
Kubernetes Resource Orchestrator (KRO) Build abstractions over ACK - create custom APIs wrapping AWS resources with organizational standards Developers use simple APIs; platform teams enforce governance

The most strategic shift announced is EKS Capabilities, expanding beyond cluster management to handle the complete platform.

The Platform Problem

Getting a production-ready Kubernetes cluster is just the beginning. Applications need:

  • Deployment mechanisms
  • AWS service provisioning (S3 buckets, ElastiCache, RDS)
  • Secrets management
  • Network connectivity across accounts and regions

Building and maintaining these platform components requires significant engineering investment.

Managed Argo CD

AWS now offers fully managed Argo CD with AWS-specific integrations:

  • Secrets Manager Integration - Native support eliminates GitOps secrets management pain points
  • CodeCommit Integration - Simplified credential setup for Git repositories
  • Managed Networking - Cross-account and cross-region sync traffic handled behind the scenes

Self-managed Argo requires careful network configuration for multi-account deployments. The managed version eliminates this complexity entirely.

AWS Controllers for Kubernetes (ACK) and Kubernetes Resource Orchestrator (KRO)

These managed capabilities enable Kubernetes-native AWS resource management. Developers define infrastructure alongside application manifests instead of opening tickets to infrastructure teams.

KRO provides abstraction layers over ACK, allowing platform teams to publish custom APIs that wrap AWS resources with organizational standards.

Example workflow:

  • Platform team creates a "Database" custom resource that provisions RDS with approved configurations
  • Developers request databases through familiar Kubernetes manifests
  • Infrastructure provisioning happens automatically, following organizational policies

Three-Year Roadmap


AWS outlined five strategic priorities for EKS development through 2027:

1. Critical Workload Patterns at Any Scale

As clusters grow beyond single-cluster limits, AWS will focus on making multi-cluster workloads easier to manage. The goal is workload distribution across cluster boundaries.

2. AWS Service Integrations

Kubernetes increasingly serves as the front door to AWS. Customers provision EBS, S3, and other services through Kubernetes operators rather than directly through AWS APIs. AWS commits to ensuring all services work well for Kubernetes-native customers.

3. Meeting Workloads Where They Are

From EKS Distro (run anywhere) to cloud-managed EKS to edge deployments, AWS say they will continue supporting wherever workloads need to run. Improvements to outposts support and hybrid node capabilities are coming.

4. Simplified Platform Building

The long-term vision: eliminate the need for large platform engineering teams. Launch more managed capabilities so you can use Kubernetes without operating it.

5. Accelerating Community Innovation

AWS will continue contributing to the Kubernetes ecosystem through open source projects. The approach: adopt existing standards where possible (like Argo CD), create new standards when existing solutions fall short (like Karpenter), and open-source AWS-specific integrations (like ACK).

Key Takeaways


What AWS wants to tell us, they want to commit to manage Kubernetes operatios for their customer.

The following is what was captured from the session:

Observability - From network flow visualization to MCP-powered troubleshooting, AWS is making Kubernetes operations more transparent and debuggable.

Scaling - Ultra Clusters and Provisioned Control Planes bring enterprise-grade performance to workloads of any size while maintaining full Kubernetes conformance.

Operational Simplification - Every announcement reduces the operational burden of running Kubernetes. Upgrades get easier, troubleshooting becomes faster, and platform engineering requirements decrease.

For teams currently evaluating EKS or operating self-managed Kubernetes, these announcements make a case for managed services. The gap between self-managed and AWS-managed Kubernetes continues to widen, not in features or conformance, but in operational overhead.

The future of Kubernetes on AWS is clear: use the platform without becoming a Kubernetes operations expert. Focus on delivering business value while AWS handles the infrastructure complexity.

This is basically in line of my own thoughts, Kuberntes will eventually become pretty abstract to the developers. As Linux has become.

AWS Documentation Links by Feature


AWS re:Invent 2025 - The future of Kubernetes on AWS Original session: https://www.youtube.com/watch?v=Q6HT6zFcWzo

ECR (Elastic Container Registry) Features:

Enhanced Scanning with Inspector:

Pull Through Cache:

Tag Immutability:

Archive Storage Class:

Managed Image Signing:

EKS Platform Enhancements:

Cluster Insights & Upgrade Readiness:

EKS Global Dashboard:

Enhanced Container Network Observability:

CloudWatch Container Insights:

EKS Capabilities (Argo CD, ACK, KRO):

Additional EKS Features:

EKS Ultra Clusters & Provisioned Control Plane:

EKS Auto Mode:

Pod Identity:

CNCF Annual survey 2024 Report https://www.cncf.io/reports/cncf-annual-survey-2024/