<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Eks | The AWS Blog</title><link>https://theawsblog.com/tags/eks/</link><description>Articles, tutorials and insights from the AWS community.</description><generator>Hugo</generator><language>en</language><managingEditor>@theawsblog (The AWS Blog)</managingEditor><webMaster>@theawsblog</webMaster><lastBuildDate>Tue, 23 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://theawsblog.com/tags/eks/index.xml" rel="self" type="application/rss+xml"/><item><title>EKS Auto Mode improvements show why managed Kubernetes is becoming operational engineering</title><link>https://theawsblog.com/news/emiliano-montesdeoca/eks-auto-mode-scaling-improvements/</link><pubDate>Tue, 23 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/eks-auto-mode-scaling-improvements/</guid><description>Recent EKS Auto Mode runtime, compute, storage, and networking improvements reduce Kubernetes operational friction, but teams still need workload-level SLOs and migration discipline.</description><content:encoded>&lt;p&gt;The latest EKS Auto Mode update is not one big feature. It is a collection of operational improvements: faster node startup, better Karpenter behavior, node-local DNS, smoother EBS migration, and more networking options.&lt;/p&gt;
&lt;p&gt;That is exactly why it matters.&lt;/p&gt;
&lt;p&gt;In the &lt;a href="https://aws.amazon.com/blogs/containers/faster-nodes-smarter-scaling-whats-new-inside-amazon-elastic-kubernetes-service-amazon-eks-auto-mode/"&gt;AWS Containers Blog post&lt;/a&gt;, AWS describes improvements across runtime, compute, storage, and networking. For builders, the lesson is that managed Kubernetes value increasingly comes from reducing the number of sharp edges you have to own yourself.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The source article lists several practical changes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;node ready latency reduced through faster startup detection,&lt;/li&gt;
&lt;li&gt;Karpenter scale-out and consolidation improvements,&lt;/li&gt;
&lt;li&gt;zram protection for transient system memory pressure,&lt;/li&gt;
&lt;li&gt;faster image pulls for large ML and GPU images,&lt;/li&gt;
&lt;li&gt;node-local DNS by default in Auto Mode,&lt;/li&gt;
&lt;li&gt;support for separate pod subnets and pod security groups,&lt;/li&gt;
&lt;li&gt;improved EBS migration and topology-aware volume scheduling.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;None of these changes remove the need to understand Kubernetes. They reduce the tax of operating the infrastructure layer below your workloads.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Most Kubernetes incidents are not about Kubernetes being unavailable. They are about the cluster being technically alive while applications wait for capacity, DNS, storage, or networking to catch up.&lt;/p&gt;
&lt;p&gt;Faster node startup helps bursty workloads. Better consolidation helps cost. Node-local DNS reduces a common hidden bottleneck. Separate pod subnets and security groups make enterprise network patterns easier to express without abandoning Auto Mode defaults.&lt;/p&gt;
&lt;p&gt;For platform teams, this changes the migration conversation. Auto Mode is not only about &amp;ldquo;less to manage.&amp;rdquo; It is about whether AWS-managed operational improvements arrive faster than your team could safely build and maintain them.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;There are still boundaries.&lt;/p&gt;
&lt;p&gt;Auto Mode can improve node lifecycle and system components, but it cannot fix bad pod requests, missing disruption budgets, slow application startup, or chatty service dependencies. If workloads request too much CPU, do not define readiness probes, or depend on large cold images, managed infrastructure only helps so far.&lt;/p&gt;
&lt;p&gt;Cost also needs attention. Faster scale-out is useful, but it can surface inefficient autoscaling policies. Faster consolidation is useful, but only if workloads tolerate disruption and your budgets are modeled correctly.&lt;/p&gt;
&lt;p&gt;Networking improvements should also be treated as architecture choices. Separate pod subnets and security groups can improve segmentation, but they introduce more routes, policies, IP planning, and troubleshooting paths.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;If you run EKS Auto Mode today, measure before and after. Look at:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;pending pod seconds during scale events,&lt;/li&gt;
&lt;li&gt;node ready time,&lt;/li&gt;
&lt;li&gt;image pull latency for large containers,&lt;/li&gt;
&lt;li&gt;DNS latency and CoreDNS saturation,&lt;/li&gt;
&lt;li&gt;consolidation events and interruption impact,&lt;/li&gt;
&lt;li&gt;cross-AZ and NAT gateway traffic.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are migrating to Auto Mode, do it workload by workload. Start with stateless services that have clean readiness probes, pod disruption budgets, and known resource requests. Then move stateful or network-sensitive workloads after validating storage topology and security group behavior.&lt;/p&gt;
&lt;p&gt;The best outcome is not simply fewer Kubernetes knobs. It is a platform where the knobs that remain are closer to application reliability, cost, and security decisions. That is where builders should spend their time.&lt;/p&gt;</content:encoded></item><item><title>EKS control plane egress through your VPC closes a real private-cluster gap</title><link>https://theawsblog.com/news/emiliano-montesdeoca/eks-control-plane-egress-vpc/</link><pubDate>Mon, 22 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/eks-control-plane-egress-vpc/</guid><description>Amazon EKS customer-routed control plane egress lets Kubernetes API server traffic use customer VPC routing, security controls, and private endpoints for webhooks and OIDC dependencies.</description><content:encoded>&lt;p&gt;Private EKS clusters have always had two sides: how clients and nodes reach the API server, and how the API server reaches things on behalf of Kubernetes. The first side was easier to reason about. The second side had awkward edges.&lt;/p&gt;
&lt;p&gt;AWS has announced &lt;a href="https://aws.amazon.com/blogs/containers/amazon-eks-now-supports-control-plane-egress-through-your-vpc/"&gt;customer-routed control plane egress for Amazon EKS&lt;/a&gt;, which routes customer-controllable Kubernetes API server outbound traffic through your VPC. That includes admission webhook callbacks, OIDC discovery, and aggregate API server requests.&lt;/p&gt;
&lt;p&gt;This is a practical feature for teams that need private webhooks, private identity providers, and auditable network paths.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;With the new &lt;code&gt;controlPlaneEgressMode&lt;/code&gt; set to &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt;, the Kubernetes API server uses an elastic network interface in your VPC for specific outbound flows. Those flows can then follow your routing, security groups, VPC endpoints, DNS, Network Firewall, PrivateLink, Direct Connect, and logging patterns.&lt;/p&gt;
&lt;p&gt;EKS-managed service traffic still uses the EKS-managed path. The feature is scoped to customer-controllable API server egress, not every packet from the control plane.&lt;/p&gt;
&lt;p&gt;One important detail: after a cluster uses &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt;, the setting is immutable for the life of the cluster. That makes planning more important than experimentation on a random production cluster.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;Admission webhooks are often part of the security boundary. They validate images, enforce labels, inject sidecars, block risky configurations, and integrate with policy engines. If the API server can only call a public endpoint, teams end up exposing services that they would rather keep private.&lt;/p&gt;
&lt;p&gt;The same issue appears with external OIDC identity providers. If the control plane must fetch discovery documents and JWKS over an internet-reachable path, the cluster is not as private as the architecture diagram suggests.&lt;/p&gt;
&lt;p&gt;Customer-routed egress makes a cleaner design possible:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;webhook services can live behind internal load balancers,&lt;/li&gt;
&lt;li&gt;private DNS can resolve API server dependencies,&lt;/li&gt;
&lt;li&gt;VPC Flow Logs can show the path,&lt;/li&gt;
&lt;li&gt;SCPs can enforce the required egress mode across accounts,&lt;/li&gt;
&lt;li&gt;network teams can apply existing inspection and routing controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For regulated environments, the value is not only connectivity. It is evidence.&lt;/p&gt;
&lt;h2 id="design-considerations"&gt;Design considerations&lt;/h2&gt;
&lt;p&gt;This feature moves responsibility to your network design. If DNS, routes, endpoint policies, or security groups are wrong, API server calls can fail. That can break admissions, identity association, or aggregated APIs.&lt;/p&gt;
&lt;p&gt;I would pay attention to four areas:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;DNS resolution.&lt;/strong&gt; The API server now depends on the DNS path available from your VPC configuration for those customer-controllable names.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Webhook availability.&lt;/strong&gt; A private webhook outage can become a cluster-wide admission outage if failure policies are strict.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Certificate trust.&lt;/strong&gt; Private does not always mean privately trusted. The source article notes that OIDC issuer certificates still need a publicly trusted chain.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cost and routing.&lt;/strong&gt; NAT gateways, cross-AZ paths, inspection appliances, and endpoints can add cost or latency if the path is not designed deliberately.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Start by identifying clusters that already use admission webhooks, external OIDC providers, or aggregate API servers. Those clusters have the most to gain.&lt;/p&gt;
&lt;p&gt;For new clusters, decide whether &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt; should be part of the baseline. For existing clusters, test in a non-production environment with the same webhook and identity dependencies before updating anything important.&lt;/p&gt;
&lt;p&gt;Then build a failure test. Block the webhook endpoint, break DNS resolution, and confirm your cluster behavior matches your expectations. Network privacy is useful only if the failure modes are understood.&lt;/p&gt;
&lt;p&gt;This EKS change does not make private Kubernetes automatic, but it removes a real architectural compromise. Builders now have a better way to align the control plane&amp;rsquo;s outbound path with the same network rules they already apply to workloads.&lt;/p&gt;</content:encoded></item></channel></rss>