April 15, 2026 · Anton Grishko
Production AWS in hours, not weeks
Most teams budget 3–6 weeks for the EKS-to-production journey. Here's how a typical Kuberly customer ships in 2–3 hours.
TL;DR — Most teams take weeks to ship a production EKS cluster. Kuberly does it in 2–3 hours with Karpenter, Istio ambient mTLS, ArgoCD GitOps, Prometheus + Grafana + Loki observability, and a SOC 2 / PCI DSS baseline — all written as OpenTofu + Terragrunt into your own repo.
The conventional path
A senior DevOps engineer joins and spends 4 weeks building a baseline:
- VPC with private/public subnets, NAT, VPC endpoints
- EKS with Karpenter for node provisioning
- Istio for mTLS and traffic management
- ArgoCD for GitOps
- Prometheus, Grafana, Loki, Tempo for observability
- AWS Secrets Manager + External Secrets Operator
- Trivy + Checkov scanning on every PR
Each piece is a week of yak-shaving. Most teams skip half of it and pay the security debt later.
The Kuberly path
- T+0: Connect AWS account (cross-account IAM role; you control the trust policy)
- T+15m: EKS control plane up. VPC, subnets, NAT, endpoints provisioned
- T+45m: Karpenter, Istio (ambient mode), ArgoCD, Vault references all wired
- T+1h: Observability stack (Prometheus, Grafana, Loki, Tempo) live
- T+2h: First workload deployed via the dashboard. Push image → URL
- T+3h: Custom domain on Route 53, cert-manager, Let's Encrypt issued
The OpenTofu + Terragrunt repo lands in your GitHub or Bitbucket org on day one. You read it, audit it, branch it. Standard tooling, no proprietary DSL — exactly what we describe in You own the IaC. You own the infra.
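The "you control the trust policy" point is worth making concrete. Below is an added example, not Kuberly's code, that audits the cross-account role's trust policy the way you would when reviewing the generated repo: it flags a wildcard principal, a principal outside the expected platform account, and a missing or wrong `sts:ExternalId` condition. The account ID, the ExternalId and both sample policy documents are constructed placeholders.

```python
import json

# Constructed sample trust policy; the account id and ExternalId are
# placeholders, not values from the page or from any real account.
PLATFORM_ACCOUNT = "111111111111"
EXTERNAL_ID = "replace-with-shared-secret"

GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "replace-with-shared-secret"}}
  }]
}""")

# Same role, but with the two mistakes the check is meant to catch.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, platform_account, external_id):
    """Return findings for every Allow/AssumeRole statement. An empty list
    means only the expected account, presenting the expected ExternalId,
    can assume the role."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {n}: wildcard principal, any AWS account may assume the role")
            elif f":{platform_account}:" not in p:
                findings.append(f"statement {n}: unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append(f"statement {n}: sts:ExternalId condition missing or wrong (confused-deputy risk)")
    return findings

if __name__ == "__main__":
    for name, pol in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, audit_trust_policy(pol, PLATFORM_ACCOUNT, EXTERNAL_ID) or ["ok"])
```

Run it against the `assume_role_policy` of the role in the generated repo (with your own platform account ID and ExternalId) before granting the role any permissions.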
What it looks like operationally
- Push a Docker image or Git repo — Shipwright + ArgoCD handle build, sync, and rollback
- Provision a database — Postgres, Aurora, Redis, DocumentDB, MongoDB Atlas, ClickHouse, all from the dashboard, with IRSA wired automatically
- Debug — ask the autopilot why production is hot. It queries Loki + Prometheus + pod events directly via MCP. Answers ship with the raw data. For the architecture, see MCP for DevOps.
- Scale — Karpenter for nodes, KEDA (50+ scalers) for pods, no manual intervention
Why hours instead of weeks
The integration is the platform. We don't ship a list of components and let you wire them. We ship the wiring. Each runtime — EKS, ECS, Lambda, Bedrock AgentCore — shares the same VPC, the same IAM model, the same secrets store, the same observability. One OpenTofu + Terragrunt repo defines all four. The reasons we pick Terragrunt over raw Terraform are in Why we ship Terragrunt, not raw Terraform.
What "production" actually requires
Compliance is the part most teams underestimate. Kuberly ships the SOC 2 / PCI DSS baseline by default: Vault HA, IRSA per workload, private VPC, mTLS via Istio, IaC scanned on every PR. One of our customers went from a fresh AWS account to PCI DSS audit-ready in under two weeks. Same controls, same scoped IAM, same defensible posture every Kuberly customer inherits.
That's the part that turns "we have a cluster" into "we have a cluster you can sell into the enterprise."
Further reading
- AWS EKS Best Practices Guide — the baseline we encode.
- Istio ambient mesh — sidecar-free mTLS we ship by default.
- Karpenter NodePool docs — bin-packing and consolidation primer.
- External Secrets Operator — bridging AWS Secrets Manager into Kubernetes.
- PCI DSS v4.0 quick reference — the controls we attest against.
- DevOps on autopilot — what happens after onboarding.
- Karpenter is the most underrated EKS upgrade — why we default to it.
Want the same baseline running in your AWS account this week? Talk to us.