The $180,000 Kubernetes Mistake
The story of swapping a proposed EKS cluster for AWS Fargate at a fintech — saving $180k/year and shrinking the audit surface.
A fintech client came to me with an architecture proposal: a multi-AZ EKS cluster, Istio service mesh, ArgoCD, Prometheus, Loki, Karpenter, the works. For four microservices doing roughly 30 requests per second at peak.
Annual cost projection: $220k. Annual cost after redesign: $40k. Same SLOs, half the people needed to operate it, and a smaller SOC2 surface.
Why "complex = secure" is a lie
Every component in your stack is something the auditor needs to see hardened, patched, and access-controlled. An EKS cluster pulls in:
- Cluster IAM, OIDC provider, IRSA roles per service
- A CNI you have to upgrade in lockstep with k8s minors
- Admission controllers, network policies, PSPs/PSAs
- A control plane that is yours to patch CVEs on
vs. ECS Fargate with the same four services:
- One task role per service
- A managed control plane AWS patches for you
- VPC + ALB, both well-understood
Fewer moving parts, fewer findings.
When Kubernetes is the right answer
I'm not anti-k8s. It's the right tool when you have:
- Dozens to hundreds of services
- A platform team of >3 humans
- Workloads that genuinely need pod-level scheduling primitives
If you have four services and two ops engineers, Fargate or App Runner will outperform k8s on every metric that matters to the business: cost, time-to-recover, audit hours.
The decision rule
Choose the smallest platform that meets the business requirement. If you need a managed container runtime, start with AWS Fargate and prove why it is not enough before adding a cluster, ingress stack, and platform team backlog.
The same rule applies to security. A simpler platform with clear IAM, logs, and rollback often produces better evidence than a complex platform nobody fully owns. Complexity is not a maturity signal. Operability is.
The general principle
Complexity is a tax paid in three currencies: dollars, people-hours, and security exposure. Pay it only when the simpler thing genuinely cannot do the job.
Closing thought
The right platform is the one your team can run on its worst day. If a two-person ops crew can keep Fargate green at 3am during an incident, that is the maturity signal — not the number of CRDs in your cluster. Match platform complexity to operating capacity, not to architectural ambition.
Quick decision checklist
- Fewer than 10 services? Default to Fargate, App Runner, or Cloud Run.
- No dedicated platform team? Avoid self-managed Kubernetes.
- Compliance scope tight? Prefer managed runtimes with smaller audit surface.
- Already on Kubernetes and struggling? Cost out a migration honestly — six months of platform pain often pays back in twelve.
Ask AI About the Author
Open this query in ChatGPT, Claude, or Perplexity.
Comments
Comments are open to confirmed email subscribers. Use the email you subscribed with. To edit a comment, delete it and post a new one.
Get new field notes by email
Field notes from someone who ships before they write about it. Sovereign AI, AI-SDLC, DevOps, and what 59 production deployments teach you. No spam. Unsubscribe anytime.