
EKS GitOps with ArgoCD

1. The GitOps Flow: Pull vs. Push

  • Push Model (Old): Your Jenkins or GitHub Action has admin keys to your EKS cluster. It runs kubectl apply. If the network blips, the deployment fails, and you have “secret keys” floating around your CI system.
  • Pull Model (GitOps): An agent (ArgoCD) lives inside your cluster. It watches your Git repo. When it sees a change, it applies it locally. This is more secure because no external system needs cluster admin keys.

2. The 2026 Breakthrough: AWS Managed ArgoCD (EKS Capabilities)

As of December 2025, you no longer need to install, patch, or scale ArgoCD yourself. AWS introduced EKS Capabilities for ArgoCD.

  • Zero Maintenance: AWS runs the ArgoCD controllers in a managed environment outside your worker nodes.
  • Native IAM Integration: You log into the ArgoCD UI using AWS IAM Identity Center (SSO). No more managing separate local passwords.
  • Multi-Cluster by Design: A single managed ArgoCD instance can govern multiple “spoke” clusters across different AWS regions.

3. Self-Healing & Drift Detection

If a junior engineer manually deletes a Deployment using the AWS console, ArgoCD will see the “Actual State” (0 pods) doesn’t match the “Desired State” in Git (3 pods). It will instantly “Self-Heal” the cluster by recreating the pods.
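
The self-healing behaviour described above depends on the Application's sync policy, so here is an added example (not from the original page) of an Argo CD Application manifest with automated sync, pruning and self-heal switched on. The application name, repository URL, path and namespaces are placeholders, and the destination assumes a self-managed, in-cluster install.

```yaml
# Added example: names, repo URL, path and namespaces are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: web-frontend              # hypothetical application name
  namespace: argocd               # assumption: namespace where Argo CD reads Application objects
spec:
  project: default
  source:
    repoURL: https://git.example.com/platform/k8s-manifests.git   # placeholder repository
    targetRevision: main
    path: apps/web-frontend       # placeholder path; holds the Deployment with replicas: 3
  destination:
    # Assumption: self-managed Argo CD deploying to the cluster it runs in.
    # A managed or multi-cluster setup names the registered target cluster instead.
    server: https://kubernetes.default.svc
    namespace: web
  syncPolicy:
    # Without an "automated" block, Argo CD only reports OutOfSync and waits
    # for someone to trigger a sync.
    automated:
      prune: true      # delete live resources that were removed from Git
      selfHeal: true   # re-sync when live state drifts, e.g. a manually deleted Deployment
    syncOptions:
      - CreateNamespace=true      # create the destination namespace if it is missing
```

With `selfHeal` left at its default of `false`, automated sync reacts to new commits in Git but does not revert manual changes made directly in the cluster.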
