EKS-compatible · Karpenter v1 · Pod Identity

Dedicated Kubernetes clusters in under 3 minutes.

EKS-D-Xpress delivers fully isolated, EKS-compatible clusters for every developer and CI pipeline — with serverless Pod Identity and Karpenter auto-scaling, at a fraction of managed EKS cost.

  • < 3 min cluster spin-up
  • $57–82 per dev / month
  • 44% cheaper than EKS
  • K8s 1.35–1.36 (EKS-D releases)

Three layers. One platform.

EKS-D-Xpress is composed of three independent open-source projects that work together.

eks-d-xpress

EKS-D Distribution

Provisions dedicated EKS-D clusters on EC2 with kubeadm, full Karpenter v1 integration, and all EKS-compatible add-ons. Clusters are isolated per developer or CI branch.

  • Karpenter v1 NodePools + EC2NodeClass
  • Spot and On-Demand support (arm64 + x86_64)
  • etcd backup via DLM snapshots
  • AWS VPC CNI + EBS CSI driver
  • K8s 1.35 & 1.36 (EKS-D releases)

kube v1.36.0 · etcd v3.5.21 · karpenter v1
plasticity-of-cloud/eks-d-xpress

eks-d-xpress-control-plane

Serverless Control Plane & Pod Identity

Serverless control plane that brings EKS Pod Identity to any Kubernetes cluster — k3s, microk8s, EKS-D. Three Lambda functions handle credential exchange, cluster management, and tenant provisioning.

  • EKS Pod Identity compatibility layer for non-EKS clusters
  • Credential exchange Lambda (Java SnapStart, <50ms p99)
  • JWKS validation with DynamoDB caching
  • STS AssumeRole with session tags from token claims
  • Native GraalVM CLI binary (eks-dx)

Pod → Agent → Proxy → Lambda → STS → Credentials
plasticity-of-cloud/eks-d-xpress-control-plane

eks-d-xpress-infra

Shared Infrastructure

Single CDK stack that provisions the shared AWS foundation used by all tenants — VPC, launch templates, ECR pull-through cache, and VPC endpoint.

  • VPC 10.0.0.0/16 with S3 gateway endpoint
  • ECR pull-through cache (public.ecr.aws + registry.k8s.io)
  • 4 launch templates: (spot + on-demand) × (arm64 + x86_64)
  • IMDSv2, encrypted EBS, IMDS hop-limit=2
  • SSM parameters published for all consumers

m7g.large arm64 · m7i.large x86
plasticity-of-cloud/eks-d-xpress-infra
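
The launch-template settings listed above (IMDSv2, IMDS hop-limit=2, encrypted EBS) can be verified mechanically. The following Python check is an added example, not code from the eks-d-xpress-infra project; it assumes the input has the shape of `LaunchTemplateData` in the EC2 DescribeLaunchTemplateVersions response, and the two sample dictionaries are constructed.

```python
# Added example: audit launch-template data against the settings the page lists.
# Field names follow LaunchTemplateData from EC2 DescribeLaunchTemplateVersions.

EXPECTED_HOP_LIMIT = 2  # value stated on the page


def audit_launch_template(data):
    """Return a list of findings; an empty list means the template complies."""
    findings = []
    md = data.get("MetadataOptions", {})
    # IMDSv2 is enforced only when session tokens are required. An absent
    # value leaves the choice to AMI or account defaults, so flag it too.
    if md.get("HttpTokens") != "required":
        findings.append("IMDSv2 not enforced (HttpTokens=%r)" % md.get("HttpTokens"))
    hop = md.get("HttpPutResponseHopLimit")
    if hop != EXPECTED_HOP_LIMIT:
        findings.append("IMDS hop limit is %r, expected %d" % (hop, EXPECTED_HOP_LIMIT))
    mappings = data.get("BlockDeviceMappings", [])
    if not mappings:
        findings.append("no BlockDeviceMappings: encryption is left to AMI or account defaults")
    for mapping in mappings:
        ebs = mapping.get("Ebs")
        if ebs is None:
            continue  # instance-store or suppressed device, nothing to encrypt
        if ebs.get("Encrypted") is not True:
            findings.append("EBS volume %s is not encrypted" % mapping.get("DeviceName"))
    return findings


# Constructed sample: matches the settings listed on the page.
SAMPLE_COMPLIANT = {
    "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 2},
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True, "VolumeSize": 50}}
    ],
}
# Constructed sample: IMDSv1 allowed, wider hop limit, unencrypted root volume.
SAMPLE_WEAK = {
    "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 3},
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 50}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
    ],
}

if __name__ == "__main__":
    for name, sample in (("compliant", SAMPLE_COMPLIANT), ("weak", SAMPLE_WEAK)):
        print(name, audit_launch_template(sample) or "OK")
```
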

How Pod Identity works

Credential exchange in 10 steps — entirely serverless, no long-lived keys.

Built for these use cases

CI/CD Isolation

Isolated EKS cluster per PR branch. Parallel tests, no resource contention, teardown when done.

Operator Development

Deploy CRDs, webhooks, and admission controllers safely without polluting shared clusters.

AWS Integration Testing

Native Pod Identity means real AWS service calls with zero access key management.

Any Kubernetes Cluster

Not just EKS-D. eks-dx-auth-proxy works on k3s, microk8s, or any OIDC-enabled cluster.

Real cost savings

Compared to managed EKS at $0.10/hr control plane plus worker nodes.

| Scenario | EKS-D-Xpress | Managed EKS | Savings |
|---|---|---|---|
| Business hours (160 hrs/mo) | $63–73/mo | $132–142/mo | ~44% |
| Spot + Hibernation | $52–62/mo | $132–142/mo | ~55% |
| Always-on (CI/CD) | $82–95/mo | $132–142/mo | ~36% |

Per developer. Includes m7g.large control plane, storage, shared NAT, and Spot worker nodes. Savings increase further with Compute Savings Plans.

Quick start

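# Assumption: each step starts from the directory that contains both
# repository checkouts, so the cd commands run in subshells.

# 1. Deploy shared infrastructure
(cd eks-d-xpress-infra && ./setup-shared-infra.sh us-east-1 eks-dx-infra)

# 2. Deploy the serverless control plane
(cd eks-d-xpress-control-plane/infra && cdk deploy EksDXpressControlPlaneStack)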

# 3. Provision a tenant cluster (EKS-D on EC2)
eks-dx create tenant --arch arm64 --k8s-version 1.36 --spot

# 4. Register your cluster and configure Pod Identity
eks-dx create cluster --name my-cluster --region us-east-1
eks-dx create pod-identity-association \
  --cluster-name my-cluster \
  --namespace default \
  --service-account my-app \
  --role-arn arn:aws:iam::123456789012:role/my-role