Kubernetes

Kubernetes & Terraform Symbiosis: Modern Cloud-Native Infrastructure for Israeli Enterprises

Published December 2, 2025 • 15 min read

Terraform & Kubernetes: Better Together

Terraform and Kubernetes represent two of the most powerful tools in modern cloud infrastructure, yet they serve fundamentally different purposes. Terraform excels at provisioning and managing cloud infrastructure—VPCs, subnets, managed Kubernetes clusters, databases, and IAM roles. Kubernetes orchestrates containerized workloads, handling deployment, scaling, networking, and service discovery for applications running inside clusters.

By maintaining clear separation of concerns between these tools, Israeli enterprises can achieve scalable, secure, and auditable cloud-native operations. Terraform manages the "infrastructure layer"—everything up to and including the Kubernetes cluster itself. Kubernetes and GitOps tools manage the "application layer"—everything running inside the cluster.

This separation provides several benefits: infrastructure and application teams can work independently with clear boundaries, changes to cluster configuration don't require redeploying applications, and each tool operates in its area of strength rather than trying to do everything.

The Separation of Concerns Model

A well-architected Kubernetes deployment clearly separates infrastructure provisioning from application deployment. This isn't just organizational preference—it reflects fundamental differences in how these concerns change over time and who is responsible for them.

Infrastructure Layer (Terraform)

VPC, subnets, and network configuration
EKS/GKE/AKS cluster provisioning
Node groups and autoscaling configuration
IAM roles and service accounts
Cluster add-ons (CNI, CSI drivers, CoreDNS)
External resources (RDS, ElastiCache, S3)

Application Layer (Kubernetes/GitOps)

Application deployments and services
ConfigMaps and Secrets
Ingress and network policies
Horizontal Pod Autoscalers
Custom Resource Definitions (CRDs)
Helm releases and Kustomize overlays

Cluster Bootstrapping with Terraform

Terraform provides a declarative, version-controlled way to provision Kubernetes clusters across any cloud provider. Using the official Terraform modules for EKS, GKE, or AKS, you can define your cluster configuration as code and manage it through standard GitOps workflows.

A production-grade EKS cluster requires careful configuration of networking, security groups, IAM roles, and node groups. The terraform-aws-modules/eks/aws module encapsulates AWS best practices and handles the complex interdependencies between these components.

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "production-cluster"
  cluster_version = "1.29"

  cluster_endpoint_public_access = true

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  # EKS Managed Node Groups
  eks_managed_node_groups = {
    general = {
      min_size     = 2
      max_size     = 10
      desired_size = 3

      instance_types = ["m6i.large"]
      capacity_type  = "ON_DEMAND"

      labels = {
        role = "general"
      }
    }

    spot = {
      min_size     = 0
      max_size     = 20
      desired_size = 2

      instance_types = ["m6i.large", "m5.large", "m5a.large"]
      capacity_type  = "SPOT"

      labels = {
        role = "spot-workers"
      }

      taints = [{
        key    = "spot"
        value  = "true"
        effect = "NO_SCHEDULE"
      }]
    }
  }

  # Cluster access configuration
  enable_cluster_creator_admin_permissions = true
  
  access_entries = {
    platform_team = {
      kubernetes_groups = ["platform-admins"]
      principal_arn     = "arn:aws:iam::ACCOUNT:role/PlatformTeam"
      policy_associations = {
        admin = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }
  }
}

GitOps with ArgoCD: Declarative Application Delivery

GitOps is an operational framework that uses Git as the single source of truth for declarative infrastructure and applications. ArgoCD is a GitOps continuous delivery tool that automatically syncs Kubernetes resources from Git repositories to clusters, ensuring your deployed state always matches your desired state.

With ArgoCD, you define your applications in Git repositories using Kubernetes manifests, Helm charts, or Kustomize overlays. ArgoCD continuously monitors these repositories and automatically applies changes to your cluster. This provides a complete audit trail of all changes, easy rollback to any previous state, and clear visibility into deployment status.

The combination of Terraform for infrastructure and ArgoCD for applications creates a powerful GitOps workflow where all changes—whether to cluster configuration or application deployments—flow through pull requests with proper review and approval.

# ArgoCD Application definition
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: production-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/company/k8s-manifests
    targetRevision: main
    path: apps/production
    helm:
      valueFiles:
        - values-production.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m

Bootstrapping ArgoCD with Terraform

A common pattern is using Terraform to bootstrap ArgoCD itself during cluster creation. This creates a "meta-GitOps" setup where Terraform provisions the cluster and installs ArgoCD, then ArgoCD takes over management of all other cluster components including its own configuration.

resource "helm_release" "argocd" {
  name             = "argocd"
  repository       = "https://argoproj.github.io/argo-helm"
  chart            = "argo-cd"
  version          = "5.51.0"
  namespace        = "argocd"
  create_namespace = true

  values = [
    yamlencode({
      server = {
        extraArgs = ["--insecure"]
        ingress = {
          enabled = true
          hosts   = ["argocd.example.com"]
        }
      }
      configs = {
        repositories = {
          private-repo = {
            url      = "git@github.com:company/k8s-manifests.git"
            sshPrivateKeySecret = {
              name = "repo-ssh-key"
              key  = "sshPrivateKey"
            }
          }
        }
      }
    })
  ]

  depends_on = [module.eks]
}

ACK & Crossplane: Managing Cloud Resources from Kubernetes

AWS Controllers for Kubernetes (ACK) and Crossplane extend Kubernetes to manage cloud resources directly through Custom Resource Definitions. Instead of using Terraform to provision an RDS database, you can create a Kubernetes manifest that defines the database, and ACK or Crossplane will create and manage it.

This approach has trade-offs. The advantage is that application teams can provision cloud resources using familiar Kubernetes tooling and GitOps workflows. The disadvantage is that it adds complexity and may conflict with infrastructure team governance. Many organizations use a hybrid approach: Terraform for shared infrastructure and security-sensitive resources, ACK/Crossplane for application-specific resources that teams need to self-service.

# ACK RDS Database definition
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: app-database
  namespace: production
spec:
  dbInstanceIdentifier: app-database-prod
  dbInstanceClass: db.t3.medium
  engine: postgres
  engineVersion: "15"
  masterUsername: admin
  masterUserPassword:
    namespace: production
    name: db-credentials
    key: password
  allocatedStorage: 100
  dbSubnetGroupName: production-db-subnet-group
  vpcSecurityGroupIDs:
    - sg-0123456789abcdef0

Terraform Kubernetes Provider: When to Use It

Terraform includes a Kubernetes provider that can manage Kubernetes resources directly. While this might seem like a way to manage everything with one tool, it's generally not recommended for application workloads. The Kubernetes provider is best suited for cluster-level configuration that's tightly coupled to infrastructure—things like namespaces, RBAC roles, and cluster-wide policies.

For application deployments, GitOps tools like ArgoCD or Flux provide better developer experience, faster deployment cycles, and more sophisticated rollout strategies. Reserve Terraform's Kubernetes provider for the "glue" between infrastructure and applications.

Production Architecture: Putting It All Together

A production-ready Kubernetes platform combines these tools in a layered architecture. Terraform provisions the foundational infrastructure and bootstraps GitOps tooling. ArgoCD manages application deployments and cluster add-ons. Policy engines like OPA Gatekeeper enforce security and compliance guardrails.

Recommended Architecture Layers

Layer 1 - Terraform: VPC, EKS cluster, IAM, node groups, external databases
Layer 2 - Terraform + Helm: ArgoCD, cert-manager, external-dns, ingress controller
Layer 3 - ArgoCD: Application deployments, monitoring stack, logging, policies
Layer 4 - ArgoCD ApplicationSets: Multi-environment application promotion

Frequently Asked Questions

Use Terraform for infrastructure provisioning (VPCs, clusters, databases, IAM) and Kubernetes/GitOps for application deployment. This separation of concerns lets infrastructure and application teams work independently. Terraform excels at managing cloud provider APIs, while Kubernetes provides better developer experience for application deployments with features like rolling updates and health checks.

GitOps uses Git as the single source of truth for infrastructure and applications. ArgoCD automatically syncs your cluster state to match what's defined in Git, providing audit trails, easy rollback, and clear visibility into deployment status. Benefits include consistent deployments, self-healing (ArgoCD corrects drift), and developer-friendly workflows through pull requests.

Consider Crossplane/ACK when application teams need self-service cloud resource provisioning using familiar Kubernetes tooling. However, use Terraform for shared infrastructure, security-sensitive resources, and when you need mature tooling with extensive provider support. Many organizations use both: Terraform for platform infrastructure, ACK/Crossplane for application-specific resources.

Use Terraform to provision the EKS cluster, then deploy ArgoCD using the Helm provider. ArgoCD can then manage all other cluster components, including its own configuration updates. This creates a "meta-GitOps" pattern where initial bootstrap is via Terraform, but ongoing changes flow through Git and ArgoCD for full auditability.

We recommend a layered approach: Layer 1 (Terraform) provisions VPC, EKS, IAM, and external databases. Layer 2 (Terraform + Helm) bootstraps ArgoCD, cert-manager, external-dns, and ingress. Layer 3 (ArgoCD) manages application deployments, monitoring, logging, and policies. Layer 4 (ArgoCD ApplicationSets) handles multi-environment promotion.

HostingX IL: Kubernetes & Terraform Services

HostingX IL delivers comprehensive Kubernetes and Terraform services for Israeli enterprises, including cluster design and provisioning, GitOps implementation with ArgoCD, security hardening, and ongoing platform management. Our team has deep experience building production-grade platforms that scale with your business.