SYSTEM Cited by 1 source
# Generali Malaysia EKS platform
Generali Malaysia's EKS platform is the multi-tenant, AWS-managed EKS cluster (operated in EKS Auto Mode, i.e. an AWS-managed Kubernetes data plane on Bottlerocket nodes) that hosts Generali Malaysia's digital applications and several core insurance systems. Migration to AWS began in 2019; EKS Auto Mode adoption is ongoing as of the 2026-03 source. This page synthesises the integration topology across the six AWS services documented in the AWS Architecture Blog post.
## Integration topology
```text
                                        Amazon Managed Grafana
                                        (per-ns dashboards)
                                                               ▲
                                                               │ CloudWatch data source
Users ──► Route 53 / ALB ──► Network Firewall (public subnet)
                                     │ SNI allow-list          │
                                     ▼                         │
                           NAT GW (protected subnet)           │
                                     │                         │
               ┌─────────────────────┘                         │
               │                                               │
               ▼                                               │
     ┌── EKS Auto Mode cluster ──┐                             │
     │ (Bottlerocket nodes,      │                             │
     │  weekly AMI replacement,  │                             │
     │  PDBs + NDBs,             │                             │
     │  off-peak windows)        │                             │
     │                           │                             │
     │ Namespace A (tenant 1)    │                             │
     │   Deployments (Helm)      │                             │
     │   HPA auto-scaling        │                             │
     │   Stateless-only pods     │                             │
     │   ExtSecretsOperator      │ ◄── Secrets Manager         │
     │                           │                             │
     │ Namespace B (tenant 2)    │                             │
     │   ...                     │                             │
     └────────────┬──────────────┘                             │
                  │                                            │
                  ▼                                            │
     CloudWatch Logs / Metrics ────────────────────────────────┘
     GuardDuty (EKS audit + runtime + CloudTrail)
     Inspector (ECR → running containers)
     Cost: cluster-name / namespace / deployment / node cost-allocation
           tags → Cost Explorer (unified with non-EKS AWS spend)
           Savings Plans applied to compute
```
## Well-Architected pillar mapping
The source organises the design around AWS's six Well-Architected pillars:
- Operational Excellence — EKS Auto Mode handles node lifecycle, OS upgrades, add-on upgrades, cluster-version upgrades. Shared platform-style multi-tenant cluster with namespace-scoped observability.
- Reliability — PDBs + NDBs + off-peak maintenance windows (patterns/disruption-budget-guarded-upgrades); HPA auto-scaling; stateless-only pods simplify recovery.
- Performance Efficiency — Auto Mode picks instance sizes from a customer-defined pool; HPA scales pods on real traffic; pods treated as immutable.
- Security — GuardDuty (EKS protection + runtime), Inspector (ECR vulns with running-pod context), Network Firewall (SNI egress allow-list), ESO + Secrets Manager (env-var secret injection), IAM integration.
- Cost Optimization — EKS Auto Mode's right-sizing + AWS Billing split cost allocation data for EKS (cluster-name / deployment / namespace / node tags) + Savings Plans.
- Sustainability — right-sizing via Auto Mode; minimising over-provisioned footprint.
## Operating principles (stated by Generali)
- Only stateless micro-services on EKS.
- Pods treated as immutable — upgrade by replacement.
- Helm charts as the standardised deployment mechanism across services.
- HPA-based traffic-driven pod auto-scaling.
These four compound: stateless-only makes pod immutability cheap; pod immutability makes HPA safe; Helm encodes all three as template defaults; and the composition is what makes EKS Auto Mode's platform-driven node churn compatible with production workloads.
## Named failure modes handled
- Auto Mode weekly AMI replacement terminates all replicas at once → Pod Disruption Budgets.
- Simultaneous bulk node replacement → Node Disruption Budgets.
- Off-peak alignment → customer-configured maintenance window.
- Stateful pod migration during node churn → avoided structurally by the stateless-only rule.
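The first and last failure modes above (all replicas evicted at once; stateful pods caught in node churn) are the ones a platform team can check for before a maintenance window, not just after. The block below is an added example, not Generali's or AWS's code, that does that check for one Deployment: it computes how many voluntary evictions a PDB permits and flags the cases where the budget is absent, lets every replica go, or permits nothing (which stalls the drain). The arithmetic follows the Kubernetes disruption controller as I understand it (a percentage `minAvailable` or `maxUnavailable` is scaled against the replica count and rounded up); the Deployment and PDB manifests are constructed for the example.

```python
"""Added example (not Generali's or AWS's code): pre-maintenance PDB and
stateless-only check. Rounding mirrors the Kubernetes disruption controller
as I understand it; manifests below are constructed."""
import math
from typing import List, Optional, Union

IntOrStr = Union[int, str]

def _scaled(value: IntOrStr, total: int) -> int:
    """IntOrString: '50%' -> ceil(0.5 * total); a plain int passes through."""
    if isinstance(value, str) and value.endswith("%"):
        return math.ceil(int(value[:-1]) * total / 100)
    return int(value)

def disruptions_allowed(replicas: int, healthy: int,
                        min_available: Optional[IntOrStr] = None,
                        max_unavailable: Optional[IntOrStr] = None) -> int:
    """Voluntary evictions the budget permits right now (never negative)."""
    if max_unavailable is not None:
        desired_healthy = max(replicas - _scaled(max_unavailable, replicas), 0)
    elif min_available is not None:
        desired_healthy = _scaled(min_available, replicas)
    else:
        desired_healthy = 0            # no budget: every pod is evictable
    return max(healthy - desired_healthy, 0)

def assess(deployment: dict, pdb: Optional[dict]) -> List[str]:
    """Findings for one Deployment ahead of a cluster-wide node replacement."""
    findings: List[str] = []
    spec = deployment["spec"]
    replicas = spec.get("replicas", 1)
    volumes = spec["template"]["spec"].get("volumes", [])
    if any("persistentVolumeClaim" in v for v in volumes):
        findings.append("stateful: PVC mounted, violates the stateless-only rule")
    if replicas < 2:
        findings.append("fewer than 2 replicas: no PDB can keep it up while its node drains")
    if pdb is None:
        findings.append("no PDB: a bulk node replacement may evict every replica at once")
        return findings
    ps = pdb["spec"]
    allowed = disruptions_allowed(replicas, replicas,
                                  ps.get("minAvailable"), ps.get("maxUnavailable"))
    if allowed == 0 and replicas > 0:
        findings.append("PDB permits 0 disruptions: node drains will stall")
    elif allowed >= replicas:
        findings.append("PDB permits all replicas down at once: same as no PDB")
    return findings

# Constructed manifests (not from the source), reduced to the fields used above.
QUOTE_API = {"kind": "Deployment", "metadata": {"name": "quote-api"},
             "spec": {"replicas": 4,
                      "template": {"spec": {"containers": [{"name": "api"}]}}}}
QUOTE_API_PDB = {"kind": "PodDisruptionBudget", "metadata": {"name": "quote-api"},
                 "spec": {"minAvailable": "50%",
                          "selector": {"matchLabels": {"app": "quote-api"}}}}
LEDGER = {"kind": "Deployment", "metadata": {"name": "batch-ledger"},
          "spec": {"replicas": 1,
                   "template": {"spec": {
                       "containers": [{"name": "ledger"}],
                       "volumes": [{"name": "data",
                                    "persistentVolumeClaim": {"claimName": "ledger-pvc"}}]}}}}

if __name__ == "__main__":
    for name, dep, pdb in (("quote-api", QUOTE_API, QUOTE_API_PDB),
                           ("batch-ledger", LEDGER, None)):
        print(name, "->", assess(dep, pdb) or ["ok"])
```

This covers only the pod side of the pattern; the Node Disruption Budget that bounds how many nodes Auto Mode replaces concurrently is configured on the node pool and is what keeps `disruptions_allowed` from being exhausted by several drains running at once. Running a check like this over every namespace in the Helm pipeline is the cheap way to make the stateless-only and PDB rules enforceable rather than advisory.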
## Reported outcomes (qualitative)
- "Significant reduction in operational overhead with EKS Auto Mode."
- "Enhanced security with automated threat detection and response."
- "Reduction in infrastructure costs through optimization."
- "Improved mean-time-to-resolution."
- "Accelerated application deployment cycles."
No percentages, cluster sizes, pod counts, or cost deltas published.
## Stated future scope
- Hosting AI models on the same EKS platform.
- Hosting upcoming "agentic applications" on the same EKS platform.
No architectural detail given for either.
## Seen in
- sources/2026-03-23-aws-generali-malaysia-eks-auto-mode — the sole source for this platform as of 2026-04-21. Tier-1 (AWS Architecture Blog) customer-case-study format: substance is in the integration topology, not in quantified outcomes.
## Related
- systems/aws-eks, systems/eks-auto-mode, systems/bottlerocket, systems/kubernetes
- systems/amazon-guardduty, systems/amazon-inspector, systems/aws-network-firewall, systems/external-secrets-operator, systems/amazon-managed-grafana, systems/aws-secrets-manager
- concepts/well-architected-framework, concepts/shared-responsibility-model, concepts/pod-disruption-budget, concepts/egress-sni-filtering
- patterns/runtime-vulnerability-prioritization, patterns/eks-cost-allocation-tags, patterns/disruption-budget-guarded-upgrades