In 2026, most platform teams are running a hybrid stack: traditional IaC tools like Terraform or Pulumi handling cloud resource provisioning, Helm or Kustomize managing Kubernetes application config, and GitOps controllers like ArgoCD or Flux handling continuous delivery. On top of that, a new category has emerged — AI workspaces that sit above all of these tools and make the running state of your infrastructure queryable without requiring every engineer to memorize kubectl flags and Helm chart schemas.
This article walks through the modern IaC tools for Kubernetes-native workflows, where each fits, and where the gaps are — including the operational gap that IaC tools structurally cannot fill.
The IaC Landscape in 2026
Terraform is still dominant. Despite HashiCorp's BSL license change in 2023, most enterprises are still running it, and OpenTofu — the open-source fork maintained by the Linux Foundation — has matured quickly enough to be a credible drop-in replacement for teams that want to stay fully open-source. Pulumi has carved out meaningful adoption among developer-centric teams who want to write infrastructure in TypeScript, Python, or Go rather than HCL.
On the Kubernetes side, the GitOps model has become mainstream. ArgoCD and Flux are no longer "forward-thinking choices" — they are table stakes at organizations running Kubernetes in production. Crossplane has crossed from experimental to genuinely production-viable, with several organizations using it to manage AWS and GCP resources entirely through Kubernetes CRDs.
The other development is the emergence of AI tooling that sits above IaC. It does not replace Terraform or Helm; it makes the infrastructure those tools manage legible to the humans and agents who need to operate it day to day.
What "Kubernetes-Native" Actually Means
The phrase gets used loosely, so it is worth being precise. A Kubernetes-native IaC tool manages infrastructure resources as Kubernetes objects — Custom Resource Definitions (CRDs) that live in the cluster's etcd, go through the standard Kubernetes API, and are reconciled by controllers running inside the cluster.
Crossplane is the canonical example. When you define an AWS RDS instance in Crossplane, you write a Claim manifest. Kubernetes reconciles it. The RDS instance appears in kubectl get output. Its state is visible through the Kubernetes API, not through a separate state file or Terraform backend.
This is different from using Terraform with the Kubernetes provider. In that model, Terraform manages Kubernetes resources externally — the state lives in a Terraform backend, and Kubernetes itself has no awareness that Terraform is managing those resources. Both approaches work, but they have meaningfully different operational characteristics: Kubernetes-native tools benefit from the cluster's reconciliation loop and API observability; external IaC tools are more portable but require separate state management.
Tool-by-Tool Breakdown
Terraform
Terraform remains the most widely adopted IaC tool. Its HCL DSL is readable and its provider ecosystem is unmatched — virtually every cloud service and SaaS API has a maintained provider. For Kubernetes, teams typically use Terraform to provision the cluster itself (EKS, GKE, AKS) and then hand off to Helm or Kustomize for workload management. The main pain point is state file management: drift detection is manual, remote state backends add complexity, and large state files become slow to plan. Best for teams that need broad cloud coverage and have existing Terraform expertise.
OpenTofu
OpenTofu is the CNCF-sandbox fork of Terraform, created in response to HashiCorp's license change. It is HCL-compatible, meaning existing Terraform configurations migrate with minimal changes, and it has been adding features that Terraform has not. The provider ecosystem is shared. For most teams evaluating a switch, the operational difference is small — the main reason to choose OpenTofu is license compliance or avoiding vendor lock-in. It is a credible production choice and growing fast.
Pulumi
Pulumi lets you write infrastructure in TypeScript, Python, Go, C#, or Java. For developer-centric teams, this is a meaningful advantage: existing testing frameworks, type systems, and IDE support all apply to infrastructure code. Pulumi's Kubernetes integration is strong, with first-class support for Helm charts, Kustomize, and raw YAML manifests. The tradeoff is readability — IaC embedded in a Python program is less approachable than HCL for operators who did not write it.
Helm
Helm is the de facto Kubernetes package manager. If you are deploying any non-trivial Kubernetes application in 2026, you are almost certainly either consuming a Helm chart or maintaining one. It handles templating, versioning, and release management of Kubernetes manifests. The friction is also real: Helm templates combine Go templating syntax with YAML in ways that produce notoriously hard-to-debug output, and deeply nested value overrides in large charts can be difficult to reason about. That said, no tool has displaced it for application packaging and distribution.
Kustomize
Kustomize takes the opposite approach from Helm — no templating engine, just structured overlays applied to base YAML. It is built into kubectl (kubectl apply -k), which means no separate binary. For teams with straightforward environment promotion needs (dev/staging/prod with small differences), Kustomize is often simpler and more maintainable than Helm. It does not handle versioning or release management the way Helm does, so many teams use both: Helm for third-party chart deployment, Kustomize for their own application manifests.
Crossplane
Crossplane turns your Kubernetes cluster into a control plane for cloud resources. You define AWS S3 buckets, GCP Cloud SQL instances, or Azure VNets as Kubernetes CRDs, and Crossplane reconciles them against the actual cloud APIs. The major advantage is a unified control plane: cloud resources and workloads share the same Kubernetes API, RBAC, and event streams. The major disadvantage is complexity — building Crossplane Compositions requires dedicated platform engineering investment. Best suited for teams building internal developer platforms where the abstraction layer earns its maintenance cost.
ArgoCD
ArgoCD is a GitOps continuous delivery controller for Kubernetes. It watches Git repositories, compares the declared state in Git to the live cluster state, detects drift, and either alerts on it or reconciles automatically. ArgoCD has a mature UI, supports Helm and Kustomize natively, and handles multi-cluster deployments well. It has become the default GitOps choice for teams that want a full-featured, UI-backed GitOps operator.
Flux
Flux is the other major GitOps controller, maintained by the CNCF. It is lighter than ArgoCD and takes a more composable, controller-based approach. Flux integrates well with Helm via the HelmRelease CRD and is often preferred by teams that want a more minimal, Kubernetes-native feel — everything is a CRD, and the reconciliation model is idiomatic. There is no built-in UI (though Weave GitOps adds one), so teams that need a dashboard usually pick ArgoCD.
The Workflow That Actually Works in 2026
For most platform engineering teams, the stack that is working in production looks like this:
Terraform or OpenTofu for provisioning cloud infrastructure — VPCs, EKS/GKE clusters, RDS instances, IAM roles. These are resources where Terraform's provider ecosystem and declarative plan/apply cycle are hard to beat.
Helm and/or Kustomize for managing Kubernetes workloads — application deployments, ConfigMaps, Services, Ingress rules. Helm for third-party dependencies (cert-manager, ingress-nginx, Prometheus), Kustomize for in-house application configuration.
ArgoCD or Flux as the GitOps delivery layer — syncing the above from Git, providing drift detection, and giving the team a source of truth that is not "what a human last ran on their laptop."
Crossplane where teams need to provision cloud resources from within the cluster and have the platform capacity to build and maintain Compositions.
This is not a revolutionary stack. It is the stack that has converged across platform teams because each tool does its job well within its scope. What the stack lacks is an operational layer for understanding what is actually running.
See how this connects to broader AI-assisted DevOps team workflows for teams managing multiple clusters and environments.
The Gap IaC Tools Don't Fill
IaC tools are provisioning and change management tools. They are designed to answer one question: "Does what exists match the declared state?" They are not designed to answer operational questions about the live state of running workloads.
Some questions that are routine in production but that IaC tools cannot answer:
- Why is this pod in a crash loop, and how does it relate to the Helm release that deployed thirty minutes ago?
- What are the actual resource requests and limits across all Deployments in the staging namespace, and how much headroom is left?
- Which ArgoCD Application last synced, and what changed in that sync?
- Is this Crossplane Claim stuck, and if so, what is the controller reporting?
- What Helm releases are currently deployed across all clusters, and are any of them running charts with known CVEs?
These questions require correlating live cluster state — pod logs, events, CRD status conditions, Helm release history — with the IaC definitions that produced that state. No IaC tool surfaces this. kubectl can surface it, but it requires the right commands, the right flags, and the ability to interpret the output, and that knowledge is unevenly distributed across a team.
This is the operational gap. It exists in every IaC-managed Kubernetes environment, and it tends to manifest as senior engineers spending disproportionate time answering questions that could be answered by anyone with the right interface to the data.
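Two of the questions above (is this Crossplane Claim stuck, and which pods are crash-looping and from which Helm release) reduce to reading fields that kubectl already returns. The script below is an added example, not code from the original article or from Clanker Cloud or Crossplane. It assumes the objects have the shape of `kubectl get <kind> -o json` output, that Crossplane sets the `Synced` and `Ready` conditions on claims, and that the chart follows the `helm create` convention of labelling pod templates with `app.kubernetes.io/instance` set to the release name; the claim and pods are constructed samples embedded inline so it runs offline.

```python
"""Answer two 'operational gap' questions from live-state objects.

Added example (not Clanker Cloud's or Crossplane's code). Input shape is
assumed to match `kubectl get ... -o json`; samples below are constructed.
"""
from __future__ import annotations

# Constructed sample: a Crossplane claim whose provider cannot reconcile it.
SAMPLE_CLAIM = {
    "kind": "PostgreSQLInstance",
    "metadata": {"name": "payments-db", "namespace": "payments"},
    "status": {
        "conditions": [
            {"type": "Synced", "status": "False", "reason": "ReconcileError",
             "message": "cannot create RDS instance: InvalidParameterValue"},
            {"type": "Ready", "status": "False", "reason": "Creating", "message": ""},
        ]
    },
}

# Constructed sample: two pods; one crash-looping, deployed by Helm release "checkout".
SAMPLE_PODS = [
    {
        "metadata": {"name": "checkout-7d9f-abc12", "namespace": "payments",
                     "labels": {"app.kubernetes.io/instance": "checkout"}},
        "status": {"containerStatuses": [
            {"name": "app", "restartCount": 7,
             "state": {"waiting": {"reason": "CrashLoopBackOff"}},
             "lastState": {"terminated": {"reason": "Error", "exitCode": 1}}},
        ]},
    },
    {
        "metadata": {"name": "ledger-5c4b-xyz99", "namespace": "payments", "labels": {}},
        "status": {"containerStatuses": [
            {"name": "app", "restartCount": 0, "state": {"running": {}}, "lastState": {}},
        ]},
    },
]


def conditions(obj: dict) -> dict[str, dict]:
    """Index a Kubernetes object's status.conditions by condition type."""
    return {c["type"]: c for c in obj.get("status", {}).get("conditions", [])}


def claim_status(claim: dict) -> tuple[bool, str]:
    """Decide whether a Crossplane claim is stuck and surface the controller's message.

    Synced=False means the controller could not reconcile with the provider API;
    Ready=False with a reason other than the transient 'Creating' means the
    external resource exists but is not usable. Either counts as stuck.
    """
    conds = conditions(claim)
    synced, ready = conds.get("Synced", {}), conds.get("Ready", {})
    if synced.get("status") == "False":
        return True, f"Synced=False ({synced.get('reason')}): {synced.get('message', '')}"
    if ready.get("status") == "False" and ready.get("reason") != "Creating":
        return True, f"Ready=False ({ready.get('reason')}): {ready.get('message', '')}"
    if ready.get("status") == "True":
        return False, "Ready"
    return False, "still creating"


def crashlooping(pods: list[dict], min_restarts: int = 3) -> list[dict]:
    """List containers in CrashLoopBackOff (or restarted often), with their Helm release."""
    found = []
    for pod in pods:
        release = pod["metadata"].get("labels", {}).get("app.kubernetes.io/instance")
        for cs in pod.get("status", {}).get("containerStatuses", []):
            waiting = cs.get("state", {}).get("waiting", {}).get("reason")
            if waiting == "CrashLoopBackOff" or cs.get("restartCount", 0) >= min_restarts:
                last = cs.get("lastState", {}).get("terminated", {})
                found.append({"pod": pod["metadata"]["name"], "container": cs["name"],
                              "restarts": cs.get("restartCount", 0),
                              "helm_release": release, "last_exit": last.get("reason")})
    return found


if __name__ == "__main__":
    stuck, why = claim_status(SAMPLE_CLAIM)
    print(f"claim stuck={stuck}: {why}")
    for entry in crashlooping(SAMPLE_PODS):
        print(entry)
```

The same two functions work on real output piped from `kubectl get <claim-kind> -o json` and `kubectl get pods -o json`; the point is that the correlation (condition reason plus provider message, restart state plus release label) is what an operator wants in one answer, and none of it lives in the IaC definition.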
Where Clanker Cloud Fits
Clanker Cloud is an AI workspace for infrastructure that sits above the IaC layer. It does not replace Terraform, Helm, or ArgoCD — it connects to your existing Kubernetes clusters (and AWS, GCP, Azure, Cloudflare, Hetzner, DigitalOcean, and GitHub) and makes the running state of that infrastructure queryable in plain English.
Practical examples of what this means:
- "What Helm releases are deployed in the production cluster and what versions are they running?" — answered by querying live Helm state, not by reading a values file.
- "What changed in the last ArgoCD sync for the payments Application?" — answered by reading the ArgoCD sync history and diff, without navigating the ArgoCD UI.
- "Is this Crossplane claim stuck, and what is the provider reporting?" — answered by inspecting the CRD status conditions and related events.
- "Which pods have been restarting in the last hour and what are the last log lines before each crash?" — answered by correlating pod event history and log output.
The BYOK model means you bring your own AI key — Gemma 4, Claude Code, Codex, Hermes — and no infrastructure data leaves your environment through Clanker Cloud's servers. The local-first desktop app means the AI has direct access to cluster state without a cloud intermediary.
For teams building internal developer platforms, this addresses the knowledge distribution problem: a developer who does not know Kubernetes well can ask plain-English questions and get answers based on the actual live state of the cluster, not a documentation page about what the state should theoretically be.
Explore the demo to see how this works against a real cluster, or check the FAQ for common setup questions.
Agent Integration via MCP
Clanker Cloud exposes an MCP endpoint, which means AI coding agents — Claude Code, Codex, or any MCP-compatible agent — can query live Kubernetes state as a tool call during code generation.
The practical implication: when Claude Code is writing a Terraform module or a Helm values file, it can call the Clanker Cloud MCP endpoint to inspect what is actually running in the target cluster before generating the configuration. A Deployment manifest generated with knowledge of the actual node resource limits, actual namespace resource quotas, and actual existing label selectors is more likely to apply cleanly than one generated against assumed or documented values.
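The check an agent would run before emitting that manifest, and the "how much headroom is left" question from the gap section above, are the same computation: sum the proposed Deployment's requests across replicas and compare them with the namespace ResourceQuota's `status.hard` minus `status.used`. The script below is an added example, not code from the original article, from Clanker Cloud, or from Kubernetes. It assumes the quota has the shape of `kubectl get resourcequota -o json` output and that the Deployment is the manifest about to be applied; both are constructed samples embedded inline so it runs offline. The quantity parser handles the common suffixes (`m`, `k`/`M`/`G`/`T`, `Ki`/`Mi`/`Gi`/`Ti`) and not the exponent form.

```python
"""Quota-aware pre-apply check for a Deployment (added example, not project code).

Compares replicas x container requests against the live ResourceQuota headroom,
which is what the quota admission controller will enforce when pods are created.
"""
from __future__ import annotations
import re

# Kubernetes quantity suffixes: decimal SI and binary (power-of-two) forms.
_MEM_SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
               "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)([a-zA-Z]*)$")


def parse_cpu(q: str) -> int:
    """CPU quantity to millicores: '500m' -> 500, '2' -> 2000, '1.5' -> 1500."""
    m = _QTY.match(q)
    if not m or m.group(2) not in ("", "m"):
        raise ValueError(f"unsupported cpu quantity {q!r}")
    value, suffix = m.groups()
    return round(float(value) * (1 if suffix == "m" else 1000))


def parse_mem(q: str) -> int:
    """Memory quantity to bytes: '256Mi' -> 268435456, '1G' -> 1000000000."""
    m = _QTY.match(q)
    if not m or m.group(2) not in _MEM_SUFFIX:
        raise ValueError(f"unsupported memory quantity {q!r}")
    value, suffix = m.groups()
    return round(float(value) * _MEM_SUFFIX[suffix])


# Constructed sample: the namespace's live quota as the API server reports it.
SAMPLE_QUOTA = {
    "kind": "ResourceQuota",
    "metadata": {"name": "staging-compute", "namespace": "staging"},
    "status": {"hard": {"requests.cpu": "8", "requests.memory": "16Gi"},
               "used": {"requests.cpu": "6500m", "requests.memory": "12Gi"}},
}

# Constructed sample: the Deployment an agent proposes to apply into that namespace.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "staging"},
    "spec": {"replicas": 3, "template": {"spec": {"containers": [
        {"name": "api", "resources": {"requests": {"cpu": "500m", "memory": "1Gi"}}},
        {"name": "sidecar", "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}}},
    ]}}},
}


def deployment_requests(dep: dict) -> dict[str, int]:
    """Total requests the rollout would add: replicas x sum of container requests."""
    replicas = dep["spec"].get("replicas", 1)
    cpu = mem = 0
    for c in dep["spec"]["template"]["spec"]["containers"]:
        req = c.get("resources", {}).get("requests", {})
        cpu += parse_cpu(req.get("cpu", "0"))
        mem += parse_mem(req.get("memory", "0"))
    return {"cpu_m": cpu * replicas, "mem_bytes": mem * replicas}


def quota_headroom(quota: dict) -> dict[str, int]:
    """Remaining request capacity: status.hard minus status.used."""
    hard, used = quota["status"]["hard"], quota["status"]["used"]
    return {"cpu_m": parse_cpu(hard["requests.cpu"]) - parse_cpu(used["requests.cpu"]),
            "mem_bytes": parse_mem(hard["requests.memory"]) - parse_mem(used["requests.memory"])}


def fits(dep: dict, quota: dict) -> tuple[bool, dict[str, int]]:
    """Return (ok, shortfall): shortfall per resource is 0 when the rollout fits.

    Admission is checked per pod, but a full rollout needs every replica, so the
    whole set is compared against the headroom here.
    """
    need, room = deployment_requests(dep), quota_headroom(quota)
    shortfall = {k: max(0, need[k] - room[k]) for k in need}
    return all(v == 0 for v in shortfall.values()), shortfall


if __name__ == "__main__":
    print("headroom:", quota_headroom(SAMPLE_QUOTA))
    ok, short = fits(SAMPLE_DEPLOYMENT, SAMPLE_QUOTA)
    print("fits:", ok, "shortfall:", short)
```

With the constructed values, three replicas need 1800m of CPU against 1500m of headroom, so the rollout would be rejected at pod creation; the memory side fits. An agent that runs this before writing the manifest can lower replicas or requests instead of producing a Deployment that applies cleanly and then never schedules its pods.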
This is documented in detail in the "for AI agents" section of the docs. The MCP endpoint is available to any agent that supports the Model Context Protocol, and authentication is handled through the same local-first key management as the rest of Clanker Cloud.
Full API and integration documentation is at docs.clankercloud.ai.
FAQ
What is the best IaC tool for Kubernetes in 2026?
There is no single answer, because the tools operate at different layers. For provisioning the cluster and surrounding cloud infrastructure, Terraform or OpenTofu is the most common choice. For managing Kubernetes workloads within the cluster, Helm and Kustomize cover most cases. For GitOps delivery, ArgoCD is the most widely adopted. Most production teams use at least two or three of these in combination rather than picking one.
What is the difference between Crossplane and Terraform for Kubernetes?
Both can manage cloud resources and Kubernetes resources. The key difference is where the control plane lives. Terraform manages resources externally — the state is in a Terraform backend, and Kubernetes has no native awareness of Terraform-managed resources. Crossplane runs inside the cluster and manages cloud resources as Kubernetes CRDs, meaning everything is visible through the Kubernetes API, RBAC, and event system. Crossplane requires more upfront platform investment but produces a more unified operational model. Terraform is more portable and has a larger provider ecosystem.
How do I manage Kubernetes infrastructure with AI?
The most practical approach is to use an AI workspace that connects to live cluster state rather than generating configuration purely from static code. Tools like Clanker Cloud sit above the IaC layer and let you query the running state of your Kubernetes infrastructure in plain English — which pods are running, what versions are deployed, what the recent ArgoCD sync changed. AI coding agents can also integrate via the MCP protocol to query live cluster state during Terraform or Helm code generation, producing output that matches actual cluster conditions.
Is Helm still the right choice for Kubernetes in 2026?
For most teams, yes — specifically for deploying and managing third-party Kubernetes software (ingress controllers, monitoring stacks, databases, operators). Helm charts are the dominant distribution format for Kubernetes applications, and the release management model (versioned releases, rollback, history) is practically useful. For managing your own application configuration, Kustomize is often simpler. The two are frequently combined: Helm for external dependencies, Kustomize for in-house manifests, both delivered through ArgoCD or Flux.
Get Started
Clanker Cloud is available as a local-first desktop application. Connect your clusters, bring your own AI keys, and start querying your IaC-managed infrastructure in plain English.
Ask Clanker Cloud what your cluster is doing
Install the local app, connect your kubeconfig, and turn cluster state, workload health, cost context, and safe next steps into one readable answer.
