WorkOS vs Kubernetes
Side-by-side trajectory, velocity, and editorial themes.
WorkOS keeps shipping fine-grained identity primitives — for both humans and agents.
The cadence is steady and surgical: small, well-scoped releases across auth (user-scoped API keys, change-email API), authorization (FGA custom roles scoped to resource types, Groups API), admin operability (IT contacts, dashboard metadata editing), and directory enrichment. The recent MCP Auth resource-indicator support and a Node SDK feature-flags runtime client show the platform leaning toward agent/AI use cases and into developer tooling.
WorkOS is widening the identity surface in two directions at once. For humans, it's filling in long-tail B2B IAM gaps — granular API key scoping, self-serve email change, group-level org memberships, custom roles per resource. For agents, it's quietly building MCP Auth as a first-class control point. The two threads will meet at the application authorization layer, where the same FGA model can decide what a user or an agent is allowed to do.
Expect more MCP Auth surface area (token binding, scoped scopes, audit) and continued FGA depth — likely policy-language ergonomics or relationship-based filtering. Feature flags will likely gain server-side targeting and richer SDK coverage beyond Node.
Kubernetes 1.36 leans into AI/ML scheduling and control-plane scaling.
The 1.36 cycle is graduation-heavy, with PSI metrics, declarative validation, and volume group snapshots all promoted to GA. Alongside that, the project is making architectural moves around workload scheduling (a new PodGroup API), API-server safety (Mixed Version Proxy on by default), and very-large-cluster scaling (server-side sharded list and watch in alpha). Etcd 3.7 has hit beta in parallel.
Kubernetes is repositioning the control plane for two pressures at once: AI/ML batch workloads, where gang scheduling and DRA are becoming first-class concerns, and very-large clusters, where the control plane itself needs to shard. The pattern across this cycle is consolidation — old experimental scaffolding is reaching GA or being removed (ExternalIPs), while new APIs land with explicit separation of static template from runtime state. Less feature sprawl, more API hygiene.
Expect 1.37 to push server-side sharded watch toward beta and to keep extending DRA's reach into native resources like memory and networking. Workload-aware scheduling will likely accumulate scheduler-plugin-level coordination patterns next, with downstream batch frameworks starting to converge on the PodGroup shape.
See more alternatives to WorkOS →
See more alternatives to Kubernetes →