GitOps for Kubernetes: the perfect fit?

In this blog series, we’re getting up close and personal with GitOps, bringing you the whats, whys, and hows of this transformational framework. So far, we’ve covered the difference between GitOps and DevOps and some of the challenges GitOps poses. This article takes a look at how GitOps can be used to manage Kubernetes, and the pros and cons of this in practice.

GitOps is an operational framework applied to infrastructure automation. As the name suggests, it’s tied to a specific tool – Git. Git is a popular distributed version control system. It helps teams of developers work together on a codebase. With Git, various branches of code can be stored and worked on before they’re merged into production. And older versions of code are kept, so you can easily roll back to your last good version.

The key mechanism that makes GitOps work is the pull request. It’s the process developers use to submit their code. Developers formally ask for the code they’ve been working on to be integrated into another branch. And a GitOps operator picks up the commit and pulls in the new state declaration from Git. Pull requests give team members the chance to collaborate and reach a consensus.

While GitOps is relevant to all types of infrastructure automation, including virtual machines (VMs) and containers, it’s often touted as an effective way to manage Kubernetes.

Released in 2014 and created by Google, Kubernetes is an open–source platform used to manage containerised applications. Containers are a standardised way to build distributed systems. They package code, configurations, and dependencies into one resource. In essence, this means developers can be confident that whatever machine they’re running their app on and whatever customised settings it has in place, it will run as intended.

Kubernetes can run on any public cloud, private Data Center, or even your laptop. It’s packed with features and hugely popular. The desired state of a system is described in Kubernetes resource files, including pods (workloads, which can consist of one or several containers) and services (the way pods communicate with each other).

How does GitOps work with Kubernetes?

GitOps is a declarative approach, which means it’s focused on the result, rather than the steps you need to take to achieve it. The target system has to be configured declaratively too. This means you ‘declare’ the desired state of your application or cluster. And the computational process that creates this state is done by the system. Kubernetes is a popular example of this in practice.

A developer makes a Git pull request and the code is merged with the main codebase, which triggers the CI/CD pipeline, causing automatic testing, code rebuilding, and deployment. Software agents then notice the update, pull the new code, and update the resource. Seeing a change to the resource definition, a Kubernetes cluster software agent detects that it’s out of date, applies the changes, and deploys your new feature. Voila!

GitOps makes a bold assumption that code for all infrastructure is stored in a revision control system and automatic processes keep the production environment up to date. With many different technologies at play, GitOps depends on a system like Kubernetes to be a successful and efficient infrastructure–as–code process.

But what does GitOps do for Kubernetes? Here are just some of the benefits:

• A known quantity – most of your devs and ops teams will already be familiar with Git, so you can improve processes while maximising existing knowledge.
• Easy approvals implementation – with GitOps, your approvals process is fast and user–friendly. Devs have the right to create pull requests and release managers review and merge the code, but the GitOps Operator applies it.
• Roll it back – with all your changes stored in Git, you can revert commits and get back to a previously successful state when things go wrong. And if something happens to etcd on Kubernetes, you’ll have a natural back–up too.
• Safe and secure – because changes to your Kubernetes cluster go through the Git repository, your CI pipeline doesn’t need access, reducing network access to the Kubernetes API server and the chance of malicious attacks.
• Stored history – Git acts as a single source of truth, so changes can only happen by updating the corresponding Git repository. You get a full history of who made what change and why.
• Not tied to tools – link your Kubernetes cluster using Flux, ArgoCD, or whatever tool you choose. And any popular Git server will do, freeing you up to use what works best for your teams.

It’s clear GitOps and Kubernetes are a great match, but as with all frameworks and the systems they serve, there are some drawbacks. So let’s dive into some of the downsides.

• Scaling environments – GitOps lets you easily scale to thousands of Kubernetes clusters. But deployments are driven by file pull requests, and those files are written and managed by DevOps teams. Each cluster’s configuration values will be different, but the deployment script won’t be able to adjust automatically. As you introduce more and more environments, the pressure on your teams will increase alongside it.
• Only one synchronisation direction – you can only write changes from Git to Kubernetes, but if the state in Kubernetes changes immediately after synchronisation, you’ll have to ignore them to prevent repeat synchronisation.
• Easy to overcomplicate – it might be tempting to develop custom synchronisation solutions, rather than using those already available. But you’d be falling into a common trap. They’ll have the functionality you need Built-in, as well as useful security features that keep your system protected.
• Inaccessible data – when it comes to seeing which changes are moving to your Kubernetes clusters or tracking different container versions, visibility can be limited. Digging through Git data can be a pain, especially once you have multiple branches in place.
• It’s sensitive – Having all your Kubernetes secrets saved in Git raises big security concerns. You’ll need to explore encryption options to keep passwords and credentials protected.

There's a lot to love about a GitOps/Kubernetes approach to infrastructure management. But we know that when it comes to frameworks and tools, there’s no one–size–fits–all solution.  Our latest eBook is packed with the principles, practice, and all the benefits GitOps can bring, no matter which system you’re using.