Spacelift + ServiceNow = Self-Service IaC Without the Learning Curve

➡️ Register Now

Kubernetes

Kubernetes CI/CD Pipelines – 8 Best Practices and Tools

CI/CD Pipelines with Kubernetes | Best Practices and Tools

🚀 Level Up Your Infrastructure Skills

You focus on building. We’ll keep you updated. Get curated infrastructure insights that help you make smarter decisions.

CI/CD pipelines enhance the software delivery process by automating key stages such as testing, security scanning, and deployment. Adopting a pipeline-based workflow helps you ship more quickly by passing all code through a consistent set of steps, guaranteeing that required standards are adhered to.

You’ll achieve the greatest CI/CD success when you combine the right tools for your team’s situation. With so many platforms available, it can be challenging to select an optimal solution.

In this article, you’ll learn some best practices and techniques for managing CI/CD pipelines with Kubernetes. You can use these strategies to automate deployments straight to your production clusters. Let’s dive in!

Is Kubernetes used for CI/CD?

Kubernetes is commonly used to support CI/CD processes by automating the deployment, scaling, and management of containerized applications. It allows development teams to continuously deliver updates with minimal downtime, making it ideal for modern DevOps workflows. In a CI/CD pipeline, Kubernetes can orchestrate environments dynamically, ensuring consistency and efficiency from testing to production.

While Kubernetes does not directly provide CI/CD functionalities, it serves as a powerful platform for hosting CI/CD tools and running deployment pipelines, especially for cloud-native applications. Kubernetes manages containerized applications by handling scaling, health checks, and updates, ensuring consistency and reliability throughout the software delivery lifecycle.

Using Kubernetes with CI/CD pipelines helps you automatically deploy applications whenever your source code changes. You can improve the Kubernetes management experience by automating key tasks. CI/CD also provides an opportunity to verify new deployments meet the standards you expect, such as passing your test suite and being free from security issues.

Nonetheless, integrating Kubernetes into CI/CD workflows can create new problems. Cluster administrators often struggle to see what’s actually running in their environments, while addressing any deployment failures can be time-consuming. Integrations are also potential security risks, as compromising your CI/CD provider could let attackers access your clusters.

Below are some tips on how you can address these drawbacks by confidently combining CI/CD and Kubernetes.

Best practices for CI/CD and Kubernetes

CI/CD and Kubernetes are a powerful combo, but they also come with a steep learning curve. Here are some best practices that’ll help you build reliable, scalable, and maintainable pipelines and deployments.

The best practices for CI/CD and Kubernetes include:

  1. Use GitOps
  2. Scan your container images
  3. Use Helm to manage deployments
  4. Ensure there’s a rollback mechanism
  5. Use immutable image tags
  6. Follow Kubernetes security best practices
  7. Try pull-based CI/CD workflows
  8. Automate drift detection

1. Use GitOps

The term GitOps refers to the practice of keeping your infrastructure configuration as files in your source control repository. Managing everything with Git ensures every essential resource is versioned. It also means you can reference any resource within your pipelines, so you can check the validity of your config and quickly identify any errors.

gitops

Manually triggering pipelines from external systems is unreliable and error-prone. Using Git to run a pipeline each time you commit ensures changes can’t slip through to production unnoticed. If you need to revert a deployment, you can check out an older commit and replay the pipeline.

See the top GitOps tools to use for your workflows.

2. Scan your container images

Deploying container images straight to Kubernetes is a security risk. Your images could include zero-day vulnerabilities, accidentally hardcoded secrets, or a malicious package that’s infiltrated your supply chain.

To stay safe, you can use your pipeline to perform image vulnerability scans. By aborting the rest of the pipeline if a fault is found, you can prevent new vulnerabilities from being silently pushed into your cluster.

You can use tools such as Snyk to generate your reports. Snyk also powers the docker scan command that’s integrated into Docker’s CLI.

3. Use Helm to manage deployments

Applying Kubernetes manifests individually is problematic because files can get overlooked. Packaging your applications as Helm charts lets you version your manifests and easily repeat deployments into different environments. Helm tracks the state of each deployment as a “release” in your cluster.

Helm also simplifies configuration management. When you install your charts, you can easily supply variables, either using YAML files or as command-line arguments. This lets you conveniently override specific variables within your pipeline scripts.

Check out this Kustomize vs. Helm comparison.

4. Ensure there's a rollback mechanism (and check it works!)

Continuous delivery (CD) pipelines are great until they break. When this happens in Kubernetes, it can be unclear how to proceed. Your deployment could be stuck in a failed state, unable to transition into the newly desired one.

Make sure you’ve got a reliable rollback strategy ready to deal with these events. If you’re using GitOps, you should be able to rollback by reverting to a previous commit and then running your pipeline again. The old revision will now be new once more, enabling it to replace the bad state in your cluster.

Stateful workloads, such as databases, might need additional steps in case the failed deployment partially migrated some data while leaving other components stuck on the old version. Your rollback strategy should be capable of preserving and restoring persistent data when required. 

Finally, make sure your rollback system actually works – many teams discover bugs in their rollback scripts during real incidents.

5. Use immutable image tags

Image tag immutability makes your deployments reproducible and helps enable resilient rollbacks. Always deploying my-app:latest is dangerous because the exact image that’s selected could change each time.

It’s much safer to tag each image you build uniquely. Using a truncated commit SHA is a popular strategy, resulting in tags like my-app:0ab43f. This allows you to easily cross-reference commits against the image artifacts and deployments they create. If you need to roll back, you can modify your Kubernetes deployment to refer to the image built from the previous commit.

Download The Practitioner’s Guide to Scaling Infrastructure as Code

cheatsheet_image

6. Follow Kubernetes security best practices

It’s important to keep following standard Kubernetes security best practices when you’re integrating your clusters with CI/CD platforms: 

  • Harden your environment by enabling etcd encryption
  • Set up precise RBAC permissions for your CI/CD user accounts.
  • Ensure any sensitive config values are added to Secrets instead of plain ConfigMaps.

Check that your CI/CD platform only exposes your cluster connections to projects and users you’ve specifically authorized. Remember that anyone who can commit to your project could send malicious code through the pipeline into your Kubernetes cluster.

7. Try pull-based CI/CD workflows

There are two main ways to connect CI/CD systems to Kubernetes:

  • Push-based workflows rely on the CI/CD platform being provided with certificates and credentials that let it reach out to your Kubernetes cluster. You then use familiar tools such as Kubectl and Helm to push changes into Kubernetes from the outside.
  • Pull-based workflows run an agent utility inside the cluster. The agent is given credentials for your source-control system. Its access should be scoped to just the projects it needs to deploy. The agent periodically looks for changes and pulls them into the cluster. This inverts the push-based model.

Pull-based CI/CD is increasingly popular because it provides stronger protection for your cluster. To be effective, push-based workflows require privileged Kubernetes credentials to be stored on your source control server. If the server’s compromised, attackers could steal the credentials, access your cluster, and perform arbitrary actions. 

With a pull-based workflow, attacks against the CI/CD platform won’t grant access to your entire cluster.

8. Automate drift detection

In any Kubernetes environment, it is critical to align your desired system state with the actual state running in the cluster. Over time, this consistency can break down due to what’s known as configuration drift

Drift occurs when changes are made directly to the cluster, perhaps via kubectl, hotfixes, or a third-party tool, without those changes being reflected in version control. This can lead to fragile deployments, security vulnerabilities, and unexpected behavior that’s difficult to troubleshoot.

To mitigate this risk, it’s important to automate drift detection. That means regularly comparing the live state of your cluster with the declared state in Git or your infrastructure-as-code setup. This way, you can catch any differences early and either alert the team or automatically correct them.

Beyond GitOps tools, you can also integrate drift detection at the infrastructure level using something like Terraform (or OpenTofu). For example, you can run automated terraform plan checks on a schedule or as part of your CI pipeline to see if anything’s changed outside of the expected workflow.

Terraform doesn’t directly manage Kubernetes resources inside the cluster, unless you’re using providers like kubernetes or helm, but it’s still a powerful tool for handling the cloud infrastructure pieces your workloads rely on, like networking, databases, or storage.

5 Tools for effective CI/CD with Kubernetes

None of these best practices needs to be difficult. You should aim to create a toolchain that supports you in efficiently running CI/CD pipelines with Kubernetes, while avoiding security problems and common mistakes. 

Here are five CI/CD Kubernetes tools you can try out.

GitLab

GitLab is one of the most popular all-in-one software delivery platforms. It includes source management and CI/CD functions with excellent Kubernetes integration.

Modern GitLab releases have transitioned to a pull-based workflow using the GitLab Agent for Kubernetes. The agent runs in your cluster and is authorized to access specific GitLab projects. You can then interact with Kubernetes from within your pipeline scripts. All communication flows securely through the agent.

GitHub Actions

GitHub Actions is GitHub’s CI/CD solution. You can use it to run automated tasks each time you change your code. Although the platform lacks a built-in Kubernetes integration, third-party plugins such as Azure’s Deploy to Kubernetes Cluster action can automate deployments and manage different rollout strategies.

Read more: How to deploy Kubernetes with GitHub Actions?

Argo CD

Argo CD is a continuous delivery tool that’s purpose-built for Kubernetes. It’s maintained as a Cloud Native Computing Foundation (CNCF) project.

Argo is installed in your cluster as a Kubernetes controller. It monitors your applications and identifies any differences compared with your source control repository. When drift occurs, Argo will automatically resynchronize the state by pulling your code and updating the resources in your cluster. It facilitates fully automated Kubernetes deployments.

Read more about this tool in our ArgoCD – Practical Tutorial With Kubernetes article.

Kubectl and Helm

You can use existing Kubernetes CLIs such as Kubectl and Helm within your own CI/CD scripts. You will need to supply credentials that let the CLIs authenticate with your cluster, creating a push-based workflow.

This method can be more approachable and easier to set up than using a dedicated tool, especially if you’re only experimenting with Kubernetes. It lets you use the same commands you run on your workstation to roll out changes within your pipelines.

Spacelift

Spacelift brings the benefits of CI/CD to infrastructure management. You can use Spacelift to deploy changes to Kubernetes with GitOps while benefiting from robust security policies and automated compliance checks. 

Spacelift also works with other infrastructure as code (IaC) providers, so you can use similar techniques to manage every component of your stack.

Novibet logo in white

Novibet is in the cloud, and everything is provisioned through Terraform, which the team previously managed using GitHub Actions. However, as the organization scaled, managing Novibet’s IaC through a generic CI/CD platform began to stretch the capabilities of both the tool and the DevOps team. The Spacelift platform has enabled the team to deploy faster and with greater control as they move toward a platform engineering mindset and enable autonomy with guardrails.

Spacelift customer case study

Read the full story

Why Kubernetes for CI/CD?

Despite some initial complexity, integrating Kubernetes with your CI/CD workflows offers a range of practical benefits that align well with modern DevOps practices:

  • Automated, scalable deployments – Kubernetes streamlines the deployment process by automating routine tasks and enabling dynamic scaling of workloads, which helps reduce manual intervention and the potential for errors.
  • Consistent environments – Kubernetes uses infrastructure as code (IaC) to help maintain consistency across development, staging, and production environments, minimizing environment-specific issues.
    Controlled updates and rollbacks – Built-in support for rolling updates and automated rollbacks allows for smoother deployments and quicker recovery from issues, contributing to greater release stability.
  • Parallel processing for faster delivery – CI/CD pipelines can leverage Kubernetes’ distributed architecture to run tasks in parallel, which can significantly reduce build, test, and deployment times.
  • Security and access management – Kubernetes offers fine-grained access control through features like RBAC, namespaces, and network policies, supporting better isolation and governance within your CI/CD workflows.

Key points

Using CI/CD with Kubernetes allows you to automate deployments, rapidly scale your services, and be confident that all live code has passed your test suite. The two technologies pair well if you follow the best practices we’ve explored.

When selecting a CI/CD pipeline solution for Kubernetes, assess the integration’s depth and consider its security model, rollback mechanisms, and support for your source management system.

You can use CI/CD to apply infrastructure changes using IaC techniques, either to Kubernetes or other tools such as Ansible and Terraform. Check out Spacelift to collaborate on infrastructure with full control and flexibility. It includes role-based security policies, detailed usage insights, and full visibility into everything running in your cloud accounts.

The most flexible CI/CD automation tool

Spacelift is an alternative to using homegrown solutions on top of a generic CI. It helps overcome common state management issues and adds several must-have capabilities for infrastructure management.

Learn more

Kubernetes Commands Cheat Sheet

Grab our ultimate cheat sheet PDF

for all the kubectl commands you need.

k8s book
Share your data and download the cheat sheet