惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
Apple Machine Learning Research
Apple Machine Learning Research
The Register - Security
The Register - Security
J
Java Code Geeks
V2EX - 技术
V2EX - 技术
Vercel News
Vercel News
N
News and Events Feed by Topic
腾讯CDC
P
Proofpoint News Feed
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
爱范儿
爱范儿
O
OpenAI News
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
Martin Fowler
Martin Fowler
Engineering at Meta
Engineering at Meta
D
Docker
Y
Y Combinator Blog
博客园 - 聂微东
G
Google Developers Blog
S
Security @ Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
S
Schneier on Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
S
SegmentFault 最新的问题
云风的 BLOG
云风的 BLOG
阮一峰的网络日志
阮一峰的网络日志
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
CERT Recently Published Vulnerability Notes
I
Intezer
G
GRAHAM CLULEY
有赞技术团队
有赞技术团队
Attack and Defense Labs
Attack and Defense Labs
V
Visual Studio Blog
博客园 - Franky
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hugging Face - Blog
Hugging Face - Blog
Scott Helme
Scott Helme
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
L
LINUX DO - 最新话题
C
Cybersecurity and Infrastructure Security Agency CISA

Sealos Blog

Build a Full-Stack App with Claude Code + InsForge — Zero Backend Code | Sealos Blog InsForge vs Supabase: Which Backend for AI-Powered Development? | Sealos Blog Kubernetes NodePort Exhaustion: SSH Gateway Solution | Sealos Blog Claude Code Metrics Dashboard: Grafana Setup (2026) | Sealos Blog What Is RustFS? Apache 2.0 MinIO Alternative (2026) | Sealos Blog Claude Code Mobile: iPhone, Android & SSH (2026) | Sealos Blog Eaglercraft Server Hosting: Fast Setup (2026) | Sealos Blog An Honest Review: Migrating a Complex Microservice App from Heroku to Sealos | Sealos Blog The Ultimate Guide to Kubernetes Audit Logging for Security and Compliance | Sealos Blog Cost Optimization Shootout: Sealos Autonomous FinOps vs. Kubecost Manual Reports | Sealos Blog For CTOs: How to Cut Your Cloud Bill by 50% Without Sacrificing Performance | Sealos Blog Building Resilient Systems: A Deep Dive into Sealos High-Availability and Auto-Failover | Sealos Blog Building a Scalable Event-Driven Architecture with Sealos Managed Kafka | Sealos Blog Advanced RAG Pipelines: Why Your Choice of Vector Database (like Milvus) Matters | Sealos Blog Advanced MLOps: How to Monitor and Evaluate LLM Applications in Production | Sealos Blog A Developer's Guide to Kubernetes RBAC: Securing Your Cluster the Easy Way with Sealos | Sealos Blog A CISO's Guide to Cloud Development: Securing the CI/CD Pipeline with Sealos DevBox | Sealos Blog What is Kubernetes Multi-Tenancy? A Guide for Platform Engineers | Sealos Blog What is Infrastructure from Code (IfC)? The Next Step After Infrastructure as Code (IaC) | Sealos Blog What is GitOps? A Beginner's Guide to "Push-to-Deploy" Workflows | Sealos Blog What is eBPF? The Future of Kubernetes Networking and Security | Sealos Blog What is an "AI-Native" Platform? (And Why You Need One for MLOps) | Sealos Blog What is an Agentic Workflow? Building the Next Generation of AI Apps | Sealos Blog What is a Kubernetes Chargeback Model (And How Does it Save You Money?) | Sealos Blog What is a "Headless" Development Environment? (And How it Works with VS Code) | Sealos Blog What is a Graph-Based Vector Database? (And When to Use It Over Milvus) | Sealos Blog What is a "Cloud Operating System"? The Next Evolution of PaaS Explained | Sealos Blog The Real Cost of EKS: How Sealos Delivers a Simpler, Cheaper Kubernetes Experience | Sealos Blog The 3 Types of Kubernetes Autoscaling (HPA, VPA, CA) and How Sealos Manages Them for You | Sealos Blog Sealos vs Vercel: Why a Cloud OS Beats a Frontend Platform for Full-Stack Apps | Sealos Blog Sealos vs. Render vs. Fly.io: A 2025 Guide to the Best Heroku Alternatives | Sealos Blog Sealos vs. OpenShift: Kubernetes for Developers vs. Kubernetes for Ops Teams | Sealos Blog Sealos vs. Netlify: When to Choose a Full Kubernetes Platform over a Static Site Hoster | Sealos Blog Sealos vs. DigitalOcean App Platform: A Head-to-Head Comparison on Cost, Features, and Scalability | Sealos Blog Sealos vs. AWS Elastic Beanstalk: The Modern PaaS for Developers Who Hate YAML | Sealos Blog Sealos DevBox vs. AWS Cloud9: Why Your CDE Should Be Platform-Agnostic | Sealos Blog For Developers: Stop Wasting Time on DevOps. A 10-Minute Guide to Shipping Faster with DevBox. | Sealos Blog Deploying n8n with Docker: From Local Setups to a Radically Simple Cloud Alternative | Sealos Blog The Impact of Prompt Bloat: How the Sealos AI Proxy Can Cache Queries and Cut LLM Costs | Sealos Blog The FinOps Playbook: How to Implement Kubernetes Chargebacks and Showbacks with Sealos | Sealos Blog Smoke Testing for ML Pipelines: Catching Data and Model Errors Before They Hit Production | Sealos Blog Optimizing PostgreSQL Performance: A Guide to Sealos Managed Database Tuning | Sealos Blog Managing Kubernetes Multi-Tenancy: How Sealos Enforces Resource Quotas and Network Policies | Sealos Blog From Days to Minutes: How to Standardize Developer Environments for Your Entire Engineering Org | Sealos Blog For Platform Engineers: How to Build a Golden Path IDP (Internal Developer Platform) with Sealos | Sealos Blog For FinOps Managers: The 5 Leakiest Buckets in Your Kubernetes Budget (And How to Plug Them) | Sealos Blog For Educators & IT Admins: How to Provide a Secure, Scalable Cloud Lab for 1000+ Students on a Budget | Sealos Blog What is a Vector Database? A Beginner's Guide to Milvus, Pinecone, and More | Sealos Blog Why Your Microservices Architecture is Failing (And How a Cloud OS Can Fix It) | Sealos Blog The Power of Autoscaling: A Deep Dive into HPA, VPA, and Cluster Autoscaler | Sealos Blog The Total Economic Impact of Cloud Development Environments (CDEs) | Sealos Blog The Illustrated Guide to the Kubernetes Control Plane | Sealos Blog The MLOps Lifecycle Explained: From Data Prep to Model Deployment | Sealos Blog Beyond Vercel's AI Cloud: The Case for an AI-Native Operating System | Sealos Blog The Architecture of a Modern AI Application: A 2025 Blueprint | Sealos Blog GitHub Codespaces is Great, But Your Workflow is Incomplete. Here's Why. | Sealos Blog The Best Heroku Alternatives in 2025 for Scalability and Cost | Sealos Blog CAST AI vs. Kubecost vs. Sealos: Choosing the Right K8s Cost Management Tool | Sealos Blog DevBox vs. Gitpod vs. Replit: An Unbiased Comparison for 2025 | Sealos Blog Unlocking Hidden Savings: A Guide to Using Spot Instances Safely in Kubernetes | Sealos Blog Can a CDE Really Replace Your MacBook Pro? A Performance Benchmark | Sealos Blog The End of "Works on My Machine": Achieving 100% Reproducible Builds with DevBox | Sealos Blog The Ultimate Guide to GPU Provisioning and Management in Kubernetes | Sealos Blog Rightsizing Kubernetes Workloads: How to Stop Wasting Money on CPU and Memory Requests | Sealos Blog The 2025 Guide to Kubernetes Cost Optimization: 10 Strategies to Cut Your Bill in Half | Sealos Blog FinOps for Startups: How to Build a Cost-Conscious Culture from Day One | Sealos Blog How to Onboard a New Developer in Under 5 Minutes with Sealos DevBox | Sealos Blog Calculating Kubernetes Costs: A Breakdown of EKS, GKE, and AKS Pricing Models | Sealos Blog Case Study: How We Reduced Our Kubernetes Bill by 87% with Sealos | Sealos Blog Are You Overpaying for Managed Kubernetes? The True Cost of Vendor Lock-in | Sealos Blog Beyond Monitoring: How Sealos Autonomously Optimizes Your Cloud Spend | Sealos Blog A Practical Guide to Kubernetes Security: Hardening Your Cluster in 2025 | Sealos Blog A Secure-by-Design Development Workflow with Isolated Cloud Environments | Sealos Blog Setting Up a Collaborative Python Data Science Environment with DevBox | Sealos Blog Using the Sealos AI Proxy to Manage and Cache LLM API Calls | Sealos Blog Migration Guide: Moving Your Node.js & Postgres App from Heroku to Sealos in Under an Hour | Sealos Blog Serving Machine Learning Models at Scale: A Guide to Inference Optimization | Sealos Blog Headless Development with Sealos: Using Your Local VS Code with a Powerful Cloud Backend | Sealos Blog How to Build and Deploy a RAG Pipeline with Llama 3 and Milvus on Sealos | Sealos Blog From Localhost to Production in 15 Minutes: A Full-Stack CDE Workflow with Sealos DevBox | Sealos Blog GitOps on Autopilot: Implementing a CI/CD Pipeline with Sealos and GitHub Actions | Sealos Blog Fine-Tuning Open-Source LLMs on a Budget with Sealos | Sealos Blog From Docker Compose to Kubernetes: A Simple Migration Path with Sealos | Sealos Blog Building an AI Agentic Workflow with LangChain and Sealos | Sealos Blog What is Helm for Kubernetes? The Ultimate Package Manager Explained | Sealos Blog What is a Custom Resource Definition (CRD) in Kubernetes? | Sealos Blog What is a Kubernetes StatefulSet? A Practical Guide | Sealos Blog What is a Kubernetes Ingress Controller? A Guide to Smart Traffic Routing | Sealos Blog What is a Kubernetes Operator? Automating Complex Applications | Sealos Blog What is a Kubernetes Service? A Simple Guide for Developers | Sealos Blog Streamlining Your CI/CD Pipeline with a DevBox Build Environment | Sealos Blog Why Standardized Development Environments Are Key to Team Velocity | Sealos Blog What Is GitHub Codespace? | Sealos Blog DevBox Install? Skip It Entirely. Get a Ready-to-Code Environment in One Click with Sealos DevBox. | Sealos Blog How to Set Up a DevBox: The Ultimate Guide to 1-Click Cloud Development | Sealos Blog Empowering Indie Devs and Startup Teams: How Sealos DevBox Accelerates Agile Development | Sealos Blog From Chaos to Consistency: How Sealos DevBox Transforms Enterprise Development Workflows | Sealos Blog From Campus Labs to Cloud Freedom: How Sealos DevBox Supercharges Student Development | Sealos Blog How Sealos DevBox Cut Container Commit Time from 15 Minutes to 1 Second | Sealos Blog DevBox vs Codespaces: Which Remote Dev Environment Fits You Best? | Sealos Blog
Beyond kubectl apply: 5 GitOps Best Practices for Production-Ready CI/CD on Sealos | Sealos Blog
Sealos · 2025-10-25 · via Sealos Blog

If you've worked with Kubernetes, the command kubectl apply -f deployment.yaml is likely etched into your muscle memory. It's the trusty hammer in your toolbox—simple, direct, and effective for getting an application running. But as you move from a development sandbox to the high-stakes world of production, you quickly realize that relying on manual kubectl commands is like building a skyscraper with that same hammer. It's slow, error-prone, lacks an audit trail, and simply doesn't scale.

This is where GitOps comes in. It's a transformative paradigm for continuous delivery that uses Git as the single source of truth for declarative infrastructure and applications. By defining your entire system in a Git repository, you unlock powerful workflows for automated, secure, and auditable deployments.

But simply pointing a GitOps tool at a repository of YAML files is just the beginning. To truly harness its power for production environments, you need to move beyond the basics. This article explores five essential best practices that will elevate your GitOps strategy from a simple proof-of-concept to a robust, production-ready CI/CD machine, and how a platform like Sealos can accelerate this journey.

First, a Quick GitOps Refresher

Before diving into the best practices, let's briefly recap the core principle of GitOps.

GitOps: A model for continuous deployment where Git is the central source of truth. The desired state of your entire system (applications, infrastructure, configuration) is declared in a Git repository. An automated agent running in your Kubernetes cluster continuously monitors this repository and reconciles the live state of the cluster to match the state defined in Git.

The typical workflow looks like this:

  1. A developer pushes a change to the application's configuration in a Git repository.
  2. This change is reviewed and merged via a standard Pull Request (PR).
  3. A GitOps operator (like Argo CD or Flux) running in the cluster detects the change in the Git repository.
  4. The operator automatically applies the necessary changes to the cluster to match the new desired state.

This process ensures every change is version-controlled, reviewed, and automatically applied, creating a reliable and transparent "digital paper trail" for your entire system.


One of the first and most critical decisions in your GitOps journey is how to structure your repositories. A poorly organized repo can become a tangled mess of conflicting configurations, making it difficult to manage environments and track changes. The two primary approaches are the monorepo and the polyrepo.

Monorepo vs. Polyrepo

ApproachDescriptionProsCons
MonorepoA single Git repository contains both your application source code and your Kubernetes deployment manifests.- Atomic commits across app code and config.- Simplified dependency management.- Easier for small teams to get started.- Can become slow and unwieldy.- Complex CI/CD pipeline configuration.- Tightly couples app lifecycle with infrastructure lifecycle.
PolyrepoSeparate repositories are used for application source code and deployment configurations. This is the most common and recommended approach for production GitOps.- Clear separation of concerns.- Independent lifecycles for app and infra.- Better access control and security.- Scales well with multiple teams and services.- Cross-repository changes require coordination.- Can lead to repository sprawl if not managed.

Best Practice: For most production use cases, adopt a polyrepo strategy with a dedicated configuration repository.

This means you'll have:

  • Application Repositories: One or more repos containing the source code for your microservices. The CI pipeline here is responsible for building, testing, and pushing a container image to a registry.
  • Configuration Repository (The "GitOps Repo"): A single repository that declaratively defines the desired state of your entire cluster, including all applications and their configurations for different environments.

A common and effective structure for your configuration repository uses environment-specific branches or directories.

Example: Environment-per-Branch Strategy

In this model, each long-lived branch corresponds to an environment:

  • dev: The state of the development environment.
  • staging: The state of the staging/testing environment.
  • main (or prod): The state of the production environment. This branch should be heavily protected.

Changes are promoted from one environment to the next by creating Pull Requests between these branches (e.g., a PR from dev to staging).

With your repository structure in place, the next step is to define how changes move from development to production. Manual git merge commands are a recipe for disaster. Instead, you should enforce a strict promotion pipeline built around Pull Requests (PRs).

This process turns Git into a powerful workflow engine for change management.

The Promotion Workflow

  1. Change Initiation: A developer wants to deploy a new version of an application. They create a new branch from dev in the configuration repository and update the relevant YAML file (e.g., changing the image tag in a Deployment manifest).
  2. PR to Staging: The developer opens a PR from their feature branch to the staging branch. This is the crucial first gate.
  3. Automated Checks: The PR triggers a series of automated checks:
    • Linting: Ensure YAML files are well-formed.
    • Validation: Use tools like kubeval or conftest to validate manifests against Kubernetes schemas or custom policies (e.g., "all deployments must have resource limits").
    • Security Scans: Scan manifests for security misconfigurations.
  4. Review and Merge to Staging: Once checks pass, the team reviews the PR. Upon approval, it's merged into the staging branch. The GitOps operator sees the update and deploys the change to the staging cluster.
  5. Testing in Staging: The application is now live in the staging environment for automated end-to-end tests, QA, and performance testing.
  6. PR to Production: After successful validation in staging, a new PR is opened from the staging branch to the main branch.
  7. Final Approval and Merge to Production: This PR requires stricter review, often from senior engineers or team leads. Once approved and merged, the GitOps operator deploys the change to the production cluster.

This PR-based flow provides full traceability. Every change to production is linked to a reviewed, approved, and tested PR, giving you a complete audit log of who changed what, when, and why.

This is non-negotiable for production. Committing plain-text or even base64 encoded Kubernetes Secret manifests to Git is a major security vulnerability. Anyone with read access to the repository can easily decode them.

You need a robust solution for managing secrets that integrates with the GitOps workflow. The goal is to be able to safely commit an encrypted version of your secrets to Git, with decryption happening only inside the cluster.

  • Sealed Secrets: A popular open-source solution from Bitnami. It works by using a public/private key pair.

    • A controller in the cluster holds the private key.
    • You use a CLI tool (kubeseal) with the public key to encrypt your standard Kubernetes Secret into a SealedSecret custom resource.
    • You can safely commit this SealedSecret manifest to your Git repository.
    • The controller in the cluster detects the SealedSecret and decrypts it into a regular Secret that your applications can use.
  • External Secret Operators: Tools like the External Secrets Operator or HashiCorp Vault integrations allow you to store secrets in a dedicated secrets manager (like AWS Secrets Manager, Google Secret Manager, Azure Key Vault, or HashiCorp Vault).

    • You commit a manifest to Git that references the secret in the external manager.
    • An operator in the cluster reads this manifest, fetches the secret from the external manager, and injects it as a standard Kubernetes Secret.

Best Practice: Choose a secrets management strategy early. Sealed Secrets is an excellent starting point due to its simplicity and tight integration with the Kubernetes ecosystem. For more complex needs or existing investment in cloud secret managers, the External Secrets Operator is a powerful choice.

A common friction point in GitOps is updating the application version. The CI pipeline for your application builds a new image and pushes it to a registry (e.g., myapp:v1.2.1). But how does the configuration repository get updated with this new image tag?

Manually creating a PR to bump the image tag is tedious and breaks the "continuous" flow of CI/CD. The solution is to automate this process.

Automating Image Tag Updates

Tools like Argo CD Image Updater or Flux Image Automation Controller are designed for this. They act as a bridge between your container registry and your GitOps repository.

The automated workflow:

  1. Your application's CI pipeline builds and pushes a new image, myapp:v1.2.1, to your registry.
  2. The Image Updater tool, which is configured to monitor that image repository, detects the new tag.
  3. Based on a defined policy (e.g., update on any new semantic version), the tool automatically clones the configuration repository, updates the image tag in the correct YAML file, and commits the change.
  4. It then pushes this commit back to the repository, often directly to the dev branch or by creating a new PR.

This closes the loop, creating a fully automated pipeline from git push in the application repo to a deployment in your development environment.

The Power of git revert for Rollbacks

One of the most elegant benefits of GitOps is how it simplifies rollbacks. If a deployment to production introduces a bug, you don't need to scramble with kubectl commands. The fix is simple, safe, and audited:

To roll back, you just revert the problematic commit in your Git repository.

git revert <commit-hash>

Once the revert commit is pushed to the main branch, the GitOps operator will see that the desired state has changed back to the previous version and automatically roll back the application in the cluster. It's that simple.

Deploying directly to 100% of your production traffic is risky, no matter how much you've tested in staging. A single bug can cause a major outage. Progressive Delivery is an advanced practice that mitigates this risk by gradually exposing a new version to users.

The two most common patterns are:

  • Canary Releases: A new version of the application is deployed alongside the stable version, and a small percentage of live traffic (e.g., 5%) is routed to it. You monitor key metrics like error rates and latency. If the new version performs well, you gradually increase its traffic until it handles 100%, at which point the old version is retired.
  • Blue-Green Deployments: The new version ("green") is deployed alongside the old version ("blue"), but it doesn't receive any live traffic initially. You can run final tests against the green environment. When you're ready, you switch the router to send 100% of traffic from the blue version to the green version. This makes rollbacks nearly instantaneous—you just switch the router back.

Implementing Progressive Delivery in GitOps

Implementing this requires more than just a GitOps operator. You typically need a combination of:

  • A Service Mesh (like Istio or Linkerd) or a smart Ingress Controller (like NGINX or Traefik): These tools control the traffic routing between different versions of your application.
  • A Progressive Delivery Operator (like Argo Rollouts or Flagger): These operators extend Kubernetes Deployments with advanced deployment strategies. They automate the process of a canary release by gradually shifting traffic and monitoring metrics from a provider like Prometheus. If metrics degrade, they automatically roll back the deployment.

With Argo Rollouts, for example, you would replace your Deployment object with a Rollout object in your GitOps repository. The operator then takes over, orchestrating the complex traffic shifting and analysis for you.


Implementing these best practices requires a solid Kubernetes foundation. Managing, securing, and scaling a production-grade Kubernetes cluster is a significant undertaking. This is where a cloud operating system like Sealos shines, by providing the robust, managed platform on which you can build your advanced GitOps workflows.

Here’s how Sealos simplifies the journey:

  • Production-Ready Kubernetes in Minutes: Sealos allows you to deploy a highly available Kubernetes cluster on any cloud with a single command. This removes the immense operational burden of cluster lifecycle management, letting you focus on your applications and GitOps pipelines.
  • Integrated Application Management: The Sealos App Deploy guide provides a user-friendly interface for deploying applications. You can configure it to pull from your GitOps repository, giving you a powerful UI on top of your declarative configuration. This is perfect for teams who want both the power of GitOps and the convenience of a GUI.
  • Simplified Stateful Services: GitOps excels with stateless applications, but managing databases and other stateful services can be complex. Sealos offers managed, highly available database services (e.g., PostgreSQL, MySQL, MongoDB) that can be provisioned with a few clicks. This allows your GitOps repository to focus on your stateless application logic while Sealos handles the persistence layer.
  • The Perfect Foundation for Progressive Delivery: To implement canary releases, you need a stable environment with a well-configured ingress controller and service mesh. Sealos provides a certified, vanilla Kubernetes experience, making it straightforward to install and manage tools like Istio, Linkerd, NGINX Ingress, and progressive delivery operators like Flagger or Argo Rollouts.

By leveraging Sealos for the underlying infrastructure, your team is free to perfect the GitOps workflows that deliver real business value, without getting bogged down in the complexities of Kubernetes administration.

Moving beyond kubectl apply is a crucial step in maturing your cloud-native operations. By embracing GitOps, you trade imperative, error-prone commands for a declarative, auditable, and automated system that brings stability and velocity to your development lifecycle.

By implementing these five best practices, you can build a truly production-ready CI/CD system:

  1. Structure your repos for a clear separation of concerns.
  2. Use a PR-based promotion pipeline for audited change management.
  3. Manage secrets securely by encrypting them before they ever touch Git.
  4. Automate image updates to close the loop between CI and CD.
  5. Adopt progressive delivery to deploy with confidence and minimize risk.

This journey may seem complex, but platforms like Sealos abstract away the infrastructural heavy lifting, making it easier than ever to build these sophisticated, powerful, and reliable deployment systems. The result is less time fighting fires and more time delivering value—the ultimate goal of any modern engineering team.