Tools and Workflows for Kubernetes in CI/CD

October 22, 2025October 22, 2025 Mariusz Michalowski Argo Rollouts, cloud-native automation, container orchestration, continuous delivery, devops, GitHub Actions, GitLab CI, GitOps, Kubernetes CI/CD, Kubernetes deployment, Kubernetes pipelines

by Mariusz Michalowski

Kubernetes CI/CD automates the process of building, testing and deploying container images to clusters. Most teams use either push-based pipelines or pull-based GitOps, with many running a hybrid approach.

In this guide, we outline the typical workflow and review widely used tools for Kubernetes delivery.

How Kubernetes CI/CD Typically Works

A common flow: code → build container image → scan → push to registry → update manifests/Helm → roll out to clusters (staging, then prod). Two delivery patterns dominate:

Pipeline-driven (push): A CI system builds an image, updates manifests, and pushes changes to clusters with kubectl/Helm. You’ll manage credentials for cluster access, often via short-lived tokens or OIDC, and gate promotions with tests and policy checks. This model feels familiar to teams moving from VM-era pipelines.

GitOps (pull): A controller inside the cluster watches Git and an OCI registry and pulls the desired state. CI handles builds and security checks; CD is reconciliation. Benefits include clear audit trails, drift detection and easier multi-cluster rollouts. The trade-off is learning declarative workflows and treating Git as the single source of truth.

1) GitOps Controllers

Argo CD

Argo CD keeps Kubernetes in sync with what’s in Git. It continuously reconciles desired state (manifests, Helm, Kustomize) to clusters, surfaces drift, and supports multi-cluster deployments. Teams like its application view, health checks, and automated or manual sync waves. It excels at declarative delivery and plays well with service meshes and progressive add-ons.

Flux

Flux (CNCF) offers a modular set of controllers for GitOps: source, kustomize, helm, and notification. It supports multi-tenancy patterns, image automation (updating tags based on policies), and fine-grained RBAC through Kubernetes primitives. Flux tends to be lightweight, scriptable, and easy to compose inside platform engineering blueprints.

2) Pipeline Orchestrators and Runners

Jenkins

A long-standing CI workhorse with a huge plugin ecosystem. The Kubernetes plugin spins up ephemeral agents for builds, and pipelines (Jenkinsfile) can build images, run tests, push to registries, and call kubectl or Helm. Strengths are flexibility and community support; trade-offs include operational overhead and plugin maintenance. The plugin typically creates a pod per build and tears it down, giving elastic agents.

Tekton

Tekton is Kubernetes-native CI/CD. Pipelines, Tasks, and Steps are CRDs, so everything is declarative and versionable. It integrates with triggers for event-driven builds, supports workspaces and reusable catalog tasks and emphasizes portability: A Tekton pipeline can run across clusters with minimal changes. Expect YAML and strong alignment with cloud-native patterns.

GitHub Actions / GitLab CI

Both provide hosted runners (and self-hosted options) with first-class Docker and Kubernetes tasks. You define pipelines as code, cache dependencies, publish images, and deploy via kubectl, Helm or GitOps PRs. They’re popular for tight VCS integration, marketplace templates, and built-in secrets management. Consider them when developer ergonomics and repo-centric workflows are priorities.

3) Progressive Delivery and Release Automation

Argo Rollouts

Argo Rollouts adds canary and blue/green strategies using a custom Rollout resource. It integrates with service meshes and ingress controllers to shift traffic gradually, pause for analysis and roll back automatically. It’s a natural complement to Argo CD, bringing risk-aware release tactics to GitOps-driven environments.

Flagger

Flagger automates canary releases and A/B testing for Kubernetes using meshes like Istio, Linkerd, App Mesh and others. It measures metrics from Prometheus, Datadog, and CloudWatch to decide whether to advance or rollback. Flagger is valued for opinionated, metrics-driven rollouts that reduce manual babysitting during deploys.

Spinnaker

Spinnaker focuses on multi-cloud, multi-target delivery with reusable deployment strategies and strong visualization. It supports Kubernetes alongside VMs and serverless, making it useful for hybrid estates. It’s powerful but heavier than most GitOps add-ons; platform teams often centralize it for standardized release practices.

4) Infrastructure-as-Code and Policy-Oriented Delivery

Spacelift

Spacelift automates infrastructure-as-code workflows (e.g., Terraform, Pulumi, CloudFormation) and adds policy-as-code using Open Policy Agent. In Kubernetes contexts, teams use Spacelift to manage cluster infrastructure, namespaces and supporting cloud resources as code, gate changes with policies, and trigger downstream deployments or GitOps updates. It’s often paired with GitHub/GitLab pipelines and Argo/Flux to separate infra changes from app rollouts.

Crossplane

Crossplane lets you define cloud resources as Kubernetes objects and compose higher-level abstractions for platform teams. With GitOps, infra definitions live in Git and converge in-cluster, aligning infra provisioning with the same reconciliation loop used for apps. It reduces context-switching but requires careful RBAC, composition design, and lifecycle governance.

5) Packaging and Manifest Management

Helm

Helm packages Kubernetes manifests into versioned charts with templating and values files. It’s ubiquitous for app distribution and easy rollbacks. In CI/CD, Helm fits both push and pull models: Pipelines run helm upgrade, or GitOps controllers render and apply charts from Git.

Kustomize

Kustomize layers, patches and overlays without templates, keeping YAML readable and composable. It’s built into kubectl, integrates cleanly with Argo CD and Flux, and is favored when teams want minimal templating and native overlays.

Common Combinations (That Work in Practice)

Here’s how teams usually combine the tool mentioned above in practice:

Repo-centric GitOps: GitHub Actions → build/test/scan + push image → PR updates Helm chart → optionally store charts/manifests in an OCI registry → Argo CD syncs → Argo Rollouts handles canary/blue-green.

Lightweight, multi-tenant GitOps: GitLab CI → build/publish → Flux (Helm/Kustomize) reconciles per team/namespace → Flagger drives metrics-based canaries.

Kubernetes-native pipelines: Tekton (CRD-based CI) → push to registry → commit manifest change → Argo CD applies Kustomize overlays → Prometheus + Rollouts gate progression.

Hybrid/enterprise delivery: Jenkins (ephemeral K8s agents) → Helm package/deploy → Spinnaker orchestrates multi-cluster/multi-cloud releases with standardized strategies.

Infra/app separation with policy: Spacelift (Terraform/Pulumi + OPA) manages clusters, namespaces, and cloud resources → GitHub/GitLab CI builds images → Argo CD deploys apps → policy checks gate merges and rollouts.

Wrapping up

There’s no single “best” Kubernetes CI/CD tool — only the best fit for your model, skills, and constraints. Start with your preferred deployment style (pipeline vs. GitOps), layer in security and policy, and choose the tools that keep your builds observable, your rollouts predictable and your clusters in sync.