Overview
- Push-based: CI/CD pipeline actively pushes changes into the cluster (e.g., runs
kubectl, Helm, or other deployment tooling). - Pull-based (GitOps): An in-cluster operator continuously reconciles the desired state from Git or an image registry and pulls changes into the cluster.
Push-based model
The push-based model is the pattern used by most traditional pipelines. How it works:- CI builds images, runs tests, and — after success — applies manifests or Helm charts directly to the cluster.
- Deployments are executed by the CI system using commands such as
kubectl apply -forhelm upgrade --install.
- CI needs:
- Read access to the source repo (to fetch code).
- Write access to the container registry (to push images).
- Write (cluster) credentials to apply changes in the Kubernetes cluster.
- The cluster needs read access to container registries to pull images.
- Simple to implement using existing CI tools (e.g., Jenkins, GitLab CI, Azure DevOps).
- Pipelines can run arbitrary and complex deployment scripts.
- Direct secret injection from CI can be simpler for some workflows.
- CI becomes tightly coupled with deployment logic; migrating CI tools can require rework.
- Storing cluster credentials in CI increases attack surface — a compromised CI runner can modify the cluster.
- Enforcing least-privilege is harder because CI often requires broad cluster permissions.
Storing long-lived or overly broad cluster credentials in CI systems is a common attack vector. Prefer short-lived credentials, fine-grained permissions, and dedicated service accounts whenever possible.
Pull-based model (GitOps)
The pull-based approach underpins GitOps: an operator inside the cluster continuously reconciles declared desired state from Git or an image registry. How it works:- CI builds images and pushes them to the container registry.
- The GitOps operator (for example, Argo CD or Flux) monitors a Git repo (or registry) and pulls manifests or image updates.
- When changes are detected, the operator applies them to the cluster.
- CI typically needs:
- Write access to the container registry (to publish images).
- Write access to the Git repository (if CI updates manifests or image tags).
- The cluster operator needs:
- Read access to Git and registries.
- In-cluster permissions to create/update Kubernetes objects (scoped to the operator).
- CI does not require direct write access to the Kubernetes cluster.
- Decouples deployment from CI: any CI that can publish images and update Git can trigger deployments.
- Reduces external attack surface: external systems don’t need direct cluster write permissions.
- Single source of truth: Git stores desired state and audit history.
- Better for multi-team and multi-cluster setups: operators can be scoped per repo, directory, or namespace.

- GitOps encourages commit-centric workflows, so secrets should be encrypted before they are stored in Git (e.g., Bitnami Sealed Secrets, Mozilla SOPS, or Vault integrations).
- The operator or an in-cluster decryptor must be capable of decrypting secrets at runtime.
- This adds operational complexity versus injecting secrets from CI, but gives better traceability, reproducibility, and audit trails.
- The operator needs appropriate in-cluster RBAC permissions, but these can be scoped and audited centrally.
- Pull-based workflows favor declarative, auditable pipelines and generally scale better across clusters and teams.
- Push-based workflows still make sense for small teams, legacy systems, or when pipelines require tight control over custom deployment steps.
Quick comparison
Recommended decision guide
-
Use Pull-based (GitOps) when:
- You want declarative, auditable deployments and Git as single source of truth.
- You operate multiple clusters or many teams.
- You need a smaller external attack surface and easier policy enforcement.
-
Use Push-based when:
- Your deployment requires complex procedural steps not easily expressed declaratively.
- You have a simple, single-cluster setup or legacy tooling that expects push-style deployments.
- You accept the operational cost of securing CI credentials and permissions.
References
- Kubernetes Documentation
- Argo CD GitOps course (KodeKloud)
- Flux GitOps course (KodeKloud)
- Jenkins course (KodeKloud)
- Bitnami Sealed Secrets (KodeKloud)
- HashiCorp Vault (KodeKloud)