# GitOps — Theory (interview deep-dive)

## Push vs pull deployments

- Push (traditional CI): the CI pipeline holds cluster credentials and runs `kubectl apply`.
- Pull (GitOps): the cluster holds credentials to read git; CI only updates the repo.
Pull benefits:
- CI doesn’t need cluster access.
- Same model for any cluster (local, edge, multi-cluster) — they pull themselves.
- Drift detection built in.
- Rollback = git revert.
## Argo CD vs Flux

| | Argo CD | Flux |
|---|---|---|
| UI | rich | minimal (CLI/CRDs) |
| App model | Application CRD | Kustomization + HelmRelease CRDs |
| Multi-cluster | hub model | per-cluster agents |
| Scale | thousands of apps | thousands of clusters |
| Ecosystem | Argo Rollouts, Workflows, Events, Image Updater | Flux Image Automation, Notification Controller |
Both are CNCF graduated and fine. Pick by team preference.
## Promotion strategy

GitOps decouples build from deploy. Build once, promote the artifact across envs by changing manifests.
- Dev: auto-update on every commit.
- Staging: bot opens PR; auto-merge after CI green.
- Prod: bot opens PR; human approval required.
Tooling: kargo, environment ApplicationSets, custom GitHub bot.
When someone runs `kubectl edit` directly:
- Argo CD: shows OutOfSync. With `selfHeal=true` it re-applies the git state; otherwise a human resolves it.
- Flux: same; reconciles on every interval.

Drift is sometimes legitimate (incident scaling). Argo’s annotation `argocd.argoproj.io/sync-options: IgnoreExtraneous=true` or temporarily disabling self-heal helps.
## Branch model in GitOps

- One branch (main) + folders per env — most common, clear.
- Branch per env — risk of divergence.
- Trunk-based with PRs — recommended.
## Multi-cluster patterns

- Hub-and-spoke: central Argo manages many clusters via API access.
- Per-cluster agent: each cluster runs its own Flux/Argo, pulls its own subdir.
- ApplicationSets (Argo): generate Applications from a pattern (one Application per cluster).
## Drift vs reconciliation gotchas

- Resource managed by HPA / VPA / autoscaler while `replicas` is also set in the manifest → the two fight. Solution: `ignoreDifferences` for `spec.replicas`.
- Same for cert-manager mutating annotations, Istio injection, etc.
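An Argo CD Application manifest that ties the drift-handling notes and the HPA gotcha above together, added here as an illustration rather than code from the page: `selfHeal` reverts manual `kubectl edit` changes, while `ignoreDifferences` plus the `RespectIgnoreDifferences` sync option keeps the HPA-owned replica count out of both the OutOfSync diff and the sync itself. The app name, repo URL, paths and namespaces are placeholders.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: web-frontend                # placeholder app name
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://git.example.com/platform/manifests.git   # placeholder manifests repo
    targetRevision: main
    path: envs/prod/web-frontend    # placeholder: one folder per env on a single branch
  destination:
    server: https://kubernetes.default.svc
    namespace: web                  # placeholder target namespace
  syncPolicy:
    automated:
      prune: true                   # delete live resources that were removed from git
      selfHeal: true                # re-apply git when someone edits the live object by hand
    syncOptions:
      # Without this, ignoreDifferences only hides the diff: a sync would still push
      # the replicas value from git and undo what the HPA decided.
      - RespectIgnoreDifferences=true
  ignoreDifferences:
    # The HPA owns replica count at runtime; keep it out of the diff and the sync.
    # The alternative is to omit spec.replicas from the manifest entirely.
    - group: apps
      kind: Deployment
      jsonPointers:
        - /spec/replicas
    - group: apps
      kind: StatefulSet
      jsonPointers:
        - /spec/replicas
```

Without the `ignoreDifferences` entry the app flips to OutOfSync every time the HPA scales, and with `selfHeal: true` Argo would scale it straight back to the value in git.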
## Common interview Qs

- What’s the diff between CI and CD in GitOps? CI builds, CD = controller reconciling git. Manifest change ≡ deploy intent.
- Where do secrets go? Not raw in git; use sealed secrets / external secrets / SOPS.
- You see OutOfSync — what now? Inspect diff. If unintended manual change, restore via sync; if intentional, commit it back.
- Roll back a bad deploy. `git revert <sha>` and let the controller reconcile.
- One repo or two (apps + manifests)? Two recommended. Decouples build from deploy; the manifests repo is what the cluster sees.
- Argo CD vs Flux — pick. Argo for visibility / many app teams. Flux for many-cluster / ops-heavy.
- HPA conflicts with deployment replicas in git? `ignoreDifferences` for that field; or omit `replicas` entirely from the manifest.
- How does GitOps handle DB migrations? Init container, Job, Argo PreSync hook. Schema must lead code.
- Deploy a hotfix straight to prod manifests, skip dev? Possible (commit to prod overlay) but breaks the promotion model. Better: hotfix branch, accelerated canary.
- What’s app-of-apps? Root Argo Application that contains many child Application CRDs — bootstraps a cluster from one click.
## Anti-patterns

- Reaching into the cluster directly with kubectl in prod.
- Repo with no branch protection.
- Auto-sync prod without review.
- Storing image tag as `latest` (no immutability).
- Sealed secrets without a rotation policy.
- Committing IaC for one env into wrong env folder.
- Multi-tenant cluster + flat repo without RBAC mapping.