what is gitops

What Is GitOps? Your Practical Guide for 2026

Sébastien Puyet

Sébastien Puyet

14 min read
What Is GitOps? Your Practical Guide for 2026

GitOps is a declarative operating model where Git stores the desired state for infrastructure and applications, serves as the single source of truth, creates a complete audit trail, and drives automated reconciliation. The term was created in 2017, and by 2025 GitOps research was already measuring adoption at scale across 660 survey responses, which says a lot about how quickly it moved from idea to standard practice.

Those inquiring about what is GitOps typically aren't seeking a textbook definition. Instead, they're usually trying to solve a familiar problem: someone changed production manually, the change wasn't reviewed, the rollback path was fuzzy, and the incident channel filled up with guesswork. GitOps exists to remove that class of operational chaos.

The important shift isn't "deploy from Git instead of a pipeline." It's bigger than that. GitOps treats operations the same way mature teams treat application code: changes are reviewed, versioned, visible, reproducible, and continuously enforced by software instead of memory and shell history.

For Kubernetes teams, that's often where the conversation starts. But GitOps is better understood as an operating model for managing change across infrastructure and applications, with monitoring and feedback built into the loop. The tooling matters, but the core value is stability without giving up delivery speed.

Table of Contents

From Manual Pushes to Automated Control

A lot of production pain starts with a small manual fix. Someone runs kubectl edit, changes a secret by hand, patches a deployment to get a service back, and moves on because the outage is over. A week later, the cluster drifts from what the team thinks is deployed, and nobody can tell which change is real.

GitOps is the answer to that mess because it replaces undocumented operational intent with reviewed, versioned desired state. Instead of trusting terminal history and tribal knowledge, the team trusts Git. The system then continuously drives reality toward what the repository says should exist.

Practical rule: if a production change matters, it should exist as a commit before it exists in the cluster.

That changes the day-to-day job. Operators stop thinking in terms of "what command should run on the cluster right now?" and start thinking "what state should the platform converge to?" That shift sounds subtle, but it removes a lot of failure modes tied to rushed human intervention.

GitOps is also newer than many people assume. The term was created in 2017, and by 2025 industry research had already tracked GitOps adoption with 660 survey responses in Octopus Deploy's State of GitOps work, as summarized in Harness's overview of GitOps principles. That's a fast move from named idea to benchmarked operating discipline.

Why the model matters more than the tool

Teams often reduce GitOps to "using Argo CD" or "using Flux." That's backward. The controller is only one piece.

The model depends on a few operational decisions:

  • Changes happen through Git. Production shouldn't have a shadow path through ad hoc commands.
  • Configurations are declarative. The repo states the intended end result, not a sequence of fragile setup steps.
  • Automation closes the loop. A controller keeps comparing live state with desired state and acts on drift.

When those conditions exist, teams get a cleaner audit trail, safer reviews, and a more reliable rollback story. When they don't, installing a GitOps controller just adds another dashboard to ignore.

The Core Principles of a GitOps Framework

The easiest way to understand GitOps is to break it into three parts. None of them is groundbreaking on its own. The value comes from combining them into one operating model.

A diagram illustrating the three core principles of a GitOps framework: declarative configuration, version control, and automated synchronization.

Declarative state changes the job

Declarative configuration means the team describes the final state it wants, not the exact sequence of commands to get there. A deployment manifest says the application should run this image, with these replicas, this service definition, and these environment settings. It doesn't document every imperative step an operator would type.

That matters because declarative systems are easier to review. A pull request shows what will be true after the change lands. It doesn't hide intent inside shell scripts, wiki pages, or runbooks that only one person remembers.

A practical analogy helps. Ordering food is declarative. A person asks for a dish and expects the kitchen to prepare it. Writing the exact recipe and cooking sequence is imperative. GitOps works best when the repository describes the dish, and the platform handles the preparation.

Git becomes the control plane for change

In GitOps, Git isn't just where YAML files happen to live. It's the single source of truth for infrastructure and application state. CloudBees describes GitOps as a declarative operating model where desired state is stored in Git, creating an audit trail with commit IDs, timestamps, and committer identity in its explanation of GitOps.

That audit trail is one of the biggest operational wins. A team can answer basic but critical questions without hunting through chats or shell sessions:

Question GitOps answer
Who changed production config? The commit author and reviewer history
When did it change? The commit timeline
What exactly changed? The diff
How to roll it back? Revert the commit and let sync happen

This is why mature GitOps setups rely heavily on pull requests, branch protection, and code review discipline. If Git is the source of truth, then sloppy repository governance becomes an operational problem, not just a development problem.

GitOps works only when the team respects Git as the authoritative path, not as a record written after the real work happens.

Reconciliation is what makes GitOps operational

Without reconciliation, GitOps would just be version-controlled configuration. The operational part comes from the controller.

A GitOps controller continuously watches the live environment, compares it with the desired state in version control, and applies changes until they match. Splunk explains this as continuous reconciliation, and notes that manual changes outside Git are overwritten on the next sync, which reduces drift and improves consistency in its GitOps guide.

That mechanism changes how teams think about drift:

  • Manual drift becomes temporary. Someone can patch live state, but the controller will push it back toward the declared target.
  • Environment consistency improves. Staging and production can come from the same machine-readable definitions.
  • Rollback gets cleaner. Reverting Git tells the controller what "good" looks like again.

What doesn't work is mixing declarative GitOps with a regular stream of imperative production changes. That creates two authorities. Once that happens, the controller looks unreliable when it's doing exactly what it was told to do.

A Typical GitOps Workflow with CI/CD

GitOps doesn't replace CI/CD. It separates concerns more cleanly. CI still builds software, runs tests, and produces an artifact. GitOps takes over at the point where that artifact should become running reality in an environment.

A flow chart illustrating a typical GitOps workflow with CI/CD stages from code commitment to monitoring.

Where CI stops and GitOps starts

A common workflow looks like this:

  1. A developer commits application code. That change lands in the application repository.
  2. CI runs build and test jobs. GitHub Actions, GitLab CI, Jenkins, or another pipeline builds the artifact and pushes an image to a registry.
  3. The deployment config is updated in Git. The pipeline opens or merges a change that updates the image tag or manifest in a configuration repository.
  4. The GitOps controller detects the config change. Argo CD or Flux sees the updated desired state.
  5. The cluster converges. The controller applies the new state and keeps checking whether the live system matches it.

That split is cleaner than having the CI pipeline push directly into production. It also creates a stronger review point around deployment intent, not just build success.

Teams that are tightening release discipline should also pair this with stronger guidance around security and IaC in CI/CD, because the GitOps repo becomes part of the production control path.

Later in the flow, video can help show how the moving pieces fit together in practice.

Pull-based delivery changes the risk profile

Most GitOps systems use a pull model. The controller runs inside the target environment and pulls desired state from Git. That means the deployment system doesn't need broad external write access from a CI runner into every cluster.

That model doesn't solve every security issue, but it usually narrows the blast radius. It also improves resilience. If the CI pipeline finishes and the cluster is temporarily unstable, the controller keeps working toward convergence instead of relying on a one-shot push event.

The operational upside isn't theoretical. In the 2025 State of GitOps findings, top-performing GitOps adopters achieved about twice the DORA performance of lower-end adopters, as discussed in the State of GitOps presentation. That's a meaningful signal because DORA covers deployment frequency, lead time, recovery time, and change failure rate.

A healthy GitOps setup doesn't just automate deployment. It reduces the number of places where humans can make one-off production changes under pressure.

Monitoring belongs in the deployment loop

A lot of diagrams stop at "deployment succeeded." Real systems don't.

A usable GitOps workflow includes feedback after rollout:

  • Controller health: Is sync running, failing, or stuck?
  • Application health: Did the new version come up cleanly?
  • Infrastructure signals: Did memory, CPU, latency, or restart counts shift after deployment?
  • External checks: Can users still reach the service?

That last part gets missed more often than it should. A sync can be green while the application is broken. For teams that want to extend deployment visibility into runtime checks, this guide on monitoring cloud services is a practical reminder that release automation and service monitoring need to stay connected.

Choosing Your GitOps Controller Flux vs Argo CD

Teams evaluating GitOps frequently arrive at the same shortlist: Flux and Argo CD. Both are credible. Both can run production well. The right choice usually comes down to operating style, not ideology.

A comparison table outlining the key differences between Flux and Argo CD GitOps controllers.

How the two tools feel in practice

Argo CD tends to feel like a platform. It gives teams a strong web UI, a visible application model, and a straightforward way to inspect sync status, drift, and health from one place. For organizations with many developers, platform users, or stakeholders who want visibility without living in the CLI, that matters.

Flux feels more like a toolkit. It fits well when the team prefers composable controllers, Git-first workflows, and less dependence on a central UI. Engineers who are comfortable debugging through repositories, Kubernetes resources, and CLI output often like that style because it stays closer to native platform primitives.

Neither approach is automatically better. The better question is which one fits the team's habits.

Decision points that actually matter

A side-by-side evaluation is more useful than a feature checklist.

Decision area Flux Argo CD
Operating style Modular and controller-driven Integrated application management
UI expectations CLI-first, lighter built-in visual workflow Strong built-in dashboard experience
Team fit Good for platform engineers who prefer composable pieces Good for mixed teams that want broad visibility
Learning curve Often easier for Kubernetes-native operators Often easier for app teams who want a clear app view

There are also trade-offs teams only discover after rollout:

  • Troubleshooting path: Argo CD often makes drift and sync status easier to visualize quickly. Flux can feel cleaner when the team already debugs through Kubernetes objects and Git history.
  • Multi-team governance: Argo CD often appeals to centralized platform groups serving many app teams. Flux often appeals to groups that want looser composition and tighter Git-centric control.
  • Extensibility model: Flux's modular design can be an advantage when a team wants to assemble a specific workflow from smaller building blocks.

Choose the controller your operators will actually understand at 2 a.m., not the one that wins the most conference comparisons.

A practical selection approach is simple:

  1. List who needs day-to-day visibility. If that's broader than the platform team, Argo CD often has an advantage.
  2. Check how the team debugs systems now. CLI-heavy teams usually adapt to Flux faster.
  3. Test one realistic service. A hello-world deployment won't expose the hard parts. Use a service with secrets, multiple environments, and an actual rollback path.
  4. Review tenancy and cluster boundaries early. A controller that looks fine in one cluster can become awkward once multiple teams and environments enter the picture.

The biggest mistake here is over-optimizing for tool philosophy. Controller choice matters, but repository quality, review discipline, secret handling, and monitoring usually have a bigger effect on success.

Observability in GitOps Monitoring and Alerting

GitOps reduces manual deployment risk. It doesn't remove operational risk. It shifts where teams need visibility.

A controller can fail to sync. A manifest can be valid YAML and still break an application. A cluster can remain technically "in sync" while the service behind the deployment returns errors. Without observability, GitOps can give a false sense of safety.

What breaks in a GitOps system

Three failure patterns show up often in GitOps environments.

First, the controller itself can hit problems. Repository access breaks, reconciliation gets blocked, or dependencies fail in ways that stop convergence. The desired state may be correct, but the system isn't applying it.

Second, runtime health can diverge from sync health. A rollout finishes, the application starts crashing, and the GitOps dashboard still shows success because the config was applied as requested.

Third, drift can exist at layers the controller doesn't fully own. External systems, manual interventions, and infrastructure dependencies can still create mismatches that need investigation, not just automatic correction.

What should be monitored

A useful GitOps monitoring plan covers both the control loop and the workload:

  • Controller status: sync failures, reconciliation delays, repository errors
  • Cluster and node signals: CPU, memory, disk pressure, restarts
  • Application behavior: health endpoints, latency, error conditions
  • External reachability: uptime checks from outside the environment

The monitoring stack also needs to be readable by the people who carry incidents. If status lives across too many tools, responders spend their first minutes doing dashboard archaeology instead of diagnosis.

For teams reviewing options, this roundup of DevOps monitoring tools is useful because it frames monitoring as an operational system, not just a metrics endpoint.

Plainly put, GitOps without monitoring is incomplete. Automation can apply the change. Observability tells the team whether the change was good, whether the controller is healthy, and whether the service still works for users.

Practical Examples and Repository Structures

Repository structure shapes how GitOps feels in daily use. A clean model helps teams review changes confidently. A messy one turns every pull request into archaeology.

An infographic comparing single Git repository and multiple repository strategies for organizing GitOps infrastructure and application code.

Mono-repo patterns

In a mono-repo, application code, deployment manifests, and environment overlays live together. That can work well for smaller teams or systems with a limited number of services.

A simple layout might look like this:

  • apps/frontend-app for source and build logic
  • apps/backend-service for API code
  • infra/kubernetes-cluster for platform definitions
  • environments/staging and environments/production for environment-specific config

The advantage is proximity. A developer can change code and see related deployment config nearby. Reviews are easier when one repository tells the whole story.

The downside is boundary control. As teams grow, mixing app code and production config can complicate permissions, approvals, and ownership.

Multi-repo patterns

A multi-repo setup separates concerns more aggressively. One repository holds application code. Another holds deployment manifests. Another may hold infrastructure as code such as Terraform or OpenTofu.

That pattern works well when different teams own different layers. Platform engineers can govern cluster config without giving every app developer broad write access to environment definitions. Security and audit controls are often easier to reason about in this model.

A rough comparison helps:

Structure Best fit Main trade-off
Mono-repo Smaller teams, tightly coupled apps and config Weaker ownership boundaries
Multi-repo Larger teams, stronger separation of duties More coordination between repos

Resource governance also belongs in these repositories early, not after the first capacity incident. This guide on adding resource limits and requests early is a good example of the kind of operational guardrail that should live beside manifests, not in someone's memory.

GitOps goes beyond Kubernetes

A lot of articles answer what is GitOps as if the only valid target is Kubernetes. That's too narrow.

GitLab notes that GitOps is expanding beyond Kubernetes into broader cloud systems and infrastructure types in its GitOps topic guide. That's the practical view teams should keep. If a system can be managed declaratively, GitOps principles can usually help govern it.

That can include:

  • Infrastructure as code managed with Terraform or OpenTofu
  • VM and network configuration when defined through versioned, declarative files
  • Platform policies stored and reviewed in Git
  • Application config outside Kubernetes, as long as an automated system reconciles desired state

GitOps isn't "a Kubernetes deployment trick." Kubernetes just gave the model a very natural home.

Adopting GitOps Security Pitfalls and Next Steps

A common GitOps failure looks like this. The controller reports sync is healthy, the pull request was approved, and production still breaks because the repo contains bad access patterns, weak secret handling, or no alert that the new state is failing at runtime.

That is why GitOps adoption needs to be treated as an operating model change, not a repo cleanup project. Git becomes part of the production control plane. The review process, the controller permissions, the secret flow, and the monitoring path all need the same level of design as the manifests themselves.

Security controls that matter early

Start with secrets. Plaintext credentials in Git turn version history into a long-term exposure record, and deleting the latest commit does not fix that. Use encrypted secret workflows, an external secrets operator, or a secret manager that fits the platform and compliance requirements.

Controller scope comes next. Giving one GitOps controller cluster-admin across every namespace is easy to set up and hard to justify later. Scope service accounts to the environments and teams they manage, and keep RBAC aligned with ownership boundaries. This reduces blast radius and makes approvals more meaningful because reviewers know what a given repo can change.

Trust setup also shows up early in real deployments. Internal Git servers, private registries, and non-public endpoints often require custom certificate handling before reconciliation works reliably. Teams building lab or internal environments usually end up needing tasks like creating a self-signed certificate with OpenSSL just to establish a clean chain of trust for controllers and agents.

Security validation should extend beyond YAML review. A manifest can look correct and still expose an internal path that should not exist. For teams testing lateral movement risk and internal exposure, MSP Pentesting is one example of how internal penetration testing can complement config review.

Common mistakes during adoption

The most common mistake is allowing manual production edits to continue after GitOps is introduced. Once engineers can still hotfix live resources, Git stops being the source of operational truth and drift becomes normal.

Another mistake is hiding deployment logic in scripts that sit outside reviewable declarative config. If the actual behavior lives in shell steps, template hacks, or undocumented controller exceptions, the team loses the auditability GitOps is supposed to provide.

Teams also get into trouble by starting with their hardest system first. A payment platform, shared ingress layer, or central identity service will teach painful lessons under pressure. A lower-risk service gives the team room to tighten approvals, rollback paths, drift detection, and alerting before the model spreads.

Monitoring is often missed here, and that gap matters. GitOps can confirm that desired state was applied. It does not confirm that users can log in, jobs are finishing, latency is acceptable, or error rates stayed flat after the sync. Good adoption includes health checks, log review, metrics, and alerts tied directly to Git-driven changes so the team can tell the difference between "applied" and "working."

A sensible way to start

Start with one service and define strict boundaries. Store its manifests and policies in Git, require pull requests, block direct production changes, and give the controller only the access that service needs.

Then add runtime feedback. Alert on sync failures, drift, failed rollouts, and application health after deployment. If a change reconciles cleanly but degrades the service, the operating model should surface that fast.

Expand in stages after the team proves it can review, deploy, observe, and recover changes through Git. That is the next step. GitOps works when it improves change control and operational visibility at the same time.

Fivenines helps teams close the gap between GitOps automation and runtime visibility. Its all-in-one monitoring platform covers Linux servers, containers, uptime checks, cron jobs, and alert routing in one place, which makes it easier to see whether a synced change produced a healthy system. For teams running production infrastructure and wanting simpler observability without stitching together multiple tools, Fivenines is worth a look.

Read more