Most enterprises claim to do GitOps. Few actually do. They have ArgoCD installed but still SSH into servers for βquick fixes.β They have a Git repo but half the changes bypass it.
This maturity model helps you honestly assess where you are and plan a path to where you should be.
The Five Levels
Level 1: Manual (Ad-hoc)
How you deploy: kubectl apply, SSH, console clicks, Slack messages asking someone to deploy.
Characteristics:
- No single source of truth
- βIt works on my machineβ deployments
- Snowflake environments (no two are alike)
- Rollbacks are manual and terrifying
- Audit trail: βI think Dave deployed that last Tuesdayβ
Assessment score: 0-20%
Level 2: Version Controlled (Git-backed)
How you deploy: Manifests in Git, CI pipeline applies them, but changes still happen outside Git.
Characteristics:
- Kubernetes manifests in a Git repository
- CI/CD pipeline runs
kubectl applyorhelm upgrade - Some manual changes still happen directly on clusters
- Drift exists but is not detected or corrected
- Partial audit trail through Git history
Assessment score: 20-40%
Level 3: Declarative (GitOps-ready)
How you deploy: ArgoCD or Flux watches Git, applies changes, detects drift.
Characteristics:
- GitOps operator (ArgoCD/Flux) reconciles desired vs actual state
- Drift detection β unauthorized changes are flagged
- Pull-based deployment (cluster pulls from Git, no push access needed)
- Self-healing β manual changes are automatically reverted
- Complete audit trail via Git commits
# ArgoCD Application with self-healing
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
syncPolicy:
automated:
prune: true
selfHeal: true # Revert manual changes
syncOptions:
- CreateNamespace=trueAssessment score: 40-60%
Level 4: Progressive (Advanced GitOps)
How you deploy: Canary deployments, feature flags, automated rollbacks based on metrics.
Characteristics:
- Progressive delivery with Argo Rollouts or Flagger
- Automated canary analysis β metrics-driven promotion/rollback
- Policy-as-code gates (OPA/Kyverno) block non-compliant deployments
- Secrets managed externally (Vault) and synced via GitOps
- Multi-environment promotion workflows (dev β staging β prod)
# Argo Rollouts canary with automated analysis
apiVersion: argoproj.io/v1alpha1
kind: Rollout
spec:
strategy:
canary:
steps:
- setWeight: 10
- pause: { duration: 5m }
- analysis:
templates:
- templateName: success-rate
args:
- name: service-name
value: my-service
- setWeight: 50
- pause: { duration: 10m }
- analysis:
templates:
- templateName: success-rateAssessment score: 60-80%
Level 5: Fully Automated (Enterprise GitOps)
How you deploy: Everything is automated. Humans review PRs. Machines do everything else.
Characteristics:
- Multi-cluster fleet management via ApplicationSets
- Automated dependency updates (Renovate/Dependabot for Kubernetes)
- Security scanning in the GitOps pipeline (image scanning, policy checks)
- Compliance reporting generated from Git history
- Zero-touch deployments β merge PR, everything else is automated
- Disaster recovery via Git repo clone to new cluster
Assessment score: 80-100%
Assessment Checklist
Score yourself (1 = not doing, 5 = fully implemented):
| Practice | Score (1-5) |
|---|---|
| All manifests in Git | |
| GitOps operator (ArgoCD/Flux) deployed | |
| Drift detection and self-healing enabled | |
No manual kubectl changes in production | |
| Secrets managed externally | |
| Progressive delivery (canary/blue-green) | |
| Policy gates in deployment pipeline | |
| Multi-cluster GitOps | |
| Automated dependency updates | |
| Compliance audit from Git history |
Total: ___/50
Related Resources
- ArgoCD Cheat Sheet
- GitHub Actions Tutorial
- Helm vs Kustomize
- Platform Engineering Metrics
- Backstage Developer Portal
- Kubernetes Multi-Cluster Management
About the Author
I am Luca Berton, AI and Cloud Advisor. I help enterprises implement GitOps at scale. Book a consultation.
