Home DevOps Docker CI/CD for Kubernetes: Build, Scan, Sign, and Deploy Without the Pain
Advanced 3 min · July 11, 2026

Docker CI/CD for Kubernetes: Build, Scan, Sign, and Deploy Without the Pain

Full CI/CD pipeline for Kubernetes: docker build → scan → sign → kubectl set image → Helm upgrade --atomic → blue-green/canary → rollback strategies → ArgoCD GitOps.

N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Notes here come from systems that actually shipped.

Follow
Production
production tested
July 11, 2026
last updated
1,787
articles · all by Naren
Before you start⏱ 30 min
  • Production DevOps experience
  • Deep understanding of the tool's internals
  • Experience debugging distributed systems
 ● Production Incident 🔎 Debug Guide
Quick Answer

A Docker CI/CD pipeline for Kubernetes follows: code push → build image (docker build -t app:$SHA) → scan (docker scout cves) → sign (cosign sign) → push to registry → deploy to K8s (kubectl set image or helm upgrade --atomic) → health check → rollback on failure. Blue-green and canary deployments add traffic splitting. ArgoCD GitOps watches the registry and syncs automatically.

✦ Definition~90s read
What is Docker CI/CD for Kubernetes?

A Docker CI/CD pipeline for Kubernetes automates the lifecycle from code commit to production deployment. The pipeline builds a Docker image, scans it for vulnerabilities, signs it with cosign, pushes it to a registry, and deploys it to a Kubernetes cluster using kubectl, Helm, or ArgoCD.

Think of a CI/CD pipeline as a factory assembly line for your app.

The core stages are: (1) Build — docker build produces an OCI image with commit SHA tag. (2) Scan — docker scout cves or trivy image checks for vulnerabilities; pipeline fails if critical CVEs exceed threshold. (3) Sign — cosign sign attaches a cryptographic signature to the image. (4) Push — docker push sends the signed image to the registry. (5) Deploy — kubectl set image, helm upgrade --atomic, or ArgoCD sync updates the cluster. (6) Health check — verify the deployment is healthy; if not, trigger rollback.

Advanced patterns include blue-green deployments (switch traffic between two identical environments), canary deployments (route 5% of traffic to new version and gradually increase), and environment promotion (dev → staging → prod, with manual approval gates between each).

Plain-English First

Think of a CI/CD pipeline as a factory assembly line for your app. Your code enters on one end (a git push), and a fully tested, signed, and deployed application comes out the other end. The pipeline is like an automated quality inspector at every station: does the image build? (yes → pass). Does it have vulnerabilities? (no → pass). Is it properly signed? (yes → pass). Did it deploy successfully? (yes → pass). If any station fails, the pipeline stops and notifies the team.

Kubernetes deployment on its own is powerful but incomplete. Pushing an ad-hoc image tag and running kubectl apply -f deployment.yaml works for a demo, but in production it's a recipe for drift, rollback chaos, and security gaps. Every team that scales past a single cluster discovers they need a repeatable, auditable pipeline that builds, scans, signs, and deploys with guardrails at every stage.

The challenge is that Kubernetes itself doesn't care about the CI/CD pipeline. It will happily run a container with critical CVEs, unsigned images, or the wrong tag. The pipeline is where you enforce quality — and Docker's toolchain (buildx, Scout, cosign) provides the building blocks.

This article walks through a complete production pipeline from git push to running pods. We'll cover kubectl set image for simple rollouts, helm upgrade --atomic for Helm-managed applications, blue-green and canary deployment strategies, rollback tactics (kubectl rollout undo, helm rollback), environment promotion with manual gates, and ArgoCD GitOps integration.

Pipeline Foundation: Build, Tag, Scan, Sign, Push

Every Kubernetes CI/CD pipeline starts with the same five steps: build an image with a unique tag, scan it for vulnerabilities, sign it for authenticity, push it to a registry, and record the digest. The unique tag is critical — using :latest in Kubernetes leads to configuration drift where different nodes run different versions. Always use the commit SHA as the image tag.

The scan step uses Docker Scout (policy-based) or Trivy (comprehensive). The sign step uses cosign (Sigstore) for keyless signing. Signing is increasingly required for admission control — Kubernetes can be configured with OPA/Gatekeeper or Kyverno to only allow signed images.

The push step should record the image digest (myapp@sha256:abc...) rather than the tag, because tags can be overwritten. The digest is immutable and guarantees that what was scanned and signed is exactly what gets deployed.

ci-build-scan-sign-push.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Set unique tag based on commit SHA
SHA=$(git rev-parse --short HEAD)
IMAGE="myapp:$SHA"
REGISTRY="registry.example.com"

# Step 1: Build
docker buildx build --platform linux/amd64,linux/arm64 \
  -t $REGISTRY/$IMAGE --push .

# Step 2: Scan with Docker Scout (block on critical CVEs)
docker scout policy $REGISTRY/$IMAGE --policy .scout-policy.yaml

# Step 3: Sign with cosign (keyless, using OIDC)
cosign sign --yes $REGISTRY/$IMAGE

# Step 4: Record digest for immutable deployment
DIGEST=$(docker buildx imagetools inspect $REGISTRY/$IMAGE \
  --format '{{json .Manifest.Digest}}')
echo "Image digest: $DIGEST"
Never Use :latest in Kubernetes Deployments
The :latest tag is mutable. Different nodes may pull different versions at different times. Always tag with the commit SHA and reference the digest in deployment manifests for immutable, reproducible deployments.
Production Insight
A team using :latest tags discovered during a rollback that every pod was running a different image version. The inconsistency caused a 40-minute outage as they force-imaged each pod.
Key Takeaway
Use commit SHA as image tag, record the digest, and reference the digest in deployment manifests. This guarantees every pod runs the exact same image that passed scanning and signing.
docker-kubernetes-ci-cd THECODEFORGE.IO CI/CD Pipeline Architecture for K8s Layered components from code to deployment Source Control GitHub | GitLab | Bitbucket CI Pipeline Build | Tag | Scan Container Registry ECR | GCR | Docker Hub Deployment Strategies kubectl set image | Helm upgrade --atomic | Blue-Green Rollback Mechanisms kubectl rollout undo | Helm rollback | ArgoCD sync GitOps Integration ArgoCD | Flux | Manual Gates THECODEFORGE.IO
thecodeforge.io
Docker Kubernetes Ci Cd

Deploying to Kubernetes with kubectl set image and Rollout

The kubectl set image command updates a deployment's container image in-place, triggering a rolling update. Combined with kubectl rollout status to wait for completion and kubectl rollout undo to revert on failure, this is the simplest production-ready deployment pattern.

Key parameters: kubectl rollout status deployment/<name> --timeout=5m waits up to 5 minutes for the rollout to complete. If it times out or detects a failure, the pipeline should call kubectl rollout undo deployment/<name> to revert.

For zero-downtime, ensure your deployment has a rolling update strategy with appropriate maxSurge and maxUnavailable.

kubectl-deploy-rollback.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# Deploy new image
kubectl set image deployment/myapp \
  myapp=$REGISTRY/$IMAGE --record

# Wait for rollout to complete (timeout after 5 minutes)
if ! kubectl rollout status deployment/myapp --timeout=5m; then
  echo "Rollout failed — rolling back"
  kubectl rollout undo deployment/myapp
  kubectl rollout status deployment/myapp --timeout=3m
  exit 1
fi

echo "Deployment successful — image: $DIGEST"

# Verify all pods are running the correct image
kubectl get pods -l app=myapp \
  -o jsonpath='{.items[*].spec.containers[*].image}'
Record Rollouts with --record
The --record flag annotates the deployment with the command that triggered the update. This shows in kubectl rollout history deployment/<name>, making it easy to track what was deployed and when.
Production Insight
A team automated their rollback with a kubectl rollout undo in the pipeline's failure handler. When a bad config caused all 20 pods to crash-loop, the pipeline detected the failure and triggered the undo within 2 minutes.
Key Takeaway
The kubectl rollout pattern (set image → status → undo on failure) is the simplest production deployment method.

Helm Upgrade --atomic: Deployments with Automatic Rollback

Helm manages Kubernetes applications as releases with versioned chart deployments. The helm upgrade --atomic command deploys a chart and automatically rolls back to the previous revision if the deployment fails. This is more robust than kubectl set image because Helm tracks all resources (Deployments, ConfigMaps, Services, Ingresses) as a single release.

Key flags: --atomic rolls back on failure, --timeout 5m sets the maximum wait time, --install creates the release if it doesn't exist, --history-max 10 limits stored revisions.

helm-deploy-atomic.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# Deploy with Helm — atomic upgrade with automatic rollback
helm upgrade --install myapp ./chart \
  --set image.repository=$REGISTRY \
  --set image.tag=$SHA \
  --set image.digest=$DIGEST \
  --atomic --timeout 5m --history-max 10 \
  --namespace production

# If the atomic deploy fails, explicitly roll back
if [ $? -ne 0 ]; then
  echo "Helm upgrade failed — rolling back"
  REVISION=$(helm history myapp -n production \
    -o json | jq '.[-2].revision')
  helm rollback myapp $REVISION \
    --namespace production --wait --timeout 3m
  exit 1
fi
helm upgrade --atomic Is Not a Silver Bullet
Atomic rollback only works if the deployment attempts to become healthy. If the chart has a syntax error or references a non-existent ConfigMap, Helm may fail immediately. Always validate charts with helm lint before running the upgrade.
Production Insight
A team deployed a chart that accidentally deleted a Service used by other applications. When they rolled back with helm rollback, the Service was restored — without Helm's release tracking, recovery would have required manual recreation from backups.
Key Takeaway
Helm with --atomic and --history-max provides versioned, atomic deployments with automatic rollback.
Deployment Strategies: Blue-Green vs Canary Trade-offs between risk and speed Blue-Green Canary Deployment Method Switch traffic between two identical env Gradually shift traffic to new version Rollback Speed Instant by switching back to blue Quick by reducing canary traffic Resource Cost Double infrastructure during switch Minimal extra resources Risk Exposure Full exposure after switch Limited exposure during rollout Testing Complexity Requires full environment parity Requires monitoring and metrics Use Case High-stakes production releases Gradual feature rollouts THECODEFORGE.IO
thecodeforge.io
Docker Kubernetes Ci Cd

Blue-Green and Canary Deployment Strategies

Beyond simple rolling updates, blue-green and canary deployments provide finer control over release risk. Blue-green maintains two identical environments (blue = current, green = new) and switches traffic atomically. Canary routes a small percentage of traffic to the new version and gradually increases it.

Blue-green implementation: deploy the new version with a different label (e.g., version: green), run health checks, then update the Service selector to point to the new version. Rollback is instant — just switch the selector back. The downside: doubled resource requirements during deployment.

Canary implementation: deploy the new version with a small replica count, use a service mesh (Istio, Linkerd) or ingress controller weight-based routing to split traffic. Monitor error rates for a soak period, then gradually increase the canary weight. If error rate spikes, the pipeline aborts the canary.

canary-deploy.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Canary deployment with Istio VirtualService traffic splitting
# Step 1: Deploy canary (1 replica of new version)
kubectl apply -f k8s/canary-deployment.yaml

# Step 2: Verify canary is healthy
kubectl rollout status deployment/myapp-canary --timeout=3m

# Step 3: Route 5% traffic to canary
kubectl patch virtualservice myapp --type=merge \
  -p '{"spec":{"http":[{"route":[{"destination":{"host":"myapp","subset":"stable"},"weight":95},{"destination":{"host":"myapp","subset":"canary"},"weight":5}]}]}}'

# Step 4: Observe for 5 minutes
sleep 300
if [ "$(get_error_rate canary)" -gt 1.0 ]; then
  echo "Canary error rate too high — aborting"
  kubectl scale deployment/myapp-canary --replicas=0
  exit 1
fi

# Step 5: Gradually increase canary weight
echo "Canary healthy — scaling to 100%"
kubectl patch virtualservice myapp --type=merge \
  -p '{"spec":{"http":[{"route":[{"destination":{"host":"myapp","subset":"canary"},"weight":100}]}]}}'
Canary Without a Service Mesh Is Just a Replica Count Game
True canary deployments require weight-based traffic routing, which needs a service mesh (Istio, Linkerd), an ingress controller with canary support (nginx-ingress), or a dedicated tool (Flagger, Argo Rollouts).
Production Insight
A team used Istio canary deployments to roll out a new payment processing algorithm. The canary showed a 2% error rate vs 0.1% for stable. The pipeline automatically aborted the canary, preserving the stable version.
Key Takeaway
Blue-green provides instant rollback via label switch but doubles resource cost. Canary provides gradual rollout with automated abort but requires a service mesh for true traffic splitting.

Rollback Strategies: kubectl rollout undo, helm rollback, and Automated Fallback

A deployment strategy is only as good as its rollback mechanism. The key principle: rollback should be automated in the pipeline, not a manual kubectl command executed by an engineer under pressure.

For kubectl set image deployments, kubectl rollout undo deployment/<name> reverts to the previous revision. Revision history is limited by revisionHistoryLimit in the deployment spec (default: 10).

For Helm deployments, helm rollback <release> <revision> reverts the entire release. Use --wait --timeout 3m to wait for the rollback to complete. Helm tracks every upgrade as a new revision.

For ArgoCD GitOps, rollback is done by reverting the Git commit and letting ArgoCD sync.

rollback-strategies.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# kubectl rollout undo
kubectl rollout undo deployment/myapp
kubectl rollout undo deployment/myapp --to-revision=3
kubectl rollout history deployment/myapp

# helm rollback
helm rollback myapp --namespace production --wait --timeout 3m
helm rollback myapp 5 --namespace production --wait --timeout 3m
helm history myapp --namespace production

# Automated pipeline rollback pattern
deploy() {
  if ! helm upgrade --atomic myapp ./chart; then
    echo "Deploy failed — rolling back"
    helm rollback myapp $(helm history myapp -o json | jq '.[-2].revision')
  fi
}
Rollback Creates a New Revision, Not a Time Machine
  • kubectl rollout undo reverts to the previous revision but keeps the current revision in history
  • helm rollback creates a new release revision — the rolled-back state becomes the current
  • Always store the previous successful revision number as a pipeline variable for reliable rollback
  • Limit revision history to avoid etcd bloat
Production Insight
A team's automated rollback pipeline stored the previous revision number as a CI variable before starting the deploy. When the deploy failed, the rollback step referenced that variable — not a hardcoded number.
Key Takeaway
Automate rollback in the pipeline script. Store the previous revision before deploying. Test the rollback mechanism regularly.

Environment Promotion with Manual Gates

Single-environment pipelines are simpler but risky — every commit goes straight to production. Environment promotion adds staging environments where changes are validated before reaching production, with manual approval gates between them.

Manual gates in GitHub Actions use environment with required reviewers. In GitLab CI, use when: manual with needs in the production job. The gate stops the pipeline until an authorized reviewer approves it.

The promoted artifact should be the same image digest from dev — never rebuild for production. Build once, promote across environments.

.github/workflows/environment-promotion.ymlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
name: Deploy with Environment Promotion
on:
  push:
    branches: [main]
jobs:
  build:
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Build and push
        id: build
        run: |
          SHA=$(git rev-parse --short HEAD)
          docker buildx build --push -t myapp:$SHA .
          echo "digest=$(docker buildx imagetools inspect myapp:$SHA --format '{{.Manifest.Digest}}')" >> $GITHUB_OUTPUT
  deploy-dev:
    needs: [build]
    environment: dev
    steps:
      - run: helm upgrade --install myapp ./chart --set image.digest=${{ needs.build.outputs.digest }}
  deploy-staging:
    needs: [deploy-dev]
    environment: staging
    steps:
      - run: helm upgrade --install myapp ./chart --set image.digest=${{ needs.build.outputs.digest }} --atomic
  deploy-prod:
    needs: [deploy-staging]
    environment: prod
    steps:
      - run: helm upgrade --install myapp ./chart --set image.digest=${{ needs.build.outputs.digest }} --atomic --timeout 10m
Build Once, Promote Across Environments
Never rebuild the image for staging or production. Use the same digest from the build step across all environments. This eliminates the risk that staging tests a different binary than what runs in production.
Production Insight
A team used environment promotion with manual gates after a production incident caused by an untested config change. The gate required a senior engineer to approve the production deploy after verifying staging tests passed.
Key Takeaway
Build the image once and promote the same digest across dev → staging → prod with manual gates. This guarantees consistency.

ArgoCD GitOps Integration

ArgoCD follows the GitOps pattern: the Git repository is the single source of truth for the desired state of the cluster. ArgoCD continuously monitors the Git repo and the live cluster, and syncs any drift. In this model, the CI pipeline's job is to: (1) build and push the image, (2) update the deployment manifest in the Git repo with the new image digest. ArgoCD detects the change in Git and syncs the cluster automatically.

The pipeline should never call kubectl or helm directly when using ArgoCD. Instead, it commits the updated manifest to the Git repo using a GitOps token with write access. ArgoCD syncs on its own schedule (typically 3 minutes, or faster with webhooks).

argocd-gitops-integration.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# CI pipeline for ArgoCD GitOps — no kubectl or helm commands!

# Step 1: Build, scan, sign, push image
docker buildx build --push -t myapp:$SHA .
docker scout policy myapp:$SHA --policy .scout-policy.yaml
cosign sign --yes myapp:$SHA
DIGEST=$(docker buildx imagetools inspect myapp:$SHA --format '{{.Manifest.Digest}}')

# Step 2: Clone the GitOps repo and update the manifest
git clone https://$GITOPS_TOKEN@github.com/org/gitops-repo.git
cd gitops-repo

# Update the image digest in the k8s deployment manifest
yq eval -i ".spec.template.spec.containers[0].image = \"myapp@$DIGEST\"" apps/myapp/deployment.yaml

# Commit and push
git config user.email "ci@example.com"
git config user.name "CI Pipeline"
git add -A
git commit -m "Update myapp image to $SHA ($DIGEST)"
git push

# Step 3: ArgoCD auto-detects the change within 3 minutes
GitOps Repo Isolation
Keep your GitOps repository separate from your application code repository. This prevents an application repo compromise from granting access to deployment manifests. Use a dedicated CI token with write access only to the GitOps repo.
Production Insight
A fintech team adopted ArgoCD GitOps after a production incident where manual kubectl commands drifted from the repo manifests. After switching, every cluster change was tracked in Git with a commit SHA author. Auditors could trace any pod to exactly which CI build produced it.
Key Takeaway
ArgoCD GitOps decouples CI from CD. The pipeline only writes to Git — never to the cluster directly. This creates an immutable audit trail and prevents configuration drift.
● Production incidentPOST-MORTEMseverity: high

Helm Upgrade --atomic Saved Our Friday Deploy When the Pods Wouldn't Start

Symptom
After a routine deployment of a payment service config change, all 12 pods entered CrashLoopBackOff. The application logs showed 'unexpected database config: connection refused' — the configmap had a typo in the database hostname.
Assumption
The team assumed their CI/CD pipeline would catch the error because they ran integration tests before deploy. The tests passed because they used a mock database that didn't validate the hostname.
Root cause
The deployment used kubectl set image followed by kubectl rollout status — but there was no automated rollback. When the pods crashed, nobody was on call to catch it for 20 minutes.
Fix
1. Switched all Helm deployments to helm upgrade --atomic --timeout 5m — this rolls back automatically if health checks fail within 5 minutes. 2. Added a post-deploy health check step (kubectl rollout status --timeout=3m) with rollback trigger in the pipeline script. 3. Added a Kubernetes readiness probe that validates the database connection before accepting traffic. 4. Implemented canary deployments for config changes: deploy to 1 pod first, observe for 2 minutes, then scale to full.
Key lesson
  • helm upgrade --atomic is the minimum viable production deployment command — it rolls back automatically on health check failure.
  • Integration tests cannot catch all runtime configuration errors. Add readiness probes that validate external dependencies.
  • Always have a rollback mechanism in the pipeline script itself, not just in Helm.
  • Canary deployments reduce blast radius for config changes, which are harder to validate in tests than code changes.
Production debug guideSystematic debugging for failed deployments, rollback issues, and pipeline stage failures.5 entries
Symptom · 01
Helm upgrade --atomic rolls back every time even though the pods seem healthy.
Fix
Check the pod logs for the immediate post-deploy period. --atomic waits for all pods to become ready AND stay ready for the --timeout period. Check readiness and liveness probe configurations.
Symptom · 02
kubectl set image reports 'deployment updated' but the old pods are still running.
Fix
The deployment rollout strategy is likely Recreate or the maxSurge/maxUnavailable settings prevent new pods from starting. Run kubectl describe deployment <name> and check the RollingUpdateStrategy.
Symptom · 03
ArgoCD says 'OutOfSync' immediately after deployment, never becoming Synced.
Fix
The ArgoCD application has auto-sync disabled or the desired state in Git doesn't match what the pipeline deployed. Use argocd app sync <app> with --prune to force reconciliation.
Symptom · 04
Pipeline fails at 'cosign sign' with 'no matching signatures' or key errors.
Fix
The cosign private key is not available in the CI environment or the key was generated with a different OIDC provider. Verify the key is stored as a CI secret and the correct key password is provided.
Symptom · 05
Blue-green deployment switches traffic but new pods produce 502 errors.
Fix
The new pods aren't responding to the service's health check endpoint. Check that the new pods have the correct labels matching the service selector and that the readiness probe passes on the expected port.
StrategyRollout SpeedRollback SpeedResource CostTraffic ControlAutomation
Rolling updateFastFast (undo)NormalSequentialkubectl rollout
Blue-greenFast (switch)Instant (switch)2x during deployFull switchService label update
CanaryGradual (minutes)Fast (scale down)1.05xWeighted routingService mesh / ingress
ArgoCD GitOps3 min (poll)Git revert + syncNormalDeclarativeGit push triggers sync
Helm atomicFastAutomaticNormalSequentialhelm upgrade --atomic
⚙ Quick Reference
7 commands from this guide
FileCommand / CodePurpose
ci-build-scan-sign-push.shSHA=$(git rev-parse --short HEAD)Pipeline Foundation
kubectl-deploy-rollback.shkubectl set image deployment/myapp \Deploying to Kubernetes with kubectl set image and Rollout
helm-deploy-atomic.shhelm upgrade --install myapp ./chart \Helm Upgrade --atomic
canary-deploy.shkubectl apply -f k8s/canary-deployment.yamlBlue-Green and Canary Deployment Strategies
rollback-strategies.shkubectl rollout undo deployment/myappRollback Strategies
.githubworkflowsenvironment-promotion.ymlname: Deploy with Environment PromotionEnvironment Promotion with Manual Gates
argocd-gitops-integration.shdocker buildx build --push -t myapp:$SHA .ArgoCD GitOps Integration

Key takeaways

1
Every K8s CI/CD pipeline must include build, scan, sign, push, deploy, and rollback. The rollback mechanism must be automated in the pipeline script.
2
helm upgrade --atomic provides automatic rollback on health check failure. For simpler apps, kubectl set image + kubectl rollout undo is sufficient.
3
Blue-green and canary deployments reduce blast radius but require infrastructure for true traffic splitting.
4
ArgoCD GitOps decouples CI from CD
the pipeline writes to Git, ArgoCD syncs the cluster. This prevents configuration drift.
5
Build the image once and promote the same digest across environments. Never rebuild for production.

Common mistakes to avoid

4 patterns
×

Using :latest image tags in Kubernetes deployments.

×

Not automating rollback in the pipeline script.

×

Rebuilding the image for staging or production instead of promoting the build artifact.

×

Using kubectl or helm commands directly against the cluster in ArgoCD pipelines.

INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01JUNIOR
Design a production CI/CD pipeline for a Dockerized application on Kuber...
Q02JUNIOR
Compare rolling update, blue-green, and canary deployments. When would y...
Q03JUNIOR
How does ArgoCD GitOps differ from a traditional pipeline that calls kub...
Q04JUNIOR
What happens when a Helm upgrade --atomic deployment fails? Walk through...
Q01 of 04JUNIOR

Design a production CI/CD pipeline for a Dockerized application on Kubernetes. Walk through each stage.

ANSWER
Stage 1: Docker build with commit SHA tag. Stage 2: CVE scan — fail pipeline on critical CVEs. Stage 3: Sign image with cosign. Stage 4: Push to registry. Stage 5: Deploy via kubectl set image or helm upgrade --atomic. Stage 6: Wait for rollout status — on failure, trigger rollback. Stage 7: Post-deploy health check. For production, add environment promotion with manual gates and upgrade to ArgoCD GitOps.
FAQ · 5 QUESTIONS

Frequently Asked Questions

01
Should I use kubectl set image or helm upgrade in my pipeline?
02
How do I handle image pull secrets in Kubernetes CI/CD?
03
What's the difference between --record in kubectl and --atomic in helm?
04
Can I use canary deployments without a service mesh?
05
How many Helm release revisions should I keep?
N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Notes here come from systems that actually shipped.

Follow
Verified
production tested
July 11, 2026
last updated
1,787
articles · all by Naren
🔥

That's Docker. Mark it forged?

3 min read · try the examples if you haven't

Previous
Docker Scout and Supply Chain Security
39 / 41 · Docker
Next
Docker Bake and Buildx Multi-Platform Builds