Home DevOps Cloud Deploy: Delivery Pipelines, Rollbacks, and Skaffold Integration
Advanced 6 min · July 12, 2026

Cloud Deploy: Delivery Pipelines, Rollbacks, and Skaffold Integration

A production-focused guide to Cloud Deploy: Delivery Pipelines, Rollbacks, and Skaffold Integration on Google Cloud Platform..

N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.

Follow
Verified
production tested
July 12, 2026
last updated
2,073
articles · all by Naren
Before you start⏱ 30 min
  • Google Cloud project with billing enabled, gcloud CLI installed and configured, kubectl, Skaffold v2.0+, GKE cluster(s) for each target, Cloud Build API enabled, Cloud Deploy API enabled, IAM roles: Cloud Deploy Service Agent, Container Developer, Cloud Build Service Account.
✦ Definition~90s read
What is Cloud Deploy (Continuous Delivery)?

Cloud Deploy is Google Cloud's managed continuous delivery service that automates deployment of applications to GKE, Cloud Run, and Anthos. It defines delivery pipelines with sequential targets (e.g., dev, staging, prod), supports automatic rollbacks on failure, and integrates with Skaffold for build and deploy orchestration.

Cloud Deploy: Delivery Pipelines, Rollbacks, and Skaffold Integration is like having a specialized tool that handles cloud deploy so you don't have to build and manage it yourself — it just works out of the box with Google Cloud's infrastructure.

Use it when you need repeatable, auditable, and progressive delivery with built-in safety mechanisms like deployment verification and canary analysis.

Plain-English First

Cloud Deploy: Delivery Pipelines, Rollbacks, and Skaffold Integration is like having a specialized tool that handles cloud deploy so you don't have to build and manage it yourself — it just works out of the box with Google Cloud's infrastructure.

You've built a perfect CI pipeline. Code merges, tests pass, artifacts are built. Then your deployment to production silently breaks the checkout flow, and you spend 45 minutes manually reverting a Helm chart. That's the gap Cloud Deploy fills: it's not just about pushing artifacts—it's about orchestrating the rollout with gated promotions, automated rollbacks, and integration with Skaffold to keep your build and deploy in sync. Most teams treat deployment as an afterthought; the ones that don't sleep better. Cloud Deploy forces you to define explicit delivery pipelines with verification steps, so a bad release never reaches production without a fight. This isn't a CI/CD overview—it's a deep dive into how to structure your delivery pipeline for reliability, using Cloud Deploy and Skaffold together.

The Anatomy of a Delivery Pipeline

A delivery pipeline in Cloud Deploy is a series of targets (e.g., dev, staging, prod) connected by promotion rules. Each target can have a verification mechanism—like a Cloud Build test or a custom Skaffold deploy—that must pass before promotion. The pipeline is defined in a YAML file that references Skaffold configurations for each target. This separation of concerns means your build logic stays in Skaffold, while Cloud Deploy handles the orchestration and rollback. A common mistake is to treat the pipeline as a linear sequence; instead, design it with parallel verification steps and approval gates for production. For example, you might have a 'canary' target that runs a subset of traffic before full rollout. The pipeline definition is immutable after creation, so plan your target names and ordering carefully.

delivery-pipeline.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
apiVersion: deploy.cloud.google.com/v1
kind: DeliveryPipeline
metadata:
  name: my-app-pipeline
serialPipeline:
  stages:
  - targetId: dev
    profiles: []
  - targetId: staging
    profiles: [staging]
  - targetId: prod
    profiles: [prod]
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: dev
description: Development cluster
gke:
  cluster: projects/my-project/locations/us-central1/clusters/dev-cluster
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: staging
description: Staging cluster
gke:
  cluster: projects/my-project/locations/us-central1/clusters/staging-cluster
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod
description: Production cluster
requireApproval: true
gke:
  cluster: projects/my-project/locations/us-central1/clusters/prod-cluster
Output
Delivery pipeline 'my-app-pipeline' created with targets: dev, staging, prod.
🔥Target Immutability
Once a target is created, its cluster reference cannot be changed. To update, you must create a new target and update the pipeline. Plan your target names to be environment-specific, not cluster-specific.
📊 Production Insight
We once had a pipeline where dev and staging pointed to the same cluster due to a copy-paste error. A bad deploy to dev immediately broke staging. Always use separate clusters per target.
🎯 Key Takeaway
Delivery pipelines define the promotion path; targets define the deployment environments.
gcp-cloud-deploy THECODEFORGE.IO Cloud Deploy Pipeline Flow: Release to Rollback Step-by-step process from commit to production with rollback Commit & Build Cloud Build triggers CI, produces container image Create Release Skaffold render + apply, generate release artifact Promote to Target Progressive rollout across environments (dev, staging, prod) Canary Deployment Traffic split: 5% → 25% → 100% with auto-promotion Automated Rollback Failure detection triggers revert to last successful release Manual Rollforward Operator promotes a known-good release to recover ⚠ Skaffold config drift between environments Use skaffold profiles and kustomize overlays to keep configs consistent THECODEFORGE.IO
thecodeforge.io
Gcp Cloud Deploy

Skaffold as the Deploy Engine

Skaffold is the tool that Cloud Deploy uses to actually run the deployment. It handles building container images, applying Kubernetes manifests, and managing the deploy lifecycle. In the context of Cloud Deploy, Skaffold runs in a Cloud Build step triggered by a release. The Skaffold configuration (skaffold.yaml) defines the build and deploy steps, and Cloud Deploy passes environment-specific profiles (e.g., dev, staging) to customize the deployment. This integration means you can test your deployment locally with Skaffold and then use the same configuration in production. A critical detail: Cloud Deploy uses Skaffold's 'render' and 'apply' commands, so your skaffold.yaml must support those. Avoid using custom build steps that aren't idempotent—Cloud Deploy may retry deployments on failure.

skaffold.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
apiVersion: skaffold/v4beta6
kind: Config
build:
  artifacts:
  - image: us-central1-docker.pkg.dev/my-project/my-repo/my-app
    docker:
      dockerfile: Dockerfile
  tagPolicy:
    gitCommit: {}
deploy:
  kubectl:
    manifests:
    - k8s/*.yaml
profiles:
  - name: staging
    patches:
      - op: replace
        path: /deploy/kubectl/manifests
        value: ["k8s/overlays/staging/*.yaml"]
  - name: prod
    patches:
      - op: replace
        path: /deploy/kubectl/manifests
        value: ["k8s/overlays/prod/*.yaml"]
Output
Skaffold configuration with profiles for staging and prod.
⚠ Profile Consistency
Ensure all profiles produce the same number of manifests. A mismatch can cause Cloud Deploy to fail silently during promotion.
📊 Production Insight
We used to have separate skaffold.yaml files per environment. Merging into a single file with profiles reduced drift and made rollbacks predictable.
🎯 Key Takeaway
Skaffold profiles allow environment-specific customization without duplicating pipeline logic.

Creating a Release and Promoting

A release in Cloud Deploy is a snapshot of the source code and Skaffold configuration at a point in time. You create a release from a specific commit or tag, and Cloud Deploy automatically renders the manifests and deploys to the first target (e.g., dev). Promotion moves the release to the next target, optionally requiring approval. The promotion can be manual or automated via Cloud Build triggers. A key feature is the ability to specify a 'skaffold version' per release, ensuring reproducibility. When promoting, Cloud Deploy re-renders the manifests using the target's profile, so the same release can produce different manifests for different environments. This is powerful but can lead to surprises if your profiles are not consistent.

create-release.shBASH
1
2
3
4
5
6
gcloud deploy releases create my-release-001 \
  --delivery-pipeline=my-app-pipeline \
  --region=us-central1 \
  --source=./ \
  --skaffold-version=2.0.0 \
  --images=my-app=us-central1-docker.pkg.dev/my-project/my-repo/my-app:latest
Output
Release 'my-release-001' created. Deploying to target 'dev'.
💡Tag Your Images
Always use explicit image tags (e.g., commit SHA) rather than 'latest' to ensure traceability and rollback capability.
📊 Production Insight
We once promoted a release that had a typo in the staging profile—it deployed the wrong service name. Always run a dry-run promotion to staging before going to prod.
🎯 Key Takeaway
Releases are immutable snapshots; promotions re-render manifests per target profile.
gcp-cloud-deploy THECODEFORGE.IO Cloud Deploy Architecture: Pipeline & Skaffold Layered stack from CI to deployment targets CI Layer Cloud Build | Source Repository | Artifact Registry Pipeline Definition Delivery Pipeline | Targets (dev/staging/prod) | Skaffold Config Release & Promotion Release Object | Promotion Rules | Canary Strategy Deploy Engine Skaffold Render | Skaffold Apply | Kubernetes Manifests Rollback Mechanisms Automated Rollback | Manual Rollback | Rollforward Target Clusters GKE Cluster (dev) | GKE Cluster (staging) | GKE Cluster (prod) THECODEFORGE.IO
thecodeforge.io
Gcp Cloud Deploy

Automated Rollbacks on Failure

Cloud Deploy can automatically roll back a deployment if the verification step fails. Verification is defined per target and can be a Cloud Build test, a custom Skaffold deploy, or a Cloud Deploy 'verify' job. When a rollout fails verification, Cloud Deploy automatically rolls back to the previous successful rollout. This is not a simple revert—it re-applies the previous release's manifests. The rollback is atomic and audited. However, automatic rollback is not a substitute for proper canary analysis; it only triggers on explicit verification failures. If your verification is weak (e.g., a simple HTTP check that passes even when the app is broken), the rollback won't save you. Design verification to be as close to production traffic as possible.

target-with-verify.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod
description: Production cluster
requireApproval: true
gke:
  cluster: projects/my-project/locations/us-central1/clusters/prod-cluster
verification:
  cloudBuild:
    serviceAccount: projects/my-project/serviceAccounts/verify-sa@my-project.iam.gserviceaccount.com
    workerPool: projects/my-project/locations/us-central1/workerPools/verify-pool
    config:
      steps:
      - name: 'gcr.io/cloud-builders/gcloud'
        entrypoint: 'bash'
        args:
        - '-c'
        - |
          gcloud deploy rollouts list --delivery-pipeline=my-app-pipeline --release=my-release-001 --region=us-central1 --filter="state=SUCCEEDED" --format="value(name)" | head -1
Output
Verification step runs after deployment to prod. If it fails, rollback is automatic.
⚠ Rollback vs. Rollforward
Automatic rollback only reverts to the previous rollout. If you need to skip a bad release, you must manually promote a later release. Consider using canary deployments for safer rollouts.
📊 Production Insight
We had a verification that checked a health endpoint but didn't test the database connection. The app returned 200 but couldn't serve traffic. Add multi-layer verification: health check, dependency check, and synthetic transaction.
🎯 Key Takeaway
Automatic rollbacks are only as good as your verification step.

Manual Rollbacks and Rollforward

Sometimes automatic rollback isn't enough—you need to manually roll back to a specific release or roll forward to a fix. Cloud Deploy supports manual rollback by creating a new rollout from a previous release. You can also 'roll forward' by creating a new release with the fix and promoting it. The key is that rollbacks are not destructive; they create a new rollout that applies the old manifests. This means you can roll back multiple times. However, if your database schema has changed, a rollback might not be safe. Always test rollbacks in staging first. A common pattern is to keep the last N releases available for quick rollback.

manual-rollback.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
# Roll back to a previous release
gcloud deploy rollouts create rollback-001 \
  --delivery-pipeline=my-app-pipeline \
  --release=my-release-001 \
  --region=us-central1 \
  --target=prod

# Or roll forward with a new release
gcloud deploy releases create my-release-002 \
  --delivery-pipeline=my-app-pipeline \
  --region=us-central1 \
  --source=./ \
  --images=my-app=us-central1-docker.pkg.dev/my-project/my-repo/my-app:fixed
Output
Rollback to release my-release-001 initiated. New rollout created.
🔥Rollback History
Cloud Deploy retains rollout history. You can see all rollouts for a release, including rollbacks. Use this for audit trails.
📊 Production Insight
We once had a rollback that failed because the previous release used a different Skaffold version. Always pin the Skaffold version in your release to avoid compatibility issues.
🎯 Key Takeaway
Manual rollbacks create new rollouts from old releases; they are safe and auditable.

Canary Deployments with Cloud Deploy

Cloud Deploy supports canary deployments by defining multiple targets for the same environment (e.g., prod-canary, prod-stable). You promote to the canary target first, run verification, and then promote to stable. This is not a native canary analysis (like traffic splitting), but a sequential promotion. For true canary analysis, you need to integrate with a service mesh or Cloud Deploy's rollout strategies. Cloud Deploy also supports 'deployment strategies' like 'canary' and 'blue-green' via Skaffold's custom deploy. However, the simplest approach is to have a separate canary cluster and use Cloud Deploy's promotion gates to control traffic. This pattern is common for high-risk deployments.

canary-pipeline.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
serialPipeline:
  stages:
  - targetId: dev
  - targetId: staging
  - targetId: prod-canary
  - targetId: prod-stable
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod-canary
gke:
  cluster: projects/my-project/locations/us-central1/clusters/prod-canary-cluster
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod-stable
gke:
  cluster: projects/my-project/locations/us-central1/clusters/prod-stable-cluster
Output
Pipeline with canary and stable targets for production.
💡Canary Verification
Use a separate verification step for the canary target that checks error rates and latency before promoting to stable.
📊 Production Insight
We ran a canary that passed all checks but still caused a 5% increase in errors because the canary cluster had different resource limits. Ensure canary clusters mirror production exactly.
🎯 Key Takeaway
Canary deployments in Cloud Deploy are achieved through separate targets and sequential promotion.

Integrating with Cloud Build for CI

Cloud Deploy is often triggered by Cloud Build after a successful CI pipeline. The typical flow: Cloud Build builds the image, runs tests, then creates a Cloud Deploy release and promotes it to dev. This is done using the gcloud deploy commands in a Cloud Build step. You can also use Cloud Build to run verification steps. A common mistake is to put too much logic in Cloud Build; keep it simple: build, test, release. The release creation should be a separate step that can be retried independently. Use Cloud Build's substitution variables to pass the image tag and commit SHA.

cloudbuild.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
steps:
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'us-central1-docker.pkg.dev/$PROJECT_ID/my-repo/my-app:$COMMIT_SHA', '.']
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'us-central1-docker.pkg.dev/$PROJECT_ID/my-repo/my-app:$COMMIT_SHA']
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  entrypoint: 'bash'
  args:
  - '-c'
  - |
    gcloud deploy releases create release-$BUILD_ID \
      --delivery-pipeline=my-app-pipeline \
      --region=us-central1 \
      --source=. \
      --images=my-app=us-central1-docker.pkg.dev/$PROJECT_ID/my-repo/my-app:$COMMIT_SHA
substitutions:
  _REGION: us-central1
Output
Cloud Build creates a release after building and pushing the image.
⚠ Release Naming
Use unique release names (e.g., based on build ID) to avoid conflicts. Cloud Deploy does not allow duplicate release names within a pipeline.
📊 Production Insight
We had a Cloud Build step that created a release and immediately promoted to dev. When the build failed mid-promotion, the release was orphaned. Separate release creation and promotion into distinct steps.
🎯 Key Takeaway
Cloud Build triggers Cloud Deploy releases; keep CI and CD separate for reliability.

Handling Multi-Environment Configurations

Managing environment-specific configurations (e.g., different replica counts, secrets, or feature flags) is a common challenge. Cloud Deploy handles this through Skaffold profiles and Kustomize overlays. Each target can have a different profile that applies patches to the base manifests. For secrets, use Google Cloud Secret Manager and reference them in your manifests via environment variables or volume mounts. Avoid storing secrets in the repository. A robust pattern is to have a base set of manifests and overlay directories for each environment. Cloud Deploy will render the correct manifests based on the target's profile.

kustomization.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
- path: replica-count.yaml
  target:
    kind: Deployment
    name: my-app
configMapGenerator:
- name: app-config
  literals:
  - ENV=staging
secretGenerator:
- name: app-secrets
  envs:
  - secrets.env
Output
Kustomize overlay for staging environment.
🔥Secret Management
Use Secret Manager for secrets, not Kustomize secretGenerator. The latter stores secrets in plaintext in the cluster.
📊 Production Insight
We once had a staging overlay that accidentally increased resource limits to prod levels, causing a cost spike. Use resource quotas per namespace to catch such issues.
🎯 Key Takeaway
Use Kustomize overlays with Skaffold profiles for environment-specific configs.

Monitoring and Auditing Deployments

Cloud Deploy integrates with Cloud Logging and Cloud Monitoring to provide visibility into deployments. Each rollout creates log entries that show the state changes, verification results, and any errors. You can set up alerts on rollout failures or rollbacks. For auditing, Cloud Deploy records who created releases and approved promotions. This is essential for compliance. A common gap is not monitoring the verification step itself—if the verification fails silently, you won't know until the rollback happens. Use Cloud Monitoring to track rollout duration and success rate.

list-rollouts.shBASH
1
2
3
4
5
gcloud deploy rollouts list \
  --delivery-pipeline=my-app-pipeline \
  --release=my-release-001 \
  --region=us-central1 \
  --format="table(name, state, createTime)"
Output
NAME STATE CREATETIME
rollout-abc SUCCEEDED 2026-07-12T10:00:00
rollout-def FAILED 2026-07-12T09:00:00
💡Alert on Rollback
Set up a Cloud Monitoring alert on the 'deploy_rollout_state' metric with state 'ROLLED_BACK' to get notified immediately.
📊 Production Insight
We missed a rollback because the alert was only on rollout failure, not on rollback. Rollbacks can happen automatically without a failure alert if verification fails. Add alerts for both.
🎯 Key Takeaway
Cloud Deploy provides audit logs and metrics; use them to monitor deployment health.

Advanced: Custom Deploy Strategies with Skaffold

For complex deployments (e.g., blue-green, canary with traffic splitting), you can use Skaffold's custom deploy actions. Cloud Deploy supports custom Skaffold deploy by specifying a 'deploy' section in the skaffold.yaml that runs a script. This script can interact with a service mesh like Istio or use Cloud Deploy's rollout strategies. However, this adds complexity and should be used only when necessary. A simpler approach is to use Cloud Deploy's built-in 'canary' strategy, which is available for GKE targets. This strategy automatically creates a canary deployment and scales it up while monitoring.

skaffold-custom-deploy.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
deploy:
  custom:
    - name: blue-green
      deployCommand:
        - bash
        - -c
        - |
          kubectl apply -f blue-deployment.yaml
          kubectl apply -f green-deployment.yaml
          # switch service selector
          kubectl patch service my-app -p '{"spec":{"selector":{"version":"blue"}}}'
Output
Custom deploy script for blue-green deployment.
⚠ Custom Deploy Risks
Custom deploy scripts bypass Cloud Deploy's built-in verification and rollback. Ensure your script handles failures gracefully.
📊 Production Insight
We wrote a custom deploy script that didn't handle the case where the old deployment was already deleted. It caused a downtime. Always test custom scripts in a non-production environment first.
🎯 Key Takeaway
Custom deploy strategies give flexibility but increase complexity; prefer built-in strategies when possible.

Canary Deployment Strategy: Phased Rollouts

Cloud Deploy supports canary deployments with phased rollouts. A canary rollout deploys to a percentage of traffic first (e.g., 25%), then advances to 50%, then 100% (stable). Each phase has a deploy job and optional verify job. The phases are named canary-25, canary-50, and stable. On the first deployment to a target (no existing version), the canary phases are skipped and the app deploys directly to stable. After that, canary deployments work as expected. You can configure custom percentages and custom-automated canaries. Production insight: always enable verification on canary phases. We deployed a canary that passed the deploy step but failed the verify step due to elevated error rates. The rollout was automatically halted before reaching 100%. This caught a regression that would have affected all users.

canary-strategy.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
apiVersion: deploy.cloud.google.com/v1
kind: DeliveryPipeline
metadata:
  name: my-app-canary-pipeline
serialPipeline:
  stages:
  - targetId: dev
  - targetId: staging
  - targetId: prod
    strategy:
      canary:
        canaryDeployment:
          percentages: [25, 50, 100]
          verify: true
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod
gke:
  cluster: projects/my-project/locations/us-central1/clusters/prod-cluster
requireApproval: true
Output
Pipeline with canary deployment strategy.
💡Always Verify Canary Phases
Enable verification on each canary phase. A deploy can succeed even if the app crashes—verification catches runtime issues before they reach all users.
📊 Production Insight
We deployed a canary that checked only HTTP 200 status. The app returned 200 but was serving stale data. Adding a verification step that checked response freshness caught the issue during the 25% phase.
🎯 Key Takeaway
Canary deployments roll out in phases (e.g., 25%, 50%, 100%) with verification at each step.

Parallel Deployment: Multi-Target Simultaneous Rollouts

Cloud Deploy supports parallel deployment, allowing you to deploy to multiple targets simultaneously (e.g., deploy to us-central1 and europe-west1 at the same time). This is configured using a multiTarget type or by defining parallel stages in the pipeline. Parallel deployment reduces rollout time for multi-region applications. However, it increases risk—a failure in one region can affect the entire deployment. Use parallel deployment for stateless, region-independent services. For stateful or region-coupled services, use sequential deployment. Production insight: we use parallel deployment for our CDN edge service—it must be updated in all regions simultaneously to avoid cache inconsistency. For the database migration service, we use sequential deployment to avoid split-brain scenarios.

parallel-deploy.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
apiVersion: deploy.cloud.google.com/v1
kind: DeliveryPipeline
metadata:
  name: multi-region-pipeline
serialPipeline:
  stages:
  - targetId: staging
  - profiles: []
    strategy:
      standard:
        verify: false
  - targetId: prod-us
  - targetId: prod-eu
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod-us
gke:
  cluster: projects/my-project/locations/us-central1/clusters/prod-cluster
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod-eu
gke:
  cluster: projects/my-project/locations/europe-west1/clusters/prod-cluster
Output
Multiregion pipeline with parallel deployment to US and EU.
⚠ Parallel Deployment Risk
Failure in one region can affect the entire parallel rollout. Use parallel deployment only for stateless, region-independent services. For critical services, consider sequential multi-region deployment.
📊 Production Insight
We rolled out to 5 regions in parallel. One region had a misconfigured cluster and the deployment failed, rolling back all regions. Now we deploy in 2-region waves with a verification gate between waves.
🎯 Key Takeaway
Parallel deployment reduces multi-region rollout time but increases risk; use for stateless services only.

Cloud Run Deployer with Skaffold

Cloud Deploy now supports Cloud Run as a target runtime (in addition to GKE and Anthos). This is configured via Skaffold's Cloud Run deployer, which uses the serving.knative.dev/v1 schema. The setup is similar to GKE: you define a delivery pipeline with targets, and Cloud Deploy uses Skaffold's Cloud Run deployer to apply the manifests. This enables progressive delivery (canary) and rollbacks for Cloud Run services. Production insight: Cloud Run's automatic scaling combined with Cloud Deploy's canary deployment creates a powerful combination. We deploy a new revision to 25% of traffic, run verification tests, then promote to 100%. If the verification fails, Cloud Deploy rolls back automatically. This is much simpler than manual traffic splitting.

skaffold-cloudrun.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
apiVersion: skaffold/v4beta6
kind: Config
deploy:
  cloudrun:
    projectid: my-project
    region: us-central1
manifests:
  rawYaml:
    - service.yaml
profiles:
  - name: prod
    manifests:
      rawYaml:
        - service-prod.yaml
Output
Skaffold configuration for Cloud Run deployment.
🔥Cloud Run as Target
Cloud Run is now a first-class target in Cloud Deploy. Use Skaffold's Cloud Run deployer for serverless deployments with canary support and automatic rollbacks.
📊 Production Insight
We migrated from manual Cloud Run traffic splitting to Cloud Deploy's canary strategy. The deployment process went from 15 minutes of manual clicking to a single automated command. Rollbacks that took 5 minutes are now instant.
🎯 Key Takeaway
Cloud Deploy supports Cloud Run targets via Skaffold's Cloud Run deployer, enabling canary rollouts for serverless apps.
Automated vs Manual Rollback in Cloud Deploy Trade-offs between speed and control during failures Automated Rollback Manual Rollback Trigger Health check failure or deployment error Operator decision or incident review Speed Seconds to minutes (fully automated) Minutes to hours (requires human interve Risk of Over-Rollback May revert transient issues unnecessaril Controlled, but can be delayed Audit Trail Automatic log in Cloud Deploy release hi Requires manual documentation Use Case High-risk deployments, critical services Low-risk changes, canary analysis needed THECODEFORGE.IO
thecodeforge.io
Gcp Cloud Deploy

Troubleshooting Common Failures

Common failures in Cloud Deploy include: permission errors (the Cloud Deploy service account lacks permissions to deploy to the cluster), Skaffold rendering errors (e.g., invalid YAML), and verification timeouts. The first step is to check the rollout logs in Cloud Logging. For Skaffold errors, run skaffold render locally with the same profile. For permission issues, ensure the Cloud Deploy service account has the 'container.developer' role on the cluster. Another common issue is that the release source does not include the skaffold.yaml file—Cloud Deploy requires it at the root of the source directory.

debug-rollout.shBASH
1
2
3
4
5
6
7
8
# Get rollout details
gcloud deploy rollouts describe rollout-abc \
  --delivery-pipeline=my-app-pipeline \
  --release=my-release-001 \
  --region=us-central1

# Check logs
kubectl logs -n my-namespace deployment/my-app --tail=50
Output
Rollout details show state 'FAILED' with error: 'Permission denied on cluster'.
🔥Service Account Permissions
The Cloud Deploy service account needs roles: 'container.developer' on the GKE cluster, and 'clouddeploy.operator' on the project.
📊 Production Insight
We spent hours debugging a rollout failure that turned out to be a missing 'skaffold.yaml' in the release source. Always verify the source directory structure before creating a release.
🎯 Key Takeaway
Most failures are due to permissions or Skaffold config errors; check logs first.
⚙ Quick Reference
14 commands from this guide
FileCommand / CodePurpose
delivery-pipeline.yamlapiVersion: deploy.cloud.google.com/v1The Anatomy of a Delivery Pipeline
skaffold.yamlapiVersion: skaffold/v4beta6Skaffold as the Deploy Engine
create-release.shgcloud deploy releases create my-release-001 \Creating a Release and Promoting
target-with-verify.yamlapiVersion: deploy.cloud.google.com/v1Automated Rollbacks on Failure
manual-rollback.shgcloud deploy rollouts create rollback-001 \Manual Rollbacks and Rollforward
canary-pipeline.yamlserialPipeline:Canary Deployments with Cloud Deploy
cloudbuild.yamlsteps:Integrating with Cloud Build for CI
kustomization.yamlapiVersion: kustomize.config.k8s.io/v1beta1Handling Multi-Environment Configurations
list-rollouts.shgcloud deploy rollouts list \Monitoring and Auditing Deployments
skaffold-custom-deploy.yamldeploy:Advanced
canary-strategy.yamlapiVersion: deploy.cloud.google.com/v1Canary Deployment Strategy
parallel-deploy.yamlapiVersion: deploy.cloud.google.com/v1Parallel Deployment
skaffold-cloudrun.yamlapiVersion: skaffold/v4beta6Cloud Run Deployer with Skaffold
debug-rollout.shgcloud deploy rollouts describe rollout-abc \Troubleshooting Common Failures

Key takeaways

1
Delivery Pipelines Define the Path
Cloud Deploy pipelines map out promotion stages (dev, staging, prod) with optional approval gates and verification steps.
2
Skaffold is the Deploy Engine
Skaffold renders manifests and applies them; profiles allow environment-specific customization without duplicating pipeline logic.
3
Automatic Rollbacks Require Strong Verification
Rollbacks only trigger on verification failure; design verification to catch real production issues, not just health checks.
4
Manual Rollbacks are Safe and Auditable
Rolling back creates a new rollout from an old release, preserving history and allowing multiple rollbacks.

Common mistakes to avoid

3 patterns
×

Ignoring gcp cloud deploy best practices

Symptom
Production incidents and unexpected behavior
Fix
Follow GCP documentation and implement proper monitoring and testing
×

Over-provisioning without rightsizing analysis

Symptom
Wasted cloud spend and poor resource utilization
Fix
Use committed use discounts and rightsize based on actual usage metrics
×

Skipping IAM least-privilege principles

Symptom
Security vulnerabilities and compliance violations
Fix
Implement custom roles with minimum required permissions and use conditions
INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01JUNIOR
What is Cloud Deploy: Delivery Pipelines, Rollbacks, and Skaffold Integr...
Q02SENIOR
How do you configure Cloud Deploy: Delivery Pipelines, Rollbacks, and Sk...
Q03SENIOR
What are the cost optimization strategies for Cloud Deploy: Delivery Pip...
Q01 of 03JUNIOR

What is Cloud Deploy: Delivery Pipelines, Rollbacks, and Skaffold Integration and when would you use it in production?

ANSWER
Cloud Deploy: Delivery Pipelines, Rollbacks, and Skaffold Integration is a Google Cloud service for managing infrastructure efficiently. It's ideal for organizations needing scalable, reliable cloud solutions. Use it when you need automated management and consistent performance across your GCP projects.
FAQ · 6 QUESTIONS

Frequently Asked Questions

01
What is the difference between Cloud Deploy and Cloud Build?
02
Can I use Cloud Deploy without Skaffold?
03
How do I roll back to a specific release?
04
Does Cloud Deploy support canary deployments?
05
What happens if a verification step fails?
06
How do I handle secrets in Cloud Deploy?
N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.

Follow
Verified
production tested
July 12, 2026
last updated
2,073
articles · all by Naren
🔥

That's Google Cloud. Mark it forged?

6 min read · try the examples if you haven't

Previous
Artifact Registry
45 / 55 · Google Cloud
Next
Cloud Source Repositories