Kustomize in GitOps & securing it
Argo/Flux, build, scan, deploy.
Kustomize is a natural fit for GitOps: overlays are plain YAML in Git, and Argo CD and Flux both build kustomizations natively — point the GitOps controller at an overlay directory and it renders and applies it, keeping the cluster synced to Git. You rarely run kubectl apply -k by hand in this model; Git is the source of truth and the controller reconciles. The security work is to make the build reviewable and the deploy least-privilege.
render-scan:script:- kustomize build overlays/prod > out.yaml # pinned standalone kustomize- kubeconform -strict out.yaml # schema validity- checkov -f out.yaml --framework kubernetes # security posture- trivy config out.yaml # misconfig scan# gate the merge on the assembled result, before the GitOps controller applies it
Securing the pipeline
The controls mirror every IaC pipeline. Render the overlay and scan the assembled manifests in CI before merge — a patch can quietly drop a securityContext or a remote base can add a privileged pod, and only the built output reveals it. Let the GitOps controller hold cluster credentials with scoped RBAC (not cluster-admin), pin remote bases and helmCharts to immutable refs, and keep secrets out of the repo with SOPS or an external secrets operator.