The question
“How would you design a CI/CD pipeline that deploys to Kubernetes without storing any cluster credentials anywhere?”
The expected wrong answer: export your kubeconfig, base64-encode it, paste it into a CI secret named KUBE_CONFIG, and call it a day. This works. Most clusters that got hacked had this setup.
There are two correct answers in 2026, and which one you reach for depends on what you’re actually deploying.
Answer 1: GitOps (the one your interviewer probably wants)
In a GitOps setup, your CI pipeline never touches the cluster. It can’t leak credentials it doesn’t have.
The flow:
Developer pushes code
→ CI builds and tests
→ CI updates the image tag in the Git repo (a commit, not a kubectl command)
→ Argo CD detects the change
→ Argo CD applies it to the cluster
The cluster reaches out to Git. CI never reaches into the cluster. The only thing with cluster credentials is Argo CD itself — running inside the cluster, with no credentials to leak externally.
For self-hosted setups on Hetzner or Vultr, this is particularly clean because there’s no cloud IAM to configure. You point Argo CD at your GitLab repo, tell it which branch to watch, and you’re done.
# The Argo CD Application CRD — the only thing you need
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: myapp
namespace: argocd
spec:
source:
repoURL: https://gitlab.example.com/myorg/myapp
targetRevision: main
path: helm-charts/myapp
destination:
server: https://kubernetes.default.svc
namespace: myapp
syncPolicy:
automated:
prune: true
selfHeal: true
selfHeal: true means if someone manually kubectl applys something, Argo CD reverts it. The Git repo is the only source of truth.
The CI image-tag update step looks like this:
# .gitlab-ci.yml
deploy:
stage: deploy
script:
- |
# Update the image tag in values.yaml and push
sed -i "s/tag: .*/tag: ${CI_COMMIT_SHORT_SHA}/" values/myapp.yml
git config user.email "[email protected]"
git config user.name "CI"
git add values/myapp.yml
git commit -m "chore: bump myapp to ${CI_COMMIT_SHORT_SHA}"
git push
CI needs write access to the Git repo — but that’s a deploy key, not a cluster credential. If it leaks, someone can push code. You’d rotate the deploy key and audit the commits. If a cluster credential leaks, someone owns your cluster.
Answer 2: OIDC federation (for when you genuinely need push-based)
Some operations don’t fit the GitOps model. Infrastructure provisioning (terraform apply), one-off database migrations, or initial cluster bootstrapping — these need direct cluster access. The correct pattern here is OIDC federation.
The idea: your CI platform (GitLab, GitHub Actions) already issues JWT tokens to every job. These JWTs are signed by the CI platform and contain claims like which repo, which branch, which pipeline triggered the job. You configure your Kubernetes API server to trust those JWTs, and the CI job authenticates directly using the token it already has.
No stored credentials. Every job gets a fresh token. The token expires when the job ends.
For a self-hosted GitLab, configure your k8s API server to trust GitLab as an OIDC issuer:
# /etc/rancher/k3s/config.yaml (or kube-apiserver flags)
kube-apiserver-arg:
- "oidc-issuer-url=https://gitlab.example.com"
- "oidc-client-id=your_client_id"
- "oidc-username-claim=sub"
- "oidc-groups-claim=groups_direct"
Then create a ClusterRoleBinding that maps a specific GitLab identity to a Kubernetes role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-ci-deployer
subjects:
- kind: User
name: "project_path:myorg/myapp:ref_type:branch:ref:main"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: deploy-role
apiGroup: rbac.authorization.k8s.io
The subject name is the sub claim from the GitLab JWT — it encodes the repo path and branch. Only jobs running on main in myorg/myapp get this binding. A job on a feature branch gets nothing.
In the CI job:
deploy:
stage: deploy
id_tokens:
K8S_TOKEN:
aud: your_client_id
script:
- |
kubectl config set-credentials gitlab-ci \
--token="${K8S_TOKEN}"
kubectl config set-context deploy \
--cluster=mycluster \
--user=gitlab-ci
kubectl config use-context deploy
kubectl rollout restart deployment/myapp -n myapp
The token in K8S_TOKEN is injected by GitLab. It expires with the job. The API server validates the signature against GitLab’s JWKS endpoint on every request.
Which one to use
| GitOps | OIDC federation | |
|---|---|---|
| CI needs cluster access | No | Yes (short-lived token) |
| Audit trail | Git history | kube-apiserver audit log |
| Revocability | Revert the commit | Token expires with the job |
| Self-hosted setup effort | Low | Moderate (OIDC config) |
| Works for infra provisioning | Not really | Yes |
For application deployments: GitOps. The cluster reconciles continuously, drift is impossible, and CI is completely decoupled from cluster state.
For infrastructure provisioning or one-off operations: OIDC federation. Short-lived credentials, branch-scoped permissions, nothing to rotate.
What you should never do: store a kubeconfig or a long-lived ServiceAccount token in CI secrets. Not because it’s hard to make work — it’s easy — but because the blast radius of a leak is unbounded, there’s no audit trail, and there’s no expiry. Everything that goes wrong with static secrets goes wrong eventually.
This is part of a series on Kubernetes interview questions. Next: how to handle secrets in a GitOps repository.