All Products
Search

This Product

    Container Service for Kubernetes:Best Practices Overview

    Document Center

    Container Service for Kubernetes:Best Practices Overview

    Last Updated:Mar 26, 2026

    ACK One GitOps, powered by hosted Argo CD, lets you build a complete CI/CD pipeline where every code commit automatically flows through image building, multi-cluster deployment, canary release, and rollback — all driven by Git as the single source of truth.

    This topic walks through an eight-step workflow that connects Container Registry with ACK One GitOps to deliver applications to Dev, Staging, and Production clusters.

    How it works

    The pipeline separates responsibilities between two roles:

    • Dev team — commits code, monitors Dev deployments, and approves promotion to Staging and Production.

    • Operations and maintenance (O&M) team — configures the CI pipeline and filter rules, associates the pipeline with Container Registry Enterprise Edition, and triggers canary releases to Staging and Production.

    image

    The pipeline runs as follows:

    1. The O&M team prepares a business code repository and a deployment repository, then enables ACK One GitOps and configures the CI pipeline.

    2. The dev team commits code to the business code repository.

    3. Container Registry Enterprise Edition builds and pushes a new container image to the image repository.

    4. The ACK One GitOps image updater detects the new image tag and writes it back to the deployment repository.

    5. Argo CD detects the YAML change in the deployment repository and deploys the new image to the Dev cluster automatically. If the Staging cluster is configured with auto application synchronization, ACK One GitOps automatically updates the image version.

    6. The dev team verifies the application in Dev.

    7. The O&M team promotes the release to Staging and Production using Argo Rollouts or Kruise Rollout for canary releases.

    How each environment handles image updates:

    Dev Staging and Production
    Sync mode Automatic Manual trigger required
    Rollout strategy Direct deploy Canary release via Argo Rollouts or Kruise Rollout
    Who triggers Image updater (automatic) O&M team
    Important

    Rolling updates in Staging and Production clusters across regions require additional steps. Committing code changes alone does not deploy the updated image to these clusters.

    Key concepts

    GitOps

    GitOps uses a Git repository as the single source of truth for application deployment. Argo CD continuously monitors the Git repository and synchronizes the cluster state to match the declared configuration.

    image

    GitOps brings four key advantages to Kubernetes deployments:

    • Ease of learning — Git is easy to learn and integrate.

    • Version control and auditing — every deployment change is a Git commit with a full audit trail and one-click rollback.

    • Security — developers need only Git repository permissions, not direct Kubernetes cluster access.

    • Continuous deployment — Argo CD reconciles the cluster state against Git automatically, eliminating manual kubectl apply steps.

    ACK One GitOps

    ACK One Fleet implements GitOps-based continuous delivery with hosted open source Argo CD. The hosted model removes Argo CD installation and upgrade overhead.

    image

    ACK One GitOps provides:

    • A hosted Argo CD console and CLI, accessible directly with your Alibaba Cloud account — no extra configuration needed.

    • Integrated single sign-on (SSO) and multi-user permission management via the Argo CD console.

    • Automatic Argo CD enablement for all clusters associated with ACK One Fleet instances.

    • ApplicationSet support for multi-cluster application distribution.

    Argo CD is an open source Cloud Native Computing Foundation (CNCF) project. For more information about Argo CD, see What is Argo CD?

    Step 1: View the deployment repository structure

    Before setting up the pipeline, review the reference deployment repository structure. For details, see Introduction to sample applications deployed based on ACK One GitOps.

    Step 2: Enable and log on to ACK One GitOps

    Enable and log on to GitOps through the ACK One console or the CLI.

    Use the console

    1. Log on to the ACK One console. In the left-side navigation pane, choose Fleet > Multi-cluster GitOps.

    2. On the Multi-cluster GitOps page, click Dingtalk_20231226104633.jpg next to the Fleet instance name and select a Fleet instance.

    3. GitOps is enabled by default for new Fleet instances. If GitOps is disabled, click Enable GitOps, then click OK in the confirmation dialog. When GitOps is enabled, the GitOps page shows GitOps Console and Access Control.

    4. Click GitOps Console.

    To access GitOps over the internet, enable public access first. For details, see Enable public access to GitOps.

    Use the CLI

    For CLI instructions, see the Enable public access to the GitOps console section in "Work with GitOps" and Log on to the GitOps system.

    Step 3: Build an image CI pipeline

    Choose the method that matches your infrastructure.

    Method 1: Use Container Registry

    Create an image repository with Container Registry Enterprise Edition, bind it to your business code repository, and configure build rules. For details, see Use a Container Registry Enterprise Edition instance to build an image.

    To pull images without Kubernetes Secrets, either turn on Pull from Anonymous Users on the Container Registry Enterprise Edition overview page, or deploy the aliyun-acr-credential-helper component. For details, see Use the aliyun-acr-credential-helper component to pull images without using a secret.

    If your business code repository is a Git repository and image pulling times out, enable Build With Servers Deployed Outside Chinese Mainland.

    Method 2: Use an ACK One workflow cluster

    For details, see Use an ACK One workflow cluster to build an image CI pipeline.

    Step 4: Deploy an application with ACK One GitOps

    After enabling GitOps, deploy and manage applications through the Argo CD console or CLI. Use ApplicationSets to roll out the same application across multiple clusters in a single operation.

    For details, see Use ACK One GitOps to deploy applications.

    Step 5: Automate continuous delivery with the image updater

    The image updater closes the loop between your CI pipeline and the deployment repository:

    1. The CI pipeline builds and pushes a new image to Container Registry Enterprise Edition.

    2. The image updater detects the new tag that matches the configured filter rules.

    3. The image updater writes the new tag back to the deployment repository.

    4. Argo CD detects the YAML change and runs a Sync operation to deploy the updated image.

    This lets you trigger a full end-to-end deployment — from code commit to running container — without manually editing the deployment repository.

    If you prefer to update the deployment repository directly (for example, by editing the YAML image tag yourself), Argo CD monitors that change and deploys it without requiring the image updater.

    For details, see Use ACK One GitOps and Container Registry to build CI/CD pipelines.

    Step 6: Perform canary releases to Staging and Production

    Staging and Production require a manual trigger and a canary release strategy — not a direct image swap. This guards against deploying a broken image to production-scale traffic.

    For details, see Use ACK One GitOps and Argo Rollouts to perform canary releases and Use Kruise Rollout to implement canary releases based on ACK One GitOps.

    Step 7: Roll back an application

    When a release causes an incident, roll back using one of the following methods.

    Quick rollback via the Argo CD console

    On the Applications page of the Argo CD console, click HISTORY AND ROLLBACK, select the target version, and click ROLLBACK.

    For details, see the Roll back to an application version section in "Use ACK One GitOps to deploy applications".

    Quick rollback via the CLI

    For CLI rollback instructions, see the Use the Argo CD CLI section in "Application management".

    End-to-end rollback via Git revert

    If the incident requires reverting both the running image and the source code history, revert the commit and push the change to trigger the full CI/CD pipeline:

    # Revert the most recent commit
git revert HEAD

# To revert a range of commits:
# git revert HEAD~3..HEAD

# To revert specific non-consecutive commits:
# git revert <commit-id-1> <commit-id-2> ... <commit-id-n>

# Push to trigger the CI/CD pipeline
git push origin HEAD:${branch}

    The image updater picks up the new image built from the reverted code and writes the updated tag to the deployment repository. Argo CD then deploys it.

    Step 8: Manage user permissions

    Argo CD's permission model lets you grant or restrict access to specific resources — applications, clusters, and repositories — at the project level. Use the following policy template:

    p, <user/group>, <resource>, <action>, <project>/<object>

    Supported actions: create, update, delete, get.

    For details, see Configure multi-tenant permissions for ACK One GitOps.

    What's next

    After completing this pipeline setup, explore these related topics: