Share this post
In Kubernetes environments, GitOps typically means using Git as the source of truth for deployment configuration and relying on automation to apply and maintain that state in clusters. GitOps tools differ primarily in how desired state is represented, when it is enforced, and where enforcement logic runs.
Part 1 of this series examined the architectural differences between Argo CD and Portainer GitOps, focusing on continuous in-cluster reconciliation versus deployment-time enforcement.
This Part 2 extends that comparison by introducing Flux CD, and examining how its cluster-native GitOps model compares to Portainer GitOps at the implementation level. The focus remains on reconciliation behavior, deployment and coordination models, and the resulting operational impact.
How Flux CD implements and deploys GitOps
Flux CD is a Kubernetes-native GitOps toolkit implemented as a set of Kubernetes controllers that continuously reconcile cluster resources against Git-defined desired state. These controllers may run per cluster, or centrally in a hub cluster when using hub and spoke deployments.
Like Argo CD, Flux compares declared resource definitions in Git with live cluster state and applies changes to bring the system back into alignment. This applies both to changes introduced through Git and to manual changes made directly in the cluster.
Where Flux differs is not in the reconciliation mechanism, but in how authority is expressed.
In Flux, reconciliation is always performed by Kubernetes controllers acting on declarative Git-defined state. Controllers may be distributed per cluster or centralized in a hub, but Flux does not introduce a persistent operational control plane, environment inventory, or imperative management layer outside Git and Kubernetes resources. Authentication, targeting, and coordination are still expressed through Kubernetes primitives and Git configuration rather than a centralized runtime authority.
Because reconciliation is continuous, Git remains authoritative at all times. Configuration drift is detected and corrected automatically by reconciliation loops, regardless of whether those loops are running inside each cluster or centrally as part of a hub and spoke deployment.
Deployment and coordination model
Flux supports two common deployment patterns, and the difference matters.
In the default per cluster model, each Kubernetes cluster runs its own Flux controllers, authenticates to Git, and continuously reconciles its own desired state. This is the pattern most people mean when they say Flux is cluster native, it keeps enforcement authority inside the cluster boundary.
Flux can also be deployed in a hub and spoke model. In this pattern, Flux controllers run centrally in a hub cluster and reconcile workloads into multiple spoke clusters by connecting to their Kubernetes APIs using kubeconfigs stored in the hub. Coordination can be scaled further using Flux Operator constructs such as ResourceSets, which generate per cluster Kustomizations and HelmReleases from shared definitions targeting multiple clusters.
Across both patterns, the defining characteristic remains unchanged. Flux is still a continuous reconciliation system where desired state is expressed declaratively in Git and enforced by Kubernetes controllers. Centralizing where the controllers run does not turn Flux into an operational control plane, it centralizes reconciliation execution while keeping the operating model Git first and controller driven.
How Portainer GitOps implements and deploys GitOps
Portainer implements GitOps by treating Git as the authoritative source for application deployment state and enforcing that state during deployment events.
Git change detection runs centrally within the Portainer management plane on an administrator-defined schedule. Managed clusters do not poll Git repositories and do not participate in change detection.
When a deployment or update event occurs, Portainer retrieves resource definitions from Git and applies them to the target environment through the Kubernetes API. Any divergence from Git-defined state present at that moment is overwritten as part of the deployment process. Between deployment events, Portainer does not observe or reconcile live cluster state.
Portainer GitOps does not require GitOps controllers to run inside managed clusters. GitOps functionality is provided as part of the existing Portainer deployment, and enabling GitOps does not increase the runtime footprint of managed clusters.
This model centralizes reconciliation logic and minimizes background activity within clusters.
Reconciliation behavior and load placement
Flux CD continuously reconciles live cluster state against Git. Controllers perform ongoing comparison and correction regardless of whether new Git changes occur. This provides immediate drift detection and enforcement, at the cost of constant reconciliation activity within every cluster.
Portainer GitOps reconciles application state only during deployment and update events. Git repositories are monitored centrally, and clusters incur no reconciliation overhead unless an update is applied. Enforcement is deterministic at deployment time rather than continuous.
The distinction is not whether Git can overwrite drift. Both tools can. The distinction is when enforcement happens and where the reconciliation work runs.
Security and operational impact
Flux treats Git as the primary source of operational authority, with reconciliation performed by Kubernetes controllers acting on declarative state. Depending on deployment model, Git credentials and reconciliation logic may reside per cluster or centrally in a hub, but enforcement remains expressed through Kubernetes-native resources rather than a persistent runtime control plane. Operational consistency across clusters is achieved through Git repository structure, conventions, and automation, not through centralized operational governance.
Portainer centralizes Git access, change detection, and enforcement logic. Managed clusters do not require Git credentials and are engaged only when updates are applied. This reduces cluster exposure and background activity, trading continuous enforcement for predictable, event-driven operations.
When to choose Argo CD, Flux CD, or Portainer
At a high level, the architectural differences between the three approaches can be summarized by where reconciliation runs and when enforcement occurs.
Argo CD enforces desired state through continuous reconciliation loops running inside Kubernetes. Reconciliation logic operates continuously regardless of deployment activity, with cluster state observed and corrected in real time.
Flux CD also enforces desired state through continuous reconciliation loops, but does so using Kubernetes-native controllers driven entirely by declarative Git state. Reconciliation may run per cluster or centrally via hub-and-spoke deployments, but Flux does not introduce a persistent operational control plane. Coordination across clusters is achieved through Git structure, Kubernetes resources, and automation rather than centralized runtime governance.
Portainer GitOps enforces desired state deterministically during deployment events. Git change detection and reconciliation logic run centrally in the Portainer management plane, and clusters are involved only when updates are applied. Between deployments, cluster state is not continuously observed or corrected.
All three tools can overwrite configuration drift. The defining differences are when enforcement happens, where reconciliation work runs, and how much operational authority is centralized versus distributed.
Those differences define the architectural trade-offs between Argo CD, Flux CD, and Portainer GitOps.
.png)
.png)
.png)