A Pre-Built CNCF Pipeline: From Git to Running on Kubernetes

Nov 21, 2025

Prasoon Pushkar

Prasoon Pushkar is a Senior Product Marketing Specialist at Akamai.

Kubernetes makes running containers at scale possible, but it doesn’t make it simple.

Shipping an app is rarely about kubectl apply. Before your code ever touches the cluster, you’re building images, scanning for vulnerabilities, wiring up configs, enforcing policies, stitching together CI/CD, and plugging in logs, metrics, and traces. Every step requires picking a tool, integrating it, and keeping that integration healthy as everything changes around it.

It’s doable — but tedious. And it pulls your focus away from what you actually came here to do: ship reliable software without fighting the platform.

App Platform for LKE removes this overhead with a pre-engineered, fully integrated pipeline built entirely on open source Cloud Native Computing Foundation (CNCF) tools. From the moment your code lands in Git to the moment it’s running in production — with policy, security, and observability baked in — every step is automated, connected, and ready out of the box. 

In this blog post, we’ll break down how App Platform works under the hood and how it streamlines the path from commit to production.

App Platform automates

App Platform for LKE streamlines the full application lifecycle from source to production by automatically building, securing, deploying, and monitoring your containerized applications and services. With integrated pipelines, policies, and observability built in, platform and DevOps teams gain a consistent, compliant workflow for getting applications into production without managing complex tooling.

To show just how much complexity App Platform eliminates, let’s walk through the 10 steps it automates from end to end via its built-in integrations.

The 10 steps fall into three categories:

  • Code

  • From code to production

  • Application release — exposure and observability

Code

Step 1: Watch for Git events

App Platform connects directly to your Git repository and continuously monitors commits and pull requests (currently, Git commits from a given branch). When you push code, the platform detects the event and triggers the pipeline automatically, with no webhook configuration or manual CI setup required.

From code to production

This is where a pre-configured toolchain delivers the most value. In a do-it-yourself platform, connecting these tools takes weeks of integration work. Here, they work together out of the box.

Step 2: Scan source code with Grype

Grype, a vulnerability scanner for container images and filesystems, identifies known risks across libraries, packages, and frameworks. 

Grype is pre-configured in App Platform to check against CVE databases and security advisories, and surfaces issues early in the workflow. It gives developers faster feedback and reduces the cost of fixing vulnerabilities before they reach the build stage.

Step 3: Build image

Once source code passes security validation, the platform automatically builds your container image using standard Dockerfiles or Buildpacks. The build environment is optimized with: 

  • Layer caching for faster iterations 

  • Multistage build support to produce smaller, more efficient images

  • Built-in resource limits to prevent runaway builds 

This ensures consistent, repeatable image creation without extra configuration or pipeline maintenance.

Step 4: Store and scan image with Harbor and Trivy

Your newly built image lands in its dedicated private container registry delivered by Harbor, an enterprise-grade container registry pre-configured with role-based access control, image signing, and retention policies. The moment an image arrives, Trivy performs a deep security scan of the complete container: base layers, OS packages, application dependencies, and configuration files.

App Platform has Trivy configured to scan continuously, not just on initial upload. As new vulnerabilities are disclosed, Trivy rescans existing images for any newly discovered issues, catching emerging threats without manual scanning schedules.

Step 5: Create config through App Catalog — Golden Path Templates

App Platform uses pre-engineered configuration templates based on Kubernetes best practices. These templates eliminate hours of YAML writing while remaining customizable when you need specific configuration.

Step 6: Check security policies with Kyverno

Before any deployment reaches your cluster, pre-configured Kyverno policies are applied in either enforce or audit mode. In enforce mode, a manifest that violates a policy is prevented from being deployed.

These rules can be customized to match organizational requirements or add frameworks, but the integration itself is already done.
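
The enforce/audit distinction from Step 6, shown as two Kyverno policies. This is an added example, not App Platform's shipped configuration; the registry hostname `harbor.example.internal` and the policy and rule names are placeholders, and it uses Kyverno's `spec.validationFailureAction` field.

```yaml
# Added example: hostname and names are placeholders, not App Platform defaults.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: Enforce   # violating Pods are rejected at admission
  background: true                   # also report on resources that already exist
  rules:
    - name: only-platform-registry
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Images must be pulled from harbor.example.internal."
        pattern:
          spec:
            =(initContainers):       # checked only when initContainers are present
              - image: "harbor.example.internal/*"
            containers:
              - image: "harbor.example.internal/*"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Audit     # violations are reported, deployment proceeds
  background: true
  rules:
    - name: require-pinned-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Use a fixed image tag instead of :latest."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
```

Starting a new rule in Audit and switching it to Enforce once the policy reports are clean avoids blocking workloads that are already running.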

Step 7: Deploy with Argo CD

Argo CD manages deployment to your Kubernetes cluster using GitOps principles. Your validated manifests in Git become the source of truth, and Argo CD synchronizes your cluster state automatically. 

App Platform has Argo CD pre-configured with automatic synchronization on Git changes, self-healing when cluster state changes, and automatic rollback on failed deployments. 

Step 8: Runtime scanning with Trivy

After deployment, Trivy performs runtime scanning of live containers, checking for vulnerabilities that emerge after deployment and configuration changes that introduce risks. This runtime scanning runs continuously in the background without impacting application performance.

Application release — exposure and observability

Step 9: Expose services with NGINX and Istio

App Platform uses pre-configured NGINX Ingress Controller and Istio service mesh to handle traffic routing and secure connectivity. NGINX provides external ingress with automatic TLS certificate management, rate limiting, and traffic routing rules. 

Istio handles service-to-service communication within the cluster, pre-configured with mutual TLS for secure communication, traffic management for canary deployments, and distributed tracing for debugging microservices.

Step 10: Monitor service availability with Prometheus

Prometheus provides observability, pre-configured to scrape metrics from your applications, Kubernetes infrastructure, and platform tools. You get immediate visibility into application performance, resource utilization, error rates, and latency. 

The integration includes pre-built dashboards, alerting rules for critical issues, and connections to Grafana for visualization.

Open source, no lock-in

Every tool in this pipeline — Grype, Harbor, Trivy, Kyverno, Argo CD, NGINX, Istio, and Prometheus — comes directly from the CNCF ecosystem. These aren't proprietary implementations or vendor forks, but the actual open source projects configured and integrated. 

App Platform does all the integration and automation work, as well as the ongoing maintenance of the tools, so you can focus on your application.

Your deployment artifacts remain portable. Kubernetes manifests work on any cluster. Container images in Harbor can move to any Open Container Initiative (OCI)–compliant registry. Kyverno policies are in standard YAML that works anywhere Kyverno runs. 

App Platform adds value through pre-configuration and integration, not through proprietary extensions that create lock-in.

Why the pre-engineering of tools is important 

The difference between using App Platform and assembling tools yourself is the accumulated knowledge embedded in the configuration. Each tool has dozens of configuration options. Getting each one right individually is hard; getting them to work together reliably is harder still.

App Platform encodes best practices from production Kubernetes deployments: how Trivy integrates with Harbor, what Kyverno policies catch critical issues, how Argo CD handles rollbacks, what Prometheus metrics matter. 

This configuration represents months of refinement compressed into a platform that works correctly from day one.

From months to minutes

Building this pipeline yourself means evaluating tools, integrating them, debugging connection issues, and handling version compatibility. Platform teams typically spend 12 to 18 months reaching production-ready state, and then have to dedicate ongoing resources to maintenance and updates.

App Platform gives you this capability immediately. Security scanning happens automatically. Deployments flow through policy validation. Services are exposed with proper traffic management. Monitoring captures metrics without configuration. Instead of spending months on platform engineering, you're deploying applications on day one.

Lifecycle management

By managing the complex update cycles of the 30+ integrated Kubernetes projects, App Platform frees your engineering resources from maintenance tasks. It also supports sustainability by keeping your deployments continuously aligned with upstream open source updates. 

Instead of investing time and energy in manual upgrades, your teams benefit from an always current, fully maintained platform that reduces technical debt and ensures long-term stability.

Getting started

App Platform for LKE runs on standard LKE infrastructure with no additional licensing fees. You pay only for the Kubernetes resources you use.

Sign up to deploy your first application, or read the documentation to explore the architecture and learn how to customize the platform for your needs.
