NORMA eResearch @NCI Library

A Security-Centric Analysis of Declarative & Imperative Deployment Approaches in Kubernetes-Based Application Environments

Kagganti Nataraja, Prajwal (2025) A Security-Centric Analysis of Declarative & Imperative Deployment Approaches in Kubernetes-Based Application Environments. Masters thesis, Dublin, National College of Ireland.

Abstract

This study empirically compares declarative (GitOps via Argo CD) and imperative (CI/CD via Jenkins/kubectl) Kubernetes deployment approaches on a controlled single-node Minikube cluster running a Flask microservice. Three security-centric parameters are evaluated: Policy Compliance Rate (Kubescape against CIS/NSA controls), Vulnerability Exposure (Trivy CVE severity counts), and Drift Correction Success Rate (response to simulated unauthorised changes). Across all metrics, the declarative approach performed better: Kubescape measured 87% compliance for the declarative deployment (13/15 controls) versus an estimated <50% for the imperative path lacking non-root execution and resource limits; under drift experiments, declarative achieved 100% automatic reconciliation for the introduced change while the imperative path provided 0%; Trivy scanning of the imperative image surfaced 14 vulnerabilities (4 Critical, 6 High), whereas the declarative workflow reduced exposure through least-privilege and policy-as-code with pre-deployment scanning gates. These findings suggest adopting a declarative GitOps model as the default for production and compliance-sensitive workloads, reserving imperative workflows for rapid local development, debugging, and short-lived fixes.

Item Type: Thesis (Masters)
Supervisors: Emani, Sai (Email: UNSPECIFIED)
Uncontrolled Keywords: Kubernetes security; declarative methods; GitOps; policy compliance; drift management; vulnerability scanning
Subjects: T Technology > T Technology (General) > Information Technology > Cloud computing
Q Science > QA Mathematics > Computer software > Computer Security
T Technology > T Technology (General) > Information Technology > Computer software > Computer Security
Divisions: School of Computing > Master of Science in Cloud Computing
Depositing User: Ciara O'Brien
Date Deposited: 26 Mar 2026 13:10
Last Modified: 26 Mar 2026 13:10
URI: https://norma.ncirl.ie/id/eprint/9222
