Skip to main content
GitHub Actions
CHAPTER 12

GitHub Actions for Kubernetes and Cloud

Updated: May 15, 2026
25 min read

# CHAPTER 12

GitHub Actions for Kubernetes and Cloud

1. Introduction

In Chapter 8, we deployed applications to a single server using simple SSH commands. While sufficient for small projects, enterprise applications run on massive, dynamically scaling cloud architectures—specifically Kubernetes (K8s) clusters or managed cloud services like AWS Elastic Container Service (ECS). In this environment, you don't SSH into a server; you send API commands to a cloud provider. In this chapter, we will explore how GitHub Actions acts as the orchestrator for cloud-native deployments across major providers like AWS, Azure, and Google Cloud.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Understand the difference between Server (SSH) deployments and Cluster (API) deployments.
  • Authenticate GitHub Actions securely with a cloud provider (AWS/GCP/Azure).
  • Utilize the kubectl tool within a workflow to update Kubernetes deployments.
  • Understand the GitOps philosophy in relation to Kubernetes.

3. Beginner-Friendly Explanation

Imagine managing a fleet of delivery trucks.
  • Server Deployment (SSH): You personally walk up to truck #5, open the hood, and change the oil. You have to know exactly which truck you are fixing.
  • Cloud/Kubernetes Deployment (API): You sit in a control tower. You type a command into a computer: "I need 50 trucks on the road immediately running the new Version 2 engine." You don't know *which* specific trucks they are, and you don't care. The automated factory (Kubernetes) instantly builds them and puts them on the road.

GitHub Actions is the person sitting in the control tower sending the master commands to the factory.

4. Cloud Authentication (OIDC)

To command AWS to launch a container, GitHub must prove it is allowed to do so. Historically, developers created a long-lived API password in AWS and pasted it into GitHub Secrets. This is a massive security risk. The modern standard is OIDC (OpenID Connect). Instead of a password, AWS and GitHub establish a "trust relationship." GitHub says, "I am workflow X in repository Y." AWS checks the trust policy and temporarily grants permission for 15 minutes. There are no passwords to steal!
yaml
1234567 
# Example: Secure AWS Authentication without passwords
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::1234567890:role/GitHubDeploymentRole
          aws-region: us-east-1

5. Deploying to Kubernetes

Once the new Docker image is pushed to the registry (Chapter 11), GitHub Actions must tell the Kubernetes cluster to start using it.

This is done using kubectl, the command-line tool for Kubernetes. The core command is a "Rolling Update": kubectl set image deployment/my-webapp webapp=myusername/my-webapp:v42

This tells Kubernetes: "Find the deployment named my-webapp. Take the old containers offline one-by-one, and replace them with the new v42 image."

6. Mini Project: Deploy App to a Cloud Platform Concept

Let's look at the deployment stage of a professional Kubernetes pipeline.

Step-by-Step Pipeline Concept:

yaml
123456789101112131415161718192021222324252627282930313233343536373839404142 
name: Deploy to Kubernetes
on:
  push:
    branches: [ main ]

# Required to use OIDC authentication securely
permissions:
  id-token: write 
  contents: read

jobs:
  deploy-to-k8s:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      # Step 1: Authenticate with the Cloud Provider securely via OIDC
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: 'projects/123/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
          service_account: 'my-deployer-sa@my-project.iam.gserviceaccount.com'

      # Step 2: Get the Kubernetes credentials
      - name: Get GKE credentials
        uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: 'production-cluster'
          location: 'us-central1'

      # Step 3: Tell Kubernetes to update the live application!
      - name: Deploy to Kubernetes
        run: |
          # Apply any infrastructure YAML changes
          kubectl apply -f ./k8s/deployment.yaml
          
          # Force the rolling update to the new Docker image hash
          kubectl set image deployment/frontend-app frontend=myregistry/frontend:${{ github.sha }}
          
          # Wait for the deployment to finish successfully
          kubectl rollout status deployment/frontend-app

7. Real-World Scenarios

A startup was deploying microservices manually. An engineer would build a Docker image, open the AWS console, click "Edit Task Definition," paste the new image name, and click save. As they grew to 20 microservices, this took hours and resulted in copy-paste errors that brought down services. They implemented GitHub Actions. They configured OIDC trust with AWS and wrote workflows that utilized the aws-actions/amazon-ecs-deploy-task-definition action. Deployments became a single-click merge process, reducing deployment time from 2 hours to 4 minutes and entirely eliminating human error.

8. Best Practices

  • Wait for Rollout: In Step 3 above, notice the command kubectl rollout status. This is crucial! If you just run kubectl set image, the GitHub Action instantly turns green and finishes. But Kubernetes might take 5 minutes to actually start the containers. If the containers crash, GitHub won't know. By adding rollout status, GitHub waits for Kubernetes to confirm the containers are healthy before marking the workflow as successful.

9. Security Recommendations

  • Least Privilege Roles: The IAM Role that GitHub assumes (e.g., GitHubDeploymentRole) must have the absolute minimum permissions required. It should only be allowed to update the specific Kubernetes namespace or AWS ECS service it is responsible for. It should NEVER have full AdministratorAccess to the cloud account.

10. Troubleshooting Tips

  • OIDC Configuration: If the authentication step fails with Not authorized to perform AssumeRoleWithWebIdentity, the error is almost never in the YAML file. The error is in the cloud provider's IAM console. You must verify that the "Trust Policy" exactly matches your GitHub Organization and Repository name.

11. Exercises

  1. 1. Explain why OIDC (OpenID Connect) authentication is vastly superior to storing long-lived AWS Access Keys in GitHub Secrets.
  1. 2. What is the operational purpose of the kubectl rollout status command at the end of a CI/CD pipeline?

12. FAQs

Q: Is "GitOps" the same thing as using GitHub Actions? A: Not quite. What we described here is "Push-based" deployment (GitHub *pushes* the command to Kubernetes). "GitOps" usually refers to "Pull-based" deployment, where an agent inside Kubernetes (like ArgoCD) constantly watches the GitHub repository and pulls changes automatically, removing the need for kubectl in the Action entirely.

13. Interview Questions

  • Q: Describe the architectural flow of securely authenticating a GitHub Actions workflow with an AWS account using OIDC. What permissions must be declared in the YAML file?
  • Q: You are tasked with migrating a monolithic SSH-based deployment workflow to a cloud-native Kubernetes deployment workflow. Contrast the actions taken by the CI/CD pipeline in these two distinct environments.

14. Summary

In Chapter 12, we mastered the final frontier of modern deployments: Cloud-Native orchestration. We abandoned brittle SSH scripts in favor of robust, API-driven interactions with Kubernetes clusters. We elevated our security posture by implementing passwordless OIDC authentication, establishing cryptographically secure trust bridges between GitHub and major cloud providers. Finally, we learned the precise kubectl commands required to trigger rolling updates, ensuring zero-downtime deployments for enterprise applications at scale.

15. Next Chapter Recommendation

Our pipelines are powerful, but as our test suites grow, they are starting to execute slowly. How can we speed them up? Proceed to Chapter 13: Matrix Builds and Parallel Jobs.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Docker Integration with GitHub Actions
Next Chapter Matrix Builds and Parallel Jobs

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5

🧪 Related Labs 1