Cloudythings Blog

Immutable Edge Platforms

Applying immutability, GitOps, and remote attestation to fleets of edge devices running Kubernetes, WASM, and microVM workloads.

April 08, 2025 at 09:57 AM EST · 12 min read
Tags: Edge Computing, Immutability, GitOps, Security, SRE

[Image: edge computing racks with microservers running immutable workloads. Photo: Taylor Vick / Unsplash]

Edge fleets—retail stores, manufacturing lines, telco POPs—used to require manual patching and bespoke tooling. Now they run Kubernetes (K3s, MicroK8s), WebAssembly, and microVM workloads. Immutability is the only sustainable way to keep them compliant and reliable. Drawing from case studies by Chick-fil-A, Verizon, and Cruise, we built an immutable edge platform pattern that pairs GitOps with remote attestation.

Golden images and declarative config

Each device boots from a signed image (Bottlerocket, Fedora CoreOS, or Ubuntu Core) built via Packer. Configuration lives in Git, managed through:

  • Ignition/Cloud-Init templates for OS settings.
  • Kubernetes manifests applied via Argo CD or Flux.
  • WebAssembly module registries for WASM workloads.

Edge devices pull updates over secure channels, verifying signatures before applying.
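The device-side check described above, as an added example that is not code from the original post or from any of the named projects: an edge agent verifies an Ed25519-signed update manifest, refuses version rollback, and confirms the downloaded image matches the signed digest before anything is written to disk. The manifest layout, field names and the anti-rollback rule are assumptions for illustration; the primitives are Go's standard library.

```go
package main

// Added example (not from the original post): verifying a signed update
// manifest on an edge device before applying it. Manifest format, key
// handling and the agent itself are assumptions; crypto is Go stdlib.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is the constructed document a device pulls from the update
// channel: which image to install, the digest it must have, and a signature.
type UpdateManifest struct {
	Image     string // image file name or OCI reference
	Digest    string // hex SHA-256 of the image bytes
	Version   int    // monotonic; used for the anti-rollback check
	Signature []byte // Ed25519 signature over canonical()
}

// canonical returns the exact bytes that are signed; it must be deterministic.
func (m UpdateManifest) canonical() []byte {
	return []byte(fmt.Sprintf("image=%s\ndigest=%s\nversion=%d\n", m.Image, m.Digest, m.Version))
}

// SignManifest is the build pipeline's step; the private key never reaches devices.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) UpdateManifest {
	m.Signature = ed25519.Sign(priv, m.canonical())
	return m
}

// VerifyUpdate is the device-side gate: trusted signature, no rollback below
// the installed version, and image bytes matching the signed digest.
// Any failure rejects the update before it touches a partition.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, installedVersion int, image []byte) error {
	if !ed25519.Verify(pub, m.canonical(), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installedVersion {
		return fmt.Errorf("rollback refused: manifest version %d <= installed %d", m.Version, installedVersion)
	}
	if DigestOf(image) != m.Digest {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}

// DigestOf returns the hex SHA-256 of b (used when building manifests).
func DigestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed image bytes v2") // constructed sample payload
	m := SignManifest(priv, UpdateManifest{Image: "edge-os.img", Digest: DigestOf(image), Version: 2})

	fmt.Println("valid update:    ", VerifyUpdate(pub, m, 1, image))
	// Image swapped in transit: signature is fine, digest check fails.
	fmt.Println("tampered image:  ", VerifyUpdate(pub, m, 1, []byte("not the image")))
	// Old manifest replayed: anti-rollback check fails.
	fmt.Println("rollback attempt:", VerifyUpdate(pub, m, 2, image))
	// Manifest edited after signing: signature check fails.
	altered := m
	altered.Image = "other.img"
	fmt.Println("altered manifest:", VerifyUpdate(pub, altered, 1, image))
}
```

The order of the checks matters: the signature is verified first, so an unsigned manifest can never influence the rollback or digest logic, and the digest is compared only after the manifest is known to be authentic. The installed-version counter would in practice live in TPM NV storage or another tamper-resistant location so that a replayed manifest cannot also reset it.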

Remote attestation and rollout control

We implement attestation with TPM or Intel SGX:

  • Devices report measurements to an attestation service (SPIRE, Keylime).
  • Only attested devices receive workload tokens or configuration updates.
  • Rollouts proceed in waves; failed attestations halt the wave automatically.
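The three bullets above as one added example (not code from the original post, SPIRE or Keylime): devices report PCR-style measurements, an attestation policy lists the digests the fleet is allowed to run, workload tokens are issued only to devices that attest, and a wave-based rollout halts at the first failed attestation. The PCR layout, the policy format, the HMAC token and the sample fleet are all assumptions; a real service would verify a TPM quote and issue an SVID.

```go
package main

// Added example (not from the original post): attestation-gated, wave-based
// rollout. Measurements, policy and token format are assumptions.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Measurements is a device's claim of what it booted, keyed by PCR index.
type Measurements map[int]string

// Device is a fleet member with the measurements it reported.
type Device struct {
	ID           string
	Measurements Measurements
}

// Policy lists, per PCR, the digests the fleet may run. A policed PCR that is
// missing from the report, or holds an unlisted value, fails attestation.
type Policy map[int][]string

// Attest returns nil only if every policed PCR holds an allowed value.
func Attest(d Device, p Policy) error {
	pcrs := make([]int, 0, len(p))
	for pcr := range p {
		pcrs = append(pcrs, pcr)
	}
	sort.Ints(pcrs) // deterministic error reporting
	for _, pcr := range pcrs {
		got, ok := d.Measurements[pcr]
		if !ok {
			return fmt.Errorf("device %s: PCR %d not reported", d.ID, pcr)
		}
		allowed := false
		for _, want := range p[pcr] {
			if got == want {
				allowed = true
			}
		}
		if !allowed {
			return fmt.Errorf("device %s: PCR %d value %s not in policy", d.ID, pcr, got)
		}
	}
	return nil
}

// WorkloadToken is issued only after attestation; here an HMAC over the
// device ID under the service key (assumption standing in for an SVID).
func WorkloadToken(serviceKey []byte, d Device) string {
	mac := hmac.New(sha256.New, serviceKey)
	mac.Write([]byte(d.ID))
	return hex.EncodeToString(mac.Sum(nil))
}

// RolloutInWaves attests a wave before issuing anything to it; the first
// failure halts the rollout and later waves are never started. It returns the
// tokens issued so far and the halting error, if any.
func RolloutInWaves(devices []Device, waveSize int, p Policy, serviceKey []byte) (map[string]string, error) {
	issued := map[string]string{}
	for start := 0; start < len(devices); start += waveSize {
		end := start + waveSize
		if end > len(devices) {
			end = len(devices)
		}
		wave := devices[start:end]
		for _, d := range wave {
			if err := Attest(d, p); err != nil {
				return issued, fmt.Errorf("wave at offset %d halted: %w", start, err)
			}
		}
		for _, d := range wave {
			issued[d.ID] = WorkloadToken(serviceKey, d)
		}
	}
	return issued, nil
}

func digest(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// SampleFleet is constructed data: three devices on the golden image and one
// whose kernel measurement does not match (a local, unsigned modification).
func SampleFleet() ([]Device, Policy) {
	p := Policy{0: {digest("firmware-v7")}, 4: {digest("kernel-6.8-signed")}}
	good := Measurements{0: digest("firmware-v7"), 4: digest("kernel-6.8-signed")}
	bad := Measurements{0: digest("firmware-v7"), 4: digest("kernel-unsigned-local")}
	return []Device{
		{ID: "store-001", Measurements: good}, {ID: "store-002", Measurements: good},
		{ID: "store-003", Measurements: bad}, {ID: "store-004", Measurements: good},
	}, p
}

func main() {
	fleet, policy := SampleFleet()
	issued, err := RolloutInWaves(fleet, 2, policy, []byte("constructed-service-key"))
	fmt.Println("tokens issued:", len(issued), "halted:", err)
}
```

With a wave size of 2 the first wave (store-001, store-002) attests and receives tokens; the second wave halts on store-003, and store-004 is never touched even though its own measurements are fine. That is the intended behaviour: a halted wave is a signal for a human to look at the failing device, not a reason to skip it and continue.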

This mirrors the approach Microsoft and Google documented for secure edge deployments.

[Image: engineer validating remote attestation dashboards for edge devices. Photo by Kevin Bhagat on Unsplash. Attestation is the backbone of trust.]

GitOps orchestration

We run Argo CD per cluster or per device group:

  • Root syncs manage platform components (service mesh, observability agents).
  • Application syncs deliver business workloads.
  • Policy controllers (OPA, Kyverno) ensure only signed manifests deploy.

Desync detection triggers alerts; engineers know when devices drift from desired state.
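The drift check in the sentence above, as an added example that is not code from the original post, Argo CD or Flux: desired state from Git and observed state from a device are compared resource by resource, with whitespace normalised so cosmetic differences do not page anyone, and the result split into modified, missing and orphaned resources. The resource key scheme, the manifest representation and the sample data are constructed for illustration.

```go
package main

// Added example (not from the original post): drift ("desync") detection
// between desired state in Git and state observed on a device. Resource keys,
// the text representation and the sample data are assumptions.

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// State maps a resource key (kind/namespace/name) to its rendered manifest.
type State map[string]string

// DriftReport separates the three findings an operator acts on differently.
type DriftReport struct {
	Modified []string // in both, content differs (hand edit or failed sync)
	Missing  []string // desired but absent on the device
	Orphaned []string // on the device but not desired (manual additions)
}

func (r DriftReport) Clean() bool {
	return len(r.Modified)+len(r.Missing)+len(r.Orphaned) == 0
}

// fingerprint strips trailing whitespace, CRLF and trailing blank lines, then
// hashes, so only semantic edits count as drift.
func fingerprint(manifest string) string {
	var lines []string
	for _, l := range strings.Split(strings.ReplaceAll(manifest, "\r\n", "\n"), "\n") {
		lines = append(lines, strings.TrimRight(l, " \t"))
	}
	norm := strings.TrimRight(strings.Join(lines, "\n"), "\n")
	sum := sha256.Sum256([]byte(norm))
	return hex.EncodeToString(sum[:])
}

// DetectDrift compares desired and observed state and returns a sorted report.
func DetectDrift(desired, observed State) DriftReport {
	var r DriftReport
	for key, want := range desired {
		got, ok := observed[key]
		switch {
		case !ok:
			r.Missing = append(r.Missing, key)
		case fingerprint(got) != fingerprint(want):
			r.Modified = append(r.Modified, key)
		}
	}
	for key := range observed {
		if _, ok := desired[key]; !ok {
			r.Orphaned = append(r.Orphaned, key)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Missing)
	sort.Strings(r.Orphaned)
	return r
}

// SampleStates is constructed data: a Deployment whose image tag was changed
// by hand, a NetworkPolicy that never arrived, a ConfigMap that differs only
// in whitespace, and a debug Pod nobody declared in Git.
func SampleStates() (State, State) {
	desired := State{
		"Deployment/pos/checkout":       "image: registry.example/checkout:1.4.2\nreplicas: 2",
		"NetworkPolicy/pos/deny-egress": "policyTypes: [Egress]",
		"ConfigMap/pos/settings":        "timezone: UTC  ",
	}
	observed := State{
		"Deployment/pos/checkout": "image: registry.example/checkout:1.4.3\nreplicas: 2",
		"ConfigMap/pos/settings":  "timezone: UTC\r\n",
		"Pod/pos/debug-shell":     "image: busybox",
	}
	return desired, observed
}

func main() {
	d, o := SampleStates()
	r := DetectDrift(d, o)
	fmt.Printf("modified=%v missing=%v orphaned=%v clean=%v\n", r.Modified, r.Missing, r.Orphaned, r.Clean())
}
```

Orphaned resources deserve the same alert as modified ones: a Pod that exists on a device but in no Git commit is exactly the kind of object a controller set to prune would remove, and exactly the kind an attacker or a well-meaning technician leaves behind.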

Observability under constrained networks

Edge networks are unreliable. We use:

  • Lightweight telemetry (OpenTelemetry exporters with batching, Promtail shipping logs to Loki).
  • Store-and-forward strategies—agents buffer logs locally and ship when connectivity resumes.
  • Summary metrics aggregated at regional hubs to reduce bandwidth.

Hyperlocal dashboards allow site technicians to diagnose issues without central access.
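The store-and-forward strategy above as an added example (not code from the original post, Promtail or the OpenTelemetry exporters): an agent buffers log lines locally while the uplink is down, ships them in order in batches once it returns, keeps a batch that fails to send, and bounds the buffer by dropping the oldest entries while counting the loss so the gap itself is reported. The shipper interface, batch and capacity sizes and the outage scenario are assumptions.

```go
package main

// Added example (not from the original post): a bounded store-and-forward
// buffer for an edge telemetry agent. Shipper, sizes and scenario are assumptions.

import (
	"errors"
	"fmt"
)

// Shipper delivers one batch; it returns an error while the link is down.
type Shipper func(batch []string) error

// Buffer is a bounded FIFO of log lines awaiting delivery.
type Buffer struct {
	lines     []string
	capacity  int
	batchSize int
	Dropped   int // entries discarded because the buffer was full
}

func NewBuffer(capacity, batchSize int) *Buffer {
	return &Buffer{capacity: capacity, batchSize: batchSize}
}

// Push appends a line, evicting the oldest when full. Dropping the oldest
// keeps the most recent (usually most useful) events for the incident.
func (b *Buffer) Push(line string) {
	if len(b.lines) >= b.capacity {
		b.lines = b.lines[1:]
		b.Dropped++
	}
	b.lines = append(b.lines, line)
}

func (b *Buffer) Pending() int { return len(b.lines) }

// Flush ships batches in order until the buffer is empty or a batch fails.
// A failed batch stays buffered, so a flaky link loses nothing; the caller
// simply retries on the next connectivity check. Returns the number shipped.
func (b *Buffer) Flush(ship Shipper) (int, error) {
	shipped := 0
	for len(b.lines) > 0 {
		n := b.batchSize
		if n > len(b.lines) {
			n = len(b.lines)
		}
		if err := ship(b.lines[:n]); err != nil {
			return shipped, err
		}
		b.lines = b.lines[n:]
		shipped += n
	}
	return shipped, nil
}

// Simulate is a constructed outage: six lines arrive while the link is down
// (capacity four, so the two oldest are dropped), a flush fails, then the link
// returns and everything pending ships in batches of three.
func Simulate() (shipped, dropped int, received []string) {
	buf := NewBuffer(4, 3)
	linkUp := false
	ship := func(batch []string) error {
		if !linkUp {
			return errors.New("uplink down")
		}
		received = append(received, batch...)
		return nil
	}
	for i := 1; i <= 6; i++ {
		buf.Push(fmt.Sprintf("checkout terminal event %d", i)) // constructed log line
	}
	_, _ = buf.Flush(ship) // fails: uplink down, buffer untouched
	linkUp = true
	shipped, _ = buf.Flush(ship)
	return shipped, buf.Dropped, received
}

func main() {
	shipped, dropped, received := Simulate()
	fmt.Printf("shipped=%d dropped=%d first=%q\n", shipped, dropped, received[0])
}
```

The `Dropped` counter is worth exporting as a metric in its own right: a regional hub that sees it climb on one site knows the outage exceeded the local buffer and that the log record for that window is incomplete, which matters when those logs are later used as evidence.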

Resilient upgrades

Upgrades follow blue/green patterns:

  • Deploy new image to inactive partition.
  • Run post-upgrade health checks.
  • Flip bootloader pointer and reboot during maintenance windows.
  • Rollback automatically on failure.
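The four steps above as one added example (not code from the original post or from Bottlerocket, Fedora CoreOS or Ubuntu Core): a device with two root partitions writes the new image to the inactive slot, runs a pre-flip health check, flips the boot pointer, re-checks after the simulated reboot, and rolls back to the previous slot on any failure. The slot names, the health-check interface and the failure scenario are assumptions standing in for a real A/B bootloader scheme.

```go
package main

// Added example (not from the original post): blue/green A/B partition
// upgrade with automatic rollback. Slot names, checks and bootloader model
// are assumptions.

import (
	"errors"
	"fmt"
)

type Slot string

const (
	SlotA Slot = "A"
	SlotB Slot = "B"
)

// Device models the two slots, the image in each, and the boot pointer.
type Device struct {
	Images   map[Slot]string
	Active   Slot
	Previous Slot // remembered so a bad boot can be reverted
}

func NewDevice(image string) *Device {
	return &Device{Images: map[Slot]string{SlotA: image, SlotB: ""}, Active: SlotA, Previous: SlotA}
}

func (d *Device) inactive() Slot {
	if d.Active == SlotA {
		return SlotB
	}
	return SlotA
}

// HealthCheck runs against an image (before the flip) or the running system
// (after it); returning an error means the image must not stay active.
type HealthCheck func(image string) error

// Upgrade performs the four steps and returns the slot that ends up active.
func (d *Device) Upgrade(image string, preBoot, postBoot HealthCheck) (Slot, error) {
	target := d.inactive()
	d.Images[target] = image // step 1: deploy to the inactive partition

	if err := preBoot(image); err != nil { // step 2: post-write health checks
		d.Images[target] = "" // discard; the pointer never moved
		return d.Active, fmt.Errorf("pre-boot check failed, staying on %s: %w", d.Active, err)
	}

	d.Previous, d.Active = d.Active, target // step 3: flip pointer and reboot

	if err := postBoot(d.Images[d.Active]); err != nil { // step 4: rollback
		d.Active = d.Previous
		return d.Active, fmt.Errorf("post-boot check failed, rolled back to %s: %w", d.Active, err)
	}
	return d.Active, nil
}

// Running returns the image the device currently boots.
func (d *Device) Running() string { return d.Images[d.Active] }

func main() {
	ok := func(string) error { return nil }
	// Constructed scenario: one image boots but never reports a heartbeat.
	brokenPost := func(img string) error {
		if img == "edge-os-2.1" {
			return errors.New("watchdog: no heartbeat after boot")
		}
		return nil
	}
	dev := NewDevice("edge-os-2.0")
	slot, err := dev.Upgrade("edge-os-2.1", ok, brokenPost)
	fmt.Println("slot:", slot, "running:", dev.Running(), "err:", err)
	slot, err = dev.Upgrade("edge-os-2.2", ok, ok)
	fmt.Println("slot:", slot, "running:", dev.Running(), "err:", err)
}
```

The important property is that the old image is never overwritten until a new one has both been written and survived a boot: the failed 2.1 upgrade leaves the device on 2.0 in slot A, and the following 2.2 upgrade reuses slot B, so at no point is the device without a known-good slot to fall back to. On real hardware the post-boot check is a watchdog or boot counter enforced by the bootloader, not a function the new image is trusted to call.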

Kubernetes workloads use canaries and progressive delivery even at the edge, echoing best practices from our central platform playbooks.

Immutable edge platforms eliminate configuration drift, reduce on-site truck rolls, and align with zero-trust principles. With GitOps and attestation, edge fleets become as manageable as cloud clusters.