Digital Independence with the Immich 3.0 Update
Configuration as Data vs. Templating

At its core, kpt is driven by the Kubernetes Resource Model (KRM). These are declarative YAML manifests that describe the desired state of resources while remaining entirely autonomous. In the kpt paradigm, a package is decoupled from any specific infrastructure; it can exist as a simple local directory, a ZIP archive, or a subdirectory within a Git repository. This portability transforms configuration into an independent artifact that can be moved and transformed without losing its context.
To manage these packages, kpt employs built-in validators and mutators. These act as filters that verify data integrity and modify it according to predefined rules. This introduces the concept of WYSIWYG ("What You See Is What You Get")—a principle migrated from text editors into the DevOps realm. In the context of kpt, this translates to absolute predictability: the file an engineer reviews before deployment is identical to what actually lands in the cluster. It eliminates the hidden metamodels and "on-the-fly" modifications that often trigger elusive bugs when using complex templating engines.

The industry has long been accustomed to the Configuration as Code (CaC) approach, where configurations are defined via scripts or templates. However, kpt advocates for a more profound concept: Configuration as Data (CaD). The distinction is fundamental: when configuration is treated as data, it is stored and versioned as a pure description of state rather than as executable code.
This shift offers several critical advantages. First, it ensures flawless auditability; structured data can be diffed, passed through linters, and sent for review without the need to trigger heavy rendering pipelines. Second, it establishes a clear separation of concerns: the intent (what we want) is decoupled from the implementation logic (how to apply it). Third, it enables high composability—different tools can read and transform the same models, creating chains of independent, easily testable mutations.
A comparison with Kustomize further clarifies the value proposition of kpt. While they share similar goals, Kustomize generates final manifests dynamically through a system of patches and overlays at the moment of rendering. This creates a disconnect between what is stored in Git and what is actually applied to the cluster. In contrast, kpt prioritizes "in-place" updates. An engineer can examine and approve the final configuration beforehand, eliminating surprises during production deployment.
That said, kpt does not aim to be a universal "Swiss Army knife." Its purpose is to efficiently solve a specific set of data management challenges, leveraging an extensible function library and seamless integration with industry leaders like ArgoCD, Flux, and Helm.
The practical utility of this approach is most evident in large-scale projects. In the Nephio system, for instance, kpt serves as the central pipeline link for deploying open-source networks (RAN and Core) on Kubernetes. In such mission-critical infrastructures, where the cost of error is extreme, data predictability outweighs the flexibility of templates.
Its current status in the CNCF Sandbox is merely a starting point. The kpt team is currently focused on stabilizing the API for the release of its first full version. Key priorities on the roadmap include enhancing pipeline performance, a complete overhaul of documentation, and the introduction of long-awaited features: native secrets management, multi-cluster support, and deeper integration with the Helm ecosystem.

