GitOps Will Replace ClickOps Entirely by 2028
Why GitOps is on track to fully replace manual ClickOps workflows in infrastructure management. The cultural shift, tooling maturity, and enterprise adoption driving this transformation.
Here's a prediction: by 2028, manually clicking through cloud consoles to provision infrastructure will be as unacceptable as deploying code by FTP-ing files to a server.
ClickOps — the practice of managing infrastructure through web console clicks — is already on its way out. But it's dying slower than it should because of inertia, not because it has any technical merit left. Let me explain why GitOps will finish it off completely.
The State of ClickOps in 2026
Let's be honest about where we are. Most organizations still have significant ClickOps happening:
- Security groups modified through the AWS console at 2 AM during an incident
- IAM policies created by clicking through the Azure portal because "it's faster"
- Load balancer rules tweaked in the GCP console because the Terraform config is "too complex"
- Database parameter groups adjusted through the RDS console because the change "is just temporary"
Every one of these "just this once" clicks creates drift. Drift creates incidents. Incidents create more emergency clicks. It's a death spiral.
A 2026 DORA survey found that teams with more than 20% manual infrastructure changes have 3.2x more change-failure rates than teams with fully automated pipelines. The data is clear: ClickOps is a reliability risk.
Why GitOps Is Winning
GitOps isn't just "Infrastructure as Code in a Git repo." It's a complete operational model built on four principles:
- Declarative configuration — everything described as desired state
- Git as single source of truth — every change is a commit
- Automatic reconciliation — agents continuously sync desired state to actual state
- Drift detection and correction — unauthorized changes get automatically reverted
The tooling has matured dramatically:
ArgoCD and Flux Have Won the Kubernetes Space
ArgoCD crossed 20,000 GitHub stars and became the default GitOps tool for Kubernetes. Flux v2 with its OCI artifact support has made it possible to store and distribute manifests like container images.
Both tools now support:
- Multi-cluster management
- Progressive delivery (canary, blue-green)
- Automated image updates
- RBAC and multi-tenancy
- Full audit trails
Terraform/OpenTofu Brought GitOps to Cloud Resources
With tools like Atlantis, Spacelift, and env0, even traditional cloud infrastructure now follows the GitOps model:
Developer opens PR → Atlantis runs terraform plan → Team reviews →
PR merged → Atlantis runs terraform apply → State updated
Nobody touches the cloud console. Nobody runs terraform apply from their laptop. The PR is the deployment.
Crossplane Extended GitOps Beyond Kubernetes
Crossplane lets you manage AWS, GCP, and Azure resources using Kubernetes-native YAML. Now your cloud infrastructure follows the exact same GitOps workflow as your applications:
apiVersion: s3.aws.upbound.io/v1beta1
kind: Bucket
metadata:
name: my-app-assets
spec:
forProvider:
region: us-east-1
acl: private
serverSideEncryptionConfiguration:
- rule:
- applyServerSideEncryptionByDefault:
sseAlgorithm: aws:kmsCommit this to Git → ArgoCD syncs it → AWS bucket appears. Modify it in the console? ArgoCD reverts it. That's the power of reconciliation.
The Three Forces Killing ClickOps
1. Compliance and Audit Requirements
SOC 2, ISO 27001, HIPAA, and PCI-DSS all increasingly require:
- Change traceability — who changed what, when, and why
- Approval workflows — documented review before changes
- Immutable audit logs — tamper-proof change history
Git gives you all three for free. Every commit has an author, timestamp, message, and optional approval (PR reviews). No cloud console can match this audit trail.
Compliance teams are starting to reject infrastructure changes that don't go through Git. This alone will kill ClickOps in regulated industries by 2027.
2. AI-Assisted Infrastructure
The rise of AI coding assistants (GitHub Copilot, Claude, Cursor) makes writing IaC faster than clicking through consoles. When generating a complete Terraform module takes 30 seconds with an AI assistant, the "it's faster to click" argument evaporates.
AI can also:
- Review IaC pull requests for security issues
- Generate test cases for infrastructure changes
- Auto-fix drift by generating correction commits
You can't AI-assist a manual console click. The workflow has to be code-first for AI to help.
3. Platform Engineering and Internal Developer Platforms
Platform teams are building Internal Developer Platforms (IDPs) that abstract away the cloud console entirely. Developers don't need to know AWS — they interact with a self-service portal backed by GitOps:
Developer selects "Create new microservice" →
Platform generates repo with IaC + CI/CD + monitoring →
Everything committed to Git → ArgoCD deploys →
Developer gets a URL in 10 minutes
Backstage, Port, and Humanitec are making this pattern accessible to mid-size companies, not just FAANG.
The Remaining ClickOps Strongholds (And Why They'll Fall)
"Emergency changes need the console"
No. Emergency changes especially need Git. When you're at 3 AM fixing an outage, the last thing you want is an untracked change that someone has to reverse-engineer later.
The fix: fast-track PR workflows. ArgoCD can sync in under 60 seconds. A pre-approved "emergency" PR template with auto-merge on single approval is still faster than navigating the AWS console.
"Some things can't be codified"
This was true in 2020. In 2026, every major cloud resource has a Terraform provider, Crossplane composition, or Pulumi component. AWS has over 1,200 Terraform resource types. If it exists in the console, it can be declared in code.
"New team members need the console to learn"
Learning the console is valuable for understanding what resources exist. But modifying resources through the console? That should be read-only for non-admin roles. Use IAM policies to enforce this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalTag/Role": "automation"
}
}
}
]
}Humans get read-only. Only the CI/CD pipeline (with the automation tag) can mutate infrastructure.
The Timeline
2026 (now): GitOps is standard for Kubernetes deployments. Cloud infrastructure is 60-70% codified at mature organizations. ClickOps still happens for "edge cases."
2027: Platform engineering teams enforce Git-only changes via IAM policies. AI assistants make IaC generation faster than console navigation. Compliance frameworks explicitly require GitOps workflows for cloud changes.
2028: ClickOps becomes a compliance violation at any serious organization. Cloud consoles become monitoring dashboards, not control planes. The "Ops" in DevOps is fully automated through reconciliation loops.
How to Start the Transition Today
If your team still has significant ClickOps, here's a realistic migration path:
Phase 1: Import and codify (weeks 1-4)
- Import existing resources into Terraform state using
terraform import - Set up a Git repo with proper branching strategy
- Install Atlantis or similar for PR-based plan/apply
Phase 2: Lock down write access (weeks 5-8)
- Implement read-only IAM policies for human users
- Route all changes through Git PRs
- Set up drift detection (Terraform Cloud, driftctl, or Crossplane)
Phase 3: Self-service and automation (weeks 9-12)
- Build developer self-service templates
- Implement policy-as-code (OPA, Kyverno) for guardrails
- Set up automated drift correction
Phase 4: Full GitOps (month 4+)
- ArgoCD/Flux for Kubernetes workloads
- Crossplane for cloud resources
- Everything reconciled continuously
If you want hands-on practice with GitOps tools, KodeKloud's labs offer real cluster environments where you can experiment with ArgoCD and Flux without breaking anything.
The Bottom Line
ClickOps isn't just inefficient — it's becoming a liability. Every manual console change is an unaudited, unreviewable, unreproducible mutation to your infrastructure. In a world where compliance, reliability, and speed all demand automation, the cloud console's role is shifting from control plane to observation deck.
The teams that make this transition now will have a massive advantage. The teams that resist will spend 2028 scrambling to catch up.
Git is the control plane. Accept it.
What's your team's ClickOps percentage? The honest answer might surprise you.
Stay ahead of the curve
Get the latest DevOps, Kubernetes, AWS, and AI/ML guides delivered straight to your inbox. No spam — just practical engineering content.
Related Articles
GitOps Will Become the Default Infrastructure Management Model by 2028
Why GitOps is moving beyond Kubernetes deployments to become the standard way all infrastructure is managed — from cloud resources to databases to security policies.
YAML Engineering Is Dying — What Replaces It Will Change DevOps Forever
Why the era of hand-writing thousands of YAML lines is ending. CUE, KCL, Pkl, CDK8s, and general-purpose languages are replacing raw YAML for infrastructure configuration.
Agentic SRE Will Replace Traditional Incident Response by 2028
AI agents are moving beyond alerting into autonomous incident detection, root cause analysis, and remediation. Here's why Agentic SRE will fundamentally change how we handle production incidents.