The best CMSes to run in Kubernetes are platforms that ship official container images, support stateless application pods backed by externalized state (database, search, object storage), expose Helm charts or Operators for declarative deployment, and integrate cleanly with GitOps tooling. By those criteria, the strongest enterprise candidates are dotCMS, Strapi, Drupal, and Payload. dotCMS is the option built specifically for compliance-led organizations that need multi-site governance, audit trails, and a Universal Visual Editor running natively inside the cluster.
If your platform team has standardized on Kubernetes, your CMS should match that standard — not fight it. This article explains what makes a CMS Kubernetes-friendly, compares the main candidates, and shows how to deploy dotCMS in a production cluster with Helm and GitOps.
At a Glance
82% of container users now run Kubernetes in production, up from 66% in 2023 (CNCF 2025 Annual Survey).
A Kubernetes-ready CMS must externalize state, ship official container images, provide Helm charts, support horizontal scaling, and integrate with GitOps controllers like ArgoCD or Flux.
dotCMS, Drupal, Strapi, and Payload all support Kubernetes deployment; they differ on multi-site governance, visual editing, and enterprise audit posture.
dotCMS provides official Helm charts at dotcms.github.io/helm-charts and documented patterns for ArgoCD-driven GitOps deployment.
For compliance-led teams running 10s or 100s of sites on a single cluster, the deciding factors are multi-tenant governance, role-based access, and audit trails — not container size.
Section Overview
What Makes a CMS Kubernetes-Ready — the technical criteria platform teams should test before adopting.
Why Kubernetes Matters for CMS Workloads — scale, resilience, and the operational benefits cloud-native teams expect.
Core Architecture Patterns — stateless application pods, externalized state, ingress, secrets, and observability.
Comparison Table — dotCMS, Drupal, Strapi, Payload, and WordPress evaluated as Kubernetes citizens.
How dotCMS Runs in Kubernetes — Helm charts, GitOps with ArgoCD, multi-site governance inside the cluster.
FAQs and Resources — direct answers and authoritative external links.
What Is a Kubernetes-Ready CMS?
A Kubernetes-ready CMS is one that runs cleanly under standard Kubernetes patterns: containerized application pods that can scale horizontally, externalized stateful services (database, search, object storage) deployed as separate workloads or managed services, declarative installation via Helm or an Operator, support for ingress controllers and service meshes, and configuration through environment variables, ConfigMaps, and Secrets.
The opposite is a CMS designed around a single long-running server with state baked into the local file system. That kind of platform can technically be containerized but loses most of what Kubernetes offers — automated scaling, self-healing, rolling updates, and declarative reproducibility. If a CMS requires shared file system access between application instances or stores critical state on local disk, Kubernetes adoption becomes painful.
Why Kubernetes Matters for CMS Workloads
Three forces drive platform teams to standardize their CMS on Kubernetes alongside the rest of their stack.
Production scale is the new default. The CNCF 2025 Annual Survey reports that 82% of container users now run Kubernetes in production, a 16-point jump from 2023, and that 98% of organizations have adopted cloud-native technologies in some form (CNCF, 2026). For platform engineering teams, anything that doesn't run in Kubernetes is now an exception that requires justification.
Operational consistency reduces risk. Running a CMS under the same orchestrator, the same observability stack, the same secret manager, and the same patch cadence as the rest of the platform means fewer special cases for the on-call team and fewer compliance gaps for the audit team. A CMS that demands its own bespoke deployment model creates exactly the kind of unmanaged surface area regulators flag.
AI workloads are accelerating the trend. CNCF's 2025 survey found that 66% of organizations hosting generative AI models use Kubernetes to manage inference workloads. CMSes that integrate with AI services — for content generation, translation, personalization, or governance — increasingly sit alongside those workloads in the same cluster. Running the CMS outside Kubernetes makes those integrations harder to secure and observe.
Core Architecture Patterns for CMS on Kubernetes
A production deployment of a CMS in Kubernetes follows a small set of well-understood patterns.
Stateless application pods
The CMS application container should be stateless. All persistent state — content, users, workflow state, sessions — lives in services outside the application pod. This lets Kubernetes scale the pods horizontally, replace failed instances cleanly, and roll out new versions without coordinating disk migrations.
Externalized state
The database (Postgres, MySQL, MariaDB), search index (Elasticsearch, OpenSearch), and asset store (S3-compatible object storage) run as separate workloads or as managed cloud services. For compliance-led environments, all three typically run inside the same trust boundary as the CMS. For development, they can be deployed as StatefulSets in the same cluster.
Helm charts or Operators
Declarative installation matters. A Helm chart turns "install the CMS" into a single command with version-controlled values, enabling reproducible deployments across dev, staging, and production. An Operator goes further by encoding upgrade logic and lifecycle management as Kubernetes-native controllers.
Ingress and TLS
The CMS exposes editorial UI and content APIs through an ingress controller (NGINX, Traefik, Istio, or a managed offering). TLS termination happens at the ingress, with certificates managed by cert-manager or a cloud provider's certificate service.
Secrets and configuration
Database credentials, SSO client secrets, API keys, and license tokens belong in Kubernetes Secrets, ideally backed by an external secret manager (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault). Application configuration goes in ConfigMaps. Nothing sensitive belongs in the container image.
Observability
Logs flow to the cluster's logging stack (Loki, Elasticsearch, a cloud equivalent). Metrics expose through Prometheus endpoints. Distributed traces use the OpenTelemetry collector. A Kubernetes-friendly CMS exposes all three by default rather than forcing custom instrumentation.
GitOps
ArgoCD or Flux watches a Git repository for desired-state manifests and reconciles them against the cluster. The CMS deployment, including its Helm values and any custom resources, lives in that repository. Every change is reviewed, version-controlled, and replayable.
Comparison Table
The platforms below all run on Kubernetes. They differ on what production deployment looks like.
Capability | dotCMS | Drupal | Strapi (Community) | Payload | WordPress |
|---|---|---|---|---|---|
Official container images | Yes | Community + vendor variants | Yes | Yes | Community |
Official Helm chart | Yes | Community charts (Lagoon, Acquia) | Community | Community | Community (Bitnami) |
Stateless application tier | Yes | Requires shared file system unless configured for object storage | Yes (when sessions/media externalized) | Yes | Requires plug-ins for stateless operation |
Externalizes search to Elasticsearch/OpenSearch | Yes | Via modules | Limited | Limited | Via plug-ins |
GitOps reference patterns (ArgoCD) | Yes, documented | Custom | Custom | Custom | Custom |
Multi-site / multi-tenant on a single cluster | Yes, native | Possible via modules | Manual | Manual | Multisite plug-in |
Built-in audit trails and version history | Yes | Via modules | Enterprise tier | Limited | Via plug-ins |
Workflow approvals out of the box | Yes | Via modules | Enterprise tier | Custom | Plug-in |
Universal Visual Editor inside the cluster | Yes | Limited (Layout Builder) | No | Limited | Block editor |
Evergreen upgrade path | Yes | Manual | Manual | Manual | Manual |
WordPress on Kubernetes is achievable but rarely the right call for compliance-led, multi-site environments — it was designed for a single server with a shared file system. Drupal is mature and runs well in clusters but typically requires module assembly to reach enterprise governance parity. Strapi and Payload are strong choices for engineering-led teams that will build their own editorial experience. dotCMS is purpose-built for compliance-led organizations that want both Kubernetes-native operations and out-of-the-box multi-site governance.
How dotCMS Runs in Kubernetes
dotCMS was designed to run as a containerized workload. Its application tier is stateless, its state externalizes cleanly to Postgres, Elasticsearch or OpenSearch, and S3-compatible object storage, and its release cadence supports rolling updates without downtime.
Official Helm charts
dotCMS publishes Helm charts at dotcms.github.io/helm-charts. The charts cover the application deployment, ingress configuration, secret references, and resource limits, with values files for development, staging, and production profiles (Deploy dotCMS Using Helm Charts on Kubernetes).
GitOps with ArgoCD
The reference deployment pattern uses ArgoCD to reconcile dotCMS manifests from a Git repository against the target cluster. Helm packages and templates the application; ArgoCD continuously enforces the desired state. Together they make dotCMS deployments declarative, version-controlled, and replayable across environments (Managing dotCMS Helm Deployments with GitOps).
Container orchestration patterns
dotCMS runs as a Java application inside a standard container, which makes it easy to include in modern cloud infrastructure. Horizontal scaling, self-healing, and rolling deployments work the same way they do for any other Java workload in the cluster. Platform teams can apply their existing observability, secret management, and policy controls without special cases (Container Orchestration: Running dotCMS in Kubernetes).
Multi-site governance inside the cluster
A single dotCMS deployment in Kubernetes can host dozens or hundreds of sites under shared governance. Each site has its own permissions, workflows, and audit trail, but they all share the same upgrade path, the same observability stack, and the same compliance posture. This is what makes dotCMS appropriate for organizations that would otherwise run a separate CMS instance per brand or region.
Universal Visual Editor without external dependencies
The Universal Visual Editor — used by marketers and content owners to edit pages in context — runs inside the dotCMS deployment. There is no external SaaS service the editor depends on. For air-gapped clusters or sovereignty-constrained environments, this matters: the editorial experience does not break when egress is locked down (Visual Headless CMS vs Traditional Headless CMS).
According to Forrester senior analyst Nick Barber, "Agile content management systems have evolved over the past 30 years to deliver modern, digital experiences that are collaborative, iterative, and satisfy both developers and practitioners." A Kubernetes-native CMS with built-in multi-site governance and a visual editor that runs inside the cluster is what compliance-led platform teams need to deliver on that promise.
Frequently Asked Questions
Can I run dotCMS on managed Kubernetes services like EKS, AKS, or GKE?
Yes. dotCMS runs on any conformant Kubernetes distribution — EKS, AKS, GKE, OpenShift, Rancher, or self-managed clusters on bare metal. The Helm charts are distribution-agnostic, and the application has no provider-specific dependencies.
What database and search backends does dotCMS need in a Kubernetes deployment?
dotCMS uses Postgres for content and configuration, and Elasticsearch or OpenSearch for content indexing. Both can run as StatefulSets inside the cluster for non-production environments, or as managed services (RDS, Aurora, Azure Database for PostgreSQL, Amazon OpenSearch) for production. Asset storage typically uses S3-compatible object storage.
Should the application tier scale horizontally?
Yes. dotCMS application pods are stateless when configured with externalized sessions and asset storage. Horizontal Pod Autoscaler can scale them based on CPU, memory, or custom metrics. The shared state — database, search, object storage — sits outside the application pods.
How does GitOps work with dotCMS?
The dotCMS Helm chart values file lives in a Git repository alongside any custom manifests. ArgoCD or Flux watches that repository and reconciles changes against the cluster. Configuration changes flow through a pull request rather than imperative kubectl commands. Strapi describes a similar pattern for stateless container deployments at scale (Strapi: How to Deploy and Scale on Kubernetes).
Can I run dotCMS in an air-gapped Kubernetes cluster?
Yes. The container images, Helm charts, and database can all be mirrored to an internal registry. dotCMS does not require outbound calls for license validation or core operation. Verify any AI features or integrations against your egress policy.
Resources
External references:
CNCF: Kubernetes Established as the De Facto OS for AI — 2025 Annual Survey
CNCF: What 500+ Experts Revealed About Kubernetes Adoption and Workloads
Related dotCMS reading: