Portainer Enterprise Reference Architecture

A complete architectural reference for designing, deploying, and governing an enterprise-grade Kubernetes management platform. Covers the full stack — from cluster infrastructure through identity, policy, GitOps, observability, security audit, and data protection.

12 chapters, 2 appendices, 5 maturity levels, 3 platform sections.
Reading guide by role (every chapter is tagged with the roles it serves most; all chapters apply to all readers):

Enterprise Architect: platform strategy, integration patterns, and architectural decision frameworks.
Platform Engineer: deployment, cluster operations, GitOps, observability, and day-2 operations.
Security & Compliance: IAM, policy enforcement, SIEM integration, audit trails, and compliance evidence.
Infrastructure Leader: business outcomes, maturity assessment, operational governance, and DR posture.

Maturity levels:

Level 1: Ad-Hoc
Level 2: Opportunistic
Level 3: Emerging
Level 4: Capable
Level 5: Advanced

Each chapter includes maturity-level implementation scenarios. Use Appendix B to assess your current level.

Chapters — navigate directly to what applies to you
Ch 01
Enterprise Container Platform Reference Model
The operator control plane concept, the seven-layer enterprise stack, architecture principles, and business outcomes.
Roles: Architect, Engineer, Leader
Ch 02
Portainer Deployment Reference
Deployment topology, agent modes, HA, sizing, certificate management, Terraform provider, and upgrade lifecycle.
Roles: Engineer, Architect
Ch 03
Cluster Creation and Configuration
Distribution and OS selection, CNI, Gateway API, DNS, storage, lifecycle governance, and DR topology.
Roles: Engineer, Architect
Ch 04
Identity and Access Management
OIDC/LDAP/AD integration, RBAC model, group-to-role mapping, namespace isolation, and break-glass procedures.
Roles: Security, Architect, Engineer
Ch 05
Container Registries
Registry integration, approved registry enforcement, image scanning, supply chain controls, and air-gapped workflows.
Roles: Engineer, Security
Ch 06
Git Repositories
GitOps as governance, Git platform integrations, manifest formats, branching strategy, and environment promotion.
Roles: Engineer
Ch 07
Policy Enforcement
Fleet Governance policy types, OPA Gatekeeper, policy lifecycle, staged rollout, and separation of platform policy from workload policy.
Roles: Security, Architect, Engineer
Ch 08
Secret Management
Vault/OpenBao, External Secrets Operator, Sealed Secrets, cloud secret stores, and native Kubernetes secrets.
Roles: Security, Engineer
Ch 09
Platform Observability
Logs, metrics, alerting via OneUptime, incident management, Loki/Prometheus/Grafana, and fleet-wide monitoring.
Roles: Engineer, Leader
Ch 10
Security Audit and SIEM Integration
Portainer audit log, Kubernetes API audit, Falco, SIEM integrations (Splunk, Sentinel, Elastic, Wazuh), and compliance frameworks.
Roles: Security, Leader
Ch 11
Data Protection
Velero, CloudCasa, Kasten K10, CSI snapshots, cold/warm standby DR patterns, and Portainer state backup.
Roles: Engineer, Leader
Ch 12
Developer and Operator Interaction Layer
Personas, platform engineer workflows, application team workflows, self-service guardrails, and Portainer Run.
Roles: Engineer, Architect
Appendix A — Architectural Decision Framework
Deployment scenarios and key architectural decisions synthesized across all chapters.
Roles: Architect, Leader
Appendix B — Platform Maturity Framework
The six maturity levels, self-assessment questions, and how to use maturity targets for implementation planning.
Roles: Leader, Architect