Introduction

About this Reference Architecture

This Portainer Enterprise Reference Architecture defines the architecture for deploying and operating a governed enterprise container platform. It covers the full stack: cluster infrastructure, identity, policy, GitOps, observability, security audit, and data protection. Coverage is at the level of architectural decisions and integration patterns, not step-by-step configuration instructions.

The problem this addresses

As Kubernetes deployments grow across cloud, on-premises, and edge, organizations encounter the same failure modes: configuration drift between environments, inconsistent access control, tooling that accumulates without governance, and operational complexity that scales faster than team capacity. Kubernetes is a powerful orchestration engine but is not, by itself, a platform. The gap between raw Kubernetes capability and enterprise operational requirements is substantial, and widening as adoption grows.

This reference architecture describes how to close that gap: an operator control plane that governs the fleet, enforces policy, centralises identity, and makes the platform auditable and operable at scale without requiring every team member to be a Kubernetes specialist.

Who should read this

  • Platform engineers responsible for designing, deploying, or governing the container platform
  • Enterprise architects evaluating how Portainer fits within a broader technology stack
  • Infrastructure leads responsible for Kubernetes fleet operations, compliance, and security posture
  • Security and compliance teams who need to understand the audit trail, policy enforcement, and SIEM integration architecture

What this document covers

This guide covers

  • A reference architecture for an enterprise container platform based on Portainer
  • Guiding principles for platform governance
  • Architectural standards for cluster configuration, workload deployment, and access control
  • Maturity-level-based target-state implementation for each system
  • Architectural decision rationale and scenario comparisons for common choices
  • Deployment models and agent patterns for Portainer
  • Integration architecture for identity, container registries, Git repositories, and secrets management
  • Integration architecture for observability, security, compliance systems, and data protection

This guide does not cover

  • Step-by-step configuration instructions for Portainer or integrated systems
  • Deep-dive cluster creation and bootstrapping procedures
  • Application-level architecture or workload design
  • Detailed implementation guides for specific configurations (contact Portainer's Managed Services team)

This guide is not a step-by-step implementation guide. The diversity of existing production environments is too great to cover all scenarios exhaustively. While Portainer integrates with third-party cluster creation tools, this guide is also not a deep-dive into cluster creation and bootstrapping; it describes the integration points and how to approach them architecturally.


How to use this Reference Architecture

This guide is structured as a reference of what a complete enterprise container management platform looks like. Since it is all-encompassing, not all chapters will be relevant to every organization: use only the parts applicable to your situation. This Reference Architecture is a “choose your own adventure” based on your own judgment of where you need to level up the architecture of your container management platform.

Use the chapter list and descriptions below, as well as the maturity level-based implementation scenarios in each chapter. Chapter 1 serves as an introduction to the platform as a whole, contextualizing the role each component plays and helping you decide which parts of this document are relevant to you. The maturity framework is described in Appendix B.

Chapter list

01
Enterprise Container Platform Reference Model
The operator control plane concept, the seven-layer enterprise stack, where Portainer fits, document scope and target audience, maturity framework, architecture principles, and business outcomes.
02
Portainer Deployment Reference
Deployment topology, server placement, agent modes (Standard / Edge / Async), HA, sizing, data protection, certificate management, Terraform provider, upgrade lifecycle, security hardening, and reference deployment scenarios.
03
Cluster Creation and Configuration
Distribution and OS selection, provisioning tooling (Helmfile, Sidero Omni, Crossplane), cluster profiles, CNI and network policy, Gateway API and load balancing, DNS and certificate management, storage and CSI, lifecycle governance, and DR topology.
04
Identity and Access Management
Provider integration (OIDC, LDAP/AD), group-to-role mapping, RBAC model, team structures, namespace isolation and tenancy, environment access hierarchy, RBAC design patterns, and break-glass access procedures.
05
Container Registries
Registry integration patterns, approved registry enforcement, JIT credential injection, image scanning and supply chain controls (three-layer scanning, signing, SBOM), and air-gapped registry workflows.
06
Git Repositories
GitOps as a governance mechanism, Git platform integration (GitHub, GitLab, Azure DevOps, Bitbucket, Gitea), OCI registries as GitOps sources, manifest formats (Helm, Kustomize, Compose), branching strategy, and environment promotion.
07
Policy Enforcement
Fleet Governance policy types (Security, Registry, Setup, RBAC), OPA Gatekeeper as the native admission control engine, policy lifecycle and staged rollout, and platform vs. workload policy separation.
08
Secret Management
Vault / OpenBao, External Secrets Operator, Sealed Secrets, cloud-provider secret stores (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager), native Kubernetes secrets, and Portainer's own credential model.
09
Platform Observability
Logs, metrics, alerting, and incident management via OneUptime, a unified observability platform deployed fleet-wide via the Portainer Observability Policy. Covers log and metrics collection, uptime monitoring, alert evaluation, on-call scheduling, incident management, and status pages.
10
Security Audit and SIEM Integration
Portainer Control Plane audit log, Kubernetes API server audit log, optional Falco runtime stream, SIEM integration (Splunk, Sentinel, Elastic, Wazuh), MITRE ATT&CK detection rules, and per-framework compliance evidence (SOC 2, ISO 27001, PCI-DSS, HIPAA).
11
Data Protection
Kubernetes-native backup tooling (Velero, CloudCasa, Kasten K10), CSI snapshot integration, cold and warm standby DR patterns, air-gapped edge data protection, and fleet-wide backup governance via Portainer.
12
Developer and Operator Interaction Layer
Platform personas and their primary interfaces, platform engineer and application team workflows, application templates, self-service guardrails, incident response workflow, Portainer Run (developer portal), and Industrial App Portal (OT operator interface).
A
Appendix A: Architectural Decision Framework
Consolidated index of all key architectural decisions across every chapter, with section references. Navigate directly to specific decisions without reading entire chapters.
B
Appendix B: Platform Maturity Framework
Self-assessment questionnaire and six-level maturity model (L0–L5) for identifying your current and target state. Start here to determine which scenario in each chapter applies to your environment.

The Maturity Framework

This document includes implementation scenarios based on a five-level maturity framework (L1–L5, plus L0 for missing capability). Every chapter covering a deployable capability provides five scenarios matched to these levels. For each relevant capability, you can use that chapter's scenarios to identify your current and target maturity level.

The delta between current and target, mapped across the chapters that apply to your environment, is your implementation roadmap. For the complete self-assessment questionnaire, see Appendix B.

Level 1
Ad-Hoc
Level 2
Opportunistic
Level 3
Emerging
Level 4
Capable
Level 5
Advanced

Implementing improvements

This reference architecture is comprehensive by design. As with every complex, long-term implementation project, improvements should be implemented sequentially, not in parallel. The transition to a mature, governed container platform spans multiple distinct architectural areas and workstreams: cluster operations, container supply chain, CI/CD transformation, networking, observability, GitOps, and platform engineering. Each is substantial enough to be a significant initiative in its own right.

The organizations that succeed treat them as sequential projects: pick one, nail it, learn from it, then move to the next. They level up in adjacent areas in lockstep, ensuring roughly the same level of maturity across the board before moving on. Each completed workstream becomes the foundation for the following one. Organizations that attempt all workstreams simultaneously typically produce none of them well; twelve months in, with nothing working properly, the instinct is to blame the technology rather than the planning.

The principle is simple: slow is smooth, smooth is fast. This guide gives you the target architecture; your adoption plan determines the sequence. In practice, moving from initial exploration to a fully operational, production-grade Kubernetes platform typically takes between 9 and 15 months . This is not a worst case but a common outcome, driven by the iterative nature of CNCF tool evaluation, integration failures, and the time required to stabilize a production-grade stack.

JP
Joep Piscaer
Field CTO at Portainer, VCDX #101