Layer 3: Immutable Infrastructure — Making Self-Healing Safe
🌐 中文A system can only heal itself if it can be safely destroyed and rebuilt. This is the principle underlying immutable infrastructure: instead of patching, configuring, and modifying servers in place, you treat infrastructure as disposable. A server has a problem? Delete it. Start a new one from a known-good image.
This is not a new idea. It is not even a cutting-edge idea. But it is essential for autonomous operations. Layers 0-2 (observability, runbook automation, SLO control) give you the ability to detect problems and decide to fix them. Layer 3—immutable infrastructure—gives you the ability to fix them safely.
Without immutable infrastructure, automated remediation is dangerous. You cannot reliably replace a failed component because you do not know what state it is in. You cannot confidently roll back a change because the previous state might be lost. You cannot quickly scale up because every new instance might be subtly different. Mutable infrastructure makes autonomous operations fragile.
Mutable vs. Immutable: The Root Difference
In mutable infrastructure, servers are pets. You give them names. You update them. You patch them. You remember that one time you manually fixed a configuration file at 3 AM on a Thursday.
After years of patches, updates, and manual interventions, each server is unique. You cannot reliably predict what will happen if you restart one. You cannot quickly replace it because you do not know exactly what state it was in. When something goes wrong, fixing it requires investigation: "What has this server been through? What was patched? What was misconfigured?"
In immutable infrastructure, servers are cattle. You do not name them. If one dies, you do not mourn it—you replace it. Every server is created from the same immutable image. Configuration is determined at creation time, from code, not modified after. When something is wrong, you do not fix it; you replace it.
The implications for autonomous operations are profound:
- Predictability: Every instance is identical. Automated actions have predictable outcomes.
- Safety: Restart an immutable instance, and you know it will come back in the same state. No surprise configurations, no side effects from patches.
- Speed: Rolling out a new version or recovering from a failure is just "spin up new, kill old." No manual steps. No state migration.
- Auditability: Every instance is deterministically created from code. You can trace back to the exact commit that defined its state.
The Three Layers of Immutable Infrastructure
Layer 3a: Container Images (Immutable Application Delivery)
The foundation of immutable infrastructure is the container image. A Docker image is a complete, versioned snapshot of your application and its runtime environment:
FROM python:3.11
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY src/ /app/
ENTRYPOINT ["python", "/app/main.py"]
# Build happens once:
docker build -t my-service:v1.2.3 .
# Image is immutable:
docker run my-service:v1.2.3 # always the same
docker run my-service:v1.2.3 # always the sameThe critical discipline: never patch a running container. Never docker exec into a container to manually fix something. If the container is wrong, kill it and start a new one.
For autonomous operations, this means:
- Container fails → Kubernetes kills it and creates a new one from the same image
- New version deployed → Old containers replaced with new image
- Failure fully remediated in seconds without human investigation
Layer 3b: Infrastructure as Code (Reproducible Infrastructure)
Application is just the first layer. Your infrastructure—Kubernetes clusters, databases, networking, storage—must also be defined as code.
# Kubernetes manifest: an immutable declaration
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-service
spec:
replicas: 3
selector:
matchLabels:
app: my-service
template:
metadata:
labels:
app: my-service
spec:
containers:
- name: my-service
image: my-service:v1.2.3
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10This declarative definition is the source of truth. You do not modify it by hand (although you can if needed). You modify it through CI/CD, following a clear change process.
For autonomous operations:
- Current state does not match declared state → Kubernetes corrects it
- Pod is unhealthy (liveness probe fails) → Kubernetes kills it and restarts
- Resource limit exceeded → Pod evicted, recreated with proper limits
- No manual "fix" needed. Just declare the desired state and let Kubernetes enforce it.
Layer 3c: GitOps (Declared State in Version Control)
GitOps takes it one step further: your desired infrastructure state is stored in Git, and an automated controller continuously reconciles the actual state to match.
Git repository (source of truth):
/prod/namespaces/default/deployments.yaml
/prod/namespaces/default/services.yaml
/prod/config/resource-limits.yaml
Flux/ArgoCD controller:
1. Every 60 seconds, poll Git repo
2. Compare desired state (in Git) with actual state (in cluster)
3. If different:
- kubectl apply -f
- Drift corrected
- Reconciliation logged
Result: Git is the authoritative source.
No manual kubectl apply.
Every change is tracked and auditable.
Rollback is just `git revert`. This is profound for autonomous operations. Remediation is not a custom script that "tries to fix things." Remediation is: "restore the known-good configuration from Git."
The Immutable Infrastructure Workflow
┌─────────────────────────────────────────────────┐
│ Developer pushes code change │
└──────────────────┬────────────────────────────────┘
│
┌──────────▼──────────┐
│ CI pipeline │
│ - Build │
│ - Test │
│ - Build image │
│ - Push to registry │
└──────────┬──────────┘
│
┌──────────▼──────────────────────┐
│ Git: Update manifest │
│ spec.image = my-service:v1.2.4 │
└──────────┬──────────────────────┘
│
┌──────────▼──────────────────────┐
│ GitOps Controller detects change │
│ (Flux/ArgoCD) │
└──────────┬──────────────────────┘
│
┌──────────▼──────────────────────┐
│ Kubernetes: │
│ - New pods from new image │
│ - Old pods gradually terminated │
│ - Health checks verify new pods │
│ - Traffic shifted to new version │
└──────────┬──────────────────────┘
│
┌──────────▼──────────────────────┐
│ Observability: Monitor │
│ - Error rate │
│ - Latency │
│ - Resource usage │
└──────────┬──────────────────────┘
│
┌──────────▼──────────────────────┐
│ If SLO breached: │
│ - Auto-rollback (Flux updates │
│ Git to previous image) │
│ - Remediation complete │
└──────────────────────────────────┘Drift Detection and Self-Healing
The beauty of GitOps is that it automatically detects and corrects drift. But what is drift?
Drift: When actual state diverges from desired state.
Example drifts and auto-correction:
- A pod is manually deleted → GitOps creates a new one
- Resource limits are manually changed → GitOps resets them
- Someone manually patches a config file → GitOps overwrites it
- A secret is manually rotated → GitOps restores from Git
The system does not ask for permission. It corrects.
Every correction is logged and observable.This requires trust in your desired state (which is why Git is the single source of truth). It also requires observability to verify corrections worked.
Common Pitfalls and Anti-Patterns
Immutable containers with mutable state. You cannot restart a container if it stores data locally. If your container writes to /data/app.db and that directory is not backed by a volume, restarting the container loses the data.
Solution: externalize state. Store data in databases, object storage, or persistent volumes. The container itself is stateless.
GitOps without proper RBAC. If anyone with cluster access can also merge to the main branch, you have given up on auditability. Use proper Git access controls. Use branch protection. Require review for production changes.
Immutable infrastructure that is actually mutable. If your Dockerfile includes "apt-get update && apt-get upgrade," your image is not actually immutable—it changes every time it is built. Pin versions explicitly.
Overly aggressive drift correction. If GitOps corrects every drift immediately, you cannot test changes in production. Some organizations allow manual changes for investigation, but automatically revert after a time window (e.g., 1 hour).
Immutable Infrastructure Enables the Entire Stack
Without immutable infrastructure, the previous layers are constrained:
- Runbook automation (Layer 1) can restart services, but cannot be confident they will come back correctly.
- SLO control loops (Layer 2) can trigger auto-rollback, but rolling back a mutable system is risky and slow.
With immutable infrastructure:
- Remediation is safe (replace component from known-good image)
- Rollback is simple (Git revert, re-deploy)
- Scaling is reliable (all new instances identical to existing ones)
- Self-healing actually works (no hidden state to worry about)
The Migration Path
Moving to immutable infrastructure is not an all-or-nothing proposition. Most organizations transition gradually:
- Phase 1: Containerize applications (Docker)
- Phase 2: Orchestrate with Kubernetes
- Phase 3: Define infrastructure as code (Helm, Kustomize)
- Phase 4: Adopt GitOps for drift correction (Flux, ArgoCD)
- Phase 5: Automated remediation fully confident in immutable base
Organizations at Phase 3 have made significant progress. Phase 4-5 is where autonomous operations becomes truly reliable.
Next in the Series
With observability, automation, control loops, and immutable infrastructure in place, the final layer is Human Oversight: redesigning the human role for a system that mostly governs itself. Read Layer 4.
At AIDARIS, we help organizations build immutable infrastructure that actually works and gain the confidence to automate remediation on top of it. If you are transitioning from mutable to immutable and uncertain about the path forward, we'd like to help.