> It’s there so you’re not dependent on some bespoke VM state. It also allows you to do code review on infra changes like port numbers being exposed

That's simply not true.

Every Kubernetes cluster I have seen and used gives a lot more leeway for the runtime state to change than a basic Ansible/Salt/Puppet configuration, just due to the sheer number of components involved. Everything from Terraform to Istio and ArgoCD are all changed in their own little unique way with their unique possibilities for state changes.

Following GitOps in the Kubernetes ecosystem is something that requires discipline.

> environments where “maintenance downtime” is acceptable and there are only one or two people that actually adjust the configurations

Yes, because before Kubernetes that was how all IT was done? A complete clown show, amirite?