2023-04-20-fluxcd2-kustomization-delegation-caveats

← 2023-08-13-k3s-i-want-a-rootless-cluster-with-bgp-damn-it | posts | 2023-03-27-k8s-cluster-step-ca-from-scratch →

Hi,

when you use fluxcd2 to allow teams/apps to be seperated into namesapces and wanna use Principle of least Privilege/limit to the target namespace, be careful with the following:

Errors around secrets are masked as "error: data values must be of type string" as per (this discussion)[https://github.com/fluxcd/flux2/discussions/2355]
- disable/remove them for testing, otherwhise you can't debug, this is a gross UX issue.
You apply the kustomization(kustomize.toolkit.fluxcd.io/v1beta1) referencing the remote repo/stuff the following mess of namespaces apply:
- the resource itself
  - goes into namespace A
- targetNamespace
  - should place stuff into namespace B
- telling it to use a "serviceAccountName"
  - needs to exist in namespace A but needs to have permission in namespace B
- use decryption
  - secretRef for that needs to be in namespace A

More to be followed