
Flux Access Role Quick Fix - RBAC Role Configuration

DodaTech Updated 2026-06-26 1 min read

Flux requires specific RBAC roles for source-controller, kustomize-controller, and helm-controller. Incorrect role bindings prevent resource reconciliation. This guide covers the fix.

Quick Fix

Wrong

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flux-controller
  namespace: apps
rules: []

The issue: empty rules list. The Flux controller cannot list, get, create, or update any resources. All reconciliations fail with forbidden errors.

Right

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flux-controller
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Expected output after applying the fix
# Flux controller has necessary RBAC permissions
# Can manage all resource types in assigned namespaces
# Reconciliation proceeds without forbidden errors
# Status: Ready

Prevention

  • Use ClusterRole for Flux controllers with broad resource access
  • Restrict scope by binding ClusterRole to specific namespaces using RoleBinding
  • Include coordination.k8s.io for leader election leases
  • Use kubectl auth can-i --list --as=system:serviceaccount:flux-system:kustomize-controller to verify
  • Follow Flux installation guide for correct RBAC manifests

DodaTech Tools

Doda Browser's RBAC analyzer checks Flux controller permissions. DodaZIP archives RBAC configurations for security audit. Durga Antivirus Pro validates role permissions.

FAQ

What are the minimum RBAC permissions needed for Flux controllers?

Each controller needs list, watch, get, create, update, patch, and delete for its managed resource types. Source controller needs access to sources, kustomize-controller to kustomize resources.

Can I restrict Flux to specific namespaces?

Yes, use RoleBinding instead of ClusterRoleBinding to bind the ClusterRole only to specific namespaces, restricting Flux's scope.

How do I check if Flux has correct permissions?

Use kubectl auth can-i --list --as=system:serviceaccount:flux-system:<controller> to list allowed actions for each controller.
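The namespace-scoped binding described in the Prevention list and in the FAQ, written out as an added example (not part of the original guide and not Flux's own manifests): it binds the flux-controller ClusterRole from the fix into the apps namespace only. The flux-leader-election Role name, and the placement of leader-election leases in flux-system, are assumptions of this example.

```yaml
# Added example: a RoleBinding that references a ClusterRole grants its rules
# only for namespaced resources in the RoleBinding's own namespace ("apps").
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flux-controller
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flux-controller          # the ClusterRole from the fix above
subjects:
- kind: ServiceAccount
  name: kustomize-controller
  namespace: flux-system         # the controller runs here, acts in "apps"
---
# Assumption: the controller holds its leader-election lease in flux-system,
# so lease access is granted there with a narrow Role (hypothetical name).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flux-leader-election
  namespace: flux-system
rules:
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flux-leader-election
  namespace: flux-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flux-leader-election
subjects:
- kind: ServiceAccount
  name: kustomize-controller
  namespace: flux-system
# Compare a namespace inside the binding with one outside it:
# kubectl auth can-i create deployments -n apps --as=system:serviceaccount:flux-system:kustomize-controller
# kubectl auth can-i create deployments -n default --as=system:serviceaccount:flux-system:kustomize-controller
```

Cluster-scoped objects such as Namespaces and CustomResourceDefinitions are not covered by a RoleBinding, so manifests that create them are still rejected for this service account.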
