FluxCD - Security¶
Evaluation Context
FluxCD differs fundamentally from ArgoCD's central RBAC matrix by delegating authorization entirely to strict native Kubernetes RBAC and ServiceAccount Impersonation.
1. Decision Matrix / RBAC¶
| Entity / Scope | Context | Target / Status |
|---|---|---|
| Kustomize Controller | Requires explicit namespace binding. | Defaults to --default-service-account=default |
| Multi-tenancy | Prevents GitOps escape via reference blocking. | MUST run --no-cross-namespace-refs=true |
| Impersonation | Reconciler execution context. | Reads .spec.serviceAccountName |
2. Threat Model & Extracted Constraints¶
Based on formal Context7 documentation review:
- Kubernetes RBAC Delegation: Unlike ArgoCD with Casbin, FluxCD forces the operators to write explicit RoleBindings per namespace. The controller impersonates the target tenant service account.
- Cross-Namespace Escape: By default, early implementations could reference secrets across namespaces. For hard multi-tenancy, you MUST pass --no-remote-bases=true and --no-cross-namespace-refs=true into the gotk-components deployment via Kustomize patches.