
I have recently been trying to get flux to work on an AKS I made from scratch, using this script that I made:

$rg = "fluxtestingaks"
$aks = "fluxaks"
$acr = "fluxaksacr"
$location = "uksouth"
$tenant = ""

# az writes errors to stderr and nothing to stdout, so an empty $output means the step failed
$output = az login --tenant $tenant
if (!$output) {
    Write-Error "Error logging in to azure"
    return
}

$output = az group create --name $rg --location $location
if (!$output) {
    Write-Error "Error creating resource group"
    return
}
$output = az acr create --resource-group $rg --name $acr --sku Basic
if (!$output) {
    Write-Error "Error creating azure container repository"
    return
}
# single small node, system-assigned managed identity, SSH keys generated if none exist
$output = az aks create -g $rg -n $aks --load-balancer-managed-outbound-ip-count 1 --enable-managed-identity --node-vm-size Standard_B2s --node-count 1 --generate-ssh-keys
if (!$output) {
    Write-Error "Error creating azure kubernetes cluster"
    return
}

$output = az aks update -g $rg -n $aks --enable-managed-identity
if (!$output) {
    Write-Error "Error creating azure system identity"
    return
}

Then I followed this documentation to get flux installed onto the AKS: https://fluxcd.io/flux/guides/image-update/

And I had to manually run this command to make flux install onto the AKS: flux install --components-extra="image-reflector-controller,image-automation-controller"

All was going well until I tried to apply or reconcile a Kustomization. I have been using this command: flux reconcile kustomization flux-system --with-source

But I get this error: ✗ Kustomization reconciliation failed: Namespace/flux-system dry-run failed, reason: Forbidden, error: namespaces "flux-system" is forbidden: User "system:serviceaccount:flux-system:flux-applier" cannot patch resource "namespaces" in API group "" in the namespace "flux-system"

I have spent some time researching what this could be and concluded that I need an RBAC policy for the flux-system user. No bother, so I made this YAML file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: flux-applier
  namespace: flux-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flux-permissions
  namespace: flux-system   # a Role is namespaced; without this it lands in whatever namespace kubectl defaults to
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flux-permissions
  namespace: flux-system
subjects:
- kind: ServiceAccount
  name: flux-applier
  namespace: flux-system   # explicit; defaults to the binding's namespace when omitted
  apiGroup: ""
roleRef:
  kind: Role
  name: flux-permissions
  apiGroup: rbac.authorization.k8s.io   # the only value accepted for roleRef (defaulted if left empty)

I have applied this to the Azure Kubernetes Cluster but I still get this same stupid error. Any help would be amazing thank you.


1 Answer


After posting this I worked out what was wrong. I was on the right track; what happened is I forgot to include the resources: "namespace" in my resources section of the rolebind.

Here is my complete code for future reference if anyone has an issue with this.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: flux-applier
  namespace: flux-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flux-permissions
  namespace: flux-system   # a Role is namespaced; without this it lands in whatever namespace kubectl defaults to
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods", "namespaces"]   # "namespaces" is the missing entry from the question
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flux-permissions
  namespace: flux-system
subjects:
- kind: ServiceAccount
  name: flux-applier
  namespace: flux-system   # explicit; defaults to the binding's namespace when omitted
  apiGroup: ""
roleRef:
  kind: Role
  name: flux-permissions
  apiGroup: rbac.authorization.k8s.io   # the only value accepted for roleRef (defaulted if left empty)
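As an added example that is not part of the question or the answer: a small POSIX shell helper that turns a Kubernetes RBAC "Forbidden" message like the one in the question into the `kubectl auth can-i` impersonation check that reproduces it, and into the single least-privilege rule that would satisfy it. The function names and the sample message are constructed for this illustration and are not Flux or kubectl APIs.

```shell
#!/bin/sh
# Added example (not from the question or answer): parse a Kubernetes RBAC
# "Forbidden" message into the kubectl impersonation check that reproduces it
# and the single least-privilege Role rule that would satisfy it. Pure text
# processing; nothing here talks to a cluster. Function names are invented.

# Constructed sample: the message from the question above.
SAMPLE_ERR='namespaces "flux-system" is forbidden: User "system:serviceaccount:flux-system:flux-applier" cannot patch resource "namespaces" in API group "" in the namespace "flux-system"'

# Print user|verb|resource|group|namespace extracted from the message
# (group is empty for the core API group). Prints nothing if it does not match.
rbac_fields() {
  printf '%s\n' "$1" | sed -nE \
    's/.*User "([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "([^"]*)" in the namespace "([^"]+)".*/\1|\2|\3|\4|\5/p'
}

# Emit the kubectl auth can-i command that asks the API server the same
# question while impersonating the denied subject.
rbac_check_cmd() {
  rbac_f=$(rbac_fields "$1")
  [ -n "$rbac_f" ] || return 1
  rbac_oldifs=$IFS; IFS='|'; set -- $rbac_f; IFS=$rbac_oldifs
  # $1 user, $2 verb, $3 resource, $4 api group, $5 namespace
  rbac_type=$3
  if [ -n "$4" ]; then rbac_type="$3.$4"; fi   # kubectl wants resource.group outside the core group
  printf 'kubectl auth can-i %s %s --as=%s -n %s\n' "$2" "$rbac_type" "$1" "$5"
}

# Emit the minimal Role rule: exactly the verb, resource and group that were denied.
rbac_min_rule() {
  rbac_f=$(rbac_fields "$1")
  [ -n "$rbac_f" ] || return 1
  rbac_oldifs=$IFS; IFS='|'; set -- $rbac_f; IFS=$rbac_oldifs
  printf 'rules:\n- apiGroups: ["%s"]\n  resources: ["%s"]\n  verbs: ["%s"]\n' "$4" "$3" "$2"
}

rbac_check_cmd "$SAMPLE_ERR"
rbac_min_rule "$SAMPLE_ERR"
```

The answer's Role grants every verb on pods, deployments and namespaces, while the error only needed patch on namespaces, which is all the generated rule contains. A Role in flux-system can grant access to the flux-system namespace object itself, but access to other namespaces needs a ClusterRole and ClusterRoleBinding.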