Skip to main content
Version: 0.8.1

User permissions

This is an explanation of the kubernetes permissions needed by users of the Weave GitOps application. As covered in service account permissions the primary way that the application interacts with the Kube API is via impersonation. This means that the permissions granted to the users and groups that Weave GitOps can impersonate determine the scope of actions that it can take within your cluster.

A minimal set of permissions are generated for the static cluster-user as part of the helm chart.

By default both a ClusterRole and Role are generated for the static cluster-user. Both have the same permissions with former being optional and the latter being bound to the flux-system namespace (where Flux stores its resources by default). The default set of rules fall into three groups, discussed below, they are:

# Flux Resources
- apiGroups: [""]
resources: [ "kustomizations" ]
verbs: [ "get", "list", "patch" ]
- apiGroups: [""]
resources: [ "helmreleases" ]
verbs: [ "get", "list", "patch" ]
- apiGroups: [""]
resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories" ]
verbs: [ "get", "list", "patch" ]
# Resources managed via Flux
- apiGroups: [""]
resources: ["secrets", "pods" ]
verbs: [ "get", "list" ]
- apiGroups: ["apps"]
resources: [ "deployments", "replicasets"]
verbs: [ "get", "list" ]
# Feedback
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "watch", "list"]

Flux Resources

The resources that Flux works with directly.

Api GroupResourcesPermissions
kustomize.toolkit.fluxcd.iokustomizationsget, list, patch
helm.toolkit.fluxcd.iohelmreleasesget, list, patch
source.toolkit.fluxcd.iobuckets, helmcharts, gitrepositories, helmrepositoriesget, list, patch

In order for Weave GitOps to be able to accurately display the state of Flux it needs to be able to query the CRDs that Flux uses. This is done using the get and list permissions

The patch permissions are used to enable the 'sync' functionality which forces reconciliation of a resource. This is done Weave GitOps modifying the annotations of the resource in the same way flux reconcile does on the CLI.

Resources managed via Flux

Api GroupResourcesPermissions
""secrets, podsget, list
appsdeployments, replicasetsget, list

Weave GitOps reads basic resources so that it can monitor the effect that Flux has on what's running.

Reading secrets enables Weave GitOps to monitor the state of Helm releases as that's where it stores the state by default. For clarity this these are the Helm release objects not the Flux HelmRelease resource (which are dealt with by the earlier section).

Feedback from Flux

The primary method by which Flux communicates the status of itself is by events, these will show when reconciliations start and stop, whether they're successful and information as to why they're not.