What RBAC permissions are required for flux check to run successfully?

[attributeerror]

I'm trying to create a GitHub Actions workflow that automatically updates FluxCD to the latest version, but it should also check prerequisites and installation requirements before creating the pull request - if the latest Flux version isn't compatible, the pull request to upgrade it shouldn't be created.

When running flux check on my own terminal using my full-access user, it runs successfully and gives me the expected output. However, when running it on the service account that I've defined with restricted RBAC permissions it hangs on each component before saying the deployment isn't ready.

In my terminal:

In GitHub Actions:

The ClusterRole looks like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: github-actions-role
rules:
- apiGroups:
  - notification.toolkit.fluxcd.io
  - source.toolkit.fluxcd.io
  - helm.toolkit.fluxcd.io
  - image.toolkit.fluxcd.io
  - kustomize.toolkit.fluxcd.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  - apps
  resources:
  - 'deployments'
  - 'customresourcedefinitions'
  verbs:
  - get
  - list
  - watch
- apiGroups: [""]
  resources:
  - 'pods'
  verbs:
  - get
  - list
  - watch

Has anyone done this before and, if so, what RBAC permissions are required for this command to access the resources it needs?

[stefanprodan]

Try with the deployments and CRDs as separate entries

[attributeerror]

Thanks for the response, @stefanprodan! I've made the change you suggested, resulting in the below ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: github-actions-role
rules:
- apiGroups:
  - notification.toolkit.fluxcd.io
  - source.toolkit.fluxcd.io
  - helm.toolkit.fluxcd.io
  - image.toolkit.fluxcd.io
  - kustomize.toolkit.fluxcd.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

This change didn't work, unfortunately - any other ideas?

[stefanprodan]

You also need replicasets. Are you sure there is a ClusterRoleBinding for this role and the SA of the gh runner?

[attributeerror]

Yep, here's the ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: github-actions-rolebinding
subjects:
  - kind: ServiceAccount
    name: github-actions
    namespace: default
roleRef:
  kind: ClusterRole
  name: github-actions-role
  apiGroup: rbac.authorization.k8s.io

Adding replicasets as a resource group did the trick, thank you!!

[stefanprodan]

This is the RBAC needed for the Flux CLI commands that don't alter the cluster state such as flux get, flux events, flux check:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flux-view
rules:
- apiGroups:
  - source.toolkit.fluxcd.io
  - kustomize.toolkit.fluxcd.io
  - helm.toolkit.fluxcd.io
  - notification.toolkit.fluxcd.io
  - image.toolkit.fluxcd.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - events
  - namespaces
  verbs:
  - get
  - list
  - watch