Flux multi-tenancy concern #4935
I have enabled Flux multi-tenancy from the community Helm chart and I have a strange situation (maybe this is normal). I create a Kustomization in namespace flux-central with serviceAccountName flux-central; this Kustomization's role is to deploy ConfigMaps in the flux-apps namespace. When I apply the Kustomization, it shows a dry-run error message that the service account flux-central is not able to spawn ConfigMaps in flux-apps, which is perfect. When I assign the role cluster-admin in namespace flux-apps to the flux-central svc, then it works fine. The strange thing is that this service account flux-central is not even there. So the dry run makes sense, but now I am wondering which service account is actually applying the resources. Does the whole multi-tenancy just happen in the dry run, with the resources then being applied using some other service account? Sorry for my long question, I just wanted to understand how this works.
How did you assign the role?
Flux uses the Kubernetes impersonation API. This API relies on bindings; it will not look for SA objects. It is a good practice to create the SA, but it is not required at apply time.
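
Added example, not part of the discussion or of the Flux project's manifests: the binding that impersonation is evaluated against for this setup, scoped to ConfigMaps in flux-apps instead of cluster-admin, with the ServiceAccount object created explicitly. The Role and RoleBinding names and the verb list are assumptions; the namespaces and the service account name are the ones from the question.

```yaml
# ServiceAccount object: not needed for impersonated applies to be authorized,
# but creating it keeps the identity visible and auditable in the tenant namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flux-central
  namespace: flux-central
---
# Role limited to the one resource type the Kustomization deploys.
# Name "configmap-deployer" and the verb list are assumptions for this example.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-deployer
  namespace: flux-apps
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# RBAC matches on the subject (kind, name, namespace) in the binding.
# It does not check that the ServiceAccount object exists, which is why the
# apply succeeded in the question once a binding was present.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flux-central-configmaps   # assumed name
  namespace: flux-apps
subjects:
  - kind: ServiceAccount
    name: flux-central
    namespace: flux-central
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-deployer
# Verify what the impersonated identity can do (run as a cluster admin):
#   kubectl auth can-i create configmaps -n flux-apps \
#     --as=system:serviceaccount:flux-central:flux-central
#   kubectl auth can-i create secrets -n flux-apps \
#     --as=system:serviceaccount:flux-central:flux-central
# With only the binding above, the first check should answer "yes" and the
# second "no", whether or not the ServiceAccount object has been created.
```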