This repository was archived by the owner on Jan 21, 2021. It is now read-only.
The team flux causes lots of 403 error events in the audit log #16
Open
Each time a namespaced team flux is running its sync it gets a bunch of 403 Forbidden from the API, cluttering the audit log with:
```json
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "20162fc3-bb05-458f-906e-8c3eb60f04a1",
  "stage": "ResponseComplete",
  "requestURI": "/apis/crd.k8s.amazonaws.com/v1alpha1/eniconfigs?labelSelector=fluxcd.io%2Fsync-gc-mark",
  "verb": "list",
  "user": {
    "username": "system:serviceaccount:team1:flux",
    "uid": "9b41e074-5dec-11ea-a627-06ab94fdafa0",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:team1",
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "10.41.72.187"
  ],
  "userAgent": "fluxd/v0.0.0 (linux/amd64) kubernetes/$Format",
  "objectRef": {
    "resource": "eniconfigs",
    "apiGroup": "crd.k8s.amazonaws.com",
    "apiVersion": "v1alpha1"
  },
  "responseStatus": {
    "metadata": {},
    "status": "Failure",
    "reason": "Forbidden",
    "code": 403
  },
  "requestReceivedTimestamp": "2020-06-17T13:36:10.116307Z",
  "stageTimestamp": "2020-06-17T13:36:10.116387Z",
  "annotations": {
    "authorization.k8s.io/decision": "forbid",
    "authorization.k8s.io/reason": ""
  }
}
```
I guess it's rooted in the cluster role flux-readonly. Is there anything we can do to improve the situation, or even have flux not check stuff without having permission?
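One way to measure how much of the audit noise follows the pattern in the event above, as an added example that is not part of the original issue or of the project's code: it counts 403 events from service accounts per API resource and marks those whose request carries the `fluxcd.io%2Fsync-gc-mark` selector. The sample lines, the `core` fallback label and all function names are constructed for illustration.

```python
import json
from collections import Counter

GC_MARK = "fluxcd.io%2Fsync-gc-mark"  # label selector seen in the issue's requestURI

def summarize_forbidden(lines, sa_prefix="system:serviceaccount:"):
    """Count 403 audit events per (service account, apiGroup, resource, verb, has_gc_mark)."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated lines in a rotated log
        if ev.get("stage") != "ResponseComplete":
            continue  # a request can be logged at several stages; count it once
        if ev.get("responseStatus", {}).get("code") != 403:
            continue
        user = ev.get("user", {}).get("username", "")
        if not user.startswith(sa_prefix):
            continue  # only service accounts, e.g. the per-team flux
        ref = ev.get("objectRef", {})
        key = (user, ref.get("apiGroup", "core"), ref.get("resource", "?"),
               ev.get("verb", "?"), GC_MARK in ev.get("requestURI", ""))
        counts[key] += 1
    return counts

def _sample(user, group, resource, code, uri):
    # Constructed event carrying only the fields the summary reads.
    return json.dumps({"stage": "ResponseComplete", "verb": "list", "requestURI": uri,
                       "user": {"username": user},
                       "objectRef": {"resource": resource, "apiGroup": group},
                       "responseStatus": {"code": code}})

FLUX = "system:serviceaccount:team1:flux"
ENI_URI = "/apis/crd.k8s.amazonaws.com/v1alpha1/eniconfigs?labelSelector=" + GC_MARK
SAMPLE_LINES = [  # constructed, modelled on the event in the issue
    _sample(FLUX, "crd.k8s.amazonaws.com", "eniconfigs", 403, ENI_URI),
    _sample(FLUX, "crd.k8s.amazonaws.com", "eniconfigs", 403, ENI_URI),
    _sample(FLUX, "apps", "deployments", 200,
            "/apis/apps/v1/namespaces/team1/deployments?labelSelector=" + GC_MARK),
    _sample("alice", "rbac.authorization.k8s.io", "clusterroles", 403,
            "/apis/rbac.authorization.k8s.io/v1/clusterroles"),
    '{"stage": "ResponseComplete", "verb": "li',  # truncated line, skipped
]

if __name__ == "__main__":
    for key, n in summarize_forbidden(SAMPLE_LINES).most_common():
        print(n, *key)
```

Run against a real audit log (one JSON event per line), the per-resource counts show which cluster-scoped resources the namespaced service account is being denied on and how often.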