CoursesFluxAdvanced

Hardening Flux & the supply chain

Signed commits, verified images.

Advanced14 min · lesson 11 of 12

Hardening Flux spans the controllers, the Git trust, and the supply chain — and Flux’s design gives you strong tools for the last two. Run the controllers with least privilege (they ship with locked-down securityContexts; keep them), restrict them with NetworkPolicies, and use tenant impersonation so reconciliation is scoped. Then lean on verification: enable signed-commit verification on GitRepository sources and Cosign verification on OCIRepository/image sources so Flux only reconciles content from trusted identities.

Flux hardening layers
controllers
least-privilege SAs
scoped RBAC, netpol
impersonation
tenants reconcile as their SA
trust + supply chain
signed commits
verify at the source
Cosign on OCI/images
verify artifacts
admission policy
second gate in-cluster
Scope the controllers, verify everything Flux pulls, and keep an admission gate — even a trusted commit meets policy.

Git and the whole chain

Because Git is the deploy authority, the source repo needs production-grade protection — branch protection, required reviews, CODEOWNERS, and signed commits that Flux verifies. Store manifests and charts as signed OCI artifacts where you can, verify them, and pair Flux with admission policy (Kyverno/Gatekeeper) so a malicious or mistaken commit that passes source verification still hits a policy gate at admission. Defense in depth: verified source, scoped reconciliation, admission policy, and audited events via notifications.

Verification is available — not using it trusts the whole path
Flux can verify signed commits and signed OCI/image artifacts, but only if you configure it; by default it trusts whatever the source serves. For anything sensitive, turn on source verification so unsigned or wrongly-signed content is refused before it reconciles, protect the Git repo like production, and keep an admission policy as a backstop. Flux gives you a genuinely strong supply-chain posture — but it is opt-in, so opt in.