FeatureRequest: Kubernetes warnings reported through Flux

[mob-galtryn]

We are running Flux in a multi-tenancy environment and would like to make kubernetes warnings available to the users when they deploy an application.

An example of this Pod Security Admission, when a non-compliant deployment is created via kubectl any warnings are returned and when deployed through Flux the warnings are recorded in the controller logs. However our users do not have access to controller logs and so are blind to these warnings, could these be reported back via Flux events so users can see any warnings generated by their deployments.

[matheuscscp]

These logs are not printed by Flux itself, but by libraries it uses. Flux cannot tap into those logs

[Cajga]

Hi @matheuscscp, seeing warnings that affect deployments that done through flux would be very useful.

Errors make it to the kustomization or helmrelease CRs so users can see them and fix these. Wouldn't there be a way for "warnings" to get "attached" to the CRs (events or extra status field or ...)? Apparently, client-go allows to have custom handling of warning messages, could this be helpful?

[matheuscscp]

Can you please post here some of these warnings as they show up in your logs?

[Cajga]

Sure... So, here is a simple deployment that does not meet the requirement of restricted PSS:

$ cat deployment-psstest.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: rester
    app.kubernetes.io/name: rester
    app.kubernetes.io/part-of: rester
    app.kubernetes.io/version: 0.2.7
  name: rester-psstest
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: rester
      app.kubernetes.io/name: rester
  strategy: {}
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: rester
        app.kubernetes.io/name: rester
    spec:
      containers:
      - image: registry.example.com/rester/rester:0.2.7
        name: rester
        resources:
          limits:
            cpu: 1
            memory: 1Gi
            ephemeral-storage: 1Gi
          requests:
            cpu: 1
            memory: 1Gi
            ephemeral-storage: 1Gi
      imagePullSecrets:
      - name: private-registry-auth

When you apply this to a namespace that has the pod-security.kubernetes.io/warn: restricted and pod-security.kubernetes.io/warn-version: latest labels with kubectl apply you get the following message:

$ kubectl apply -f deployment-psstest.yaml -n app-rester-kustomize-dev
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "rester" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "rester" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "rester" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "rester" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/rester-psstest created

If you do the same with flux the deployment is successful and you only see these messages in the kustomization controller:

$ kubectl logs -n flux-system kustomize-controller-7d459fcdd4-wxhmv |grep -i kustomize-dev|grep "would violate PodSecurity"|jq
{
  "level": "info",
  "ts": "2026-02-02T16:57:28.951Z",
  "msg": "would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"rester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"rester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"rester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"rester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")",
  "controller": "kustomization",
  "controllerGroup": "kustomize.toolkit.fluxcd.io",
  "controllerKind": "Kustomization",
  "Kustomization": {
    "name": "rester-on-gitlabx",
    "namespace": "gitops-rester-kustomize-dev"
  },
  "namespace": "gitops-rester-kustomize-dev",
  "name": "rester-on-gitlabx",
  "reconcileID": "e91c420d-68d3-423a-b11c-9354bba58654"
}

NOTE: As you know, PSS warnings are not the only use case. K8s API warns clients on deprecations... We use them with validating admission policies (we warn on the dev platform and enforce on test and prod), etc.

[matheuscscp]

We use the controller-runtime client, not client-go directly, so controller-runtime would need to support this for us to consider this feature

[Cajga]

@matheuscscp , I am not a dev but it may does:

• https://github.com/kubernetes-sigs/controller-runtime/blob/v0.23.1/pkg/client/client.go#L95
• https://github.com/kubernetes-sigs/controller-runtime/blob/v0.23.1/pkg/client/client.go#L141

And it seems this is their default implementation (in case no custom is set):

• https://github.com/kubernetes-sigs/controller-runtime/blob/v0.23.1/pkg/log/warning_handler.go

Or, am I wrong?

[matheuscscp]

Cool, next thing is checking if Helm would support a similar thing, as we want consistency for the Flux applier controllers

If Helm also supports this, an RFC for discussing how to implement this feature in both kustomize-controller and helm-controller would be needed

[Cajga]

I did my best but I run into the limitation of my Go knowledge. Then I tried to rely on Copilot but it did not give me a result that I could verify myself. Let me put here the summary of it's answer (again, I have no clue if this is any helpful):

Helm uses k8s client-go types (it uses *rest.Config in many places) but it does not re-export or wrap rest.SetDefaultWarningHandler. You can call k8s.io/client-go/rest.SetDefaultWarningHandler(...) from your own program and that will affect client-go behavior used by Helm in the same process.

@matheuscscp, maybe you could check the helm part?

[mehrdadbn9]

Hi, I'd like to work on adding Kubernetes warnings to the repository. This feature request improves visibility. Could a maintainer please assign it to me? Thank you!

[matheuscscp]

@mehrdadbn9 Done

[matheuscscp]

@mehrdadbn9 Lets finish this PR first: fluxcd/pkg#1131