GitOps with Flux and AWS CloudFormation Template Sync

Explore the world of GitOps with Flux and AWS CloudFormation Template Sync. This post dives deep into Flux, a powerful GitOps tool, and introduces the AWS CloudFormation Template Sync Controller. Learn how to configure the controller, manage AWS CloudFormation templates using Flux, and understand various security considerations and best practices.



Managing Kubernetes clusters and their configurations can be a complex task. GitOps, a modern approach to handling cluster management, has gained significant popularity. It revolves around using Git as the single source of truth for storing both application and infrastructure configurations. Flux, a powerful GitOps tool, seamlessly integrates with Kubernetes to enable automated configuration updates and deployments.

In this blog post, we will dive deep into Flux and introduce the AWS CloudFormation Template Sync Controller, which allows you to manage AWS CloudFormation templates using Flux. We will then discuss how to configure the controller and explore various security considerations and best practices to help you master GitOps with Flux.

Understanding Flux and its capabilities

Flux is a powerful tool that brings GitOps to both applications and infrastructure management. It supports multi-tenancy, multi-cluster management, and seamlessly integrates with the Kubernetes ecosystem. Key Flux features include:

  • Support for Kustomize and Helm configurations

  • Integration with Kubernetes RBAC for access control

  • Health assessments for clusters and workloads

  • Dependency management for infrastructure and workloads

  • Alerting to external systems like Slack

  • Integration with Git providers and CI/CD workflow providers

Setting up the AWS CloudFormation Template Sync Controller with Flux

To get started with the AWS CloudFormation Template Sync Controller, you need a Kubernetes cluster with Flux installed and configured. The controller also needs AWS credentials that carry an IAM policy allowing it to manage CloudFormation stacks, and write access to an S3 bucket where it stages the templates it pulls from Git before creating or updating stacks.

Prerequisites

  • A Kubernetes cluster with Flux installed (See Flux documentation for installation instructions)

  • AWS credentials for the controller: an IAM role assumed through IRSA on EKS (recommended), or static access keys supplied as environment variables or a mounted file, with an IAM policy attached in either case

  • An Amazon S3 bucket for storing CloudFormation templates

Step 1. Register the CloudFormation controller repository with Flux

To begin, create a `cfn-controller-source.yaml` file in your Flux configuration repository. The contents of the controller file should resemble the following:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: aws-cloudformation-controller-for-flux
  namespace: flux-system
spec:
  interval: 1h
  timeout: 60s
  ref:
    branch: main
  url: https://github.com/awslabs/aws-cloudformation-controller-for-flux

Pin `.spec.ref` to a specific controller release (`tag:`) or commit (`commit:`) rather than tracking `branch: main` as in the snippet above. With a branch ref, every commit pushed to the upstream repository is pulled into `flux-system` on the next reconcile and deployed with the controller's cluster and AWS permissions, so the upstream branch becomes part of your trust boundary.

Step 2. Deploy the CloudFormation controller using Flux

Create a file named `cfn-controller.yaml` in your Flux configuration repository and provide the necessary configurations. The contents depend on your chosen credential provisioning method (IAM roles, environment variables, or a mounted file). Update the file with the appropriate values for your region and S3 bucket.

For example, if you use short-lived IAM role credentials through IRSA on an EKS cluster (recommended), your `cfn-controller.yaml` would look like this:

apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: aws-cloudformation-controller-for-flux
  namespace: flux-system
spec:
  interval: 5m
  path: ./config/default
  prune: true
  wait: true
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: aws-cloudformation-controller-for-flux
  patches:
    - patch: |
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: cfn-controller
          annotations:
            eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/AWSCloudFormationControllerFluxIRSARole
      target:
        kind: ServiceAccount
        name: cfn-controller
    - patch: |
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: cfn-controller
        spec:
          template:
            spec:
              containers:
              - name: manager
                env:
                  - name: AWS_REGION
                    value: "us-west-2"
                  - name: TEMPLATE_BUCKET
                    value: "my-cloudformation-templates-bucket"
      target:
        kind: Deployment
        name: cfn-controller

Follow the steps outlined in the provided installation guide to complete the CloudFormation controller deployment, validate its functionality, and enable Flux notifications.
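The role ARN and bucket name patched into Step 2 have to exist before the controller starts reconciling. The CloudFormation template below is an added example, not something shipped by the controller project or shown in the original post: it creates both with the narrowest trust relationship that still lets IRSA work, so that only the `cfn-controller` service account in `flux-system` can assume the role. The OIDC issuer host, the account ID and the bucket name are placeholders to replace with your own; the list of `cloudformation:` actions is my assumption about what the controller needs and should be reconciled against its installation guide.

```yaml
# cfn-controller-iam.yaml (added example). Deploy once, out of band, e.g.:
#   aws cloudformation deploy --template-file cfn-controller-iam.yaml \
#     --stack-name cfn-controller-iam --capabilities CAPABILITY_NAMED_IAM
AWSTemplateFormatVersion: "2010-09-09"
Description: IRSA role and template bucket for the CloudFormation controller for Flux

Parameters:
  TemplateBucketName:
    Type: String
    Default: my-cloudformation-templates-bucket   # placeholder, matches Step 2

Resources:
  TemplateBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref TemplateBucketName
      # Staged templates are input to stack operations; keep them private,
      # encrypted and versioned so a tampered upload can be traced and reverted.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled

  ControllerRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationControllerFluxIRSARole   # the ARN used in Step 2
      # Trust policy: the OIDC issuer host (placeholder below, appears three times)
      # comes from `aws eks describe-cluster --query cluster.identity.oidc.issuer`
      # with the https:// prefix removed. The :sub condition is what ties the
      # role to exactly one service account; without it any pod in the cluster
      # with a projected token could assume the role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": sts.amazonaws.com
                "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": system:serviceaccount:flux-system:cfn-controller
      Policies:
        - PolicyName: cfn-controller
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Stage templates in the bucket and let CloudFormation read them
              # back (it fetches TemplateURL with the caller's identity).
              # No ListBucket, no DeleteObject.
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                Resource: !Sub arn:${AWS::Partition}:s3:::${TemplateBucketName}/*
              # Stack lifecycle in this account and region only. Assumed action
              # list; reconcile with the controller's installation guide.
              - Effect: Allow
                Action:
                  - cloudformation:CreateChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeStacks
                  - cloudformation:DeleteStack
                  - cloudformation:ContinueUpdateRollback
                Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*

Outputs:
  ControllerRoleArn:
    Description: Value for the eks.amazonaws.com/role-arn annotation in Step 2
    Value: !GetAtt ControllerRole.Arn
```

One thing this template deliberately does not hide: CloudFormation provisions the resources declared in your templates with the permissions of whatever identity runs the stack operation, unless a separate CloudFormation service role is in use. That means the resource types your synced templates create (queues, buckets, IAM roles, and so on) must also be allowed on this role, and the role grows with your templates. Keep it scoped to those types and to your own account, and treat the ability to create `CloudFormationStack` objects in the cluster as equivalent to holding this role.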

Security Considerations and Recommendations for Flux and AWS CloudFormation Template Sync

When using Flux alongside the AWS CloudFormation Template Sync Controller, it is crucial to follow security best practices and to grant both the controller and its users only the permissions they need.

For Kubernetes cluster security, follow these Flux project guidelines:

  • Adhere to Flux’s recommended security practices for shared cluster multi-tenancy

  • Implement node isolation and network isolation for the Flux components and the CloudFormation controller; the controller pod holds the AWS credentials (the IRSA token in the setup above), so it deserves at least the same isolation as the Flux controllers themselves

For user permissions within Kubernetes, grant users the least privilege they need to interact with the CloudFormation controller, which in practice means namespaced access to the controller's `CloudFormationStack` custom resource and to the Git sources it reads, not cluster-wide rights. The controller project provides two sample Kubernetes roles that grant this kind of access. Keep in mind that the controller runs with a single IAM role regardless of which namespace a stack object lives in, so Kubernetes RBAC on those objects is the only boundary between teams on the AWS side.
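Here is what that least-privilege setup looks like for one team, as an added example rather than the project's own sample roles: a namespaced Role covering only the controller's custom resource and the team's own Git sources, its binding, and the objects the team can then create. The API group `cloudformation.contrib.fluxcd.io`, the `CloudFormationStack` field names, the `team-a` namespace, the `team-a-developers` group and the repository URL are my assumptions; confirm the first two with `kubectl api-resources | grep cloudformation` and `kubectl explain cloudformationstack.spec` before relying on them.

```yaml
# team-a-cfn-access.yaml (added example; not from the controller project)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cfn-stack-editor
  namespace: team-a
rules:
  # Full lifecycle of CloudFormationStack objects in this namespace only.
  # Anything the controller's IAM role can do, this team can now request,
  # so this Role is the real permission boundary for the team in AWS.
  - apiGroups: ["cloudformation.contrib.fluxcd.io"]   # assumed API group
    resources: ["cloudformationstacks"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read-only status so the team can see reconciliation results
  - apiGroups: ["cloudformation.contrib.fluxcd.io"]
    resources: ["cloudformationstacks/status"]
    verbs: ["get"]
  # The team manages its own Git sources; nothing in flux-system is reachable
  - apiGroups: ["source.toolkit.fluxcd.io"]
    resources: ["gitrepositories"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-cfn-stack-editors
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-developers   # assumed group name from your identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cfn-stack-editor
  apiGroup: rbac.authorization.k8s.io
---
# What the team can then create: a source holding their templates ...
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: team-a-cfn-templates
  namespace: team-a
spec:
  interval: 5m
  url: https://github.com/example-org/team-a-cfn-templates   # placeholder URL
  ref:
    branch: main
---
# ... and a stack synced from a template file in that source. Field names are
# my reading of the controller's CRD; check with kubectl explain.
apiVersion: cloudformation.contrib.fluxcd.io/v1alpha1
kind: CloudFormationStack
metadata:
  name: team-a-queue
  namespace: team-a
spec:
  stackName: team-a-queue
  templatePath: ./templates/queue.yaml   # path inside the GitRepository
  sourceRef:
    kind: GitRepository
    name: team-a-cfn-templates           # same namespace as the stack object
  interval: 1h
  retryInterval: 5m
  stackParameters:
    - key: QueueName
      value: team-a-orders
```

Two things to check once this is applied. First, run `kubectl auth can-i create cloudformationstacks --as-group team-a-developers --as someone -n flux-system`; it must answer `no`, otherwise the binding has leaked beyond the team's namespace. Second, the `stackName` is a global name in the AWS account, so without a naming convention (or a policy condition on the stack ARN in the controller's IAM role) one team can reconcile another team's stack simply by reusing its name.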

Additional Resources

For more information, I would suggest reading the official documentation for both projects:

Conclusion

Flux and the AWS CloudFormation Template Sync Controller provide a comprehensive GitOps solution for managing both applications and infrastructure in Kubernetes. With automated updates and region-aware deployments, these tools make cluster management easier and more efficient. By following the outlined steps and adhering to security best practices, you can successfully harness the power of GitOps to streamline your workflow and improve your Kubernetes cluster management.

