Back to Flux

Flux Security

View Flux Security Documentation

Review Flux's compliance certifications, audit logs, access controls, and security architecture.

View Flux Security Documentation

Enterprise-grade security.

Disclosure: We may earn a commission if you purchase through this link, at no extra cost to you. Learn more.

Flux Security Overview

Flux implements multiple security layers designed for production Kubernetes environments. Security features include OIDC authentication integration, Kubernetes-native RBAC, OCI artifact signing and verification, and supply chain security through integration with Sigstore/Cosign and Notary. Flux follows Kubernetes security best practices with minimal required permissions and pod security context configurations.

Authentication and Authorization

Flux leverages Kubernetes native RBAC for authorization, inheriting the cluster's built-in access controls. OIDC integration allows centralized authentication through providers like Azure AD, Okta, and Keycloak. Flux controllers run with minimal required permissions following the principle of least privilege. Service accounts can be configured with specific roles and role bindings for fine-grained access control per controller.

Supply Chain Security

Flux supports supply chain security through OCI artifact signing and verification using Cosign and Notary. Container images and configuration artifacts can be signed and verified during the reconciliation process. Flux integrates with Sigstore for keyless signing and transparency log verification. This ensures that only trusted and verified artifacts are deployed to production clusters, meeting compliance requirements for software supply chain integrity.

Secure Communication

Flux controllers communicate with Git repositories, container registries, and Kubernetes API servers using TLS-encrypted connections. Webhook receivers can be configured with HMAC verification for secure event processing. OCI artifact distribution supports mutual TLS and mTLS for secure artifact transfer. Network policies can restrict controller communication to only required endpoints.

Secrets Management

Flux can integrate with external secrets management solutions through the Kubernetes External Secrets Operator, Sealed Secrets, or SOPS. Git repository credentials and registry authentication are managed through standard Kubernetes secrets. Flux supports SOPS-encrypted files in Git repositories for storing sensitive configuration data securely. The Mozilla SOPS integration allows encryption of secrets at rest in Git with AWS KMS, GCP KMS, Azure Key Vault, or age encryption.

Compare Flux with Alternatives

See how Flux stacks up against competitors across features, pricing, and user reviews.

Trusted by thousands of DevOps teams. Read verified reviews before you buy.

Related Links