Flux OpenShift installation

How to configure Flux for OpenShift

First copy the scc.yaml manifest to the flux-system directory. It contains the RBAC needed to allow the Flux controllers to run as non-root on OpenShift.

Then add scc.yaml to the resources and the following patches to the flux-system kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
  - scc.yaml
patches:
  - patch: |
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: all
      spec:
        template:
          spec:
            securityContext:
              $patch: delete
            containers:
              - name: manager
                securityContext:
                  runAsUser: 65534
                  seccompProfile:
                    $patch: delete
    target:
      kind: Deployment
      labelSelector: app.kubernetes.io/part-of=flux
  - patch: |-
      - op: remove
        path: /metadata/labels/pod-security.kubernetes.io~1warn
      - op: remove
        path: /metadata/labels/pod-security.kubernetes.io~1warn-version
    target:
      kind: Namespace
      labelSelector: app.kubernetes.io/part-of=flux

Finally, push the changes to the Git repository and run flux bootstrap.
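A quick way to confirm that the two patches actually took effect once flux bootstrap has finished is to inspect the live objects rather than trusting the kustomization. The script below is an added example, not part of the Flux project or its documentation. It reads the v1 List that `kubectl get deployments,namespace -n flux-system -o json` prints (pass the saved JSON as the first argument) and reports every Flux Deployment that still carries a pod-level securityContext, a manager container without runAsUser 65534, or a seccompProfile, and every Flux Namespace that still carries the pod-security warn labels. The two embedded samples are constructed stand-ins for that kubectl output, one matching the patched state and one matching the unpatched upstream manifests.

```python
"""Post-install check for the OpenShift patches to the Flux kustomization.

Added example; not Flux project code. Usage:
    kubectl get deployments,namespace -n flux-system -o json > flux.json
    python check_flux_openshift.py flux.json
Without an argument the constructed sample below is checked instead.
"""
import json
import sys

FLUX_LABEL = ("app.kubernetes.io/part-of", "flux")   # labelSelector used by both patches
EXPECTED_UID = 65534                                  # runAsUser set by the Deployment patch
PSS_LABELS = ("pod-security.kubernetes.io/warn",      # labels removed by the Namespace patch
              "pod-security.kubernetes.io/warn-version")


def labels_of(obj):
    return obj.get("metadata", {}).get("labels") or {}


def is_flux_object(obj):
    key, value = FLUX_LABEL
    return labels_of(obj).get(key) == value


def check_deployment(dep):
    """Findings for one Deployment; an empty list means the patch is fully applied."""
    findings = []
    name = dep["metadata"]["name"]
    pod_spec = dep.get("spec", {}).get("template", {}).get("spec", {})
    if "securityContext" in pod_spec:
        findings.append(f"{name}: pod-level securityContext still present")
    for container in pod_spec.get("containers", []):
        if container.get("name") != "manager":
            continue
        sc = container.get("securityContext") or {}
        if sc.get("runAsUser") != EXPECTED_UID:
            findings.append(f"{name}: manager runAsUser is {sc.get('runAsUser')}, "
                            f"expected {EXPECTED_UID}")
        if "seccompProfile" in sc:
            findings.append(f"{name}: manager seccompProfile still present")
    return findings


def check_namespace(ns):
    name = ns["metadata"]["name"]
    return [f"namespace {name}: label {lbl} still present"
            for lbl in PSS_LABELS if lbl in labels_of(ns)]


def check_list(obj_list):
    """Walk a kubectl v1 List and collect findings for every Flux-labelled object."""
    findings = []
    for item in obj_list.get("items", []):
        if not is_flux_object(item):
            continue
        if item.get("kind") == "Deployment":
            findings.extend(check_deployment(item))
        elif item.get("kind") == "Namespace":
            findings.extend(check_namespace(item))
    return findings


def make_deployment(name, pod_sc=None, manager_sc=None):
    """Constructed minimal Deployment shaped like kubectl -o json output."""
    pod_spec = {"containers": [{"name": "manager", "image": f"ghcr.io/fluxcd/{name}"}]}
    if pod_sc is not None:
        pod_spec["securityContext"] = pod_sc
    if manager_sc is not None:
        pod_spec["containers"][0]["securityContext"] = manager_sc
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": "flux-system",
                         "labels": {FLUX_LABEL[0]: FLUX_LABEL[1]}},
            "spec": {"template": {"spec": pod_spec}}}


def make_namespace(extra_labels):
    return {"apiVersion": "v1", "kind": "Namespace",
            "metadata": {"name": "flux-system",
                         "labels": {FLUX_LABEL[0]: FLUX_LABEL[1], **extra_labels}}}


# Constructed sample of the expected state after the patches were applied.
SAMPLE_PATCHED = {"apiVersion": "v1", "kind": "List", "items": [
    make_deployment("source-controller", manager_sc={"runAsUser": EXPECTED_UID}),
    make_deployment("kustomize-controller", manager_sc={"runAsUser": EXPECTED_UID}),
    make_namespace({}),
]}

# Constructed sample of an unpatched install: pod-level securityContext kept,
# no runAsUser, seccompProfile kept, and the warn labels still on the namespace.
SAMPLE_UNPATCHED = {"apiVersion": "v1", "kind": "List", "items": [
    make_deployment("source-controller", pod_sc={"fsGroup": 1337},
                    manager_sc={"runAsNonRoot": True,
                                "seccompProfile": {"type": "RuntimeDefault"}}),
    make_namespace({lbl: "restricted" for lbl in PSS_LABELS}),
]}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_PATCHED
    problems = check_list(data)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

The exit status makes the script usable as a gate in a pipeline that runs right after bootstrap; any non-empty finding means the kustomization patches did not reach the live cluster.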

OperatorHub

Flux can be installed on a Red Hat OpenShift cluster directly from OperatorHub using the Flux Operator.

The Flux Operator is an open-source project, part of the Flux ecosystem, that provides a declarative API for the lifecycle management of the Flux controllers on OpenShift.

First create a Subscription resource in the flux-system namespace to install the Flux Operator:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: flux-operator
  namespace: flux-system
spec:
  channel: stable
  name: flux-operator
  source: operatorhubio-catalog
  sourceNamespace: olm
  config:
    env:
      - name: DEFAULT_SERVICE_ACCOUNT
        value: "flux-operator"

Once the subscription has installed the operator, create a FluxInstance resource with .spec.cluster.type set to openshift:

apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
  annotations:
    fluxcd.controlplane.io/reconcileEvery: "1h"
spec:
  distribution:
    version: "2.x"
    registry: "ghcr.io/fluxcd"
  components:
    - source-controller
    - kustomize-controller
    - helm-controller
    - notification-controller
    - image-reflector-controller
    - image-automation-controller
  cluster:
    type: openshift
    multitenant: true
    networkPolicy: true
    domain: "cluster.local"
  sync:
    kind: GitRepository
    url: "https://my-git-server.com/my-org/my-fleet.git"
    ref: "refs/heads/main"
    path: "clusters/my-cluster"
    pullSecret: "flux-system"

For more information on how to configure the Flux instance, refer to the following resources: