Flux Web UI Actions

The Flux Web UI provides interactive actions that allow users to manage Flux resources and Kubernetes workloads directly from the browser. Actions include triggering reconciliations, suspending and resuming resources, downloading artifacts, restarting workloads, running jobs, and deleting pods.

Actions are only available when authentication is configured. Each action requires specific RBAC permissions granted through Kubernetes ClusterRole or Role resources. The Flux Operator ships with two predefined roles: flux-web-user (read-only) and flux-web-admin (full access including actions). See the Role-Based Access Control section for details on assigning roles to users and groups.

GitOps Actions

GitOps actions operate on Flux resources such as Kustomizations, HelmReleases, and source resources. These actions are available on the resource detail page for all reconcilable Flux resources.

Reconcile

The Reconcile action triggers an immediate reconciliation of a Flux resource, bypassing the regular reconciliation interval. For HelmRelease and ResourceSetInputProvider resources, a force request is also added to ensure the reconciliation runs even when no changes are detected or the schedule hasn’t elapsed.

RBAC

Requires the reconcile and patch verbs on the target resource. For example, to allow reconciling Kustomizations, the user needs reconcile and patch on kustomizations in the kustomize.toolkit.fluxcd.io API group.

Pull

The Pull action reconciles the upstream source (GitRepository, OCIRepository, Bucket, or HelmChart) of a Kustomization or HelmRelease. This is useful when you want to fetch the latest changes from the source repository without waiting for the source’s reconciliation interval.

The Pull action is not available when the resource or its source is suspended, or when the source is an ExternalArtifact.

RBAC

Requires the reconcile and patch verbs on the source resource. For example, to pull a GitRepository, the user needs reconcile and patch on gitrepositories in the source.toolkit.fluxcd.io API group.

Suspend and Resume

The Suspend action pauses reconciliation of a Flux resource. While suspended, the resource will not be reconciled by its controller. The Web UI displays which user suspended the resource.

The Resume action re-enables reconciliation and triggers an immediate reconciliation request. Resuming removes the suspension tracking annotation.

RBAC

Requires the suspend and patch verbs to suspend, and the resume and patch verbs to resume. These verbs apply to the target resource’s API group and kind.

Download Artifact

The Download Artifact action downloads the artifact tarball from a Flux source resource. This is available for Bucket, GitRepository, OCIRepository, HelmChart, and ExternalArtifact resources.

For ArtifactGenerator resources, a dropdown menu is displayed listing all ExternalArtifacts from the resource’s inventory. Each artifact can be downloaded individually.

RBAC

Requires the download verb on the source resource. For example, to download an OCIRepository artifact, the user needs download on ocirepositories in the source.toolkit.fluxcd.io API group.

Workload Actions

Workload actions operate on Kubernetes workloads managed by Flux. These actions are available on the workload detail page for Deployments, StatefulSets, DaemonSets, CronJobs, and Pods.

Rollout Restart

The Rollout Restart action triggers a rolling restart of a Deployment, StatefulSet, or DaemonSet by patching the pod template with a kubectl.kubernetes.io/restartedAt annotation. This causes the controller to recreate all pods in a rolling fashion, similar to kubectl rollout restart.

RBAC

Requires the restart and patch verbs on the workload resource. For example, to restart a Deployment, the user needs restart and patch on deployments in the apps API group.

Run Job

The Run Job action creates a new Job from a CronJob’s job template, triggering an immediate execution outside of the CronJob’s schedule. The created Job is owned by the CronJob so that its pods appear under the CronJob in the Web UI. The Web UI displays which user created the Job.

RBAC

Requires the restart verb on cronjobs and the create verb on jobs in the batch API group.

Delete Pod

The Delete Pod action deletes an individual pod. For pods owned by a Deployment, StatefulSet, or DaemonSet, the Kubernetes controller will automatically recreate the pod. A confirmation dialog is shown before the deletion is performed.

RBAC

Requires the delete verb on pods in the core API group.

Audit

The Web UI can generate audit events for user actions, providing a trail of who performed what action and when. Audit events are recorded as Kubernetes Events and forwarded to Flux’s notification-controller, enabling integration with external notification systems.

Enabling Audit

To enable auditing, set spec.userActions.audit in the web configuration to a list of actions to audit. Use the special value ["*"] to audit all actions.

web:
  config:
    userActions:
      audit:
        - "*"
    authentication:
      type: OAuth2
      oauth2:
        provider: OIDC
        # ... omitted for brevity ...

To audit only specific actions, list them individually:

web:
  config:
    userActions:
      audit:
        - reconcile
        - suspend
        - resume
        - download
        - restart
        - delete

Audit Events

Each audited action generates a Kubernetes Event with the reason WebAction. The event message includes the username, action, and target resource. The following annotations are set on the event:

AnnotationDescription
event.toolkit.fluxcd.io/actionThe action performed (e.g., reconcile, suspend)
event.toolkit.fluxcd.io/usernameThe username of the user who performed the action
event.toolkit.fluxcd.io/groupsThe groups of the user who performed the action
event.toolkit.fluxcd.io/subjectThe target workload (for workload actions only)

For workload actions (rollout restart, create job, delete pod), the audit event is associated with the Flux resource managing the workload (e.g., the Kustomization, HelmRelease or ResourceSet).

Notifications with Flux Alerts

Audit events are automatically forwarded to Flux’s notification-controller when it is installed in the cluster. You can configure Flux Alert and Provider resources to send audit notifications to external systems such as Slack, Microsoft Teams, or any webhook endpoint.

Example configuration for sending audit notifications to Slack:

apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: web-actions-audit
  namespace: apps
spec:
  providerRef:
    name: slack
  eventSources:
    - kind: Kustomization
      name: "*"
    - kind: HelmRelease
      name: "*"
    - kind: ResourceSet
      name: "*"
  inclusionList:
    - ".*on the web UI$"

The inclusionList regex filter matches the audit event message format, ensuring that only Web UI action events are forwarded to the notification provider.