Flux Kustomization Standards

Intermediate

Enforce best practices for Flux Kustomization resources — pruning, health checks, dependency ordering, interval settings, and reconciliation configuration.

File Patterns

**/clusters/**/*.yaml**/clusters/**/*.yml**/flux-system/**/*.yaml

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# Flux Kustomization Standards

## Rule
All Flux Kustomization resources MUST include pruning, health checks, and appropriate reconciliation intervals.

## Format
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: <app-name>
  namespace: flux-system
spec:
  interval: <5m-30m>
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./<environment-path>
  prune: true
  wait: true
  timeout: 5m
  healthChecks:
    - apiVersion: apps/v1
      kind: Deployment
      name: <deployment-name>
      namespace: <namespace>
```

## Requirements
1. **prune: true** — ALWAYS set to garbage-collect removed resources
2. **Health checks** — ALWAYS define for Deployments and StatefulSets
3. **wait: true** — set when other Kustomizations depend on this one
4. **timeout** — set explicit timeout (default 5m is usually sufficient)
5. **dependsOn** — use when resources require other Kustomizations first
6. **interval** — 5m for apps, 10m for infrastructure, 30m for slow-changing resources

## Examples

### Good
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 5m
  dependsOn:
    - name: infrastructure
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./apps/production
  prune: true
  wait: true
  timeout: 5m
  healthChecks:
    - apiVersion: apps/v1
      kind: Deployment
      name: my-app
      namespace: production
```

### Bad
```yaml
# Missing prune, health checks, timeout, and dependency
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 1m  # Too frequent
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./apps/production
```

## Enforcement
Review all Kustomization manifests in CI with a YAML linter that checks for required fields. Use OPA/Gatekeeper policies to reject Kustomizations without prune and health checks.

FAQ

Discussion

Loading comments...

# Flux Kustomization Standards ## Rule All Flux Kustomization resources MUST include pruning, health checks, and appropriate reconciliation intervals. ## Format ```yaml apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: <app-name> namespace: flux-system spec: interval: <5m-30m> sourceRef: kind: GitRepository name: flux-system path: ./<environment-path> prune: true wait: true timeout: 5m healthChecks: - apiVersion: apps/v1 kind: Deployment name: <deployment-name> namespace: <namespace> ``` ## Requirements 1. **prune: true** — ALWAYS set to garbage-collect removed resources 2. **Health checks** — ALWAYS define for Deployments and StatefulSets 3. **wait: true** — set when other Kustomizations depend on this one 4. **timeout** — set explicit timeout (default 5m is usually sufficient) 5. **dependsOn** — use when resources require other Kustomizations first 6. **interval** — 5m for apps, 10m for infrastructure, 30m for slow-changing resources ## Examples ### Good ```yaml apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: my-app namespace: flux-system spec: interval: 5m dependsOn: - name: infrastructure sourceRef: kind: GitRepository name: flux-system path: ./apps/production prune: true wait: true timeout: 5m healthChecks: - apiVersion: apps/v1 kind: Deployment name: my-app namespace: production ``` ### Bad ```yaml # Missing prune, health checks, timeout, and dependency apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: my-app namespace: flux-system spec: interval: 1m # Too frequent sourceRef: kind: GitRepository name: flux-system path: ./apps/production ``` ## Enforcement Review all Kustomization manifests in CI with a YAML linter that checks for required fields. Use OPA/Gatekeeper policies to reject Kustomizations without prune and health checks.