[BUG] microsoft.flux extension fails to install on AKS Automatic — fluxconfig-controller blocked by aks-managed-protect-system-namespaces policy #5645

@L3mondrop

Description

Bug Report

Describe the bug

The microsoft.flux extension (v1.19.5) cannot be installed on an AKS Automatic cluster. The fluxconfig-controller pod enters CrashLoopBackOff because the aks-managed-protect-system-namespaces ValidatingAdmissionPolicy blocks it from creating a ConfigMap in the flux-system namespace. Since the Helm release is atomic, the entire extension is rolled back and uninstalled after the timeout.

This means GitOps with Flux is completely broken on AKS Automatic, despite Flux being listed as a supported GitOps solution for AKS.

To Reproduce

  1. Create an AKS Automatic cluster
  2. Install the Flux extension:

    az k8s-extension create \
      --resource-group <rg> \
      --cluster-name <cluster> \
      --cluster-type managedClusters \
      --name flux \
      --extension-type microsoft.flux \
      --auto-upgrade-minor-version true

  3. Wait for the installation to complete (~5 minutes)
  4. Installation fails with:

    ExtensionOperationFailed: Helm installation failed : Timed out waiting for
    the resource to come to a ready/completed state Last resource not ready was
    flux-system/fluxconfig-controller
    InnerError: release flux failed, and has been uninstalled due to atomic being set:
    context deadline exceeded

Root cause

During installation, the fluxconfig-controller pod repeatedly crashes with:

    Failed to create the immutable value configmap against the apiServer for the
    fluxConfigurations with err: configmaps "fluxconfig-immutable-values" is forbidden:
    ValidatingAdmissionPolicy 'aks-managed-protect-system-namespaces' with binding
    'aks-managed-protect-system-namespaces-binding' denied request: Modification of
    resources in managed system namespaces is not allowed

The aks-managed-protect-system-namespaces ValidatingAdmissionPolicy:

  • Protects the flux-system namespace (added in AKS release 2025-10-12)
  • Exempts service accounts from kube-system, gatekeeper-system, app-routing-system, and aks-istio-system
  • Does NOT exempt any service accounts from flux-system

The fluxconfig-controller runs as service account flux-operatorsa in flux-system. When it tries to CREATE the fluxconfig-immutable-values ConfigMap, the policy denies the request. The pod crash-loops, the Helm atomic timeout triggers, and the entire extension is uninstalled.

Note: The other 5 Flux pods (source-controller, kustomize-controller, helm-controller, notification-controller, fluxconfig-agent) all start successfully before the rollback — confirming the issue is isolated to the policy exemption gap.

Expected behavior

The microsoft.flux extension should install and run on AKS Automatic without errors, since both are Microsoft-managed components.

Suggested fix

Add system:serviceaccounts:flux-system to the exempt groups in the aks-managed-protect-system-namespaces ValidatingAdmissionPolicy, similar to the existing exemptions for system:serviceaccounts:kube-system and system:serviceaccounts:aks-istio-system.

Environment

| Field | Value |
|---|---|
| AKS tier | Automatic |
| Kubernetes version | 1.33.7 |
| Region | swedencentral |
| Flux extension version | 1.19.5 (latest, February 2026) |
| Cluster creation date | 2026-03-09 |
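How a service-account group exemption of the kind the report asks for is expressed in a ValidatingAdmissionPolicy, as an added illustration that is not the real aks-managed-protect-system-namespaces policy (its actual definition is not on this page): a hypothetical policy and binding whose matchCondition skips validation for the listed system:serviceaccounts:* groups, with the system:serviceaccounts:flux-system entry included. All resource names are assumed, and the binding is narrowed to flux-system only for readability.

```yaml
# Illustrative policy, not the real AKS-managed one. Names marked "assumed" are
# placeholders chosen for this example.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: example-protect-system-namespaces          # assumed name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE", "DELETE"]
        resources: ["*"]
  # A request for which any matchCondition evaluates to false is not validated
  # at all, so this is where per-namespace service-account exemptions live.
  # The flux-system group is the entry the report proposes adding.
  matchConditions:
    - name: exempt-system-serviceaccounts
      expression: >-
        !(request.userInfo.groups.exists(g, g in [
          "system:serviceaccounts:kube-system",
          "system:serviceaccounts:gatekeeper-system",
          "system:serviceaccounts:app-routing-system",
          "system:serviceaccounts:aks-istio-system",
          "system:serviceaccounts:flux-system"
        ]))
  # Everything that reaches validation in a protected namespace is denied.
  validations:
    - expression: "false"
      message: "Modification of resources in managed system namespaces is not allowed"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: example-protect-system-namespaces-binding  # assumed name
spec:
  policyName: example-protect-system-namespaces
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values: ["flux-system"]   # the real binding covers other namespaces too
```

To compare against what a cluster actually enforces, `kubectl get validatingadmissionpolicy aks-managed-protect-system-namespaces -o yaml` shows the live `spec.matchConditions`, which is where a missing flux-system exemption would be visible.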
