Skip to content

Add support for drift detection ignore rules#1627

Draft
dipti-pai wants to merge 1 commit intofluxcd:mainfrom
dipti-pai:drift-ignore-rules
Draft

Add support for drift detection ignore rules#1627
dipti-pai wants to merge 1 commit intofluxcd:mainfrom
dipti-pai:drift-ignore-rules

Conversation

@dipti-pai
Copy link
Copy Markdown
Member

@dipti-pai dipti-pai commented Mar 31, 2026
edited by stefanprodan
Loading

Changes include :

  • Spec changes to add DriftIgnoreRules[] to kustomization spec.
  • Convert the drift ignore rules to []jsondiff.IgnoreRule and set in ApplyOptions
  • Doc changes and tests.

Fix: #1138

Test summary with kustomize-controller

E2E Test Results — DriftIgnoreRules

Setup

$ kubectl get gitrepository -n drift-ignore-test
NAME              URL                                           AGE   READY   STATUS
drift-test-repo   https://github.com/dipti-pai/flux-test-repo   17s   True    stored artifact for revision 'main@sha1:b2a96870abdf6a295501e298a147e1e4ea5d878a'

Source manifests (in ssaDriftIgnoreRulesTest/) deploy:

  • ConfigMap test-configmanaged-key: "v1", ignored-key: "original", another-ignored: "keep-me"
  • Deployment test-nginxnginx:1.25, 1 replica, with resource requests/limits
  • Service test-service — with annotation external-dns.alpha.kubernetes.io/hostname: "test.example.com"

Reconciliation verification approach

Each test triggers reconciliation after introducing drift, checks the controller logs and confirms non-ignored fields are in-tact.

Test 1 — Ignore /spec/replicas on Deployments (HPA use case)

Kustomization:

driftIgnoreRules:
  - paths:
      - "/spec/replicas"
    target:
      kind: Deployment

Initial state:

$ kubectl get ks -n drift-ignore-test
NAME                AGE   READY   STATUS
test-basic-ignore   29s   True    Applied revision: main@sha1:b2a96870abdf6a295501e298a147e1e4ea5d878a

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.replicas}'
1

Simulate HPA scaling (server-side apply with hpa-controller field manager):

$ kubectl apply --server-side --field-manager=hpa-controller --force-conflicts -f deployment-scaled.yaml
deployment.apps/test-nginx serverside-applied

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.replicas}'
3

Trigger reconciliation:

$ kubectl annotate ks test-basic-ignore -n drift-ignore-test reconcile.fluxcd.io/requestedAt=$(date +%s) --overwrite
kustomization.kustomize.toolkit.fluxcd.io/test-basic-ignore annotated

After reconciliation — resource verification:

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.replicas}'
3  # <-- replicas preserved!

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.template.spec.containers[0].image}'
nginx:1.25  # <-- image unchanged

** controller log:**

{
  "level": "info",
  "ts": "2026-03-31T17:44:58.182Z",
  "msg": "server-side apply completed",
  "Kustomization": {"name": "test-basic-ignore", "namespace": "drift-ignore-test"},
  "reconcileID": "745d39ee-dca1-4654-b608-449d29b54a48",
  "output": {
    "ConfigMap/drift-ignore-test/test-config": "unchanged",
    "Deployment/drift-ignore-test/test-nginx": "configured",
    "Namespace/drift-ignore-test": "unchanged",
    "Service/drift-ignore-test/test-service": "unchanged"
  }
}

Test 2 — Targeted selectors (external-dns + ConfigMap field)

Kustomization:

driftIgnoreRules:
  - paths:
      - "/metadata/annotations/external-dns.alpha.kubernetes.io~1hostname"
    target:
      kind: Service
      name: test-service
  - paths:
      - "/data/ignored-key"
    target:
      kind: ConfigMap
      name: test-config

Initial state:

$ kubectl get svc test-service -n drift-ignore-test -o jsonpath='{.metadata.annotations}'
{"external-dns.alpha.kubernetes.io/hostname":"test.example.com"}

$ kubectl get cm test-config -n drift-ignore-test -o jsonpath='{.data}'
{"another-ignored":"keep-me","ignored-key":"original","managed-key":"v1"}

Simulate external-dns and controller changes (server-side apply):

$ kubectl apply --server-side --field-manager=external-dns --force-conflicts -f svc-modified.yaml
service/test-service serverside-applied

$ kubectl apply --server-side --field-manager=config-controller --force-conflicts -f cm-modified.yaml
configmap/test-config serverside-applied

$ kubectl get svc test-service -n drift-ignore-test -o jsonpath='{.metadata.annotations}'
{"external-dns.alpha.kubernetes.io/hostname":"production.example.com"}

$ kubectl get cm test-config -n drift-ignore-test -o jsonpath='{.data}'
{"another-ignored":"keep-me","ignored-key":"changed-by-controller","managed-key":"v1"}

After reconciliation — resource verification:

$ kubectl get svc test-service -n drift-ignore-test -o jsonpath='{.metadata.annotations}'
{"external-dns.alpha.kubernetes.io/hostname":"production.example.com"}  # <-- annotation preserved!

$ kubectl get cm test-config -n drift-ignore-test -o jsonpath='{.data}'
{"another-ignored":"keep-me","ignored-key":"changed-by-controller","managed-key":"v1"}  # <-- ignored-key preserved!

controller log:

{
  "level": "info",
  "ts": "2026-03-31T17:47:36.973Z",
  "msg": "server-side apply completed",
  "Kustomization": {"name": "test-targeted-ignore", "namespace": "drift-ignore-test"},
  "reconcileID": "072c53f3-47b8-465d-8788-01fe2266e6aa",
  "output": {
    "ConfigMap/drift-ignore-test/test-config": "configured",
    "Deployment/drift-ignore-test/test-nginx": "unchanged",
    "Namespace/drift-ignore-test": "unchanged",
    "Service/drift-ignore-test/test-service": "configured"
  }
}

Test 3 — Multi-resource (Deployment replicas + Service annotations + ConfigMap fields)

Kustomization:

driftIgnoreRules:
  - paths:
      - "/spec/replicas"
    target:
      kind: Deployment
  - paths:
      - "/metadata/annotations"
    target:
      kind: Service
  - paths:
      - "/data/ignored-key"
      - "/data/another-ignored"
    target:
      kind: ConfigMap

Out-of-band changes via server-side apply (3 different field managers):

$ kubectl apply --server-side --field-manager=hpa-controller --force-conflicts ...     # replicas: 3
$ kubectl apply --server-side --field-manager=external-dns --force-conflicts ...       # added annotation
$ kubectl apply --server-side --field-manager=config-controller --force-conflicts ...  # changed CM keys

Before reconciliation:

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.replicas}'
3

$ kubectl get svc test-service -n drift-ignore-test -o jsonpath='{.metadata.annotations}'
{"external-dns.alpha.kubernetes.io/hostname":"test.example.com","my-custom-annotation":"my-value"}

$ kubectl get cm test-config -n drift-ignore-test -o jsonpath='{.data}'
{"another-ignored":"y","ignored-key":"x","managed-key":"v1"}

After reconciliation — resource verification:

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.replicas}'
3  # <-- preserved

$ kubectl get svc test-service -n drift-ignore-test -o jsonpath='{.metadata.annotations}'
{"external-dns.alpha.kubernetes.io/hostname":"test.example.com","my-custom-annotation":"my-value"}  # <-- preserved

$ kubectl get cm test-config -n drift-ignore-test -o jsonpath='{.data}'
{"another-ignored":"y","ignored-key":"x","managed-key":"v1"}  # <-- ignored fields preserved, managed-key intact

** controller log:**

{
  "level": "info",
  "ts": "2026-03-31T17:50:30.122Z",
  "msg": "server-side apply completed",
  "Kustomization": {"name": "test-multi-resource", "namespace": "drift-ignore-test"},
  "reconcileID": "76976031-dc4a-4763-a6d1-d0b4adaa9d44",
  "output": {
    "ConfigMap/drift-ignore-test/test-config": "configured",
    "Deployment/drift-ignore-test/test-nginx": "configured",
    "Namespace/drift-ignore-test": "unchanged",
    "Service/drift-ignore-test/test-service": "unchanged"
  }
}

Test 4 — Nested paths (VPA container resources)

Kustomization:

driftIgnoreRules:
  - paths:
      - "/spec/template/spec/containers/0/resources"
    target:
      kind: Deployment
      name: test-nginx

Initial state:

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.template.spec.containers[0].resources}'
{"limits":{"cpu":"200m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}

Simulate VPA adjusting resources (server-side apply with vpa-recommender field manager):

$ kubectl apply --server-side --field-manager=vpa-recommender --force-conflicts -f deployment-vpa.yaml
deployment.apps/test-nginx serverside-applied

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.template.spec.containers[0].resources}'
{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}

After reconciliation — VPA resources preserved:

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.template.spec.containers[0].resources}'
{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}  # <-- VPA resources preserved!

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.template.spec.containers[0].image}'
nginx:1.25  # <-- image unchanged

controller log (VPA change):

{
  "level": "info",
  "ts": "2026-03-31T17:53:07.760Z",
  "msg": "server-side apply completed",
  "Kustomization": {"name": "test-nested-paths", "namespace": "drift-ignore-test"},
  "reconcileID": "61099129-e120-4b06-8643-0e3fe4f2df51",
  "output": {
    "ConfigMap/drift-ignore-test/test-config": "unchanged",
    "Deployment/drift-ignore-test/test-nginx": "configured",
    "Namespace/drift-ignore-test": "unchanged",
    "Service/drift-ignore-test/test-service": "unchanged"
  }
}

Test 4b — Non-ignored field drift correction

Change image to nginx:1.24, then reconcile:

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.template.spec.containers[0].image}'
nginx:1.24  # <-- changed

# After reconciliation:
$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.template.spec.containers[0].image}'
nginx:1.25  # <-- reverted to nginx:1.25

$ kubectl get deploy test-nginx -n drift-ignore-test -o jsonpath='{.spec.template.spec.containers[0].resources}'
{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}  # <-- VPA resources STILL preserved

controller log (image correction):

{
  "level": "info",
  "ts": "2026-03-31T17:54:34.124Z",
  "msg": "server-side apply completed",
  "Kustomization": {"name": "test-nested-paths", "namespace": "drift-ignore-test"},
  "reconcileID": "271aa062-20eb-4146-aaf6-da883e243f19",
  "output": {
    "ConfigMap/drift-ignore-test/test-config": "unchanged",
    "Deployment/drift-ignore-test/test-nginx": "configured",
    "Namespace/drift-ignore-test": "unchanged",
    "Service/drift-ignore-test/test-service": "unchanged"
  }
}

Test 5 — Edge cases (non-existent paths + non-matching selector)

Kustomization:

driftIgnoreRules:
  - paths:
      - "/data/nonexistent-key"
      - "/spec/this/does/not/exist"
  - paths:
      - "/data/ignored-key"
    target:
      kind: ConfigMap
      name: does-not-exist

Initial state — reconciles successfully despite non-existent paths:

$ kubectl get ks -n drift-ignore-test
NAME              AGE   READY   STATUS
test-edge-cases   29s   True    Applied revision: main@sha1:b2a96870abdf6a295501e298a147e1e4ea5d878a

Change ignored-key via SSA (rule targets does-not-exist CM, so should NOT match test-config):

# Before reconciliation:
$ kubectl get cm test-config -n drift-ignore-test -o jsonpath='{.data.ignored-key}'
edge-changed

# After reconciliation:
$ kubectl get cm test-config -n drift-ignore-test -o jsonpath='{.data.ignored-key}'
original  # <-- reverted to "original" (selector targets "does-not-exist", not "test-config")

controller log:

{
  "level": "info",
  "ts": "2026-03-31T17:57:09.475Z",
  "msg": "server-side apply completed",
  "Kustomization": {"name": "test-edge-cases", "namespace": "drift-ignore-test"},
  "reconcileID": "2daa7063-36f1-46af-9c43-6cb674e399c8",
  "output": {
    "ConfigMap/drift-ignore-test/test-config": "configured",
    "Deployment/drift-ignore-test/test-nginx": "unchanged",
    "Namespace/drift-ignore-test": "unchanged",
    "Service/drift-ignore-test/test-service": "unchanged"
  }
}

No errors in controller logs:

$ kubectl -n kustomize-system logs deployment/kustomize-controller --since=2m | grep -i error
(no errors)

Test 6 — Ignore mandatory /spec/selector, introduce drift, no other SSA owner

Kustomization:

driftIgnoreRules:
  - paths:
      - "/spec/selector"
    target:
      kind: Deployment
      name: test-nginx

Initial creation succeeds:

$ kubectl get ks test-6c-selector-no-owner -n drift-test-10
NAME                        AGE   READY   STATUS
test-6c-selector-no-owner   28s   True    Applied revision: main@sha1:b2a96870abdf6a295501e298a147e1e4ea5d878a

$ kubectl get deploy test-nginx -n drift-test-10 -o jsonpath='{.spec.selector}'
{"matchLabels":{"app":"nginx"}}

Introduce image drift via non-SSA patch (no new manager claims selector):

$ kubectl patch deploy test-nginx -n drift-test-10 --type json \
    -p '[{"op":"replace","path":"/spec/template/spec/containers/0/image","value":"nginx:1.24"}]'
deployment.apps/test-nginx patched

$ kubectl get deploy test-nginx -n drift-test-10 -o jsonpath='{.spec.template.spec.containers[0].image}'
nginx:1.24  # <-- introduce drift

After reconciliation — APPLY FAILS:

$ kubectl get ks test-6c-selector-no-owner -n drift-test-10
NAME                        AGE    READY   STATUS
test-6c-selector-no-owner   100s   False   Deployment/drift-test-10/test-nginx apply failed: ...

Controller error log:

{
  "level": "error",
  "ts": "2026-03-31T22:06:05.184Z",
  "msg": "Reconciliation failed after 206.673654ms, next try in 2m0s",
  "Kustomization": {"name": "test-6c-selector-no-owner", "namespace": "drift-test-10"},
  "error": "Deployment/drift-test-10/test-nginx apply failed: Deployment.apps \"test-nginx\" is invalid: [spec.selector: Required value, spec.template.metadata.labels: Invalid value: {\"app\":\"nginx\"}: `selector` does not match template `labels`, spec.selector: Invalid value: null: field is immutable]"
}

@dipti-pai dipti-pai mentioned this pull request Mar 31, 2026
Open
@dipti-pai dipti-pai force-pushed the drift-ignore-rules branch from 029fa79 to 02e1e73 Compare April 1, 2026 20:19
@stefanprodan stefanprodan mentioned this pull request Apr 10, 2026
Closed
1 task
@hiddeco
Copy link
Copy Markdown
Member

hiddeco commented Apr 20, 2026

Any specific reason for the API to not match the API of the helm-controller?

@dipti-pai
Add support for drift detection ignore rules
e688fe8 
Signed-off-by: Dipti Pai <diptipai89@outlook.com>
@dipti-pai dipti-pai force-pushed the drift-ignore-rules branch from 02e1e73 to e688fe8 Compare April 20, 2026 21:27
@stefanprodan
Copy link
Copy Markdown
Member

stefanprodan commented May 1, 2026
edited
Loading

Any specific reason for the API to not match the API of the helm-controller?

We discussed this at the dev meetings. KC does drift detection and correction by design, so the envelop we use in HC would be confusing here, people would expect driftDetection.mode: disabled|warn while we can not support it. Even if this feature seems the same in KC and HC, it's actually very different. HC does not take into consideration the ignore rules when the Helm SDK client does the apply, a release upgrade blindly applies all changes even if there are ignore rules for certain fields. KC fully implements the rules, they are enforced not only during drift detection but also at apply time, given this, I think the API construct not matching HC is is a good thing.

stefanprodan
stefanprodan reviewed May 1, 2026
View reviewed changes
Comment thread docs/spec/v1/kustomizations.md
Comment on lines +902 to +922
#### Ignore a field on all resources

To ignore a specific field on all resources managed by the Kustomization:

```yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: app
namespace: flux-system
spec:
# ...omitted for brevity
driftIgnoreRules:
- paths:
- "/spec/replicas"
```

#### Ignore fields on specific resources

To ignore fields only on resources that match a target selector:
Copy link
Copy Markdown
Member

@stefanprodan stefanprodan May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#### Ignore a field on all resources
To ignore a specific field on all resources managed by the Kustomization:
```yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: app
namespace: flux-system
spec:
# ...omitted for brevity
driftIgnoreRules:
- paths:
- "/spec/replicas"
```
#### Ignore fields on specific resources
To ignore fields only on resources that match a target selector:
Example:

We have the warning about omitting the target, so I don't think we need a dedicated example for it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stefanprodan stefanprodan stefanprodan left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Constant rewriting of the CRD

3 participants

@dipti-pai @hiddeco @stefanprodan