When source-controller starts, it apparently tries to make a request to /livez/ping on the api server (right?), which is not covered by the recommended RBAC settings. This doesn't seem to have any effect on the controller working or not, but it does lead to a security event on every start (forbidden: User "system:serviceaccount:flux-system:source-controller" cannot head path "/livez/ping").
I don't see any explicit calls to this endpoint in code for source-controller, but I did find a mention in the cli-utils repo: https://github.com/fluxcd/cli-utils/blob/5af6753e42af4622cd7d6e16ffe1fb2f946a2103/pkg/flowcontrol/flowcontrol.go. The file appears vendored from upstream Kubernetes stuff, so (speculation ahead) perhaps the same code is run as part of imported packages in the source-controller?
Should it be documented that this is required, or can the call be disabled somehow if not needed?
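If the probe is to be allowed rather than disabled, the denied request in the error above maps to a single non-resource RBAC rule. The manifest below is an added example, not part of the original report or of the Flux manifests; the object name `flux-livez-ping-probe` is hypothetical, while the service account, namespace, path and verb are taken from the error message.

```yaml
# Added example: least-privilege grant for the one request the API server denied.
# The ClusterRole/ClusterRoleBinding name is hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flux-livez-ping-probe
rules:
  # Non-resource URLs are authorized by the lower-cased HTTP method,
  # so the HEAD request from the error message needs the "head" verb.
  - nonResourceURLs:
      - /livez/ping   # exact path only, no wildcard
    verbs:
      - head
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flux-livez-ping-probe
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flux-livez-ping-probe
subjects:
  # Subject taken from the "forbidden" message:
  # system:serviceaccount:flux-system:source-controller
  - kind: ServiceAccount
    name: source-controller
    namespace: flux-system
```

After applying it, `kubectl auth can-i head /livez/ping --as=system:serviceaccount:flux-system:source-controller` should answer `yes`, and the forbidden event should no longer be logged at controller start.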