Please take look at the https://github.com/fluxcd/flux2-multi-tenancy

You need to enforce multi-tenancy lockdown with --default-service-account and each tenant must have its own namespace. Then it doesn't really matter what serviceAccountName they set in their Flux Kustomizations, they can't escape their namespace since they can't create ClusterRoleBindings.

When you deploy a tenant repository, the Kustomization doing it must not use kustomize-controller's cluster-admin ServiceAccount.

Here I mean the contents of the tenant repository (i.e. the YAMLs inside it), not the GitRepository object representing this repository.

Thank you. So no-cross-namespace-refs applies to the GitRepo and the resources it populates, is that correct?

Meaning, if I have a service account 'dev-team' in the apps namespace without any cluster roles; a kustomization.yaml within this git repo cannot define a namespace and service account outside of the apps namespace?

Settings (plus the other multi-tenant lockdown settings)

--no-cross-namespace-refs=true
----default-service-account=default

Git Repo

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: dev-team
  namespace: apps
spec:
  interval: 1m
  url: https://github.com/fluxcd/flux2-multi-tenancy
  ref:
    branch: dev-team

So no-cross-namespace-refs applies to the GitRepo and the resources it populates, is that correct?

--no-cross-namespace-refs applies to any Flux API the controller containing this flag is responsible for.

Flux objects reference other Flux objects. If you set this flag on a given Flux controller, then this controller will not allow any of the objects it manages to reference objects which are not in the same namespace.

--default-service-account forces the Flux controller to use the service account set by this flag if spec.serviceAccountName is not set. If this flag is not set and spec.serviceAccountName is also not set, the controller will apply the YAMLs with its own privileged service account.