Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Application Controller lacks sufficient permissions for dynamicClusterDistribution in namespaced installations #2743

Closed
MIJOTHY-V2 opened this issue Jun 5, 2024 · 0 comments · Fixed by #2754
Closed

Application Controller lacks sufficient permissions for dynamicClusterDistribution in namespaced installations #2743

MIJOTHY-V2 opened this issue Jun 5, 2024 · 0 comments · Fixed by #2754
Labels
argo-cd bug Something isn't working

Comments

@MIJOTHY-V2
Copy link

MIJOTHY-V2 commented Jun 5, 2024
edited
Loading

Describe the bug

When setting dynamicClusterDistribution: true, and using a namespaced installation of argocd (createClusterRoles: false), the application controller's serviceaccount does not have sufficient permissions for managing the shard configmap:

{"level":"info","msg":"shard mapping configmap argocd-app-controller-shard-cm not found. Creating default shard mapping configmap.","time":"2024-05-03T11:39:52Z"}
{"level":"fatal","msg":"unable to get shard due to error updating the sharding config map: error creating shard mapping configmap configmaps is forbidden: User \"system:serviceaccount:argocd:argocd-application-controller\" cannot create resource \"configmaps\" in API group \"\" in the namespace \"argocd\"","time":"2024-05-03T11:39:52Z"}

This is likely a consequence of

argo-helm/charts/argo-cd/templates/argocd-application-controller/role.yaml

Lines 9 to 17 in 19ef184

- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch

where there are no create, update, or patch permissions for configmaps defined.

This issue does not arise for cluster-wide installations, as the permissions granted by the cluster role are sufficient:

argo-helm/charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml

Lines 12 to 21 in 19ef184

- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'

Related helm chart

argo-cd

Helm chart version

6.11.1

To Reproduce

  1. Deploy argocd, with values like
createClusterRoles: false
controller:
  replicas: 3
  dynamicClusterDistribution: true
  1. Inspect logs of application controller to see sharding configmap creation error
  2. Verify sharding configmap doesn't exist

Expected behavior

When dynamicClusterDistribution: true is set, the application controller should be able to manage its sharding configmap.

Screenshots

No response

Additional context

I am using ArgoCD to manage multiple remote clusters, with no other applications in the argocd cluster itself, hence the namespaced installation.

It looks like this is also the case upstream
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
argo-cd bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(argo-cd): Add missing permission for Dynamic Cluster Distribution yu-croco/argo-helm
2 participants
@mkilchhofer @MIJOTHY-V2