Argo-cd: Serviceaccount can't list CRDs

Created on 14 Mar 2019  路  4Comments  路  Source: argoproj/argo-cd

I've deployed argo-cd via the kubectl apply command. After I've added an application nothing happens. In the logs of the application-controller I'm getting this error message:

time="2019-03-14T13:14:42Z" level=info msg="Start watch app resources on https://kubernetes.default.svc"
time="2019-03-14T13:14:42Z" level=warning msg="Failed to watch app resources on https://kubernetes.default.svc: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:fr:argocd-application-controller\" cannot list resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope, retrying in 10s"

Here the clusterrole argocd-application-controller

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: argocd-application-controller
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
picture florianrusch

Most helpful comment

@florianrusch this is expected. Because cluster role bindings need to specify some namespace, our set of default installation manifests are using default of argocd. To get this to work in another namespace, you would need to change this line:

https://github.com/argoproj/argo-cd/blob/master/manifests/cluster-rbac/argocd-application-controller-clusterrolebinding.yaml#L16

and this line:

https://github.com/argoproj/argo-cd/blob/master/manifests/cluster-rbac/argocd-server-clusterrolebinding.yaml#L16

tools like kustomize help with this by allowing you to overlay your desired change from our base.

picture jessesuen on 14 Mar 2019
👍4

All 4 comments

In the UI I'm getting this error message:

replicasets.apps is forbidden: User "system:serviceaccount:fr:argocd-application-controller" cannot list resource "replicasets" in API group "apps" at the cluster scope
florianrusch picture florianrusch on 14 Mar 2019

Interessting...I've reinstalled argo in the default namespace argocd and now it's working as aspected. Before I've installed it in the namespace fr.

florianrusch picture florianrusch on 14 Mar 2019

@florianrusch this is expected. Because cluster role bindings need to specify some namespace, our set of default installation manifests are using default of argocd. To get this to work in another namespace, you would need to change this line:

https://github.com/argoproj/argo-cd/blob/master/manifests/cluster-rbac/argocd-application-controller-clusterrolebinding.yaml#L16

and this line:

https://github.com/argoproj/argo-cd/blob/master/manifests/cluster-rbac/argocd-server-clusterrolebinding.yaml#L16

tools like kustomize help with this by allowing you to overlay your desired change from our base.

jessesuen picture jessesuen on 14 Mar 2019
👍4

@jessesuen thank you for the explanation

florianrusch picture florianrusch on 20 Mar 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

peterbosalliandercom picture peterbosalliandercom  路  3Comments
ksaito1125 picture ksaito1125  路  3Comments
rosscdh picture rosscdh  路  3Comments
duboisf picture duboisf  路  3Comments
jutley picture jutley  路  3Comments