Argo: Workflow controller not working in namespaced deployment
Is this a BUG REPORT or FEATURE REQUEST?:
BUG REPORT
What happened:
Workflow controller failed in namespace deployment.
Got errors like:
github.com/argoproj/argo/workflow/controller/controller.go:159: Failed to list *v1alpha1.WorkflowTemplate: workflowtemplates.argoproj.io is forbidden: User "system:serviceaccount:argo-template-dev:argo" cannot list resource "workflowtemplates" in API group "argoproj.io" at the cluster scope
What you expected to happen:
Workflow controller should get deployed successfully in namespaced environment
How to reproduce it (as minimally and precisely as possible):
Deploy workflow controller in a namespace with limited permission to access the cluster scope resources
Anything else we need to know?:
The newly added WorkflowTemplate is the root cause. Unlike WorkflowInformer (https://github.com/argoproj/argo/blob/master/workflow/controller/controller.go#L150), WorkflowTemplateInformer (https://github.com/argoproj/argo/blob/master/workflow/controller/controller.go#L152) does not respect namespaces if specified in the configmap.
Environment:
- Argo version: 2.4.0-RC1
$ argo version
- Kubernetes version :
$ kubectl version -o yaml
Other debugging information (if applicable):
- workflow result:
$ argo get <workflowname>
- executor logs:
$ kubectl logs <failedpodname> -c init
$ kubectl logs <failedpodname> -c wait
- workflow-controller logs:
$ kubectl logs -n argo $(kubectl get pods -l app=workflow-controller -n argo -o name)
tigerwings
All 3 comments
+1 on that one ... just hit it today as well. The workflow controller should not require cluster level access to workflow templates.
CermakM
on 24 Aug 2019
Let me check the issue.
dtaniwaki
on 24 Aug 2019
Fixed in #1580.
dtaniwaki
on 24 Aug 2019
Related issues
tommyJimmy87
路
3Comments
danxmoran
路
4Comments
CermakM
路
3Comments
kounoike
路
4Comments
logicfox
路
4Comments
Most helpful comment
Fixed in #1580.