ArgoCD Namespaced install tries to perform cluster scoped list resources when --application-namespaces is set #21237

Open
3 tasks done
SjuulJanssen opened this issue Dec 18, 2024 · 0 comments
Labels
bug Something isn't working version:2.12 Latest confirmed affected version is 2.12

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

ArgoCD tries to use cluster-scoped k8s APIs to list "application" while using a namespaced installation.

To Reproduce

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
- https://raw.githubusercontent.com/argoproj/argo-cd/v2.12.8/manifests/namespace-install.yaml  # also is the case with v2.13.2
- rbac.yaml
patches:
- target:
    name: argocd-cmd-params-cm
    kind: ConfigMap
  patch: |-
    - op: add
      path: /data
      value:
        application.namespaces: app1

ns.yaml

# Only included to show intention, not required for reproducing the issue
apiVersion: v1
kind: Namespace
metadata:
  name: app1

rbac.yaml

# Only included to show intention, not required for reproducing the issue
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-role
  namespace: app1
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-role-binding
  namespace: app1
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
  namespace: app1
- kind: ServiceAccount
  name: argocd-server
  namespace: app1
roleRef:
  kind: Role
  name: argocd-role
  apiGroup: rbac.authorization.k8s.io

Expected

No usage of cluster scoped list commands at all.

Logs

time="2024-12-18T07:24:06Z" level=info msg="ArgoCD Application Controller is starting" built="2024-12-11T18:39:59Z" commit=9c3b45f5da0b1cdf516e87b2c0f3aa1c21473642 namespace=default version=v2.12.8+9c3b45f
time="2024-12-18T07:24:06Z" level=info msg="Processing all cluster shards"
time="2024-12-18T07:24:06Z" level=info msg="Processing all cluster shards"
time="2024-12-18T07:24:06Z" level=info msg="appResyncPeriod=3m0s, appHardResyncPeriod=0s, appResyncJitter=0s"
time="2024-12-18T07:24:06Z" level=info msg="Starting configmap/secret informers"
W1218 07:24:06.151244       7 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:default:argocd-application-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
E1218 07:24:06.151321       7 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Application: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:default:argocd-application-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
time="2024-12-18T07:24:06Z" level=info msg="Configmap/secret informer synced"
time="2024-12-18T07:24:06Z" level=warning msg="The cluster https://kubernetes.default.svc has no assigned shard."
time="2024-12-18T07:24:06Z" level=warning msg="Cannot init sharding. Error while querying application list from database: applications.argoproj.io is forbidden: User \"system:serviceaccount:default:argocd-application-controller\" cannot list resource \"applications\" in API group \"argoproj.io\" at the cluster scope"
time="2024-12-18T07:24:06Z" level=warning msg="Failed to save cluster info: dial tcp 10.43.74.157:6379: connect: connection refused"
W1218 07:24:07.522990       7 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:default:argocd-application-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
E1218 07:24:07.523073       7 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Application: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:default:argocd-application-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
@SjuulJanssen SjuulJanssen added the bug Something isn't working label Dec 18, 2024
@andrii-korotkov-verkada andrii-korotkov-verkada added the version:2.12 Latest confirmed affected version is 2.12 label Dec 22, 2024
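
An added example, not part of the original issue or of Argo CD's code: a small Go parser that extracts the distinct RBAC denials from controller logs like those above, so an operator can see which service account is requesting which verb at cluster scope. The sample lines are constructed (two shortened from this issue, plus one invented namespaced denial in a hypothetical `app2` namespace); `Denial`, `ParseDenials` and `sampleLogs` are names chosen here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial is one RBAC refusal reported by the Kubernetes API server.
type Denial struct{ Namespace, ServiceAccount, Verb, Resource, Group, Scope string }

// forbiddenRe matches the "is forbidden" message for a service account subject.
var forbiddenRe = regexp.MustCompile(`User "system:serviceaccount:([^:"]+):([^"]+)" cannot (\S+) ` +
	`resource "([^"]+)" in API group "([^"]*)" (at the cluster scope|in the namespace "([^"]+)")`)

// ParseDenials returns the distinct denials in controller log text. logrus
// escapes quotes inside msg="..." as \", so each line is unescaped first.
func ParseDenials(logs string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, line := range strings.Split(logs, "\n") {
		line = strings.ReplaceAll(line, `\"`, `"`)
		for _, m := range forbiddenRe.FindAllStringSubmatch(line, -1) {
			d := Denial{m[1], m[2], m[3], m[4], m[5], "cluster"}
			if m[7] != "" {
				d.Scope = "namespace/" + m[7]
			}
			if !seen[d] {
				seen[d] = true
				out = append(out, d)
			}
		}
	}
	return out
}

// Constructed sample: two lines shortened from this issue, one invented namespaced denial.
const sampleLogs = `W1218 07:24:06.151244 7 reflector.go:539] failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:default:argocd-application-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
time="2024-12-18T07:24:06Z" level=warning msg="Cannot init sharding. Error while querying application list from database: applications.argoproj.io is forbidden: User \"system:serviceaccount:default:argocd-application-controller\" cannot list resource \"applications\" in API group \"argoproj.io\" at the cluster scope"
E0000 00:00:00.000000 7 example.go:1] secrets is forbidden: User "system:serviceaccount:default:argocd-server" cannot get resource "secrets" in API group "" in the namespace "app2"`

func main() {
	for _, d := range ParseDenials(sampleLogs) {
		// A namespaced install should never produce a cluster-scope request.
		if d.Scope == "cluster" {
			fmt.Printf("%s/%s: %s %s.%s at cluster scope\n", d.Namespace, d.ServiceAccount, d.Verb, d.Resource, d.Group)
		}
	}
}
```
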