Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

403 Forbidden when editing application details after enabling Dex #21421

Closed
3 tasks done
bzurkowski opened this issue Jan 8, 2025 · 2 comments
Closed
3 tasks done

403 Forbidden when editing application details after enabling Dex #21421

bzurkowski opened this issue Jan 8, 2025 · 2 comments
Labels
bug Something isn't working component:auth more-information-needed Further information is requested

Comments

@bzurkowski
Copy link

bzurkowski commented Jan 8, 2025
edited
Loading

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

My team is using Argo CD with Dex to delegate user authentication to Google as the IDP.

Before enabling Dex, everything was working fine. However, after enabling Dex, we encountered a 403 Forbidden error when attempting to edit application details, such as labels or sync policies, through the Argo CD dashboard. These actions are also disallowed even when I log in as an admin user.

Despite this issue, I am still able to perform other actions, such as deleting Pods, via the dashboard. Additionally, editing application details works without any issues when using kubectl.

The applied RBAC policy is as follows:

cm:
  users.anonymous.enabled: "false"
rbac:
  policy.default: "role:authenticated"
  policy.csv: |
    p, role:authenticated, *, *, *, deny
    g, [email protected], role:readonly
    g, [email protected], role:admin

Got similar results with the following policy:

cm:
  users.anonymous.enabled: "false"
rbac:
  policy.default: "role:readonly"
  policy.csv: |
    g, [email protected], role:readonly
    g, [email protected], role:admin

To Reproduce

  1. Ensure Dex is enabled with the IDP connector.
  2. Attempt to edit application details (e.g., labels or sync policies) through the Argo CD dashboard.

Expected behavior

Editing application details through the Argo CD dashboard should work without encountering a 403 Forbidden error.

Screenshots

image

Version

v2.12.4

Logs

No relevant information found in logs.
@bzurkowski bzurkowski added the bug Something isn't working label Jan 8, 2025
@bzurkowski
Copy link
Author

I just noticed that this issue does not occur in other environment where Dex is enabled. I will investigate further, as there might be another underlying issue that could provide valuable insights for others in the future.

@rumstead rumstead added more-information-needed Further information is requested component:auth labels Jan 9, 2025
@bzurkowski
Copy link
Author

I investigated further and found that the issue was caused by a WAF policy at the load balancer, which disallowed large payload sizes for PUT and POST methods. It appears that ArgoCD traffic tends to have large payloads due to application spec and OIDC group claims consuming significant space. After creating a dedicated WAF policy for ArgoCD, the issue was resolved, and all administrative actions are now functioning as expected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working component:auth more-information-needed Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bzurkowski @rumstead